Mobile data security weaker than you think

Researcher Karsten Nohl gave a presentation this week at the Chaos Communication Camp 2011 in Finowfurt, Germany, to debunk notions about the security of the typical GPRS-based mobile data network. Nohl claims that he and colleague Luca Melette successfully intercepted GPRS data in a 3.1-mile radius by modifying an inexpensive seven-year-old Motorola C-123 cellphone.

The data was subsequently decrypted with the use of several free software applications including the open-source Wireshark network protocol analyzer. 

GPRS networks were introduced as successors to the older GSM digital networks in 2000, and are still heavily used to complement 3G wireless networks around the world. As reported by The New York Times, Canadian operator Rogers Communications estimates that 90 percent of mobile data traffic still runs on GPRS networks.

Nohl also noted that "GPRS data networks provide the backbone for our mobile society."

It is hence all the more shocking to discover that the majority of GPRS operators do not bother using encryption at all, with some apparently switching off encryption to facilitate the monitoring and filtering of mobile data in a decentralized manner. Even operators that enable encryption employ what Nohl considers to be "weak" encryption that he was able to decrypt successfully.

The practical takeaway from Nohl's work is this: businesses should enable encryption via VPN for mobile wireless access, and also build encryption into apps and networked software using standards such as SSL, rather than relying on the mobile data network to protect traffic.

In the meantime, the slides from the presentation titled "GPRS Intercept: Wardriving your country" can be downloaded here.

For more:
- check out this article at MIT's Technology Review
- check out this article at The New York Times
- check out this article at CNET News
