3GPP LTE Security Aspects
Wednesday 8 June 2011
3GPP LTE Security Aspects
Wednesday 4 May 2011
New Security Algorithms in Release-11
Tuesday 1 February 2011
6th ETSI Security Workshop
Tuesday 3 August 2010
Double whammy for GSM Security
How does the GSM snooping work?
Chris Paget was able to patch together an IMSI (International Mobile Subscriber Identity) catcher device for about $1500. The IMSI catcher can be configured to impersonate a tower from a specific carrier. To GSM-based cell phones in the immediate area, the spoofed cell tower appears to be the strongest signal, so the devices connect to it, enabling the fake tower to intercept outbound calls from the cell phone.
What happens to the calls?
Calls are intercepted, but can be routed to the intended recipient so the attacker can listen in on, and/or record the conversation. To the real carrier, the cell phone appears to no longer be connected to the network, so inbound calls go directly to voicemail. Paget did clarify, though, that it's possible for an attacker to impersonate the intercepted device to the wireless network, enabling inbound calls to be intercepted as well.
But, aren't my calls encrypted?
Generally speaking, yes. However, the hacked IMSI catcher can simply turn the encryption off. According to Paget, the GSM standard specifies that users should be warned when encryption is disabled, but that is not the case for most cell phones. Paget explained "Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers."
What wireless provider networks are affected?
Good news for Sprint and Verizon customers--those networks use CDMA technology rather than GSM, so cell phones on the Sprint or Verizon networks would not connect to a spoofed GSM tower. However, AT&T and T-Mobile--as well as most major carriers outside of the United States--rely on GSM.
Does 3G protect me from this hack?
This IMSI catcher hack will not work on 3G, but Paget explained that the 3G network could be knocked offline with a noise generator and an amplifier--equipment that Paget acquired for less than $1000. With the 3G network out of the way, most cell phones will revert to 2G to find a viable signal to connect to.
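As an added illustration (not part of the original post, and not Paget's tooling), the three traits described above can be turned into a handset-side check: a serving cell with encryption switched off, a drop from 3G to 2G, and an unfamiliar cell that is stronger than every known one. The record format, field names, cell IDs and the two-trait alert threshold are assumptions made for this sketch.

```python
from dataclasses import dataclass

@dataclass
class Obs:                 # hypothetical record format, not from any real tool
    t: int                 # seconds since logging started
    rat: str               # "3G" or "2G"
    cell_id: int
    dbm: int               # received signal strength
    cipher: str            # "A5/0" = GSM with encryption off

def flag_suspicious(observations, known_cells, min_reasons=2):
    """Return (t, cell_id, reasons) for observations matching >= min_reasons traits."""
    alerts, prev, strongest_known = [], None, None
    for o in observations:
        reasons = []
        if o.rat == "2G" and o.cipher == "A5/0":
            reasons.append("ciphering disabled")
        if prev is not None and prev.rat == "3G" and o.rat == "2G":
            reasons.append("3G to 2G downgrade")
        if o.cell_id in known_cells:
            # Known cells build the baseline for "strongest legitimate signal".
            strongest_known = o.dbm if strongest_known is None else max(strongest_known, o.dbm)
        elif strongest_known is not None and o.dbm > strongest_known:
            reasons.append("unknown cell stronger than any known cell")
        if len(reasons) >= min_reasons:
            alerts.append((o.t, o.cell_id, reasons))
        prev = o
    return alerts

# Constructed sample data: cell IDs, signal levels and timings are invented.
KNOWN_CELLS = {1001, 1002, 2001}
SAMPLE = [
    Obs(0,   "3G", 1001, -85, "UEA1"),
    Obs(30,  "3G", 1002, -90, "UEA1"),
    Obs(60,  "2G", 2001, -80, "A5/1"),   # ordinary fallback to a known 2G cell
    Obs(90,  "3G", 1001, -84, "UEA1"),
    Obs(120, "2G", 9999, -55, "A5/0"),   # unknown, very strong, no encryption
]

if __name__ == "__main__":
    for t, cell, reasons in flag_suspicious(SAMPLE, KNOWN_CELLS):
        print(f"t={t}s cell={cell}: " + "; ".join(reasons))
```

Requiring two traits keeps an ordinary 2G fallback to a known cell (the observation at t=60) from raising an alert on its own.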
A researcher released software at the Black Hat conference on Thursday designed to let people test whether their calls on mobile phones can be eavesdropped on.
The public availability of the software, dubbed Airprobe, means that anyone with the right hardware can snoop on other people's calls unless the target telecom provider has deployed a patch that was standardized about two years ago by the GSMA, the trade association representing GSM (Global System for Mobile Communications) providers, including AT&T and T-Mobile in the U.S.
Most telecom providers have not patched their systems, said cryptography expert Karsten Nohl.
"This talk will be a reminder to this industry to please implement these security measures because now customers can test whether they've patched the system or not," he told CNET in an interview shortly before his presentation. "Now you can listen in on a stranger's phone calls with very little effort."
An earlier incarnation of Airprobe was incomplete so Nohl and others worked to make it usable, he said.
Airprobe offers the ability to record and decode GSM calls. When combined with a set of cryptographic tools called Kraken, which were released last week, "even encrypted calls and text messages can be decoded," he said.
To test phones for interception capability you need: the Airprobe software and a computer; a programmable radio for the computer, which costs about $1,000; access to cryptographic rainbow tables that provide the codes for cracking GSM crypto (another Nohl project); and the Kraken tool for cracking the A5/1 crypto used in GSM, Nohl said.
More information about the tool and the privacy issues is on the Security Research Labs Web site.
Monday 15 February 2010
New Technologies for Mobile Phone Theft prevention
Three prototype solutions for preventing mobile phone theft have been unveiled.
The i-migo, the 'tie' solution and TouchSafe have been developed to counter crimes such as mobile phone identity fraud, which rose by over 70 per cent in 2009.
TouchSafe uses Near Field Communications (NFC) technology similar to that used by the Oyster Card and requires the handset's owner to carry a small card with them that they touch on the phone every time they make a purchase.
The 'tie' solution makes an association between a handset and the SIM chip so that other SIMs cannot be used on the handset should the mobile phone be stolen.
And the i-migo is a small device carried by the mobile phone's owner that sounds an alert and locks the handset should it be taken outside of a set range. Additionally, it automates the back-up of any data stored on the device.
The prototypes were inspired by a Home Office initiative to develop new ways of preventing mobile phone theft and will be shown off at Mobile World Congress in Barcelona next week.
Home Office Minister Alan Campbell said: "As new technology creates new opportunities for the user it can also provide criminals with opportunities as well.
"I believe the solutions developed by this challenge have the potential to be as successful as previous innovations like Chip and Pin, which reduced fraud on lost or stolen cards to an all-time low, and would encourage industry to continue working with us and take them up," Campbell continued.
Monday 25 January 2010
LTE/EPS Security Starting point
Tuesday 3 November 2009
Wavesecure: Helping track lost phones
Siliconindia organized the Mobile Applications Conference (MAC) on October 31, where 25 mobile companies exhibited their applications and presented their business plans at the NIMHANS (National Institute of Mental Health and Neuro Sciences) convention center, Bangalore, in front of around 400 people and entrepreneurs. Industry leaders within the mobile space also shed some light on where the industry is headed and how entrepreneurs and developers can take advantage.
TenCube, whose anchor product, WaveSecure, is the market leading mobile security suite recognized by customers and analysts, won the best mobile application award. TenCube was the unanimous choice of judges as well as the audience. It got 71 votes followed by Eterno Infotech and Divium, which got 37 and 36 votes respectively. Originally developed for police and military use in Singapore, WaveSecure has become Nokia's preferred mobile security product, chosen to be bundled into millions of premium Nokia devices. It is also the preferred security service selected by leading operators like Telenor and SingTel for their subscribers.
Very interesting FAQs for those interested.
Thursday 27 August 2009
Security of Mobiles and Networks to be tested soon
In comments made to the German edition of the Financial Times, the hacking group claims that governments, and criminals, are already using the technique which can break the encryption used to protect 2G GSM calls in near-real time using existing systems. The group says a public exposure of the technique will take place in the next month or two and allow anyone equipped with a laptop and an antenna to listen in to GSM phone calls.
Wednesday 8 July 2009
Wireless Cellular Security
There are lots of interesting Questions and Answers. One interesting one is:
Does number portability mean that data within an AuC is compromised?
Not really. Number portability does not mean sensitive data from the old AuC are transferred to the new AuC. The new operator will issue a new USIM which will have a new IMSI. Number portability only means that the MSISDN is kept the same for others to call the mobile. The translation between MSISDN and IMSI is done at a national level register. Such a translation will identify the Home PLMN and the HLR that needs to be contacted for an incoming call.
That’s the theory and that’s how it should be done. It will be interesting to know how operators in India do this.
You can read all Q&As here.
I wrote a tutorial on UMTS security many years back. It's available here.
Friday 10 April 2009
HSPA based Laptop Enabler/Disabler
Ericsson's F3607gw mobile-broadband module for HSPA/GPRS/EDGE networks, to be released in June, will provide enhanced functionality and convenience through its innovative features, reduced power consumption, prolonged battery life and an increased level of integration, reducing the number of necessary components and therefore cost. The new module will also provide built-in mobile broadband support for Microsoft Windows 7.
Mats Norin, Vice President of Ericsson Mobile Broadband Modules, says: "The combination of leading technology and innovative design in the next-generation module is key to delivering a superior user experience at an affordable price. This module release confirms Ericsson's commitment to making the benefits of connectivity available to everyone."
Operators can also combine the wake-on wireless feature and embedded GPS functionality to create a range of differentiating services for consumers and the enterprise market, including remote manageability, security updates, asset protection and tracking and geo-fencing. The module can also be used for content push services, such as podcasts, public warnings, traffic updates and database updates.
Specifically, the wake-on wireless feature supports security solutions based on Intel's Anti-Theft PC Protection Technology. An anti-theft management service in the network can send a message via SMS to the mobile-broadband module inside the notebook, which securely transfers the message to Intel's Anti-Theft function inside the processor platform. This takes appropriate actions, such as completely locking the computer and making it unusable. When the notebook is located and recovered, an unlock message can be sent to the notebook that makes the data accessible again.
Thursday 5 February 2009
100% secure Zumba Lumba Phone to be available soon
The Zumbafone could be available by the end of this year, according to reports.
The innovation is a circular pad that can be placed over the ear and detaches from a small handset that contains a circular dial pad and screen. Simply removing the earpiece pad from the handset activates a connection to the internet. You then simply say the name of a contact to dial a number or send a text. When you receive a text it can then be read out to you.
No contact information is stored on the handset itself, with all data being held ‘in the cloud’, which the makers say makes the phone 100 per cent secure. As it is fully tied to voice recognition, the claim is that if lost, the phone cannot be used by anyone else.
The phone is aimed as a low cost, or secondary phone, so eschews features such as high resolution screen and camera.
Thursday 29 January 2009
LTE Femtocells Killer App: Wireless HDD
Security appears to be all washed up, as USB sticks with sensitive data are being left regularly in pockets when workers take their clothes to be cleaned at laundrettes.
A survey from Credant Technologies claims that 9,000 USB sticks have been forgotten and left in the pockets of clothes taken to dry cleaners. These figures were obtained from phone interviews with 500 dry cleaners across the UK, who found an average of two USB keys per year. Extrapolating this to the 4,500 dry cleaners in the UK leads to the 9,000 figure.
Data sticks are most frequently found in city centres and commuter areas with one proprietor in the City of London finding 80 memory sticks in 2008 alone.
Back at the LTE World Summit last year, one of the things I mentioned was that once LTE Femtocells are available we may be able to create innovative and groundbreaking applications to run on them. I was aware of some people suggesting that the broadband providers may throttle the backhaul traffic on the Femto but I was assured by one person from Sweden (or Finland ... can't recall for sure) that in the Nordics there are already speeds of up to 100Mbps available and most of the people use P2P networks, thereby consistently loading the ISPs. He did not think that there will be a problem.
One of the applications I suggested was a wireless Hard Disk Drive (HDD) or maybe a better term would be mobile USB (MUSB). The following slides are extracted from my presentation as I am being a bit lazy (and busy) to put them here.
Thursday 24 April 2008
Security Upgrade from Release 7
From Release 7 there are some additional provisions made for increasing the security.
First let's talk about GSM. Initially only the a5_1 and a5_2 algorithms were defined for GSM. They have not been compromised to date and are still secure. Still, some new algorithms have been defined to make sure there is a backup if they are ever compromised. a5_3, a5_5 and a5_8 have been defined for GSM/GPRS and GEA3 defined for EDGE.
For UMTS, UEA2 and UIA2 have been defined. They are based on the 'SNOW 3G' algorithm. KASUMI is a block cipher algorithm whereas SNOW 3G is a stream cipher. The interesting thing, as far as I understand, is that even though this is defined and mandatory for UEs and the network from Rel7, it won't be used but will only serve as backup. More on this topic can be learnt here.
More detailed information on UIA2 and UEA2 is available here.
There are some enhancements coming in the SIM as well. At present all the keys are 128 bits but there should be a provision that in future, 256 bits can be used.
There is some extensive overhauling of IMS security as well but I haven't managed to get a good understanding of that yet.
All the reports from the 3rd ETSI Security Workshop held on Jan 15-16 2008 are available here.