May 17, 2008 7:33 PM PDT

Cell phone, VoIP technologies lack security, experts say

Posted by Elinor Mills

PASADENA, Calif. -- Be careful what you say over that mobile phone or VoIP system.

The most widely used mobile phone standard, GSM, is so insecure that it is easy to track people's whereabouts and, with some effort, even listen in on calls, a security expert said late on Saturday at the LayerOne security conference.

"GSM security should become more secure or at least people should know they shouldn't be talking about (sensitive) things over GSM," said David Hulton, who has cracked the encryption algorithm the phones use. "Somebody could possibly be listening over the line."

GSM is used in Nokia and other phones from carriers AT&T and T-Mobile, for instance.

For as little as $900, someone can buy equipment and use free software to create a fake network device to see traffic going across the network.

"You can see all the cell phones connected to the base station," he said. "You can't see calls, but people associated with the calls. You can also do location tracking. If you know somebody is on the network you can see how close to the base station they are."

That is possible because the subscriber identifier, which is basically the user identification number, can easily be seen on the traffic, although the identifiers are never supposed to be transmitted in plain text, he said. "I know exactly where you are on the network."

Asked if viewing that data is legal, Hulton responded: "I'm not entirely sure."

Earlier in the day, attendees learned about issues with VoIP systems, which can reduce communications costs for corporations and consumers but typically "have little to no security," said David Bryan, senior security consultant with security firm Netspi.

VoIP systems based on open standards are not encrypting the traffic, which leaves them at risk for eavesdropping, forged or intercepted calls and bogus voice messages, he said, adding that there are numerous tools for doing that, with names like "Vomit" and "Cain and Abel."

In a live demonstration, Bryan injected an emergency broadcast in the middle of a phone conversation and recorded the call with an automated tool.

Skype does encryption, but uses a proprietary technology, which means it can't benefit from outsiders dissecting the code looking for flaws, he said.

Vonage has no encryption, basically no security at all, according to Bryan.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

5 comments
by CyloBob May 18, 2008 12:54 AM PDT
These so-called experts are just headline grabbing. I agree on the Vonage Voice, obviously they haven't cracked Skype and what is the use of looking at the subscriber identifiers on a mobile phone call? You can't see or know who the user is, all you know is that there are some cell phones connected to the base station. The IMSI is a 15-digit identifier that does not contain the subscriber's telephone number. I can see encrypted data on a cable TV channel, but I can't see the picture....
by ynotbecreative May 18, 2008 10:36 AM PDT
A lot of the VoIP security issues revolve around the fact that the telcos make it nearly impossible for a non-telco to innovate anything related to the phone. The sad fact is that those very same telcos have no desire, except when necessary, to innovate or apply those innovations to anything.

Secondly, standard POTS telephone service is not secure at all, so to trounce on VoIP is only telling half of the story.

Another thing to consider is the government wants access to lines, which means whenever a company tries to make a secure form of anything, they get a nice little microscope in their face and anything they are doing.

Be balanced - you're a journalist. Tell the whole story. Allow the reader to make his or her own conclusions. Your premise is right - security is lax on these forms of communication, but that is the case for more than just what you write, yet you write it as if these are the only insecure forms out there. That is deceptive, and divisive. Lastly, don't make public the tools for doing exactly what you say is wrong. It makes you appear just as blackhat as those you wish to warn people about. You have just become the enabler for those that wanted to do it, but were not sure of how to begin. This makes you just as much at fault - maybe not legally, but ethically.
by m.afshari May 18, 2008 12:41 PM PDT
How true is it on cracking or hacking into the GSM connections? I personally do not believe it's that simple? I know that GSM uses 128 Bit encryption for transmitting information and 128 nowadays is nothing!! But give more reference to this topic and open the discussion?
by nicceg May 18, 2008 12:57 PM PDT
The analog telephone system is very secure and simple to attack.
GSM is 15 years old, but I still think it is enough to stop most of the attacks.
by acwebsolutions May 19, 2008 9:20 PM PDT
The functioning of wireless VoIP phones is similar to that of regular VoIP phones, but wireless VoIP phones combine VoIP technology and Wi-Fi (wLAN) systems. Users need to be in the range of the wireless node in order to make and receive calls. And when they are in the Wi-Fi's reach, they are able to do a lot of the same calling functions enabled by regular desktop VoIP phones. When one is already equipped with a wireless local area network as well as VoIP phones, adding wireless VoIP phones can be a logical step.

Wireless VoIP phones are also known as VoWLAN or voice over wireless local network areas and Wi-Fi phones. The working of wireless VoIP phones involves a data network to which Wi-Fi equipment is connected. The network itself can either be independent, or connected to the Internet or the public phone system. The equipment enables high-speed wireless connection to unlimited access points.

Each access point has an antenna to catch the signal from the Wi-Fi equipment and broadcast it in a 300-foot radius or a hot spot. Within the radius all Wi-Fi enabled laptops, personal digital organizers and wireless phones can tune into the signal.

In wireless VoIP phones, the voice is converted into segments of data for transmission from the phone antenna to the Wi-Fi radio waves and then received by the data network. Here the data segments reverse the process to reach an extension or the traditional phone network. In other words, an extension can be carried around.

Although there is no argument about wireless VoIP phones being advantageous, they have their share of shortcomings as well. For one, they cannot yet completely replace hard-wire VoIP phones mainly due to lack of reliability and the limited functions of wireless phones currently available in comparison to desktop phones.

However the biggest disadvantage in wireless VoIP phones is the limit on the number of simultaneous calls that can be made. The maximum number of calls in each wireless system cannot exceed five or ten. This seriously undermines its call handling capability in a large corporate environment.

Nevertheless, the dramatic reduction in operational costs has made it possible for wireless operators with high quality compressed VoIP to bring the ease and comfort of cordless calling to the VoIP world. Moreover, phones like the ones from Panasonic http://www.panateldirect.com are a very good add-on.