X

Cell phone, VoIP technologies lack security, experts say

Speakers at security confab LayerOne say people should be careful with sensitive information while using GSM-based mobile phones and most VoIP systems.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
See full bio
Elinor Mills
2 min read

PASADENA, Calif. -- Be careful what you say over that mobile phone or VoIP system.

The most widely used mobile phone standard, GSM, is so insecure that it is easy to track peoples' whereabouts and with some effort even listen in on calls, a security expert said late on Saturday at the LayerOne security conference.

"GSM security should be come more secure or at least people should know they shouldn't be talking about (sensitive) things over GSM," said David Hulton, who has cracked the encryption algorithm the phones use. "Somebody could possibly be listening over the line."

GSM is used in Nokia and other phones from carriers AT&T and T-Mobile, for instance.

For as little as $900, someone can buy equipment and use free software to create a fake network device to see traffic going across the network.

"You can see all the cell phones connected to the base station," he said. "You can't see calls, but people associated with the calls. You can also do location tracking. If you know somebody is on the network you can see how close to the base station they are."

That is possible because the subscriber identifier, which is basically the user identification number, can easily be seen on the traffic, although the identifiers are never supposed to be transmitted in plain text, he said. "I know exactly where you are on the network."

Asked if viewing that data is legal, Hulton responded: "I'm not entirely sure."

Earlier in the day, attendees learned about issues with VoIP systems, which can reduce communications costs for corporations and consumers but typically "have little to no security," said David Bryan, senior security consultant with security firm Netspi.

VoIP systems based on open standards are not encrypting the traffic, which leaves them at risk for eavesdropping, forged or intercepted calls and bogus voice messages, he said, adding that there are numerous tools for doing that, with names like "Vomit" and "Cain and Abel."

In a live demonstration, Bryan injected an emergency broadcast in the middle of a phone conversation and recorded the call with an automated tool.

Skype does encryption, but uses a proprietary technology which means it can't benefit from outsiders dissecting the code looking for flaws, he said.

Vonage has no encryption, basically no security at all, according to Bryan.