100% Secure? Oh yeah, like the MoD's use of PTAS? That's funny!!! Or, in
the civilian arena, GSM's A5/x and GPRS? Really! You'd think a member of
this forum would have more sense than to use a term like '100% secure'
*lick* As for jamming, *everything* can be jammed. TETRA is actually quite
resilient in that regard due to its much broader allocation.
I've heard a lot of conflicting reports about scrapping the proposal (and,
frankly, it would be best all-round if they did) but if it HAS been scrapped
then it's about time someone informed the Secretary of State for the Home
Department as, if I'm not wrong, he still seems to be pressing mmo2
over planning permissions for around 800 of the unresolved mast sites.
SRC: CH.COMMS/Questions [114598], [114597], [198273] and [198275]

The fact remains that despite very bold statements from the vendors and
previous independent reviews from defence contractors, PTAS, GSM's A5/x,
GPRS and *many others* still continue to have security flaws. Some of
these I understand; many have been (or can be) demonstrated but go way
over my head.
I don't wish to air the MoD's dirty laundry in public, and I'm sure a public
discussion of PTAS or the PSRCS flaws is probably a bad idea, but certainly
GSM's analysis of 'security' is based on nobody putting together their own
portable cell tower, faith in poor algos, and the relatively low *reported*
incidence of air cloning.
Twice at cons I've talked to people with bag-towers that air-snarf GSM.
Indeed, I have a friend in ***oops*** who, until very recently I believe,
was using the GSM/GPRS equivalent of an old analogue snarfer.
My interests don't lie in that direction, although I believe it's a standard MITM
challenge/reply attack that can pin down a GSM (Ded. Ki) in less than 500ms
just on the SRES in A5/1, A5/2 and A5/3. Certainly I've seen it in operation
effortlessly cranking out a cloned SIM in under 30 seconds and, surprisingly,
it doesn't rely on weak challenges (as I first thought when he mentioned
weak reception areas - y'know, a pure surrogate approach). Apparently he
only uses weak signal areas in order to limit the chances the weaker cellphone
will get out to a legitimate tower and cause a collide report, and so that his stronger
signalling equipment is the only one identified by the legitimate apparatus (and
I guess it helps being the best signal on offer to the target cell).
I believe there IS a multiple-weak-challenge approach too.
He was also running interceptions with the same MITM unit using a technique to
play down the abilities of the target phone to allow casual eavesdropping. He's
former SigInt and can more than hold his own on GPRS(G1/G2) too *wink*
My point is that even with GPRS vulnerabilities, that didn't stop the technology
from being proposed (and accepted) as a contending solution for the sensitive
PSRCS. Okay, they settled on mmo2/BTQs, but by purely logistical reasoning.
I probably explained all that rather badly; as I said, it isn't my area. If you do
have any doubts or questions I'll get him on here to talk to ya, prolly easier : )
aaanyways, I got out of all of that business back in the analogue days when it
was an easy score with my little 4800AX. Encryption never was my thing, just
ain't got the head for it I guess.
SG
If anyone thinks I'm a bad bad gurlie and wants to report me to British Telecom's
Cellular Fraud Investigation Department in Milton Keynes then please feel free.
Ask to talk to Nick Harwood if he's still there, he's real nice - if you need the
number, the operator or BTInterVue should have it; if not, just PM me : )
Any comments made here are my own and I take sole responsibility for them.
They do not reflect the views of GSO, its members, its owner(s) or their hosting
company. If this post is deemed offensive, inciteful or in any way damaging
simply ask nicely and I'm sure the site admin will remove it.