Blimey
I guess that's the thing about crypto, it's always going to get broken with time. It's when, not if. 3DES's time will come as well I'm sure.
A quarter of mobiles phones using DES encryption rather than the newer triple-DES for their SIM cards are vulnerable to an attack via SMS that results in a complete takeover of the phone. German security researcher Karsten Nohl, founder of Berlin's Security Research Labs, who previously busted GPRS encryption and cracked …
Curios thing is, this doesn't seem to be an attack against DES at all. It looks like (yet another) gimped protocol implementation. Not cryptography/cipher related at all really.
Makes me wonder:
1) Which brands of phone on which networks are programmed to give up their keys this readily.
and
2) Why not 3DES? Is it that only old (pre 3DES adoption) handsets do this?
Name & shame please!
No need to name & shame any brands of phone, as the 'target device' in the attack is the SIM card not the phone.
The attack appears to compromise the admin keys of the JavaCard smartcard chip used in the SIM and from there it has access to all data on the SIM card, including any phonebook records, stored SMS messages and encryption keys for your network access or any other application running on the SIM card.
It's unlikely that it will have any access to the phone itself (apart from modifying any SIM Toolkit applications that are presented through the phone interface). But it will have access to the network via the SIM Toolkit and so will be able to send/receive calls/text/data, some of which may cost you money or compromise your privacy.
It looks like an interesting attack, with the potential of being able to clone your SIM card just by sending you a text message and allowing the SIM to open a data channel to dump its contents to a remote server.
> I guess that's the thing about crypto, it's always going to get broken with time. It's when, not if. 3DES's time will come as well I'm sure.
People who understand encryption know this. The ideal encryption system keeps information secret until the end of the value in keeping the information secret. So a message saying we're going to start the attack in 5 minutes, is OK to send out on a system that takes 6 minutes break.
Sadly most people who use encryption technologies don't know this.
But perhaps in this case its a weakness that the phone companies like. It provides a built in obsolescence. It encourages users to change their SIM cards regularly. Old SIM cards often operate under older contractual arrangements. By encouraging users to move onto new SIMs they're able to also move customers onto new (read more profitable) Ts&Cs. So for example I have a pile of old SIMs that don't expire if I don't use them or top them up every few months. Bad news for the phone company, coz I don't top them up. Good news for me, since it means I can leave emergency phones in cars, etc... without needing to worry about them expiring.
> By encouraging users to move onto new SIMs they're able to also move customers onto new (read more profitable) Ts&Cs.
When my phone (and SIM card) got obliterated I phoned my provider and they sent me a new SIM card without any need to sign new T&C's or extend the contract and it was free of charge. All they wanted to know was what type of phone the card was going to be put into.
> So that will be about 99.999999...% of all mobile phone users. Shame on them.
Except my dig wasn't at the end user, they have no choice in the encryption tech used by their SIM card.
I was having a serious dig at the phone companies (also all smart cards etc... Oyster, Paris Metro..., they all seem to have the same problem, and they do chose the tech but just seem to prefer to have their collective heads stuffed up their respective arses on this issue)
"People who understand encryption know this. The ideal encryption system keeps information secret until the end of the value in keeping the information secret. So a message saying we're going to start the attack in 5 minutes, is OK to send out on a system that takes 6 minutes break.
Sadly most people who use encryption technologies don't know this"
True.
Indefinite security needs much longer keys.
BTW have you noticed the epidemic of downvotes for saying that DES was f**ked since the EFF cracker in 1998?
> Indefinite security needs much longer keys.
Personally I think it is a mistake to ever think in terms of indefinite security. Who knows what tomorrow brings?
But at the least any encryption system should be viewed in light of Moore's law. Next years computer will be twice as fast and half the cost and the decrypt function should be assumed to get twice as good. This gives you a starting point for planned obsolescence.
The problem with increasing the key length is that it takes longer to process and probably more expensive.
If you're planning something like an automated ticket system, you need to take this into account. You need to plan to use more powerful cards as they become available, you need to upgrade the ticket machines regularly. You need to make sure that the tickets do expire and can be replaced by newer ones capable of using longer keys. In short you need to plan for the future.
You can't just view it as an install once, problem solved issue.
Back in the sad, and portent-laden fading days of the Republic (the "Bubble in Time"), the following went to the printers:
Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design
by the Electronic Frontier Foundation.
Statements of note:
We noticed an increasing number of situations in which highly talented and respected people from the U.S. Government were making statements about how long it takes to crack DES. In all cases, these statements were at odds with our own estimates and those of the cryptographic research community. A less polite way to say it is that these government officials were lying, incompetent, or both. They were stating that cracking DES is much more expensive and time-consuming than we believed it to be. A very credible research paper had predicted that a machine could be built for $1.5 million, including development costs, that would crack DES in 3-1/2 hours. Yet we were hearing estimates of thousands of computers and weeks to years to crack a single message.
On Thursday, June 26, 1997 the U.S. House of Representatives' Committee on International Relations heard closed, classified testimony on encryption policy issues. The Committee was considering a bill to eliminate export controls on cryptography. After hearing this testimony, the Committee gutted the bill and inserted a substitute intended to have the opposite effect. A month later, a censored transcript of the hearing was provided; see http://jya.com/hir-hear.htm. Here are excerpts:
Statement of Louis J. Freeh, Director, Federal Bureau of Investigation
". . . And we do not have the computers, we do not have the technology to get either real-time access to that information or any kind of timely access. If we hooked together thousands of computers and worked together over 4 months we might, as was recently demonstrated decrypt one message bit. That is not going to make a difference in a kidnapping case, it is not going to make a difference in a national security case. We don't have the technology or the brute force capability to get to this information."
Yup. The EFF project was 15 years ago. that should have put the red line through new uses.
How many mobile phones are still running from 1997?
Not many.
Phone operators. Their networks protect your privacy.
Except when they are too cheap, or THE PATRIOT Act tells them to copy all metadata over to the govt.
or....
Does anyone know which phones are only using single DES, and how to tell if yours is vulnerable?
Also, I would have thought it was the SIM provider (ie: the network operator) who determined the encryption mode of the SIM - or at least set the options available for the phone to choose from - and therefor to fix the problem by disabling or limiting use of single DES...
According the article in the NYT*, "... [Nohl] added that consumers using SIM cards more than three years old should get new cards from their carriers." Elsewhere on the web** he is quoted as saying ""Different shipments of SIM cards either have [the bug] or not," Nohl told Forbes. "It's very random," he said.
So, it seems that there is no way you can tell about any particular card :-(
*http://www.nytimes.com/2013/07/22/technology/encryption-flaw-makes-phones-possible-accomplices-in-theft.html
**http://securitywatch.pcmag.com/mobile-security/313914-encryption-bug-in-sim-card-can-be-used-to-hack-millions-of-phones (quoted from the Forbes article, but I can't get into it)
It should have been game over for all new DES applications from then on.
BTW AFAIK no one has done a proper crypto analysis of 3DES. It is believed it is very much more secure, but I'm not sure that's been proved, so the theory that it's like the equivalent of 168 bit key encryption remains a theory IOW there could be keys or settings that knock down that to a much smaller key space.
This is another epic fail for cheap ass GMS vendors and operators and their ongoing security-by-obscurity.
Actually very valid point. ROT-13 is simple to crack, so is double-ROT-13 twice as hard? No, it becomes cleartext again. Dramatic example of course, but that's corner cases for you. Or similarly, a Caesar cypher gets no stronger by repeating it, so 3Caesar (if you get my drift) is exactly as secure as 1Caesar. If 3DES hasn't been been fully analysed (I'm surprised to learn this BTW), it genuinely may not be as secure as initial assumptions would suggest.
Yes, there's been a great deal of study of 3DES. Easy to find if you try. Properly implemented with 3 unrelated keys it's still considered a very good cipher providing ~112 bits of security. Not insignificant as a demonstration of cascading too.
Obviously new designs should consider something more efficient and modern, offering a better margin: Serpent, Rijndael, Camellia, etc.
The eCrypt annual report is an excellent way to keep up to date on the current state of things. http://www.ecrypt.eu.org/
So i get double the security from 3 times the key length provided I implement the key generation process correctly.
Now where could this process possibly go wrong?
I get that if you've got systems in the field that are impossible to upgrade, or you simply must have compatibility with stuff that might have been installed up to 36 years ago then you may have no choice.
But for the rest of us in 2013?
BTW foundry processes are around 1200x faster (the EFF cracker ran at 20Mhz) and gate densities can hit 21k gates a cm^2 And of course storage has gotten much cheaper, so once you've captured it you can keep returning it till it cracks.
Indeed, anyone using DES after Deep Crack is an idiot. I also agree that 3DES is probably broken as well, after all it is only 3 chained DES engines, and there is probably a shortcut to cracking that by our favourite 3-letter agencies...
I had to read both the NYT and Forbes articles to understand what it is all about.
Even though plain DES should not be used, I think it is a protocol failure: the articles did not mention brute force attacks, but malformed OTA messages. Besides SIM manufacturers (Gemalto, G&D and friends) I'd blame mobile operators' cheapness: saving a few pennies on each SIM card goes a long way when you are rolling out millions of them, so they choose old models with very limited memory and obsolete operating systems and crypto processors.
There are two big security fails here:
- first, sending the encrypted keys to the SIM as a response to a malformed message (probably the so-called "Issuer Security Domain keys"). Maybe some debugging mode that should have been deactivated?
- second, breaking the 'sandbox' mode, which I am not sure whether it is a failure of the JavaCard virtual machine implementation or of the underlying SIM operating system, which must implement a security architecture based on "Security Domains" that prevent applications accessing each others' data. Without this second failure, getting access to the SIM would have enabled attackers to delete all existing applications in the SIM and install new ones, but not access their data or keys.
Finally, there is no "security through obscurity" here. All specifications are publicly available, see ETSI, 3GPP or GlobalPlatform.
"Finally, there is no "security through obscurity" here. All specifications are publicly available, see ETSI, 3GPP or GlobalPlatform."
Yes and no.
The standards are freely available.
Yes and no again. some standards are but some parts are only available to network operators. Those have already been reverse engineered.
Now are you saying people asked that DES be used, given the first announced hardware cracker was built in 1998?
I don't think so.
More likely the operators didn't think anyone would notice what they were using because it's an obscure part of the system subscribers never worry about.
There are several variations on the details of a security-by-obscurity policy.
What they all have in common is that they are dumb.
It's easy to spot this A/C he's the new boy that's appeared around here, mainly defending the NSA and calling Snowden a a traitor....
Let's point something out here:
"For law enforcement reasons,"
The Police et al are there to to uphold the law as written, no to use and abuse it. If you have commited no crime, then the Police and co have no reason to investigate you or harvest you details.
Liberty and Amnesty must be loving this to be finally happening the "civilised" world and us finally waking up to whats been going on everywhere else for decades.
This post has been deleted by its author
Right.
i can not get over how there's people that don't have a problem with this.
Imagine having a government dude sitting in your bedroom listening and watching all that you do there in the name of wider security, some perceived threat, because, hey, if you have nothing to hide you don't have to worry about anything right?
But if you refuse to allow them in then you're hiding something.
Don't there have to be limits to what is allowed? Where do you draw the line?
Some seem to think that allowing the government to snoop on bytes that you produce is okay, well i don't agree with them.
I notice, in an other article today, that only 1% of java implementations are up to date. Not that it matters much as there has been yet another 0-day disclosed today. One does wonder what version(s) of java sim cards run on and how it is proposed to keep them current.
One could also speculate whether there might be resistance from our Lords and Masters if any attempt is made to improve sims' security.
My thoughts exactly, why would the real operator allow network control messages from 3rd parties....?
The traffic has to go through their systems regardless of how the phone is connected to the network, OTA or femtocell.
This is very old crypto news about the DES system.
It was cracked i think 1999 read
https://www.networkworld.com/news/1999/0120cracked.html
So if they are still using old tech then its the companies fault they are cheap.The banks have been doing it for years with chip & pin. Remember CHIP & PIN is also broken people.
http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
When will the public demand that businesses use the latest tech that is secure so far proven.
SO THIS IS NOT NEW NEWS YOU ALL NEED TO WALK UP!
The privacy issue is more complex than having nothing to hide.
Say they decide to go for pattern recognition comparing all our correlated communications patterns against those of known criminals or suspected terrorists - perhaps recruiting one of the usual suspects with their crack squad of programmers. The patterns are neural networks or similar and are automatically produced by the computer system - the people operating it have no idea how it works, nor any way to really know whether it's picked you out using the computer equivalent of the sorting hat.
So let's say by pure coincidence you trip the system so they start to review your "file". They discover that one person you communicate with has (unknown to you) a bit of history - maybe they did a bit of time for protesting against globalization when they were young. Or maybe they just happen to be Muslim.
Now they have enough to think you might be in a ring of criminals so they get a court order to take a closer look. Now they're rummaging around in all your affairs. Perhaps they are all legitimate but maybe you don't want them asking questions about your love of transvestite pornography, or your frequent visits to a "friend" in Sheffield ('cos they spot your registration plate on the NPR system on the M1 every Thursday). Etc.
And god forbid they find "something" to actually haul you in for - your life could easily be ruined in the process - not because of the tiny infraction they did find, but more for the legal-but-deviant behaviour they stumbled across along the way.
Personally, I don't relish the thought of having to prove my innocence, which is what it will boil down to. Who here hasn't battled against some insane IT-backed bureaucracy at some point in their life? You are 100% in the right, but you cannot get the people in power to understand why their data is wrong - e.g. the council is convinced you haven't paid your council tax, even though they agree they are in receipt of the money ... etc.
So we must have a right to privacy so that we aren't placed in a position of having to justify our perfectly legal behaviour. If a real human for genuine reasons decides that I present enough of a risk that they should investigate me, no problem with them then deciding to snoop on everything I write. Until then, piss off and leave me in peace.
Or as the other poster put it, if you have nothing to hide, why do you have curtains?