GSM networks can be hacked into, reveals security start-up

Kripa Raman Updated - March 12, 2018 at 12:31 PM.

SAFETY CONCERNS

bl19 cblnr mobile security_G8H3Q037T.1+BL24_TAN_CELL_.jpg

A GSM mobile phone user in India is not very safe from hacking attacks, a security company has demonstrated.

Four founding members of a company called Matrix Shell say they have worked out a way to hack into India GSM phone numbers and make calls from them. They were able to use the unique SIM card number called International Mobile Subscriber Identity (IMSI) of their target victims.

Using a firmware called Osmocom and using software written by them on it, they successfully hacked into GSM phones at a recent security conference.

They showed it is possible through this kind of hacking to use a subscriber's IMSI and make calls; to illegally intercept calls; to draw up large bills against a post-paid subscriber's accounts; and to deplete a prepaid subscriber's balance, said Mr Aseem Jakhar, head of Null, an open security community that organised the conference.

At the mobile service provider's end it will appear that the calls were actually made from the subscriber's number, said Mr Akib Sayyed, one of the founders of Matrix Shell.

Standard encryption

“The standard encryption on GSM should be a5/1 whereas in India most providers mostly use a5/0 which is practically no encryption,” he said. “This allows an attacker to use various open source software to sniff communication from the air and listen in on GSM calls easily.” He refused to identify which Indian networks did not have the required encryption.

It is likely that this encryption would mean more time in setting up a session between a mobile phone and the Base Transceiver Station of the operator.

Operators are avoiding this so that there will be less load on their systems, as there is huge traffic on GSM networks. Implementing a certain level of encryption would also mean more hardware upgrades for the operator, said Mr Sayyed. Those who are using the right encryption are frequently shutting it off, he added.

Vodafone, Airtel and RCom declined to respond to queries regarding encryption on their GSM networks.

‘In full compliance'

“We follow the GSM protocols and are in full compliance in terms of security, protection and algorithms. The Government has also mandated stringent security measures,” said Mr R.S. Mathews, Director-General of COAI. “There may be some isolated instances of attack, but we don't think our networks are compromised.”

kripram@thehindu.co.in

Published on March 18, 2012 17:05