Wrong Number
September 11, 2010 at 11:58 pm | Posted in Cyber Security, Privacy
Tags: encryption, GSM, hacking, IAM, IMSI Catcher, mobile phone, one time password, SMS
At a recent briefing on Cyber Security, one of the speakers remarked that there’s no correlation between the size (numbers, budget, resources) of the attacker and their capability to mount an attack on your networks. My friend and former colleague Nik Barron drew my attention recently to a presentation at Defcon 18 on the subject of “Practical Cellphone Spying”.
It’s common knowledge that the crypto scheme in GSM is so weak that it’s easily broken, but in fact, if you’re within radio range of a target cellphone, it’s possible to intercept calls and SMS (text messages) by bypassing the crypto scheme entirely. In his talk, Paget explains how to build and operate an IMSI catcher, a fake GSM base station that can trick a target handset into sending you its voice traffic. GSM phones are designed to accept instructions from the BTS (the GSM base station), and even when instructed to turn off crypto, the handset will not warn the user. Paget’s solution is based on an overlap between the ISM (Industrial, Scientific, Medical) band and the GSM band in the US. This band is also a ham band (ISM is a secondary use), so it’s possible to operate with an amateur radio licence, and the necessary equipment can be built by a reasonably skilled amateur for around £1,000.
So, what Paget proposes – the ability to seduce mobile phones into connecting to a fake base station and to use those connections to intercept voice or SMS communications – has been possible for a long time. Crucially, though, it was always sufficiently difficult and expensive (hundreds of thousands of dollars) that it remained in the province of intelligence services, organised crime or other well-funded adversaries. While the price (and the expertise needed) is still probably just beyond the point where the public might attempt to “listen in” on their neighbours, it’s possible to envisage “drive by” interception, using systems built primarily around a laptop (or even a handheld device).
Why does this concern me? Well, my main area of expertise is the design and implementation of Identity and Access Management (IAM) systems. In my field, it’s common practice to use SMS messages for out-of-band transmission of credentials, either for distributing new credentials or for one-time passwords used as part of a multi-factor authentication scheme. We must now seriously question our trust in SMS as a secure transport for these applications.