Please turn on JavaScript. Media requires JavaScript to play.
Security researchers demonstrate the vulnerability of the GSM system. Mark Ward and his BBC colleagues agreed to have their calls monitored
Stroll around a park making or receiving mobile phone calls and it is hard to believe that anyone could be listening in.
Who could possibly eavesdrop on your modern, digitally encrypted handset?
It should take the kind of technology and resources only available to the security services.
Yet two men wearing hoodie tops have managed to crack the system.
Karsten Nohl and Sylvain Munaut don’t look like secret agents, sitting behind their fold-out table next to a pile of old Motorola phones.
But these two security researchers have discovered a cheap, relatively simple way of intercepting mobile calls.
“We have been looking at GSM technology for a while and we find it to be pretty much outdated in every aspect of security and privacy,” said Mr Nohl.
The Global System for Mobile Communications (GSM) is the dominant cellular phone technology, used in billions of handsets around the world.
Large parts of it were developed in the 1980s and it is now vulnerable to 21st century hackers
Future attack
Mobile calls normally remain private thanks to digital encryption and because base stations rapidly change the way they identify a particular handset.
Karsten and Sylvain managed to reverse engineer the mathematical algorithm behind the encryption process, and use it decode voice calls.
Old mobile technology is proving vulnerable to powerful computers and cheap storage
The tools of their trade are a laptop and a particular model of Motorola phone whose base operating system, or “firmware” had previously been pulled apart and its details posted online.
Programmers used that information to create their own customised software, capable of displaying hidden technical information on mobile phone base stations.
The pair set up a demonstration for the BBC, in which they showed how to locate a handset, track its movements from a distance of more than 500m and steal copies of all the calls made on it.
Karsten and Sylvain say they do not plan to release their eavesdropping tools, but warned that it was only a matter of time before someone else re-created them.
That could lead to vandals, criminals and snoopers going on “war drives” – travelling around scooping up interesting conversations.
Such a situation is reminiscent of the early days of analogue mobile phones, when anyone with a radio scanner could listen in on calls.
“It’s a real concern,” said Oliver Crofton, director of Vigilante Bespoke which provides security services to high value individuals including sports stars, celebrities and chief executives.
“It will not take long for someone else to invest time and effort in this,” he said.
Vigilante Bespoke’s own experiences showed that there was already an interest in getting at the phones of the famous and powerful.
About 25% of the handsets analysed by the company are found to contain software or hardware modifications capable of reporting a phone’s location, texts and contacts, said Mr Crofton.
“We’re not talking about teenagers in a bedroom,” he said. “It’s organised crime, malicious journalists and blackmailers.”
Find and fix
The GSM Association (GSMA) said that the weaknesses found by Karsten and Sylvain related to older technologies. However, it conceded that those were still used in networks around the world.
Continue reading the main story
“Start Quote
It will not take long for someone else to invest time and effort in this.”
End Quote Oliver Crofton Vigilante Bespoke
Charles Brookson, chair of the GSMA’s security group for the past two decades, explained that when the first and second generation mobile standards were created, no-one expected them to be in use 20 years later.
“We knew that as the technology aged there was going to be more loopholes in it,” he said.
Those pioneering designers, of which he was one, also had to respect strict controls on the type and strength of encryption they could use.
“It was as strong as we could make it,” said Mr Brookson.
The GSMA was advising its 750 operator members to improve security on networks as they were upgraded, he explained.
It had also added functions that let people spot if they are connecting to a fake base station.
Despite the remaining weaknesses, Mr Brookson said he doubted that others could easily copy Karsten and Sylvain’s hack.
“Yes, the attacks are feasible but they are not exactly the sort of thing that the average person will be doing,” he said.
His view is shared by telecoms analyst Nigel Stanley who has been carrying out his own tests on mobile security.
The handsets of celebrities and sports stars are already being targeted by phone hackers
“It is relatively easy to set this up in a laboratory environment where you have controlled access to the technology,” he said.
“The issue might be if people are out and about driving in the street maybe hoping to intercept people in a real-time live environment,” he added. “I think it might be just a bit more difficult.”
He pointed out that the growing focus on mobile security by researchers and criminals was leading mobile providers to take action.
“Operators have reputational risks and they do not want to be associated with running an insecure network,” he said.
Those worried about mobile security can, if they have the right phone, force it to only use third-generation networks that use much stronger encryption.
Mobile owners can also opt for add-on software that encrypts calls to prevent eavesdropping.
Such applications are widely available for smartphones and include Redphone and Kryptos.
“The work that’s been undertaken out there in the community looking at security algorithms and technologies is actually very good,” said Mr Stanley.
“It does inform the network operators and the associations and helps them put in place a more secure infrastructure.”
EVERY word uttered in a cab could soon be recorded. Source: The Courier-Mail
EVERY word uttered in a cab could soon be recorded and stored under proposed State Government changes to the operation of taxi security cameras.
Simply opening the door or starting the meter would activate the recording of trips in an industry that claims to transport 90 million passengers in Queensland each year.
The move has alarmed civil libertarians, the state Opposition and even concerned some members of the taxi industry.
Queensland’s Privacy Commissioner Linda Matthews, who was not consulted about the proposal detailed in a Transport and Main Roads’ discussion paper, said there would be no such thing as “an anonymous taxi ride” once audio recordings were introduced.
“The public would want to be reassured the record is used for genuine law enforcement purpose and the protections that are in place should be sufficient. I guess time will tell,” she said.
When security cameras were first introduced to Queensland cabs in 2006, the recording of audio was not permitted under law for privacy reasons.
But the discussion paper states that “enabling of audio is not considered to increase any risk of breaches of privacy”.
Under the proposal, stickers in taxis would inform passengers that “security cameras and microphones are fitted, you will be photographed, conversations will be recorded”.
Once downloaded by a taxi company, the audio would be able to be held for a maximum 35 days before it had to be deleted or destroyed.
Michael Cope from the Queensland Council of Civil Liberties said the new proposal was “extraordinary and unnecessary”.
“I haven’t seen anything that justifies adding audio to the footage recorded in cabs,” Mr Cope said.
“It wasn’t considered necessary when security cameras were first introduced. You’d really need some strong evidence that it would make a difference to cabbies’ safety to justify it.”
QCCL vice-president Terry O’Gorman said audio was “a totally unjustified intrusion into people’s taxi conversations”.
“We would say that if it goes ahead, downloads should only be done on the order of a magistrate where there’s reasonable cause to think it would assist in investigating a crime,” Mr O’Gorman said.
Lee Sims, from the Cab Drivers’ Association of Queensland, who recently launched a “word of mouth campaign” against the Bligh Government, said there were already too many regulations on downloading material from security cameras.
“As far as I’m concerned we’ve gone too far with privacy and we should not have to jump through so many hoops to get access to material from the security cameras,” Mr Sims said. “A lot more fare evaders would be caught if it was easier to access downloads.”
Queensland Taxi Advisers Incorporated also raised concerns about safeguards, but spokesman John Rahilly said they supported the introduction of audio recordings.
“Greater transparency and certainty will be provided in investigations where there are conflicting statements from drivers and passengers,” Mr Rahilly said. “(But) the security and integrity of the process, especially in the area of downloading, is of paramount importance in protecting the privacy issues of all parties.”
Opposition transport spokesman Scott Emerson questioned why the discussion paper was not advertised by the State Government, with only taxi industry members aware of the document.
Submissions closed last Saturday.
Mr Emerson said it was vital the public had an opportunity to comment on an issue that had the potential to impact everyone who got into a cab.
“This would be a very significant change and it is important that the public is well and truly aware that this is being considered,” Mr Emerson said.
Top five topics raised in cabs (provided by Lee Sims, Cab Drivers Association of Queensland)
1. Personal issues, particularly relationships
2. Weather
3. Sport
4. Politics and current affairs
5. Happenings and events around the city
Mr Sims said despite the commonly held belief cabbies were barometers of social opinion, that was not really the case.
“Conversations in cabs vary greatly. Drivers are told not to initiate conversations but some do of course,” Mr Sims said.
“We do hear some very personal information, kind of like hairdressers I guess. People seem to see cabs as confessional boxes.”
RIGA – The Prosecutor General’s Office is looking into the information that surfaced last week about the covert bugging of VIP suites and conference rooms at the Radisson Blu Ridzene Hotel in Riga, reports news agency LETA. The Prosecutor General’s Office said that no petitions have been submitted yet on this matter, and that the person making the allegation, Latvia’s First Party/Latvia’s Way leader and MP Ainars Slesers, has not provided any evidence on his claims.
Slesers announced in an interview on the LNT program ‘900 sekundes’ on May 5 that Latvian intelligence services have been bugging rooms at the Ridzene hotel for several years.
Foreign embassies have so far not reacted to or turned to the Foreign Ministry over the accusations about possible covert listening devices in several hotel suites. Prime Minister Valdis Dombrovskis’ (Unity) spokeswoman, Zanda Sadre, said that Dombrovskis was on vacation, and could not comment on the issue.
President Valdis Zatlers, after a meeting with Slesers, agreed that Slesers and the Norwegian owners of the Ridzene would have to officially request the Prosecutor General’s Office to investigate the suspected bugging of rooms there.
Slesers said that the president clearly stated that “this matter must be pushed forward.” Slesers added that the Norwegians are “disturbed at the developments, and that their reaction will be harsh.”
Employees at the prosecutor’s office have contacted the director general at Ridzene, said Radisson Blu Group spokesperson Aiga Lapina. She pointed out that management at Radisson Blu Group learned about the supposed tapping of VIP suites and a conference room from the mass media, and that no one had ever heard such a thing before. “We are open to all inspections, as such information is bad publicity for the hotel,” she added.
Slesers named several hotel suites that he said were tapped, where foreign and local high-ranking officials used to stay. He said several representatives from Latvia’s intelligence agencies were prepared to testify in the case, but they required political guarantees from the next president of Latvia.
This would certainly “cause major international pressure, and that several Latvian officials might have to step down now,” said Slesers. He went on to say that President Zatlers is the only politically neutral official at the moment, but he will have to prove in the time remaining until the presidential elections whether he is prepared to tackle serious political problems, which most probably means that he will have to “lock horns with several politicians.”
Zatlers will have to find out who ordered foreign officials’ conversations tapped, and foreign intelligence services will have to be involved in investigating the matter, stressed Slesers. “We have a situation where the state is run not by politicians but intelligence services,” said Slesers.
He also claimed that Latvia’s authorities had been tapping VIP suites and the conference hall “for several years.”
This, however, brings into question Slesers’ own motives, and possible previous involvement or knowledge, in the case and in why he’s bringing out this information only now, and not years earlier.
Saeima Deputy Chairman and National Security Commission Chairman Gundars Daudze (Union of Greens and Farmers) said “It is hard to comment on the matter, because I only know what the media have reported. If Mr. Slesers indeed has proof of what he said, he should turn to the authorities, as prescribed in the law,” Daudze said.
“I believe that the matter must be tackled legally, not politically. This means that the Saeima National Security Committee does not have to review it either,” said Daudze.
SOCIAL BOOKMARKS: Delicious Digg Reddit Ask Facebook MrWong Netvouz
A 27-year-old man was arrested for allegedly trying to pick up a 15-year-old middle school student, Salinas police said today.
The man, Andrew Gaytan, was allegedly following girls near La Paz Middle School as he cruised around in a charcoal colored Mazda, officials said.
A passerby called to report the incident to police at 9:22 a.m. Wednesday. The caller told officers that they were trying to follow Gaytan and last saw him on Moreno Street talking to the 15-year-old.
Officers said that when they arrived, they found Gaytan trying to talk the girl into his car.
Their investigation revealed that Gaytan had contacted the girl three different times, police said. Officers, believing Gaytan was drunk, gave him a field sobriety test, which officials said he failed.
Gaytan was three times over the legal limit, police said.
Police booked Gaytan into Monterey County Jail on suspicion of driving under the influence and three counts of annoying a child.
Internet phones sold by Cisco Systems ship with a weakness that allows them to be turned into remote bugging devices that intercept confidential communications in a fashion similar to so many Hollywood spy movies, SC Magazine reported.
The publication quoted consultants from Australia-based HackLabs, who said customers had lost $20,000 a day from exploits, which also included attacks that forced the devices to make calls to premium phone numbers. The consultants said the underlying weaknesses were present in the default settings and could be fixed only by making changes to the phones’ configuration settings.
“The book says to shut off web services,” HackLabs’ Peter Wesley was quoted as saying, referring to the manual that shipped with the phones. “Who’s going to read all that.”
SC Magazine said that a Cisco spokesman advised users to “apply the relevant recommendations in manuals to secure their systems. There was no explanation why phones are by default open to the attacks described in the article. A more sensible policy might be to ship the phones with the features disabled and allow customers who have a specific need for them to turn them on.
The magazine didn’t name the specific make of phone, which is also susceptible to denial of service attacks. The article is here. ®
Old mobile technology is proving vulnerable to powerful computers and cheap storage
The handsets of celebrities and sports stars are already being targeted by phone hackers
