All mobile phones may be open to a simple but devastating attack that enables a third party to eavesdrop on any phone conversation, receive any and all short-message service (SMS) messages, and download the phone’s address book. The attack, outlined by a German security expert, would amount to the largest-ever breach of privacy for billions of mobile phone users across the world.

But it remains uncertain exactly how easy and how widespread the problem could be thanks to a concerted effort by mobile operators to muddy the issue while they assess its extent.

The official response of the mobile phone operators when asked about the threat is that the attack is phony. But despite three days of inquiries by Techworld, none has provided any evidence that there is an adequate defense to it.

Wilfried Hafner of SecurStar claims he can reprogram a phone using a "service SMS" or "binary SMS" message, similar to those used by the phone operators to update software on the phone. He demonstrated a Trojan that appears to use this method at the Systems show in Munich last month—a performance that can be seen in a German-language video.

Phone operators use SMS messages to make changes to their customers’ phones without user intervention. These changes can vary from small tweaks to an overhaul of the phone’s internal systems. Hafner claims, however, that phones do not check the source of such messages and verify whether they are legitimate, so by sending a bogus message he is able to pose as a mobile operator and reprogram people’s mobiles to do what he wants.

"I found this on a very old Siemens C45 phone, and then tried it on a Nokia E90 and a Qtek Windows Mobile 2005 phone," said Hafner. "None of them authenticated the sender of the service SMS. We could not believe no one had found this possibility before us."

On all these phones, Hafner was able to launch an example Trojan called "Rexspy," which he said ran undetected.
Rexspy copies all SMS messages to the attacker, and allows the attacker to eavesdrop on any phone conversation by instructing the phone to silently conference the attacker into every call.

However, Hafner’s demonstration does not constitute proof. It was done with his own phones, which could have been prepared. Known software such as Flexispy does the same job as Rexspy, but has to be installed manually on a phone. Hafner has also refused to provide Techworld with a demonstration, claiming that he does not want the code put into the wild. Hafner has also put out a press release about his alleged discovery that heavily pushes his company’s products.

Although unproven, Hafner’s claim is simple to understand—as are the obvious security steps with which operators could prevent such an attack. Despite this, the operators have refused to discuss their strategy to prevent such an attack.

"We have been aware for some years of the potential for SMSes of all types to be subverted, and we are confident that we have all the necessary measures in place to counter any such attack through our network," said a Vodafone spokesman, who then declined to discuss what these measures are.

A spokesman for the GSM Association was equally unforthcoming: "It is impossible to tell from the information provided whether the claims are theoretically or practically possible or not. The GSMA’s Security Group will look into the claims as a matter of course."

Orange said in a statement: "We take the security of our customers’ communications very seriously and are investigating the claims made by SecurStar regarding the capabilities of this Trojan Horse. Pending the outcome of this investigation, we are unable to comment on the validity of the specific claims that SecurStar have made.
We can confirm that we have no evidence to suggest that any of our customers have had the security of their voice or SMS communications compromised using the mechanism SecurStar claim to be used by ‘RexSpy.’ Should our investigation show that there is any validity to the claims of SecurStar, we will take action to ensure that our customers are protected."

"The telephone should ask who is sending a service SMS, and the operators should change the way they are sending these messages and put in signatures," said Hafner. The operators interviewed have refused to say whether they did this or not.

All operators have been keen to point out, however, that such an attack would be illegal. The GSMA warned that "if this were demonstrated in the U.K. it would be a serious criminal offense, which could be prosecuted under the Regulation of Investigatory Powers Act 2000 for over the air interception."

Hafner’s eavesdropping Trojan is just a sample of what could be done, he says. It could cover its tracks by using a free number for the conference calls.

"There’s a further step I haven’t demonstrated, but the Trojan has full access, so I can extract the contact details from the address list," said Hafner. "If I wanted, I could decide to reproduce the service SMS to all your contacts. This would transform the Trojan to a virus."

Security experts are skeptical, and question Hafner’s motives: "Our experts believe that service providers should be able to block service SMSes coming from any unauthorized location because the communication would have to go through the official communication center," said Carole Theriault, senior security consultant at Sophos.

SecurStar makes encryption software to scramble voice calls made on Windows Mobile phones, to prevent eavesdropping. "It seems to me to be questionable that [SecurStar] would actually write a Trojan in order to market their product," said Theriault.

-Peter Judge, Techworld.com (London)