/vnd/media/agency_attachments/bGjnvN2ncYDdhj74yP9p.png)
/vnd/media/media_files/2025/09/26/vnd-banner-2025-09-26-11-20-57.jpg)
Flexilis, a US-based security firm, created a flutter when it revealed that
it was able to access the confidential data on more than 50 Hollywood
celebrities who had assembled at the Oscar Ceremony recently. John Hering, one
of the company's founders, himself carried out the operation with scanning
software and a powerful antenna hidden into a backpack. Recently, mobile phone
account of hotel heiress Paris Hilton was hacked from T-Mobile's website. And
way back in October 2003, an Israeli team broke into cellphone calls on some GSM
networks and listened to the conversation and even took on a caller's
identity. They cracked the A5 algorithm that is widely used to encrypt the
calls. The GSM Association said that it was "not worried."
Mobile security is at risk. Mobile thefts, hacking of data stored in the
phone, virus, and worm attacks and mobile spam can take place any time. Of late,
cloning or subscription frauds have also come to the fore. At a time when
service providers are busy deploying new data services to increase their ARPU,
the degree of vulnerability of their networks in terms of security has increased
manifold. Any security breach can result in leakage of customers' information-personal
or business content-stored on the device. This assumes greater importance for
those service providers who are implementing enterprise mobile network. High-end
handsets loaded with features like camera are more at risk considering that most
of the senior executives who use these phones carry valuable and business
sensitive information.
According to US Secret Service, financial crimes division, telecom fraud
losses are pegged at more than $1 billion annually. Cloning of handsets is one
of the largest markets for these frauds. Vodacom, a South African operator,
spends over $20 million annually on tackling handset thefts and frauds. More
than the lost handset, it is the security of valuable data on the phone that is
more important.
/vnd/media/post_attachments/031bfa7da7c5c1a49ebf4bdbf32d6f6bae931f2ea7bae482ccf40935a93d4371.jpg)
Charles
Brookson, chairman, security group, GSM Association while addressing a recent
GSM Conference in Goa said that some of the algorithms that were developed
during the 1980s have been compromised resulting in security threats. Brookson
also mentioned that the authentication algorithm COMP128-1, which was broken a
long ago, is still being used.
The Stakeholders
It is difficult to put the onus of mobile security on a particular entity,
considering the multiple players involved in the entire spectrum. Handset
vendors, mobile processor vendors, SIM vendors, OS vendors, service providers,
enforcement agencies, retailers, and users are some of the stakeholders in the
security. All these stakeholders, though concerned about mobile security,
largely work in isolation and there is hardly any effort to bring them together
for addressing this issue. The greatest responsibility of security lies with the
handset vendors, together with the mobile-processor manufacturers. Most of the
handset vendors are yet to move beyond the basic security features like PIN
(personal identification number), which has not been tamperproof. Intel and
other chip vendors have been instrumental in developing technologies to secure
the networks and the devices. Anti-virus vendors have also jumped into the fray
to take desktop-level security to the mobile devices. Companies like Trend
Micro, Semantec, F-Secure, and others have products that aim to secure the
devices from virus and worm attacks. Trend Micro claims to protect mobile
devices from new threats in 'real time'. It also allows users to scan
storage devices inserted into supported phones and also initiate scans manually.
/vnd/media/post_attachments/94106790e2c2692e72bedcdc4357fb97c41682221c3ceb88f491dd1c4d913da2.jpg) | /vnd/media/post_attachments/53bb06c5ad4da1ab72588a1c99e50bede2410e9abd7d318095ff188f89df5919.jpg) | /vnd/media/post_attachments/e289cd3de87985f0fca9471d56b0a268791fc02be7b0065d3910526321b244b8.jpg) | /vnd/media/post_attachments/5feba4488b2c835826345c15898d09f2207f26e92bd7c0a46d468761a2df5ea1.jpg) |
Disinfection of Cabir.A with F-Secure anti-virus for Symbian | When user clicks on the caribe.sis in the phone messaging inbox, the phone will display a warning dialog | If user clicks yes, the phone will ask normal installation questions | If user clicks yes the Cabir worm will activate and show a dialog that contains the name that virus author wants to give to the worm and the authors initialias and group initial 29A |
But most of these vendors have solutions specific to a particular handset
model, which support specific operating systems (OS), which is a great hurdle.
For example, F-Secure has products for Nokia's Series 60 platform and the
Nokia 9200 Communicator, and Pocket PCs only. Similarly, Symantec also provides
support for Nokia 9500 Communicator and the 9300 smartphone. OS companies like
Symbian claim to minimize the risk of attack by advanced security within the OS
itself and the use of application-signing schemes. Surprisingly, most of the
mobile OS vendors do not provide security updates on their websites as opposed
to the desktop OS vendors. Incidentally, according to Microsoft, (which is
specific to Windows Mobile OS) updates, whether critical or voluntary, must come
directly from the manufacturer. This is surprising, as it leaves users with
little choice in getting security updates.
The Initiatives So Far
Security Group of the GSM Association has taken two initiatives during the
last two years. First it introduced AS/3, a new GSM security algorithm that
further enhances the AS algorithm and ensures security between base station and
terminals. Sensing an increased vulnerability, the group aims to deploy the
latest algorithms such as 3GSM algorithm security multi-band terminals.
Secondly, it also has plans to deploy security protocol known as authentication
key agreement (AKA) that will be applicable to all mobiles, regardless of
standards (3GPP or 3GPPl). This is considered to be an important step towards
security inter-standard international roaming. Future security plans of the
group are aimed at addressing the GPRS security. The group will also work with
handset manufacturers for
greater security.
Qualcomm claims that the noise-like signature of a CDMA signal over the air
interface makes eavesdropping very difficult. This, according to Qualcomm, is
due to the CDMA Long Code, a 42-bit PN (pseudo-random noise of length 242-1)
sequence, which is used to scramble voice and data transmissions. Texas
Instruments, Orange, and Trusted Logic recently demonstrated a new wireless
security handset mechanism aimed at eliminating unauthorized handset use and
fraud.
Indian Scenario
There have been incidents of phone theft and SIM cloning in the recent past.
"Though all these security systems are available but with the advancement
of technology, there is always a risk," according to Naresh Malhan, COO,
Delhi, Rajasthan, Tata Teleservices. Talking about his experience he said,
"Tata Teleservices will never allow/share the database of its users with
any other organization. Hence there has never been/can never be any spam except
in the form of messages/calls through random generation of number/calls. We have
not come across any mobile virus case till date."
/vnd/media/post_attachments/8e7520b85998fbd3280a1146fabdcc267ca4d6f8dd8432ebd9a90670f0d1f772.jpg) | /vnd/media/post_attachments/e1f78af4df5ac9e121f69e000fd6cd786c3bfbd5e0b04d82b26c92d985e10f7c.jpg) |
Naresh Malhan, COO, Tata Teleservices | Charles |
Surprisingly, service providers have not been forthcoming in educating the 40
million plus mobile users on ways to communicate securely over a mobile network
and on what to do in the event of a handset theft, SIM cloning, virus attacks,
etc.
TRAI started the consultation process in January 2004 and issued a paper. The
regulator wanted to 'evolve a regime to disincentivise theft of handsets
through legislation and other policies'.
The enforcement agencies are groping in the dark, and are yet to come out
with a concrete mechanism to check the theft of handsets. Perhaps, they need to
take a leaf out of the initiatives taken by the UK government in enforcing the
Mobile Telephones (Re-programming) Act 2002, which considers it a criminal
offence to change the international mobile equipment identification (IMEI)
number of a phone and to possess, supply, or offer to supply equipment for that
purpose. Those indulging in such activities can face imprisonment for up to five
years.
Conclusion
There is an urgent need for handset manufacturers to spend on R&D to
make handsets more secure. The chances of networks not being encrypted is high,
considering that the GSM standard was originally designed for Western Europe,
and European export regulations forbid the use of algorithm technology outside
Europe. There should be a concerted effort by ITU, and GSMA together with other
standards-making bodies like ETSI to evolve a mechanism for universal
implementation of security practices to make networks and the terminal devices
more secure.
Realizing the importance of secure transactions Ericsson, NEC, Nokia,
Panasonic, Siemens, and Sony Ericsson got together and formed Mobile electronic
Transactions (MeT) to further strengthen the framework for secure mobile
transactions. There are also companies like mFormation which provide
over-the-air diagnosis and patch updates regardless of the device.
Considering that foolproof security might not be always possible, there is
also a need for Indian enforcement agencies to work closely with service
providers and handset vendors and others to bring those responsible to the book.
Service providers should identify insecure handsets available in the market.
Handset vendors also have a very important role to play and they need to take
the responsibility for providing a secure handset so that users do not need to
go to third-party security vendors for securing the same, as is the case with
enterprise users.