Time To Encrypt (Again): Researcher Says Data Over Cell Networks Is Easy To Read

Many mobile-commerce transactions running on GSM smartphones are easy to intercept and monitor, according to a presentation on Wednesday (August 10) at the Chaos Computer Camp hacking conference in Germany. Cryptographer Karsten Nohl of Security Research Labs was researching how well cell-phone data was secured when he discovered that most GSM cell operators (in the U.S. that's AT&T and T-Mobile) use either weak encryption or none at all on the GPRS networks that carry their phones' data. (Newer 3G networks use better encryption, but wherever there's not enough 3G, phones fall back to GPRS.)

Nohl told The New York Times that mobile operators turn off GPRS encryption "to be able to monitor traffic, to detect and suppress Skype, or to filter viruses, in a decentralized fashion." Unfortunately, that also means thieves with reprogrammed mobile phones can eavesdrop on many M-Commerce transactions made on GSM smartphones. And even if payment-card information gets its own layer of encryption, there's still plenty of other personal data that customers would probably prefer not to fall into the hands of thieves.

This being a presentation at a hacker conference, Nohl's report includes all the information necessary to reprogram some older GSM phones so they can monitor GPRS traffic that's not encrypted at all, on networks like those of Italy's mobile carriers TIM and Wind. The disclosure is an effort to shame them into improving their security. (He's withholding details of how to crack the encryption that's merely weak. Gosh, thanks, guy.)

In practice, it's not likely that mobile operators will start using strong encryption anytime soon, even though the networks are designed to use it. Between the desire of carriers to block Skype and the desire of governments to be able to monitor wireless data traffic easily, there's just too much on the weak-encryption side of the argument.

That not only keeps M-Commerce transactions at risk but also endangers in-store use of GSM mobile phones or tablets, whether they're serving as POS devices, checking inventory or handling any other sensitive data.

Locking down that data with encryption of your own—or simply running everything through a VPN—is a pain. But considering that what one hacker can discover, other hackers will re-create, you have to assume those reprogrammed mobile phones will be showing up soon in the hands of data thieves at a shopping mall near you.