[Cryptography] Lenovo laptops with preloaded adware and an evil CA

Christian Huitema huitema at huitema.net
Sun Feb 22 19:47:37 EST 2015


On Sunday, February 22, 2015, at 7:03 AM, Jerry Leichter wrote:
> On Feb 22, 2015, at 12:21 AM, Christian Huitema <huitema at huitema.net> wrote:
>> A particular example of phishing led to the recently disclosed attack on SIM
>> cards. But phishing was not the only past mistake there. Static shared
>> secrets, really?
> And just what is your proposed alternative for a way to set up a shared,
> mutually authenticated connection between a phone and a network? At some
> point, there have to be secrets. You can use symmetric cryptography and have
> a single secret, or asymmetric and have a pair of them, but in either case,
> someone has to make those secrets available to the appropriate parties - and
> that someone is the SIM card programmer. If the SIM card programmer is fully
> penetrated, as is the case here ... just what is it that you propose to do?
> The only alternative I know of is pure DH - secure but inherently
> unauthenticated. Even so, probably beyond the capability of most phones in
> the world even today - we in the rich white west have a rather special idea
> of what makes for a minimally acceptable phone.

The real problem is the "static" part. Shared secrets may be an expedient
solution, but the natural destiny of secrets is to eventually be shared
a little too much. Of course, there is the option of switching to a new SIM
card, but that only works if that card is not already compromised. The
reliance on pre-programmed SIMs amounts to a design with a single point of
catastrophic failure.

>> No forward secrecy? What year is this, 1994? Or 1984 maybe?
> None of the above. Forward secrecy was first proposed in 1992, but it
> didn't really get much interest until 2000 or so - and it would likely have
> been too compute-intensive for even desk-top class machines (much less
> phones) until years later. SIM cards, on the other hand, go back much
> further than you might expect: The first one dates back to 1991! Even the
> "modern" min-SIM dates to 1996. These are dates of introduction; given that
> these are international standards, design must go back at least a year
> earlier, probably more.

I worked in the field for over 30 years and somehow managed to never be
involved in the making of phone standards, so of course I can also blame
myself. We may naively believe that if more energy had been applied to the
subject we would have better designs. Or maybe not. The SIM card was a key
feature of the original GSM design, a feature very much liked because it
allowed users to change providers or devices by simply swapping a card. But
we are not in 1991 anymore, and even low end phones have enough computing
power to implement robust crypto. I am pretty sure that if we tried hard
enough we would find something.

> So we're not really talking about dumb design decisions here. We're
> talking about the inevitable delay and inertia in changing literally
> billions of end-points, all over the world, under the administrative
> responsibility of hundreds of telcos. The lesson *I* would take from this
> is given what we now know about the nature and scale of attacks on this
> massive infrastructure, the mistake is to think it can possibly be secure.
> View it like the raw Internet: Any security will have to be built on top.

Evolving the telco standards will take several years. On the plus side, I am
sure there are plenty of very angry people in Europe or Asia right now, so I
would expect them to be quite motivated.

As for building security on top of the IMS system, there are limits. Sure,
you can probably decide to use Skype or Snapchat instead of the regular
telco service, assuming that these IP-based alternatives are reasonably
secure. But you cannot build privacy that way. The current IMS protocols
disclose the IMSI identity when establishing a connection to a tower, and
the IMSI identifies your SIM card. Even if you never use the phone or text
services, IMSI catchers like the Stingrays will find your location and be
able to "tag" the IP addresses that you use for further analysis of the
metadata. That part at least will have to change if we want to get back
privacy in the phones.

-- Christian Huitema
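An added illustration of the "static secret" versus forward-secrecy argument in this thread (my own example, not code from the list or from any GSM/3GPP specification): a session key derived only from the long-lived SIM secret K can be re-derived from recorded traffic once K leaks, while a session key from ephemeral DH that K merely authenticates cannot. The group parameters, the HMAC-based derivations and the recorded-traffic model are constructed for the demonstration and are not the real air-interface algorithms.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group, far too small for real use (a deployment would use a
# standardized group such as RFC 7919 or an elliptic curve).
P, G, ELEM = 2**127 - 1, 3, 16

def static_session_key(k_sim: bytes, nonce: bytes) -> bytes:
    # Key depends only on the long-lived SIM secret and a public nonce, so anyone
    # who learns k_sim later can re-derive it from recorded traffic.
    return hmac.new(k_sim, b"static|" + nonce, hashlib.sha256).digest()

def dh_keypair() -> tuple[int, int]:
    x = secrets.randbelow(P - 2) + 1  # fresh ephemeral exponent for one session
    return x, pow(G, x, P)

def transcript(pub_a: int, pub_b: int) -> bytes:
    return min(pub_a, pub_b).to_bytes(ELEM, "big") + max(pub_a, pub_b).to_bytes(ELEM, "big")

def dh_session_key(x_priv: int, my_pub: int, peer_pub: int, k_sim: bytes) -> tuple[bytes, bytes]:
    # k_sim only authenticates the public values (the tag); it never enters the key
    # derivation, so a later leak of k_sim reveals nothing about this session key.
    t = transcript(my_pub, peer_pub)
    tag = hmac.new(k_sim, t, hashlib.sha256).digest()
    shared = pow(peer_pub, x_priv, P).to_bytes(ELEM, "big")
    return hashlib.sha256(b"dh|" + shared + t).digest(), tag

def after_sim_secret_leak(k_leaked: bytes, nonces: list, dh_records: list) -> tuple[list, list]:
    # A passive recorder of the air interface, once K leaks, gets every static-scheme
    # key but for DH only confirmation that the tags were genuine: the exponents were
    # never sent, so g^ab stays out of reach (given discrete-log hardness in a real group).
    past_keys = [static_session_key(k_leaked, n) for n in nonces]
    tags_ok = [hmac.compare_digest(hmac.new(k_leaked, t, hashlib.sha256).digest(), tag)
               for t, tag in dh_records]
    return past_keys, tags_ok

def demo() -> dict:
    k_sim = secrets.token_bytes(16)  # constructed long-lived SIM secret K
    nonce = secrets.token_bytes(16)
    static_key = static_session_key(k_sim, nonce)
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    dh_key, tag = dh_session_key(a_priv, a_pub, b_pub, k_sim)
    peer_key, _ = dh_session_key(b_priv, b_pub, a_pub, k_sim)
    past_keys, tags_ok = after_sim_secret_leak(k_sim, [nonce], [(transcript(a_pub, b_pub), tag)])
    return {"dh_keys_agree": dh_key == peer_key,
            "static_key_recovered": past_keys[0] == static_key,
            "dh_tag_verifiable": tags_ok[0],
            "dh_key_recovered": dh_key in past_keys}
```

Leaking K still lets an attacker forge tags for future sessions, so authenticated DH buys forward secrecy for recorded traffic, not immunity to impersonation after the leak.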