The GSM handsets owned by as much as 80 percent of mobile phone users worldwide may be vulnerable to a new wave of sophisticated hacker attacks, according to a new study from Security Research Labs.
The Berlin-based SRL's tests, which were conducted in 11 countries, demonstrate that sophisticated cyber criminals would not find it difficult to intercept, track and impersonate the activities of GSM handset users.
Other security experts have questioned whether the threat is significant, due to the sophistication of the techniques required to launch GSM attacks, which places the technology beyond the reach of most individuals. However, SRL head Karsten Nohl warned that no one should underestimate the level of the threat that GSM handset users now face.
"We have seen university students implement GSM cracking equipment within a week using only scrap parts and free software from the Internet," Nohl said in an e-mail Tuesday.
"While an engineering background certainly is 'beyond the abilities of most individuals,' there are still millions of tech-savvy kids out there that could turn into GSM hackers overnight," Nohl said.
All GSM Networks Vulnerable
Nohl said he had already succeeded in hacking into the personal phone of a consenting colleague using a GSM handset on 30 different networks in nine European Union member states, as well as three networks in Morocco and four in Thailand.
Though SRL did not conduct any network vulnerability tests within the United States, Nohl noted that American carriers such as AT&T and T-Mobile use the same GSM technology found elsewhere in the world. So far, however, few wireless carriers around the world have elected to employ a simple patch that would eliminate this security vulnerability.
Though the extent to which GSM handset users are protected from impersonation, interception and tracking attacks varies widely among the wireless carriers already tested, all of the systems Nohl tested were vulnerable to some extent.
What's more, the requisite tools for cracking GSM security keys and analyzing GSM voice traffic are available for download over the Internet. For example, a programmable radio can be used in tandem with the GnuRadio tool to record GSM over-the-air data.
SRL noted the Airprobe tool's GSM receiver is capable of decoding the GSM network's control traffic, "and in scenarios where no encryption is used -- or where the encryption key is known -- [Airprobe] also decodes voice traffic." By contrast, the purpose of the Kraken utility for PCs is to search through recorded cellular traffic and extract the secret key for breaking GSM's A5/1 encryption.
The Best Defense
SRL is encouraging wireless carriers to use GnuRadio, Airprobe, Kraken and other tools to gauge the extent to which their networks are vulnerable. The security firm also recommends the deployment of the short-term protocol patches currently available, which make cracking GSM significantly harder than it is right now.
In the long run, however, SRL said, the best defense is for carriers to migrate to newer wireless technologies. The venerable GSM standard, also known as 2G, does "not provide sufficient security and stronger alternatives such as UMTS (3G) and LTE (4G) should be preferred," the security firm said.
According to Nohl, the voice mail hacking done in the past -- such as the alleged hacking of phones by journalists in the United Kingdom -- prompted operators to upgrade their defenses. "They now more diligently check the caller ID and set not-predictable pin codes," Nohl said.
The new attacks about which Nohl is warning, however, would be able to circumvent these new protection measures. "Fortunately, the one newspaper that would have wanted this privacy-intruding capability did not live to witness today's release," Nohl said of Rupert Murdoch's News of the World. The newspaper closed last summer after revelations of illegal wiretapping.