Security - More Than Just Snooping says Zimmermann
07 August 2006
Telecoms Special Features
Phil Zimmermann tells Alexander Harrowell that it's not just viruses that threaten the mobile...
Information security and privacy expert Phil Zimmermann of MIT - not to mention PGP fame - spoke exclusively to Telecoms.com for this week's security special.
Out of the classic hacker repertoire of threats, we first touched on the one most familiar to the telecommunications industry, theft of service.
Two schools of thought exist on this. One holds that the telcos' insistence on billing for every bit means real money is at stake, so hackers will be irresistibly drawn to attack the BSS/OSS billing databases, or simply to make free calls from another user's device. The other holds that nobody will fail to notice their phone being misused, precisely because they have to pay for it.
Zimmermann thinks both arguments are wrong, or at least going that way. "The economics may still be here to hack someone and make free calls, but soon they won't be," he said.
Because the price of voice calls will approach zero?
"Right. It won't be worth the effort."
The next option, of course, is to steal information, rather than service. "You could steal the address book. You could hack the phone and put something in there. You could put something in there to let you listen in on the calls. And you could download the calling history." 2006 has, after all, already seen the first Trojan that promises to do just that.
But the personal and mobile nature of mobile devices makes Zimmermann worry that more sinister attacks may be possible than mere snooping. "You could detect somebody as they go by, identify them, follow them. You might construct a roadside bomb, an IED, that waits for an individual."
Another, less personal, form of electronic terrorism would be a denial of service attack aimed at taking out an entire carrier. Some security experts (see MCI's April issue) believe that the increasing standardisation on TCP/IP, SIP and the DNS that IMS embodies makes this a significant danger. Despite the security risk, Zimmermann is committed to the internet-isation of telecoms. "My project now is VoIP. I'm going to follow VoIP wherever it goes, including onto the mobile platform."
So where does he think it is going? Will a UMA or enterprise VoIP-like, carrier-centric model or a peer-to-peer, Skype or SIP IETF-like model succeed? "As T goes to infinity, it'll be peer-to-peer. What we have right now is a legacy from the old days when we had telephone companies, when the brains were in the network and the end-points were stupid. Your grandmother's telephone didn't have a CPU in it, but the network was smart. The internet has changed that. The network's still pretty smart, but it could be a lot dumber. It's the endpoints that have got smart."
"When mobile phones became available, they just copied the PSTN and built a smart network with dumb handsets. The first mobile phones, they weren't computers. And the service providers built their systems with that kind of architecture. All that's changing. We don't need a mobile provider any more. You could use wifi and choose your SIP server, the one at your office, the one at your house. It won't be a SIP server operated by T-Mobile, it'll be your SIP server."
Regarding IMS, Zimmermann argues it's not that relevant at all. "There are these architectures to carry the IP on top of whatever structure, but the standards community, the IETF, has a different approach than the ITU and they move in the direction of P2P solutions. Even SIP is being implemented in a P2P way, with distributed streaming. One might have thought that SIP would have been immune to that, but you can have presence detection in a peer-to-peer network, and everything's going that way."