Skip to Content
Uncategorized

Researchers Hack Mobile Data Communications

The encryption protecting mobile-device data transmission is permeable.
August 10, 2011

Researchers plan to show today how to break the encryption that protects information sent over the General Packet Radio Service (GPRS), a standard commonly used to send data to and from mobile devices, and from other devices such as smart meters. This breach makes it possible to listen in on data communications such as e-mail, instant messages, and Web browsing on smart phones, as well as updates from automated industrial systems.

Affected devices: Researchers have broken the encryption used to protect GPRS, which sends data among many smart electronic devices, including the vehicle tracking system shown here.

The researchers, who will make their announcement at the Chaos Communication Camp, a hacker event taking place near Berlin, Germany, previously cracked the Global System for Mobile Communications (GSM), which is used to carry calls among 80 percent of the world’s mobile phones. GPRS is an older technology that often supplements GSM, for example when faster 3G connections are unavailable. Smart phones, including the iPhone, use GPRS when operating on Edge networks (when the network connection says “E” rather than “3G”). Phones that don’t support 3G use GPRS all the time. Both GSM and GPRS are used worldwide, though in the United States some major carriers, including Verizon and Sprint, use a competing standard.

Phones might be the most familiar devices affected by the research, says Karsten Nohl, founder of Security Research Labs, a Berlin-based research consultancy that conducted the work. But the standard is also used in some cars, automated industrial systems, and electronic tollbooths. “It carries a lot of sensitive data,” Nohl says.

Security researchers haven’t looked at the GPRS standard much in the past, Nohl says, but since more and more devices are using GPRS, he believes the risk posed by poor security is growing.

Nohl’s group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren’t encrypted at all. When they were encrypted, Nohl adds, the ciphers were often weak and could be either broken or decoded with relatively short keys that were easy to guess.

The group generated an optimized set of codes that an attacker could quickly use to find the key protecting a given communication.  The attack the researchers designed against GPRS costs about 10 euros for radio equipment, Nohl says.

GPRS has not suffered very many security problems in the past, says Jukka Nurminen, a professor of data communications at Aalto University in Finland who spent 25 years at the Nokia Research Center. If the researchers have truly achieved what they claim, Nurminen says, many mobile communications could be much less secure. Depending on mobile operator and subscription plan, some devices maintain a GPRS connection at all times, particularly those whose users access e-mail and instant message applications from their phones.

However, Nurminen adds, it might be possible to mitigate the risk by encrypting communications when they are sent, using common e-mail and Web-browsing tools. He notes that GPRS security is also affected by regulations in different countries, and that some laws undermine security by requiring governments to be able to break into communications if necessary.  

The GSM Association, a London-based organization representing mobile operators, handset makers, and other industry interests, regulates GPRS as well as GSM. The organization says it is reviewing Nohl’s research but has not yet learned enough to comment.

Nohl says companies will be negligent if they ignore the risks. He suggests that mobile applications take steps now to use encryption such as SSL, which already protects much of the sensitive information sent over the Internet. Nohl hopes that cellular network companies will require better authentication among devices and base stations communicating over GPRS. He also believes the ciphers used by the standard should be upgraded.

Keep Reading

Most Popular

Large language models can do jaw-dropping things. But nobody knows exactly why.

And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.

OpenAI teases an amazing new generative video model called Sora

The firm is sharing Sora with a small group of safety testers but the rest of us will have to wait to learn more.

Google’s Gemini is now in everything. Here’s how you can try it out.

Gmail, Docs, and more will now come with Gemini baked in. But Europeans will have to wait before they can download the app.

This baby with a head camera helped teach an AI how kids learn language

A neural network trained on the experiences of a single young child managed to learn one of the core components of language: how to match words to the objects they represent.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.