AusCERT senior security analyst Marco Ostini has called for drastic international action to fix security holes in the 2G cellular network that currently leave everyone vulnerable to attack, even though telcos are moving to 4G networks and beyond.
(Droid Eris meets pavement image by
Robert Nelson, CC2.0)
Speaking at the Security on the Move event hosted in Sydney by AusCERT and SC Magazine yesterday, Ostini drew on research presented at previous Defcon events in the US, including the WASP — Wireless Aerial Surveillance Platform — drone that two security researchers, with links to the US Government, built to sniff Wi-Fi Bluetooth and GSM traffic.
While the risks of Wi-Fi and Bluetooth sniffing are fairly well publicised and procedures to protect against them are simple to implement, Ostini was particularly worried about the research that allowed others to sniff communications over cellular networks.
Ostini praised the 2G network and all the advances that it had allowed, but said that it was never planned to be used with such high data throughput and was designed as an overly proprietary system. He said that that proprietary nature had, at the time, caused many to believe it would be protected.
"It needs to be fixed. It doesn't do proper authentication. If you just ask it to do the lowest level of encryption, that would be easily crackable on a laptop. It's got weak confidentiality, it has no data integrity algorithms."
Given that telco providers are moving to 3G and 4G networks, the problem with 2G might seem reminiscent of the same security issues that plagued Wi-Fi in its early days. Ostini touched on how naive people were in the earliest days of Wi-Fi and how it took WEP, then WPA and WPA2 to finally secure those networks to a reasonable extent. Similarly, 3G and 4G networks solve a lot of the security issues that have been identified in 2G, but the biggest difference between Wi-Fi networks and the GSM network is how each network handles poor reception.
Wi-Fi drops to a more reliable speed, a function that is independent of whichever security measure is employed, but phones fall back to legacy networks like 2G and adopt any security issues that network may have. What that means is that despite 2G's security being fixed in 3G and 4G networks, none of those benefits are realised as soon as reception gets patchy, or worse, when someone intentionally jams those networks.
"Every phone that you have that's also using 3G has 2G in it and in many cases will automatically fall from 3G back to 2G when 3G is not available."
It's this failover to an insecure network that has Ostini concerned. According to him and as demonstrated by the researchers at Defcon, it's relatively simple to set up your own GSM sniffer and capture or even manipulate all phone calls, SMS messages and data over the 2G network. In fact, he said that researchers have demonstrated this with equipment that cost them less than $1500 thanks in part to the availability of open source software.
Furthermore, he said it was possible this was already happening in certain parts of the world.
"I'd be very surprised if three-letter organisations are not already doing similar things — possibly with using a lot more expensive equipment, but hopefully with the appropriate warrants and legal approval to do so."
The obvious solution is to not use 2G networks, but in many cases, users don't have a choice.
"iPhones and iPads are of particular concern because unlike most other mobile device, you can't tell them to only use 3G. You can tell them to only use 2G, or you can ask them to roam between 2 and 3, but you can't lock them in at 3 only."
Ostini said that in many cases it also took a lot of work to stop wireless USB dongles that communicate over the GSM networks from falling back to the 2G network.
Individuals weren't the only targets either, with Ostini providing examples of where businesses could be at risk.
"Branch offices, particularly in some rural areas where it is too expensive to get infrastructure to them, they use a 3G base-station modem/router and that provides the local network for that area. They could also be intercepted. You could force it from 3G back down to 2 and then hop in and see what they're up to."
"That could include the transmission of EFTPOS transactions or credit card details," he said, noting that point of sale systems themselves often used the GSM network.
But Ostini had larger concerns than just individuals or businesses losing control of their devices.
"The thing that concerns me possibly the most are SCADA systems."
These supervisory control and data acquisition systems are responsible for controlling industrial processes, including those used in critical infrastructure like power stations, water plants and the electricity grid.
Ostini pointed out the recent incident at a water utility in South Houston water utility, which was broken into to prove a point to the US Government. If a hacker wanted to, they could remotely operate industrial processes to intentionally malfunction.
"My understanding is [some pieces of industrial equipment] are pretty expensive. I think we're talking hundreds of thousands of dollars."
He pointed to smart meters, designed to log how much electricity a premise uses and in the future possibly allow home automation, communicate over 3G networks and failover to 2G when necessary.
To solve the problem, Ostini advocated petitioning the GSM Association to make the necessary changes to secure 2G.
He acknowledged that even if GSM Association were to listen and implement the security that he believed it should have had to begin with, there would still be the mammoth task of reflecting that change in the associated infrastructure and the devices that connect to it.
"Every base station running it would need to have a firmware update. All phones would need a firmware update. All mobile devices that connect to GSM networks would need a firmware update. It sounds like a big ask; yes it is.
"Basically, this is almost of the scale of trying to fix the Y2K kind of problem. A rather large international effort is required. But it's not impossible to do. Considering that 80 per cent of the planet uses this telecommunications network, we should probably make the effort."
In the meantime, he recommended that those that could stop their devices from falling back to the 2G network do so, or otherwise ensure that they make use of appropriate encryption, where possible, to ensure that their data couldn't be captured.
"I've done it for the past 12 months. I'd certainly recommend people to do it as well, if you can."