* New phone hacking methods highlighted by tabloid scandal
* Commercial secrets may be next targets in line
* Operators do little to remedy network vulnerability
By Georgina Prodhan
LONDON, June 17 (Reuters) - British mobile carriers have tightened voicemail security since a phone-tapping scandal at News Corp’s News of the World tabloid, but technological advances mean eavesdropping is easier than ever.
Politicians, actors and sportspeople have been top targets as front-page story fodder, but businesspeople with access to commercially sensitive information may be the next victims.
Soccer star Ryan Giggs this week became the latest celebrity to say he was suing the newspaper for intercepting his mobile phone messages, joining dozens of others including Hollywood actor Jude Law .
But the practice, dating back to the mid-2000s, of trawling voicemails for scandal — which could yet threaten News Corp’s $14 billion bid for UK broadcaster BSkyB — looks primitive compared with privacy invasions possible today.
Intercepting phone calls, an activity that until recently was largely limited to governments and organised crime, is now well within the reach of motivated individuals or unscrupulous private investigators, as equipment prices plummet.
“I’d be very surprised if no criminal organisation understood this potential and wasn’t already doing this,” said hacker Karsten Nohl, who helped expose a security flaw in the widely used GSM mobile network standard last December.
“In particular, business people with stock-relevant information would be prime victims of this kind of attack,” he told Reuters.
A recent trawl by the GSM Association group of mobile operators found 18 different spyware applications sold openly on the Internet, at prices ranging from $29.99 to $847.
Most of these require the snooper to get hold of the target’s phone to install the necessary software.
But now phone calls can be targeted through the network with no need to gain possession of the device, and without leaving traces. A new industry has begun to spring up to take advantage.
“Over the past two years there’s been a commodisation of tools to hack into the GSM network,” says Nigel Stanley, practice leader for security at European IT research and consultancy firm Bloor Research.
Bjoern Rupp, chief executive of GSMK CryptoPhone, which makes high-end secure phones, says: “If you have the necessary criminal energy, it wouldn’t be hard to find someone to supply the necessary equipment.
The vulnerability of the 20-year-old GSM standard, used by billions of people in about 80 percent of the global mobile market, was clearly demonstrated last December by Nohl together with fellow hacker Sylvain Munaut.
The two demonstrated an interception at the Chaos Computer Club Congress in Berlin, using a toolkit of four cheap phones, a laptop and some open-source software to hack the A5/1 algorithm used to keep GSM voice conversations confidential.
James Moran, chief security officer of the GSM Association, told Reuters: “We always knew that the day would come when algorithm A5/1 would be vulnerable.”
The GSM Association has developed a new, more secure algorithm but it is hard to deploy in older networks. It has also made available a security patch that is easier to implement, but Nohl said it had not been widely deployed.
Nohl is currently conducting tests on networks around Europe and says he had been able to attack all the GSM networks in London, France, Germany and the Netherlands during recent tests, using kit that a computer studies student could build in a week.
Nohl told Reuters he estimated an entire surveillance operation could be built around a person or organisation today for under 30,000 euros ($42,000) — about one-tenth of the price it might have cost four or five years ago.
Among the British operators, only Vodafone is rolling out the GSMA’s security patch to protect its network.
Orange and T-Mobile (DTEGn.DE), who have recently merged their networks, are looking at security options but have no firm plans.
O2 said it was reviewing the GSMA’s patch to see whether it was an appropriate response, but pointed out that the majority of calls on its network were now carried by the 3G UMTS technology, which does not rely on the A5/1 privacy algorithm.
Britain’s smallest operator, Hutchison Whampoa’s 3, has a 3G only network, so the question does not arise.
For those with a few thousand dollars to spare, secure phones are available from suppliers such as GSMK CryptoPhone or Cellcrypt and are used by top government officials, senior executives and celebrities.
But many ordinary businesspeople privy to confidential information have no such option, and may prefer to discuss business by phone than in writing, for compliance reasons.
“We are seeing a growing tension between organisational security requirements and personal convenience requirements with people often discussing sensitive issues on mobile phones to get their jobs done faster or because they have no other practical choice,” says Cellcrypt CEO Richard Greco.
Eavesdropping on phone conversations is illegal in most countries including Britain, except by certain government bodies on grounds of national security, crime prevention or other public-interest reasons.
But Britain’s private-detective industry is unregulated, despite the efforts of the Association of British Investigators, which has been lobbying for years to regulate the industry.
“There’s those who belong to an association or advertise in the yellow pages or have a website, and then there’s the brokers of information,” said a spokesman for the association. “These people make a lot of money.”
“Most of them are one man bands, operate out of a back bedroom, do a reasonable job,” he said. “But it’s possible for any extreme criminal element or somebody on the sexual offences register to set up in business this afternoon... they are a danger and sadly that’s the situation.” ($1=.6003 Pound) ($1=.7072 Euro) (Editing by Sophie Walker and Alexander Smith)