3G: Will 3G devices be secure?

NEWS While anticipating the delights of 3G, be aware of the inherent dangers. According to computer security experts, all this connectivity and functionality will inevitably mean an increased risk of attack by mobile viruses and worms as well as malicious hackers. Evidence of potential for new threats can already be seen. Earlier this month Japan's highly successful mobile broadband standard i-mode ran into its first major security issue highlighting the dangers ahead. "They [3G devices] will definitely be targeted," says chief researcher at Symantec's European computer security labs, Eric Chien. "The question is to what extent." Security exploits and accidents are a constant bugbear for Internet commerce which has suffered significant setbacks due to monthly and often high profile security blunders. Not surprisingly, the government's Janet security department Computer Emergency Response Team (Cert) is eager to see 3G developed with security in mind. Head of Cert Andrew Cormack acknowledges that security problems have been the bane of Internet commerce. "I hope they have learnt the lesson of the Internet," he says. "The vision is of people selling all sorts of services through these devices, so there might be banking details and all sorts of good stuff for people to steal." Analysts too are sceptical about the viability of 3G as a safe environment. "As more wireless devices find their way into corporate environments, wireless security is a growing concern to IT departments. With the emergence of these devices come a whole new slew of possible security breaches," says Chris Christiansen, program director, for Internet Security at IDC. Adnan Al-Adnani of the Panasonic Mobile Communications Development Centre -- involved with the UMTS Security Architecture (Useca) project -- argues that until security is dealt with in a way that offers consumers some guarantee of safety, 3G will not take off. "It is probably the most important thing," he says. "It is a major concern for the operators and they won't introduce anything until it's secure." The network is the first place that security has to be considered. Analogue mobile phones sent unencrypted messages that could easily be intercepted and listened to. Digital phones overcame this by encoding voice signals. GSM (Global System for Mobile Communications) uses a 40bit key generated each time a phone logs onto a network in order to disguise voice signals as seemingly random noise. GPRS (General Packet Radio Service) represents the second generation of mobile communications technology and will begin increasing the bandwidth available to users. Based on GSM, however, it will mean no significant security enhancements. UMTS (Universal Mobile Telecommunications System), on the other hand, will see two major security developments.

• The cryptography used will be strengthened with the introduction of 128bit keys. This increase is important. Cryptographic experts at the Weisemann Institute in Israel claimed in December to have developed a technique allowing a standard PC to listen in to GSM networks and figure out the 40bit key used to encrypt voice signals. Increasing the length of the key to 128bits would make this virtually impossible even with vastly increased computer power.
• Mutual authentication will be introduced using cryptographic keys to establish the identity of both user and base station over a connection. The signalling system providing authentication for users passing between different networks will also be protected using a public key cryptographic system.

Chairman of the 3G Partnership Project Security Group Michael Walker says these changes are seen as fundamental to the commercial success of UMTS. "GSM was designed in the 80s and we've moved on. This is keeping up with those changes to cryptography and future-proofing." The networks themselves are just one part of the security equation, however. The growing complexity of mobile devices and the increased prevalence of interoperability software on them raises the spectre of mobile device viruses and hacking attacks. Security experts say that the potential for serious mischief must be considered. "Even now you can effect phones and as you add more functionality comes risk," says Jack Clark, European product manager for Network Associates. "They [operators] must look at security at the same time that they look at functionality. Look at it with a malicious mind." Symbian's Epoc operating system is likely to power many future mobile devices, having been licensed by mobile phone manufacturers including Nokia, Ericsson, Motorola and Sony. Symbian acknowledges the potential for security threats, but argues that Epoc has been designed from the ground up with security in mind and will not compromise security for functionality. Epoc features its own Java Virtual Machine. Java has in-built security features which will provide a certain amount of inherent protection against programs trying to access other parts of the operating system or other applications. A spokesman for Nokia says that its 3G devices will give external high-level code or scripts little access to the hardware underneath. He says that 3G operating systems are also expected to make use of server-side application to minimise risk of interference. Nevertheless, anti-virus company F-Secure this month released virus software designed to protect the Epoc operating system. This does not reflect weaknesses in the operating system, says F-Secure. Rather, the fact is that "the more powerful you make an operating system, the more security risks you create," according to a spokesman. The last risk is the 3G device itself. They promise to be attractive to both petty thieves and professional criminals after corporate and financial data. UMTS SIM cards called USIM (User Services Identity Module) will therefore be developed with more emphasis on security. As well as pin protection, USIM cards may take the form of removable smart cards. According to laptop security specialists Carraig biometrics, technologies such as voice recognition and Iris scanning may also be used to ensure 3G devices don't become another casualty of the not-so-secure Internet. Read about the 3G devices of the future. Find out about competing 3G standards. The technology of 3G - get technical! What will 3G mean for business? Who could be the big players of the future in 3G? 3G startups. What do you think? Tell the Mailroom. And read what others have said.