Skip to main content

Mobile phones face mounting security risks in 2011

All Wi-Fi-enabled phones are vulnerable to a variety of hacking risks via sidejacking tools, Amy Gahran says.
All Wi-Fi-enabled phones are vulnerable to a variety of hacking risks via sidejacking tools, Amy Gahran says.
STORY HIGHLIGHTS
  • Wired.com reported phones on GSM networks are vulnerable to remote-controlled disabling
  • In the US, the main GSM networks are for wireless carriers AT&T and T-Mobile
  • With $15 worth of gear and a little expertise, eavesdropping is possible over GSM networks
RELATED TOPICS

Editor's note: Amy Gahran writes about mobile tech for CNN.com. She is a San Francisco Bay Area writer and media consultant whose blog, Contentious.com, explores how people communicate in the online age.

(CNN) -- Expect mobile phone security to become a hot topic in 2011, with vulnerabilities emerging for complex smartphones and simple "feature phones" alike.

This week, the technology security firm McAfee listed mobile devices among its top targets for emerging threats in 2011.

What do mobile security problems look like? Wired.com reports that many popular feature phones operating on GSM networks (the world's most popular mobile network standard) are vulnerable to remote-controlled disabling or damage via the "SMS of Death." This is according to a presentation by German researchers at this week's Chaos Computer Club Congress in Berlin.

In the U.S., the main GSM networks are for wireless carriers AT&T and T-Mobile.

Researchers Collin Mulliner and Nico Golde set up a GSM network in their lab to see what happens when popular handset models receive a variety of damaging payloads transmitted via SMS text messages.

According to Wired: "The result was bugs, and plenty of them... In the worst cases, the message would disconnect the phone and force it to reboot without registering the fact of the message's receipt -- in most cases forcing the operator's network to continue sending the message and triggering the shutdown cycle again. Fixing the problem required putting the SIM card into a new, unsusceptible phone. In the other cases, the payload-laden messages forced the phones' interfaces to shut down, and disconnected the devices from the network."

"At first glance, these problems appear to be relatively minor compared to the botnet or trojan susceptibilities of smartphones. But these simple attacks could cause serious problems, potentially for a single well-chosen target, or -- more disturbingly -- if launched on a large scale. This could be relatively easily done."

This problem is exacerbated by the fact that inexpensive feature phones, on which more than 75% of US mobile users rely, rarely get firmware updates. This leaves feature phones especially vulnerable to attacks, even from exploits that have been well known and well publicized for a long time. By contrast, smartphone firmware tends to get updated fairly regularly.

Another security problem discussed at this conference: Eavesdropping on mobile phone calls over GSM networks is now much easier and cheaper, with $15 worth of gear and a little expertise.

Wired reported that researcher Karsten Nohl and programmer Sylvain Munaut demonstrated "a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network 'sniffers,' a laptop computer and a variety of open source software."

Wired notes that the network-sniffing devices that law enforcement agencies have been using cost around $50,000. However, "this pieced-together hack takes advantage of security flaws and shortcuts in the GSM network operators' technology and operations to put the power within the reach of almost any motivated tech-savvy programmer."

Smartphone users may be somewhat less vulnerable to the SMS of Death, but all Wi-Fi-enabled phones (just like Wi-Fi-enabled laptops) are vulnerable to a variety of hacking risks via sidejacking tools like Firesheep.

In October, GigaOm advised: "Many smartphone owners are accessing the web via Wi-Fi hotspots, but those devices have the best protection against hackers in their 3G or 4G connections. As tempting as using the free Wi-Fi may be, the safest way to connect to the web is using the phone's integrated 3G/4G data connection."

[TECH: NEWSPULSE]

Most popular Tech stories right now