Back in December of 2009,I wrote about a presentation at the Chaos Communications Conference that described a proof of concept attack against the encryption mechanism used in the GSM cellular telephony standard, and suggested that both voice calls and text (SMS) messages were vulnerable to interception. As is fairly typical, the service providers claimed that the attack was “a long way from being a practical attack on GSM”. A year later, at the next Chaos Communications Conference, the same researcher, Karsten Nohl, demonstrated the interception and decryption of GSM messages, using only cheap cell phones and a laptop computer.
The Technology Review has a report that Mr. Nohl and some of his associates have now presented an attack against another cellular protocol, the General Packet Radio Service [GPRS]. GPRS is a data transmission standard that is used by some pre-3G cellular devices, and also by 3G phones operating on Edge networks,
Researchers plan to show today how to break the encryption that protects information sent over the General Packet Radio Service (GPRS), a standard commonly used to send data to and from mobile devices, and from other devices such as smart meters. This breach makes it possible to listen in on data communications such as e-mail, instant messages, and Web browsing on smart phones, as well as updates from automated industrial systems.
Phones are probably the most common devices that use GPRS, but the standard is used in some industrial control systems and electronic toll systems, too. The encryption that protects GPRS transmissions is weak, except in some countries where it is non-existent. The equipment to implement the attack can be obtained for about € 10 ($ 14). The researchers suggest that the encryption algorithms used in GPRS be upgraded; some applications may be able to implement their own encryption by using protocols such as SSL.
The GPRS standard is administered by the same industry association, the GSM Association, that manages GSM. Their reaction to the announcement is not particularly surprising.
The organization says it is reviewing Nohl’s research but has not yet learned enough to comment.
Giver the increasing use of wireless technology in a wide variety of applications, we must hope that their education does not take too long.