Interesting People mailing list archives
Re Every LTE call, text, can be intercepted, blacked out, hacker finds
From: "Dave Farber" <farber () gmail com>
Date: Mon, 24 Oct 2016 15:21:14 -0400
Begin forwarded message:
From: Thomas Leavitt <thomas () thomasleavitt org>
Date: October 24, 2016 at 2:38:13 PM EDT
To: Dave Farber <dave () farber net>
Subject: Re: [IP] Every LTE call, text, can be intercepted, blacked out, hacker finds

Dave,

This comment in response to the article seems cogent. I don't have the background to evaluate accuracy, but it seems legit?

Thomas

Clarification on LTE call/SMS interception (not!)

When they say the attack allows intercepting calls and SMS: this is only happening when the device is on 2G, not on LTE. It is still NOT possible to do the interception on LTE itself, so the attack switches the device to 2G, which is insecure.

To give the history here: 2G has no mutual authentication. So a rogue 2G base station can do MITM and intercept calls and traffic. 2G as deployed often has weak crypto too (there's a fix, but not always deployed). So 2G has poor security, and tends not to be upgraded for cost reasons. But several operators are going to turn 2G off (or already have, in SK and Japan). Getting rid of 2G is the best solution here. But in Europe we'll have to be patient...

About LTE now. The initial messages between a device (UE) and base station (eNB) are not encrypted. Pretty normal there; one needs to establish a context. The redirection the attack is using happens in this non-encrypted phase, so it can redirect the UE to a fake (no service) or 2G (MITM) base station. There's a trade-off here: for overload management, a fast redirection is better. For security, waiting until after authentication will be better (but would load the chosen cell). Pick your poison...

In practice, with pure LTE, the redirection attack is a form of DoS. And anybody who knows radio knows that jamming is easy anyway. Instead of faking an eNB, just jam the channel and kill all LTE on the given frequency. So preferring load robustness in this context is a reasonable trade-off. It's just a poor fit with networks still using legacy 2G with crappy security, unfortunately.

So let's get rid of 2G fast, please.

On Mon, Oct 24, 2016 at 1:08 AM, Dave Farber <dave () farber net> wrote:

---------- Forwarded message ----------
From: Lauren Weinstein <lauren () vortex com>
Date: Sunday, October 23, 2016
Subject: [ NNSquad ] Every LTE call, text, can be intercepted, blacked out, hacker finds
To: nnsquad () nnsquad org

Every LTE call, text, can be intercepted, blacked out, hacker finds
http://www.theregister.co.uk/2016/10/23/every_lte_call_text_can_be_intercepted_blacked_out_hacker_finds/

The Third Generation Partnership Project (3GPP) telco body has known of the hack since at least 2006 when it issued a document describing Zhang's forced handover attack, and accepts it as a risk. The 3GPP's SA WG3 working group which handles security of LTE and other networks proposed in a May meeting that it would refuse one-way authentication and drop encryption downgrade requests from base stations.

- - -
--Lauren--
Care About Science and Tech? Our Job One: STOP TRUMP: https://vortex.com/stop-trump
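The trade-off the forwarded comment describes, a redirect that arrives in the unprotected pre-authentication phase and can only be a DoS on pure LTE but becomes a MITM once a 2G network exists to land on, worked through as a small Python model. This is an added example, not code from the thread, from 3GPP or from any UE or eNB vendor. Message names loosely follow LTE RRC (SecurityModeCommand, RRCConnectionRelease carrying redirectedCarrierInfo), but the two UE policies ("fast" follows any redirect, "strict" follows only integrity-protected ones), the attacker and genuine message sequences, and the field layout are this example's own constructed simplifications.

```python
"""Toy model of the LTE-to-2G redirection downgrade discussed in the thread.

Added example, not code from the thread, from 3GPP or from any vendor.
Message names loosely follow LTE RRC; the policies, the message sequences
and the field layout are constructed simplifications for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class Rat(Enum):
    LTE = auto()
    GERAN = auto()  # 2G: no mutual authentication, often weak or no ciphering


@dataclass
class RrcMessage:
    kind: str                          # "SecurityModeCommand" or "ConnectionRelease"
    redirect_to: Optional[Rat] = None  # redirectedCarrierInfo, simplified to a RAT
    integrity_protected: bool = False  # only possible once AS security is active


@dataclass
class Ue:
    """Minimal UE RRC state for this model (hypothetical, not a real stack)."""
    policy: str                      # "fast": follow any redirect; "strict": only protected ones
    rat: Rat = Rat.LTE
    security_active: bool = False
    log: List[str] = field(default_factory=list)

    def handle(self, msg: RrcMessage) -> None:
        if msg.kind == "SecurityModeCommand":
            self.security_active = True
            self.log.append("AS security activated")
            return
        if msg.kind == "ConnectionRelease":
            # Either way the LTE connection is gone; the question is where the UE goes next.
            self.security_active = False
            if msg.redirect_to is None:
                self.log.append("released, staying on LTE")
                self.rat = Rat.LTE
            elif self.policy == "strict" and not msg.integrity_protected:
                # Hardened behaviour: an unprotected redirect cannot be
                # authenticated, so treat it as a plain release. Worst case
                # is loss of service on this cell (DoS), not a downgrade.
                self.log.append(f"ignored unprotected redirect to {msg.redirect_to.name}")
                self.rat = Rat.LTE
            else:
                self.log.append(f"redirected to {msg.redirect_to.name}")
                self.rat = msg.redirect_to
            return
        self.log.append(f"unknown message {msg.kind!r} ignored")


def rogue_enb_messages() -> List[RrcMessage]:
    """Constructed attacker sequence: a rogue eNB cannot authenticate to the
    UE, so it never reaches the security procedure and everything it sends
    is unprotected. It releases the connection with a redirect to 2G."""
    return [RrcMessage("ConnectionRelease", redirect_to=Rat.GERAN)]


def genuine_enb_messages() -> List[RrcMessage]:
    """Constructed genuine sequence: security is activated first, so a later
    redirect (e.g. for load reasons) is integrity protected."""
    return [
        RrcMessage("SecurityModeCommand", integrity_protected=True),
        RrcMessage("ConnectionRelease", redirect_to=Rat.GERAN, integrity_protected=True),
    ]


def run(policy: str, messages: List[RrcMessage]) -> Ue:
    ue = Ue(policy=policy)
    for m in messages:
        ue.handle(m)
    return ue


def exposure(ue: Ue) -> str:
    """What an attacker can do to the UE after the exchange."""
    return "interceptable on 2G" if ue.rat is Rat.GERAN else "denial of service only"


if __name__ == "__main__":
    for policy in ("fast", "strict"):
        for name, msgs in (("rogue eNB", rogue_enb_messages()),
                           ("genuine eNB", genuine_enb_messages())):
            ue = run(policy, msgs)
            print(f"{policy:6} {name:12} -> {ue.rat.name:5} ({exposure(ue)}); {ue.log}")
```

Running it shows the point of the comment: under the "fast" policy the rogue eNB's unprotected release lands the UE on 2G, where a rogue 2G base station can intercept; under the "strict" policy the same message only costs the UE its LTE connection, which an attacker could equally achieve by jamming. The genuine, security-protected redirect is followed under both policies, so the hardening does not break legitimate load management, but it does assume the network waits for security activation before redirecting, which is exactly the cell-load cost the comment mentions.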