Schneier on Security
A blog covering security and security technology.
November 6, 2008
The Ill Effects of Banning Security Research
The Indian police are having trouble with SIM card cloning:
Police had no idea that one SIM card could be used simultaneously from two handsets before the detention of Nazir Ahmed for interrogation. Nazir was picked up from Morigaon after an SMS from his mobile number in the name of ISF-IM claimed responsibility for Thursday's blasts in Assam.
Nazir had a Reliance connection and an Eve handset. Each handset of this particular model has a unique International Mobile Equipment Identity (IMEI) number. Cops found that two IMEI numbers were using the same SIM. Accordingly there were two record sheets of calls and SMSes from Nazir's mobile number. The record of the SMS to the media was found in only one sheet, which forced police to believe that Nazir's SIM might have been cloned and someone else was using the duplicate card, with or without the owner's knowledge.
"We stumbled upon this technological surprise that Nazir Ahmed's SIM card was used in two handsets," Assam IG (Law and Order) Bhaskarjyoti Mahanta said.
So far, not that interesting. There are lots of vulnerabilities in technological systems, and it's generally a race between the good guys and the bad guys to see who finds them first. It's the last sentence of this article that's significant:
The experts said no one has actually done any research on SIM card cloning because the activity is illegal in the country.
If the good guys can't even participate, the bad guys will always win.
Posted on November 6, 2008 at 6:26 AM
"The experts said no one has actually done any research..."
Apparently, someone did do the research.
When thinking becomes a crime, only criminals can think.
A friend and former neighbor was a Postal Inspector... and told us that half of his job was to think of ways to "break" systems so they could harden them. "If you can't think like a criminal, you can do this job."
Granted, he told cutesy stories about some ironies he ran across.
Laws only restrict those who feel accountable to the Law, just like locks only keep the honest out of your property.
Though, all in all, who watches the watchers?
"If you can't think like a criminal, you can't do this job."
The best detectives, I have been told, can think like the people they are being paid to catch despite what you see on television, so, think, detectives successfully working homicide cases...
When I worked at IBM, 10 years ago, I saw a GREAT job title for what later became called "Ethical Hackers" (which should have been "Ethical Crackers")...
Imagine, while Bill Clinton was still in office, having the job title of "Penetration Analyst"...
One of the nice things about security research currently is you are allowed to do oddball things, and no technology is (or should be) off limits to your investigations.
In most other research paths you have to tread the paths of those before you and only allow your foot to stray a little from the "chosen path". Such is the wisdom of the community.
Which is why this "Indian story" is so surprising to people who read this blog.
However I suspect "the writing is on the wall" with the likes of the Boston Transportation agency and those responsible for MiFare etc. resorting to the courts to suppress "unfavourable research". And with the recent governments in the US/UK setting the agenda in the "name of keeping us safe" it is almost expected that limits will be placed at any time...
The question is how long do you suppose it will be before "security researchers" are required to be registered and "Government Approved" like researchers into say opiates or similar?
I remember asking a similar question a year or so ago when the UK proposed legislation to make possetion of software "security tools" illegal. so far we have been sort of lucky...
Interesting that the police would actually figure this out just because the guy they were sweating denied all knowledge of the call.
One would expect the guy either had connections to the power structure or was clueless through some very rough time.
Police in India have a reputation. Some were caught for injecting ink into eyeballs, but the victims were people with no connections to anyone who would care about them.
@ John Campbell,
It appears to be an "Opps day" today...
"to make possetion of software"
All jokes to /dev/null please.
Who says the SIM card was cloned? All you have to do is move it to another phone, make the calls you want to deny, and then move it back.
Or even "oops" day. I seem to see the typo "opps" a lot though.
Someone needs to hammer some sense into these people. This is like saying "nobody realized that you could get into a locked house without a key, because picking locks or breaking someone's windows is a crime."
Another good example of the futility of "security thru obscurity". Or to rehash another metaphor, think of the parent who upon overhearing their teenage kids talking about the great sex they are having, place their hands over their ears and chant to themselves the mantra "I'm not hearing this. I'm not hearing this..." - as if ignoring a problem will somehow magically make it go away. What maroons!
So, out of curiosity, what kind of a setup does it take to write privileged data to a SIM card -- overwrite the IMEI, etc.? Is it DIY-able with commodity hardware, or do you have to get a contraband machine from a phone operator? What does such a setup cost?
See, this is what we're up against. Some people think that banning things will make it go away. Well, handguns are de facto illegal here in the People's Republic of New York City but the drug dealers don't seem to have any problems getting guns. Or, you know, drugs.
@ Carlo Grazinai:
In 1998 our team cloned SIM cards using equipment costing well under $100.
As for the Indian police being unaware that SIMs can be cloned and multiple phones with the same IMSI can roam on the same network, perhaps the police officers didn't watch CNN 10 years ago when this discovery was announced.
obligatory "Spaceballs" reference:
Evil will always triumph because "good" is dumb.
"The experts said no one has actually done any research on SIM card cloning because the activity is illegal in the country."
I call BS on this.
SIM cloning has been a big part of research in mobile security since GSM started. Even if they claim that no one domestically has done research, it has been done elsewhere in the world and discussed widely. I mean even the iPhone is known to have been hacked by sending a different IMSI with the Identity Key (Ki)...
Sure new SIM are said to be harder to crack, but do we really believe a SIM is unbreakable just because a vendor says so? The India Times article seems to be allowing the police little more than a really, really weak excuse.
This is a questionable story at best.
Reliance in India uses CDMA and there are no SIM cards in that technology.
I don't know what Eve uses.
The last comment about research being illegal is also kind of dumb -- doesn't mean that someone will be doing research if it wasn't illegal -- you need another ingredient -- brain, which seems to be missing.
Story is questionable -- Reliance uses CDMA, no SIM's involved. I don't know what Eve uses.
Being an Indian, let me clarify a few myths.
1) Reliance does provide GSM services in many areas, Assam being one of them.
2) as mentioned by Stephen, just changing the phone with the same SIM won't give you same IMEI number.
3) As it happens across the world, whether it is the US or India or Japan, newspapers publish whatever they wish. The only clause they add is "on condition of anonymity". The IITs (Indian Institutes of Technology) are the highest learning institutes in India and have the best of professors from around the world. Everyone in the world knows about the IITs. So, please don't consider the comment.
4) The story has been wrongly worded as usual. Research is not illegal in India. As in every other country, its misuse is illegal.
5) Being just a bit patriotic, India is not behind rest of the world. Latest achievement being the third country in the world to complete its mission to moon.
In a nutshell, I request Bruce not to downgrade India's intellectual level in the area of security just by reading a newspaper report or a statement of a cop.
Cops, Newspapers, media is similar in every damn country.
Amit Goel: I had no idea about India's moon mission. Thanks!
It will never cease to amaze me, how ignorant lawmakers can truly be. I suppose I shouldn't be surprised, but I am.
I believe you misunderstand.
I read the posters here as insulting Indian cops, not Indian academics.
There are smart cops everywhere, and there are dumb cops everywhere.
It appears that the latter variety were on the case here...
"The experts said no one has actually done any research on SIM card cloning because the activity is illegal in the country."
... that's an ambiguous statement. Is this saying that the act of performing research into cloning is illegal, or that the act of cloning is illegal? There's a whole world of difference you know.
@ Kerry Thompson
Cloned SIM cards are typically allowed for the purpose of legal inspections/investigations. So the act of cloning without authorization is the bit intended to be illegal; the police are most likely allowed an exception to clone SIM cards for their own investigations as well as research.
@ John Campbell
'Imagine, while Bill Clinton was still in office, having the job title of "Penetration Analyst"...'
I heard the job went to a Cuban.
The difficulty of SIM card cloning depends on the starting conditions. A) if you have an original, ready to program, operator card and the correct data then you just have to buy a machine from the internet and type some numbers B) if you have physical access to the card, you just need (at most) electron microscopes, semiconductor etching kits; some semiconductor security experts and a small research team. C) if you try to do it over the air, it should be "impossible" for any competent operator - remember the authentication algorithm is fully replaceable per SIM card; not even per operator. There's no justification for it giving away Ki.
So, basically, the question is really how easy is it to get into situation A. In other words, how good are the operator's security people; or how long is a piece of string. There are pretty serious possibilities for protecting this data, but that doesn't mean many use them properly.
The next issue is that, if someone uses it, it's quite trivial to quickly detect a cloned SIM card. So if the operator is any good he should hunt you down like the dog you are :-) That means that you definitely want cloning to be cheap for it to be profitable.
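The article above describes the operator's records for one subscriber splitting into "two record sheets", one per IMEI, and the comment above notes that a cloned SIM in active use is "quite trivial to quickly detect". The following script is an added example, not code from the blog post or its commenters, showing the detection logic an operator or investigator would run over such records: it groups events per (subscriber, IMEI) sheet and flags a subscriber whose events interleave between two different handsets within a short window, which a single person physically moving one SIM cannot produce. The record format, field names, window size and sample data are all constructed for this example.

```python
"""Flag subscriber identities that appear on two handsets at the same time.

Added example (not from the blog post or its comments). Record format,
field names and the sample data below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp,subscriber,imei,event".
# A legitimate SIM swap looks like IMEI C ... then IMEI D (hours apart);
# a clone in use looks like IMEI A and IMEI B interleaving within minutes.
SAMPLE_RECORDS = """\
2008-10-30 09:00:00,SUB-001,IMEI-A,CALL
2008-10-30 09:05:00,SUB-001,IMEI-A,SMS
2008-10-30 09:06:30,SUB-001,IMEI-B,SMS
2008-10-30 09:07:00,SUB-001,IMEI-A,CALL
2008-10-30 12:00:00,SUB-002,IMEI-C,CALL
2008-10-30 18:00:00,SUB-002,IMEI-D,CALL
2008-10-30 18:30:00,SUB-002,IMEI-D,SMS
2008-10-30 10:00:00,SUB-003,IMEI-E,CALL
"""


def parse_records(text):
    """Parse CSV lines into (timestamp, subscriber, imei, event) tuples."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sub, imei, event = line.split(",")
        out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sub, imei, event))
    return out


def split_by_handset(records):
    """One 'record sheet' per (subscriber, IMEI), as the article describes."""
    sheets = defaultdict(list)
    for ts, sub, imei, event in records:
        sheets[(sub, imei)].append((ts, event))
    return dict(sheets)


def find_concurrent_handsets(records, window=timedelta(minutes=10)):
    """Return {subscriber: [(t1, imei1, t2, imei2), ...]} for every pair of
    time-adjacent events on different IMEIs closer together than `window`.

    A sequential change of IMEI (the owner moved the SIM to another phone)
    produces at most one such pair, and only if the swap was very fast;
    a clone in concurrent use produces repeated interleaving.
    """
    by_sub = defaultdict(list)
    for ts, sub, imei, _ in records:
        by_sub[sub].append((ts, imei))
    alerts = {}
    for sub, events in by_sub.items():
        events.sort()
        hits = [
            (t1, i1, t2, i2)
            for (t1, i1), (t2, i2) in zip(events, events[1:])
            if i1 != i2 and t2 - t1 < window
        ]
        if hits:
            alerts[sub] = hits
    return alerts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for (sub, imei), sheet in sorted(split_by_handset(recs).items()):
        print(f"{sub} on {imei}: {len(sheet)} records")
    for sub, hits in find_concurrent_handsets(recs).items():
        for t1, i1, t2, i2 in hits:
            print(f"ALERT {sub}: {i1} at {t1:%H:%M:%S} then {i2} at {t2:%H:%M:%S}")
```

On the constructed data only SUB-001 is flagged (twice, as the two handsets alternate), while SUB-002's handset change six hours apart is treated as an ordinary SIM swap. In a real deployment the window would be tuned against observed swap behaviour, and cell location per event would be a second, stronger signal that the page's story does not mention.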
Sorry guys, but the story to me is not about India or SIM cards. It's about doing criminally-linked activities [in a closed environment] to study them.
Whenever I read about ethical hackers or think of some of the ones I've met, a quote from Nietzsche always comes to mind:
Be careful when you fight the monsters, lest you become one.
This is just ridiculous. Every single kid in the street in India knows that SIM card cloning is possible. A lot of guys are doing just that for various reasons.
It is a shame that the Police department did not know this.
That's a disgustingly sad comment: "no one has actually done any research on SIM card cloning because the activity is illegal in the country."
Just because the research has not been done in that country should not mean research from abroad should not be introduced. I'd like to see any country try to waltz around this scenario:
Prosecution: "Irrelevant your honor - the research was from some other country - how can we trust their experts"
Defense: "Your honor, I'd like to bring in my laptop and introduce you to the Internet - it too was based on research from "elsewhere"..."
It's not like any defense can't find information on cloning, dual SIM's etc.
sil at infiltrated dot net
This goes for you. I have utmost respect for you. You are one of those very few individuals who understand security to the core, maybe one of the best. But then, just because you published a newspaper report as it is, it might lead to people misinterpreting Indian intellect or Indian people. This is much more visible in the above comments.
For everyone's information, no country blocks any kind of research; the only blockade is the use of research stuff if it leads to illegal uses.
Everyone knows in this world that media is just looking for stories which can be published to make more money. IITs are comparable to Stanford and MIT, and professors at IITs are among the best in the world.
So, guys, apply some brains..
We get it. I think it was established after your original post this was NOT an attack against Indian academics, or even Indian police. Every country has both competent and incompetent individuals in all fields. If you deny this, you aren't realistically applying your own cranial matter...
The link to discussion report I wrote in 2002. It was amended before releasing it into the wild at my webblog:
Research is always ongoing in the hacking community and forums eg:
If cloning is taking place then this has everything to do with poor security policy and implementing non-robust security mechanisms.
Most operators (but not all) supplying SIMs/USIMs take a great deal of time to implement electronic countermeasures and dead-man's traps (over 15 trap doors).
"no country blocks any kind of research, the only blockade is the use of research stuff if it leads to illegal uses."
- - - oh, where to begin - - -?
the therapeutic advantages of inhalation over ingestion for chemotherapy patients?
age/gender differences in drug dosage for disease?
immunosuppressive effects of street drugs?
accuracy tests for geo-archeo-lithic dating?
improved making of yellow glaze from pitchblende?
variola major culturing?
practical perceptual manipulation by media environments?
LD-50 atmospheric decompression leading to death as tested on prisoners?
peak experience as PTSD anchoring of Spetsnaz lethality training?
double blind study of treatment vs non-treatment of neurosyphilis on black people?
torture to condition behavior or to extract valid information?
HIV vaccine that is "ineffective against the principal agent but will be tested to see if it raises the hope of the seriously infected regions" in the third world?
weaponization of a hybrid smallpox-ebola-polio virus?
allowing in utero gender selection as a means of population control?
dealing with cross national gender imbalances afterwards?
not only is research of certain types prohibited, but some types of research should be - but who decides?
the threatened department chair or the civil code to ensure protection of (innocent/ignorant) humans?
"I just wanted informed consent, and you've given it. I didn't say I wouldn't do it..." - The Hulk
He who fights with monsters should look to it that he himself does not become a monster, and if you stare long into an abyss, the abyss also stares into you.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.