Cell phone crypto aims to baffle eavesdroppers

Windows-based GSM phones encrypt transmissions to prevent conversations from being intercepted and overheard.

Munir Kotadia Special to CNET News
An Australian company last week launched a security tool for GSM mobile phones that encrypts transmissions to avoid eavesdroppers.

GSM, or Global System for Mobile Communications, is one of the most popular mobile phone standards and is built to provide a basic level of security. However, for more than five years the security has been "cracked," and commercial scanners that can emulate GSM base stations are becoming more common. That prompted Melbourne-based SecureGSM to launch its encryption tool at the CeBit exhibition in Sydney last week.

Roman Korolik, managing director of SecureGSM, said that because GSM security was cracked so long ago, there was a lot of information and equipment available that could be used for intercepting GSM calls.

"There are devices available for interception and decoding (GSM calls) in real time...Although they are, strictly speaking, illegal in most countries, you can buy them," said Korolik, who believes that these scanners are already being used to intercept sensitive calls. "You can imagine that in places like the stock exchange, where the traders are on their mobile phones...there could be a few scanners there."

The security used by GSM has been questioned since at least 1999. In a paper published by Lauri Pesonen of the Department of Computer Science and Engineering at Helsinki University of Technology, the GSM security model was described as "broken on many levels."

"The GSM security model is broken on many levels and is thus vulnerable to numerous attacks targeted at different parts of an operator's network...If somebody wants to intercept a GSM call, he can do so. It cannot be assumed that the GSM security model provides any kind of security against a dedicated attacker," Pesonen wrote in the paper.

However, additional GSM security is unlikely to be used by the masses, according to Neil Campbell, national security manager of IT services company Dimension Data, who said companies are likely to have higher priorities.

"This is a security control like any other control--like a firewall or a policy. An organization needs to believe it is appropriate for their risks to implement this control. Obviously the military is one that you would expect to have a need for secure communications, but I wouldn't expect there to be too many organizations in this country that would think it necessary to encrypt their mobile phone conversations," said Campbell.

SecureGSM requires Windows Mobile Phone Edition with an ARM or compatible processor running at 200MHz or better. It also requires 6Mb of RAM (random access memory) and 2MB of storage space.

The SecureGSM application uses 256-bit, triple cipher, layered encryption based on AES, Twofish and Serpent ciphers. According to SecureGSM, all of these algorithms are considered "unbreakable" and the triple layer ensures that "encrypted data is future proof." The product costs $188 (AU$249) for a single-user license, and each "secure" device requires a license.

Dimension Data's Campbell said that companies thinking about implementing such a solution will need to calculate how much they could lose if their communications were intercepted.

"Share traders may need it, but this is for an organization that communicates by mobile telephone and understands that the risk of interception is generally extremely low, but that risk is completely unacceptable," Campbell said.

Munir Kotadia of ZDNet Australia reported from Sydney.