LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

28C3: New attacks on GSM mobiles and security measures shown (The H)

28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 4, 2012 11:12 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
In reply to: 28C3: New attacks on GSM mobiles and security measures shown (The H) by lambda
Parent article: 28C3: New attacks on GSM mobiles and security measures shown (The H)

>Do you have a citation for this claim? That seems farfetched to me.

Yes. I'll use Russia as an example:
1) "Communication regulations law" states (41, F3) that mobile devices must be certified (have a "certificate of correspondence" [to the terms of the regulations]) for use if their owner doesn't have a personal license for radio frequency: http://www.zakonrf.info/zosvyazi/41/

2) There's even a special provision which allows manufacturers to re-declare devices as compatible in case of software changes (by notifying the regulator and paying a fee for registration).

3) "Radioelectronic device" refers to a device _and_ its software as a whole.

>Furthermore, even if it is, technically, illegal, in certain jurisdictions, how would anyone know? If it meets all of the requirements and doesn't interfere with the network, who would ever notice?

Yes, there's that. It's a bit like crypto export laws in the US back in 90-s - there was no way to enforce them but they still made a lot of projects impossible.

>And with a knife, you can also affect a lot of people around you, by stabbing them or mugging them. Knives are plenty dangerous; probably more dangerous than rogue GSM devices, which, if the networks are at all responsible, could at most create a temporary denial of service for a service that we've managed to live without up until a dozen or so years ago.

That has been before people started to rely on mobile phones for 911 and other emergency services. I don't even _have_ a fixed-line phone anymore, for example.

So yes, I think that something that has a very real potential to disrupt an important service should be controlled somehow.

(Log in to post comments)

28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 4, 2012 18:29 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]

> So yes, I think that something that has a very real potential to disrupt an important service should be controlled somehow.

by this argument you end up controlling just about everything.

shovels have the ability to cause major disruption to major services (just dig in the wrong place and cut fiber, ever hear of a 'backhoe outage'?)

at some point you need to hold people responsible for doing the disruption (and account for true accidents) rather than trying to outlaw every possible means of disruption.

28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 5, 2012 14:55 UTC (Thu) by yaap (subscriber, #71398) [Link]

With the knife example above, it's obvious when you create a problem.

With the shovel problem you mention, it may not be so obvious you create a big problem. A cable is a cable, it's not necessarily obvious what will be the consequence of a bad shovel move cutting a cable. But it's rare, and easy to detect and locate.

With telecommunications, it's hard to realize you're creating a problem in the first place. And it's very hard to pin-point and solve. Hence the strict laws to prevent the issue in the first place.

As an example of how easy it is to be a problem without realizing it. There was an article in LWN (too lazy to track the ref...) about guys doing a free software 2G stack. They were quoted saying that they just did tests with the transmit power stuck at the maximum because it was easier (yes, AGC is tricky). And they were doing the tests on a live network.
Does this mean anything to you? Well, to a telecom engineer this is pure evil incarnate. You just don't mess with power, and don't create interference in neighboring cells and being a nuisance for all but yourself.

People expert in one field tend to consider themselves good in other fields, particularly if they're both technical. And when you're new to something, many times things seem simpler than they are just because you don't even realize the problems lurking behind the surface. One has to be very careful when dealing with telecommunications not to be bitten by this. It's a very complex domain, no person can cover it all actually.

28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 5, 2012 16:50 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Well, shovels that can do real accidental damage (yes, they're called 'backhoes') are actually licensed. So your example is quite good, in fact.

You have to have a special license to operate a backhoe (at least in my country) and you also have to get a work permit to dig at a public territory.

Phones are like backhoes - they have real potential to cause disruptions in public networks and so they are regulated. It's just that regulation framework for mobile phones is quite well designed so it's essentially invisible for end-users.

>at some point you need to hold people responsible for doing the disruption (and account for true accidents) rather than trying to outlaw every possible means of disruption.

Let me quote the GPL for you:

>IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Do you agree as a GSM stack developer to be liable for disruptions (up to and including loss of life) caused by the code you distribute? If the answer is 'yes' then how this liability is going to be enforced?

IMO, the answer to this problem should lie in well-defined interfaces (hardware and software) between radiomodems and the rest of the device.

28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 5, 2012 17:37 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

In the US you do not need any license to use a backhoe

Sorry, but this just not true...

Posted Jan 5, 2012 18:41 UTC (Thu) by khim (subscriber, #9252) [Link]

Most (all?) states require at least heavy equipment operator license and Class A of CDL. Some have specialized license for backhoes.

People like to pretend that all these licenses and permits are problems of the "Old World" and in a brave new "Free World" you can do whatever you want whenever you want, but it may surprise you if you'll actually try to dig deeper and see how many things require a license in US.

Sorry, but this just not true...

Posted Jan 5, 2012 19:02 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

it depends on what you are doing. you can go down to the local rental yard and rent a small backhoe (plenty large enough to cut cables) with no special license needed.

If you are going to be employed running a backhoe, and especially if you are going to drive one on public streets, then the licensing that you are talking about will come into play.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds