By Jim Finkle
Dec 27 (Reuters) - The world's mobile phone carriers havefailed to implement technology fixes available since 2008 thatwould have thwarted the National Security Agency's ability toeavesdrop on many mobile phone calls, a cyber security expertsays.
Karsten Nohl, chief scientist with Berlin's SecurityResearch Labs, told Reuters ahead of a highly anticipated talkat a conference in Germany that his firm discovered the issuewhile reviewing security measures implemented by mobileoperators around the world.
Nohl also told Reuters that the carriers had failed to fullyaddress vulnerabilities that would allow hackers to clone andremotely gain control of certain SIM cards. Thosevulnerabilities were pointed out in July.
While the German cryptologist criticized carriers forfailing to implement technology to protect customers fromsurveillance as well as fraud, he said he does not think theydid so under pressure from spy agencies.
"I couldn't imagine it is complicity. I think it isnegligence," he said. "I don't want to believe in a worldwideconspiracy across all worldwide network operators. I think it isindividual laziness and priority on network speed and networkcoverage and not security."
A spokeswoman for the GSM Association, which representsabout 800 mobile operators worldwide, said she could not commenton Nohl's criticism before seeing his presentation on the topicat the Chaos Communications Congress in Hamburg, Europe'sbiggest annual conference on hacking, security and privacyissues.
Nohl uncovered the issue while working on a project known asthe GSM Security Map, which evaluates security of mobileoperators around the globe. The map, which can be found atwww.gsmmap.org, is partially funded with a grant from the U.S.government's Open Technology Fund, according to Nohl.
None of the carriers surveyed had implemented measures forthwarting a method that allows the NSA to eavesdrop on mostmobile calls by unscrambling a widely used encryption technologyknown as A5/1, Nohl said.
The Washington Post reported on Dec. 13 that documentsleaked by former NSA contractor Edward Snowden showed the agencycan crack A5/1. () Nohl said that methodwould have been blocked if carriers had applied two patchesreleased in 2008.
Nohl is credited with leading research teams that haveuncovered major flaws in mobile technology in recent years.
In July, he reported on security vulnerabilities that wouldallow hackers to gain remote control of and clone certain mobileSIM cards. The unprecedented work prompted a United Nationsgroup known as the International Telecommunications Union, whichadvises nations on cyber security plans, to urge the industry totake quick action to tackle the vulnerabilities.
Once a hacker copies a SIM, it can be used to make calls andsend text messages impersonating the owner of the phone, saidNohl, who has a doctorate in computer engineering from theUniversity of Virginia.
A few weeks after Nohl disclosed his findings, he said itlooked like most carriers had implemented fixes to prevent suchattacks.
Yet he said on Friday that while conducting research for theGSM Security Map project, he learned on closer inspection thatthose fixes still left plenty of room for attacks, makingcustomers on many networks vulnerable.
"I need to go back on what I said. The majority of theoperators only addressed the symptoms, not the root cause," Nohlsaid.
He said that his firm launched the GSM Security Map projectto pressure mobile operators around the world to boost security.
The effort will also push researchers like himself not to becomplacent.
"We as researchers must not give up so easily like we did inJuly, when we said 'The network operators addressed it. We areso proud. We changed the world,'" Nohl said.
The group will continue to update the map, which hasdetailed reports for each country surveyed that describesecurity of individual carriers.
In the map's initial release on Friday, the country whosenetworks were rated the most secure was France.
Not all countries are surveyed, however, because the groupdoes not yet have enough data.
Vodafone (VOD)