Readily available wireless eavesdropping kits exist for criminals to crack wireless GSM encryption on mobile phones, all for the rather bargain price of around $2000. That’s what Pat Burke, a senior vice president with Virginia-based SRA International, told Infosecurity at this week’s SC Congress in Manhattan.
Using kits that were only previously available to those with ties to intelligence agencies, Burke said that today’s relatively inexpensive intercept kits mimic cell phone tower base stations to take control of a particular device. He says that these kits can then defeat the encryption, “and take your call and manage it just like [it] was the cell tower, forwarding it on through the rest of the network”.
An individual device can be targeted, or an entire cell tower, warned Burke. The type of information that can be gathered using this method is staggering, he continued, especially if you think about how much confidential information is discussed over the phone in neighborhoods like New York’s financial district.
“What we’re trying to do is defeat that market”, said Burke, speaking about what he views to be a blossoming underground industry that will target mobile communications. “It’s really a high value target.” These targets include not only finance, but local law enforcement, legal, and other proprietary business information.
Cybercriminals, or organized crime actors, are not the only worry with respect to mobile eavesdropping; corporate espionage is another major concern.
Burke believes this threat is not one on the horizon, but one that is already upon us. He uses, as an example, the growing awareness of computer cybersecurity in mainstream society. “If you were on the inside of those investigations, you knew what was happening, but the reality is that people were not talking about it because of reputation concerns.”
The intelligence community was quite aware of what was going on during the Operation Aurora attacks, said Burke, but they were actively putting together an investigation, so there was quite a delay in making this information public. “But until this stuff became front-page news, the awareness level was not there.”
He warns, however, that enterprises should not take the same reactionary approach to securing their mobile communications, simply because a major story has yet to break on the accompanying security threats.
The SRA VP said one of the solutions to the problem is to first make organizations more aware of the threat.
We tried to modify an old axiom for the digital age added Adam Meyers, director of cybersecurity intelligence for SRA International’s cybersecurity division. “Don’t write anything down you can say on the phone; don’t say anything on the phone that you can say encrypted on the phone; and don’t say anything encrypted on the phone that you can say in person.”