A quarter of mobile phones using DES encryption rather than the newer triple-DES for their SIM cards are vulnerable to an attack via SMS that results in a complete takeover of the phone. German security researcher Karsten Nohl, founder of Berlin's Security Research Labs, who previously busted GPRS encryption and cracked …
I guess that's the thing about crypto, it's always going to get broken with time. It's when, not if. 3DES's time will come as well I'm sure.
Curious thing is, this doesn't seem to be an attack against DES at all. It looks like (yet another) gimped protocol implementation. Not cryptography/cipher related at all really.
Makes me wonder:
1) Which brands of phone on which networks are programmed to give up their keys this readily.
2) Why not 3DES? Is it that only old (pre 3DES adoption) handsets do this?
Name & shame please!
No need to name & shame any brands of phone, as the 'target device' in the attack is the SIM card not the phone.
The attack appears to compromise the admin keys of the JavaCard smartcard chip used in the SIM and from there it has access to all data on the SIM card, including any phonebook records, stored SMS messages and encryption keys for your network access or any other application running on the SIM card.
It's unlikely that it will have any access to the phone itself (apart from modifying any SIM Toolkit applications that are presented through the phone interface). But it will have access to the network via the SIM Toolkit and so will be able to send/receive calls/text/data, some of which may cost you money or compromise your privacy.
It looks like an interesting attack, with the potential of being able to clone your SIM card just by sending you a text message and allowing the SIM to open a data channel to dump its contents to a remote server.
> I guess that's the thing about crypto, it's always going to get broken with time. It's when, not if. 3DES's time will come as well I'm sure.
People who understand encryption know this. The ideal encryption system keeps information secret until the end of the value in keeping the information secret. So a message saying we're going to start the attack in 5 minutes, is OK to send out on a system that takes 6 minutes to break.
Sadly most people who use encryption technologies don't know this.
But perhaps in this case it's a weakness that the phone companies like. It provides a built in obsolescence. It encourages users to change their SIM cards regularly. Old SIM cards often operate under older contractual arrangements. By encouraging users to move onto new SIMs they're able to also move customers onto new (read more profitable) Ts&Cs. So for example I have a pile of old SIMs that don't expire if I don't use them or top them up every few months. Bad news for the phone company, coz I don't top them up. Good news for me, since it means I can leave emergency phones in cars, etc... without needing to worry about them expiring.
> By encouraging users to move onto new SIMs they're able to also move customers onto new (read more profitable) Ts&Cs.
When my phone (and SIM card) got obliterated I phoned my provider and they sent me a new SIM card without any need to sign new T&C's or extend the contract and it was free of charge. All they wanted to know was what type of phone the card was going to be put into.
> my provider and they sent me a new SIM card without any need to sign new T&C's or extend the contract
Sure, with a contract phone, now try it with a 5-year-old PAYG SIM, which hasn't been topped up for 3 years.
"Sadly most people who use encryption technologies don't know this."
So that will be about 99.999999...% of all mobile phone users. Shame on them.
> So that will be about 99.999999...% of all mobile phone users. Shame on them.
Except my dig wasn't at the end user, they have no choice in the encryption tech used by their SIM card.
I was having a serious dig at the phone companies (also all smart cards etc... Oyster, Paris Metro..., they all seem to have the same problem, and they do choose the tech but just seem to prefer to have their collective heads stuffed up their respective arses on this issue)
"People who understand encryption know this. The ideal encryption system keeps information secret until the end of the value in keeping the information secret. So a message saying we're going to start the attack in 5 minutes, is OK to send out on a system that takes 6 minutes to break.
Sadly most people who use encryption technologies don't know this"
Indefinite security needs much longer keys.
BTW have you noticed the epidemic of downvotes for saying that DES was f**ked since the EFF cracker in 1998?
> Indefinite security needs much longer keys.
Personally I think it is a mistake to ever think in terms of indefinite security. Who knows what tomorrow brings?
But at the least any encryption system should be viewed in light of Moore's law. Next year's computer will be twice as fast and half the cost and the decrypt function should be assumed to get twice as good. This gives you a starting point for planned obsolescence.
The problem with increasing the key length is that it takes longer to process and probably more expensive.
If you're planning something like an automated ticket system, you need to take this into account. You need to plan to use more powerful cards as they become available, you need to upgrade the ticket machines regularly. You need to make sure that the tickets do expire and can be replaced by newer ones capable of using longer keys. In short you need to plan for the future.
You can't just view it as an install once, problem solved issue.
"an Oracle product"
What a surprise. Not. Anyone who still buys their crappy and insecure boat anchors, OS, Databases or builds anything on Java should be fired...
I'm surprised that single DES was still considered acceptable recently enough to be in cards like this - IS2R that 3DES was being advanced in the late 1990s as a result of single DES being considered vulnerable (although, IIRC, that was mainly because the key length was too short).
Correct. In 1999 the use of single DES was deprecated (restricted to legacy systems only) by the US (FIPS 46-3). Single DES is not trivial to break (if correctly implemented) but its 56-bit key is well within the range of brute force using arrays of custom chips.
Back in the sad, and portent-laden fading days of the Republic (the "Bubble in Time"), the following went to the printers:
by the Electronic Frontier Foundation.
Statements of note:
We noticed an increasing number of situations in which highly talented and respected people from the U.S. Government were making statements about how long it takes to crack DES. In all cases, these statements were at odds with our own estimates and those of the cryptographic research community. A less polite way to say it is that these government officials were lying, incompetent, or both. They were stating that cracking DES is much more expensive and time-consuming than we believed it to be. A very credible research paper had predicted that a machine could be built for $1.5 million, including development costs, that would crack DES in 3-1/2 hours. Yet we were hearing estimates of thousands of computers and weeks to years to crack a single message.
On Thursday, June 26, 1997 the U.S. House of Representatives' Committee on International Relations heard closed, classified testimony on encryption policy issues. The Committee was considering a bill to eliminate export controls on cryptography. After hearing this testimony, the Committee gutted the bill and inserted a substitute intended to have the opposite effect. A month later, a censored transcript of the hearing was provided; see http://jya.com/hir-hear.htm. Here are excerpts:
Statement of Louis J. Freeh, Director, Federal Bureau of Investigation
". . . And we do not have the computers, we do not have the technology to get either real-time access to that information or any kind of timely access. If we hooked together thousands of computers and worked together over 4 months we might, as was recently demonstrated decrypt one message bit. That is not going to make a difference in a kidnapping case, it is not going to make a difference in a national security case. We don't have the technology or the brute force capability to get to this information."
"Single DES is not trivial to break (if correctly implemented) but its 56-bit key is well within the range of brute force using arrays of custom chips."
Cracking 56 bit DES became quite popular when it was used by some digital satellite TV broadcasters.
Yup. The EFF project was 15 years ago. That should have put the red line through new uses.
How many mobile phones are still running from 1997?
Phone operators. Their networks protect your privacy.
Except when they are too cheap, or THE PATRIOT Act tells them to copy all metadata over to the govt.
Does anyone know which phones are only using single DES, and how to tell if yours is vulnerable?
Also, I would have thought it was the SIM provider (ie: the network operator) who determined the encryption mode of the SIM - or at least set the options available for the phone to choose from - and therefore to fix the problem by disabling or limiting use of single DES...
According to the article in the NYT*, "... [Nohl] added that consumers using SIM cards more than three years old should get new cards from their carriers." Elsewhere on the web** he is quoted as saying "Different shipments of SIM cards either have [the bug] or not," Nohl told Forbes. "It's very random," he said.
So, it seems that there is no way you can tell about any particular card :-(
**http://securitywatch.pcmag.com/mobile-security/313914-encryption-bug-in-sim-card-can-be-used-to-hack-millions-of-phones (quoted from the Forbes article, but I can't get into it)
It's not the phone it's the SIM. The SIM handles the crypto and runs Java. The phone is hardly involved, it powers the SIM and relays the messages.
It should have been game over for all new DES applications from then on.
BTW AFAIK no one has done a proper crypto analysis of 3DES. It is believed it is very much more secure, but I'm not sure that's been proved, so the theory that it's like the equivalent of 168 bit key encryption remains a theory IOW there could be keys or settings that knock down that to a much smaller key space.
This is another epic fail for cheap ass GSM vendors and operators and their ongoing security-by-obscurity.
Actually very valid point. ROT-13 is simple to crack, so is double-ROT-13 twice as hard? No, it becomes cleartext again. Dramatic example of course, but that's corner cases for you. Or similarly, a Caesar cypher gets no stronger by repeating it, so 3Caesar (if you get my drift) is exactly as secure as 1Caesar. If 3DES hasn't been fully analysed (I'm surprised to learn this BTW), it genuinely may not be as secure as initial assumptions would suggest.
Yes, there's been a great deal of study of 3DES. Easy to find if you try. Properly implemented with 3 unrelated keys it's still considered a very good cipher providing ~112 bits of security. Not insignificant as a demonstration of cascading too.
Obviously new designs should consider something more efficient and modern, offering a better margin: Serpent, Rijndael, Camellia, etc.
The eCrypt annual report is an excellent way to keep up to date on the current state of things. http://www.ecrypt.eu.org/
So name any cipher which has been proved to be secure.
And just FYI, 3DES has an effective key length of 112 bits, not 168.
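Why the thread's figure for 3DES is 112 bits and not 168, as an added example that is not part of any comment above: a meet-in-the-middle search shows that chaining two encryptions under independent keys costs about twice one key's search, not the product of both, and the same accounting leaves three-key 3DES at roughly 2^112 work. The 12-bit toy Feistel cipher, the demo keys and all function names are constructed for illustration; this is not DES.

```python
"""Meet-in-the-middle key search against double encryption with a toy cipher."""
ROUNDS, KEY_BITS = 4, 12          # toy sizes so the demo finishes instantly


def _f(half, key, rnd):
    # Toy round function (not DES): mixes a 16-bit half-block with the key.
    x = (half ^ (key * 0x9E5 + rnd * 0x1B3)) & 0xFFFF
    x = (x * 0x2545 + 0x3039) & 0xFFFF
    return x ^ (x >> 7)


def encrypt(block, key):
    l, r = block >> 16, block & 0xFFFF
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 16) | r


def decrypt(block, key):
    l, r = block >> 16, block & 0xFFFF
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 16) | r


def double_encrypt(block, k1, k2):
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Return (key pairs consistent with all known pairs, cipher operations used)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    ops, table = 0, {}
    for k1 in range(1 << KEY_BITS):           # forward half: E(k1, p0)
        table.setdefault(encrypt(p0, k1), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):           # backward half: D(k2, c0)
        mid = decrypt(c0, k2)
        ops += 1
        for k1 in table.get(mid, ()):         # middle values meet: check the rest
            ops += 2 * len(rest)
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops


# Constructed demo data: two independent 12-bit keys and two known plaintexts.
SECRET = (0xA5C, 0x3E1)
PAIRS = [(p, double_encrypt(p, *SECRET)) for p in (0x01234567, 0x89ABCDEF)]

if __name__ == "__main__":
    keys, ops = meet_in_the_middle(PAIRS)
    print("recovered:", [(hex(a), hex(b)) for a, b in keys])
    print("cipher operations:", ops, "versus exhaustive", 1 << (2 * KEY_BITS))
```

The price of the shortcut is the lookup table: one entry per first-stage key, which for real DES means on the order of 2^56 stored values.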
So I get double the security from 3 times the key length provided I implement the key generation process correctly.
Now where could this process possibly go wrong?
I get that if you've got systems in the field that are impossible to upgrade, or you simply must have compatibility with stuff that might have been installed up to 36 years ago then you may have no choice.
But for the rest of us in 2013?
BTW foundry processes are around 1200x faster (the EFF cracker ran at 20MHz) and gate densities can hit 21k gates a cm^2. And of course storage has gotten much cheaper, so once you've captured it you can keep returning it till it cracks.
Indeed, anyone using DES after Deep Crack is an idiot. I also agree that 3DES is probably broken as well, after all it is only 3 chained DES engines, and there is probably a shortcut to cracking that by our favourite 3-letter agencies...
"So I get double the security from 3 times the key length provided I implement the key generation process correctly."
No. Ideally 1 extra bit key length gives you double the security. If you do it right you get pretty close to that.
"sending a text message that spoofs the phone's operator"
Does "operator" refer to the mobile network or the phone user?
Mobile operator. Normal users are not meant to send this kind of messages.
That makes it a conflict of interest then. The people who could advise you to update your SIM (or just provide one) are the people who potentially gain the most from you not upgrading.
I had to read both the NYT and Forbes articles to understand what it is all about.
Even though plain DES should not be used, I think it is a protocol failure: the articles did not mention brute force attacks, but malformed OTA messages. Besides SIM manufacturers (Gemalto, G&D and friends) I'd blame mobile operators' cheapness: saving a few pennies on each SIM card goes a long way when you are rolling out millions of them, so they choose old models with very limited memory and obsolete operating systems and crypto processors.
There are two big security fails here:
- first, sending the encrypted keys to the SIM as a response to a malformed message (probably the so-called "Issuer Security Domain keys"). Maybe some debugging mode that should have been deactivated?
- second, breaking the 'sandbox' mode, which I am not sure whether it is a failure of the JavaCard virtual machine implementation or of the underlying SIM operating system, which must implement a security architecture based on "Security Domains" that prevent applications accessing each others' data. Without this second failure, getting access to the SIM would have enabled attackers to delete all existing applications in the SIM and install new ones, but not access their data or keys.
Finally, there is no "security through obscurity" here. All specifications are publicly available, see ETSI, 3GPP or GlobalPlatform.
"Finally, there is no "security through obscurity" here. All specifications are publicly available, see ETSI, 3GPP or GlobalPlatform."
Yes and no.
The standards are freely available.
Yes and no again. Some standards are but some parts are only available to network operators. Those have already been reverse engineered.
Now are you saying people asked that DES be used, given the first announced hardware cracker was built in 1998?
I don't think so.
More likely the operators didn't think anyone would notice what they were using because it's an obscure part of the system subscribers never worry about.
There are several variations on the details of a security-by-obscurity policy.
What they all have in common is that they are dumb.
If someone invented a perfect encryption, then governments will circumvent it.
For law enforcement reasons, you have no privacy. I have no problem with this.
And like I said a million times, I do.
"For law enforcement reasons, you have no privacy. I have no problem with this."
Says the Anonymous Coward.
It's easy to spot this A/C he's the new boy that's appeared around here, mainly defending the NSA and calling Snowden a traitor....
Let's point something out here:
"For law enforcement reasons,"
The Police et al are there to uphold the law as written, not to use and abuse it. If you have committed no crime, then the Police and co have no reason to investigate you or harvest your details.
Liberty and Amnesty must be loving this to be finally happening in the "civilised" world and us finally waking up to what's been going on everywhere else for decades.
"It's easy to spot this A/C he's the new boy that's appeared around here, mainly defending the NSA and calling Snowden a traitor...."
Oh yes. The one called borntowin ?
Titus and Matt are not so backward about coming forward.
... People who have no problem with being spied on by law enforcement agencies are obviously ultra-right wing and need to be locked-up for our safety.
And why post as Anonymous Coward, if they have nothing to fear!!!
I cannot get over how there's people that don't have a problem with this.
Imagine having a government dude sitting in your bedroom listening and watching all that you do there in the name of wider security, some perceived threat, because, hey, if you have nothing to hide you don't have to worry about anything right?
But if you refuse to allow them in then you're hiding something.
Don't there have to be limits to what is allowed? Where do you draw the line?
Some seem to think that allowing the government to snoop on bytes that you produce is okay, well I don't agree with them.
...or the other thought-provoking response to "I have nothing to hide"... "do you have curtains?" :)
I notice, in another article today, that only 1% of java implementations are up to date. Not that it matters much as there has been yet another 0-day disclosed today. One does wonder what version(s) of java sim cards run on and how it is proposed to keep them current.
One could also speculate whether there might be resistance from our Lords and Masters if any attempt is made to improve sims' security.
I don't think JavaCard VMs are upgradeable once in the field... we are talking about smart cards here, where most code is in ROM.
I guess the SIM issuers (i.e. mobile operators) are the party most interested in not having this vulnerability.
Just put a filter on the exchanges, job's a good'un. Owait, femtocells.
My thoughts exactly, why would the real operator allow network control messages from 3rd parties....?
The traffic has to go through their systems regardless of how the phone is connected to the network, OTA or femtocell.
This is very old crypto news about the DES system.
It was cracked I think 1999 read
So if they are still using old tech then it's the companies' fault they are cheap. The banks have been doing it for years with chip & pin. Remember CHIP & PIN is also broken people.
When will the public demand that businesses use the latest tech that is secure so far proven.
SO THIS IS NOT NEW NEWS YOU ALL NEED TO WALK UP!
"SO THIS IS NOT NEW NEWS YOU ALL NEED TO WALK UP!"
I do "walk up", I do about 5 miles before breakfast and about 5 miles throughout the day as I don't trust lifts and escalators!
"the ITU is planning an advisory to all mobile phone operators"
And they'll do what? Push out a firmware update, send everyone a new SIM or try and sell you a new phone?
It shouldn't be that hard. The operators could filter out the text messages before they send it to the devices. A kind of virus checking for SMS...
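The operator-side filter suggested above, sketched as an added example that is not part of any comment in the thread: it parses an SMS-DELIVER TPDU and drops SIM-addressed OTA messages unless they entered through the operator's own OTA platform. The protocol identifier 0x7F and the 0x70-0x7F header elements are the 3GPP TS 23.040 values for (U)SIM data download and (U)SIM Toolkit security headers; the sample PDUs, the ingress label and the function names are constructed assumptions.

```python
# Constructed SMS-DELIVER TPDUs (hex, no SMSC prefix). All values are sample data.
OA = "0B911032547698F0"        # originating address: 11 made-up digits
SCTS = "31701200000000"        # 7-octet service-centre timestamp
SAMPLE_TEXT = "04" + OA + "0000" + SCTS + "05" + "E8329BFD06"          # "hello"
SAMPLE_OTA = "44" + OA + "7FF6" + SCTS + "08" + "027000" + "0011223344"

PID_SIM_DATA_DOWNLOAD = 0x7F           # TP-PID "(U)SIM data download"
IEI_SIM_TOOLKIT = range(0x70, 0x80)    # UDH "(U)SIM Toolkit security headers"
TRUSTED_INGRESS = "operator-ota-platform"   # hypothetical label set by the SMSC


def parse_deliver(hex_pdu):
    """Extract TP-PID, TP-DCS and the user-data-header element identifiers."""
    b = bytes.fromhex(hex_pdu)
    if b[0] & 0x03:
        raise ValueError("not an SMS-DELIVER TPDU")
    pos = 3 + (b[1] + 1) // 2          # skip first octet, OA length, type, digits
    pid, dcs = b[pos], b[pos + 1]
    ud = b[pos + 2 + 7 + 1:]           # skip PID, DCS, timestamp and TP-UDL
    ieis = []
    if b[0] & 0x40 and ud:             # TP-UDHI: user data starts with a header
        hdr, i = ud[1:1 + ud[0]], 0
        while i + 2 <= len(hdr):       # walk (identifier, length, data) elements
            ieis.append(hdr[i])
            i += 2 + hdr[i + 1]
    return {"pid": pid, "dcs": dcs, "ieis": ieis}


def is_sim_ota(msg):
    """True when the message is addressed to the SIM rather than the user."""
    return (msg["pid"] == PID_SIM_DATA_DOWNLOAD
            or any(i in IEI_SIM_TOOLKIT for i in msg["ieis"]))


def smsc_decision(hex_pdu, ingress):
    """Return 'deliver' or 'drop'; malformed input fails closed."""
    try:
        msg = parse_deliver(hex_pdu)
    except (ValueError, IndexError):
        return "drop"
    if is_sim_ota(msg) and ingress != TRUSTED_INGRESS:
        return "drop"
    return "deliver"


if __name__ == "__main__":
    for name, pdu in (("text", SAMPLE_TEXT), ("ota", SAMPLE_OTA)):
        print(name, smsc_decision(pdu, "interconnect"))
```

A filter like this only covers traffic that crosses the operator's message centre, which is the gap the femtocell remark earlier in the thread points at.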
... send in the Blue Helmets
I think Oracle is trying to replace Adobe as the go-to product for malicious entry vectors. And they're doing it in markets Adobe couldn't even come close to reaching.
Real strong push, very impressive.