A design flaw in the protocol used in Global System for Mobile Communications (GSM) cell phones could allow eavesdropping.
Your cell phone may be multilingual - and that could be detrimental to your privacy. Computer security researchers
said a design flaw in the protocol used in Global System for Mobile Communications (GSM) cell phones could allow eavesdropping.
The trick: Just make the cell phone think it's somewhere else.
Only 6.5 million people in North America use Global System for Mobile Communications cell phones - through providers
such as Pacific Bell Wireless and VoiceStream Wireless - but worldwide, it's the most widely used standard, accounting
for 65 percent of the total wireless digital market.
GSM phones are increasingly popular in the United States because they allow roaming in Asia and Europe upon
insertion of the appropriate smart card.
Since Western Europe can't export encryption products to certain countries, such as targets of United Nations
sanctions, the default version of the GSM protocol does not use encryption.
This in itself isn't necessarily a problem, said David Wagner, a professor of computer science at the University
of California-Berkeley, but GSM also does not authenticate its base stations, the hardware that communicates with
the handsets - and that is potentially troublesome.
Experts said it is possible to build a phony base station that jams the signal from the real base station and
forces the cell phone to connect to it.
The base station then tells the cell phone, in essence, "You're in Iraq, don't use encryption," and
the call proceeds unprotected with the false base station relaying information between the real base station and
'A well-kept secret'
A handful of researchers have been aware of the loophole for several years now, but it's been "a well-kept
secret," Wagner said.
Security experts call this a "man-in-the-middle" attack because the phony base station sits between
the handset and the real base station, intercepting their communications, but neither the real base station nor
the handset knows it's there.
"We know about it as a technical issue, but we haven't seen it demonstrated," said James Moran, fraud
and security director at the GSM Association.
He added that building an interception device would require considerable technical skill. Moran said the next
GSM standard would address the problem.
Other cell phone standards probably don't authenticate base stations either, Wagner said, perhaps because their
designers were more concerned with preventing handset cloning, which allows someone to bill his or her calls to
someone else's number. But the phony-base-station trick is a particular problem for GSM because different strengths
of encryption are used in different places.
"Whenever you have to support both weak and strong cryptography, one very real risk is that you end up
with 'least common denominator' security," Wagner said.
Cracking different pieces of the cryptography that protects GSM cell phones from eavesdropping has long been
a favorite pastime for computer security researchers.
Just last December, two Israeli researchers announced that they had found a fast method of cracking the A5/1
algorithm, the strong encryption used to protect GSM phone calls in Europe and the United States. But the phony-base-station
strategy obviates the need for any encryption busting.