Tuesday, March 16, 2010

ScotiaBank, A51 Encryption GOJ Security on Telecom Providers GSM Networks


It would seem that keys (and by extension security encryption, which is a type of key) do not provide a means of security and protection from unwanted intrusions by persons who are willing and determined to break into secure systems.

This became painfully obvious on Wednesday January 6th 2010 when the Bank of Nova Scotia announced on radio that persons were soliciting the card numbers and PINs (Personal Identification Numbers) of customers' debit and credit card accounts via a phishing scam, i.e. a fake website requesting personal information. This technique is nothing new, and it is not the first time either, as Cable and Wireless (now LIME) used to put out advisories warning persons against giving out account information if they had received email of the type described in the advisory.

What amuses me and other friends of mine with whom I spoke who used to work in the Telecoms Sector, is the fact that institutions like the Bank of Nova Scotia and Cable and Wireless, then and even now, have not addressed these recurrent security breaches to their respective systems, despite the obvious increase in access to higher, more powerful computers, decryption software and the World Wide Web (commonly called the Internet), which for the first time allows people to taste the fruit of the Tree of Knowledge that is “both good and evil”.

More than ever, especially in a Jamaican economy that is now feeling the effects of a Recession in the United States of America, this kind of access to technology is becoming a vehicle and means by which people will now attempt to take from those who are obviously more privileged in society that which they desire, be it information or money.

But it gets stranger. Keys, even if hidden, can be revealed via a variety of methods, especially in the world of interconnected Networks. One does not need to have access to a key, only to know what shape it has, in order to copy it, which is a bit of ancient wisdom from the mighty Egyptians, the originators of keys.

For years, persons like myself have complained of the lax level of security as it relates to keys and security passwords in various Telecoms Providers i.e. Telecom Provider C&W and recently Telecom Provider CLARO, at which I had worked. Even worse is the fact that a lot of persons in both these workplaces, especially in the office, are careless with keys, be they physical keys or virtual ones i.e. passwords, codebooks, etc.

On several occasions while working in Telecoms Providers companies, I had access and the ability to copy the A5/1 and A5/3 codebooks, which are used in the encryption and decryption of phone conversations on GSM-based (Global System for Mobile Communications) cell phones. Since leaving the murky secret world of Telecom Providers, I have encountered persons online who have the entire copy of not only the A5/1 codebook but the A5/3 codebook as well, albeit only partial decryptions which had errors.

However, with my own personal knowledge that the A5/1 codebook was a 64-bit encryption sequence and the increasing power of computers available to ordinary citizens, it was only a matter of time before someone with the technical expertise and know-how would make a complete decoding of the codebook.

Recently a German security expert, Karsten Nohl, indicated at a Hackers convention press conference in German that he had decrypted the A5/1 codebook, which uses a 64-bit encryption key, as stated in the article “Q&A: Researcher Karsten Nohl on Mobile eavesdropping”, published January 1, 2010 4:00 AM PST by Elinor Mills, InSecurity Complex – CNET News. For the layperson, this means that conversations on Telecoms Providers Networks that still use the A5/1 codebook are not only interceptable but decodable. It is thus being hoped that local Telecoms companies have upgraded to the more secure A5/3 codebook, which Dr. Karsten Nohl, who holds a PhD in computer engineering from the University of Virginia, has yet to decrypt... at least for now.

What Dr. Karsten Nohl's research means is that for the first time, the almost 80 billion users in the world on the older GSM Networks that have not yet gone 3G, which uses the stronger (and supposedly more secure) A5/3 codebook, can have their conversations intercepted and reliably deciphered using off-the-shelf, easily available computer hardware. What is even worse, this information is now circulating on the Internet, as Dr. Karsten Nohl did this project with assistance from volunteers and developers from the Open Source community.

In practical terms, this means that not only is the knowledge of the process of how the codebook operates and is produced widely known, mobile conversations on older GSM Networks still using A5/1 codebooks can now be easily decrypted. Decryption was possible years ago with the right gear, but this equipment was specialized and required security clearance and registration and was very expensive.

Thus with this breakthrough, thanks to the Open Source Community, GSM mobile conversations can no longer be considered private and confidential, as now embassies and politicians will soon realize that persons with laptops with the right gear can intercept their conversations as far as a kilometer away.

Thus the recent Bank of Nova Scotia advisory must now appear to be alarmist news, as most wireless POS (Point Of Sale) devices at Gas Stations and Convenience Stores island wide are on GSM Networks, using GPRS (Global Packet Radio System) and EDGE (Enhanced Data Rates for GSM Evolution) to transmit data for each transaction involving debit and credit card accounts.

Thus, the layperson, armed with this information, is left to wonder where the real concern of the Bank of Nova Scotia should be focused: not the few hundred people, whose numbers admittedly are increasing, who do transactions online and often receive notifications via email and may mistake them as real when in fact they are part of a phishing scam, but the increasing thousands of people who are now using wireless POS (Point Of Sale) devices at Gas Stations and Convenience Stores island wide, whose transactions are now interceptable and reliably decodable with equipment that is already easily available in Jamaica.

But then what of personal conversations? Are these too not interceptable? Do these not also contain valuable information, even more valuable than PIN numbers and account passwords?

Thus the argument moves away from the Bank of Nova Scotia and other banks and financial institutions that use Debit/Credit Cards and POS (Point Of Sale) devices to the Telecoms Providers, most of whom operate GSM Networks, some with 3G and WiMAX 4G Fixed (IEEE 802.16a) and WiMAX 4G Mobile (IEEE 802.16d) compliant Networks, who may still be using A5/1 codebooks.

As Customers and Subscribers, especially concerned private citizens and persons who work in sensitive industries such as consulates, embassies, politics and security, learn of the news, Telecoms Providers will have to increase their level of security, as the 128-bit A5/3 codebooks will also soon be decrypted and then all mobile communications, both on 2G and 3G Networks, will be easily interceptable.
