Can our cell phones, laptops and pagers ever really be secure? Or are our phone calls, the data on our hard
drives, and the messages that we receive inevitably going to be an open book for any suitably motivated government spy-or teenaged hacker?
As a culture, we have little experience with secure communications-and a lot of experience with communications security gone sour. Time and again, wireless equipment vendors and providers have been shamed by the security failings of their products. The analog cellular telephone systems of the early 1980s lacked any protection at all; a $200 scanner from Radio Shack would let you listen in on anybody’s cell-phone conversation.
Rather than endow their products with strong encryption, the wireless companies turned to Washington for help. The result was the 1986 Electronic Communications Privacy Act, which effectively made it illegal to listen in on cellular-phone calls. But the legislation didn’t stop snooping: after the law’s enactment, House Speaker Newt Gingrich, Virginia governor Douglas Wilder and even Prince Charles all had their wireless communications intercepted.
The cellular industry paid dearly for its decision to seek security from Congress rather than cryptographers; just as phone calls were sent through the airwaves without encryption, so were the account numbers used for billing. The 1990s saw an explosive rise in the incidence of cellular fraud, with thieves sniffing account information in order to “clone” phones-that is, have one phone bill to another phone’s account. According to industry estimates, phone cloning was costing the industry several hundred million dollars each year by 1997.
Unfortunately, many decision-makers have learned the wrong lesson from these chronic failings: instead of resolving to deliver more secure systems, many seem to have concluded security and privacy are elusive at best-and that scarce resources are better spent on other goals. This spells real danger as wireless devices become a greater part of our economy. All of the large-scale wireless paging and data networks deployed in the 1980s and ’90s repeated the cell-phone industry’s mistake and eschewed encryption. Today these networks are the basis for popular wireless products like pagers and the Palm VII personal digital assistant. Messages sent using these systems can be-and are-intercepted with ease.
What’s worse, it can be nearly impossible for a consumer to make an informed decision about a product’s security. Consider the Palm: all PalmOS-based computers let you make certain records “private,” meaning that they shouldn’t be visible unless a password is entered. This password could be enforced with encryption, but it isn’t: last September, the Cambridge, MA, computer security firm @Stake announced that anyone with physical possession of a person’s Palm could reverse-engineer the password.