SIGINT: Few advances in GSM security

European network operators are taking their time updating their networks to close known security vulnerabilities, cryptography experts reported at the Chaos Computer Club's SIGINT 12 conference in Cologne, Germany. An analysis of 105 networks showed that only very few providers have taken effective steps against security vulnerabilities that allow third parties to, for example, pinpoint the location of mobile phones, listen to messages, and misappropriate someone else's identity. Plans are now in the works to further evaluate the gathered data with better software.

At the CCC conference 28C3 in late 2011, Karsten Nohl and his team demonstrated new security vulnerabilities affecting GSM, and launched the GSMMap project, where volunteers can submit data on the state of network operators' security in various countries. The Osmocom software serves as the foundation, collecting data on network communication with the help of a cheap mobile phone. An interactive map shows the results of the crowdsourcing project.

The results are sobering. At this point, only seven of the network providers included have implemented the A5/3 encryption standard, which fixes the problems known since 2009 to be present in the previous A5/1 standard. On other networks, these vulnerabilities can still be used to intercept GSM data and decode it almost in real time. For example, according to GSMMap project's data, none of the German network operators have switched to A5/3 yet. In Cologne, Sam May pointed out that very few mobile phones in western Europe can even handle the new standard. The figure is between 10 and 25 per cent in Germany, but over 75 per cent in Iran, Slovenia and Egypt, May said.

Things don't look much better where other security problems are concerned. A number of companies, for instance, offer to locate mobile phones – as a paid service – by using information exchanged when text messages are sent. Security researcher Luca Melette recommends a solution called home routing, in which service providers don't pass on information about a user's location and instead only indicate that they have taken over delivery of the text message. Researchers were surprised to find that certain web services could no longer locate customers of a number of network providers, but checking a less well known service told the full story: nineteen providers had simply blocked queries from the most popular location service providers, while only nine seemed to have actually fixed the vulnerability.

To make it easier to fill in GSMMap, the developers have updated the software. Instead of having to compile Osmocom themselves, users will now be able to start a preconfigured Linux distribution so that all relevant data can be read from nearby mobile network cell sites and uploaded to GSMMap in just a few steps. As well as a computer, participants also need one of three supported types of mobile phones and a data cable.

See also:

• Economical GSM base station using free software, a report from The H.
  

(Torsten Kleinz / fab)