Wednesday, January 5, 2011

The new heist - your conversations and text messages

The good guys strike again.  I have said before that technology functionality typically outpaces the ability to secure it.  Good guys are constantly trying to think like the bad guys to expose weaknesses that put you at risk.

Also, the term "hacker" has been hijacked and is associated with bad guys.  A hacker is someone who knows how to break into a system to override it.  This skill can be used for good, or for evil.  It's at the hands of the person's moral compass.

Two cybersecurity good-guy hackers worked on cell phone vulnerabilities for roughly a year designing ways to think like bad guys to see if they could steal text messages.  They recently accomplished this feat and showed how they could steal text messages from any phone within 20 seconds.  Wow!

The demonstration:
1.  The hacker sends a ghost text message  to a target phone which does NOT show up on the phone
2.  By sending the message to the target phone, they are able to obtain the unique id number on the phone
3.  Once they grab the id number, the recorded phone conversations and texts from that phone
4.  The demonstration took place on the GSM Network which houses roughly 80% of all phones globally. (GSM - Global System for Mobile)

So, is this affordable or scalable?  What was the cost of the technology?  You'll be surprised:
Roughly 36 British Sterling for the 4 Motorola phones ($56.09 US) and some sweat equity in programming.

The good-guy hackers did this as a wake up call to the mobile security industry.  It should also be a wake up call to consumers, businesses, and government agencies.

Great quote from one of the researchers pulled from the Security News Daily:
“This is all a 20-year-old infrastructure, with lots of private data and not a lot of security,” Karsten Nohl.

Sources:
"Cybersecurity Experts Create Program That Steals Text Messages", Matt Liebowtiz, Security News Daily, January 4, 2011.

"GSM Phones Vulnerable to Hacking, Claim Researchers", John Plunkett, The Guardian, December 31, 2010.

No comments:

Post a Comment