GSM phones on 3G connections vulnerable
Does this mean your GSM phone on a 3G connection is more prone to security breach? Should you be really, really worried?
Global System for Mobile Communications (GSM) is the most widely used mobile phone protocol, with about 80% of all mobile phones using it worldwide. Some of the well-known networks providing GSM phones in the USA are AT&T and T-Mobile.
A breach could mean someone eavesdropping on your calls and finding out confidential personal information such as your bank account or Social Security number.
The worrisome news came to light a little more than two weeks ago when a researcher found that for less than $30,000 anyone can build a system to break into the A5/1 and A5/2 based GSM system. The more secure A5/3 system that the 3G connections are based on was also found to be vulnerable. And sure enough, the Israeli team showed just that.
The system the Israeli team developed is able to break the security of any 3G GSM connection within two hours. We can take comfort that this is not practical in real life and GSM systems have not suddenly become more vulnerable. But, what the team has shown is that the A5/3 system, which is based on KASUMI, a much weaker form of another encrypting method called MISTY is not strong enough for 3G systems.
In other words, your 3G GSM connection is not immediately vulnerable, but could become vulnerable in the future. This report does not effect 3G connections that don't use GSM technology.
The report did not intend to either scare consumers from giving up GSM phones, nor is it a handout to potential criminals. It seems like it was meant to influence the GSM designers to move to a stronger encryption system, possibly based on the stronger MISTY method, which will make future GSM systems more robust.
A clear lesson from these two reports is that no matter how insulated we would like to be from the technical nitty-gritty of the gadgets we use, we have no choice but to be aware of at least the security aspects surrounding them. Even a small breach could result in personal liabilities, and an infringement on professional secrets.