Menu

Timesdelhi.com

May 23, 2019
Category archive

mobile security

Google recalls its Bluetooth Titan Security Keys because of a security bug

in Bluetooth/computer security/cryptography/cybercrime/Delhi/Google/India/key/Keys/mobile security/Password/phishing/Politics/security token/TC/wireless by

Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. The company says that the bug is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users.

The bug affects all Titan Bluetooth keys, which sell for $50 in a package that also includes a standard USB/NFC key, that have a “T1” or “T2” on the back.

To exploit the bug, an attacker would have to within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attackers can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that — and assuming that they already have your username and password — they could sign into your account.

Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by using their own device and masquerading it as your security key to connect to your device when you press the button on the key. By doing this, the attackers can then change their device to look like a keyboard or mouse and remote control your laptop, for example.

All of this has to happen at the exact right time, though, and the attacker must already know your credentials. A persistent attacker could make that work, though.

Google argues that this issue doesn’t affect the Titan key’s main mission, which is to guard against phishing attacks, and argues that users should continue to use the keys until they get a replacement. “It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,” the company writes in today’s announcement.

The company also offers a few tips for mitigating the potential security issues here.

Some of Google’s competitors in the security key space, including YubiCo, decided against using Bluetooth because of potential security issues and criticized Google for launching a Bluetooth key. “While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” YubiCo founder Stina Ehrensvard wrote when Google launched its Titan keys.

News Source = techcrunch.com

New flaws in 4G, 5G allow attackers to intercept calls and track phone locations

in 5g/Asia/Delhi/Europe/GSM/India/mobile security/Politics/privacy/san diego/Security/spokesperson/surveillance/Technology/telecommunications/torpedo/United States/Verizon by

A group of academics have found three new security flaws in 4G and 5G, which they say can be used to intercept phone calls and track the locations of cell phone users.

The findings are said to be the first time vulnerabilities have affected both 4G and the incoming 5G standard, which promises faster speeds and better security, particularly against law enforcement use of cell site simulators, known as “stingrays.” But the researchers say that their new attacks can defeat newer protections that were believed to make it more difficult to snoop on phone users.

“Any person with a little knowledge of cellular paging protocols can carry out this attack,” said Syed Rafiul Hussain, one of the co-authors of the paper, told TechCrunch in an email.

Hussain, along with Ninghui Li and Elisa Bertino at Purdue University, and Mitziu Echeverria and Omar Chowdhury at the University of Iowa are set to reveal their findings at the Network and Distributed System Security Symposium in San Diego on Tuesday.

“Any person with a little knowledge of cellular paging protocols can carry out this attack… such as phone call interception, location tracking, or targeted phishing attacks.” Syed Rafiul Hussain, Purdue University

The paper, seen by TechCrunch prior to the talk, details the attacks: the first is Torpedo, which exploits a weakness in the paging protocol that carriers use to notify a phone before a call or text message comes through. The researchers found that several phone calls placed and cancelled in a short period can trigger a paging message without alerting the target device to an incoming call, which an attacker can use to track a victim’s location. Knowing the victim’s paging occasion also lets an attacker hijack the paging channel and inject or deny paging messages, by spoofing messages like as Amber alerts or blocking messages altogether, the researchers say.

Torpedo opens the door to two other attacks: Piercer, which the researchers say allows an attacker to determine an international mobile subscriber identity (IMSI) on the 4G network; and the aptly named IMSI-Cracking attack, which can brute force an IMSI number in both 4G and 5G networks, where IMSI numbers are encrypted.

That puts even the newest 5G-capable devices at risk from stingrays, said Hussain, which law enforcement use to identify someone’s real-time location and log all the phones within its range. Some of the more advanced devices are believed to be able to intercept calls and text messages, he said.

According to Hussain, all four major U.S. operators — AT&T, Verizon (which owns TechCrunch), Sprint and T-Mobile — are affected by Torpedo, and the attacks can carried out with radio equipment costing as little as $200. One U.S. network, which he would not name, was also vulnerable to the Piercer attack.

The Torpedo attack — or “TRacking via Paging mEssage DistributiOn. (Image: supplied)

We contacted the big four cell giants, but none provided comment by the time of writing. If that changes, we’ll update.

Given two of the attacks exploit flaws in the 4G and 5G standards, almost all the cell networks outside the U.S. are vulnerable to these attacks, said Hussain.  Several networks in Europe and Asia are also vulnerable.

Given the nature of the attacks, he said, the researchers are not releasing the proof-of-concept code to exploit the flaws.

It’s the latest blow to cellular network security, which has faced intense scrutiny no more so than in the last year for flaws that have allowed the interception of calls and text messages. Vulnerabilities in Signaling System 7, used by cell networks to route calls and messages across networks, are under active exploitation by hackers. While 4G was meant to be more secure, research shows that it’s just as vulnerable as its 3G predecessor. And, 5G was meant to fix many of the intercepting capabilities but European data security authorities warned of similar flaws.

Hussain said the flaws were reported to the GSMA, an industry body that represents mobile operators. GSMA recognized the flaws, but a spokesperson was unable to provide comment when reached. It isn’t known when the flaws will be fixed.

Hussain said the Torpedo and IMSI-Cracking flaws would have to be first fixed by the GSMA, whereas a fix for Piercer depends solely on the carriers. Torpedo remains the priority as it precursors the other flaws, said Hussain.

The paper comes almost exactly a year after Hussain et al revealed ten separate weaknesses in 4G LTE that allowed eavesdropping on phone calls and text messages, and spoofing emergency alerts.

News Source = techcrunch.com

A simple solution to end the encryption debate

in Atlanta/Column/computer security/computing/crypto wars/cryptography/Cyberwarfare/Delhi/encryption/executive/Federal Bureau of Investigation/India/law enforcement/mobile devices/mobile security/Politics/smartphone/smartphones/Symphony Communications by

Criminals and terrorists, like millions of others, rely on smartphone encryption to protect the information on their mobile devices. But unlike most of us, the data on their phones could endanger lives and pose a great threat to national security.

The challenge for law enforcement, and for us as a society, is how to reconcile the advantages of gaining access to the plans of dangerous individuals with the cost of opening a door to the lives of everyone else. It is the modern manifestation of the age-old conflict between privacy versus security, playing out in our pockets and palms.

One-size-fits all technological solutions, like a manufacturer-built universal backdoor tool for smartphones, likely create more dangers than they prevent. While no solution will be perfect, the best ways to square data access with security concerns require a more nuanced approach that rely on non-technological procedures.

The FBI has increasingly pressed the case that criminals and terrorists use smartphone security measures to avoid detection and investigation, arguing for a technological, cryptographic solution to stop these bad actors from “going dark.” In fact, there are recent reports that the Executive Branch is engaged in discussions to compel manufacturers to build technological tools so law enforcement can read otherwise-encrypted data on smartphones.

But the FBI is also tasked with protecting our nation against cyber threats. Encryption has a critical role in protecting our digital systems against compromises by hackers and thieves. And of course, a centralized data access tool would be a prime target for hackers and criminals. As recent events prove – from the 2016 elections to the recent ransomware attack against government computers in Atlanta – the problem will likely only become worse. Anything that weakens our cyber defenses will only make it more challenging for authorities to balance these “dual mandates” of cybersecurity and law enforcement access.

There is also the problem of internal threats: when they have access to customer data, service providers themselves can misuse or sell it without permission. Once someone’s data is out of their control, they have very limited means to protect it against exploitation. The current, growing scandal around the data harvesting practices on social networking platforms illustrates this risk. Indeed, our company Symphony Communications, a strongly encrypted messaging platform, was formed in the wake of a data misuse scandal by a service provider in the financial services sector.

(Photo by Chip Somodevilla/Getty Images)

So how do we help law enforcement without making data privacy even thornier than it already is? A potential solution is through a non-technological method, sensitive to the needs of all parties involved, that can sometimes solve the tension between government access and data protection while preventing abuse by service providers.

Agreements between some of our clients and the New York State Department of Financial Services (“NYSDFS”), proved popular enough that FBI Director Wray recently pointed to them as a model of “responsible encryption” that solves the problem of “going dark” without compromising robust encryption critical to our nation’s business infrastructure.

The solution requires storage of encryption keys — the codes needed to decrypt data — with third party custodians. Those custodians would not keep these client’s encryption keys. Rather, they give the access tool to clients, and then clients can choose how to use it and to whom they wish to give access. A core component of strong digital security is that a service provider should not have access to client’s unencrypted data nor control over a client’s encryption keys.

The distinction is crucial. This solution is not technological, like backdoor access built by manufacturers or service providers, but a human solution built around customer control.  Such arrangements provide robust protection from criminals hacking the service, but they also prevent customer data harvesting by service providers.

Where clients choose their own custodians, they may subject those custodians to their own, rigorous security requirements. The clients can even split their encryption keys into multiple pieces distributed over different third parties, so that no one custodian can access a client’s data without the cooperation of the others.

This solution protects against hacking and espionage while safeguarding against the misuse of customer content by the service provider. But it is not a model that supports service provider or manufacturer built back doors; our approach keeps the encryption key control in clients’ hands, not ours or the government’s.

A custodial mechanism that utilizes customer-selected third parties is not the answer to every part of the cybersecurity and privacy dilemma. Indeed, it is hard to imagine that this dilemma will submit to a single solution, especially a purely technological one. Our experience shows that reasonable, effective solutions can exist. Technological features are core to such solutions, but just as critical are non-technological considerations. Advancing purely technical answers – no matter how inventive – without working through the checks, balances and risks of implementation would be a mistake.

News Source = techcrunch.com

Go to Top