From: Dag-Erling Smorgrav (desTHINKSEC.COM)
Date: Fri Mar 23 2001 - 08:11:08 CST
Gregory Steuck <gregNEST.CX> writes:
> This is the part the whole authentication mechanism depends on. You made
> at least 2 assumptions here:
I'm tempted to quote Samuel Jackson here - "as everyone knows, when
you make an assumption, you make an ass out of you and mption" :)
> 1) GSM phone network is secure between the endpoints (phones) and can
> not be sniffed.
This is a serious problem. GSM does not offer end-to-end encryption.
See further down.
> 2) SMS source address can not be forged.
It can - it's trivial if you have the right phone (or rather, the
right firmware). This is less serious though, since the one-time
password is sent to the registered phone number, so even if a third
party forges your MSN he will not receive the OTP. It does allow for
some interesting DoS or harassment attacks though.
This is a situation which GSM operators could easily remedy if they
wanted to - just like ISPs could easily kill certain types of DoS
attacks at the source with egress routing - there just doesn't seem to
be any incentive to do so.
(It's even possible to forge so-called network-originated messages,
which can be used to reprogram the recipient's SIM card etc.)
> I am pretty sure that both assumptions are wrong. Phone company (or
> companies, I don't know how the messages are routed) will most certainly
> be able to sniff your messages and forge the source address.
The situation is even worse if the sender and receiver are on
different GSM networks - GSM operators typically exchange SMS messages
over unencrypted TCP/IP connections.
-- Dag-Erling Smørgrav - desthinksec.com
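The two designs contrasted in the reply above, as an added simulation that is not part of the original thread and not code from either poster. It models the SMS path as a plain in-memory queue whose source field the sender fills in freely (the forging assumption under discussion), then shows a login that trusts that field, a login that instead sends an OTP to the registered number, and the OTP-flood harassment that forged requests still allow. The phone numbers, the short code, the 120-second validity window, the three-messages-per-window limit and the three-guess limit are all assumptions made here for illustration, not anything the post specifies.

```python
import hashlib
import hmac
import secrets


class SmsNetwork:
    """Constructed stand-in for the SMS path. As in the post, the source
    address is just a field the sender fills in, so anyone can forge it."""

    def __init__(self):
        self.delivered = {}  # destination number -> [(source, text), ...]

    def send(self, source, dest, text):
        self.delivered.setdefault(dest, []).append((source, text))

    def inbox(self, number):
        return list(self.delivered.get(number, []))


class SourceAddressLogin:
    """The weak design: treats the SMS source address as proof of identity."""

    def __init__(self, registered):
        self.registered = registered  # username -> phone number

    def handle_sms(self, source, text):
        cmd, user = text.split(maxsplit=1)
        return cmd == "LOGIN" and self.registered.get(user) == source


class OtpLogin:
    """OTP is delivered to the registered number; the source address of the
    request plays no part in authentication."""

    OTP_TTL = 120             # seconds an OTP stays valid (assumed policy)
    MAX_PER_WINDOW = 3        # OTP messages per destination per window (assumed)
    MAX_GUESSES = 3           # wrong guesses before the OTP is discarded (assumed)
    SERVER_NUMBER = "+10000"  # hypothetical short code

    def __init__(self, registered, network):
        self.registered = registered
        self.network = network
        self.pending = {}   # user -> (otp_hmac, expires_at, guesses_left)
        self.sent_log = {}  # destination number -> [send timestamps]
        self.key = secrets.token_bytes(32)  # server-side secret, never sent

    def _digest(self, user, otp):
        # Store an HMAC rather than the code so a leaked table is useless.
        return hmac.new(self.key, f"{user}:{otp}".encode(), hashlib.sha256).digest()

    def request_login(self, user, now):
        """Anyone may trigger this for any user; the code still only goes
        to the registered number. Per-destination rate limiting blunts the
        flood a forged-source attacker can otherwise cause."""
        number = self.registered[user]
        recent = [t for t in self.sent_log.get(number, []) if now - t < self.OTP_TTL]
        self.sent_log[number] = recent
        if len(recent) >= self.MAX_PER_WINDOW:
            return "rate-limited"
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (self._digest(user, otp), now + self.OTP_TTL, self.MAX_GUESSES)
        recent.append(now)
        self.network.send(self.SERVER_NUMBER, number, f"Your login code is {otp}")
        return "sent"

    def verify(self, user, otp, now):
        entry = self.pending.get(user)
        if entry is None:
            return False
        expected, expires_at, guesses_left = entry
        if now > expires_at or guesses_left <= 0:
            del self.pending[user]
            return False
        if hmac.compare_digest(expected, self._digest(user, otp)):
            del self.pending[user]  # single use: a replayed code fails
            return True
        self.pending[user] = (expected, expires_at, guesses_left - 1)
        return False


def demo():
    """Replays the attacks discussed in the post on the constructed network."""
    registered = {"alice": "+15550001"}
    alice, attacker = "+15550001", "+15559999"  # constructed numbers
    net = SmsNetwork()
    results = {}

    # 1. Source-address authentication: a forged source address is enough.
    naive = SourceAddressLogin(registered)
    results["naive_accepts_forged_source"] = naive.handle_sms(alice, "LOGIN alice")

    # 2. OTP to the registered number: the attacker triggers the login
    #    claiming to be alice, but the code lands on alice's phone only.
    otp = OtpLogin(registered, net)
    t = 1000.0
    otp.request_login("alice", now=t)
    code = net.inbox(alice)[-1][1].split()[-1]    # what alice's phone shows
    wrong = "000000" if code != "000000" else "000001"
    results["otp_reached_attacker"] = bool(net.inbox(attacker))
    results["attacker_guess_accepted"] = otp.verify("alice", wrong, now=t + 1)
    results["alice_code_accepted"] = otp.verify("alice", code, now=t + 2)
    results["replay_accepted"] = otp.verify("alice", code, now=t + 3)

    # 3. Harassment/DoS: repeated forged requests would flood alice's phone;
    #    the per-destination limit caps how many codes actually go out.
    before = len(net.inbox(alice))
    outcomes = [otp.request_login("alice", now=t + 10 + i) for i in range(10)]
    results["messages_in_flood"] = len(net.inbox(alice)) - before
    results["rate_limited_requests"] = outcomes.count("rate-limited")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the rate limit in `request_login` is the one the reply makes: forging the source address does not get the attacker the code, but without a cap on messages per destination it does let him make the registered phone ring all day. Note that nothing here addresses the separate problem the reply also raises, that the code itself travels over a path that can be sniffed; an OTP scheme cannot fix that from the server side.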