Friday 21 September 2012
Cellular-Wi-Fi Integration - technology and standardization roadmap
Monday 3 September 2012
Cellular or WiFi: Which is the preferred network access?
Another interesting observation from above is that the survey puts WiFi and Cellular security to the same level. Though the cellular is more secure in case of an open public WiFi scenario where an eavesdropper may be able to get hold of login/password information it is generally at the same level of security to a secured WiFi. On the other hand with cellular, lawful interception may be much more easy as compared to using secure WiFi.
I am sure that the content of last paragraph are debatable and am happy to hear your viewpoints.
A slidecast of the Cisco whitepaper mentioned above is embedded as follows:
Friday 27 April 2012
Tuesday 17 April 2012
Release-12 Study on Integration of Single Sign-On (SSO) frameworks with 3GPP networks
This Work Item aims to provide service requirements for interworking of the operator-centric identity management with the user-centric Web services provided outside of an operator’s domain. Specifically, it addresses integration of SSO and the 3GPP services, which is essential for operators to leverage their assets and their customers’ trust, while introducing new identity services. Such integration will allow operators to become SSO providers by re-using the existing authentication mechanisms in which an end-user’s device effectively authenticates the end user.
For the operator to become the preferred SSO Identity Provider might require integration of the operator core with existing application service / content providers to allow the usage of credentials on the UE for SSO services. The 3GPP operator may leverage its trust framework and its reliable and robust secure credential handling infrastructure to provide SSO service based on operator-controlled credentials. Such SSO integration has to work with varied operator authentication configurations.
The Objective is to provide a comprehensive set of service requirements for the integration of SSO frameworks with 3GPP network by building upon the work done in the related feasibility study FS_SSO_Int (published in TR 22.895) as well as previously published related technical reports. This Work Item covers the following:
• Service requirements for integration of Identity Management and SSO frameworks, e.g. OpenID;
• Service requirements for Operators to enable users to access 3rd party services using Operator controlled user credentials;
• Service requirements associated with ensuring that the intended user is making use of the associated SSO capability (including the case when the UE has been stolen or lost).
3GPP TR 22.895 V12.0.0 - Study on Service aspects of integration of Single Sign-On (SSO) frameworks with 3GPP operator-controlled resources and mechanisms (Release 12) is an interesting read that provides use cases for SSO
The diagram above is from an interesting paper titled "Multi-domain authentication for IMS" that describes SSO and other authentication procedures and introduces the advantage of SSO.
Saturday 14 April 2012
Evolution of 3GPP Security
Friday 24 February 2012
'Mapped Security' Concept in LTE
When a UE registers on a network in 2G/3G or LTE, it has to perform Authentication. The Authentication Vectors are located in the USIM for the device and in Authentication Center (AuC) in the network. Once the Authentication is performed successfully, then the Keys for Ciphering and Integrity are derived and used during the call.
As I showed in my earlier post here, It is possible that the same AuC is used for 2G/3G and LTE networks. In this case if the UE has recently performed Authentication in one network then unless the keys are old, there is no need to perform the Authentication again in the other radio access technology (RAT). The Security keys (Ciphering and Integrity key) would be derived based on the keys in the previous RAT. 3GPP TS 33.102 and 3GPP TS 33.401 gives the details on how to derive the key from the previous RAT while in the new RAT using this mapped security concept.
Wednesday 23 November 2011
Secure Wi-Fi for Large Scale Events and Arenas
To download this presentation and other presentation from the recent event, click here.
Thursday 4 August 2011
Detailed presentation on Femtocell Security from Black Hat 2011
Monday 25 July 2011
Femto Hacking in UMTS and LTE
One of the differences you may notice is that the signalling from Femto to the Core Network over S1 is encrypted and Integrity Protected. In case of the LTE Femto, there are multiple keys and only the required key (Kenb) is provided to the Femto. See the key hierarchy below:
Wednesday 22 June 2011
Presentation on use of Femtocells to test UMTS Security
Saturday 11 June 2011
Smart Meters Data and Privacy
Wednesday 8 June 2011
3GPP LTE Security Aspects
3GPP LTESecurity Aspects
Wednesday 4 May 2011
New Security Algorithms in Release-11
Tuesday 1 February 2011
6th ETSI Security Workshop
Tuesday 3 August 2010
Double whammy for GSM Security
How does the GSM snooping work?
Chris Paget was able to patch together an IMSI (International Mobile Identity Subscriber) catcher device for about $1500. The IMSI catcher can be configured to impersonate a tower from a specific carrier. To GSM-based cell phones in the immediate area--the spoofed cell tower appears to be the strongest signal, so the devices connect to it, enabling the fake tower to intercept outbound calls from the cell phone.
What happens to the calls?
Calls are intercepted, but can be routed to the intended recipient so the attacker can listen in on, and/or record the conversation. To the real carrier, the cell phone appears to no longer be connected to the network, so inbound calls go directly to voicemail. Paget did clarify, though, that it's possible for an attacker to impersonate the intercepted device to the wireless network, enabling inbound calls to be intercepted as well.
But, aren't my calls encrypted?
Generally speaking, yes. However, the hacked IMSI catcher can simply turn the encryption off. According to Paget, the GSM standard specifies that users should be warned when encryption is disabled, but that is not the case for most cell phones. Paget explained "Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers."
What wireless provider networks are affected?
Good news for Sprint and Verizon customers--those networks use CDMA technology rather than GSM, so cell phones on the Sprint or Verizon networks would not connect to a spoofed GSM tower. However, AT&T and T-Mobile--as well as most major carriers outside of the United States--rely on GSM.
Does 3G protect me from this hack?
This IMSI catcher hack will not work on 3G, but Paget explained that the 3G network could be knocked offline with a noise generator and an amplifier--equipment that Paget acquired for less than $1000. With the 3G network out of the way, most cell phones will revert to 2G to find a viable signal to connect to.
A researcher released software at the Black Hat conference on Thursday designed to let people test whether their calls on mobile phones can be eavesdropped on.
The public availability of the software - dubbed Airprobe -- means that anyone with the right hardware can snoop on other peoples' calls unless the target telecom provider has deployed a patch that was standardized about two years ago by the GSMA, the trade association representing GSM (Global System for Mobile Communications) providers, including AT&T and T-Mobile in the U.S.
Most telecom providers have not patched their systems, said cryptography expert Karsten Nohl.
"This talk will be a reminder to this industry to please implement these security measures because now customers can test whether they've patched the system or not," he told CNET in an interview shortly before his presentation. "Now you can listen in on a strangers' phone calls with very little effort."
An earlier incarnation of Airprobe was incomplete so Nohl and others worked to make it usable, he said.
Airprobe offers the ability to record and decode GSM calls. When combined with a set of cryptographic tools called Kraken, which were released last week, "even encrypted calls and text messages can be decoded," he said.
To test phones for interception capability you need: the Airprobe software and a computer; a programmable radio for the computer, which costs about $1,000; access to cryptographic rainbow tables that provide the codes for cracking GSM crypto (another Nohl project); and the Kraken tool for cracking the A5/1 crypto used in GSM, Nohl said.
More information about the tool and the privacy issues is on the Security Research Labs Web site.
Monday 15 February 2010
New Technologies for Mobile Phone Theft prevention
Design Out Crime: Mobile Phone solutions from Design Council on Vimeo.
Three prototype solutions for preventing mobile phone theft have been unveiled.
The i-migo, the 'tie' solution and TouchSafe have been developed to counter crimes such as mobile phone identity fraud, which rose by over 70 per cent in 2009.
TouchSafe uses Near Field Communications (NFC) technology similar to that used by the Oyster Card and requires the handset's owner to carry a small card with them that they touch on the phone every time they make a purchase.
The 'tie' solution makes an association between a handset and theSIM chip so that other SIMs cannot be used on the handset should the mobile phone be stolen.
And the i-migo is a small device carried by the mobile phone's owner that sounds an alert and locks the handset should it be taken outside of a set range. Additionally, it automates the back-up of any data stored on the device.
The prototypes were inspired by a Home Office initiative to develop new ways of preventing mobile phone theft and will be shown off atMobile World Congress in Barcelona next week.
Home Office Minister Alan Campbell said: "As new technology creates new opportunities for the user it can also provide criminals with opportunities as well.
"I believe the solutions developed by this challenge have the potential to be as successful as previous innovations like Chip and Pin, which reduced fraud on lost or stolen cards to an all-time low, and would encourage industry to continue working with us and take them up," Campbell continued.
Monday 25 January 2010
LTE/EPS Security Starting point
Tuesday 3 November 2009
Wavesecure: Helping track lost phones
Siliconindia organized Mobile Applications Conference (MAC) on October 31, where 25 mobile companies exhibited their applications and presented their business plans in NIMHANS (National Institute of Mental Health and Neuro Sciences) convention center, Bangalore, in front of around 400 people and entrepreneurs. Industry leaders within the mobile space also put some light on where the industry is headed and how entrepreneurs and developers can take advantage.
TenCube, whose anchor product, WaveSecure, is the market leading mobile security suite recognized by customers and analysts, won the best mobile application award. TenCube was the unanimous choice of judges as well as the audience. It got 71 votes followed by Eterno Infotech and Divium, which got 37 and 36 votes respectively. Originally developed for police and military use in Singapore, WaveSecure has become Nokia's preferred mobile security product, chosen to be bundled into millions of premium Nokia devices. It is also the preferred security service selected by leading operators like Telenor and SingTel for their subscribers.
Very interesting FAQ's for those interested.
See Demo below:
Thursday 27 August 2009
Security of Mobiles and Networks to be tested soon
In comments made to the German edition of the Financial Times, the hacking group claims that governments, and criminals, are already using the technique which can break the encryption used to protect 2G GSM calls in near-real time using existing systems. The group says a public exposure of the technique will take place in the next month or two and allow anyone equipped with a laptop and an antenna to listen in to GSM phone calls.
Wednesday 8 July 2009
Wireless Cellular Security
There are lots of interesting Questions and Answers. One interesting one is:
Does number portability mean that data within an AuC is compromised?
Not really. Number portability does not mean sensitive data from old AuC are transferred to the new AuC. The new operator will issue a new USIM which will have a new IMSI. Number portability only means that MSISDN is kept the same for others to call the mobile. The translation between MSISDN and IMSI is done at a national level register. Such a translation will identify the Home PLMN and the HLR that’s needs to be contacted for an incoming call.
That’s the theory and that’s how it should be done. It will be interesting to know how operators in India do this.
You can read all Q&A's here.
I wrote a tutorial on UMTS security many years back. Its available here.