The GSM handsets owned by as many as 80 percent of mobile phone users worldwide may be vulnerable to a new wave of sophisticated hacker attacks, according to a new study from Security Research Labs.
The Berlin-based SRL's tests, which were conducted in 11 countries, demonstrate that sophisticated cyber criminals would not find it difficult to intercept, track and impersonate the activities of GSM handset users.
Other security experts have questioned whether the threat is significant, due to the sophistication of the techniques required to launch GSM attacks, which places the technology beyond the reach of most individuals. However, SRL head Karsten Nohl warned that no one should underestimate the level of the threat that GSM handset users now face.
"We have seen university students implement GSM cracking equipment within a week using only scrap parts and free software from the Internet," Nohl said in an e-mail Tuesday.
"While an engineering background certainly is 'beyond the abilities of most individuals,' there are still millions of tech-savvy kids out there that could turn into GSM hackers overnight," Nohl said.
All GSM Networks Vulnerable
Nohl said he had already succeeded in hacking into the personal phone of a consenting colleague using a GSM handset on 30 different networks in nine European Union member states, as well as three networks in Morocco and four in Thailand.
Though SRL did not conduct any network vulnerability tests within the United States, Nohl noted that American carriers such as AT&T and T-Mobile use the same GSM technology found elsewhere in the world. So far, however, few wireless carriers around the world have elected to employ a simple patch that would eliminate this security vulnerability.
Though the extent to which GSM handset users are protected from impersonation, interception and tracking attacks varies widely among the wireless carriers already tested, all of the systems Nohl tested were vulnerable to some extent.
What's more, the requisite tools for cracking GSM security keys and analyzing GSM voice traffic are available for download over the Internet. For example, a programmable radio can be used in tandem with the GnuRadio tool to record GSM over-the-air data.