The researchers are more than just showing off, however, saying the development could lead to new mobile Internet payment methods.
The tiny server, called the WebCamSIM and based on the MS Smart Card platform, allows an ordinary GSM phone to serve up text to computers over the Internet. Messages are sent through an SMS (Short Message Service) gateway, which translates them back and forth into a form that can be understood by machines on the Internet. The WebCamSIM server can be programmed with the software tool set for the MS Smart Card.
Kai Rannenberg, a member of the Microsoft Security Group leading the research, says the technique makes use of the encryption and security built into GSM networks and therefore represents a cheap and easy way to make secure payments over the Internet.
Rannenberg added that WebCamSIM could--theoretically--be used to serve up ordinary Web pages. "There is nothing to stop you, in practice," he says. "You could deliver a simple text page."
Microsoft's researchers have used the SIM (subscriber identity module) HTTP server to send and receive simple messages via the Internet. A digital key requiring a password is stored in the SIM card, which the phone user can use to confirm a payment or order over the Internet, said Rannenberg. A thief would need to not only steal and unlock a user's phone but then guess the identifying code to bypass the security, he said.
Security is key
Analysts agree that adequate security is fundamental to promoting confidence in mobile Internet technology. The next generation of mobile phone networks, known as UMTS (Universal Mobile Telecommunications System), or 3G (third generation), will give mobile devices much higher bandwidth, which in turn promises to inspire mobile Internet commerce services.
The security of WebCamSIM, however, can only be as strong as its weakest link, noted John Everitt, a British computer-security consultant. "The main problem is that this relies on the underlying infrastructure of mobile phone companies," he said. "It depends on how it is secured point to point."
Everitt said a weakness could be found at the point where messages are translated from SMS format.
Everitt also noted that the encryption protecting GSM is not perfect. GSM SIM cards generate a 40-bit encryption key for each phone that logs onto a network. In 1999, however, researchers at the Weizmann Institute in Israel exploited an alleged weakness in the underlying algorithm to decode GSM phone messages.
The next generation of networks will raise the stakes by using 128-bit keys, but UMTS phones will also be considerably more powerful. Rannenberg acknowledged this will complicate the situation. "This might be more dangerous with more complex phones," he said.
He also acknowledged that a mobile phone is not ideally suited to acting as a Web server. GSM mobile phones have a limited amount of memory, typically around 64 kilobytes. GSM networks also restrict phones to sending just 160 SMS characters at a time, and a user is charged for each individual message.
Nevertheless, SMS messaging has seen surprising popularity among mobile phone users in Europe. A survey carried out by the GSM Association in December estimated that more than 200 billion text messages will be sent this year alone.