Interception of GSM Calls

There is a serious weakness in the A5/1 encryption scheme used in GSM networks, and it can lead to the interception of GSM calls. A practical attack on it was presented by Karsten Nohl and Chris Paget at the 26th Chaos Communication Congress (26C3), the annual four-day conference organized by the Chaos Computer Club (CCC). It took place from December 27th to December 30th, 2009 at the bcc Berliner Congress Center in Berlin, Germany.

Citation from the CCC Web site:

The world’s most popular radio system has over 3 billion handsets in 212 countries and not even strong encryption. Perhaps due to cold-war era laws, GSM’s security hasn’t received the scrutiny it deserves given its popularity. This bothered us enough to take a look; the results were surprising.

From the total lack of network to handset authentication, to the “Of course I’ll give you my IMSI” message, to the iPhone that really wanted to talk to us. It all came as a surprise – stunning to see what $1500 of USRP can do. Add a weak cipher trivially breakable after a few months of distributed table generation and you get the most widely deployed privacy threat on the planet.

Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoS’ing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all, too. Prepare to change the way you look at your cell phone, forever.

Slides are here.

Track repository is here. It implements an attack on the A5/1 cipher.

Torrents are here.

Note 1: This is not advocating the exploitation of weaknesses; the point is to inform about the fact that GSM calls are already being intercepted and decrypted using commercial tools.

Note 2: The links above were active at the moment of writing this blog post. Some of them may be recalled or become inactive for various reasons.
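To make the "weak cipher" remark above concrete, here is a compact A5/1 keystream generator. It is an illustration added to this post, not code from the 26C3 project, its Track repository, or this blog; it follows the public description of A5/1 (three LFSRs of 19, 22 and 23 bits with majority clocking, 64-bit Kc and 22-bit frame number loaded bit by bit, 100 mixing clocks, then 114 + 114 keystream bits per frame). The sample Kc and frame number are made-up values. The thing to notice is `state()`: the entire secret is 64 bits, and the frame number is public, which is why a few known keystream bits (obtained by XORing a predictable frame with its ciphertext) are enough input for precomputed tables.

```python
# A5/1 keystream generator, added as an illustration for this post (not the 26C3
# project's code). Register lengths, taps and the loading order follow the public
# description of A5/1.

R1MASK, R2MASK, R3MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF   # 19-, 22-, 23-bit registers
R1MID, R2MID, R3MID = 1 << 8, 1 << 10, 1 << 10          # majority-clocking bits
R1TAPS, R2TAPS, R3TAPS = 0x072000, 0x300000, 0x700080   # feedback taps
R1OUT, R2OUT, R3OUT = 18, 21, 22                         # output bit position per register


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Shift one LFSR left by one bit, feeding back the parity of its tapped bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    def __init__(self, kc: bytes, frame: int) -> None:
        if len(kc) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("Kc must be 64 bits and the frame number 22 bits")
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                  # load the 64-bit session key Kc, LSB first
            self._clock_all()
            self._xor_in((kc[i >> 3] >> (i & 7)) & 1)
        for i in range(22):                  # load the public 22-bit TDMA frame number
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        for _ in range(100):                 # 100 mixing clocks, output discarded
            self._clock()

    def _xor_in(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self) -> None:
        """Unconditional clocking, used only while loading key and frame number."""
        self.r1 = _step(self.r1, R1MASK, R1TAPS)
        self.r2 = _step(self.r2, R2MASK, R2TAPS)
        self.r3 = _step(self.r3, R3MASK, R3TAPS)

    def _clock(self) -> None:
        """Majority clocking: a register moves only if its clocking bit agrees with the majority."""
        b1 = (self.r1 & R1MID) != 0
        b2 = (self.r2 & R2MID) != 0
        b3 = (self.r3 & R3MID) != 0
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1MASK, R1TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2MASK, R2TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3MASK, R3TAPS)

    def state(self) -> tuple:
        """The complete secret state: 19 + 22 + 23 = 64 bits. This is what the
        time-memory trade-off tables are built to look up from known keystream."""
        return (self.r1, self.r2, self.r3)

    def bit(self) -> int:
        self._clock()
        return ((self.r1 >> R1OUT) ^ (self.r2 >> R2OUT) ^ (self.r3 >> R3OUT)) & 1

    def bursts(self):
        """Return (downlink, uplink): 114 keystream bits each for one TDMA frame."""
        down = [self.bit() for _ in range(114)]
        up = [self.bit() for _ in range(114)]
        return down, up


def recover_keystream(plaintext_bits, ciphertext_bits):
    """Known plaintext (e.g. a predictable signalling frame) reveals the keystream
    directly; those bits are the input the precomputed tables consume."""
    return [p ^ c for p, c in zip(plaintext_bits, ciphertext_bits)]


if __name__ == "__main__":
    kc = bytes.fromhex("1223456789abcdef")   # constructed sample key, not a real session key
    down, up = A51(kc, 0x134).bursts()
    print("downlink keystream:", "".join(map(str, down)))
    plain = [0] * 114                        # a burst whose content the attacker can predict
    cipher = [p ^ k for p, k in zip(plain, down)]
    print("recovered == keystream:", recover_keystream(plain, cipher) == down)
```

The generator is deterministic in (Kc, frame number), and the frame number is broadcast, so every frame of a call is encrypted under the same 64-bit secret with a public tweak; that is the property the table attack exploits.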


Wireless Intrusion Detection and Prevention Systems

After quite some time of silence regarding my work on Wireless Intrusion Detection and Prevention Systems (WIDS / WIPS), I'm considering continuing that work. In the past I have done research, published a couple of papers on this topic at conferences and in journals, and also created the concept, basic architecture and design of a system and products. This possible "reactivation" of the work is particularly pushed by the recent increased interest of companies, organizations and institutions (commercial, government, etc.) who contacted me regarding it, and by the requirements of many production environments.

As you could have read earlier on this blog, that area has been one of my research interests for a long time. Intrusion Detection and Prevention Systems (IDS/IPS), especially those used in wireless and mobile networks, are becoming particularly interesting and important with the increased usage of these types of networks. My research has been particularly oriented to the use of artificial intelligence, fuzzy logic and neural networks to make these systems better, easier to use and more efficient. At the 19th Annual Computer Security Applications Conference, ACSAC (December 8-12, 2003, Las Vegas, Nevada, USA), I talked about a Wireless Intrusion Detection System (WIDS) and proposed a multilevel and multidimensional system with the components: agent, sensor, server, and management and reporting tools. I also talked at some other conferences and published a couple of papers on this topic. There are different approaches to intrusion detection and prevention, but what is very common for commercially available IDS/IPS is that they suffer from many false alarms (positives and negatives) and from performance problems. A separate problem is the so-called "zero-day" attacks that pass the majority of today's IDS / IPS systems unnoticed.

The Wireless Intrusion Detection and Prevention System, in the architecture that I proposed many years ago, consists of:

• WIDS / WIPS Agent. Software installed on a mobile computer or device. It detects intrusions and attacks by analyzing traffic and behavior, draws conclusions and blocks them; it protects the computer or computerized device. The Agent works in cooperation with the WIDS / WIPS Sensor and Server if those are available in the network and can be reached. Its place is on a Personal Computer (PC), including Pocket PC (PPC) and similar mobile devices.

• WIDS / WIPS Sensor. An appliance that sits in the wireless network environment. It has embedded logic for detecting intrusions and alerting stations and servers about them; it alerts network users and/or administrators too. The Sensor works in cooperation with the WIDS Agent and Server if they are available in the same network. Its place is in the area covered by the wireless computer network.

• WIDS / WIPS Server. Corporate software that integrates the functions of the previous two components and adds further mechanisms: collecting, analyzing, drawing conclusions (based on a neural network and fuzzy logic implementation), and supporting the WIDS Agent and Sensor. It can communicate with CERT centers and similar bodies, and it is responsible for cooperation with other security software or devices (antivirus software, firewalls, ...). The Server collects information about WLAN security, events, incidents and performance from the WIDS Sensors deployed throughout a WLAN and delivers it to the WIDS Console in a format that helps network administrators immediately identify problems. Its place is in the corporate network, or remote for several mutually linked networks.

• WIDS / WIPS Console & Management, Reporting Tools. A set of utilities intended to provide monitoring, management, tuning, and the preparation of various reports about the activity of the WIDS / WIPS components. They are installed on the Server, but can collect and show data from the various components of the WIDS / WIPS system. Single utilities can reside on Agent and Sensor devices and provide remote access and configuration capability too.
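As an illustration of the kind of logic a Sensor feeds to the Server, here is a small example added to this post; it is not the author's WIDS / WIPS code and makes no claim about that system's internals. It runs two checks over constructed 802.11 management-frame records: a rogue-AP check (a beacon advertising a protected SSID from a BSSID that is not in an assumed inventory) and a deauthentication-flood check, where the per-source deauth rate is scored with a fuzzy "high rate" membership instead of a single hard threshold, so the alert carries a confidence instead of a yes/no. The MAC addresses, SSIDs and frame records are all made up.

```python
# Toy WIDS sensor logic, added as an illustration for this post; not the author's system.
from collections import deque

# Assumed inventory of authorized BSSIDs per protected SSID (made-up addresses).
AUTHORIZED = {"corp-wlan": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

# Constructed frame records: (time_seconds, subtype, source_mac, bssid, ssid).
SAMPLE_FRAMES = (
    [(0.0, "beacon", "00:11:22:33:44:01", "00:11:22:33:44:01", "corp-wlan"),
     (0.1, "beacon", "00:11:22:33:44:02", "00:11:22:33:44:02", "corp-wlan"),
     (0.2, "beacon", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "corp-wlan"),  # evil twin
     (0.3, "beacon", "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff", "guest-net")]  # unrelated SSID
    + [(1.0 + i * 0.01, "deauth", "de:ad:be:ef:00:01", "00:11:22:33:44:01", "")
       for i in range(60)]                                                # 60 deauths in 0.6 s
    + [(5.0, "deauth", "00:11:22:33:44:02", "00:11:22:33:44:02", "")]      # one legitimate deauth
)


def fuzzy_high_rate(rate: float, low: float = 5.0, high: float = 25.0) -> float:
    """Membership of `rate` (frames/second) in the fuzzy set "high deauth rate":
    0 at or below `low`, 1 at or above `high`, linear in between (assumed breakpoints)."""
    if rate <= low:
        return 0.0
    if rate >= high:
        return 1.0
    return (rate - low) / (high - low)


def analyze(frames, authorized, window: float = 1.0, min_confidence: float = 0.5):
    """Run both checks over frame records and return a list of alert dicts."""
    alerts = []
    seen_rogue = set()
    recent = {}   # source -> deque of deauth timestamps inside the sliding window
    peak = {}     # source -> highest "high rate" membership observed for that source

    for t, subtype, src, bssid, ssid in sorted(frames):
        if subtype == "beacon" and ssid in authorized and bssid not in authorized[ssid]:
            if bssid not in seen_rogue:                  # alert once per rogue BSSID
                seen_rogue.add(bssid)
                alerts.append({"type": "rogue_ap", "source": bssid, "ssid": ssid,
                               "time": t, "confidence": 1.0})
        elif subtype == "deauth":
            q = recent.setdefault(src, deque())
            q.append(t)
            while q and t - q[0] > window:               # drop timestamps outside the window
                q.popleft()
            score = fuzzy_high_rate(len(q) / window)
            peak[src] = max(peak.get(src, 0.0), score)

    for src, score in peak.items():
        if score >= min_confidence:
            alerts.append({"type": "deauth_flood", "source": src, "ssid": None,
                           "time": recent[src][-1], "confidence": round(score, 2)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES, AUTHORIZED):
        print(alert)
```

On the constructed records this yields exactly two alerts, both for the evil-twin source: a rogue AP and a deauth flood with confidence 1.0, while the single legitimate deauthentication produces nothing. In a real deployment the breakpoints of the membership function and the window are the tuning knobs the Console would expose, and the Server would correlate the two alerts into one incident.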

This is just a brief description. If you are interested in more details, or want to consider contributing to or investing in this development, send me an e-mail.


Symbian Hacked?

Posted in Mobile / Cellular / Bluetooth by Dragan Pleskonjic @ Oct 28, 2007

Gábor Török, a senior mobile software engineer who has been involved in S60 platform development since 2000, posted an interesting article on his blog. The title of the post is "Symbian Platform Security – hacked?" and it links to a couple of other blogs and Web pages with related resources.

With a couple of not so complex steps (if you are familiar with programming and Symbian), you can change the firmware and flash your phone. You then have a phone (software) that allows you to grant such powerful rights to any 3rd-party application that it can do basically anything on the device. The demonstration uses the great S60 program Y-Browser with the AllFiles capability added to it, so that the author could explore the entire file system, which he hadn't been able to do until then.

Gábor asks why Symbian published such confidential information, which is useful solely for phone manufacturers. He also says that the documentation of the Software Installation Policy is a very internal thing. You can see that it's enough if one talented person stumbles upon that documentation and uses it. Also, why is a firmware package in a format that anyone can edit?

There is also an interesting article at Antony's Mobile Blog. It confirms that the hack works: Manko from Symbaali has demonstrated how he can access protected folders on the phone. Antony believes that Symbian or Nokia will come up with a counter-hack pretty soon. It is going to be very interesting to watch the next steps.

Hopefully this will be fixed with another firmware update that we will not have to wait too long for. It also shows that mobile phones and other PDA devices are a new arena for security battles.

Remark: Thanks to Robert B. for pointing me to this excellent article.


Ericsson Interception Management System Manual

Posted in Mobile / Cellular / Bluetooth, Privacy, Security by Dragan Pleskonjic @ Aug 13, 2007

This sounds unbelievable, but a document marked strictly confidential, the Ericsson Interception Management System Manual, is available for free download from the Internet. I don't know whether the document is obsolete or current, but either way it is very surprising that you can obtain it from the Internet. I learned about this through an article in IEEE Spectrum related to the Greek telephone tapping scandal.


The Athens Affair: Cell-Network Break-In

Posted in Mobile / Cellular / Bluetooth, Privacy by Dragan Pleskonjic @ Aug 11, 2007

In the July 2007 issue of IEEE Spectrum there is an interesting article on how some extremely smart hackers pulled off the most audacious cell-network break-in ever. It is still unknown who did it, but here's (IEEE Spectrum: The Athens Affair) how they did it. The article gives technical insight.

The illegally wiretapped cellphones in the Athens affair included those of the prime minister, his defense and foreign affairs ministers, top military and law enforcement officials, the Greek EU commissioner, activists, and journalists.

The Wikipedia article http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005 contains additional links to press stories and background material.

Ericsson’s Interception Management System user manual (marked confidential) is available on the Web through a Google search: http://www.google.com/search?q=IMS+ericsson+manual or at http://cryptome.org/ericsson-ims.htm


“Unlock” your iPhone!?

Posted in Hardware Security, Mobile / Cellular / Bluetooth by Dragan Pleskonjic @ Aug 8, 2007

Seems interesting, if it is true – Tutorial: "Unlock" your iPhone with SuperSim – Hackint0sh.


Is Someone Eavesdropping on Your Mobile Conversations? Then Clean the Trojan From Your Mobile.

Posted in Mobile / Cellular / Bluetooth, Privacy by Dragan Pleskonjic @ Dec 28, 2006

At present many people talk about the possibility of eavesdropping on their phone conversations, including voice, data transfers and SMS/MMS messages.

At the "Systems" exhibition in Germany, Mr Wilfried Hafner, general manager of SecurStar, demonstrated how easy it is to listen in on anybody's mobile telephone conversation and to spy on every sent/received telephone message. Read the articles at itwire.com, here and here.

He presented what he described as a new cellular phone vulnerability that allows infecting any cellular phone with a Trojan horse (RexSpy). The Trojan is sent to the victim using a special SMS that automatically starts itself on the target phone. SecurStar has developed and distributes, free of charge, a small utility that removes the "RexSpy" Trojan from infected phones. You can download it from the download section of their Web site (registration required, of course). According to the SecurStar web site, a removal utility for Symbian, Palm and BlackBerry devices will be provided in the next weeks.

SecurStar also produces the security software PhoneCrypt for mobile phones. They claim that with PhoneCrypt, SecurStar offers the ultimate security solution for mobile phones: every telephone call is 100% encrypted and nobody will be able to listen to your phone conversations. PhoneCrypt, they say, also patches the smartphone operating system (Windows Mobile) and eliminates vulnerabilities such as the one used by RexSpy and others, so that the phone can no longer be infected. More information about PhoneCrypt is here.

I haven't tried SecurStar's software yet, so I can't speak from personal experience about this. If you have, please send your opinions.


Avoid Pairing In A Public Location

Posted in Mobile / Cellular / Bluetooth by Dragan Pleskonjic @ Dec 25, 2006

Bluetooth wireless technology is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. The key features of Bluetooth technology are robustness, low power, and low cost. The Bluetooth specification defines a uniform structure for a wide range of devices to connect and communicate with each other.

Bluetooth technology has achieved global acceptance such that any Bluetooth enabled device, almost everywhere in the world, can connect to other Bluetooth enabled devices in proximity. Bluetooth enabled electronic devices connect and communicate wirelessly through short-range, ad hoc networks known as piconets. Each device can simultaneously communicate with up to seven other devices within a single piconet. Each device can also belong to several piconets simultaneously. Piconets are established dynamically and automatically as Bluetooth enabled devices enter and leave radio proximity.

A fundamental strength of Bluetooth wireless technology is the ability to handle both data and voice transmissions simultaneously. This enables users to enjoy a variety of innovative solutions, such as a hands-free headset for voice calls, printing and fax capabilities, and synchronizing PDA, laptop, and mobile phone applications, to name a few.

But Bluetooth technology has raised some security and privacy issues and concerns. If you want to know more about these, i.e. about bluejacking, bluebugging, bluesnarfing and related attacks, visit the official Bluetooth SIG (Special Interest Group) web site and its security section (here).

That is one side of the medal. There are many papers that describe how pairing in a public location can introduce a security risk.

Pairing in a public place, such as a point of sale, is discouraged when using the pairing procedure from the Bluetooth Baseband specification, as there is much greater risk that a subversive unit may intercept the keys. Note that such risk only occurs if a low-entropy Bluetooth passkey value is used.

For the highest level of security when using the pairing procedure from the Bluetooth Baseband specification, random long Bluetooth passkey values must be used. The maximum (useful) length of a passkey is 128 bits. An alternative approach for secure pairing is to provide a physical serial port interface between the Audio Gateway (AG) and the Headset (HS) to transfer sufficiently strong link keys directly.

Read this and this.
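To show why the passkey's entropy is what decides the risk of pairing in public, here is an example added to this post; it is not code from the Bluetooth specification, the Bluetooth SIG, or any of the papers linked above. It models the legacy (Bluetooth 2.0 and earlier) PIN pairing exchange between an initiator A and a responder B, followed by one authentication round, and then runs the offline PIN search that an eavesdropper who captured that exchange can perform (the approach published by Shaked and Wool in 2005). The real E22, E21 and E1 functions are built on SAFER+; HMAC-SHA256 truncated to 128 bits stands in for them here so the example runs without a SAFER+ implementation, and the device addresses are made up. The attack logic does not depend on which PRF is used.

```python
# Illustration added for this post: legacy Bluetooth PIN pairing and the offline PIN
# search over the eavesdropped transcript. E22/E21/E1 are replaced by an HMAC stand-in.
import hashlib
import hmac
import os

ADDR_A = bytes.fromhex("001122334455")   # constructed BD_ADDR of the initiator (e.g. the AG)
ADDR_B = bytes.fromhex("66778899aabb")   # constructed BD_ADDR of the responder (e.g. the HS)


def _prf(label: str, *parts: bytes) -> bytes:
    """128-bit stand-in for the SAFER+ based baseband functions (assumption, see lead-in)."""
    return hmac.new(label.encode(), b"".join(parts), hashlib.sha256).digest()[:16]


def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Kinit = E22(PIN, BD_ADDR, IN_RAND)  (stand-in)."""
    return _prf("E22", pin, bd_addr, in_rand)


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """Per-device link-key contribution LK_K = E21(LK_RAND, BD_ADDR)  (stand-in)."""
    return _prf("E21", lk_rand, bd_addr)


def e1(link_key: bytes, au_rand: bytes, bd_addr: bytes) -> bytes:
    """Authentication response SRES = E1(K, AU_RAND, BD_ADDR), 32 bits  (stand-in)."""
    return _prf("E1", link_key, au_rand, bd_addr)[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def legacy_pairing(pin: bytes, addr_a: bytes = ADDR_A, addr_b: bytes = ADDR_B):
    """Run pairing plus one authentication round. Returns (link_key, transcript), where
    the transcript is exactly what a passive sniffer in radio range gets to see."""
    in_rand = os.urandom(16)                     # A -> B   in clear
    k_init = e22(pin, addr_b, in_rand)           # derived independently on both sides
    lk_rand_a, lk_rand_b = os.urandom(16), os.urandom(16)
    msg_a = xor(lk_rand_a, k_init)               # A -> B   LK_RAND_A masked with Kinit
    msg_b = xor(lk_rand_b, k_init)               # B -> A   LK_RAND_B masked with Kinit
    link_key = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))
    au_rand = os.urandom(16)                     # A -> B   challenge
    sres = e1(link_key, au_rand, addr_b)         # B -> A   response
    transcript = {"addr_a": addr_a, "addr_b": addr_b, "in_rand": in_rand,
                  "msg_a": msg_a, "msg_b": msg_b, "au_rand": au_rand, "sres": sres}
    return link_key, transcript


def crack_pin(transcript: dict, candidates):
    """Offline search: each PIN guess gives a candidate Kinit, which unmasks both
    LK_RANDs, which gives a candidate link key, which is checked against the SRES."""
    t = transcript
    for pin in candidates:
        k_init = e22(pin, t["addr_b"], t["in_rand"])
        lk_rand_a, lk_rand_b = xor(t["msg_a"], k_init), xor(t["msg_b"], k_init)
        link_key = xor(e21(lk_rand_a, t["addr_a"]), e21(lk_rand_b, t["addr_b"]))
        if e1(link_key, t["au_rand"], t["addr_b"]) == t["sres"]:
            return pin, link_key
    return None, None


def four_digit_pins():
    """The whole space of a typical headset PIN: 10,000 candidates."""
    return (f"{i:04d}".encode() for i in range(10000))


def random_passkey() -> bytes:
    """A 128-bit random passkey, the maximum useful length mentioned above."""
    return os.urandom(16)


if __name__ == "__main__":
    link_key, transcript = legacy_pairing(b"4321")          # constructed weak PIN
    print("weak PIN recovered:", crack_pin(transcript, four_digit_pins())[0])
    _, transcript = legacy_pairing(random_passkey())
    print("128-bit passkey, 4-digit search:", crack_pin(transcript, four_digit_pins())[0])
```

With a four-digit PIN the search finishes in well under a second and hands the attacker the link key, so everything encrypted with it afterwards is readable; with a 128-bit random passkey the same transcript gives nothing to enumerate. A single SRES check can produce a false match with probability about 10^4 / 2^32 per search, which is why a real tool checks a second authentication round before trusting the result. Note also that the attack needs the pairing exchange itself, which is precisely what a subversive unit at a point of sale is positioned to capture.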


Remotely Eavesdropping on a Mobile Phone

Posted in Mobile / Cellular / Bluetooth, Privacy by Dragan Pleskonjic @ Dec 5, 2006

Can a mobile / cellular phone be used for remote eavesdropping? Maybe yes, maybe no – who knows.

Read Schneier's interesting post and find out more about this.


SMiShing – What is that?

Posted in Malicious Software, Mobile / Cellular / Bluetooth by Dragan Pleskonjic @ Nov 27, 2006

You are probably overwhelmed by the many new words and acronyms that you hear or read everywhere. Here is one more: SMiShing. The McAfee Avert Labs Blog, in its post (where I saw the word for the first time), considers SMiShing an emerging threat vector. Some cell phone users have started receiving SMS messages that ask them to visit various web sites, or that are fake confirmations of signing up to various online services.

This is phishing by SMS and yet another indicator that cell phones and mobile devices are increasingly targeted by perpetrators of malware, viruses and scams. SMiShing will certainly require more attention in the future.
