In short, it means that the phone call is not being encrypted. But that being the case, shouldn't the iPhone be displaying a similar icon? (The call in progress in the picture was established between the two phones.) Keep on reading, and you will see that there is more to it than meets the eye.
GSM usually encrypts your calls to protect your privacy, and the same goes for your GPRS/EDGE data connections. Now, GSM has many security problems, but for the purpose of this discussion, let us concentrate on the "usually" part in the above sentence.
The GSM specification gives full control to the network to select the encryption algorithm to be used to protect the communications on the radio interface, choosing from a set of supported algorithms, which nowadays in most cases include only two choices: A5/1, which is the most commonly used encryption algorithm in GSM networks (already broken, but that's another story), and A5/0, which is a euphemism for no-encryption-at-all. Thus, the network can choose to encrypt, or not, your communications.
Most GSM operators do encrypt their subscribers' communications, but some may choose not to do it, and in some countries, like India, they may even be required by law not to use encryption. Making things even more worrisome, an attacker can very easily set up a rogue GSM base station, pretending to belong to your usual network operator, and route all your calls and data connections, unencrypted, through his base station.
So, you cannot decide whether the communication will be encrypted or not. But, could you, at least, KNOW if your communication is being encrypted or not?
The GSM specification states that you, the user, "should" be informed by your mobile device when the communication is not encrypted (3GPP Rel.9 TS 33.102-920 "3G Security Architecture" 5.5.1 Visibility):
"Although in general the security features should be transparent to the user, for certain events and according to the user's concern, greater user visibility of the operation of security features should be provided. This yields to a number of features that inform the user of security-related events, such as:
The ciphering indicator feature is specified in 3GPP TS 22.101 [...]"
The referenced 3GPP TS 22.101 specification (R99 22.101-3.17.0), in section 13, "Types of features of UEs", says:
"The basic mandatory UE requirements are:
- Ciphering Indicator for terminals with a suitable display;
The ciphering indicator feature allows the ME to detect that ciphering is not switched on and to indicate this to the user. The ciphering indicator feature may be disabled by the home network operator setting data in the SIM/USIM. If this feature is not disabled by the SIM, then whenever a connection is in place, which is, or becomes unenciphered, an indication shall be given to the user. Ciphering itself is unaffected by this feature, and the user can choose how to proceed;"
Interesting! So, according to the specification, our mobile devices should tell us that the communication is not encrypted and we should be allowed to choose how to proceed, unless our SIM card were configured to disable this feature. However, is that how it is in real life?
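As an added illustration (not code from the original article), the sketch below decodes the GSM RR Ciphering Mode Command, the message in which the network announces its choice of algorithm, and then applies the TS 22.101 indicator rule quoted above. It goes beyond the text: the message layout is taken from 3GPP TS 44.018, which the article does not cite, the input is assumed to be a layer-3 message with the LAPDm header already removed, and the function names, the two boolean parameters and the sample bytes are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

RR_PD = 0x06                   # protocol discriminator: Radio Resource management
CIPHERING_MODE_COMMAND = 0x35  # RR message type


@dataclass
class CipherMode:
    ciphering_started: bool    # SC bit
    algorithm: str             # reported as "A5/0" when SC = 0
    imeisv_requested: bool     # CR bit


def parse_ciphering_mode_command(l3: bytes) -> CipherMode:
    """Decode a layer-3 RR CIPHERING MODE COMMAND (assumes LAPDm header removed)."""
    if len(l3) < 3:
        raise ValueError("truncated message")
    if (l3[0] & 0x0F) != RR_PD or l3[1] != CIPHERING_MODE_COMMAND:
        raise ValueError("not an RR CIPHERING MODE COMMAND")
    octet = l3[2]
    sc = bool(octet & 0x01)        # bit 1: 0 = no ciphering, 1 = start ciphering
    alg_id = (octet >> 1) & 0x07   # bits 2-4: 0 = A5/1, 1 = A5/2, 2 = A5/3, ...
    cr = bool(octet & 0x10)        # bit 5: IMEISV requested in the response
    # The algorithm identifier is only meaningful when SC = 1.
    algorithm = f"A5/{alg_id + 1}" if sc else "A5/0"
    return CipherMode(sc, algorithm, cr)


def indicator_shown(mode: Optional[CipherMode],
                    handset_implements_indicator: bool,
                    sim_disables_indicator: bool) -> bool:
    """Apply the quoted TS 22.101 rule. mode=None means the network never
    sent a Ciphering Mode Command, so the connection stays unenciphered."""
    unciphered = mode is None or not mode.ciphering_started
    return (unciphered
            and handset_implements_indicator
            and not sim_disables_indicator)


# Constructed sample messages (not captured traffic).
SAMPLE_A5_1 = bytes.fromhex("063501")  # start ciphering with A5/1
SAMPLE_NONE = bytes.fromhex("063500")  # SC = 0: no ciphering
SAMPLE_A5_3 = bytes.fromhex("063505")  # start ciphering with A5/3
```

A monitoring tool on the handset side can run the first function over decoded signalling and raise its own warning, independently of whether the phone or the SIM suppresses the built-in indicator.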
In a little experiment we did in our lab, we took 2 SIM cards from 2 different network operators, let us call them Operator1 and Operator2, and we inserted them in the phones you saw in the previous picture, an old (2004) Nokia 6230, and a more recent (2008) iPhone 3G. Then, we established a call between them, using our own base station with A5/0, that is, no encryption, and the result was the one depicted in the previous picture: the old Nokia phone displayed the open lock icon, indicating that the call was not being encrypted, while the iPhone did not show any indication of this fact.
Then, we swapped the SIM cards between the two phones, and established again a call between them. The result: this time neither the Nokia 6230 nor the iPhone 3G displayed any indication of the call not being encrypted, as you can see in the following picture:
The conclusions we can draw from this little experiment are:
- the Nokia 6230 will show an open lock icon when a call is not encrypted, unless the SIM card disables this feature,
- the iPhone 3G will never notify the user about a call not being encrypted,
- the SIM card from Operator1 (inserted in the Nokia phone in the first picture) does not disable the ciphering indicator, and
- the SIM card from Operator2 (inserted in the Nokia phone in the second picture) disables the ciphering indicator.
Think about it for a second, and then try again to answer the question in the title of this article: does your phone warn you when it is not encrypting your calls?
If you want to find out, bring your mobile phone and SIM card to our GSM/UMTS (2G/3G) SECURITY training course, and you will be able to test it yourself! Sessions available in English and in Spanish!