Mobiles fall prey to hack attacks

Stroll around a park making or receiving mobile phone calls and it is hard to believe that anyone could be listening in.

Who could possibly eavesdrop on your modern, digitally encrypted handset?

It should take the kind of technology and resources only available to the security services.

Yet two men wearing hoodie tops have managed to crack the system.

Karsten Nohl and Sylvain Munaut don't look like secret agents, sitting behind their fold-out table next to a pile of old Motorola phones.

But these two security researchers have discovered a cheap, relatively simple way of intercepting mobile calls.

"We have been looking at GSM technology for a while and we find it to be pretty much outdated in every aspect of security and privacy," said Mr Nohl.

The Global System for Mobile Communications (GSM) is the dominant cellular phone technology, used in billions of handsets around the world.

Large parts of it were developed in the 1980s and it is now vulnerable to 21st century hackers

Mobile calls normally remain private thanks to digital encryption and because base stations rapidly change the way they identify a particular handset.

Karsten and Sylvain managed to reverse engineer the mathematical algorithm behind the encryption process, and use it decode voice calls.

The tools of their trade are a laptop and a particular model of Motorola phone whose base operating system, or "firmware" had previously been pulled apart and its details posted online.

Programmers used that information to create their own customised software, capable of displaying hidden technical information on mobile phone base stations.

The pair set up a demonstration for the BBC, in which they showed how to locate a handset, track its movements from a distance of more than 500m and steal copies of all the calls made on it.

Karsten and Sylvain say they do not plan to release their eavesdropping tools, but warned that it was only a matter of time before someone else re-created them.

That could lead to vandals, criminals and snoopers going on "war drives" - travelling around scooping up interesting conversations.

Such a situation is reminiscent of the early days of analogue mobile phones, when anyone with a radio scanner could listen in on calls.

"It's a real concern," said Oliver Crofton, director of Vigilante Bespoke which provides security services to high value individuals including sports stars, celebrities and chief executives.

"It will not take long for someone else to invest time and effort in this," he said.

Vigilante Bespoke's own experiences showed that there was already an interest in getting at the phones of the famous and powerful.

About 25% of the handsets analysed by the company are found to contain software or hardware modifications capable of reporting a phone's location, texts and contacts, said Mr Crofton.

"We're not talking about teenagers in a bedroom," he said. "It's organised crime, malicious journalists and blackmailers."

The GSM Association (GSMA) said that the weaknesses found by Karsten and Sylvain related to older technologies. However, it conceded that those were still used in networks around the world.

Charles Brookson, chair of the GSMA's security group for the past two decades, explained that when the first and second generation mobile standards were created, no-one expected them to be in use 20 years later.

"We knew that as the technology aged there was going to be more loopholes in it," he said.

Those pioneering designers, of which he was one, also had to respect strict controls on the type and strength of encryption they could use.

"It was as strong as we could make it," said Mr Brookson.

The GSMA was advising its 750 operator members to improve security on networks as they were upgraded, he explained.

It had also added functions that let people spot if they are connecting to a fake base station.

Despite the remaining weaknesses, Mr Brookson said he doubted that others could easily copy Karsten and Sylvain's hack.

"Yes, the attacks are feasible but they are not exactly the sort of thing that the average person will be doing," he said.

His view is shared by telecoms analyst Nigel Stanley who has been carrying out his own tests on mobile security.

"It is relatively easy to set this up in a laboratory environment where you have controlled access to the technology," he said.

"The issue might be if people are out and about driving in the street maybe hoping to intercept people in a real-time live environment," he added. "I think it might be just a bit more difficult."

He pointed out that the growing focus on mobile security by researchers and criminals was leading mobile providers to take action.

"Operators have reputational risks and they do not want to be associated with running an insecure network," he said.

Those worried about mobile security can, if they have the right phone, force it to only use third-generation networks that use much stronger encryption.

Mobile owners can also opt for add-on software that encrypts calls to prevent eavesdropping.

Such applications are widely available for smartphones and include Redphone and Kryptos.

"The work that's been undertaken out there in the community looking at security algorithms and technologies is actually very good," said Mr Stanley.

"It does inform the network operators and the associations and helps them put in place a more secure infrastructure."