Karsten Nohl, who runs Security Research Labs in Germany, told the Reuters news agency that while hackers have been able to stage mobile phone attacks on a small scale, he believes multiple phones powered by GSM technology could be compromised at the same time.
“We can do it to hundreds of thousands of phones in a short time frame,” Nohl said during a presentation in Berlin. Roughly 80 percent of world mobile phone users, including practically everyone in Germany, use GSM networks. Similar attacks against a small number of smartphones have been done before, but the new attack could expose any cell phone using GSM technology.
Each GSM command is exactly 23 bytes long. Nohl said that in most cases this leaves room for carriers to send random data that makes messages harder to intercept. However, some messages use the full 23 bytes, requiring a more sophisticated workaround to make things secure.
The convention took place only days after the United States security think tank Strategic Forecasting Inc (Stratfor) said its website had been hacked and that some of the names of corporate subscribers had been made public.
Nohl said he would not present the details of an attack at the conference, but said hackers will usually replicate the code needed for the attack to take place within a few weeks.
Networks that use GSM technology are vulnerable in the way they handle commands, Nohl said. He said he studied 11 countries and was able to hack into both voice and text conversations using a seven-year-old Motorola phone along with widely available decryption software.
“None of the networks protects users very well,” said Nohl, adding that most network commands are sent in the simplest computer code, which significantly increases their vulnerability. According to Nohl, a range of options for randomizing the data can easily improve security.
Philip Lieberman, chief executive and president of Lieberman Software, a company in Los Angeles that sells identity management software, said the digital technology developed in the 80s and 90s to protect the privacy of cell phone calls is insecure. “Your digital mobile calls are generally well protected from people like yourselves, who are not in the position to crack them. However, the technology to do this type of surveillance, which was once possible only by government intelligence agencies, is rapidly becoming affordable to more and more people,” said Lieberman.
Nohl said mobile telecom operators could easily improve their clients’ security, in many ways just by updating their software. “Mobile network is by far the weakest part of the mobile ecosystem, even when compared to a lot attacked Android or iOS devices,” he said.
Edited by Stefanie Mosca