Jefferson's Wheel

Karsten Nohl (SRG CpE PhD 2009) was on CBS’ 60 Minutes (April 17) as their “Moment of the Week”: Hacking into a congressman’s phone.

We heard we could find some of the world’s best hackers in Germany. So we headed for Berlin. Just off a trendy street and through this alley we rang the bell at the door of a former factory. That’s where we met Karsten Nohl, a German hacker, with a doctorate in computer engineering from the University of Virginia.

Karsten demonstrated to the reporter how to track a Congressman’s location and listen in on phone conversations using SS7 vulnerabilities (for a real Congressman, Ted Liu of California, who actually has a CS degree). With permission, of course!

We wanted to see whether Nohl’s group could actually do what they claimed — so we sent an off-the-shelf iPhone from 60 Minutes in New York to Representative Ted Lieu, a congressman from California. He has a computer science degree from Stanford and is a member of the House committee that oversees information technology. He agreed to use our phone to talk to his staff knowing they would be hacked and they were. All we gave Nohl, was the number of the 60 Minutes iPhone that we lent the congressman.

An excerpt from the show was also the 60 Minutes Moment of the Week.

I’m quoted in this article on the controversy over the FBI’s requests to Apple for assistance in unlocking an iPhone used by one of the San Bernardino terrorists: Unlocking Terrorist’s iPhone Won’t Risk Your Security, Discovery News, 24 February 2016.

“Backdoors are complicated and impossible technical challenges and would risk everyone’s privacy,” Evans said. “But what the FBI is asking for is different from what Apple says the FBI is asking for.”

For the most part, I think the article gets things right. It is very misleading to conflate what the FBI has asked for here with a cryptographic backdoor that would indeed dangerously risk everyone’s privacy and security. I covered some of the technical aspects of this in my introductory computing course last week.

Fraudulent mobile applications could trick users into entering sensitive passwords, and then send those passwords to rogue site operators. With current technologies, users have no way of knowing that when they enter a password it is going to the intended application. What is needed is a trusted path for password entry, so when users enter a password they can trust that it will only be visible to the trusted provider.

This paper presents a solution that does not require any modifications to existing apps or application servers, but modifies the Android kernel to establish a shared secret between the user and kernel as part of the boot process, and then uses that shared secret to provide a trusted path for password entry.

Tianhao Tong will present the paper at Moble Security Technologies (MoST) in San Francisco, CA, 23 May 2013.

Paper: Tianhao Tong and David Evans. GuarDroid: A Trusted Path for Password Entry. In Moble Security Technologies (MoST), San Francisco, CA, 23 May 2013. [PDF, 10 pages]

Code: GuarDroid.net

UVa Today has a story about our secure computation project: U.Va. Team Awarded $3 Million NSF Secure Computation Grant, Fariss Samarrai, UVa Today, 14 October 2011.

Photo: Cole Geddy

“Secure computation is the idea that you can have two people compute a function that depends on things that each one knows individually and wants to keep private without exposing their private data to the other person, or to anyone else,” Evans said.

The research has applications in everyday life, from private medical information, such as personal genomics, to privacy-preserving face recognition and electronic commerce.

As a simple example of how it works, consider two people who each have smartphones with personal address books. They would like to know if they know any of the same people by comparing their address books. But, they may not want to share their address books, which include potentially sensitive private information. So how can they find the common entries, without revealing anything about their other contacts?

Read More …

Forbes has an excellent interview with Karsten Nohl: Codebreaker Karsten Nohl: Why Your Phone Is Insecure By Design, Andy Greenberg, Forbes, 12 August 2011.

Nohl’s findings aren’t only meant to demonstrate that Nohl is an uber-skilled codebreaker. He argues that his work shows, more importantly, that phone encryption is made to be broken. Whether intentionally or unintentionally, he says, GPRS included flaws that its designers must have known about.

[Added 21 August] The Economist’s Babbage Blog also has an interesting article summarizing Karsten’s work on mobile phone security over the past few years: Living on the EDGE, 18 August 2011.

Dr Nohl stresses that the 11 minutes was just a first pass at writing the cracking software, and that his group used only modest equipment with no financial motive. Criminals, by contrast, could benefit mightily from accelerating the crack, he says, one reason his group has refrained from expounding the technique in detail. It has, however, pointed to some specific holes which ought to be plugged. The group found some networks disabled all security features, relying on the highly misguided notion that traffic could not be easily intercepted except by mobile operators. Having no security from the phone to a base station on a mast makes it easier to filter and monitor traffic.

In 2009 Dr Nohl and colleagues pointed out significant weaknesses to the base GSM standard. Their new attack focuses on General Packet Radio Service, better known as GPRS—a modest improvement to GSM—introduced commercially in 2000. GPRS allows rates of tens of kilobits per second (Kbps), while a subsequent tweak known as EDGE allows downstream rates of 200 to 400 Kbps. GPRS and EDGE are commonly referred to as 2.5G, sitting in between 2G and 3G network speeds.

The New York Times is covering Karsten Nohl’s work on vulnerabilities in cellular data networks: Hacker to Demonstrate ‘Weak’ Mobile Internet Security, New York Times, 9 August 2011.

Karsten Nohl, who published the algorithms used by mobile operators to encrypt voice conversations on digital phone networks in 2009, said during an interview he planned to demonstrate how he had intercepted and read the data during a presentation Wednesday.

Mr. Nohl said he and a colleague, Luca Melette, intercepted and decrypted wireless data using an inexpensive, modified, 7-year-old Motorola cellphone and several free software applications. The two intercepted and decrypted data traffic in a five-kilometer, or 3.1-mile, radius, Mr. Nohl said.

The interceptor phone was used to test networks in Germany, Italy and other European countries that Mr. Nohl declined to identify. In Germany, Mr. Nohl said he was able to decrypt and read data transmissions on all four mobile networks — T-Mobile, O2 Germany, Vodafone and E-Plus. He described the level of encryption provided by operators as “weak.”

In Italy, Mr. Nohl said his interceptions revealed that two operators, TIM, the mobile unit of the market leader, Telecom Italia, and Wind did not encrypt their mobile data transmissions at all. A third, Vodafone Italia, provided weak encryption, he said.

Technology Review also has an article: Researchers Hack Mobile Data Communications, Technology Review, 10 August 2011.

Phones might be the most familiar devices affected by the research, says Karsten Nohl, founder of Security Research Labs, a Berlin-based research consultancy that conducted the work. But the standard is also used in some cars, automated industrial systems, and electronic tollbooths. “It carries a lot of sensitive data,” Nohl says.

Security researchers haven’t looked at the GPRS standard much in the past, Nohl says, but since more and more devices are using GPRS, he believes the risk posed by poor security is growing.

Nohl’s group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren’t encrypted at all. When they were encrypted, Nohl adds, the ciphers were often weak and could be either broken or decoded with relatively short keys that were easy to guess.

The group generated an optimized set of codes that an attacker could quickly use to find the key protecting a given communication. The attack the researchers designed against GPRS costs about 10 euros for radio equipment, Nohl says.

The Register also has this story: Hackers crack crypto for GPRS mobile networks, The Register, 10 August 2011.

The details will be presented at Chaos Communications Camp today (August 10).

Peter Chapman presented our paper on Privacy-Preserving Applications on Smartphones at the 6th USENIX Workshop on Hot Topics in Security today. Here are the talk slides [PDF].

The CommonContacts demonstration app is now available in the Android Market.

Project Website

Our paper on Privacy-Preserving Applications on Smartphones is now available:

Yan Huang, Peter Chapman, and David Evans. Privacy-Preserving Applications on Smartphones. 6th USENIX Workshop on Hot Topics in Security (HotSec 2011), San Francisco. 9 August 2011. [PDF, 6 pages]

Abstract: Smartphones are increasingly becoming the most trusted computing device typical people own. They are often used to store highly sensitive information including email, financial accounts, and medical records. These properties make smartphones an ideal platform for privacy-preserving applications. To date, this area remains largely unexplored mainly because theoretical solutions to privacy-preserving computation were thought to be too heavyweight, even for standard PCs. We propose using smartphones to perform secure two (or more)-party computation. The limitations of smartphones provide a number of challenges for building such applications, but the novel trust model they provide, in particular the interactions between the phones and carriers, provides unique opportunities for useful secure computations against realistic adversaries. In this paper, we introduce the issues that make smartphones a unique platform for secure computation, identify some interesting potential applications, and describe our initial experiences creating privacy-preserving applications on Android devices.

You can also try our out demo applications and download the secure computation framework used to build them.

Peter Chapman will present the paper at HotSec on August 9 in San Francisco.