Hacking mobile phones is hard to do

This Wired piece about some techies who discovered a major flaw in the DNS systems that underpin the Internet, and co-ordinated a mass surreptitious effort to fix it, is worth reading if you like That Sort Of Thing.

However, there’s one aspect of it which strikes me as utterly bizarre:

“The first thing I want to say to you,” Vixie told Kaminsky, trying to contain the flood of feeling, “is never, ever repeat what you just told me over a cell phone.”

Vixie knew how easy it was to eavesdrop on a cell signal, and he had heard enough to know that he was facing a problem of global significance. If the information were intercepted by the wrong people, the wired world could be held ransom. Hackers could wreak havoc. Billions of dollars were at stake, and Vixie wasn’t going to take any risks.

And later:

Andreas Gustafsson knew something was seriously wrong. Vixie had emailed the 43-year-old DNS researcher in Espoo, Finland, asking to talk at 7 pm on a hardwired line. No cell phones.

Gustafsson hurried into the freezing March evening—his only landline was the fax in his office a brisk mile walk away.

But mobile phones are protected by fairly hardcore encryption. While it’s theoretically possible to break GSM encryption, there’s no evidence of anyone actually having done so outside the lab, and the effort required to do so would be immense – while criminal gangs could muster the technology and expertise required, it’s extremely unlikely anyone in advance would realise the commercial importance of a few geeks calling each other up. CDMA encryption is harder still to break. On the other hand, tapping or bugging a landline is a trivial effort.

I know first-generation, analogue, mobile phones were easily intercepted (as Princess Diana discovered), but nobody uses them anymore, even in the US, and the events in the Wired article all took place this year. Now, Paul Vixie is a long way from an idiot when it comes to tech security issues – so is this a sign of encroaching senility on his part, with the other players indulging his whim, or are there some substantive concerns that I’m missing?

(and yes, this post should probably just have taken the format of ’email to Alex Harrowell’…)

11 thoughts on “Hacking mobile phones is hard to do

  1. You are correct that the GSM's encrption is haed to break and before yu do that you have to identfy the channel it is on and isoltae the data you want, no small tak either. It is made harder because the network doesn't use the real mobile number (IMSI) but a temporary one.

    The encryption is at the air interface level only and the connection between 2 networks or different switches on the same network isn't (usually) encrypted. However you still have to find the right channel within the various multiplexers, no meant feat in itself especially if separate C7 signalling channels are used.

    So, as you say, it is highly unlikely anyone would be able to eavesdrop unless the had access to the switches in the same way that the security authorities do it. That would imply some form of white collar crime.

  2. They do use GSM in the USA but also CDMA. CDMA is an even more compliced air interface to decode than GSM so it is difficult to eavesdrop even withoun encryption.

    Same issues apply between switches.

  3. Breaking the A5 cipher on GSM is certainly not beyond the means of a well-funded criminal enterprise. COPACABANA and similar efforts make it, if not trivial, then quite feasible.

  4. By a weird coincidence, I was sitting in a restaurant this evening and overheard a snippet of conversation from a nearby table and they were discussing this very idea. One guy claimed that his boss (I've no idea who he works for or even what sector) had placed a ban on discussing anything confidential over mobile phones because — and I quote — "apparently there's some way to hack them now".

    I don't know what he means by "hack", and I don't know if it just means his boss is exceptionally gullible. From the little I know, it's a non-issue (unless, maybe, you're the sort of person the NSA is interested in). But maybe — just maybe — some enterprising cryptologist has developed a new fangled scanner or something?

    I suspect it's bollocks, but it's weird to have encountered the idea twice in the same day.

  5. I think it's become easier to hack A5, but it's still nontrivial.

    The easiest exploit would probably be to get physical access to the device and install one of those stalkerware apps that copy all activity to a destination of your choice, or else try to spearphish the target with something that would install it.

    The latter would be difficult – Symbian has a lot of inherent security features, there have been remarkably few exploits even of Windows Mobile (it's based on Windows CE, which is significantly different from the desktop kind and is designed for, among other things, control systems applications).

    Actually, the least secure mobile OS seems to be Google Android. They discovered everything you typed into the phone, or sent to, was piped into a hidden command-line, so you could type "reboot" and the gadget would just reboot – or type rm /rf * and erase all files.

    But then, maybe the NSA is spying on Paul Vixie; he's on this social network after all!

  6. To be honest, I think this is probably what happens when intelligent and sensibly paranoid people who have no specialist knowledge of how mobile phones work spend too much time watching "The Wire". Inside the pasty head of Paul Vixie there is a little Stringer Bell, reminding him "No cell phones, ever".

  7. Snooping the signal between the phone and the tower is hard but irrelevant. It's all unencrypted within the switches. Why break through the front door of a house when all the back windows are open?

    Hypothetically of course.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.