T 5.97 Unauthorised transfer of data over mobile phones

Mobile phones provide the means whereby data from one IT system, e.g. a PC or notebook, can be transported to another without a cable connection having to be established between the two devices.

Information can then be surreptitiously retrieved and transmitted in a place where IT systems can be accessed openly. If a mobile phone is connected to a modem or has an in-built modem, information held on a computer can be transmitted to virtually anywhere in the world wire-free.

This type of unauthorised data transfer can be performed either with a mobile phone that has been specially brought along for the purpose or even using an internal mobile phone. In this way large quantities of data can be passed to the outside world unnoticed. Existing bandwidth limitations which currently make the transmission of large quantities of data unattractive are likely to disappear over the next few years as new technologies come on stream. With GSM the maximum data transfer rate is currently 9600 bps, whereas next generation protocols (GPRS, UMTS) envisage significantly higher transfer rates.

Nor is it always possible to check afterwards whether such data transmission has occurred as the network provider's record of the call data may already have been deleted.

Example:

• An employee of one company is called out of a meeting with an outside party so that he can take an important phone call. The external party uses the brief interval during which he is alone in the meeting room to link up the PC installed there with his GSM modem. He then initiates a data transfer to a connection of his choice.

• Where remote access services are used over mobile phone networks, often the Calling Line Identification Presentation (CLIP) mechanism is used as an authentication feature. If the mobile phone is stolen or lost, the authentication procedure will no longer function properly. Although normally a PIN has to be entered when a mobile phone is switched on, most people leave their phones switched on. If the telephone is already switched on when it is stolen, then theoretically it can be used immediately by a third party. If the battery is re-charged in time, the point at which the phone cuts out due to lack of power can be deferred and hence the need to input the PIN because the phone has been switched on again.