Bugtraq mailing list archives
Re: otp - the next generation
From: Dag-Erling Smorgrav <des () THINKSEC COM>
Date: Fri, 23 Mar 2001 15:11:08 +0100
Gregory Steuck <greg () NEST CX> writes:
> This is the part the whole authentication mechanism depends on. You made at least 2 assumptions here:
I'm tempted to quote Samuel Jackson here - "as everyone knows, when you make an assumption, you make an ass out of you and mption" :)
> 1) GSM phone network is secure between the endpoints (phones) and can not be sniffed.
This is a serious problem. GSM does not offer end-to-end encryption. See further down.
> 2) SMS source address can not be forged.
They can - it's trivial if you have the right phone (or rather, the right firmware). This is less serious though, since the one-time password is sent to the registered phone number, so even if a third party forges your MSN he will not receive the OTP. It does allow for some interesting DoS or harassment attacks though. This is a situation which GSM operators could easily remedy if they wanted to - just like ISPs could easily kill certain types of DoS attacks at the source with egress routing - there just doesn't seem to be any incentive to do so. (It's even possible to forge so-called network-originated messages, which can be used to reprogram the recipient's SIM card etc.)
> I am pretty sure that both assumptions are wrong. Phone company (or companies, I don't know how the messages are routed) will most certainly be able to sniff your messages and forge the source address.
The situation is even worse if the sender and receiver are on different GSM networks - GSM operators typically exchange SMS messages over unencrypted TCP/IP connections.

DES
--
Dag-Erling Smørgrav - des () thinksec com