Interception of GSM Calls

There is a serious vulnerability in the A5/1 encryption scheme used in GSM networks; it can lead to the interception of GSM calls. This vulnerability was presented by Karsten Nohl and Chris Paget at the 26th Chaos Communication Congress (26C3), the annual four-day conference organized by the Chaos Computer Club (CCC). It took place from December 27th to December 30th 2009 at the bcc Berliner Congress Center in Berlin, Germany.

Quote from the CCC Web site:

The world’s most popular radio system has over 3 billion handsets in 212 countries and not even strong encryption. Perhaps due to cold-war era laws, GSM’s security hasn’t received the scrutiny it deserves given its popularity. This bothered us enough to take a look; the results were surprising.

From the total lack of network to handset authentication, to the “Of course I’ll give you my IMSI” message, to the iPhone that really wanted to talk to us. It all came as a surprise – stunning to see what $1500 of USRP can do. Add a weak cipher trivially breakable after a few months of distributed table generation and you get the most widely deployed privacy threat on the planet.

Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoS’ing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all, too. Prepare to change the way you look at your cell phone, forever.

Slides are here.

Track repository is here. It implements an attack on the A5/1 cipher.

Torrents are here.

Note 1: This is not advocating exploiting weaknesses; it is meant to inform about the fact that GSM calls are already being intercepted and decrypted using commercial tools.

Note 2: The links above were active at the moment of writing this blog post. Some of them may be withdrawn or become inactive for various reasons.


Wireless Intrusion Detection and Prevention Systems

After quite some time of silence regarding my work on Wireless Intrusion Detection and Prevention Systems (WIDS / WIPS), I’m considering continuing that work. In the past I have done research, published a couple of papers on this topic at conferences and in journals, and also created the concept, basic architecture and design of the system and products. This possible “reactivation” of the work is particularly pushed by the recent increased interest of companies, organizations and institutions (commercial, government etc.) that contacted me regarding it, and by the requirements of many production environments.

As you could have read earlier on this blog, that area has been one of my research interests for a long time. Intrusion Detection and Prevention Systems (IDS/IPS), especially those used in wireless and mobile networks, are becoming particularly interesting and important with the increased usage of these types of networks. My research has been particularly oriented towards the use of artificial intelligence, fuzzy logic and neural networks to make these systems better, easier to use and more efficient. At the 19th Annual Computer Security Applications Conference ACSAC (December 8-12, 2003, Las Vegas, Nevada, USA) I talked about a Wireless Intrusion Detection System (WIDS) and proposed a multilevel and multidimensional system with the components: agent, sensor, server, and management and reporting tools. I also talked at some other conferences and published a couple of papers on this topic. There are different approaches to intrusion detection and prevention, but it is very common for commercially available IDS/IPS to suffer from many false alarms (false positives and false negatives) and from performance problems. A separate problem is the so-called “zero-day” attacks that pass the majority of today’s IDS / IPS systems unnoticed.

The Wireless Intrusion Detection and Prevention System, in the architecture that I proposed many years ago, consists of:

• WIDS / WIPS Agent. It is software installed on a mobile computer or device. It detects intrusions and attacks by analyzing traffic and behavior, drawing conclusions and denying them. It protects the computer or computerized device. The Agent works in cooperation with the WIDS / WIPS Sensor and Server if those are available in the network and can be reached. Its position is on a Personal Computer (PC), including Pocket PC (PPC) and similar mobile devices.

• WIDS / WIPS Sensor. It is an appliance which sits in the wireless network environment. It has embedded logic for detecting intrusions and alerting stations and servers about them. It alerts network users and/or administrators too. The Sensor works in cooperation with the WIDS Agent and Server if they are available in the same network. Its position is the area of the wireless computer network.

• WIDS / WIPS Server. It is corporate software which integrates the functions of the previous two components and has additional mechanisms such as collecting, analyzing, drawing conclusions (based on a neural network and fuzzy logic implementation), and giving support to the WIDS Agent and Sensor. It can communicate with CERT centers and similar bodies. It is responsible for cooperation with other security software or devices (antivirus software, firewalls, ...). The Server collects information about WLAN security, events, incidents and performance from the WIDS Sensors deployed throughout a WLAN. The Server delivers the information to the WIDS Console in a format that helps network administrators immediately identify problems. Its position is in the corporate network, or remote for several mutually linked networks.

• WIDS / WIPS Console & Management, Reporting Tools. This is a set of utilities intended to provide monitoring, management, tuning, and preparation of various reports about the activity of WIDS / WIPS components. They are installed on the Server, but can collect and show data from the various components of the WIDS / WIPS system. Single utilities can reside on Agent and Sensor devices and provide remote access and configuration capability too.

This is just a brief description. If you are interested in more details or want to consider contributing to or investing in this development, send me an e-mail.
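As an added illustration of the Sensor and Server roles described above (example code written for this page, not the author's WIDS / WIPS product): the Sensor extracts features from a constructed capture of 802.11 management frames, and the Server grades them with fuzzy membership functions, so a brief deauthentication burst from normal roaming scores low while a sustained flood or a beacon from an unauthorized BSSID raises an alert. The frame fields, the 5/s and 20/s thresholds and the authorized-BSSID list are assumptions.

```python
"""Toy WIDS pipeline (added example, not the author's product code): the Sensor
extracts features from captured 802.11 management frames, the Server grades
them with fuzzy membership functions and decides whether to alert."""
from collections import Counter
from dataclasses import dataclass

@dataclass
class Frame:
    t: float       # capture time in seconds (constructed)
    subtype: str   # management subtype: "beacon", "deauth", ...
    bssid: str
    rssi: int      # received signal strength in dBm

AUTHORIZED_BSSIDS = {"00:11:22:33:44:55"}  # assumed list of the site's own APs

def ramp(x, lo, hi):
    """Fuzzy membership rising linearly from 0 at lo to 1 at hi."""
    return 0.0 if x <= lo else 1.0 if x >= hi else (x - lo) / (hi - lo)

def sensor_features(frames):
    """Sensor role: peak per-second deauth rate and beacons from unknown BSSIDs."""
    deauth_per_sec = Counter(int(f.t) for f in frames if f.subtype == "deauth")
    rogue = {f.bssid for f in frames
             if f.subtype == "beacon" and f.bssid not in AUTHORIZED_BSSIDS}
    return {"peak_deauth": max(deauth_per_sec.values(), default=0),
            "rogue_bssids": sorted(rogue)}

def server_grade(feat):
    """Server role: fuzzy grading instead of one hard threshold.
    A few deauths per second are normal roaming; 20/s is treated as a flood."""
    flood = ramp(feat["peak_deauth"], 5, 20)
    rogue = 1.0 if feat["rogue_bssids"] else 0.0
    confidence = max(flood, rogue)            # fuzzy OR of the two indicators
    return {"deauth_flood": round(flood, 2), "rogue_ap": rogue,
            "alert": confidence >= 0.6}

def sample_capture(deauths_in_second, rogue_beacon=False):
    """Constructed capture: three beacons from our AP, a deauth burst in second 1,
    and optionally a beacon from an AP that is not on the authorized list."""
    frames = [Frame(t, "beacon", "00:11:22:33:44:55", -50) for t in range(3)]
    frames += [Frame(1 + i / deauths_in_second, "deauth", "00:11:22:33:44:55", -60)
               for i in range(deauths_in_second)]
    if rogue_beacon:
        frames.append(Frame(2.0, "beacon", "66:77:88:99:aa:bb", -70))
    return frames

if __name__ == "__main__":
    for n in (3, 12, 30):
        print(n, "deauth/s ->", server_grade(sensor_features(sample_capture(n))))
    print("rogue AP   ->", server_grade(sensor_features(sample_capture(0, True))))
```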


WPA Crack?

Posted in Security Research, Wireless Security by Dragan Pleskonjic @ Nov 7, 2008

Recommended reading on Ars Technica: Battered, but not broken: understanding the WPA crack. It says:

Academic researchers have found an exploitable hole in a popular form of wireless networking encryption. The hole is in a part of 802.11i that forms the basis of WiFi Protected Access (WPA), so it could affect routers worldwide. German graduate student Erik Tews will present a paper at next week’s PacSec in Tokyo coauthored with fellow student and aircrack-ng team member Martin Beck that reveals how remnants of WPA’s predecessor allow them to slip a knife into a crack in the encryption scheme and send bogus data to an unsuspecting WiFi client.

If this proves to be true, many wireless networks might be vulnerable. Let’s wait for the presentation “Gone in 900 Seconds, Some Crypto Issues with WPA” by Erik Tews at PacSec in Tokyo next week and see.


Cell Phone Spying and How to Protect Yourself

Posted in Threats, Vulnerabilities, Attacks, Wireless Security by Dragan Pleskonjic @ May 11, 2008

Do you own a cell phone? Yes, of course. Then read this: Cell Phone Spying: Is Your Life Being Monitored?

It says:

It connects you to the world, but your cell phone could also be giving anyone from your boss to your wife a window into your every move.  The same technology that lets you stay in touch on-the-go can now let others tap into your private world — without you ever even suspecting something is awry.

and

You don’t have to plant a CIA-style bug to conduct surveillance any more.  A service called World Tracker lets you use data from cell phone towers and GPS systems to pinpoint anyone’s exact whereabouts, any time — as long as they’ve got their phone on them.

Also:

Dozens of programs are available that’ll turn any cell phone into a high-tech, long-range listening device.  And the scariest part?  They run virtually undetectable to the average eye.

Take, for example, Flexispy.  The service promises to let you “catch cheating wives or cheating husbands” and even “bug meeting rooms.”  Its tools use a phone’s microphone to let you hear essentially any conversations within earshot.  Once the program is installed, all you have to do is dial a number to tap into the phone’s mic and hear everything going on.  The phone won’t even ring, and its owner will have no idea you are virtually there at his side.

Is that legal?

You won’t find it on the flashy front page, but buried a bit further in the site, the company says you’re fine to use their program only “on a phone that you own, for protecting your children,” or for purposes like “archiving data.”  It’s a bit of a contrast from the bold suggestions of “uncover[ing] employee espionage,” “catch[ing] cheating husbands,” and “bug[ging] meeting rooms” that fill the company’s materials.  After a little more explanation, their answer as to the legality of the service ends with a broad statement: “Please consult a qualified lawyer in your country for the correct answer to this question.”

Let me make it easier for you: Once you get into listening in to private conversations without either party’s consent, you’re treading rough water that could sweep you straight into jail.  Whether it’s an employee or a spouse on the receiving end of your mission, neither federal nor state privacy laws take violations lightly in America.  Getting caught could cost you several years behind bars, among other serious penalties.

And can it be detected?

Finding spyware on your phone isn’t easy.  There are dozens of bug detectors available from surveillance companies, but the only true fix is taking your phone to your provider and having them wipe it out altogether.  That will restore the factory settings and clear out any hidden software that’s running on your phone.

Scary, isn’t it? I would strongly suggest keeping your hands far from this.

But I would also suggest using security software for your cell phone. For example, there is F-Secure Mobile, and I have been using it for some time. Two products can be very helpful: F-Secure Mobile Anti-Virus(TM) and F-Secure Mobile Security(TM). Here are some details:

F-Secure Mobile Anti-Virus(TM)

  • F-Secure Mobile Anti-Virus(TM) is easy to use and does not require excess device resources or unnecessary user interaction.
  • It automatically scans all files in the background, both in the device and on the memory cards.
  • When an infected file is detected it is immediately quarantined to protect all other data in the system.
  • The antivirus database is updated invisibly in the background when a data connection is used for emails, web browsing etc.

F-Secure Mobile Security(TM)

  • F-Secure Mobile Security enables secure mobile computing by combining an integrated antivirus and firewall.
  • Device-resident protection safeguards the mobile device from any type of attack, from intrusion attempts to malware.
  • The solution delivers invisible and automated safety through real-time, on-device protection with easy to use firewall rule sets and automatic over-the-air antivirus updates.
  • F-Secure Mobile Security scans both incoming and outgoing internet/network data packets. It stops malicious, unwanted, harmful, or possibly dangerous packets.
  • F-Secure Mobile Security is designed to be easy to use and delivers protection without need for unnecessary user intervention.

We can expect much more to come soon.


Wireless Flu

Posted in Wireless Security by Dragan Pleskonjic @ Mar 3, 2008

The outbreak of a wireless computer worm that spreads among portable devices like a flu epidemic is a possibility, according to a new mathematical model developed by Imperial College London researcher Christopher Rhodes and BT researcher Maziar Nekovee. Their model considers a group of people carrying Bluetooth-enabled smartphones, each of which has a fixed range for linking to other phones in the crowd. Each member of the crowd moves in a straight line and at a fixed speed, giving a phone that is contaminated by a worm a fixed likelihood of infecting other devices while they are within range. Rhodes and Nekovee’s work demonstrates that a wireless worm could most efficiently proliferate in a crowded environment and also jump between geographically scattered locations, just like a real virus. “Knowledge that person-to-person contact, or rather device-to-device contact, represents a major factor in how a Bluetooth worm spreads is definitely important,” says Symantec Security Response researcher Eric Chien. He adds that the disablement of non-essential Bluetooth communications during an outbreak “reduces the contact occurrences and would be analogous to wearing a surgical mask in areas of potential infection.” Source: ACM TechNews.

This interesting NewScientistTech article is here: Wireless worms will follow influenza’s example.
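As an added example (code written for this page, not the researchers' own model or parameters): a small simulation of the crowd model summarized above, in which phones move in straight lines at fixed speed and an infected phone infects each susceptible phone within range with a fixed probability per step. It lets you compare a crowded venue with a sparse one and see the effect of carriers switching Bluetooth off. The square area with wrap-around motion, the range, speed and probability values are all constructed assumptions.

```python
"""Added simulation of the Bluetooth-worm crowd model (example code written for
this page, not Rhodes and Nekovee's own model or parameters): phones move in
straight lines at fixed speed inside a square, and an infected phone infects
each susceptible phone within radio range with a fixed probability per time
step. A fraction of carriers can keep Bluetooth off (the "surgical mask")."""
import math
import random

def simulate(n_phones, area_side, bt_range, p_infect, steps,
             speed=1.0, bt_off_fraction=0.0, seed=1):
    """Return how many phones are infected after `steps` time steps.
    Positions, headings and contact outcomes all come from a seeded RNG."""
    rng = random.Random(seed)
    pos = [(rng.uniform(0, area_side), rng.uniform(0, area_side))
           for _ in range(n_phones)]
    heading = [rng.uniform(0, 2 * math.pi) for _ in range(n_phones)]
    infected = [False] * n_phones
    infected[0] = True                       # patient zero
    # the last k carriers keep Bluetooth off, so they never catch the worm
    k = int(n_phones * bt_off_fraction)
    bt_on = [i < n_phones - k for i in range(n_phones)]
    for _ in range(steps):
        newly = set()
        for i in range(n_phones):
            if not infected[i]:
                continue
            for j in range(n_phones):
                if infected[j] or not bt_on[j] or j in newly:
                    continue
                if math.dist(pos[i], pos[j]) <= bt_range and rng.random() < p_infect:
                    newly.add(j)
        for j in newly:
            infected[j] = True
        # straight-line motion at fixed speed; positions wrap at the edges
        pos = [((x + speed * math.cos(a)) % area_side,
                (y + speed * math.sin(a)) % area_side)
               for (x, y), a in zip(pos, heading)]
    return sum(infected)

def crowd_comparison(seed=1):
    """Same 60 phones and 10 m range in a 30 m square (crowded) versus a
    200 m square (sparse), 100 steps each; returns (crowded, sparse) counts."""
    crowded = simulate(60, 30, 10, 0.2, 100, seed=seed)
    sparse = simulate(60, 200, 10, 0.2, 100, seed=seed)
    return crowded, sparse
```

Calling `crowd_comparison()` shows the density effect for one seed, and `simulate(..., bt_off_fraction=0.5)` caps the outbreak at the carriers that left Bluetooth on.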


Wireless Hacking Tournament

Posted in Wireless Security by Dragan Pleskonjic @ Sep 23, 2007

Hacking challenge Bangkok 2007: AirRaid2 – Wireless Hacking Tournament.

From tournament description:

Wireless networks using 802.11 and Bluetooth have become common deployments in today’s corporate environments.

To underscore the importance of securing these wireless networking technologies, ThinkSECURE is following up our original and hugely successful AIRRAID wireless hacking tournament (held in 2005 in Singapore), with the new and bigger AIRRAID2!


Cracking WEP

Posted in Wireless Security by Dragan Pleskonjic @ May 18, 2007

WEP is dead and here’s the proof, an explanation of how the attack on the 802.11 wireless security protocol works: Gone in 120 seconds: cracking Wi-Fi security | The Register.


Silica – A Wireless Hacking Tool

Posted in Wireless Security by Dragan Pleskonjic @ Feb 10, 2007

Ryan Naraine writes on his ZDNet blog about Wi-Fi hacking with a handheld PDA.

The palm-sized PDA tucked away in Justine Aitel’s pocketbook just might be the most scary device on display at this year’s RSA security conference.
Aitel is roaming the hallways here with Silica, a portable hacking device that can search for and join 802.11 (Wi-Fi) access points, scan other connections for open ports, and automatically launch code execution exploits from a built-in exploit platform.

Read more here.


Why You Should Protect Your Wireless Network With WPA?

Posted in Wireless Security by Dragan Pleskonjic @ Feb 5, 2007

Interesting video at YouTube (here).


New Wireless Driver Exploits

Posted in Wireless Security by Dragan Pleskonjic @ Nov 15, 2006

In a recent post on this blog, I wrote about critical bugs in wireless drivers. Here is what Joshua Wright has to say in the wifisec group at securityfocus.com:

This is only the beginning of what will likely be a rash of vulnerabilities in drivers that allows an attacker to remotely compromise systems, regardless of the authentication or encryption mechanism used.

This article is about a Broadcom vulnerability (https://www.wirelessve.org/entries/show/WVE-2006-0071), and the WVE has recorded several others as well.

- -Josh

Interesting development of the situation. We certainly should keep following this topic.
