
Voice Mail Open to Hacking

Mobile carriers ‘proven’ to be open to surveillance and customer ID theft. The New York Times reports on a study by Karsten Nohl, a Berlin hacker and mobile security specialist, who found that many mobile operators provided poor protection of voice mail from hacks.

In a study of 31 mobile operators in Europe, Morocco, and Thailand, Mr. Nohl found that he could hack into mobile conversations and text messages. The NYT says he used an inexpensive, seven-year-old Motorola mobile phone and free decryption software available on the internet.

He tested each mobile operator more than 100 times and ranked the quality of their defenses. He presented the findings at a recent Chaos Computer Club convention. While his research focused mostly on Europe, Mr. Nohl, a German with a computer science doctorate from the University of Virginia, said the level of security provided by network operators in the US was on a par with that provided by European operators, meaning there was room for improvement.

In Asia, the Middle East, and Latin America, mobile security varies widely and can be much lower. Operators in India and China, Mr. Nohl said, encrypt digital traffic poorly or not at all, either to contain operating costs or to allow government censors unfettered access to communications.

In 2009 Mr. Nohl, who runs Security Research Labs in Berlin, published the algorithms used to encrypt voice and data conversations on GSM digital networks, used in Europe and elsewhere.

According to the NYT article, Mr. Nohl focused on deciphering the predictable, standard electronic “conversations” that take place between a mobile phone and a mobile network at the start of each call. Typically, Nohl said, as many as 40 packets of coded information are sent back and forth, many just simple commands like, “I have a call for you,” or “Wait.” Most operators vary little from this set-up procedure, which he said allowed him to use hacking software to make high-speed, educated guesses to decipher the complex algorithmic keys networks use to encrypt transmissions. (rb- seems like the same problem that WEP has)

Once he derived this key, he said, he could intercept voice and data conversations by impersonating another user to listen to the user’s voice-mail messages or make calls or send text messages on the user’s mobile accounts.

The author claims operators could easily end this vulnerability in the GSM system, which is found in older 2G networks used by almost every cellphone, including smartphones, with a simple software patch. His research found that only two operators, T-Mobile in Germany and Swisscom in Switzerland, used this enhanced security measure, which involves adding a random digit to the end of each set-up command to thwart decoding. For example, “I have a call for you 4.”

“This is a major vulnerability in most networks we tested, and the irony is that it costs very little, if nothing, to repair,” he said.

Philip Lieberman, CEO of Lieberman Software, an LA company that sells identity management software to large businesses and the US government, said much of the digital technology that protects the privacy of mobile calls was developed in the 1980s and 1990s and is ripe for attack.

The researcher found that Telefonica’s O2 network in the Czech Republic, Belgacom Proximus in Belgium, and Orange Switzerland provided the least security preventing the impersonation and use of another’s mobile account details for calling, texting, or other purposes. T-Mobile Slovakia, T-Mobile Germany, and SFR in France had the best.

The study reports that T-Mobile Slovakia and the Moroccan operators Wana and Medi Telecom were least effective in guarding against the tracking of a cellphone user’s geographic position through the Internet and global positioning satellites; Vodafone Italy, T-Mobile Germany, and Vodafone Germany had the best safeguards.

Protect your voice mail

The author concludes that voice mail security does not seem to be a priority for mobile phone networks. Hence, users should be proactive about their privacy. Anyone’s phone can be hacked; if it was easy for Rupert Murdoch’s journalists, it would be easy for anyone to do…

To prevent your mobile voice mail from being hacked, set an unlock password on your phone. Experts urge you to avoid the following popular passwords on mobile phones:

  • 1234
  • 0000
  • 2580 (the middle column of numbers on a telephone keypad)
  • 1111
  • 5555
  • 5683 (Spells “LOVE”)
  • 0852 (the middle column of numbers on a telephone keypad in reverse)
  • 2222
  • 1212
  • 1998
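
A PIN policy check that rejects the patterns behind the list above, as an added example that is not part of the original post. It goes beyond the ten listed PINs by flagging the whole pattern class each one belongs to (repeated digits, runs, repeated pairs, the keypad column, years, keypad words); the function names and the one-word `COMMON_WORDS` list are assumptions made for illustration.

```python
# Added example: flag weak 4-digit PINs by pattern instead of a fixed list.
KEYPAD = ["123", "456", "789", " 0 "]  # standard telephone keypad rows
LETTERS = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
           "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
COMMON_WORDS = {"LOVE"}  # constructed sample list; extend with your own words

def _keypad_lines():
    """Straight 4-key runs on the keypad: only the middle column has 4 keys."""
    col = "".join(row[1] for row in KEYPAD)  # "2580"
    return {col, col[::-1]}

def _spells_word(pin):
    """True if a word in COMMON_WORDS maps onto this PIN's keys."""
    return any(
        len(word) == len(pin)
        and all(ch in LETTERS.get(d, "") for ch, d in zip(word, pin))
        for word in COMMON_WORDS
    )

def weak_pin_reason(pin):
    """Return a short reason if the PIN matches a weak pattern, else None."""
    if not (pin.isascii() and pin.isdigit() and len(pin) == 4):
        raise ValueError("expected a 4-digit PIN")
    digits = [int(c) for c in pin]
    # Step between neighbouring digits, modulo 10 so 8901 counts as a run.
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if len(set(pin)) == 1:
        return "repeated digit"
    if steps == {1} or steps == {9}:
        return "ascending or descending sequence"
    if pin[:2] == pin[2:]:
        return "repeated pair"
    if pin in _keypad_lines():
        return "keypad column"
    if 1900 <= int(pin) <= 2099:
        return "looks like a year"
    if _spells_word(pin):
        return "spells a common word"
    return None

# The ten PINs listed in the post, used as sample input.
LISTED = ["1234", "0000", "2580", "1111", "5555",
          "5683", "0852", "2222", "1212", "1998"]
```

A `None` result only means the PIN matched none of these patterns; it does not make a four-digit PIN strong.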

Set a secure voice mail password. You shouldn’t need to memorize it as your phone will store the information. In most cases you should be able to do this manually, but if not, contact your mobile network.

Maintaining completely different passwords for all of your various telephone and online accounts is vital, if slightly tricky to do.

Change your passwords regularly.

Hang on to your cell phone. Voice mail hacking can be done from your own phone if the device is left unsecured and there is no unlock PIN set up.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.