All Articles Tagged exploits

GSM Encryption Cracked: Know Your Risks


The cracking of GSM “encryption” has been making the rounds lately, and this week on the Security Now! Podcast, Steve Gibson takes a look at how badly it’s broken and what the potential risks are. In simple terms, it means what you say on your iPhone — or any GSM phone, which includes all phones on AT&T, T-Mobile, and Rogers, and almost all phones internationally — can be intercepted, decrypted, and listened to by anyone with several thousand dollars’ worth of equipment and the motivation to do it. In more complex terms:

So again, we’re now at the hobby level. We’re at the level where the hobbyist with a couple thousand dollars can – needs to know nothing about radio and even hardware. And even all of the preprocessing steps for demultiplexing the data and analyzing it and performing spectrum analysis and finding the channels and everything, all of that’s been done. There’s even some people have taken – they’re not at the GPL licensing, but they are – so they’re proprietary licenses, but free, but they’re open source and free for personal use, where turnkey packages to pull all this data together have been produced. There’s even one which abstracts this USRP, this Universal Software Radio Peripheral, making it look like a network device so that Wireshark, our favorite packet capture utility, is able to capture GSM packets and decode them and show you all the bits and all the protocols and everything going on in a stream that you capture.

So, I mean, we’re way far along in making this possible. In my opinion, this GSM Alliance is – they’re saying what they have to say politically; but, if they really believe what they’re saying, that they’re in serious denial because this is no longer James Bond government-level sci-fi stuff. It would be entirely possible for a company who wanted to do some surveillance of a competitor to equip a van with some of this equipment, spending only tens of thousands of dollars, park it across the street from a competitor, aim their antennas at the competitor’s building, and spend a day just streaming in, sucking in all of the cellphone traffic that is being transacted by the employees within the building, and then drive the van off and decrypt those conversations offline afterwards and find out what was being said. I mean, it is no longer difficult to do. It’s entirely possible.

It should be noted that the GSMA (GSM Alliance) seems to consider this attack theoretical and impractical for now. If you’re interested in more, check out the audio podcast [MP3 link] or the transcript.

TiPb Presents: iPhone Live! #21 – Google Voiceless

Join Dieter, Chad, and Rene for iPhone 3.1 Beta 3, Google Voice rejection, iTablet and Verizon rumors, Palm/iTunes escalation, SMS exploits, and all the news and how-tos. Listen in!


Infamous Safari Security Cracker Finds Vulnerability-ish in iPhone OS?

Very little code is bullet-proof. Hackers will always find holes. The worst holes will be critical. The worst hacks will be zero-day and found in the wild — catching companies and users both by surprise.

Not sure we have any of that here. Macworld does report that, at the Black Hat Europe Security Conference, former NSA number cruncher Charlie Miller — who has rolled his ability to find exploits in the Mac version of Apple’s Safari Browser into tens of thousands of dollars and a couple free MacBooks at the annual Pwn2Own contest — claims to have:

…found a way to trick the iPhone into running code that enables shellcode. To run shellcode on an iPhone, however, an attacker would first need a working exploit for an iPhone, or a way to target some software vulnerability in, for example, the Safari Web browser or the mobile’s operating system. Miller said he doesn’t have one now.

Miller previously gained attention for a Mobile Safari exploit that made for some quick early jailbreaking and led to Apple patching the problem in firmware 1.0.1.

What’s particularly disturbing, however, is that Miller also says he’s unsure whether or not Apple knows about the potential vulnerability.

He should know that absolutely dead cold, of course. He should have told Apple long before he made the information public, and only made the information public when Apple had a fix rolled out or ignored his warnings for so long that public pressure could reasonably be considered the only option in getting them to roll out a fix.

Either way, Miller should know that Apple knows because he told them first. Or do we no longer warn people in a house when we see a potential fire starting, but wait and see how much attention and cash we can get for the info first?