Re: SMS protection

[Robin Wood <robin () digininja org>]

On 21 October 2011 18:57, Marcel Tudorache <marceltudorache () yahoo com> wrote:
> Hi,
>
>
> I was wondering how secure is an SMS to be used as authentication/transaction signing means for an application 
> similar with online banking.
>
> To make the analysis more targeted the following assumptions are made:
> - I understand that the new smartphones can get viruses, but I would like to analyse the simple case where we assume 
> that the user does his due dilligence and either does not navigate on the internet or navigates on limited number of 
> trusted websites, so the assumption is that the user does not have an trojan/malware/virus on the smartphone.
> -bluetooth is off
> - Wifi off...
> - the attacker does not have phisycal access to the mobile phone
>
> I think that the SIM card is pretty difficult to be hacked, from my smart card experience(limited), I would assume 
> that before allowing the access to the network of a cloned SIM card the operator might validate some signature of the 
> sim-card (I guess that when the operator issues SIM cards they sign them with their private key... or a similar 
> process).
>
> The question is merely about the intrinsic security of receiving an SMS, and how easy would be for an attacker to 
> read the SMS of somebody else taking into account the above assumptions.
>
> I think it should be pretty secure, what do you think?
>
> Thank you very much,
> Marcel

If you assume that phone is completely infallible then all that is
left is the delivery mechanism, GSM has been broken and demoed at
Defcon a couple of years back:

http://www.darkreading.com/security-services/167801101/security/attacks-breaches/226500010/researcher-intercepts-gsm-cell-phones-during-defcon-demo.html

In this article you have the comment:

"He used the device only to intercept and handle outgoing voice calls
-- which were sent via voice-over-IP -- and not incoming calls nor
data. SMS messaging would require getting caller ID information, which
is difficult to obtain, he said. "

so you can assume that it can be sniffed.

I'd still trust it for now though as this attack isn't wide spread and
you would have to be targeted specifically to get owned through this.

Robin

> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------