GSM is one of the most popular mobile phone standards and is built to provide a basic level of security. However, that security has been 'cracked' for more than five years, and commercial scanners that can emulate GSM base stations are becoming more common. This prompted Melbourne-based SecureGSM to launch its encryption tool at the CeBIT exhibition in Sydney last week.
Roman Korolik, managing director of SecureGSM, told ZDNet Australia that because GSM security was cracked so long ago, there was a lot of information and equipment available that could be used for intercepting GSM calls.
"There are devices available for interception and decoding [GSM calls] in real time... Although they are strictly speaking illegal in most countries, you can buy them," said Korolik, who believes that these scanners are already being used to intercept sensitive calls. "You can imagine that in places like the stock exchange, where the traders are on their mobile phones... there could be a few scanners there."
The security used by GSM has been questioned since as far back as 1999. In a paper published by Lauri Pesonen from the Department of Computer Science and Engineering at Helsinki University of Technology, the GSM model is said to have been "broken on many levels".
"The GSM security model is broken on many levels and is thus vulnerable to numerous attacks targeted at different parts of an operator's network... if somebody wants to intercept a GSM call, he can do so. It cannot be assumed that the GSM security model provides any kind of security against a dedicated attacker," said Pesonen in the paper.
However, additional GSM security is unlikely to be used by the masses, according to Neil Campbell, national security manager of IT services company Dimension Data, who said companies are likely to have higher priorities.
"This is a security control like any other control -- like a firewall or a policy. An organisation needs to believe it is appropriate for their risks to implement this control. Obviously the military is one that you would expect to have a need for secure communications but I wouldn't expect there to be too many organisations in this country that would think it necessary to encrypt their mobile phone conversations," said Campbell.
SecureGSM requires Windows Mobile Phone Edition with an ARM or compatible processor running at 200MHz or better. It also requires 6MB of RAM and 2MB of storage space.
The SecureGSM application uses 256-bit, triple-cipher, layered encryption based on the AES, Twofish and Serpent ciphers. According to SecureGSM, all of these algorithms are considered 'unbreakable' and the triple layer ensures that "encrypted data is future proof". The product costs AU$249 for a single-user licence, and each 'secure' device requires a licence.
Dimension Data's Campbell said that companies thinking about implementing such a solution will need to calculate how much they could lose if their communications were intercepted.
"Share traders may need it but this is for an organisation that communicates by mobile telephone and understands that the risk of interception is generally extremely low, but that risk is completely unacceptable," added Campbell.