We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Researchers Hack Mobile Data Communications

The encryption protecting mobile-device data transmission is permeable.

Researchers plan to show today how to break the encryption that protects information sent over the General Packet Radio Service (GPRS), a standard commonly used to send data to and from mobile devices, and from other devices such as smart meters. This breach makes it possible to listen in on data communications such as e-mail, instant messages, and Web browsing on smart phones, as well as updates from automated industrial systems.

Affected devices: Researchers have broken the encryption used to protect GPRS, which sends data among many smart electronic devices, including the vehicle tracking system shown here.

The researchers, who will make their announcement at the Chaos Communication Camp, a hacker event taking place near Berlin, Germany, previously cracked the Global System for Mobile Communications (GSM), which is used to carry calls among 80 percent of the world’s mobile phones. GPRS is an older technology that often supplements GSM, for example when faster 3G connections are unavailable. Smart phones, including the iPhone, use GPRS when operating on Edge networks (when the network connection says “E” rather than “3G”). Phones that don’t support 3G use GPRS all the time. Both GSM and GPRS are used worldwide, though in the United States some major carriers, including Verizon and Sprint, use a competing standard.

Phones might be the most familiar devices affected by the research, says Karsten Nohl, founder of Security Research Labs, a Berlin-based research consultancy that conducted the work. But the standard is also used in some cars, automated industrial systems, and electronic tollbooths. “It carries a lot of sensitive data,” Nohl says.

Security researchers haven’t looked at the GPRS standard much in the past, Nohl says, but since more and more devices are using GPRS, he believes the risk posed by poor security is growing.

Nohl’s group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren’t encrypted at all. When they were encrypted, Nohl adds, the ciphers were often weak and could be either broken or decoded with relatively short keys that were easy to guess.

The group generated an optimized set of codes that an attacker could quickly use to find the key protecting a given communication.  The attack the researchers designed against GPRS costs about 10 euros for radio equipment, Nohl says.

GPRS has not suffered very many security problems in the past, says Jukka Nurminen, a professor of data communications at Aalto University in Finland who spent 25 years at the Nokia Research Center. If the researchers have truly achieved what they claim, Nurminen says, many mobile communications could be much less secure. Depending on mobile operator and subscription plan, some devices maintain a GPRS connection at all times, particularly those whose users access e-mail and instant message applications from their phones.

However, Nurminen adds, it might be possible to mitigate the risk by encrypting communications when they are sent, using common e-mail and Web-browsing tools. He notes that GPRS security is also affected by regulations in different countries, and that some laws undermine security by requiring governments to be able to break into communications if necessary.  

The GSM Association, a London-based organization representing mobile operators, handset makers, and other industry interests, regulates GPRS as well as GSM. The organization says it is reviewing Nohl’s research but has not yet learned enough to comment.

Nohl says companies will be negligent if they ignore the risks. He suggests that mobile applications take steps now to use encryption such as SSL, which already protects much of the sensitive information sent over the Internet. Nohl hopes that cellular network companies will require better authentication among devices and base stations communicating over GPRS. He also believes the ciphers used by the standard should be upgraded.

Get stories like this before anyone else with First Look.

Subscribe today
Already a Premium subscriber? Log in.

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus ad-free web experience, select discounts to partner offerings and MIT Technology Review events

    See details+

    What's Included

    Bimonthly magazine delivery and unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.