Hordes of new threats ahead for mobile networks

Faked femtocells will eff up your ess

Malware on smartphones is just the first in a series of new security threats for mobile networks ushered in by the embrace of internet technologies, according to mobile phone encryption firms.

Dr Bjoern Rupp, chief exec of GSMK CryptoPhone, warns that criminal gangs are able to steal private information and undermine fair business trading thanks to advances in technology that have made attacks possible on low-cost kit. Years ago such attacks were only possible for intelligence agencies, but have now become feasible as a means of industrial espionage.

Attack scenarios fall into three categories: active (setting up fake mobile network nodes in a technique akin to the better understood tactic of setting up rogue Wi-Fi hotspots), passive (eavesdropping) and malware-based attacks on smartphones.

Rogue femtocell ruse

The first and most ambitious line of attack involves spoofing femtocells to feign that you are the user's mobile network provider, while in fact you are taking over his network traffic. This can be accomplished using cheap hardware and some free open-source software.

"In the old-world of mobile telecoms you would need $50,000 to buy measurement equipment from the likes of Rohde & Schwarz for such an attack," Rupp told El Reg. "Now your commercial IPX software allows you to run a base station on Linux and simulate a GSM cell."

A spoofed femtocell is one approach to running man-in-the-middle attacks on mobile networks but suffers from practical obstacles. Most femtocells are 3G, and the 3G standard requires mutual authentication (so the network must authenticate itself to the handset and vice versa), so it's much harder to pretend to be a node on that network. GSM (2G) networks authenticate in one direction only, with the SIM proving its identity to the network.
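The difference between one-way and mutual authentication can be modelled in a few lines. This is an added illustration, not part of the original article: the class and function names are hypothetical, HMAC-SHA256 stands in for the real SIM algorithms (A3/A8, MILENAGE), and the 3G network token is reduced to a single MAC over the challenge, with the sequence number left out.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in keyed function (HMAC-SHA256), not a real SIM algorithm."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:8]

class Sim:
    """Handset side: holds the secret Ki shared with the home network."""
    def __init__(self, ki: bytes):
        self.ki = ki

    def gsm_respond(self, rand: bytes) -> bytes:
        # GSM: the SIM answers any challenge; nothing proves who sent RAND.
        return prf(self.ki, b"sres", rand)

    def umts_respond(self, rand: bytes, autn: bytes):
        # 3G: check the network's MAC over RAND before answering.
        expected = prf(self.ki, b"mac", rand)
        if not hmac.compare_digest(autn, expected):
            return None  # network failed to authenticate itself
        return prf(self.ki, b"res", rand)

class BaseStation:
    """Network side; ki=None models a node that does not know the SIM's key."""
    def __init__(self, ki=None):
        self.ki = ki

    def challenge(self):
        rand = os.urandom(16)
        key = self.ki if self.ki is not None else os.urandom(16)
        return rand, prf(key, b"mac", rand)  # (RAND, simplified AUTN)

def handset_attaches(sim: Sim, station: BaseStation, generation: str) -> bool:
    """True when the handset sees no reason to refuse the cell."""
    rand, autn = station.challenge()
    if generation == "2G":
        return sim.gsm_respond(rand) is not None  # AUTN does not exist in GSM
    return sim.umts_respond(rand, autn) is not None

def attach_matrix() -> dict:
    ki = bytes(range(16))  # constructed sample key
    sim = Sim(ki)
    nodes = {"genuine": BaseStation(ki), "rogue": BaseStation()}
    return {(name, gen): handset_attaches(sim, node, gen)
            for name, node in nodes.items() for gen in ("2G", "3G")}

if __name__ == "__main__":
    for case, accepted in attach_matrix().items():
        print(case, "accepted" if accepted else "rejected")
```

Only the 3G handset rejects the node that lacks the subscriber key; in the 2G case the handset has no check it could apply.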

Rupp said hackers could force smartphones connected to a rogue femtocell to fall back and use GSM. "A determined adversary could push targeted devices into GSM mode," he explained. He added that this type of attack was more potent than much-publicised Evil Twin-style rogue Wi-Fi hot spot attacks.

"In the Wi-Fi area users generally make an active decision to connect to a network. With the rogue base station attack, users will not realise they have entered a trap. The phone will simply think it has entered a new cell with a strong signal, and will begin talking to a rogue base station automatically."

Spy on the wire

The second line of attack involves passively intercepting and decrypting mobile network traffic, by exploiting the latest cryptographic advances in breaking GSM's built-in encryption algorithms.

A codebook that allows A5/1 GSM encryption – which is used in 80 per cent of mobile phones – to be cracked was published online back in December. The attack was demonstrated by German computer scientist Karsten Nohl at the Chaos Communication Congress (CCC) in Berlin. This advance reduces the cost of cell phone eavesdropping below $10,000, according to Cellcrypt, another voice encryption specialist.

A month later a practical method for cracking A5/3 encryption used in 3G mobile phone calls was published by leading cryptographer Adi Shamir (the ‘S’ in RSA).

Performing such eavesdropping attacks would involve running GNU Radio on a printed circuit board, among other equipment. "Such an attack would require knowledge but might cost only a few hundred dollars, and so poses no great barrier," Rupp explained. "You could tune into GSM signals and decrypt calls, as shown in the CCC demo."

Mobile malware enters the fray

A third line of attack involves remote takeover of mobile devices by using tricks such as BlackBerry Service Book updates, Trojans and SIM Toolkit attacks.

Security vendors have warned about the threat of mobile malware for at least ten years, but it's only since the uptake of internet-enabled smartphones such as the iPhone that next year's threat has finally materialised. The ikee Rickrolling worm and much more dangerous Duh mobile worm exploited default passwords on jailbroken iPhones to spread for the purposes of mischief and phishing Dutch banking credentials, respectively. These threats ramp up the exploit potential from earlier threats which largely involved Trojan applications on Symbian devices and the like.

Research published this week from computer scientists at Rutgers University demonstrates how rootkits on smartphones and (possibly) upcoming tablets such as the iPad might be used to turn devices into "remotely-activated bugging or tracking systems", as explained in our earlier article here.

The attacks were demonstrated on a smartphone called the OpenMoko running Linux but might potentially be applied to smartphones running Android, iPhones and BlackBerries.

"Smartphones have arrived at the internet age. There is sensitive data on these devices but the level of perception of the threat has not developed," Rupp concluded.

Both GSMK and Cellcrypt sell voice encryption products that combat such attacks and therefore have a vested interest in talking up the threat involved. Instances of practical exploits of the scenarios outlined by GSMK are hard to come by, but then again those engaged in corporate espionage, much less state-sponsored spying, tend not to publicise their activities.

Cellcrypt has published a handy top tips guide which corporate telecoms managers, operators and equipment manufacturers would do well to review. ®
