Mobile data is easy to crack; sky falling in 3... 2... 1...
By Richi Jennings (@richi) - August 12, 2011.
It's emerged that many of the mobile data services in use today are horribly insecure -- either weakly encrypted, or not encrypted at all. The problem is that "2.5G" GPRS/EDGE is more widely used than people might think, yet many operators don't seem to care about its security. In IT Blogwatch, bloggers boggle at the implications.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: the ongoing saga of the cleavage-snuggling LEGO stormtrooper...
Dan Goodin reports:
Karsten Nohl, chief scientist of...Security Research Labs, said...virtually all of the world's cellular networks deploy insecure implementations of GPRS. ... [Either] no encryption at all...[or] crypto that's so weak that it can easily be read.
...
Nohl characterized most of the cryptographic protection...as “hopelessly out-dated.” ...[No] mutual authentication allows rogue base stations to harvest data. ... [And] short encryption keys make...rainbow tables feasible.
Why care about old technology like GPRS/EDGE? Kevin J. O'Brien explains:
GPRS networks are still widely used as backups for newer, faster 3G wireless networks, and consumers are often diverted to GPRS grids when they reach [their cap]. ... Rogers Communications...estimates that 90 percent of mobile data traffic still runs on GPRS networks.
James Delahunty adds:
[This] may have implications for industrial equipment, toll systems and other things that rely on GPRS...often the only type of connection available in remote areas.
Darlene Storm describes the CCC:
[It's] no small...shindig. Chaos Communication Camp is an international hackers' camp that takes place every four years.
...
[It] costs...about $14 for the radio equipment...to attack GPRS. ... Before you next send that naughty photo...or IM, consider the possibility that...your "sensitive" mobile device data can be cracked for cheap.
Frank "+++ATH" Hayes speaks frankly:
This being a presentation at a hacker conference, Nohl’s report includes all the information necessary to reprogram some older GSM phones so they can monitor GPRS traffic...in an effort to shame [operators] into improving their security.
...
That not only keeps M-Commerce transactions at risk but also endangers in-store use of GSM mobile phones or tablets, whether they’re serving as POS devices, checking inventory or handling any other sensitive data. ... [Lock] down that data with encryption of your own—or simply [run] everything through a VPN.
- Did Google+ ban a cleavage-snuggling LEGO stormtrooper?
- I'm with Google on cleavage-snuggling LEGO stormtrooper
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's the creator and main author of Computerworld's IT Blogwatch -- for which he has won American Society of Business Publication Editors and Jesse H. Neal awards on behalf of Computerworld. He also writes The Long View for IDG Enterprise. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: itbw@richij.com. You can also read Richi's full profile and disclosure of his industry affiliations.

