BERLIN - It may be tempting to view the illegal interception of telephone voice mails, a practice that has roiled Britain and the News Corp. media empire of Rupert Murdoch, as an arcane tool employed by scofflaw journalists with friends in Scotland Yard.
But according to a study to be presented Tuesday, cellphone users in Europe and the rest of the world may be just as vulnerable as the actor Hugh Grant and other celebrities to having their personal voice mail hacked - or worse - because of outdated mobile network security.
In a study of 31 mobile operators in Europe, Morocco and Thailand, Karsten Nohl, a Berlin hacker and mobile security expert, found that many operators provided poor or weak defenses to protect consumers from illicit surveillance and identity theft.
Mr. Nohl said he was able to hack into mobile conversations and text messages and could impersonate the account identities of cellphone users in 11 countries using an inexpensive, 7-year-old Motorola cellphone and free decryption software available on the Internet. He has tested each mobile operator more than 100 times, he said, and has ranked the quality of their defenses.
He plans to present his results at a convention of the Chaos Computer Club, a hackers' group, in Berlin, where he will open the project to researchers in other countries.
In 2009 Mr. Nohl, who runs a Berlin consulting company, Security Research Labs, published the algorithms used to encrypt voice and data conversations on GSM digital networks, which are used in Europe and elsewhere.
In an interview, Mr. Nohl said he had taken care to conduct his latest research without illegally taking data or communications, intercepting only the phone transmissions of a colleague during field tests. In random tests, he said, he ended interceptions just one or two seconds after they began.
The technique he uses focuses on deciphering the predictable, standard electronic "conversations" that take place between a cellphone and a mobile network at the beginning of each call. Typically, Mr. Nohl said, as many as 40 packets of coded information are sent back and forth, many just simple commands like, "I have a call for you," or "Wait."
Most operators vary little from this set-up procedure, which Mr. Nohl said allowed him to use hacking software to make high-speed, educated guesses to decipher the complex algorithmic keys networks use to encrypt transmissions. Once he derived this key, Mr. Nohl said, he was able to intercept voice and data conversations by impersonating another user to listen to their voice mails or make calls or send text messages on their mobile accounts.
Mr. Nohl said operators could easily fix this vulnerability in the GSM system, which is found in older 2G networks used by almost every cellphone, including smartphones, with a simple software patch. His research found that only two operators, T-Mobile in Germany and Swisscom in Switzerland, were already using this enhanced security measure, which involves adding a random digit to the end of each set-up command to thwart decoding. (For example, "I have a call for you 4.")
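Whether a network applies the padding fix described above can be measured from captured signalling frames. The sketch below is an added example, not code from the article or from Mr. Nohl's project; it assumes the GSM LAPDm frame layout (23-octet frames, a length octet at index 2, unused octets filled with 0x2B when padding is not randomized), and every sample frame is constructed.

```python
"""Audit GSM signalling frames for predictable padding (added example)."""

FRAME_LEN = 23    # octets in one LAPDm frame on a signalling channel
HEADER_LEN = 3    # address, control and length-indicator octets
FILL = 0x2B       # fixed fill octet used when padding is not randomized


def padding_of(frame: bytes) -> bytes:
    """Return the fill octets that follow the information field."""
    if len(frame) != FRAME_LEN:
        raise ValueError("expected a 23-octet frame")
    info_len = frame[2] >> 2              # upper six bits hold the length
    if info_len > FRAME_LEN - HEADER_LEN:
        raise ValueError("length indicator exceeds frame size")
    return frame[HEADER_LEN + info_len:]


def audit(frames):
    """Summarise how much padding an observer could know in advance."""
    total = predictable = 0
    for frame in frames:
        pad = padding_of(frame)
        total += len(pad)
        predictable += sum(1 for octet in pad if octet == FILL)
    ratio = predictable / total if total else 0.0
    # Random padding matches FILL only about once in 256 octets.
    verdict = "randomized" if ratio < 0.1 else "predictable"
    return {"padding_octets": total, "predictable": predictable,
            "ratio": ratio, "verdict": verdict}


def make_frame(info: bytes, pad_source: bytes) -> bytes:
    """Build a constructed test frame: header, information field, padding."""
    length_octet = (len(info) << 2) | 0x01    # EL bit set, single segment
    pad = pad_source[:FRAME_LEN - HEADER_LEN - len(info)]
    return bytes([0x01, 0x03, length_octet]) + info + pad


# Constructed samples: the same short messages, padded two different ways.
MESSAGES = [b"\x06\x3f", b"\x05\x08\x11", b"\x06\x35\x01\x00"]
FIXED_PAD = bytes([FILL]) * 20
RANDOM_PAD = bytes.fromhex("9c41e07a13d85fb26604c9ee3781a05d12f36e08")
LEGACY = [make_frame(m, FIXED_PAD) for m in MESSAGES]
PATCHED = [make_frame(m, RANDOM_PAD) for m in MESSAGES]

if __name__ == "__main__":
    print("legacy :", audit(LEGACY))
    print("patched:", audit(PATCHED))
```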
"This is a major vulnerability in most networks we tested, and the irony is that it costs very little, if nothing, to repair," Mr. Nohl said. "Often it is just a question of inertia on the part of operators, or they have other priorities, such as building their networks."
Philip Lieberman, the chief executive and president of Lieberman Software, a company in Los Angeles that sells identity management software to large businesses and the U.S. government, said much of the digital technology that protects the privacy of cellphone calls had been developed in the 1980s and 1990s and is now ripe for attack.
"Your digital mobile calls are generally well protected from people like yourselves, who are not in the position to crack them," Mr. Lieberman said in an interview. "However, the technology to do this type of surveillance, which was once possible only by government intelligence agencies, is rapidly becoming affordable to more and more people."
In compiling his research, which was conducted from Sept. 1 through the past week, Mr. Nohl measured a network's vulnerability to three attacks: the interception of voice and text messages, the impersonation of a cellphone user's identity to make calls or hear voice mails and the tracking of a cellphone user's location through the Internet and the cell network. He then ranked the operators in the three categories by compiling a risk scale, with 100 percent representing the best possible security and zero representing none.
In protecting against the illicit interception of voice and text messages, the operators Orange Switzerland and TDC Sunrise in Switzerland and True Move in Thailand performed most poorly, according to his study. Deutsche Telekom's T-Mobile in Germany and Slovakia and Swisscom's Natel in Switzerland had the best security.
In preventing the impersonation and use of another's mobile account details for calling, texting or other purposes, Telefónica's O2 network in the Czech Republic, Belgacom Proximus in Belgium and Orange Switzerland provided the least security, while T-Mobile Slovakia, T-Mobile Germany and SFR in France had the best, the study showed.
In guarding against the tracking of a cellphone user's geographic position through the Internet and global positioning satellites, T-Mobile Slovakia and two Moroccan operators, Wana and Medi Telecom, had the weakest safeguards, according to the research. Vodafone Italy, T-Mobile Germany and Vodafone Germany had the best security, according to the study. The tracking of cellphone users is not tied to the interception of identities but to a network's ability to be tricked into disclosing the calling cell where the user is located.
Many operators who performed poorly in the survey did not respond to requests for comment for this article. A spokeswoman for Deutsche Telekom, Alexia Sailer, said the company declined comment because it did not have details. A spokesman for Sunrise Communications in Zurich, Tobias Kistner, said the company would study the research and make any necessary security improvements.
"GSM networks use a range of encryption and authentication technologies and other features to make it difficult for criminals to fraudulently access and/or eavesdrop on customer communications or to identify and locate customers," the association said in a statement.
Mr. Nohl said he had chosen the countries for his study based on where he and his team were able to travel. His Berlin firm advises businesses, European governments and mobile operators, he said, on how to erect better digital communication defenses.
As consumers begin using cellphones for retail purchases and online banking, the potential damage from theft may increase, he said. Generally, however, the digital security tools used by banks and retailers, Mr. Nohl said, are far superior to those used by mobile operators and should thwart most attacks.
While the research was limited mostly to Europe, Mr. Nohl, a German citizen who received a doctorate in computer science at the University of Virginia, said the level of security provided by U.S. network operators was on a par with European operators, meaning there was also room for improvement.
In Asia, the Middle East and Latin America, the level of mobile security varies widely and can be much lower. Operators in India and China, Mr. Nohl said, encrypt digital traffic poorly or not at all, either to save on the network's operating costs or to allow government censors unfettered access to communications.