Nohl told The New York Times that mobile operators turn off GPRS encryption "to be able to monitor traffic, to detect and suppress Skype, or to filter viruses, in a decentralized fashion." Unfortunately, that also means thieves with reprogrammed mobile phones can eavesdrop on many M-Commerce transactions made on GSM smartphones. And even if payment-card information gets its own layer of encryption, there's still plenty of other personal data that customers would probably prefer not to fall into the hands of thieves.
This being a presentation at a hacker conference, Nohl's report includes all the information necessary to reprogram some older GSM phones so they can monitor GPRS traffic that's not encrypted at all, on networks like those of Italy's mobile carriers TIM and Wind. The aim is to shame those carriers into improving their security. (He's withholding details of how to crack the encryption that's merely weak. Gosh, thanks, guy.)
In practice, it's not likely that mobile operators will start using strong encryption anytime soon, even though the networks are designed to use it. Between the desire of carriers to block Skype and the desire of governments to be able to monitor wireless data traffic easily, there's just too much on the weak-encryption side of the argument.
That not only keeps M-Commerce transactions at risk but also endangers in-store use of GSM mobile phones or tablets, whether they're serving as POS devices, checking inventory or handling any other sensitive data.
Locking down that data with encryption of your own—or simply running everything through a VPN—is a pain. But considering that what one hacker can discover, other hackers will re-create, you have to assume those reprogrammed mobile phones will be showing up soon in the hands of data thieves at a shopping mall near you.