Wednesday, December 30, 2009

Security Smorgasbord, vol 1 no 10

The year is ending not with a security bang, but with a security whimper.

There have been no security updates of note to point out for a week, so other than the usual perimeter security, you can stand down for the end-of-year festivities.

About the only thing worth pointing out is that it looks like GSM security has been broken. GSM is cell phone stuff, and is essentially used in any modern mobile phone. When it was introduced 20 years ago, its security was highly touted. Now it looks like a combination of inherent weaknesses in the algorithms and Moore's Law has caught up:

At a hacker conference in Berlin that runs through Wednesday, the cryptographers said they've cracked the algorithm that determines the random channel hopping and have devised a practical means to capture entire calls using equipment that costs about $4,000. At the heart of the crack is open-source software for computer-controlled radios that makes the frequency changes at precisely the same time, and in the same order, that the cellphone and base station do.

"We now know this is possible," said Karsten Nohl, a 28-year-old cryptographer and one of the members of an open-source project out to prove that GSM, the technical standard used by about 80 percent of the mobile market, can't be counted on to keep calls private. The attack "is practical, and there are real vulnerabilities that people are exploiting."

This means that you should realize that your cell phone is essentially a fancy two-way radio. If someone really wants to listen in, they can. Most readers already know this, probably.

20 years ago, Oracle's Larry Ellison caught quite a lot of flak for his comment "You got no privacy; get over it." Time is showing him to be more right than not.

Not much of a smorgasbord. But remember that when it comes to security, no news is good news.


BobG said...

"If someone really wants to listen in, they can."

Hell, the way most of the cell phone users yell on the phone all the time, you end up listening in whether you want to or not.

wolfwalker said...

A 20-year-old algorithm, and it's only being cracked now? Wow, musta been a damned good one.

Hey, wait a minute. If it was previously impossible to break GSM, then where did that news story come from a few years ago about the Congressman's cellphone call that was recorded and then leaked to the news media?

Eseell said...

Wolfwalker, GSM is actually relatively uncommon in the US; many cell carriers in the USA use CDMA instead.

Regardless, I've always assumed that anything transmitted over the air is insecure. I wish more people would get into that mindset.

Anonymous said...

Borepatch said: "No news is good news"

which leads me to wonder: is it "in the absence of news, we assume things are good" or "the news is universally bad"?