
[The Intercept] The Great SIM Heist

Industry news items concerning VPNs, darknets, crypto, surveillance and secure computing.

Topic Author
parityboy
Site Admin
Posts: 1220
Joined: Wed Feb 05, 2014 3:47 am

[The Intercept] The Great SIM Heist

Postby parityboy » Mon Mar 02, 2015 8:28 pm

AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”


Source


Topic Author
parityboy
Site Admin
Posts: 1220
Joined: Wed Feb 05, 2014 3:47 am

Re: [The Intercept] The Great SIM Heist

Postby parityboy » Mon Mar 02, 2015 8:42 pm

@thread

So let me get a handle on this. Assuming the SIM keys are compromised for a given GPRS, EDGE or HSDPA data connection (and we must assume that from now on they will continue to be compromised even with new keys issued - mobile carrier networks are now permanently "hostile"), would SSL and TLS key exchange mechanisms (including HTTPS and OpenVPN) be compromised along with it and vulnerable to a MitM attack, or would that layer have to be attacked separately?
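The layering behind this question, as an added Python example that is not from the thread or from The Intercept: a stolen SIM secret Ki lets an eavesdropper on the air interface derive the GSM/GPRS link key Kc and strip the link-layer encryption, but a TLS-style handshake carried inside that link negotiates its own ephemeral key, which the link key never touches. Turning a passive decrypt into a MitM of the inner layer means attacking that layer separately, and transcript authentication (the server certificate in real TLS) is what rejects a substituted key share. Everything here is a constructed model: HMAC-SHA256 stands in for A3/A8, a hash-based stream cipher for A5/GEA and for the TLS record cipher, a toy Diffie-Hellman group for the real key exchange, and an HMAC under a pre-shared `server_auth_key` for the certificate signature; all names and parameters are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# --- Layer 1: the cellular link (constructed toy modelled on GSM/GPRS) ------------
# The network sends a RAND challenge in the clear; SIM and network both derive the
# link key Kc from the SIM secret Ki.  Real networks use A3/A8 (COMP128, MILENAGE);
# HMAC-SHA256 is a constructed stand-in with the same inputs and outputs.
def derive_kc(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, rand, hashlib.sha256).digest()[:16]

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Hash-based stream cipher standing in for A5/GEA (link layer) and for the
    TLS record cipher (inner layer).  Encryption and decryption are the same op."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# --- Layer 2: a TLS-style ephemeral DH handshake carried inside the link ---------
# Toy group (Mersenne prime 2^127-1, generator 3): readable, not a production parameter.
P = 2**127 - 1
G = 3

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def ser(x: int) -> bytes:
    return x.to_bytes(16, "big")   # every group element fits in 16 bytes

def session_key(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(ser(pow(peer_pub, priv, P))).digest()

def auth_tag(server_auth_key: bytes, a_pub: int, b_pub: int) -> bytes:
    # Stands in for the server certificate's signature over the handshake transcript.
    return hmac.new(server_auth_key, ser(a_pub) + ser(b_pub), hashlib.sha256).digest()

def run_scenario(attacker_has_ki: bool, attacker_active: bool) -> dict:
    ki = secrets.token_bytes(16)               # SIM secret (the kind of key the article says was stolen)
    server_auth_key = secrets.token_bytes(32)  # trust anchor the client already holds, like a CA-signed cert
    rand, nonce = secrets.token_bytes(16), secrets.token_bytes(8)
    message = b"GET /account HTTP/1.1"         # constructed application data

    kc = derive_kc(ki, rand)                   # phone's and network's link key
    kc_attacker = derive_kc(ki, rand) if attacker_has_ki else None

    # Client -> server: DH share A over the encrypted link.
    a_priv, a_pub = dh_keypair()
    wire1 = xor_stream(kc, nonce + b"\x01", ser(a_pub))
    # Server side (past the base station, where the link layer has been removed).
    a_pub_srv = int.from_bytes(xor_stream(kc, nonce + b"\x01", wire1), "big")
    b_priv, b_pub = dh_keypair()
    wire2 = xor_stream(kc, nonce + b"\x02", ser(b_pub) + auth_tag(server_auth_key, a_pub_srv, b_pub))

    # Eavesdropper on the air interface: sees RAND, nonce, wire1, wire2.
    seen = {}
    if kc_attacker is not None:
        seen["a_pub"] = int.from_bytes(xor_stream(kc_attacker, nonce + b"\x01", wire1), "big")
        plain2 = xor_stream(kc_attacker, nonce + b"\x02", wire2)
        seen["b_pub"], seen["tag"] = int.from_bytes(plain2[:16], "big"), plain2[16:]
        if attacker_active:
            # Substitute a different DH share, re-encrypted under the derived Kc.
            # The transcript tag cannot be recomputed without server_auth_key.
            _, m_pub = dh_keypair()
            wire2 = xor_stream(kc_attacker, nonce + b"\x02", ser(m_pub) + seen["tag"])

    # Client verifies the transcript before deriving the session key.
    plain2 = xor_stream(kc, nonce + b"\x02", wire2)
    b_pub_cli, tag_cli = int.from_bytes(plain2[:16], "big"), plain2[16:]
    accepted = hmac.compare_digest(auth_tag(server_auth_key, a_pub, b_pub_cli), tag_cli)
    if not accepted:
        return {"link_plaintext_recovered": seen.get("a_pub") == a_pub,
                "handshake_accepted": False, "app_plaintext_recovered": False}

    # Application data: inner layer under the session key, outer layer under Kc.
    k_cli, k_srv = session_key(a_priv, b_pub_cli), session_key(b_priv, a_pub_srv)
    inner = xor_stream(k_cli, nonce + b"\x03", message)
    wire3 = xor_stream(kc, nonce + b"\x04", inner)
    assert xor_stream(k_srv, nonce + b"\x03", xor_stream(kc, nonce + b"\x04", wire3)) == message

    # Stripping the link layer with Kc exposes only the inner ciphertext.
    attacker_view = xor_stream(kc_attacker, nonce + b"\x04", wire3) if kc_attacker is not None else None
    return {"link_plaintext_recovered": seen.get("a_pub") == a_pub,
            "handshake_accepted": True,
            "app_plaintext_recovered": attacker_view == message}

if __name__ == "__main__":
    for has_ki, active in [(False, False), (True, False), (True, True)]:
        print(f"stolen Ki={has_ki} active substitution={active}:", run_scenario(has_ki, active))
```

Run as a script it reports three cases: without Ki the link is opaque; with Ki and passive observation the link plaintext (the handshake's public values) is visible but the session key and application data are not; with Ki and a substituted server share the client rejects the handshake. The caveat a practitioner would add is that this holds only while the inner layer is actually authenticated, that is, certificate validation is not disabled or subverted by a rogue CA, and that it says nothing about the endpoint itself, which is a separate question from the link.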


marzametal
Posts: 505
Joined: Mon Aug 05, 2013 11:39 am

Re: [The Intercept] The Great SIM Heist

Postby marzametal » Tue Mar 03, 2015 10:36 am

For fuck's sake, this just gets worse and worse... I AM GOING BACK TO TWO CANS AND A STRING for my telecommunication requirements!


Guest

Re: [The Intercept] The Great SIM Heist

Postby Guest » Tue Mar 03, 2015 3:36 pm

The concise answer is the only sure-fire way to use Cellular network resources securely is with a simple cellular wifi hotspot and a secure non cell computer. Cell Phones are irreparably fucked- but not because of this.

(TLDR- cell phones are likely hardware back doored; stingrays are likely collecting much more than is publicly acknowledged- supporting info links below)

Bear with me and I'll try and explain, while properly pointing out what is speculation and the (I believe reasonable) rationale for such.
SIMs include a baseband co-processor and firmware - but all cell phones have baseband processors/firmware even if the SIM is built in.
Baseband is a functioning computer processor/firmware system that operates below/independent of any other software on a cellphone.
Baseband firmware is proprietary, closed-source, and extremely difficult (in some cases impossible) to audit/reverse engineer.
There are only a handful of producers of baseband processors and firmware. Qualcomm (the makers of the Samsung baseband where the backdoor was discovered) alone has more than 70% of the market.
Baseband resources cannot be accessed through the main system. (Its actions/functions are mostly hidden from any user-auditable view.)
Conversely, baseband has full access to the phone storage and main system RAM. Consequently it has unfettered authority over all system resources.

I've read the rumour (often stated as fact) that some systems provide meaningful isolation of baseband- but have yet to find ANY. Not even Blackphone claims baseband isolation- and surely they'd be screaming it from the treetops if they had it. It's been almost a year since the baseband backdoor stories came out and literally NO company has come forward to say- hey that doesn't apply to us because we properly isolate baseband. I therefore speculate that all phones are compromised in this manner- and that's by intentional design. Whether this can be called a 'back door' is semantically somewhat debatable, but it is undeniably capable of achieving the same functionality as a back door through exploitation of standard operational capabilities and trusted authority... see the various articles and the YouTube Black Hat vid posted below- they explain such better than I can.

The phone company has authority over baseband- regardless of whether the keys have been compromised.
Any and all active encryption keys can easily be scraped from main system ram
- likely in an automated fashion...
Because of this: the promise of ANY "secure" encryption on cell phones, even with keys never in third party hands, is nothing more than marketing hype and misleading gov co-intel propaganda. As long as the phone is booted up, the keys can be scraped from RAM- by anyone with control of the baseband. Shutting down the phone doesn't stop this, as the phone doesn't actually shut down unless you pull the battery. Once keys are compromised- FDE is worthless even if the phone is shut down.

Soo... if you're following- the subtle context of that story isn't about how the gov stole previously unavailable access to cell phones- it's about how they got access without manually hacking each phone (tedious, time consuming, resource limited) or going through the phone company for access (toll booth service, resource limited, may create an audit trail), but it speaks volumes on why there is now such a huge market for stingray devices.... (unlimited spying, likely better capabilities, and perhaps most importantly, no audit trail of questionable or outright illegal actions)

No offence to the magnificent iconoclast Greenwald intended- it's not proper for journalists to speculate as far as I am now; reasonable or not. This stuff has been properly suppressed, presumably with co-intel, as one may discern by reading articles claiming 'no backdoor' and comparing them to more legitimate technical sources- there's a waft of something one gets familiar with if reading stuff like this... It's not covered in mainstream sources, the facts don't add up, questions are left unanswered, hands are waved- and the media's beloved FUD is suspiciously set aside...nothing to see here, carry on.

...look into the massive success/growth of the Harris corp and other stingray manufacturers. -why?

What do stingrays offer that isn't available from intercept equipment at the phone company itself? What justifies this very expensive purchase? They put them on planes and fly them around constantly- what justifies this absurd expense? Is it realistic they'd do all this just to collect IMSI and ESN numbers from a given location- or even random conversations- or even to opportunistically hack people real-time? I've read BS about tracking individual threats- but wouldn't that be easier just using the phone company resources and paying their bribe service fees...

I therefore suspect these stingrays are collecting much much more than is currently acknowledged- they're collecting a quality and quantity that authorities don't want the telcos to know about. Things so invasive that they would be considered at least controversial by even the most pro-authoritarian and surveillance state supporters...and the baseband hole is the key to this all. I'd speculate passwords, encryption keys, file index, known APs, full contact list, web history, app data, email, SMS history, photo geo-tags & thumbnails... literally any and everything that can be found in a known memory location and downloaded in the time/bandwidth available- most of it is small and could be downloaded very quickly.

ASLR you say? is the index in a known position?... is that open source and verified- I honestly don't know; I doubt it's a realistic mitigation to this level of compromise though- at best it would slow it down slightly.

Call me a tin hat- I could use a good laugh- the phrase is now misused so often it's all but lost meaning. Better yet, explain why I'm wrong or likely wrong, or maybe wrong- and make my day, because dog knows I don't want to believe this shit....what else could it be? Why are federal marshals literally so concerned with covering up stingray use documentation that they will go seize it to stop a legal court ordered subpoena??? imsi and esn collection? bullshit- there must be more to it. It's speculation- but I'd bet money these stingrays are using automated collection hacks exploiting baseband- sucking up as much data as possible for use to seed parallel constructed criminal cases.
https://www.techdirt.com/articles/20140 ... aclu.shtml


For reference to the baseband hole see:
http://www.osnews.com/story/27416/The_s ... bile_phone
http://www.extremetech.com/computing/17 ... e-insecure

Also see:
https://www.fsf.org/blogs/community/rep ... y-backdoor
note the line at the end...
"but if the modem can take control of the main processor and rewrite the software in the latter, there is no way for a main processor system such as Replicant to stop it. "

Yeah- unfortunately that's exactly how this works... with ram access you can change any system software.

Also see:
http://www.youtube.com/watch?v=fQqv0v14KKY
https://anonymous-proxy-servers.net/blo ... em....html
https://news.ycombinator.com/item?id=7388547
https://www.usenix.org/system/files/con ... inal24.pdf
https://together.jolla.com/question/379 ... -baseband/

https://blog.torproject.org/blog/missio ... nd-privacy
Tor labels Android security as "mission impossible". They don't even bother to attempt to secure a device with a cellular modem. -as someone who tried and gave up, to go full AOSP and have authority at least over the 'visible' system via similar means as this article- I have to concur; it's pointless. After hundreds of hours experimenting, tinkering and tweaking, I eventually came to the conclusion Google doesn't want, and never intended Android to be secure. Every single time I updated to a newer version of Android- they'd broken something security critical- always in a way that wasn't immediately apparent, and with no reasonable explanation in sight as to why. (permissions, iptables, zombie logs, and non-sensical sandboxing changes/issues from what I recall- this was years ago...) It got to the point where I wouldn't update- because I just knew they were going to break something, and it would be weeks or months before people smarter than me figured it out and fixed it. I was a power user, stripped down with minimal AOSP ROM, FDE, F-Droid, iptables, OpenVPN, Xposed, system services userlanded & fine grain perm kneecapped- Briefly I felt very confident, but then every time I dug deeper I was still finding security issues and errant behaviour. Intentional or not- at the time Android seemed like a very security/privacy hostile ecosystem- I seriously doubt it's improved since...and Apple? Just startpage 'apple backdoor' or 'apple spying' for numerous foul examples.

So...Fuck cellphones. I threw away my expensive spy device "smart" phone and now have a dumb no feature cell phone for emergencies- the battery is usually out of it. ting.com- 6$ a month. If I need mobile network, I use hotspot wifi and a proper foss linux or bsd computer. If I don't have final authority over a device I don't consider it something I own, and I'll be damned if I'm going to knowingly pay for my own surveillance/violation.

I imagine it's a great money maker- and perhaps some VPN duct tape on the screen door of the submarine security nightmare that is Orwell's telescreen, a "smart" phone, keeps most of the surface mist out... But CS would gain a hell of a lot of respect from me (my already massive respect doubled) if they'd just drop support of mobile clients. Or at least make people eminently aware of how dire the security situation with cellphones really is- i.e. common casual 'install a hundred apps from the app store' on a stock ROM usage is 10,000x more dangerous than standard desktop OS use, and a phone can potentially compromise every other device you interoperate with. USB, Bluetooth, and SD cards are assumed completely trustworthy by nearly all computers- they can easily pass viruses and such... You don't need any speculation to show that, and none of it is theoretical. These devices just aren't designed for security/privacy- the way things are going, they never will be.


Topic Author
parityboy
Site Admin
Posts: 1220
Joined: Wed Feb 05, 2014 3:47 am

Re: [The Intercept] The Great SIM Heist

Postby parityboy » Tue Mar 03, 2015 11:17 pm

@Guest

Bear with me and I'll try and explain, while properly pointing out what is speculation and the (I believe reasonable) rationale for such.
SIMs include a baseband co-processor and firmware - but all cell phones have baseband processors/firmware even if the SIM is built in.


So if you take the SIM out of a device, the device no longer has a baseband processor? Or does the SIM add an extra one?


Guest

Re: [The Intercept] The Great SIM Heist

Postby Guest » Wed Mar 04, 2015 2:19 am

I believe it's an extra one. I'm not sure really- I only learned that SIMs could even contain them last night- when plucking through some reference articles- previously had thought they were only used for data credential storage and the BB was always in the phone.

...and now that I look- Wikipedia says zilch about any SIMs containing a baseband processor. hmm. Maybe one of the article writers was confused on that point. -I'm gonna try and figure out where I read that from.


Guest

Re: [The Intercept] The Great SIM Heist

Postby Guest » Wed Mar 04, 2015 3:04 am

I think I may have gotten confused while skimming the second article- which describes the SIM as having a second independent OS that's similar in ways to the baseband processor (authoritative black box...etc). So- I'm thinking now the baseband processor is always in the phone. I'll look into it a bit more when I get more time. Apologies, it was late last night when I was writing all that- didn't spend enough time reading the articles I was posting for reference. I researched this a lot when the BB backdoor story broke, which was actually over a year ago, and haven't spent much time on it since; my memory isn't always great.


Topic Author
parityboy
Site Admin
Posts: 1220
Joined: Wed Feb 05, 2014 3:47 am

Re: [The Intercept] The Great SIM Heist

Postby parityboy » Wed Mar 04, 2015 4:55 am

@Guest

No worries. I think this entire situation is a holdover from the early days of digital cell phones; those devices now need a fundamental rethink in terms of the relationship between the baseband processor and the "main" CPU. It seems that "phones" - which are palm-sized microcomputers in their own right, with telephony as a small portion of their functionality - have a skewed relationship between the baseband processor and main CPU, i.e. it seems that the tail is wagging the dog.

As you know, a Single Board Computer slotted into a PC is communicated with through OS drivers, and does not have control over the PC (most of the time; BMCs in servers seem to suffer the same security issues as baseband processors). This is the kind of relationship which is needed in smart devices, in which the main CPU is the one in charge and the baseband processor isn't.


Guest

Re: [The Intercept] The Great SIM Heist

Postby Guest » Fri Mar 06, 2015 3:47 am

So- I found this:

open source smart phone. quite expensive @ 650-850 EUR , and very dated specs. still proprietary firmware- but it looks like the baseband is genuinely isolated.
http://neo900.org/

Also:
It seems the just announced Blackphone 2 is vulnerable to the SS7 vulnerability- which with a little startpage foo is revealed to be a baseband service call "vulnerability". This seems to confirm BP doesn't have baseband isolation. Sadly they (agent JP Vossen) seem unaware of the true consequences/extent of this vulnerability and claim the Silent Phone app is not affected- as I've explained though; IF baseband leaves the keys vulnerable to be scraped from RAM- yeah, it's affected- though PFS would presumably defeat non-realtime RAM scrapes. (the keys would need to be scraped during the Silent Phone call in order for it to be decrypted, assuming all else was right)
https://support.blackphone.ch/customer/ ... ?b_id=4314

In case it hasn't been clear- I've not at all been trying to pick on or detract from the BP team's efforts- they have a great team of people who've earned the trust and respect of many. If they can't make a secure/private phone then it likely can't be done in the current legal/technical/political environment- at least not on the scale they're doing it. Even if they can't get it right now, they may be able to in the future. If I had one complaint, it's that all that venture capital has given them a bad case of corpo-speak and an irrational fear of FOSS, and I suppose it's hard not to worry about the potential corrupting effects of all that cash and all those stakeholders...

Also I found this:
http://esdcryptophone.com/support/faq
100% open source, even the firmware! 3k$US for the GSMK 500- and it seems you can only connect securely to other cryptophones. They were selling 400 a week when it came out and were unable to keep up with demand. This thing is based on the Samsung Galaxy S3... which ironically was one of the Samsung phones affected by the back door- it doesn't have baseband isolation. Interestingly they deal with that via a "baseband firewall"- though architecturally I don't even understand how that works given what I've read- perhaps their custom firmware somehow changes the authority relationship and transparency of the processors? Full source code is available with contact detail submission. -ohh how I wish I were knowledgeable enough to request that and dig deeper to see what's going on with all this. I wonder how hard it is (or how one would even go about) to learn to decipher firmware source code.


Guest

Re: [The Intercept] The Great SIM Heist

Postby Guest » Fri Mar 06, 2015 11:28 am

I've been digging a bit more and watching some vids; thought I'd share.

Good grief... Even if you watch no other videos I've posted- watch this- this lays it bare.
Blackhat 2014 Cellular Exploitation on a Global Scale: The rise and fall of the control protocol.
http://www.youtube.com/watch?v=wuO7yWkscP4

Phil Zimmermann on Blackphone baseband. Confirms- no isolation; but they understand the situation and want it. Nvidia baseband processor- Nvidia says open to an audit.
http://www.youtube.com/watch?v=wgaa0quvW1o

CEO of Blackphone- "The reality is if people with enough power and authority want to pay attention to you they're probably going to be able to."
http://www.youtube.com/watch?v=njLKF-DEhIM

Cryptophone
http://www.youtube.com/watch?v=jWBMpsFaH9w

Baseband Exploitation in 2013
http://www.youtube.com/watch?v=lCcKk8R0LFI

Reverse engineering qualcomm baseband
http://www.youtube.com/watch?v=e1lYU0VMCoY

The baseband apocalypse
http://www.youtube.com/watch?v=c5GDUvTfhtU

Scaling up baseband attacks- More (unexpected) attack surfaces. A-GPS & SUPL -PAWNED via TCP with no control over a BTS required.
http://www.youtube.com/watch?v=mznkFkzKb94

