Researchers at Microsoft's laboratories in Cambridge have managed to squeeze a minuscule Web server into a GSM mobile phone SIM card.
The researchers are more than just showing off, however, and claim that the development could lead to new mobile Internet payment methods.
The tiny server, called the WebCamSIM, is based on the MS Smart Card platform and allows an ordinary GSM phone to serve up text to computers over the Internet. Messages are sent through an SMS (Short Message Service) gateway, which translates them back and forth into a form that can be sent around the Internet. The WebCamSIM server can be programmed with the software tool set for the MS Smart Card.
Kai Rannenberg, a member of the Microsoft Security Group which is leading the research, says the technique makes use of the encryption and security that is built into GSM networks and therefore represents a cheap and easy way to make secure payments over the Internet. Rannenberg also says, however, that theoretically the WebCamSIM could be used to serve up ordinary Web pages. "There is nothing to stop you, in practice," he says. "You could deliver a simple text page."
Microsoft's researchers have used the SIM HTTP (Hyper Text Transfer Protocol) server to send and receive simple messages via the Internet. A digital key requiring a password is stored in the SIM, and the phone user can use it to confirm a payment or order over the Internet, said Rannenberg. A thief would need to not only steal a user's phone and unlock it, but then guess their identifying code in order to bypass the security, he said.
Analysts agree that adequate security is fundamental to ensure that confidence in mobile Internet technology blossoms. The next generation of mobile phone networks, known as UMTS (Universal Mobile Telecommunications System), or 3G (third generation), will give mobile devices much higher bandwidth which in turn promises to inspire mobile Internet commerce services.
As experts point out, however, the security of WebCamSIM can only be as strong as its weakest link. "The main problem is that this relies on the underlying infrastructure of mobile phone companies," remarks John Everitt, an independent computer security consultant. "It depends on how it is secured point to point." Everitt suggests that a weakness could be found at the point where messages are translated from SMS format.
Everitt also notes that the encryption protecting GSM is not perfect. GSM SIM cards generate a 40-bit encryption key each time a phone logs onto a network in order to protect its communications channel. In 1999, however, researchers at the Weizmann Institute in Israel exploited an alleged weakness in the underlying algorithm to decode GSM phone messages.
The next generation of networks will raise the stakes by using 128-bit keys, but UMTS phones will also be considerably more powerful. Rannenberg acknowledges that this will complicate the situation. "This might be more dangerous with more complex phones," he says.
He also acknowledges that a mobile phone is not ideally suited to being a Web server. GSM mobile phones have a limited amount of memory, typically around 64k. GSM networks also restrict phones to sending just 160 SMS characters at one time and a user is charged for each individual message.
Nevertheless, SMS has seen surprising popularity among mobile phone users in Europe and a survey carried out by the GSM Association in December estimates that more than 200 billion text messages will be sent this year alone.