Security Crisis Worsens For Mobile Networks

A report just published by Heavy Reading identifies mobile networks as having a number of key security vulnerabilities that must be addressed. The Heavy Reading report is quite correct in identifying a potential problem with the security of mobile networks, for the simple reason that the wireless nature of the cellular networks makes them more susceptible to criminal attack.

If anything, research suggests that the report understates the security risk that the last mile of the cellular-delivered mobile Internet now represents, as A5/1 – the main GSM encryption algorithm – was cracked in a practical attack late last year by Karsten Nohl.

Put simply, this means that, with sufficient equipment and CPU power, we believe that a cybercriminal can now mount a practical eavesdropping or Web browser injection attack on a cellular delivered Internet connection.

Whilst a WiFi-based Internet connection can be said to be less secure than a desktop link, on the basis that the wireless signal can be intercepted and/or eavesdropped in some way, its range is relatively short before it hits the landline networks. With the cellular mobile Internet, however, the signal can reach for several miles, and is therefore a lot more vulnerable to electronic trickery.

Heavy Reading’s report reinforces my research team’s observations, since it adds the very real prospect of criminal tampering with the network infrastructure to the mix. The industry has not seen any proven cases of network infrastructure tampering or Web browser injections, but the possibility grows stronger by the day, especially given the steady march of the mobile Internet.

With mobile dongles and MiFi units now becoming more and more popular – largely owing to their considerable flexibility and the fact that the technology also frees users from the `line rental tax’ that almost also telcos impose on their broadband users – more and more Web traffic is being carried the last mile by cellular means.

With the GSM Association having reported the number of high-speed mobile broadband connections have topped the 150 million mark around the world in the summer of last year, it can be seen that cellular infrastructure – because of its wireless nature – now poses an IT security risk that many users overlook.

This is what makes this report so timely, and reinforces previous warnings about the mobile Internet security threat that few experts have even considered as a possibility. Add in the fact that mobile Internet connections are highly transient, with dynamic IP addresses that are used and re-used on a cyclic basis, and you begin to see the nature of the problem.

Until the hardware vendors and networks address the issue, perhaps with the assistance of IT security software vendors as well, it’s clear that mobile Internet connections need to be considered less safe than their landline equivalents.

That isn’t to say the problem isn’t surmountable, as users of online financial services should employ any and all security measures available to them – such as installing in-browser security – in addition to their existing IT security measures. Add in some serious commonsense when using mobile Internet connections, and your online session should be safe, despite the underlying insecurities in cellular encryption and the network infrastructures.

SHARETweet about this on TwitterShare on LinkedInShare on FacebookShare on Google+Pin on PinterestDigg thisShare on RedditShare on TumblrShare on StumbleUponEmail this to someone

Prior to founding Trusteer, Amit Klein was Chief Scientist at Cyota (acquired by RSA Security) a leading provider of layered authentication solutions. In this role, Amit researched technologies that prevent online fraud, phishing, pharming, He filed several patents in those areas during his time at Cyota. Prior to Cyota, Amit worked as Director of Security and Research at Sanctum (acquired by Watchfire) where he was responsible for the security architecture of all Sanctum products. Prior to Sanctum, Amit spent almost 7 years serving in the Israeli Army as a research officer and project manager. He is a graduate of the prestigious Talpiot programme of the Israeli Army. He holds a B.Sc. (cum laude) in Mathematics and Physics from the Hebrew University (Jerusalem). Amit is also a world renowned security researcher, having published over two dozen articles, papers and technical notes on the topic of Internet security.