[CSS-research] 5G security paper

Freddy Martinez freddy at lucyparsonslabs.com
Mon Oct 1 16:08:09 PDT 2018


I guess another thing came to mind... This design reduces the attack
surface away from people with rogue BTS but the design also assumes that
someone like the FBI won't try to use CALEA or similar legislation to force
providers to give them the keys. So, I suspect in the future we will find
ourselves in another Apple vs FBI type of cryptowar. And if the FBI gets
access...then it will trickle down to local PDs...

I guess I am also skeptical that telcos have _any_ spine to push back
against this type of "exceptional" access given their close relationship
with the federal government over the years...

- F

On Tue, Sep 18, 2018 at 1:09 PM Freddy Martinez <freddy at lucyparsonslabs.com>
wrote:

> While I generally think that this approach looks interesting I worry about
> the unintended consequences.
>
> In the Ericsson approach, I think the encrypted IMSI is built very
> analogously to a Diffie-Hellman handshake. Which may be fine for an approach
> on small scale. However, given that governments routinely hack phone
> providers (
> https://www.wired.com/2015/02/gemalto-confirms-hacked-insists-nsa-didnt-get-crypto-keys/)
> I am not sure that putting a private key on a phone is a good idea. That
> being said, physical access versus Over the Air access is still a higher
> barrier to entry but I don't know that it's a _great_ design.
>
> Just some thoughts.
>
> - Freddy
>
> On Fri, Sep 14, 2018 at 10:45 AM, Joseph Lorenzo Hall <joe at cdt.org> wrote:
>
>> Yasss, that is good stuff. It might be useful to think of other
>> geographic locations where people suddenly hit cell phone towers and have
>> an IMSI rather than a TIMSI [1] sent to the tower. I'm thinking places like
>> the US southern border where you can imagine immigrants' phones suddenly
>> seeing towers in common paths they might take. Yikes.
>>
>> [1]: http://www.gsm-security.net/faq/timsi-temporary-imsi-gsm.shtml
>>
>>
>> On Fri, Sep 14, 2018 at 12:56 PM yomna n <yomnanasser at gmail.com> wrote:
>>
>>> I'm not finished reading this paper, but there's a subtle observation in
>>> it about passive IMSI-catching attacks I found interesting/haven't seen
>>> mentioned elsewhere: "However, the passive approach is slow since an
>>> attacker has to wait for a mobile device to transmit its IMSI
>>> spontaneously, which is an uncommon event in most locations *(exceptions
>>> are, e.g., airports)*" ... because as soon as people's planes land they
>>> turn on their phones. Since so many foreign mobile phone users pass through
>>> them, airports must have an interesting variety of cell network traffic!
>>> (Also, makes me vaguely curious what the presence of IMSI-catchers around
>>> the Vegas airport is like the week of Blackhat/Defcon/etc.)
>>>
>>> I really hope the authors submit to RWC (maybe I should email them and
>>> suggest this). There was only one talk related to IMSI-catching last year,
>>> and it was on how you can set up an IMSI-catcher without needing to write
>>> any actual code.
>>>
>>> On Fri, Sep 14, 2018 at 9:51 AM Joseph Lorenzo Hall <joe at cdt.org> wrote:
>>>
>>>> I'd be interested in that too... I'm curious if the IMSI-catcher
>>>> resistance will actually survive practicality and deployment.
>>>>
>>>> On Thu, Sep 13, 2018 at 9:53 PM yomna n <yomnanasser at gmail.com> wrote:
>>>>
>>>>> Does anyone know if there's a publicly accessible talk that
>>>>> accompanies this paper anywhere? I've done quite a bit of googling and
>>>>> haven't been able to find anything.
>>>>>
>>>>> On Thu, Sep 13, 2018 at 8:04 PM Cooper Quintin <cooperq at eff.org>
>>>>> wrote:
>>>>>
>>>>>> Hah never mind, Seamus sent it months ago, which is probably why I had
>>>>>> the tab open. Carry on! :)
>>>>>>
>>>>>> Cooper Quintin
>>>>>> Senior Staff Technologist | EFF
>>>>>> PGP: 75FB 9347 FA4B 22A0 5068 080B D0EA 7B6F F0AF E2CA
>>>>>> Twitter: @cooperq
>>>>>>
>>>>>> On 09/13/2018 05:03 PM, Cooper Quintin wrote:
>>>>>> > I can't remember if it already got sent to the list or not, but this 5G
>>>>>> > security proposal from Ericsson was pretty interesting.
>>>>>> > https://www.ericsson.com/research-blog/protecting-5g-imsi-catchers/
>>>>>> >
>>>>>> > I was going to write to the guys who wrote it and see if any of their
>>>>>> > proposals made it into the final spec.
>>>>>> >
>>>>>> _______________________________________________
>>>>>> CSS-research mailing list
>>>>>> CSS-research at lists.eff.org
>>>>>> https://lists.eff.org/mailman/listinfo/css-research
>>>>>>
>>>>
>>>>
>>>> --
>>>> Joseph Lorenzo Hall
>>>> Chief Technologist, Center for Democracy & Technology [
>>>> https://www.cdt.org]
>>>> 1401 K ST NW STE 200, Washington DC 20005-3497
>>>> e: joe at cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
>>>> Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
>>>>
>>>>
>>
>>
>