Mobile operator. Normal users are not meant to send this kind of messages.
11 posts • joined 29 Oct 2010
It's not the phone, it is the SIM
I had to read both the NYT and Forbes articles to understand what it is all about.
Even though plain DES should not be used, I think it is a protocol failure: the articles did not mention brute force attacks, but malformed OTA messages. Besides SIM manufacturers (Gemalto, G&D and friends) I'd blame mobile operators' cheapness: saving a few pennies on each SIM card goes a long way when you are rolling out millions of them, so they choose old models with very limited memory and obsolete operating systems and crypto processors.
There are two big security fails here:
- first, sending the encrypted keys to the SIM as a response to a malformed message (probably the so-called "Issuer Security Domain keys"). Maybe some debugging mode that should have been deactivated?
- second, breaking the 'sandbox' mode, which I am not sure whether it is a failure of the JavaCard virtual machine implementation or of the underlying SIM operating system, which must implement a security architecture based on "Security Domains" that prevent applications accessing each others' data. Without this second failure, getting access to the SIM would have enabled attackers to delete all existing applications in the SIM and install new ones, but not access their data or keys.
Finally, there is no "security through obscurity" here. All specifications are publicly available, see ETSI, 3GPP or GlobalPlatform.
Re: As predicted last year....
I'm also gladly surprised that NSN did well, that's some hope for the European telecom engineering business.
But I would not make any conclusions from old wars: pick almost any country, and you'll be able to find past victories if you go back in History far enough...
Re: No bloody bullfight with ultragore so that politicians can complain? SOMETHING IS WRONG!
Yes, it is indeed anti-competitive to sign an AGREEMENT not to compete, by entering your competitor's home market. I don't think anyone will fine Telefónica or PT for offering telecom services in New Zealand, for example.
Is it so hard to understand?
If the European Commission is serious about pulling down borders, barriers to commerce and such, they can do with mobile pricing something similar as they did with money transfer costs in the Euro zone (at least; I don't know if they apply when one of the accounts is in the UK): same price regardless of country of origin and destination.
No remote management?
The feature missing from this card, and the winning argument for putting NFC in the mobile phone, is remote management: OTA downloading of applications ('cards') to the secure element (most likely the SIM), remote updates (ticket purchases, account lock/unlock, etc).
Anyway, it is much more difficult to play card skimming attacks against this kind of devices than against magnetic stripes: the secure element will not exchange any information until the NFC reader has authenticated itself.