Mobile Phone Calls as Security Risk
Do you rely on your mobile phone? Do you frequently call someone or get called? Do you transmit messages or data across mobile phone networks? Maybe you shouldn’t unless you use additional security layers since mobile phone networks must be regarded as a security risk. Karsten Nohl of Security Research Labs has taken a look at Austrian mobile networks. The result is a wake-up call for companies and individuals alike. According to Nohl the local Austrian providers A1/Mobilkom, T-Mobile Österreich und Orange have not updated their networks as other operators in Europe have already. He explained that there is no sign of any additional hardening.
The transmissions of mobile phone network clients can be intercepted and decrypted with very little technical effort. The networks still use the A5/1 encryption standard which has been repeatedly broken (explained in talks at DeepSec 2007 and DeepSec 2009). In 2010 security experts were able to substantially lower the hardware requirements to eavesdrop GSM communication. In August 2011 Karsten Nohl published attacks on GPRS transmissions. Since all these threats are a purely passive attack there are no traces you can detect. You won’t notice anything at all. What was once the domain of high-level industrial espionage can now be deployed by stalkers, private investigators, burglars, competitors, and everyone who has a need for gathering information. Tightly packed office building housing many different companies are a fertile ground for intercepting phone calls, text messages and data. „Know thy neighbour and double-encrypt.“ might be a good candidate for your company motto.
Encryption-wise the successor A5/3 is still not fully deployed. Only a complete coverage with 3G (UMTS, …) or 4G (LTE, …) technologies might help (but even then the 2G network won’t go away and you have to actively block 2G mode on your clients). Another temporary security measure is to authenticate clients before every call or connection. This hot-fix was introduced in 2008 to counter some of the threats to the mobile phone networks. Austrian providers (except T-Mobile when sending text messages) do not require authentication before every call.
Some companies have already reacted to this threat, but most others are completely oblivious to the risks of mobile voice/data communication. Consider your calls and data intercepted and update your security procedures. We are not talking about theoretical attacks. Everything can be put to practice. If you want to know what danger you are facing, how attackers can attack the GSM/GPRS network and how you can defend yourself, then consider the „Attacks on GSM Networks“ workshop at DeepSec 2011.