Forwarded from: X Ndala <xndalaat_private> Inaccurate information in this article... hope this reply corrects it. >-----Original Message----- >From: InfoSec News [mailto:isnat_private] >Sent: den 13 mars 2002 10:18 >To: isnat_private >Subject: [ISN] New Attack Intercepts Wireless Net Messages > > > http://www.eweek.com/article/0,3658,s=1884&a=23806,00.asp > > March 11, 2002 > By Dennis Fisher and Carmen Nobel [...] > By design, the Mobitex specification, like other wireless standards > such as Global System for Mobile Communications and General Packet > Radio Service, sends packets in unencrypted form. The network, which > handles data transmissions only, has been in operation since 1986 > and has a large base of installed devices, with customers using it > for everything from point-of-sale verification to e-mail. Wrong: GSM and GPRS are encrypted in the air interface. The mobile operator has the choice to turn off encryption for GSM or GPRS traffic, but that is very rare. For your information: GPRS extends GSM to support radio packet switched traffic. By definition, GSM traffic is circuit switched (like normal telephone lines where you can have voice or data from dial-ups, only it's mobile). > "The attack is fairly simple," said Joe Grand, one of the > researchers who perfected the technique. "The problem is, this isn't > a bug. It's part of the spec that data is transmitted in the clear, > just like it's part of the spec that Internet data is transmitted in > the clear. The risk depends on who is using the network and when and > what data they're sending." [...] Wrong again: GSM and GPRS specs are available at http://www.etsi.org. If you bother to read them, you'll see that data is NOT transmitted in the clear. GSM and GPRS have been developed with Confidentiality, Integrity and Authentication in mind. That's what makes these technologies much more secure than others. An example of another technology being developed with security in mind is 3G (short for 3rd Generation, or UMTS/WCDMA in Europe, CDMA2000 in the US). Take a look at the excellent security specs in http://www.3gpp.org. 3G is an evolution from GSM (sometimes called 2G) and GPRS (sometimes called 2.5G). I wonder what the world would be like if Micro$oft developed software using this methodology (inherent security requirements)... uhmm... Hey Billy!, wanna see ya fussing now through all those lines of code reviewing security items! Might as well start a whole new system... no, wait, have to keep retro-compatibility with windows2k and dotNet... sh*t. ... sorry folks, got myself a little bit carried away with my feelings... back to reality... I believe we have to be positive: IP will one day be much safer like these wireless techologies. Many things like IPSec and PKI are coming into place. And 10 or 20 years from now we'll have a much safer world. (orchestra in the background, please) But until we get there there's a looooot of work to be done; like correcting articles as this one that take away hope from people by saying lack of security is not a bug, it's the specs... ?! Yours sincerily --xndala - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Mar 15 2002 - 08:56:38 PST