An Academic Problem

The news shocked an industry that thought it had discovered the no-fraud air interface. But sure enough, two University of California students, working with a software developer, located GSM's Achilles' heel: the SIM card. By transferring the card's wealth of information into a computer system -- even something as simple as one of those pocket organizers you carry around -- then hooking the computer into a wireless phone, they managed to fool a GSM network into thinking an authorized subscriber was speaking to it.

Voila. The impenetrable is penetrated. Worldwide, providers of GSM service are forced into a defensive mode. And two more technology hackers toasted what they undoubtedly celebrated as the IT sector's continuing foolishness in the face of academic genius.

George Schmitt, Omnipoint Communications president, quickly assured subscribers that the security flaw "doesn't damage the integrity of the system nor does it put customers or operators at risk." Nevertheless, the PCS operator -- and GSM champion -- altered its code.

European wireless carriers, on the other hand, refused to bow to the news. Arne Foxman, senior engineer at Tele Danmark, said the discovery didn't constitute a security problem; it instead represented "an academic problem."

As an industry, should we be concerned by what these students cooked up with a stolen (in theory) data card, a very powerful computer and lots of free time? While fraud is a primary detriment to the profit line, and perceived security is a secondary reason potential subscribers steer clear of wireless, the implications of this invasion are questionable.

First, you can change the security codes, which basically means you're running scared. But try hiding from the David Wagners and Ian Goldbergs of this world. (Those are the UC-Berkeley researchers who found the flaw, just in case you wanted to write a thank-you note. They're the same two who learned how to breach credit-card security on Netscape's web browser.) No matter how many secret algorithms you devise to protect your network and your customers, someone always will find a way to challenge them.

It reminds me of those stories about auto theft that broadcast at least twice a year, usually during "sweeps month," on the local news. The consumer reporter outfits her red Miata with a variety of anti-theft devices, all of which are disarmed by some wizard capable of making The Club break away like balsa wood. Then the police spokesperson says, voice full of apathetic defeat, "In the end, if the thief knows what he's doing, it really doesn't matter what kind of anti-theft device you have. He'll get your car."

Second, you should make sure any customer whose SIM card has been compromised will report it to you immediately. This kind of preventive education is as simple as an informational flyer included with your next billing statements.

Finally, and most important, on a daily basis our industry chases the active fraud that plagues analog networks, where thieves tap into the airwaves to clone phones. For service providers financially strapped to focus on the ever-more-necessary extras of their infrastructure -- everything from disguise towers to churn-reduction software to data features -- it's reasonable to invest time and money in the beasts they do know rather than the esoteric discoveries that cause Berkeley researchers such glee.