Your phone-to-phone text messages are protected from hackers by a decades-old technology that is full of holes and regularly being hacked. So is your location, any time you have your phone turned on. And it's not just the phone companies, not just law enforcement using $50,000 network sniffing devices. It's hackers using $15 cell phones and a laptop. In a demonstration at the Chaos Computer Club (CCC) Congress a few days ago, a couple of seasoned pros gave the assembled hackers a step-by-step tutorial.
But wait, you say, how come hackers aren't cracking the phone companies' SIM card codes so I can do stuff like, say, run an iPhone on my Sprint account? Well, that's because the phone companies are using much tougher encryption to lock in their revenues than to secure your private information. “There is one key used for communication between the operators and the SIM card that is very well protected, because that protects their monetary interest,” says Security Research Labs researcher Karsten Nohl. “The other key is less well protected, because it only protects your private data.”
The problem stems from laziness. The companies could almost effortlessly make two or three changes to tighten up security. The first is simply to follow their own industry standards, which have been in place for many years: rather than sending random data in the constant "Are you there?" messages sent to your phone, they use plain text, making it easy to find you and connect a phone with specific data traffic. There is no reason whatsoever for this negligence. The second step might require a bit more programming: stop the practice of reusing security keys over and over, which makes it easy for a hacker to run through a few keys and quickly tap into your session. The fix would probably take a programmer a couple days and cost your phone company a whopping few hundred bucks. Multiplied by several phone companies, the astronomical price of securing hundreds of millions of phones - yours, mine and everybody else's - would run in excess of a few thousand dollars.
Okay, maybe that's a low-ball. Check out the article at Ars Technica.