This week brought some bad news for mobile phone users. German security expert Karsten Nohl showed how easy it is to eavesdrop on GSM-based (Global System for Mobile Communications) cell phones, including those used by AT&T and T-Mobile customers in the U.S.
Nohl, who has a doctorate in computer engineering from the University of Virginia, made headlines last year publicizing weaknesses in wireless smart card chips used in transit systems around the globe.
Karsten Nohl (Credit: Kingsley Liu)
CNET interviewed Nohl via e-mail on Thursday about his latest work and what the implications are for the more than 3 billion GSM mobile phones worldwide, representing about 80 percent of the market, according to the GSM Alliance.
Q: You made quite a splash at the Chaos Communication Congress hacker conference in Berlin this week. What happened?
Nohl: We showed that GSM, the widely used cell phone standard, is insecure, and explained how your neighbor might already be listening in on your calls. After GSM's security was declared outdated several times before, we were the first to make tools available for people to verify its insecurities.
Q: In August you launched an open-source, distributed computing project designed to crack GSM encryption and compile it into a code book that can be used to eavesdrop on calls. Is this week's announcement related to that?
Nohl: Yes, at the conference a code book was released--a data set previously only available to well-funded organizations. This code book has been computed in just a few months thanks to many volunteers on the Internet.
Q: And this is to determine the key used to encrypt GSM communications, right?
Nohl: That's correct. The code book reveals the encryption key of a call.
Q: What is the problem with the GSM encryption technology exactly?
Nohl: GSM's A5/1 encryption function uses a 64-bit key that is too short to withstand the computing power available today. When the algorithm was designed 20 years ago when CPU [central processing unit] cycles and storage were much more expensive, it must have seemed a lot more secure. However, the A5/1 function should have been replaced years ago when researchers first discussed practical attacks.
Q: What does this mean for users of GSM phones? What is the real-world threat?
Nohl: Cell phone calls can be intercepted--not just since this week, but more cheaply every month. Sensitive information, say, from politicians, can be overheard from, say, foreign embassies. Others willing to cross the line into illegality and listen in on a call could be industry spies or even private snoops.
Q: Exactly how would someone use this technology to spy on mobile phone conversations?
Nohl: You record a call and then decrypt it. Recording requires some advanced radio equipment, which can be as cheap as the $1,500 suggested retail price [Universal Software Radio Peripheral] device. One direction of a call can potentially be intercepted from a kilometer away while catching both directions requires the eavesdropper to be in the vicinity of the victim. Decryption is then done using the code book the community produced.
Q: What should people do to protect themselves against this?
Nohl: In the short-term, there is not much users can do to protect themselves other than being aware of the threat and keeping their most confidential calls and text messages off the GSM network. To improve GSM security in the long run, customers should go to their operators and create demand for improvements.
Q: What are the practical implications of your work? In other words, does your research make it cheaper and easier to eavesdrop and if so, how much cheaper and how much faster to crack the encryption? (One expert had estimated that the code book would let someone crack the code in hours now instead of taking weeks.)
Nohl: Our results don't necessarily make decryption faster; current commercial interceptors decrypt within seconds, often faster than the time a user takes to answer the call. Our project makes the technical background of these systems more accessible and aims to inform about the fact that GSM intercept is widespread. As a side effect, interception might become cheaper, too.
Q: What exactly does someone need to eavesdrop? (In other words, the code book/tables, antennas, special software, and $30,000 worth of hardware?)
Nohl: The more you spend on hardware, the faster you can decrypt calls. Two USRP radios, a beefy gaming computer, and a handful of USB sticks can already decrypt many calls. For $30,000 you can build a sub-minute decryptor.
Q: I understand it is illegal to intercept mobile phone calls in the U.S. and many other countries. Is what you did legal?
Nohl: Intercepting the phone calls of others should be illegal everywhere, and we do not plan to do that. Our research instead exposes that nothing in GSM is keeping criminals away from doing illegal intercepts. Fortunately, such security research is still legal.
Q: What did you do to make sure you have good legal standing? Did you consult with the Electronic Frontier Foundation?
Nohl: The EFF indeed helped us understand the legal implications of researching GSM technology.
Q: Have you been in touch with the GSM Alliance or any other pertinent entities?
Nohl: We have not yet been able to start a discourse with the GSMA. Through the press, though, we hear that a GSMA meeting in February might decide to ramp up upgrade efforts toward A5/3, the better encryption function. That would be great!
Q: Why did you do this research and public disclosure?
Nohl: We aim to make users of GSM aware that the GSM cannot be fully trusted. After other researchers have called a hack [questioned the security] of GSM for many years, we thought it was time to go one step further and provide tools for customers to "try at home" how insecure GSM's current encryption function is.
Q: Can the tables be used against the A5/3, the successor to A5/1? What is the difference between the two crypto standards?
Nohl: Fortunately, we cannot crack A5/3. This newer encryption is used in 3G networks and is currently considered a security patch for GSM networks. So there is [hope].
Q: What should mobile phone operators or carriers do about this?
Nohl: Carriers should now do the security patch that is overdue 15 years by upgrading to a new encryption function. I suspect they will only do so if customer demand is significant. Hopefully the customers will make it clear to their provider that they want 21st century security for their phone calls.
Holiday shoppers brought good cheer to e-commerce retailers, spending $27 billion online from November 1 through December 24, a 5 percent jump over last year, ComScore reported Wednesday.
The period from Black Friday through Christmas Eve was also bright and merry as sales grew by around 3.5 percent, even after adjusting for an additional shopping day this year. Consumer electronics proved to be the hottest selling category, rising 20 percent. Larger retailers outpaced smaller vendors thanks in part to their use of free shipping and marketing via social-networking sites, said ComScore.
The growth in this year's online holiday sales showed improvement over 2008, when sales dropped by 3 percent. Results were likely helped by a snowstorm that blanketed the East Coast the weekend of December 19-20, forcing many shoppers to pick up those last-minute gifts online.
"Online sales growth this year was driven by a continued increase in the number of people buying online, but consumers' economic challenges resulted in a slight decline versus last year in the amount spent per buyer," said ComScore chairman Gian Fulgoni in a statement. "The season featured a strong start as a result of early retailer promotions and a very strong finish helped by the snowstorms that occurred the weekend of December 19-20, retailers' willingness to offer free shipping later in the season, and consumers' confidence in expedited shipping arriving in time."
The Kindle e-reader, the Nintendo Wii, and an Asus Netbook were among the top tech items for Amazon customers in 2009.
The retail giant touted three "Best of 2009" lists on Wednesday, revealing the best selling, most wished for, and favorite gift items chosen by Amazon consumers for the year. The company also introduced its Bestsellers Archive, which can show historical popularity among several categories, including print books, Kindle books, music downloads, movies and TV shows, and video games.
Amazon has been relentlessly proclaiming the popularity of its Kindle device, though it just as steadfastly has declined to provide actual sales numbers. PC maker Asus, meanwhile, has been riding the Netbook craze and drew top honors in Amazon's computer category with its Eee PC 1005HA 10.1-inch Netbook.
Nintendo's Wii game console lost some steam during 2009, but heading into the holiday season gave strong signs of regaining its dominance.
Other top tech items on the several Amazon lists included Microsoft Office Home and Student 2007, an Omron Digital Pocket Pedometer, and an Accutire Programmable Digital Tire Gauge--the latter two perhaps being of use to tech types who need to take a long walk or drive after a hard day using Microsoft Office.
The Casio Men's Sea Analog Illuminator Dual LED Dive Watch made the best-sellers list for people who need to keep tabs on the time while under the sea. On the most-wished-for list was the Sunforce 50044 60-Watt Solar Charging Kit, designed to tap into the power of the sun to charge the battery in your car, RV, tractor, boat, and other vehicles on the go. New Super Mario Bros also made the cut as the most-wished-for video game.
Amazon's "Best of 2009" lists cover all but the last 10 days of the year--stretching, that is, from January 1 to December 22, 2009. The Bestsellers Archive goes back in time to the start of Amazon to unveil the most popular items over the long haul.
In the video game category, the Wii came in at number 6 historically and has been on the top 100 list for 1,128 days. Among electronics, Apple's iPod Touch 3G takes the second (8GB version) and third (32GB version) slots on the list for 112 days. And for software, MS Office Home and Student 2007 hit the number 2 spot as part of the top 100 for 1,101 days.
You can also view historical data right in the Bestsellers Archive just by selecting the pulldown menu for year and choosing a different year, as far back as 1995 for books and more recent years for other items. A peek back at 1999, for example, revealed that "Who Wants to Be a Millionaire" was the most popular video game of the year.
"The Bestsellers Archive reveals the collective interests of our customers back to the beginning of Amazon.com," said Eva Manolis, vice president of Retail Customer Experience, in a statement. "It's a fun experience enabling exploration of bestselling products -- helping customers find their favorites as well as discover those they may not know about."
The full 2009 lists can be found on Amazon's news release Web site.
A tipster just sent in these Nexus One screenshots that supposedly confirm two things: that Google will sell it unlocked and unsubsidized for $530, and that Google will sell it itself. Plus, some other very interesting details.
Some of the most important bits of info we extracted (assuming the tipster is accurate, and it seems like he is). Oh, and take a look at our hands on with the device in case you haven't familiarized yourself with it yet.
Yeah, it's $530 unsubsidized. Google's not going to be selling the phone at cost, like so many people considered. They're not going to save us from the "making money off of hardware" culture we've got right now, so this is basically just another Android handset, albeit a really good one
If you want it subsidized, you'll have to sign up for a 2 year mandatory contract and pay $180 for the phone
There's only one rate plan: $39.99 Even More + Text + Web for $79.99 total
Existing customers cannot keep their plan if they want a subsidized phone; they have to change to the one plan, and this only applies to accounts with one single line
If that doesn't fly with you, you have to buy the $530 unlocked version--this actually might save you money over two years if you already have a cheap plan
Family plans, Flexpay, SmartAccess and KidConnect subscribers must buy the phone unlocked and unsubsidized for $530
You can only buy five Nexus One phones per Google account
There is language in the agreement of shipping outside the US
Google will sell it at google.com/phone, which explains what they were doing with that page a few weeks ago
Google will still call it the Nexus One apparently, and not the Google Phone
And here is a big one:
If you cancel your plan before 120 days, you have to pay the subsidy difference between what you paid and the unsubsidized price, so $350 in this case. Or you can return the phone to Google. You also authorize them to charge this directly to your credit card.
One weirdness in the Terms of Sale that we quickly glanced through was that Google made sure you acknowledged that the manufacturer is HTC, and not Google.
This story originally appeared on Gizmodo.
The legal back-and-forth between Nokia and Apple over patents, and who might be abusing them, continued Tuesday as Nokia lodged a complaint with the U.S. International Trade Commission.
In its complaint to the USITC, the Finnish company alleges that Apple infringes seven Nokia patents "in virtually all of its mobile phones, portable music players, and computers."
The alleged patent infringement is connected to key features in Apple products including user interface, camera, antenna, and power management technologies. Their value to Nokia, the company says, comes in allowing better user experience, lower manufacturing costs, smaller size, and longer battery life for Nokia products.
In October, Nokia filed a lawsuit against Apple in U.S. District Court in Delaware regarding 10 patents related to wireless handsets, which Nokia says Apple has refused to license. Every iPhone model since the original, introduced in 2007, infringes on those patents, Nokia has charged.
Apple filed a countersuit earlier this month, charging Nokia with infringing 13 Apple patents related to the iPhone.
"While our litigation in Delaware is about Apple's attempt to free-ride on the back of Nokia investment in wireless standards, the ITC case filed today is about Apple's practice of building its business on Nokia's proprietary innovation," Paul Melin, general manager of patent licensing at Nokia, said in a statement.
"Nokia has been the leading developer of many key technologies in small electronic devices," Melin said. "This action [Tuesday's complaint to the USITC] is about protecting the results of such pioneering development."
Apple was not immediately available to comment on Nokia's filing with the U.S. International Trade Commission. The USITC is an independent federal agency that looks at issues including unfair trade practices involving patent, trademark, and copyright infringement.
Nokia says that over the past two decades it has spent some 40 billion euros ($57.5 billion) on R&D and has amassed "one of the wireless industry's strongest and broadest IPR portfolios, with over 11,000 patent families."
In November, research firm Strategy Analytics reported that Apple had surpassed Nokia in quarterly mobile phone profits, bringing in $1.6 billion from the iPhone, compared with Nokia's $1.1 billion in cell phone profits.
New data shows that the iPhone may finally have a true competitor in the Android operating system with user profiles appearing very much alike.
According to eMarketer.com, marketing intelligence firm comScore found that 37 percent of U.S. mobile users had heard of Android in November 2009, up from 22 percent in August, "likely due to the Verizon Droid ad campaign." More interestingly, "17 percent of mobile users in the market for a new smartphone in the next three months planned to buy an Android phone, compared with 20 percent who would pick up an iPhone."
The data also showed that usage patterns for Android and iPhone owners were very similar in terms of media consumption, browser and application usage, but e-mail oddly tracked behind on Android devices. This is likely due to the immaturity of the mail application that ships with Android and not a change in use patterns.
This news obviously keeps the iPhone in the dominant position but shows that other smartphones finally present a real challenge. It's notable because BlackBerry and iPhone users have always seemed worlds apart, whereas Android users seem to be using their devices at parity with the iPhone crowd.
The fact that the Droid runs on Verizon instead of AT&T no doubt helps, though only time will tell if Verizon can handle the traffic, or if T-Mobile could handle the pressure of a huge influx of new Google Nexus One phones running Android.
AT&T has resumed selling iPhones through its Web site to New York City customers, with no indication as to what prompted the halt.
Over the holiday weekend, New Yorkers who tried to order an iPhone through AT&T's Web site were left out in the cold. Making matters worse, explanations ranged from network congestion problems to online fraud to this fine example of corporate-speak: "We periodically modify our promotions and distribution channels."
But at some point on Monday, sales could once again be processed for New York City ZIP codes through AT&T's site. An AT&T representative did not immediately respond to a request for clarification on what knocked out online iPhone sales for Gothamites.
Karsten Nohl talks about his project at the Hacking at Random conference in August. (Credit: Hacking at Random)
A German computer engineer said Monday that he had cracked the secret code used to encrypt most of the world's mobile phone calls.
In an attempt to expose holes in the security of global wireless systems, 28-year-old Karsten Nohl cracked the 21-year-old GSM algorithm, which is used to encrypt 80 percent of the world's mobile calls, reports The New York Times.
Nohl revealed his success at the Chaos Communication Congress in Berlin, Germany. He said that 24 people worked independently to reproduce the code book, or binary code log, for the algorithm, which contains the equivalent of about two terabytes of data.
He announced his intentions to crack the GSM algorithm at a conference in August.
Read more of "Code that encrypts world's GSM mobile phone calls is cracked" at ZDNet's Between the Lines.
Update at 1:50 p.m. PST December 28: AT&T has resumed sales.
AT&T has stopped selling the Apple iPhone in the New York metropolitan area through its Web site, perhaps due to data congestion, credit card fraud, or routine sales strategy changes, depending on whom you believe.
Online sales of the phone were apparently suspended Sunday. Prospective customers attempting to buy an iPhone through the Web site and using a New York area ZIP code get a message saying, "We're sorry, there are no Packages & Deals available at this time. Please check back later." However, changing ZIP codes to other U.S. metro areas yields a bevy of iPhone choices.
An AT&T representative's statement to CNET suggested that the move to not offer any iPhones online to buyers in the Big Apple was a routine strategic decision.
"We periodically modify our promotions and distribution channels," said Fletcher Cook, an AT&T spokesman.
However, customer service representatives, who are likely not authorized to comment officially for the company, painted divergent pictures.
One customer service representative hinted that data congestion may be the reason for the suspension, telling The Consumerist that "New York is not ready for the iPhone. You don't have enough towers to handle the phone."
In light of AT&T's tarnished reputation for its 3G service, this is certainly a plausible explanation. For more than a year, iPhone users have complained about dropped calls and poor service on the 3G network. The problems appear to be particularly acute in densely populated urban areas, such as New York and San Francisco.
However, another representative suggested that credit card fraud is responsible. Sales were suspended due to "increased fraudulent activity in that area when ordering the iPhone," the other representative told the Gearlog blog. However, the iPhone is apparently still for sale at Apple stores in the New York area.
No word on what the nature of the alleged fraud may be, but as others have certainly pondered, isn't online fraud as likely to happen in Dallas, Seattle, or San Francisco?
An FCC commissioner has sent an open letter to Verizon Wireless, scolding the carrier for its new early termination fees.
Mignon Clyburn, FCC commissioner
Mignon Clyburn, one of five members of the Federal Communications Commission, was responding to the defense that Verizon sent the FCC last week about early termination fees, or ETFs.
"The company's answers...are unsatisfying and, in some cases, troubling. In particular, I am concerned about what appears to be a shifting and tenuous rationale for ETFs," she said in a statement (PDF) released Wednesday by the FCC. "No longer is the claim that ETFs are tied solely to the true cost of the wireless device; rather, they are now also used to foot the bill for 'advertising costs, commissions for sales personnel, and store costs.'"
Verizon's early termination fees recently climbed from $175 to $350 for smartphones and other "advanced devices." In early December, the FCC asked Verizon to explain itself.
Among its defenses, Verizon asserted that the fees enable the company to sell phones at lower upfront prices and to reduce losses if customers break their contracts early. The carrier also noted that it prorates the fees and that the additional revenue helps keep its broadband network strong.
Clyburn asserted that consumers already pay hefty amounts to carriers. "So when they are assessed excessive penalties, especially when they are near the end of their contract term, it is hard for me to believe that the public interest is being well served," she said.
"I am also alarmed by the fact that many consumers have been charged phantom fees for inadvertently pressing a key on their phones thereby launching Verizon Wireless's mobile Internet service. The company asserted in its response...that it 'does not charge users when the browser is launched,' but recent press reports and consumer complaints strongly suggest otherwise."
A Verizon representative told Bloomberg that the company will "take a good hard look at her concerns and address them in an appropriate fashion."





