Security researcher Karsten Nohl has shown that if you send some mobile phones an SMS that appears to originate with the phone company, the phone will SMS back an error message containing sensitive info about its SIM. With this info, you can send another SMS that terminally compromises the phone, giving the attacker the ability to listen in on calls, read texts, and impersonate the phone's owner. He disclosed the vulnerability to the GSM Association early, and on August 1 he'll present his work at Black Hat in Las Vegas. At the root of the problem is a reliance on an older, compromised form of crypto, DES:
For each message, the network and the phone verify their identities by comparing digital signatures. The message sent by Mr. Nohl deliberately used a false signature for the network. In three-quarters of messages sent to mobile phones using D.E.S. encryption, the handset recognized the false signature and ended communication.
But in a quarter of cases, the phone broke off the communication and sent an error message back to Mr. Nohl that included its own encrypted digital signature. The communication provided Mr. Nohl with enough information to derive the SIM card’s digital key.
Mr. Nohl said he had advised the GSM Association and chip makers to use better filtering technology to block the kind of messages he had sent. He also advised operators to phase out SIM cards using D.E.S. encryption in favor of newer standards. He added that consumers using SIM cards more than three years old should get new cards from their carriers.
Encryption Flaw Makes Phones Possible Accomplices in Theft
(Image: MTN SIM card, a Creative Commons Attribution Share-Alike (2.0) image from warrenski's photostream)