Mobile carriers failed to use tech fixes to thwart spying -expert
By Jim Finkle
Dec 27 (Reuters) - The world's mobile phone carriers have failed to implement technology fixes available since 2008 that would have thwarted the National Security Agency's ability to eavesdrop on many mobile phone calls, a cyber security expert says.
Karsten Nohl, chief scientist with Berlin's Security Research Labs, told Reuters ahead of a highly anticipated talk at a conference in Germany that his firm discovered the issue while reviewing security measures implemented by mobile operators around the world.
Nohl also told Reuters that the carriers had failed to fully address vulnerabilities that would allow hackers to clone and remotely gain control of certain SIM cards. Those vulnerabilities were pointed out in July.
While the German cryptologist criticized carriers for failing to implement technology to protect customers from surveillance as well as fraud, he said he does not think they did so under pressure from spy agencies.
"I couldn't imagine it is complicity. I think it is negligence," he said. "I don't want to believe in a worldwide conspiracy across all worldwide network operators. I think it is individual laziness and priority on network speed and network coverage and not security."
A spokeswoman for the GSM Association, which represents about 800 mobile operators worldwide, said she could not comment on Nohl's criticism before seeing his presentation on the topic at the Chaos Communications Congress in Hamburg, Europe's biggest annual conference on hacking, security and privacy issues.
Nohl uncovered the issue while working on a project known as the GSM Security Map, which evaluates security of mobile operators around the globe. The map, which can be found at www.gsmmap.org, is partially funded with a grant from the U.S. government's Open Technology Fund, according to Nohl.
None of the carriers surveyed had implemented measures for thwarting a method that allows the NSA to eavesdrop on most mobile calls by unscrambling a widely used encryption technology known as A5/1, Nohl said. Continued...