Dec 7, 2009

SIM security and GSM security

In the old days the SIM was there to control access to the GSM network. A GSM 11.11 compliant handset would forward an authentication request from the network to the SIM by issuing the RUN_GSM_ALGORITHM command. And that was it. The threat landscape was clear (unauthenticated access to the network) and the security of the solution relied entirely on the security of the SIM.
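To make that exchange concrete, here is an added Python model of the GSM 11.11 flow (example code, not code from this post): the network issues a 16-byte RAND, the handset wraps it in a RUN GSM ALGORITHM APDU (CLA A0, INS 88, P3 10) and fetches the 12-byte SRES||Kc result with GET RESPONSE, and the SIM is the only party on the handset side that holds Ki. The A3/A8 algorithm is a stand-in (HMAC-SHA256 instead of COMP128 or any operator algorithm) and the IMSI and Ki are constructed; the APDU and status-word layout follows GSM 11.11.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# GSM 11.11 command codes (class byte A0 for the GSM application)
CLA_GSM = 0xA0
INS_RUN_GSM_ALGORITHM = 0x88
INS_GET_RESPONSE = 0xC0

# Constructed demo values; a real Ki exists only inside the SIM and in the operator's AuC.
DEMO_IMSI = "001010123456789"
DEMO_KI = bytes.fromhex("00112233445566778899aabbccddeeff")


def a3a8_stand_in(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the operator's A3/A8 (assumption: HMAC-SHA256, not COMP128 or any
    real operator algorithm). Output layout follows GSM 11.11: SRES (4 bytes) then Kc (8)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """Minimal SIM: holds Ki, answers RUN GSM ALGORITHM and GET RESPONSE, rejects the rest."""

    def __init__(self, ki: bytes):
        self._ki = ki          # private: no command ever returns it
        self._pending = b""    # response data waiting to be fetched with GET RESPONSE

    def transmit(self, apdu: bytes) -> Tuple[bytes, int]:
        cla, ins, p1, p2, p3 = apdu[:5]
        if cla != CLA_GSM:
            return b"", 0x6E00  # class not supported
        if ins == INS_RUN_GSM_ALGORITHM:
            rand = apdu[5:5 + p3]
            if p1 != 0 or p2 != 0 or p3 != 16 or len(rand) != 16:
                return b"", 0x6700  # wrong length / parameters
            sres, kc = a3a8_stand_in(self._ki, rand)
            self._pending = sres + kc
            return b"", 0x9F00 | len(self._pending)  # "9F 0C": 12 bytes ready to fetch
        if ins == INS_GET_RESPONSE:
            if not self._pending or p3 != len(self._pending):
                return b"", 0x6700
            data, self._pending = self._pending, b""
            return data, 0x9000
        return b"", 0x6D00  # instruction not supported


class Handset:
    """GSM 11.11 handset role: forwards the network's RAND to the SIM, returns SRES and Kc."""

    def __init__(self, sim: Sim):
        self.sim = sim

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        apdu = bytes([CLA_GSM, INS_RUN_GSM_ALGORITHM, 0x00, 0x00, 0x10]) + rand
        _, sw = self.sim.transmit(apdu)
        if sw >> 8 != 0x9F:
            raise RuntimeError(f"SIM rejected RUN GSM ALGORITHM: SW={sw:04X}")
        get_resp = bytes([CLA_GSM, INS_GET_RESPONSE, 0x00, 0x00, sw & 0xFF])
        data, sw = self.sim.transmit(get_resp)
        if sw != 0x9000:
            raise RuntimeError(f"GET RESPONSE failed: SW={sw:04X}")
        return data[:4], data[4:12]  # SRES, Kc


class Network:
    """Network side: the AuC computes the expected SRES from its own copy of Ki."""

    def __init__(self, subscribers: Dict[str, bytes]):
        self.subscribers = subscribers  # IMSI -> Ki (the AuC's secret table)

    def authenticate(self, imsi: str, handset: Handset,
                     rand: Optional[bytes] = None) -> bool:
        rand = rand or secrets.token_bytes(16)
        expected_sres, _ = a3a8_stand_in(self.subscribers[imsi], rand)
        try:
            sres, _kc = handset.run_gsm_algorithm(rand)
        except RuntimeError:
            return False
        return hmac.compare_digest(sres, expected_sres)


if __name__ == "__main__":
    network = Network({DEMO_IMSI: DEMO_KI})
    print("genuine SIM:", network.authenticate(DEMO_IMSI, Handset(Sim(DEMO_KI))))
    print("other SIM:  ", network.authenticate(DEMO_IMSI, Handset(Sim(bytes(16)))))
```

The handset is a pure relay here: it sees RAND, SRES and Kc but never Ki, which is exactly why the old model could put all of its trust in the SIM and none in the handset software.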

The SIM application toolkit complicates things, however. A GSM 11.14 compliant handset implements a complex protocol which involves polling multiple Java Card applets and passing messages from and to the network and the GUI. If the handset correctly implements this protocol, then SIM applets have a trusted interface to the user during so-called proactive SIM sessions. This means, for example, that an application on the handset (a MIDlet, say) cannot interfere with the GUI during such sessions. (GSM 11.14 doesn't actually say that, but other ETSI standards such as ETSI 102 206 seem to rely on this.)

Some weeks ago a worm targeting jailbroken iPhones was discovered. The iPhone (besides being a lot of other things) is a GSM handset which implements GSM 11.14 at some level. The big question is: is a jailbroken iPhone still a GSM 11.14 compliant handset?

With smartphone operating systems becoming more open (and users demanding control over them) this is getting more interesting. Perhaps a hypervisor-based approach is the solution. In any case, it's not as simple as it used to be.

Nov 18, 2009

Variable Road Pricing

We seem to be getting variable road pricing over here in the Netherlands. Which generates a lot of discussion, of course. The Dutch ministry of transport has a nice high level overview including a diagram with some interfaces of the system:


I haven't made a detailed security analysis of this system, obviously. But couldn't one simply block the incoming GPS signal (say, using a GPS jammer)? Better yet, why not relay the signal from a stationary GPS receiver at home to your on-board unit?

Oct 27, 2009

RSA Conference Europe 2009

I attended RSA Conference Europe 2009 in London the other week, where I gave a presentation on something I blogged about before (combining ePassports and Information Card, a project sponsored by NLnet). My talk was scheduled for the very last slot on the very last day, which means I had plenty of time to go and listen to the other talks. Some of my impressions are below.

I checked out the booths of the conference's sponsors and noticed a relatively large number of authentication factor vendors (G&D, Kobil, smspasscode.com) and of course the big guys (RSA Security, Microsoft, Qualys, CA).

As for the presentations, there were at least 4 different tracks, and all talks had catchy titles. Very difficult to choose from. There were a lot of "securing the cloud" talks. I've heard people claim that 'cloud==deperimeterization'. Others claim that 'cloud==virtualization', and yet others claim that 'cloud==SaaS', and even 'cloud==social networks'. Most of the talks dealt with managing the risks of enterprise cloud computing (sharing resources is risky, you'll need good SLA contracts for that). I especially liked the Collateral Hacking panel session which focused on the risk presented by totally unrelated parties you happen to share services with.

There were a few hacking-presentations. I really enjoyed Björn Brolin and Marcus Murray's Breaking the Windows driver signing model. Great live reversing demo. Bottom line: Running an anti-virus suite with badly engineered (yet Microsoft signed) kernel drivers can actually render your PC less secure from malware.

Speaking of anti-virus software vendors: both McAfee's Anthony Bettini's and Kaspersky Lab's Stefan Tanase's presentations focused on threats from social networks (personalized spam, Twitter-based C&C, targeted attacks based on synchronization between personal and enterprise information). Anthony had the best sound-bites IMHO: 'open-sourcing one's life', 'keep your enemies closer'. Stefan showed a glimpse of crawler-based technology that Kaspersky's R&D team in Romania is working on.

More targeted social network threats came from Brian Honan, who introduced the audience to some of the tools of the trade, notably pipl.com and Maltego. Interestingly, in Ireland anyone can request anyone else's birth certificate (apparently for reasons of genealogical research), and the only thing needed to request a driver's license or passport in Ireland is a birth certificate.

Microsoft's keynote was delivered by Amy Barzdukas. She made some valid points about the perception of privacy and security by the average computer user. The FUD (initially directed at Google: Chrome's auto-completing address bar will send packets to Google, OMG, better stick with IE8) was a little too much for my taste. They're going to make it more difficult to download and install third party software through IE because of the fake virus scanner scams.

The keynote by special agent Mularski of the FBI and Andy Auld of SOCA about the Russian Business Network was so secret that I cannot blog about it. The keynote by Dave Hansen of CA on content-aware extensions of RBAC was pretty interesting and included another secret agent.

Andrew Nash of PayPal gave an insightful presentation on the consumer identity bootstrap problem. After explaining the clever big bang/steady state analogy, he showed just how big the problem is. What's the most important feature an Identity Provider should offer to its users? Right. Anonymity. The other PayPal presentation was by Hadi Nahari, who put forward some requirements (or rather, desirements) for identity in mobile computing. It appears that PayPal is trying to get some of these ideas into the GlobalPlatform specifications.

Ira Winkler went on a one-hour rant over the use of the term information warfare. Funny stuff, except for the one Estonian guy in the audience.