October 2013

Edward Snowden Revelations on 4G

Edward Snowden Revelations on 4G

More evidence has crept out from the mass of government information revealed by whistle-blower, Edward Snowden, on the National Security Agency (NSA) PRISM program. In the latest papers - revealed to the Guardian Newspaper, the New York Times and ProPublica - it is shown that the NSA has a $255 million per year program against the defences offered by encryption products used for PCs and mobile phones on the internet. Apparently, 4G phones are a particular target of this research. This newly revealed program dwarfs the $20m PRISM program which collects data directly by demands to the appropriate internet companies such as Google.

According to reports obtained from the Guardian, these papers reveal:

  • The 10 year old program made a cryptographic breakthrough in 2010 which has caused data tapped from internet cables to be newly exploitable. The UK GCHQ has also been revealed to have a similar interception program, which has been called Operation Tempora.
  • The program works to influence cryptographically related standards (NIST has been cited).

This is a technically correct way of saying; don't bother with the front door because it is too strong. But as with all security there is no such thing as perfection and conceptually anything can be broken if you have enough time and resources. The better cryptographic algorithms behind SSL, if correctly implemented, will withstand an attack by any known computer resources and will not be routinely broken by any organisation, governments included.

However, and here comes the big 'but', these protocols must be correctly implemented and used. It is no good using the best cryptography if you allow the protocol to default to no cryptography or a chosen weak algorithm, as can be done when establishing an SSL session. It actually gets worse than this, from personal experience I have regularly encountered SSL gateways where the server has been left in default password mode. Who needs to break the cryptography if you can just break into the computer? It goes without saying that if you can get the keys then the cryptographic algorithm is irrelevant. The basis of all modern cryptography is that the security is dependent on the key and that the algorithm is assumed to be public knowledge.

The other concept, that is vital when looking at internet security, is to understand the required security service drawn from confidentiality, integrity and availability. In the payments world, for example, the core requirement is integrity and authentication. The bank needs to be assured that the correct payment instructions are actually from their authentic user and are of course authorised. The most popular way of achieving this today is to use digital signatures. This is not the prime interest of governments who receive all the necessary reporting from the FIs, who are appropriately regulated. In fact, it is the opposite as no government would want major electronic payment systems to be compromised because that would destabilise the economy. I would suggest that if they were aware of any such failing in the security used by electronic payment schemes that they are more likely to make such knowledge available to the operators.

The papers obtained from Snowden and revealed by the Guardian also suggest that there is a core focus of the programs on mobile phones. The 4G phones were mentioned in particular as if the cryptography is deeply flawed. The reality is far more likely to be around the security of the smart mobile phones and not the particular algorithms. Although there have been some weaknesses identified, this is unlikely to be the major problem.

In July, the US Department of Homeland Security warned police officers, fire fighters, emergency medical services and security personnel about the security issues in earlier versions of the Android operating system, subsequently patched by Google. One example cites the possibility of making secret charges to a user's phone bill due to unauthorised premium text messages. This was the primary attack of early Android malware that was loaded down from the internet from non-authorised sites. However, in early July the security research firm BlueBox discovered a way to make changes to an applications code without affecting the signature used to protect the phone from installing unapproved applications. Apparently, hackers have now exploited this vulnerability to install malware called Android Skullkey which steals data from the phone, monitors SMS messages and sends premium SMS messages at a cost to the user.

The activities of the NSA and GCHQ may be of concern to some, but really the problem is not to do with the cryptographic algorithms but the surrounding platforms and their implementation - including key management.

The greater concern is that many modern mobile phone platforms do not offer adequate security and that the industry is moving rather slowly to address these concerns.

Dr David Everett, SCN Technical Researcher.





Whitepapers

21/09/2018 Headlines

Equifax IT Staff had to Rerun Hackers' database queries to work out what was nicked - audit

Equifax was so unsure how much data had been stolen during its 2017 mega-hack that its IT staff spent weeks rerunning the hackers' database queries on a test sy.....Read More

CCTV Vulnerability Could Allow Cyber Criminals to Hack Video Surveillance Recordings

A glitch affecting thousands of CCTV surveillance cameras could allow cyber criminals to view and tamper with video recordings remotely, experts have warned. Read More

Why Cybercrime Remains Impossible to Eradicate

Running cybercrime schemes remains inexpensive and accessible to anyone with criminal intent: To send spam emails, admitted botnet herder Peter Levashov quoted .....Read More

Malta Stakes New Claim on Crypto Leadership with Delta Summit

Malta, which has gained a reputation as a "blockchain island" on account of its positive attitude to digital assets and distributed ledger technologies (DLT), w.....Read More

Synthetic Identity Fraud: Exposing the Modern-day Frankenstein Monster

Fraudsters have found a new, innovative way to steal money. As data breaches proliferate, countless stolen identity credentials and other critical information a.....Read More

The Only Thing Rising in Today's Crypto Markets is Lawsuits

According to a report by legal analytics platform Lex Machina, 2018 saw a significant rise in litigation regarding securities and digital currencies. The 2018 S.....Read More


Video Interviews

Tim Jones talks on the wealth of networks

Christophe Dolique of Gemplus talks about ·SIM

Dominique Brule of Philips Semiconductors talks about Near Field Communication