Franklin Heath Ltd

Master Your Information Assets

Apps for the Paranoid Needed?

Posted by Craig H on 4 January 2010

I can’t let Karsten Nohl’s presentation at 26C3 go without comment. To be clear, he was only talking about weaknesses that were already known (so headlines like “Secret mobile phone codes cracked” are at best misleading) but his purpose was to demonstrate that those theoretically known attacks are now practical. His point is a very valid one, and holds for most (all?) cryptographic algorithms: researchers will discover more efficient attack techniques, and technology will evolve to make such attacks practical, so you’d better design your cryptographic protocols so you can switch to different algorithms if and when the future need arises.* Happily this is the case for the GSM protocols, and all (!) that is needed is for the phone manufacturers and network operators to deploy the A5/3 algorithm and we can all go about our business.

That said, there is an interesting point made, almost in passing, in the presentation. Your phone knows what encryption algorithm is being used between it and the base station: for example, my Sony Ericsson P1i shows a little warning triangle icon if the base station switches it to A5/0 (that is, no encryption) although I don’t think my Nokia E71 does. Karsten also notes “IMSI catching is detectable from [the] phone, but no detect apps exist” (we have mentioned IMSI catching in this blog before).

So, the main point of the presentation is the assertion that well-funded attackers (security agencies, organised crime) are already using attacks to break GSM encryption, and his aim in making attacks practical for hobbyists is to push the phone manufacturers and network operators to improve security for everyone. I think that’s a heavy-handed approach, to say the least, but it’s done now. I am though left wondering who is being targeted today by GSM eavesdroppers. I’ve posted an idea on the Symbian Ideas site that there should be an app available to tell the phone user (in so far as that is possible) when their communications security is being compromised. Please join in there if you think that’s interesting!

* Renewability of hash algorithms is also an active topic in the Symbian Security Forum.

3 Responses to “Apps for the Paranoid Needed?”

  1. mirmit said

    Hi,

    When there is no encryption on Nokia devices, an open lock is shown on the call status icon. You can experiment with this quite easily in China.

    • Craig H said

      Interesting! I think the UIQ warning icon is shown even when there isn’t an active call, but as I’m in the UK I doubt I have the opportunity to easily test it. As the phone is by my ear when I’m on a voice call, I doubt I would notice a different call status icon anyway.

  2. At PrivateWave http://www.privatewave.com we provide Nokia Voice encryption software (VoIP and GSM CSD) that lets users make encrypted and undecipherable phone calls.

    It encrypts voice content and signaling information (who calls whom) with two IETF standard protocols: SIP/TLS and ZRTP.

    ZRTP for mobile phones provides end users a guarantee against wiretapping and is available for Nokia, iPhone and Blackberry, and works over WiFi and mobile networks (3G, EDGE, GPRS).

    Fabio Pietrosanti
