Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


August 10, 2011

GPRS Hacked

Just announced:

Nohl's group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren't encrypted at all. When they were encrypted, Nohl adds, the ciphers were often weak and could be either broken or decoded with relatively short keys that were easy to guess.

The group generated an optimized set of codes that an attacker could quickly use to find the key protecting a given communication. The attack the researchers designed against GPRS costs about 10 euros for radio equipment, Nohl says.

More articles.

Posted on August 10, 2011 at 4:11 PM • 10 Comments


Comments

ShadowHatesYou • August 10, 2011 5:40 PM

GPRS isn't the only standard to fall; it's been reported that CDMA and 4G were also compromised at Defcon this year.

http://www.gossamer-threads.com/lists/fulldisc/...

The largest threat to these protocols seems to be the ease of compromising pico/femtocells and making them do your bidding: http://wiki.thc.org/vodafone

Clearly things need to be more robust. A compromised base station should not be able to do this.


Thomas • August 10, 2011 8:54 PM

@ShadowHatesYou
"Clearly things need to be more robust. A compromised base station should not be able to do this."

The main threat the people paying for the base-stations are worried about is phone-calls being made without a matching billing entry.

I'm sure that threat is catered for.


jkm • August 11, 2011 5:28 AM

I seriously doubt that '4G' was hacked (whatever 4G means; LTE, WiMAX, WCDMA HSPA?).


wiredog • August 11, 2011 5:51 AM

Anyone who accepts an OTA system update when at DEFCON deserves everything they get...


jggimi • August 11, 2011 6:09 AM

@jkm, according to a post further down the linked thread, it was WiMAX on Sprint/Clearwire.


Natanael L • August 11, 2011 7:05 AM

So, maybe I should set up a proxy at home for my smartphone. Is the Android proxy security "good enough"?


Gabriel • August 11, 2011 8:57 AM

@wiredog: how about "civilians" near or at the hotel who aren't part of defcon who take an OTA update? Do they deserve it too?


Jon • August 11, 2011 3:41 PM

Of course, there have been several examples of 'pushed' over the air upgrades. The user doesn't get a choice about whether to accept it or not.

And, of course, if the officially designated people can push an "upgrade", so can everyone else.

J.


Richard Steven Hack • August 11, 2011 10:37 PM

I think the term "smartphone" needs to be rescinded, and the term "stupid phone" (re-)implemented.

I'm glad I don't have the money yet to buy a "smart (stupid) phone". And that the stupid Nokia 6030 phone I use (it's smart enough to randomly shut itself off periodically!) doesn't get used much except to take client calls. No texting, no SMS, no nada. It can do that crap, but I don't.

Besides the security flaws, every time Jeri Ryan has to update her phone, she tweets how it didn't work unless she does it five times...

Obviously these are real quality products being sold...

Nonetheless, nice to know my meme applies equally well to everyone's phone as it does to their computer. :-)


Roger • August 14, 2011 4:46 AM

Interesting work, but ... GPRS is supposed to have security features!?

Only GPRS app I have been involved in, everyone just assumed it was totally hackable. The application provided its own session security and assumed the link might not be available. (Low priority messages that did not receive a signed acknowledgement would be re-sent later; high priority messages that didn't get an ACK resulted in a dial-up connection.)

Hmm, reading further, it seems we were right. Security features in GPRS are optional, and it isn't easy for the app to find out if they are enabled. So you have to assume the transport layer is insecure.
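
The approach in the comment above (signed acknowledgements, re-send for low priority, a second path for high priority), as an added example that is not part of the original comment or the application it mentions. It assumes HMAC-SHA256 with a pre-shared key stands in for the unspecified "signed" acknowledgement; the key, class, function names and link behaviours are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key-not-for-use"  # assumed pre-shared key (constructed)

def make_ack(key, msg_id, payload):
    """Receiver side: MAC over message id and payload digest, so an ACK
    cannot be replayed for a different message."""
    body = b"ACK" + len(msg_id).to_bytes(2, "big") + msg_id + hashlib.sha256(payload).digest()
    return hmac.new(key, body, hashlib.sha256).digest()

def ack_is_valid(key, msg_id, payload, ack):
    """Sender side: constant-time check; a missing ACK is invalid."""
    return ack is not None and hmac.compare_digest(ack, make_ack(key, msg_id, payload))

class Sender:
    def __init__(self, key, gprs_link, dialup_link):
        self.key, self.gprs, self.dialup = key, gprs_link, dialup_link
        self.retry_queue = []  # low-priority messages to re-send later

    def send(self, msg_id, payload, high_priority=False):
        if ack_is_valid(self.key, msg_id, payload, self.gprs(msg_id, payload)):
            return "acked"
        if not high_priority:
            self.retry_queue.append((msg_id, payload))
            return "queued"
        # High priority: fall back to the dial-up path, same ACK check.
        if ack_is_valid(self.key, msg_id, payload, self.dialup(msg_id, payload)):
            return "acked-via-dialup"
        return "failed"

# Constructed link behaviours: each returns whatever ACK bytes come back.
def honest_link(msg_id, payload):
    return make_ack(KEY, msg_id, payload)

def dropping_link(msg_id, payload):
    return None  # link unavailable, no ACK comes back

def forging_link(msg_id, payload):
    return make_ack(b"not-the-shared-key", msg_id, payload)  # MAC under wrong key

def replaying_link(msg_id, payload):
    return make_ack(KEY, b"old-id", b"old payload")  # genuine ACK, other message

def demo():
    out = []
    for link in (honest_link, dropping_link, forging_link, replaying_link):
        s = Sender(KEY, link, honest_link)
        out.append((s.send(b"m1", b"meter=42"), s.send(b"m2", b"ALARM", True), len(s.retry_queue)))
    return out
```

The sender treats a lost, forged and replayed acknowledgement identically: none of them counts as delivery, so the transport is never trusted to report its own success.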

