From: Dag-Erling Smorgrav (desTHINKSEC.COM)
Date: Fri Mar 23 2001 - 08:11:08 CST

    Gregory Steuck <gregNEST.CX> writes:
    > This is the part the whole authentication mechanism depends on. You made
    > at least 2 assumptions here:

    I'm tempted to quote Samuel Jackson here - "as everyone knows, when
    you make an assumption, you make an ass out of you and mption" :)

    > 1) GSM phone network is secure between the endpoints (phones) and can
    > not be sniffed.

    This is a serious problem. GSM does not offer end-to-end encryption.
    See further down.

    > 2) SMS source address can not be forged.

    They can - it's trivial if you have the right phone (or rather, the
    right firmware). This is less serious though, since the one-time
    password is sent to the registered phone number, so even if a third
    party forges your MSN he will not receive the OTP. It does allow for
    some interesting DoS or harassment attacks though.

    This is a situation which GSM operators could easily remedy if they
    wanted to - just like ISPs could easily kill certain types of DoS
    attacks at the source with egress routing - there just doesn't seem to
    be any incentive to do so.

    (It's even possible to forge so-called network-originated messages,
    which can be used to reprogram the recipient's SIM card etc.)

    > I am pretty sure that both assumptions are wrong. Phone company (or
    > companies, I don't know how the messages are routed) will most certainly
    > be able to sniff your messages and forge the source address.

    The situation is even worse if the sender and receiver are on
    different GSM networks - GSM operators typically exchange SMS messages
    over unencrypted TCP/IP connections.

    DES

    -- 
    Dag-Erling Smørgrav - desthinksec.com