[cryptography] Must have seemed like a good idea at the time

ianG iang at iang.org
Mon Jul 22 01:48:37 EDT 2013


Also here:

http://www.forbes.com/sites/parmyolson/2013/07/21/sim-cards-have-finally-been-hacked-and-the-flaw-could-affect-millions-of-phones/

On 22/07/13 02:27 AM, James A. Donald wrote:
> On 2013-07-22 9:01 AM, Randall Webmail wrote:
>>
>> [SNIP]
>> To derive a DES OTA key, an attacker starts by sending a binary SMS to
>> a target device. The SIM does not execute the improperly signed OTA
>> command, but does in many cases respond to the attacker with an error
>> code carrying a cryptographic signature, once again sent over binary
>> SMS.


Wait -- using the same signing DES key as that which it uses to accept 
the OTA (over-the-air) java applet???


>> A rainbow table resolves this plaintext-signature tuple to a
>> 56-bit DES key within two minutes on a standard computer.


OK, but how does one acquire the rainbow table?  Does one have to send 
2^64 attempts to the SMS, and does it shut down after the 3rd ... or did 
they forget that part too?

The hint following the links is that it is like this process:
https://srlabs.de/blog/wp-content/uploads/2010/07/Attacking.Phone_.Privacy_Karsten.Nohl_1.pdf
So, yes, you have to mount an approximate 2^64 attack.


>> *Deploying SIM malware.* The cracked DES key enables an attacker to
>> send properly signed binary SMS, which download Java applets onto the
>> SIM. Applets are allowed to send SMS, change voicemail numbers, and
>> query the phone location, among many other predefined functions. These
>> capabilities alone provide plenty of potential for abuse. [SNIP]
>>
>> https://srlabs.de/rooting-sim-cards/
>>
>
> A number of projects have been launched to use cell phones as a money
> device, a smart card.  I am pretty sure if your malware can send sms, it
> can transfer funds.


Talking about the leading system that does money over the phone, yes, as 
far as I know, it's straight SMS-based, and the authentication of the 
source phone is important.


> This not all that fatal, as the money is traceable, but it means that
> the financial institution needs an apparatus to reverse cell phone
> transactions, and that cell phone money is therefore soft on the may scale.

And yes to that too.  The reversal situation is much like CC, in that 
customers phone up, complain, and it is reversed.

Oh, and rumour has it that they are losing hundreds of tx per day (count 
your entries on one finger...).

So they are well capable of dealing with fallout in theory, but the 
practical import might be rather annoying.  I imagine the trick would be 
to get some fake ID, and convert to cash at some random exchange agent.

iang



More information about the cryptography mailing list