Re Every LTE call, text, can be intercepted, blacked out, hacker finds

["Dave Farber" <farber () gmail com>]

Begin forwarded message:

> From: Thomas Leavitt <thomas () thomasleavitt org>
> Date: October 24, 2016 at 2:38:13 PM EDT
> To: Dave Farber <dave () farber net>
> Subject: Re: [IP] Every LTE call, text, can be intercepted, blacked out, hacker finds
>
> Dave,
>
> This comment in response to the article seems cogent, I don't have the background to evaluate accuracy, but it seems 
> legit?
>
> Thomas
>
> Clarification on LTE call/SMS interception (not!) 
> When they say the attack allows intercepting calls and SMS: this is only happening when the device is on 2G, not on 
> LTE. It is still NOT possible to do the interception on LTE itself, so the attack switch the device to 2G, which is 
> insecure.
> To give the history here: 2G has no mutual authentication. So a rogue 2G base station can do MITM and intercept call 
> and traffic. 2G has deployed often has weak crypto too (there's a fix, but not always deployed). So 2G has poor 
> security, and tends not to be upgraded for cost reasons. But several operators are going to (or already have in SK 
> and Japan) turned 2G off. Getting rid of 2G is the best solution here. But in Europe we'll have to be patient...
> About LTE now. The initial messages between a device (UE) and base station (eNB) are not encrypted. Pretty normal 
> there, one need to establish a context. The redirection the attack is using happens in this non-encrypted phase, so 
> can redirect the UE to a fake (no service) or 2G (MITM) base station. There's a trade-off here: for overload 
> management, a fast redirection is better. For security, waiting after authentication will be better (but would load 
> the chosen cell). Pick your poison...
> In practice, with pure LTE, the redirection attack is a form of DoS. And anybody who knows radio knows that jamming 
> is easy anyway. Instead of faking an eNB, just jam the channel and kill all LTE on the given frequency. So preferring 
> load robustness in this context is a reasonable trade-off. It's just a poor fit with network still using legacy 2G 
> with crappy security unfortunately.
> So let's get rid of 2G fast, please.
>
> > On Mon, Oct 24, 2016 at 1:08 AM, Dave Farber <dave () farber net> wrote:
> >
> >
> > ---------- Forwarded message ----------
> > From: Lauren Weinstein <lauren () vortex com>
> > Date: Sunday, October 23, 2016
> > Subject: [ NNSquad ] Every LTE call, text, can be intercepted, blacked out, hacker finds
> > To: nnsquad () nnsquad org
> >
> >
> >
> > Every LTE call, text, can be intercepted, blacked out, hacker finds
> >
> > http://www.theregister.co.uk/2016/10/23/every_lte_call_text_can_be_intercepted_blacked_out_hacker_finds/
> >
> >         The Third Generation Partnership Project (3GPP) telco body has
> >         known of the hack since at least 2006 when it issued a
> >         document describing Zhang's forced handover attack, and
> >         accepts it as a risk. The 3GPP's SA WG3 working group which
> >         handles security of LTE and other networks proposed in a May
> >         meeting that it would refuse-one-way authentication and drop
> >         encryption downgrade requests from base stations.
> >
> >  - - -
> >
> > --Lauren--
> > Care About Science and Tech? Our Job One: STOP TRUMP:
> > https://vortex.com/stop-trump
> >  - - -
> >
> > Archives  | Modify  Your Subscription | Unsubscribe Now       



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20161024152123:0A79ED88-9A1F-11E6-A290-EE558BDAD992
Powered by Listbox: http://www.listbox.com