Hacking mobile phones is hard to do
This Wired piece about some techies who discovered a major flaw in the DNS systems that underpin the Internet, and co-ordinated a mass surreptitious effort to fix it, is worth reading if you like That Sort Of Thing.
However, there’s one aspect of it which strikes me as utterly bizarre:
“The first thing I want to say to you,” Vixie told Kaminsky, trying to contain the flood of feeling, “is never, ever repeat what you just told me over a cell phone.”
Vixie knew how easy it was to eavesdrop on a cell signal, and he had heard enough to know that he was facing a problem of global significance. If the information were intercepted by the wrong people, the wired world could be held ransom. Hackers could wreak havoc. Billions of dollars were at stake, and Vixie wasn’t going to take any risks.
Andreas Gustafsson knew something was seriously wrong. Vixie had emailed the 43-year-old DNS researcher in Espoo, Finland, asking to talk at 7 pm on a hardwired line. No cell phones.
Gustafsson hurried into the freezing March evening—his only landline was the fax in his office a brisk mile walk away.
But mobile phones are protected by fairly hardcore encryption. While it’s theoretically possible to break GSM encryption, there’s no evidence of anyone actually having done so outside the lab, and the effort required to do so would be immense – while criminal gangs could muster the technology and expertise required, it’s extremely unlikely anyone in advance would realise the commercial importance of a few geeks calling each other up. CDMA encryption is harder still to break. On the other hand, tapping or bugging a landline is a trivial effort.
I know first-generation, analogue, mobile phones were easily intercepted (as Princess Diana discovered), but nobody uses them anymore, even in the US, and the events in the Wired article all took place this year. Now, Paul Vixie is a long way from an idiot when it comes to tech security issues – so is this a sign of encroaching senility on his part, with the other players indulging his whim, or are there some substantive concerns that I’m missing?
(and yes, this post should probably just have taken the format of ‘email to Alex Harrowell’…)