How to prevent becoming the next victim of a phone hacking breach

The recent events involving the mobile phone hacking actions of News of the World journalists – and quite possibly many others – have highlighted the fact that there are insecurities in the world of mobile telephony.

And with approaching five billion mobiles in circulation – almost one handset for every person over the age of 10 – it is perhaps inevitable that some of the services available will be found wanting in certain aspects of security.

Against this backdrop, much has been made of the fact that cellular phones operate across open radio channels and that, with the right equipment in place, they can be subverted. But this isn’t actually true. Most of the hacks of mobiles in recent years have involved the subversion of the cellular base station rather than the handset.

As Karsten Nohl and his colleagues demonstrated at the December 2010 Chaos Computer Club meeting in Germany, it is now perfectly possible to subvert the 2G GSM cellular network – using a massive set of precomputed A5/1 crypto tables – to eavesdrop on calls.

But it is also important to note that the A5/1 encryption system dates back to the 1980s when GSM was being developed. Since then the GSM standard has been developed extensively and, over the last eight years, we have seen the rise of the smartphone and the 3G standard.

3G, as any radiocommunications engineer will attest, does not carry its packet data over discrete radio channels but uses a radio scattering technique known as spread spectrum, in which the signal is spread across multiple frequencies that together occupy almost all of the available bandwidth in a given waveband.

It’s also interesting to note that the technology was originally developed to prevent eavesdropping. As a result, 3G voice and data calls (it’s actually all data) are almost impossible to monitor using today’s computing architecture.

On top of this, 3G data streams are encrypted using the A5/3 encryption system, which is several steps ahead of the A5/1 system that Nohl and his research team have cracked. A5/3 is based on a stronger algorithm with larger keys, and to date it has not been broken.

It’s also worth noting that as soon as the A5/1 flaw was discovered, a security patch came out almost immediately.

So where does this leave the security of text messaging?

At the RSA Europe conference in October last year, a US researcher called Zane Lackey showed how, by subverting the data headers of SMS and MMS transmissions on cellular networks, all manner of social engineering-driven hacks are possible.

According to Lackey, because an MMS is actually a mobile Internet ‘call’ routine built into an SMS data string, it is possible to fool a user’s phone into polling a third-party (hacker’s) server for the MMS payload content, rather than the mobile phone company’s systems.

What Lackey’s demonstration at RSA Europe 2010 – later repeated at the Black Hat Abu Dhabi event in November – showed was how it is possible to generate a WBXML-based message that appears on a user’s mobile and persuades them to access a rogue mobile Internet web site.

It did not, however, demonstrate how fake text messages could be inserted into a live GSM control channel, nor how an SMS data stream could be eavesdropped upon: whilst this would be technically feasible, it would involve the use of complex electronics and – given the nature of cellular networks – would only operate across a short range.

SMS tokens versus hardware tokens

This leads us neatly to the topic of whether an SMS-based token – often described as a tokenless two-factor authentication (2FA) system – is as ‘strong’ as a hardware-based token such as the RSA SecurID system.

Before we examine this issue, let’s look at the security of a 2FA hardware token. Whilst the hardware itself is tamperproof, the fact that RSA’s servers were publicly hacked earlier this year shows that the integrity of the system as a whole is far from unhackable.

Furthermore, if the token is ‘borrowed’ by a third party and its electronics dissected – a process which has been carried out by countless researchers since the arrival of the 2FA hardware token (aka the one-time password token) in the late 1980s – then it is possible to create a duplicate hardware token using the same algorithm.

Of course, this incredibly complex subversion process – which requires the physical possession of the hardware token for a lengthy period of time and the use of highly complex electronics and counterfeiting technology – can be neatly side-stepped if you simply hack the servers of the company owning the keys.

When this happened with the widely-publicised RSA systems hack in March of this year, the hackers effectively gained access to the seed record database that forms the foundation of the RSA 2FA system.

And it’s against this background that the integrity of all 2FA tokens – whether hardware or software – needs to be viewed.

All 2FA systems can be subverted, given enough time and resources, but subverting a hardware-based system, just like subverting a software-based system such as one using cellular text messages, takes a lot of time and effort that few people outside of US and other major government law enforcement agencies have access to.

A text message might even be eavesdropped upon with malicious software on the phone, but the chances of this happening in the real world – outside the pages of a James Bond movie script – are minimal, just as they would be where the subversion of a hardware-based token is involved.

In addition, given the wide diversity of phone models and operating systems, any text message subversion technique would have to be adapted many dozens of times over to cover all eventualities.

And if the smartphone vendor issues a firmware update – or Google’s Android software development team updates the smartphone operating system (as frequently happens) – the cybercriminal would be back to square one.

Phones such as the iPhone and BlackBerry rely on an app store that only publishes trusted software which has been checked to be virus-free, and which requires the originator’s identity to be confirmed, making it impossible for a hacker to install malicious software anonymously.

It should also be noted that those who have tried to hack personal phone data have ended up in prison, caused the downfall of the News of the World and lost billions (Rupert Murdoch).

The great bonus of putting authentication onto a mobile phone is that users realise very quickly when they have lost their phone and therefore report it far sooner than they would a token. If for any reason someone does manage to retrieve a passcode from a user’s phone, they will still need to know the user ID and PIN or Windows password to log on.

The hacker will only get one attempt at getting this correct, at which point, even if they are denied, the system will generate a new passcode that is sent to the user’s phone, alerting the real user to an illegal log-on attempt. A hardware token user would never know if someone had tried to hack them.
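The log-on flow described in the two paragraphs above, modelled server-side as an added example (this is not SecurEnvoy’s code and does not describe their product’s internals): a login needs the user ID, the PIN and the current passcode; each passcode is single-use and gets exactly one attempt; a failed attempt burns it and pushes a fresh one to the enrolled phone, which is what tips off the real user. The class and method names, the in-memory stores, the stub SMS gateway and the assumption that the next passcode is delivered after a successful login are all mine.

```python
"""Server-side model of an SMS-passcode login: user ID + PIN + single-use passcode,
one attempt per passcode, failed attempt => new passcode sent to the phone."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASSCODE_LEN = 6


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Store PINs as salted PBKDF2 hashes so a server compromise does not leak them."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Enrolment:
    phone: str
    pin_salt: bytes
    pin_hash: bytes
    passcode: Optional[str] = None  # the single passcode currently valid for this user


@dataclass
class AuthServer:
    users: Dict[str, Enrolment] = field(default_factory=dict)
    # (phone, passcode, reason) triples: a stand-in for the SMS gateway, kept so a
    # caller can see what the real user's handset would have received
    sent_sms: List[Tuple[str, str, str]] = field(default_factory=list)

    def enrol(self, user_id: str, pin: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = Enrolment(phone, salt, _hash_pin(pin, salt))
        self._issue_passcode(user_id, "enrolment")

    def _issue_passcode(self, user_id: str, reason: str) -> None:
        """Replace the user's passcode with a fresh random one and 'send' it."""
        e = self.users[user_id]
        new = e.passcode
        while new == e.passcode:  # never reissue the value that was just burnt
            new = "".join(secrets.choice("0123456789") for _ in range(PASSCODE_LEN))
        e.passcode = new
        self.sent_sms.append((e.phone, new, reason))

    def login(self, user_id: str, pin: str, passcode: str) -> bool:
        e = self.users.get(user_id)
        if e is None:
            return False  # unknown user: nothing to burn, no SMS to send
        pin_ok = hmac.compare_digest(_hash_pin(pin, e.pin_salt), e.pin_hash)
        code_ok = (
            e.passcode is not None
            and passcode.isascii()
            and hmac.compare_digest(passcode, e.passcode)
        )
        if pin_ok and code_ok:
            e.passcode = None  # single use: the same code can never log in twice
            self._issue_passcode(user_id, "next login")  # assumption: pre-deliver the next one
            return True
        # Wrong PIN or wrong passcode: the one attempt is spent. Burn the current
        # passcode and deliver a new one; the unexpected SMS is the user's alert.
        self._issue_passcode(user_id, "failed login attempt")
        return False


if __name__ == "__main__":
    srv = AuthServer()
    srv.enrol("alice", "1234", "+44 7700 000000 (constructed)")
    stolen = srv.sent_sms[-1][1]
    print("attacker with passcode but wrong PIN:", srv.login("alice", "0000", stolen))
    print("alert delivered to phone:", srv.sent_sms[-1])
```

The point the model makes concrete is the asymmetry in the text: a guessed PIN or a lifted passcode costs the attacker the passcode itself, and the replacement SMS lands on the legitimate user’s handset whether the attempt succeeded or not.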

Many users leave their tokens in their laptop bags, which is very much like gluing your car keys to your car; a mobile phone, by contrast, is almost certainly kept close to the user and separate from their laptop.

If you still don’t trust SMS, bear in mind that you can opt for alternatives which have no reliance on SMS: isolated software versions of time-synchronised tokens, with the added security benefit that seed records are created at enrolment within your own server and can automatically resynchronise to any time zone in the world.
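A time-synchronised software token of the kind just mentioned, written as an added example in the style of RFC 6238 TOTP (this is not SecurEnvoy’s code). It shows the three properties the paragraph claims: the seed is generated on the server at enrolment and is only ever copied out to the token; verification is done on UTC seconds, so a token carried to another time zone still agrees with the server; and a small drift window lets the server resynchronise to a token whose clock has wandered and remember the learned offset. The names, the 30-second step and the ±1-step window are my assumptions.

```python
"""Time-synchronised software token (RFC 6238 TOTP over RFC 4226 HOTP) with
server-side seed creation, replay protection and automatic drift resynchronisation."""
import hashlib
import hmac
import secrets
import struct

STEP = 30    # seconds per time step (assumption)
DIGITS = 6   # length of the displayed code


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(seed: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole steps since the Unix epoch.
    Unix time is already UTC, which is why time zones never enter the calculation."""
    return hotp(seed, unix_time // STEP, digits)


class TokenRecord:
    """What the server keeps per enrolled token."""

    def __init__(self) -> None:
        self.seed = secrets.token_bytes(20)  # created here, at enrolment, on your own server
        self.drift_steps = 0                 # learned offset of this token's clock, in steps
        self.last_counter = -1               # highest counter already accepted (replay guard)


def verify(rec: TokenRecord, code: str, now: int, window: int = 1) -> bool:
    """Accept a code for the current step or up to `window` steps either side, after
    applying the drift learned so far. On success, record the counter so the same
    code cannot be replayed and fold any newly observed drift into the record; this
    is the automatic resynchronisation."""
    if not code.isascii():
        return False
    base = now // STEP + rec.drift_steps
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= rec.last_counter:
            continue  # already used, or earlier than one already used
        if hmac.compare_digest(hotp(rec.seed, counter), code):
            rec.drift_steps += delta
            rec.last_counter = counter
            return True
    return False


if __name__ == "__main__":
    rec = TokenRecord()
    now = 1_700_000_000  # constructed server clock (UTC seconds)
    # token clock running 30 s fast: still accepted, and the drift is remembered
    print(verify(rec, totp(rec.seed, now + 30), now), rec.drift_steps)
```

Because both sides hash the same seed over the same UTC step count, the "resynchronise to any time zone" property falls out for free; what actually needs handling is clock drift, which the window plus the stored offset covers without ever loosening the replay check.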

Conclusions

By now it should be clear to the reader that there is no such animal as a 100 per cent secure authentication token system. There are, however, highly secure systems that centre on hardware tokens, as well as less expensive and infinitely more flexible systems based on cellular handsets and 2G/3G text messages.

Which authentication system you select will depend on your budget and a return-on-investment plan. But given the immense flexibility – and rapid deployment – that software-based authentication systems offer, I think the software option wins hands-down on several fronts.


Andrew Kemshall is co-founder of SecurEnvoy. Before setting up SecurEnvoy, which specialises in tokenless two-factor authentication, Andrew worked for RSA as one of their original technical experts in Europe, clocking up over 15 years’ experience in user authentication. His particular specialty is two-factor authentication in the fields of architecture, design and development of next-generation authentication software.