CDMA security?
July 28, 2009 9:03 AM   Subscribe

As an attendant of Defcon for several years, my suggestion is to pop the battery of your cellphone when you enter.

There have been several demonstrations there of sniffing, and influencing cdma networks.

If you are going to do it, keep bluetooth off always.
Keep the radio on only when you have to.
posted by digividal at 9:17 AM on July 28

bad things which no one knows about are possible. What I'm more worried about are real security risks.

Bad things which no one knows about ARE real security risks at DEFCON.

"Better safe than sorry" isn't FUD, it's computer security standard operating procedure.
posted by toomuchpete at 10:23 AM on July 28

I have a friend who's given talks at DEFCON before. He said that he was wary of using anything that sends or receives a signal.
posted by reductiondesign at 10:49 AM on July 28

This can be an endless discussion in the way you're currently framing and directing it. digividal has provided a perfectly reasonable way to avoid the problem. Another way would be to get an older Nokia brick phone added to your cell account and use that during the conference and not bring your primary device.
posted by odinsdream at 10:58 AM on July 28

I have to agree with people who are saying "better safe than sorry." As others have said, of all the places some new vector might be utilized DEFCON or other security conferences seem kind of high on the list. If you have worries about the security of your device and the risk of compromise isn't acceptable to you, don't use it. If the risk of what is at heart an unknown is acceptable to you, use it. Having people speculate about what might or might not be present in that environment isn't going to make you any more or less secure.
posted by zennoshinjou at 11:15 AM on July 28

If your network security people are actually saying, "We have no idea what the dangers are, or even if there are any. Just turn everything off", you need to find new security people. Uncertainty is bad security.

That's completely unrealistic in the real world. You don't address each threat specifically because you are not smart or well connected enough to know what everyone else in the universe is going to do. You deal with as many threats as broadly as possible, and then with the specific ones that get through that defense. You don't know if a thief has a lockpick, a bump lock, a passkey or a fire axe, but you still lock your door. Seeing as you're attending a convention of hackers, some of whom are, for the first time, revealing research about new exploits you might not know about the attacks until it's too late.

Add to it the competitions for hacking devices in real world situations, (and the privately guarded libraries of hacks that the competitors use) why would you keep it on? Seriously. At least put it in airplane mode, it's just common sense.

If you really need a phone go buy a $20 pay-as-you-go phone, don't put any info on it and forward your calls there.
posted by Ookseer at 11:15 AM on July 28

Do a risk assessment on it. The threat value is high. What is the value of the asset to you in terms of loss of Confidentiality, Integrity & Availability, both at the con & afterwards? What is the likelihood of being able to discover a compromise has occurred? What are the costs associated with compromise of your account? The answers to questions like these will guide you towards an appropriate policy of behavior at and after the event.
posted by scalefree at 11:18 AM on July 28 [1 favorite]

y6y6y6, are you looking for specific examples of cell phone attacks and exploits? I can't name any, and even if I could I wouldn't be able to prove that those are all the vulnerabilities out there.

So if you're asking "how dangerous is it", you're really asking four questions:

1. How likely is it that vulnerabilities exist?
2. How likely is it that someone at DEFCON would be aware of those vulnerabilities?
3. How likely is it that they would be practicing it at DEFCON and you would be targeted?
4. How likely is it that the attacker would use the information to harm you, and how much harm could he or she do?

I'd say (1) is very likely to be true. Wireless technologies have been designed around access, not security. What security measures exist address the low-hanging fruit. Beyond that, the networks rely on safety in numbers and the overall lack of familiarity with these technologies to provide practical security coverage.

If you agree that (1) is likely, then (2) is likely. If there are vulnerabilities, then DEFCON is a self-selected group of the people most likely to know about them.

I've never been to DEFCON, so I can't say how likely (3) is, but fortunately someone in the thread already obliged:

digividal: "There have been several demonstrations there of sniffing, and influencing cdma networks."

Now unless you're someone particularly notable, you're not likely to be individually targeted, but there's every chance you'd end up randomly sniffed. I'd assume most of the people attending will be fairly paranoid about this sort of thing, so you won't necessarily have safety in numbers like you'd expect. I'd give (3) a pretty decent likelihood as well, not as much as (1) or (2) but enough to draw concern.

Which brings us to (4). Frankly, that depends mostly on you. What information are you likely to expose with your phone use? More identifying info than you expect may be discernable from the underlying protocols, so if you'd be concerned about being identified then "better safe than sorry" is indeed your best bet and you should pop the battery out.

Beyond that you should really just assume that anything you use the phone for will be potentially compromised. You're probably okay calling your family to tell them you love them, but I wouldn't go around texting your SSN to anyone.
posted by Riki tiki at 11:20 AM on July 28

I think it would be stupid to pop the battery just on the assumption that bad things which no one knows about are possible. What I'm more worried about are real security risks

Well, it's pretty much a given that bad things which no one knows about are possible. It's also a given that DEFCON is a place where they become known about, often through demonstration on attendees. However, it is unknown if this year will include CDMA hacking, so you have to decide for yourself what 'real risk' is in this context.
posted by jacalata at 11:26 AM on July 28

Again, you're either willfully missing the point or not reading what people are saying.

You're asking about known threats. Threats that are known threats were at one time unknown threats. DEFCON is about turning unknown threats into known threats. One or more of those threats may or may not be related to CDMA, may or may not affect your specific phone, and may or may not be known by someone who could cause you, personally, harm.

If you are legitimately interested in actually mitigating the threat to your data there are very few practical ways to do that, all of which have been shared already.
posted by odinsdream at 11:49 AM on July 28 [1 favorite]

The main vectors for attack for CDMA are the vectors you know about.

New hacks appear at DEFCON all the time. These are the unknowns (I will not descend into Rumsfeldian known knowns and known unknowns). We do not know what they are. No single person at DEFCON knows what amusing hacks might just appear. We can guess at most of the them, by looking at a presentation schedule, but that won't cover everything. Even more of them (but not all) will be known in retrospect.

How can you securely use the phone to check email without removing the possibility of threat (to the security for using the phone to check email)? You cannot; the two concepts are antithetical. If you could have security without considering threats, the world would be a very different place.

You might as well be asking "I am descending into a portion of the Amazon unknown to Western civilization; what could I catch? I would like to eat every plant I see without worrying about being poisoned." We can throw out some for-instances, but, yeah, you're heading into an area which is the very definition of new and surprising.
posted by adipocere at 12:38 PM on July 28

y6y6y6: "I'd be no more vulnerable at the convention than any else."

Think of it in terms of this analogy: I'm always vulnerable to gunshots, but I'm much more likely to be shot standing on a target range than in the supermarket.

You want a list of known exploits that apply to you, that's fine. Maybe you'll find someone in this askme with that specific knowledge. If you didn't find it on google, though, then there probably aren't enough people who do know for it to be likely that one of them will happen upon this thread.

In the meantime, people (including myself) tried to present an answer to your larger question in terms of what we see as common sense. "We don't know the risks" is not the same as "the risk is very low" despite your assertions to the contrary.

But since you seem to be offended by our non-answers, I expect you're planning to do as you said and use your phone. At that, I wish you good luck.
posted by Riki tiki at 12:41 PM on July 28

"The network security guy thinks popping the battery is paranoid enough to go in the 'stupid' category."

That's pretty typical for security guys - they think everyone else is an idiot.

If you're concerned about CDMA security, read this (PDF), then think about your risk factor. It's probably low, but seriously, you're going to DEFCON. Check your email, sure, but leave the company-sensitive/personally-identifying data transmissions for later. Your statement that you'd "be no more vulnerable at the convention than any else" is not correct. Since GSM calls can already apparently be accessed with field programmable gate arrays, if I was interested in something like that, I'd certainly be looking at cracking CDMA next. What a coup that would be. I mean, how awful.
posted by HopperFan at 2:19 PM on July 28

If I were you, I would just set up my e-mail to temporarily forward copies to a newly-created gmail account with a different password, and check that mail instead, deleting them as you read them and changing the password once per day.

That way, you almost entirely bypass your concern; anyone who hacked your mail during the conference would have access to less than a day's worth of messages, which makes the cost/benefit analysis much more likely to swing toward accessing your mail (as opposed to directly checking your mail, where someone with your password could download your entire mailfile). It should be trivial to set something like this up.
posted by helios at 2:47 PM on July 28

From a few years ago:
http://video.google.com/videoplay?docid=7354315958930963090
posted by digividal at 2:57 PM on July 28

If you can use Gmail's secure connection, that might help.

If there is a vulnerability, no matter how obscure it is, there will be someone ready to make use of it.

If the CDMA stream is recorded, too, the crypto cracking could be done at leisure later.
posted by Pronoiac at 4:21 PM on July 28

Those answers, what I'm hearing here, and the results of more Googling all make me confident that checking email at the convention should be fine. That is, the benefits far outweigh any added risk.

That's great. Good for you. Just be sure your e-mail client is accessing the server over SSL. Oh wait. Well, at least change your e-mail password so it isn't even remotely related to any other passwords you use.
posted by odinsdream at 6:25 PM on July 28

A nice new SMS vulnerability was just made public today.

Two security researchers, Charlie Miller and Collin Mulliner, have discovered a serious security vulnerability affecting SMS messaging on the iPhone that will be unveiled later today at the Black Hat security conference in Las Vegas. This flaw affects all iPhones and can allow an attacker to gain complete control of an iPhone, including the ability to make calls, browse the web and access the camera. This exploit is caused by corruption in the iPhone's memory handling and is executed by sending a burst of text messages by using a uncommon text character or by sending a hidden message. http://www.tuaw.com/2009/07/30/security-researchers-to-unveil-iphone-sms-vulnerability-later-to/

Granted it only affects the iPhone in this case, but it helps to illustrate the point the other commenters were trying to make...
posted by Redmond Cooper at 11:27 AM on July 30

I've read that they found a similar bug for Windows Mobile.
posted by Pronoiac at 12:40 PM on July 30

You're conflating risk with threat. They're separate (but related) things. Threat is the likelihood of a harmful event happening (expressed as a probability). Risk is the impact on an asset of a threat happening (expressed as a value amount, which could include dollars, time and sentimental value). Multiply threat by risk and you get risk severity. That combined value will guide your response. If the threat is high but the risk is low, you can afford to lose the value of your asset. But if the value of the asset at risk is high enough, even a low probability of compromise makes strong defensive measures worthwhile.

In this case the threat is unknown but much higher than almost anywhere else on the planet. Only you can assign a value to the asset at risk, the data & account information stored on your phone. If that value is high, take whatever measures you deem necessary to protect the value of the asset. If it's not that valuable to you after all, leave your phone on & have fun.
posted by scalefree at 4:48 PM on July 30

Because the density of people with the capability & motivation to discover, develop & execute the sort of attacks you envision is higher there than anywhere else, with the possible exception of CCC or HOPE.

Again you're imprecise with your terminology. What you're describing is either a vulnerability, which is a threat that has a known value, or an exploit, which is the practical implementation of a vulnerability. I'll take your word that there are no known vulnerabilities in either the CDMA protocol or its implementation in any handsets, but that doesn't diminish the potential for undiscovered ones or ones that've been discovered & developed in private. These are things you don't know, won't know until they're made public.

There's always a degree of uncertainty in the security field. You're never going to eliminate that. The best you can do is fill in as many of the blanks as you can & hedge your bets against the parts you still can't see.
posted by scalefree at 11:42 AM on July 31

Turns out it's your ATM card you should've left behind, not your phone.
posted by scalefree at 4:44 PM on August 2

« Older What free software (or adroit ...   |   Could you help me in making my... Newer »