Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Researchers plan to show today how to break the encryption that protects information sent over the General Packet Radio Service (GPRS), a standard commonly used to send data to and from mobile devices, and from other devices such as smart meters. This breach makes it possible to listen in on data communications such as e-mail, instant messages, and Web browsing on smart phones, as well as updates from automated industrial systems.

The researchers, who will make their announcement at the Chaos Communication Camp, a hacker event taking place near Berlin, Germany, previously cracked the Global System for Mobile Communications (GSM), which is used to carry calls among 80 percent of the world’s mobile phones. GPRS is an older technology that often supplements GSM, for example when faster 3G connections are unavailable. Smart phones, including the iPhone, use GPRS when operating on Edge networks (when the network connection says “E” rather than “3G”). Phones that don’t support 3G use GPRS all the time. Both GSM and GPRS are used worldwide, though in the United States some major carriers, including Verizon and Sprint, use a competing standard.

Phones might be the most familiar devices affected by the research, says Karsten Nohl, founder of Security Research Labs, a Berlin-based research consultancy that conducted the work. But the standard is also used in some cars, automated industrial systems, and electronic tollbooths. “It carries a lot of sensitive data,” Nohl says.

Security researchers haven’t looked at the GPRS standard much in the past, Nohl says, but since more and more devices are using GPRS, he believes the risk posed by poor security is growing.

Nohl’s group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren’t encrypted at all. When they were encrypted, Nohl adds, the ciphers were often weak and could be either broken or decoded with relatively short keys that were easy to guess.

The group generated an optimized set of codes that an attacker could quickly use to find the key protecting a given communication.  The attack the researchers designed against GPRS costs about 10 euros for radio equipment, Nohl says.

GPRS has not suffered very many security problems in the past, says Jukka Nurminen, a professor of data communications at Aalto University in Finland who spent 25 years at the Nokia Research Center. If the researchers have truly achieved what they claim, Nurminen says, many mobile communications could be much less secure. Depending on mobile operator and subscription plan, some devices maintain a GPRS connection at all times, particularly those whose users access e-mail and instant message applications from their phones.

However, Nurminen adds, it might be possible to mitigate the risk by encrypting communications when they are sent, using common e-mail and Web-browsing tools. He notes that GPRS security is also affected by regulations in different countries, and that some laws undermine security by requiring governments to be able to break into communications if necessary.  

The GSM Association, a London-based organization representing mobile operators, handset makers, and other industry interests, regulates GPRS as well as GSM. The organization says it is reviewing Nohl’s research but has not yet learned enough to comment.

Nohl says companies will be negligent if they ignore the risks. He suggests that mobile applications take steps now to use encryption such as SSL, which already protects much of the sensitive information sent over the Internet. Nohl hopes that cellular network companies will require better authentication among devices and base stations communicating over GPRS. He also believes the ciphers used by the standard should be upgraded.

1 comment. Share your thoughts »

Credit: Coban Group

Tagged: Communications, smart phone, encryption, communication, hack, mobile security

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me