Most Cellular Networks Worldwide Vulnerable to Attack, Researcher Says
A German security researcher is detailing this week how the leading cellular networks worldwide are all vulnerable to attack.
Networks that use the GSM standard are vulnerable because of the way in which they handle commands, German researcher Karsten Nohl told AllThingsD on Monday. GSM networks are common throughout the world and are used in the U.S. by AT&T and T-Mobile USA.
Nohl’s studies were reported earlier by the New York Times.
Nohl, who is presenting his research in Germany on Tuesday, studied 11 countries and was able to hack into both voice and text conversations, using a seven-year-old Motorola phone along with widely available decryption software, according to the Times report.
At the heart of the vulnerability is the fact that network commands are sent in the simplest of computer code, basically amounting to a message like “I have a call for you.” A range of options for randomizing the data can easily improve the security, but Nohl said that the carriers have varied widely in how well they implement protection.
Each GSM command is exactly 23 bytes long. In most cases, Nohl said, that leaves room for carriers to send random data that makes the messages harder to intercept. However, some messages use the full 23 bytes, requiring a more sophisticated workaround to make things secure.
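The padding point above can be checked mechanically. The following is an added example, not code from Nohl or from the article: it pads short commands to 23 bytes with either a constant fill or random fill and counts how many padding bytes stay identical across frames. The frame layout (payload followed directly by fill), the 0x2B fill value, the function names and the sample payloads are assumptions made for illustration.

```python
import secrets

FRAME_LEN = 23     # every command is exactly 23 bytes (from the article)
FILL_OCTET = 0x2B  # assumption: constant fill value used for unused bytes


def _check(payload: bytes) -> int:
    """Return how many fill bytes a payload leaves room for."""
    if len(payload) > FRAME_LEN:
        raise ValueError("payload does not fit in one 23-byte frame")
    return FRAME_LEN - len(payload)


def pad_fixed(payload: bytes) -> bytes:
    """Weak setting: the unused tail is the same constant in every frame."""
    return payload + bytes([FILL_OCTET]) * _check(payload)


def pad_random(payload: bytes) -> bytes:
    """Hardened setting: the unused tail is fresh random data per frame."""
    return payload + secrets.token_bytes(_check(payload))


def predictable_padding(frames: list[bytes], payload_len: int) -> int:
    """Count padding positions whose value never changes across frames."""
    if not frames or any(len(f) != FRAME_LEN for f in frames):
        raise ValueError("expected a non-empty list of 23-byte frames")
    return sum(
        1
        for i in range(payload_len, FRAME_LEN)
        if len({f[i] for f in frames}) == 1
    )


def audit(payload: bytes, samples: int = 64) -> dict:
    """Compare both padding policies for one repeated command."""
    fixed = [pad_fixed(payload) for _ in range(samples)]
    rand = [pad_random(payload) for _ in range(samples)]
    return {
        "padding_bytes": FRAME_LEN - len(payload),
        "predictable_fixed": predictable_padding(fixed, len(payload)),
        "predictable_random": predictable_padding(rand, len(payload)),
    }


SHORT_CMD = bytes([0x01, 0x02, 0x03])  # constructed 3-byte sample command
FULL_CMD = bytes(range(FRAME_LEN))     # constructed command using all 23 bytes

if __name__ == "__main__":
    print("short:", audit(SHORT_CMD))
    print("full: ", audit(FULL_CMD))
```

A command that already fills all 23 bytes reports zero padding bytes under both policies, which is the case the article says needs a more sophisticated workaround.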
In Morocco, for example, one carrier sends messages with no attempt at encryption whatsoever.
“That doesn’t happen in Europe,” Nohl said. “However, we are still very far away from reasonable protection.”
It’s also hard to guess which networks are best-protected without studying them.
“It’s pretty unpredictable which network will be configured how,” Nohl said. While Vodafone did pretty well on its British network, its German subsidiary has a less secure network.
Nohl said the vulnerability is limited to the oldest 2G variant of the GSM networks, but since all GSM phones support the 2G network, that leaves all such phones vulnerable.
Although Nohl’s research focused on European countries, along with Morocco and Thailand, carriers elsewhere could be vulnerable unless they use better encryption than their European counterparts. Representatives for AT&T and T-Mobile USA were not immediately available for comment.
Nohl told AllThingsD that he will release a tool on Tuesday for people to check the vulnerability in their area. Nohl hopes volunteers will help quickly fill in the gaps, showing globally how vulnerable or not various networks are.