Wrong Number

September 11, 2010 at 11:58 pm | Posted in Cyber Security, Privacy

At a recent briefing on Cyber Security, one of the speakers remarked that there’s no correlation between the size (numbers, budget, resources) of the attacker and their capability to mount an attack on your networks. My friend and former colleague Nik Barron drew my attention recently to a presentation at Defcon 18 on the subject of “Practical Cellphone Spying”.

It’s common knowledge that the crypto scheme in GSM is so weak that it’s easily broken, but in fact, if you’re within radio range of a target cellphone it’s possible to intercept calls and SMS (text messages) by bypassing the crypto scheme entirely. In his talk, Paget explains how to build and operate an IMSI catcher, a fake GSM base station which can trick a target handset into sending you its voice traffic. GSM phones are designed to accept instructions from the BTS (GSM base station), and even if instructed to turn off crypto, the handset will not warn the user. Paget’s solution is based on an overlap between the ISM (Industrial, Scientific, Medical) Band and the GSM Band in the US. This band is also a ham band (ISM is a secondary use), so it’s possible to operate with an amateur radio licence, and the necessary equipment can be built by a reasonably skilled amateur for around £1,000.

So, what Paget proposes – the ability to seduce mobile phones to connect to a fake base station and to use those connections to intercept voice or SMS communications – has been possible for a long time, but crucially, it was always sufficiently difficult and expensive (hundreds of thousands of dollars) that it remained in the province of intelligence services, organised crime or other well-funded adversaries. While the price (and the expertise needed) is still probably just beyond the point where the public might attempt to “listen in” on their neighbours, it’s possible to envisage “drive by” interception, using systems built primarily around a laptop (or even a handheld device).

Why does this concern me? Well, my main area of expertise is around the design and implementation of Identity and Access Management (IAM) systems. In my field, it’s common practice to use SMS messages for out-of-band transmission of credentials, either for distributing new credentials or for one-time passwords, used as part of a multi-factor authentication scheme. We must now seriously question our trust in SMS as a secure transport for these applications.



New Blog, Old Friend

March 18, 2010 at 10:46 pm | Posted in Uncategorized

I’m always on the lookout for interesting new blogs, especially in my main subject area of Identity and Access Management. Of course, I try to follow the blogs of the best known gurus in my field. However, I reserve space on my blog roll (over to the right =>) for people that I know and trust.

In this spirit, I just added a link to the “Joined Up Thinking” blog, maintained by Stephen Swann. Stephen is Belfast based and we met around 8 years ago on opposite sides of an IAM project for a retail bank. I stumbled upon Stephen through Twitter – he showed up in a search, fed through to Google Reader – and we took the opportunity to reconnect through LinkedIn.

Stephen is an experienced and thoughtful professional and I’ll follow his blogging with great interest.  I strongly recommend that you do too.
