Web Application Security
SMS protection Oct 21 2011 05:57PM
Marcel Tudorache (marceltudorache yahoo com) (4 replies)
Re: SMS protection Oct 25 2011 08:45PM
Robin Wood (robin digininja org)
RE: SMS protection Oct 25 2011 05:26PM
Jesse Mundis (jesse voltage com)
Re: SMS protection Oct 25 2011 02:07AM
Francois Yang (francois y gmail com)
Re: SMS protection Oct 25 2011 12:11AM
Fyodor (fygrave gmail com) (1 replies)
Re: SMS protection Oct 29 2011 10:55PM
Marcel Tudorache (marceltudorache yahoo com)
Dear Fyodor, Dea all,

First of all I would like to thank you very much for your answers.
I have the same feeling that I have that SMS as such is good but has certain weaknesses. This is why I'm trying to understand which are these residual risks.

It is true that the SMS will go through the network of the SMS provider... but I thought that it is not very easy to break into it, I guess that each mobile phone operator has certain security measures in place already, so that unauthorised access is prevented. I know that the reality is harsh and that there is no 100% security and that there are always certain risks.

Assuming that the mobile phone provider has taken at least some security measures for online attacks from the outside: firewalls, antivirus, access control... is it that easy to tap into the communications between two providers and read the traffic?(including the SMSes sent from one provide to another?).

I udnerstood that the A5/1 is not supposed to be in use anymore. I hope that this is what you were refering to when you mentioned "and this part of the crypto is known to be flawed as well)."

I'm also trying to understand the effort that an attacker would have to put in to manage to read the SMS-es, is it easy for any attacker, is it more like state sponsored attacks?

Thank you,
Marcel

----- Original Message -----
From: Fyodor <fygrave (at) gmail (dot) com [email concealed]>
To: Marcel Tudorache <marceltudorache (at) yahoo (dot) com [email concealed]>
Cc: "webappsec (at) securityfocus (dot) com [email concealed]" <webappsec (at) securityfocus (dot) com [email concealed]>
Sent: Tuesday, October 25, 2011 2:11 AM
Subject: Re: SMS protection

Well, keep in mind that as SMS traverses through Telco, it is being
stored/transmitted as plain text, so the only part of communication
path that goes over encrypted link is handset <--> base station. (and
this part of the crypto is known to be flawed as well).

anyway, to make things short - SMS might be good enough to act as 2nd
factor auth (i.e. one time passwords) but I wouldn't solely relay on
its security much.

if that helps,
-Fyodor

On Sat, Oct 22, 2011 at 1:57 AM, Marcel Tudorache
<marceltudorache (at) yahoo (dot) com [email concealed]> wrote:
> Hi,
>
>
> I was wondering how secure is an SMS to be used as authentication/transaction signing means for an application similar with online banking.
>
> To make the analysis more targeted the following assumptions are made:
> - I understand that the new smartphones can get viruses, but I would like to analyse the simple case where we assume that the user does his due dilligence and either does not navigate on the internet or navigates on limited number of trusted websites, so the assumption is that the user does not have an trojan/malware/virus on the smartphone.
> -bluetooth is off
> - Wifi off...
> - the attacker does not have phisycal access to the mobile phone
>
> I think that the SIM card is pretty difficult to be hacked, from my smart card experience(limited), I would assume that before allowing the access to the network of a cloned SIM card the operator might validate some signature of the sim-card (I guess that when the operator issues SIM cards they sign them with their private key... or a similar process).
>
> The question is merely about the intrinsic security of receiving an SMS, and how easy would be for an attacker to read the SMS of somebody else taking into account the above assumptions.
>
> I think it should be pretty secure, what do you think?
>
> Thank you very much,
> Marcel
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
>

--
http://www.o0o.nu

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus