* Posts by Miguel 1

11 publicly visible posts • joined 29 Oct 2010

SIM crypto cracked by a single text, mobes stuffed with spyware

Miguel 1

Mobile operator. Normal users are not meant to send this kind of messages.

Miguel 1

It's not the phone, it is the SIM

I had to read both the NYT and Forbes articles to understand what it is all about.

Even though plain DES should not be used, I think it is a protocol failure: the articles did not mention brute force attacks, but malformed OTA messages. Besides SIM manufacturers (Gemalto, G&D and friends) I'd blame mobile operators' cheapness: saving a few pennies on each SIM card goes a long way when you are rolling out millions of them, so they choose old models with very limited memory and obsolete operating systems and crypto processors.

There are two big security fails here:

- first, sending the encrypted keys to the SIM as a response to a malformed message (probably the so-called "Issuer Security Domain keys"). Maybe some debugging mode that should have been deactivated?

- second, breaking the 'sandbox' mode, which I am not sure whether it is a failure of the JavaCard virtual machine implementation or of the underlying SIM operating system, which must implement a security architecture based on "Security Domains" that prevent applications accessing each others' data. Without this second failure, getting access to the SIM would have enabled attackers to delete all existing applications in the SIM and install new ones, but not access their data or keys.

Finally, there is no "security through obscurity" here. All specifications are publicly available, see ETSI, 3GPP or GlobalPlatform.

Telecom bigwigs: 'We're all friends – really'

Miguel 1


Fierce competitors? Don't make me laugh, they are mostly the kings of price fixing.

BTW, Mr. Alierta was proven guilty of insider trading a few years ago but was lucky that the statute of limitations for such crimes kicks in really early in Spain.

Ten 3D printers for this year's modellers

Miguel 1
Thumb Up

Re: You can cast aluminum direct from a 3D print

That's a pretty good step-by-step guide for those of us who still don't know much about practical applications. Has made worthwhile reading the comments, thanks!

Nokia turns a PROFIT. Sort of

Miguel 1
Thumb Up

Re: As predicted last year....

I'm also gladly surprised that NSN did well, that's some hope for the European telecom engineering business.

But I would not make any conclusions from old wars: pick almost any country, and you'll be able to find past victories if you go back in History far enough...

Telefónica slapped with €67m anti-competitive fine from EU

Miguel 1

Re: No bloody bullfight with ultragore so that politicians can complain? SOMETHING IS WRONG!

Yes, it is indeed anti-competitive to sign an AGREEMENT not to compete, by entering your competitor's home market. I don't think anyone will fine Telefónica or PT for offering telecom services in New Zealand, for example.

Is it so hard to understand?

Debenhams cafes ban outré terms like 'espresso' and 'cappuccino'

Miguel 1

Re: Die Grande Die

I can't fathom why they decided to call that size "grande"... no self-respecting Italian, Spaniard or Portuguese would ever ask for a pint of coffee.

Why the Windows Phone 8 digi-wallet is different to the others

Miguel 1
Thumb Up

Your comparison with the Assyrian Empire is just great

EU to push through more roaming caps in 2012

Miguel 1
Thumb Up

If the European Commission is serious about pulling down borders, barriers to commerce and such, they can do with mobile pricing something similar as they did with money transfer costs in the Euro zone (at least; I don't know if they apply when one of the accounts is in the UK): same price regardless of country of origin and destination.

Prototype iPhone 5 lost in bar, right on schedule

Miguel 1
Thumb Up

50,000-watt radio station?

Do they publish radio stations' transmitting power in the US?

That's really cool, much more than the silly iPhone.

Credit cards get colour screens

Miguel 1

No remote management?

The feature missing from this card, and the winning argument for putting NFC in the mobile phone, is remote management: OTA downloading of applications ('cards') to the secure element (most likely the SIM), remote updates (ticket purchases, account lock/unlock, etc).

Anyway, it is much more difficult to play card skimming attacks against this kind of devices than against magnetic stripes: the secure element will not exchange any information until the NFC reader has authenticated itself.