GPRS Hacked

Just announced:

Nohl's group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren't encrypted at all. When they were encrypted, Nohl adds, the ciphers were often weak and could be either broken or decoded with relatively short keys that were easy to guess.

The group generated an optimized set of codes that an attacker could quickly use to find the key protecting a given communication. The attack the researchers designed against GPRS costs about 10 euros for radio equipment, Nohl says.

More articles.

Posted on August 10, 2011 at 4:11 PM • 10 Comments

Comments

ThomasAugust 10, 2011 8:54 PM

@ShadowHatesYou
"Clearly things need to be more robust. A compromised base station should not be able to do this."

The main threat for the people paying for the base-stations are worried about is phone-calls being made without a matching billing entry.

I'm sure that threat is catered for.

jkmAugust 11, 2011 5:28 AM

I seriously doubt that '4G' was hacked (whaterver 4G means; LTE, WiMAX, WCDMA HSPA?).

wiredogAugust 11, 2011 5:51 AM

Anyone who accepts an OTA system update when at DEFCON deserves everything they get...

jggimiAugust 11, 2011 6:09 AM

@jkm, according to a post further down the linked thread, it was WiMAX on Sprint/Clearwire.

GabrielAugust 11, 2011 8:57 AM

@wiredog: how about "civilians" near or at the hotel who aren't part of defcon who take an OTA update? Do they deserve it too?

JonAugust 11, 2011 3:41 PM

Of course, there have been several examples of 'pushed' over the air upgrades. The user doesn't get a choice about whether to accept it or not.

And, of course, if the officially designated people can push an "upgrade", so can everyone else.

J.

Richard Steven HackAugust 11, 2011 10:37 PM

I think the term "smartphone" needs to be rescinded, and the term "stupid phone" (re-)implemented.

I'm glad I don't have the money yet to buy a "smart (stupid) phone". And that the stupid Nokia 6030 phone I use (it's smart enough to randomly shut itself off periodically!) doesn't get used much except to take client calls. No texting, no SMS, no nada. It can do that crap, but I don't.

Besides the security flaws, every time Jeri Ryan has to update her phone, she tweets how it didn't work unless she does it five times...

Obviously these are real quality products being sold...

Nonetheless, nice to know my meme applies equally well to everyone's phone as it does to their computer. :-)

RogerAugust 14, 2011 4:46 AM

Interesting work, but ... GPRS is supposed to have security features!?

Only GPRS app I have been involved in, everyone just assumed it was totally hackable. The application provided its own session security and assumed the link might not be available. (Low priority messages that did not receive a signed acknowledgement would be re-sent later; high priority messages that didn't get an ACK resulted in a dial-up connection.)

Hmm, reading further, it seems we were right. Security features in GPRS are optional, and it isn't easy for the app to find out if they are enabled. So you have to assume the transport layer is insecure.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..