STE WILLIAMS

Cellphone Snooping Now Easier & Cheaper

Cryptographers have devised a low-cost way to intercept phone calls and text messages sent over the majority of the world’s mobile networks.

The attack, which requires four $15 Motorola handsets, a medium-end computer and a 2TB hard drive, was demonstrated last week at the 27th annual Chaos Communication Congress in Berlin. It builds off of last year’s crack of the A5/1 encryption algorithm used to protect communications sent using GSM, or Global System for Mobile Communications, technology, which carries an estimated 80 percent of the world’s mobile traffic.

The method, cooked up by researchers Karsten Nohl and Sylvain Manaut, is a significant improvement over previous techniques, which required two USRP2 receivers and software to rapidly change radio frequencies over a spectrum of 80 channels. Equipment costs of the new attack are about $650, compared with more than $4,000 using the previous method.

“GSM is as insecure as Wi-Fi was ten years ago,” Nohl, who is chief scientist at Berlin-based Security Research Labs, told The Register. “It will be attacked by the same ‘war-driving’ script kiddies soon. Any discussion over whether the attacks available in the community are incomplete or impractical should have been put to rest with the last demonstration so that we can now start discussing how to fix the networks.”

Nohl, a cryptographer who has identified gaping holes in smart cards, cordless phones and car immobilizers designed to thwart auto thieves, was alluding to comments last year from the GSM Alliance, which claimed eavesdropping on GSM communications wasn’t practical.

Nohl has long nudged mobile operators to adopt the significantly more secure A5/3 algorithm, which still isn’t widely deployed – presumably because of the cost of upgrading a huge amount of equipment that’s already in place. He also counsels them to take several “low-hanging fruit” measures. One fix involves restricting access to the HLR, or Home Location Register, which is the database that keeps track of a handset’s location on a carrier’s network. Another suggestion is for operators to randomize message padding when encrypting communications.

GSM is the most widely used mobile phone technology. It connects more than 5 billion phones, according to the GSMA. In the US, it’s used by AT&T and T-Mobile. It’s used by all major carriers in the UK.

The revised attack uses home-brewed firmware to turn the Motorola phones into wire-tapping devices that pull conversations and text messages off of a carrier’s base station. They are connected to a PC that has access to a 2TB rainbow table used to decrypt messages protected by the decades-old A5/1 algorithm. H-online.com and Wired.com have more technical details here and here. Slides from the presentation are here.

Popular sites caught sniffing user browser history

Boffins from Southern California have caught YouPorn.com and 45 other sites pilfering visitors’ surfing habits in what is believed to be the first study to measure in-the-wild exploits of a decade-old browser vulnerability.

YouPorn, which fancies itself the YouTube of smut, uses JavaScript to detect whether visitors have recently browsed to PornHub.com, tube8.com and 21 other sites, according to the study. It tracked the 50,000 most popular websites and found a total of 46 other offenders, including news sites charter.net and newsmax.com, finance site morningstar.com and sports site espnf1.com.

“We found that several popular sites – including an Alexa global top-100 site – make use of history sniffing to exfiltrate information about users’ browsing history, and, in some cases, do so in an obfuscated manner to avoid easy detection,” the report states. “While researchers have known about the possibility of such attacks, hitherto it was not known how prevalent they are in real, popular websites.”

To cover its tracks, YouPorn encodes its JavaScript to hide the sites it searches for and decodes it only when used. Other websites dynamically generate the snoop code to prevent detection by simple inspection. Still others rely on third-party history-stealing libraries from services that include interclick.com and meaningtool.com.

The scientists detected the history stealing by concocting their own version of Google’s Chrome browser with a JavaScript information flow engine that “uses a dynamic source-to-source rewriting approach.”

The 46 sites exploit a widely known vulnerability that currently exists in all production version browsers except of Apple’s Safari, which earlier this year became the first major browser to insulate users against the threat. Google Chrome, which is based on the same Webkit engine, soon followed. Beta versions of Mozilla Firefox and Microsoft Internet Explorer also fix the problem, but production versions of those browsers are still wide open.

The exploit works by using JavaScript to read cascading style sheet technologies included in virtually every browser that causes visited links to appear in purple rather than blue. Developers have known of the weakness for a decade or more but until recently said it couldn’t be easily repaired without removing core functionality.

The study also detected code on sites maintained by Microsoft, YouTube, Yahoo and About.com that perform what the scientists called “behavioral sniffing.” They employ JavaScript that covertly tracks mouse movements on a page to detect what a user does after visiting it.

A PDF of the paper, which was written by Dongseok Jang, Ranjit Jhala, Sorin Lerner, and Hovav Shacham, is here. ®