Interesting People mailing list archives

IP: Cell Phone insecurity -- RE: Security Czar Points Finger of Blame (should beat Governments)


From: Dave Farber <dave () farber net>
Date: Sat, 03 Aug 2002 12:09:15 -0400


------ Forwarded Message
From: "the terminal of Geoff Goodfellow" <geoff () iconia com>
Date: Sat, 3 Aug 2002 17:55:16 +0200
To: <farber () cis upenn edu>
Subject: Cell Phone insecurity -- RE: Security Czar Points Finger of Blame
(should beat Governments)

Re: Cell phone insecurity (vs. email, the internet, etc.)

i can speak from ground zero regarding the history and lack of cell phone
insecurity.  i was there, in the early 80's, in a non-smoke filled room at
the EIA headquarters in Washington DC, trying to fix the problem before it
became one.

I will never forget that day.  I was on the TR-45.2 committee dealing with
"back end" issues such as automatic roaming at the time. I was told
(in)security issues needed to be addressed by the TR-45.1 air interface
"front end" committee.  So, on the day of presentation of the insecurity
issues to the TR-45.1 group, I'll never forget how i was told (along with
colleague Bob Jesse) or rather scolded, by AT&T's rep (Jerry Baker if i
recall correctly) that it was not to be a problem! The rep from Ericsson
suggested we should re-arrange (scramble) the digits around to make it more
difficult!! Use strong encryption?  Naaaaah.  Forget it!

The TR-45.1 committee just didn't see security as being a problem or an
issue worth trifling with -- thinking that the IS-3 CELLULAR SYSTEM MOBILE
STATION - LAND STATION COMPATIBILITY SPECIFICATION as it was known at the
time -- was just fine with its Electronic Serial Number (ESN) security and
the spec surely didn't need to be changed for the sake of "better security".

Astute colleagues Robert Jesse and Andrew Lamothe and I were just
flabbergasted by the naivete and just plain uncaring attitude of The Big
Equipment Vendors who were committed to burden their customers, the cellular
carriers, with future multi-zillion dollar loss exposure from FRAUD!

As a result of the total disinterest on the part of EIA TR-45.1 Big Vendors,
we 3 set about to do what just about anyone does when their logic and
reasoning is ignored in private -- you go public!  As a result, we
co-authored the first article on the lack of cell phone security -- November
1985 --  which i just found via Google:

            THE ELECTRONIC SERIAL NUMBER: A CELLULAR 'SIEVE'?
                'SPOOFERS' CAN DEFRAUD USERS AND CARRIERS

http://mirror.lcs.mit.edu/telecom-archives/archives/cellular/cellular.sieve

It looks at the history of the lack of security in mobile telephony and, how
we predicted, when it was written in 1985, that cellular would be no more
secure than its predecessors.  Furthermore, we proposed what Should Be Done
to nip the coming problem in the proverbial bud.  I'm sad to say it fell on deaf
ears or went right over the heads of the industry at the time. No one did
anything and the rest, as they say, is history!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
geoff.goodfellow () iconia com * Prague - CZ * telephone +420 603 706 558
"success is getting what you want & happiness is wanting what you get"
http://www.nytimes.com/library/tech/99/01/biztech/articles/17drop.html
http://www.tapsns.com/members-bio/geoff-goodfellow.shtml


-----Original Message-----
From: owner-ip-sub-1 () admin listbox com
[mailto:owner-ip-sub-1 () admin listbox com]On Behalf Of Dave Farber
Sent: Saturday, August 03, 2002 4:10 PM
To: ip
Subject: IP: Security Czar Points Finger of Blame (should beat
Governments)


For years, many of us have been fighting the GovernmentS desire to restrict
cryptography endlessly warning them that the inability to use strong
encryption (or in some places any) weakens the security of the electronic
world.  Yet endlessly we have seen attempts to control the use of
cryptography or so weaken it as to be ineffective.  Our cell phones are
insecure, our email is insecure and worse our internet is painfully
insecure. Our computer systems and their software are so insecure as to be
laughable.

I only hope Clarke can change that attitude but I doubt it. The position of
law enforcement has been and will, I suspect remain, that strong encryption
and secure systems makes it hard to catch crooks so we will all continue to
live in cyber-houses without locks and suffer.

Dave


------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/

