* Posts by Miguel 1

11 publicly visible posts • joined 29 Oct 2010

SIM crypto cracked by a single text, mobes stuffed with spyware

Miguel 1

Mobile operator. Normal users are not meant to send this kind of message.

Miguel 1

It's not the phone, it is the SIM

I had to read both the NYT and Forbes articles to understand what it is all about.

Even though plain DES should not be used, I think it is a protocol failure: the articles did not mention brute force attacks, but malformed OTA messages. Besides SIM manufacturers (Gemalto, G&D and friends) I'd blame mobile operators' cheapness: saving a few pennies on each SIM card goes a long way when you are rolling out millions of them, so they choose old models with very limited memory and obsolete operating systems and crypto processors.

There are two big security fails here:

- first, sending the encrypted keys to the SIM as a response to a malformed message (probably the so-called "Issuer Security Domain keys"). Maybe some debugging mode that should have been deactivated?

- second, breaking the 'sandbox' mode, which I am not sure whether it is a failure of the JavaCard virtual machine implementation or of the underlying SIM operating system, which must implement a security architecture based on "Security Domains" that prevent applications from accessing each other's data. Without this second failure, getting access to the SIM would have enabled attackers to delete all existing applications in the SIM and install new ones, but not access their data or keys.

Finally, there is no "security through obscurity" here. All specifications are publicly available, see ETSI, 3GPP or GlobalPlatform.

Telecom bigwigs: 'We're all friends – really'

Miguel 1
Facepalm

Really?

Fierce competitors? Don't make me laugh, they are mostly the kings of price fixing.

BTW, Mr. Alierta was proven guilty of insider trading a few years ago but was lucky that the statute of limitations for such crimes kicks in really early in Spain.

Ten 3D printers for this year's modellers

Miguel 1
Thumb Up

Re: You can cast aluminum direct from a 3D print

That's a pretty good step-by-step guide for those of us who still don't know much about practical applications. It has made reading the comments worthwhile, thanks!

Nokia turns a PROFIT. Sort of

Miguel 1
Thumb Up

Re: As predicted last year....

I'm also gladly surprised that NSN did well, that's some hope for the European telecom engineering business.

But I would not make any conclusions from old wars: pick almost any country, and you'll be able to find past victories if you go back in History far enough...

Telefónica slapped with €67m anti-competitive fine from EU

Miguel 1

Re: No bloody bullfight with ultragore so that politicians can complain? SOMETHING IS WRONG!

Yes, it is indeed anti-competitive to sign an AGREEMENT not to compete, by entering your competitor's home market. I don't think anyone will fine Telefónica or PT for offering telecom services in New Zealand, for example.

Is it so hard to understand?

Debenhams cafes ban outré terms like 'espresso' and 'cappuccino'

Miguel 1

Re: Die Grande Die

I can't fathom why they decided to call that size "grande"... no self-respecting Italian, Spaniard or Portuguese would ever ask for a pint of coffee.

Why the Windows Phone 8 digi-wallet is different to the others

Miguel 1
Thumb Up

Your comparison with the Assyrian Empire is just great

EU to push through more roaming caps in 2012

Miguel 1
Thumb Up

If the European Commission is serious about pulling down borders, barriers to commerce and such, they can do with mobile pricing something similar to what they did with money transfer costs in the Euro zone (at least; I don't know if they apply when one of the accounts is in the UK): same price regardless of country of origin and destination.

Prototype iPhone 5 lost in bar, right on schedule

Miguel 1
Thumb Up

50,000-watt radio station?

Do they publish radio stations' transmitting power in the US?

That's really cool, much more than the silly iPhone.

Credit cards get colour screens

Miguel 1
Boffin

No remote management?

The feature missing from this card, and the winning argument for putting NFC in the mobile phone, is remote management: OTA downloading of applications ('cards') to the secure element (most likely the SIM), remote updates (ticket purchases, account lock/unlock, etc.).

Anyway, it is much more difficult to play card skimming attacks against this kind of device than against magnetic stripes: the secure element will not exchange any information until the NFC reader has authenticated itself.