Tags: encryption, GSM, hacking, IAM, IMSI Catcher, mobile phone, one time password, SMS
At a recent briefing on Cyber Security, one of the speakers remarked that there’s no correlation between the size (numbers, budget, resources) of the attacker and their capability to mount an attack on your networks. My friend and former colleague Nik Barron drew my attention recently to a presentation at Defcon 18 on the subject of “Practical Cellphone Spying“.
It’s common knowledge that the crypto scheme in GSM is so weak that it’s easily broken, but in fact, if you’re within radio range of a target cellphone it’s possible to intercept calls and SMS (text messages) by bypassing the crypto scheme entirely. In his talk, Paget explains how to build and operate an IMSI catcher, a fake GSM base station which can trick a target handset into sending you its voice traffic. In fact, GSM phones are designed to accept instructions from the BTS (GSM base station). Even if instructed to turn off crypto, the handset will not warn the user. Paget’s solution is based on an overlap between the ISM (Industrial, Scientific, medical) Band and the GSM Band in the US. This band is also a ham band (ISM is a secondary use), so it’s possible to operate with an amateur radio licence and the necessary equipment can be built by a reasonably skilled amateur for around £1,000.
So, while what Paget proposes – the ability to seduce mobile phones to connect to a fake base station and to use those connections to intercept voice or SMS communications – has been possible for a long time, but crucially, it was always sufficiently difficult and expensive (hundreds of thousands of dollars) that it remained in the province of intelligence services, organised crime or other well-funded adversaries. While the price (and the expertise needed) is still probably just beyond the point where the public might attempt to “listen in” on their neighbours, it’s possible to envisage “drive by” interception, using systems built primarily around a laptop (or even a handheld device).
Why does this concern me? Well, my main area of expertise is around the design and implementation of Identity and Access Management (IAM) systems. In my field, it’s common practice to use SMS messages for out-of-band transmission of credentials, either for distributing new credentials or for one time passwords, used as part of a multi-factor authentication scheme. We must now seriously question our trust in SMS as a secure transport for these applications.
Tags: NHS, Summary Care Record
The row over Summary Care Records for the NHS rumbles on. A UCL report published more than a year ago on the experiences of early adopters indicated concern that non-medical staff may be given access to the information, despite reassurances that this would not happen. The explanation – that it fits better with working practices – is very telling. While it’s possible to conceive circumstances where the SCR might prove of value to a patient (if the patient were to be admitted to hospital, unconscious and unaccompanied), the convenience of NHS staff appears to be at least equally important. AC Grayling makes the point in his book “Liberty in the Age of Terror” that this gradual erosion of individual privacy fundamentally changes the relationship between the citizen and the state for the worse.
Now, I have strong reservations about the whole notion, because:
- The Government’s record on large scale computer projects is dismal;
- The security mechanisms intended to protect this information are untried;
- Inevitably, over time, the information is likely to be aggregated with the contents of databases from other Government departments and made available to an ever wider community, far exceeding the original audience of “only those involved in your care”, as promised in the Care Record Guarantee.
- Already, the Guarantee notes that “We will not share health information that identifies you (particularly with other government agencies) for any reason other than providing your care, unless … we have special permission because the public good is thought to be of greater importance than your confidentiality.”
- Finally, it’s inevitable that sooner or later, large amounts of data from the SCR will be lost (maybe on a DVD, maybe on a laptop, who knows?).
Fortunately, the GP Practice that looks after my family has conscientiously provided information for patients on the implications of this new development. They also provided a simple method for patients to opt out, by sending a pro-forma letter, which is then stored with their computerised records within the practice.
Elsewhere, this morning’s Times suggests that patients in Primary Care Trusts in Bolton, Bradford and Airedale, Bury, Dorset, South Birmingham and South West Essex might find it a bit trickier. Everyone registered with a GP in those areas has this week received a pamphlet explaining the new arrangements. The pamphlet helpfully directs you to a URL, where you can opt out. Wrong. It seems that the site (which has no search function) does not provide the facility to opt out. The journalist has discovered (by dint of sheer bloody-mindedness, I presume) that the covering letter gives a different URL, via which you can eventually reach a downloadable opt-out form. One has to assume that we’re not supposed to be able to find it!