Technology Review - Published By MIT

September 2001

The Undefended Airwaves

Wireless communication could be made secure. But industry dropped the ball on encryption.

By Simson Garfinkel

Can our cell phones, laptops and pagers ever really be secure? Or are our phone calls, the data on our hard drives, and the messages that we receive inevitably going to be an open book for any suitably motivated government spy, or teenaged hacker?

Certainly, nothing can ever be 100 percent protected. Sadly, though, the makers of portable computing devices and wireless communications systems have led us down a false path by failing to make security a top priority. For more than a decade, cryptographers have possessed strong encryption techniques that could virtually guarantee that data falling into the wrong hands (through a stolen laptop, say, or an intercepted radio signal) would be impossible to decode. Unfortunately, these techniques have not made it from the lab into the mainstream.

As a culture, we have little experience with secure communications, and a lot of experience with communications security gone sour. Time and again, wireless equipment vendors and providers have been shamed by the security failings of their products. The analog cellular telephone systems of the early 1980s lacked any protection at all; a $200 scanner from Radio Shack would let you listen in on anybody's cell-phone conversation.

Rather than endow their products with strong encryption, the wireless companies turned to Washington for help. The result was the 1986 Electronic Communications Privacy Act, which effectively made it illegal to listen in on cellular-phone calls. But the legislation didn't stop snooping: after the law's enactment, House Speaker Newt Gingrich, Virginia governor Douglas Wilder and even Prince Charles all had their wireless communications intercepted.

The cellular industry paid dearly for its decision to seek security from Congress rather than cryptographers; just as phone calls were sent through the airwaves without encryption, so were the account numbers used for billing. The 1990s saw an explosive rise in the incidence of cellular fraud, with thieves sniffing account information in order to "clone" phones, that is, have one phone bill to another phone's account. According to industry estimates, phone cloning was costing the industry several hundred million dollars each year by 1997.

Unfortunately, many decision-makers have learned the wrong lesson from these chronic failings: instead of resolving to deliver more secure systems, many seem to have concluded security and privacy are elusive at best, and that scarce resources are better spent on other goals. This spells real danger as wireless devices become a greater part of our economy. All of the large-scale wireless paging and data networks deployed in the 1980s and '90s repeated the cell-phone industry's mistake and eschewed encryption. Today these networks are the basis for popular wireless products like pagers and the Palm VII personal digital assistant. Messages sent using these systems can be (and are) intercepted with ease.

What's worse, it can be nearly impossible for a consumer to make an informed decision about a product's security. Consider the Palm: all PalmOS-based computers let you make certain records "private," meaning that they shouldn't be visible unless a password is entered. This password could be enforced with encryption, but it isn't: last September, the Cambridge, MA, computer security firm @Stake announced that anyone with physical possession of a person's Palm could reverse-engineer the password.

This article is from the September 2001 issue of Technology Review.