Security
GSM encryption crack made public
The schemes commonly used to encrypt GSM telephone calls, SMS messages, and data transmissions have been theoretically broken for years at both the protocol and cipher levels, but results presented in Berlin at the 26th Chaos Communication Congress (26C3) on December 27 demonstrate that a practical attack can be easily implemented. Researchers unveiled cracking tables requiring just two terabytes of disk space that can be used to look up a GSM encryption key and decrypt a transmission. The tables were computed on 40 commodity hardware PC nodes in just a few months' time, and are shared through Bittorrent. Furthermore, the presentation explains that the more difficult practical task of intercepting and capturing GSM calls can already be done with inexpensive radio equipment and open source software.
Background
The cipher under attack is known as A5/1; it was invented by the GSM Association in 1987. Due to the Cold War, A5/1 was deployed only in Western Europe and the United States, and was accompanied by a significantly weaker cipher called A5/2 for export to other regions. The GSM protocol supported both A5/1 and A5/2, plus A5/0, or unencrypted connections, a choice that left the protocol itself vulnerable to attack.
A5/1 was not published, but researchers began to reverse-engineer it almost immediately, work that was completed and publicized in 1999. Theoretical attacks based on weaknesses in the cipher date back to at least 1997, but real-world attacks on the system as implemented in the global GSM network only began to appear in 2003, when the team of Elad Barkan, Eli Biham, and Nathan Keller reported that phones use the same set of keys regardless of whether A5/1 or A5/2 encryption was enabled. [PULL QUOTE: Thus, by momentarily tricking a phone into using A5/2 (which can be cracked in seconds), a man-in-the-middle attacker can retrieve the session key for a call and continue to decrypt it even if it subsequently switches to A5/1 at the network's request. END QUOTE] Thus, by momentarily tricking a phone into using A5/2 (which can be cracked in seconds), a man-in-the-middle attacker can retrieve the session key for a call and continue to decrypt it even if it subsequently switches to A5/1 at the network's request. Shortly thereafter, networks were advised to discontinue use of A5/2.
Barkan, Biham, and Keller also published a ciphertext-only attack on A5/1 itself that relied on a time-memory tradeoff: building a lookup table of partially-precomputed hash values. A5/1 uses a 64-bit key (although, interestingly enough, 10 bits are fixed at 0 in all known deployments, making the practical strength 54-bits), which would require around 128 petabytes for a complete code book (a complete plaintext:ciphertext table for each key).
In 2008, a group called The Hackers Choice (THC) announced that it had computed the complete code book, in a more space-efficient format that required just three terabytes, running on a cluster of 70 field-programmable gate array (FPGA) boards. THC did not publish its tables, however.
A5/1 Security Project, technique and results
At the Hacking at Random conference in July of 2009, researchers Karsten Nohl and Sascha Krißler announced yet another effort to compute the code book, dubbed the A5/1 Security Project, utilizing distributed computing with publicly available source code. The A5/1 Security Project code was designed to run on NVIDIA and ATI graphics cards using the CUDA parallelization architecture; a participating node would claim a unique chunk of the code book from the project, then report its results back to the centralized server.
Nohl and Chris Paget announced in their 26C3 presentation that the project had completed computation of the tables, and that the complete result was available on Bittorrent. Around 40 nodes participated in the effort over three months; some false starts caused by bugs in the code slowed down the computation initially, but the results as presented at 26C3 are final. The format chosen by the project uses a combination of rainbow tables and distinguished point tables as a space-saving measure.
Rather than storing the entire code book as a plaintext:ciphertext lookup table, rainbow tables compute chains of encrypted values, and store only the first and last values in the chain. Decrypting a given value then involves generating a chain from the value, and looking at each step for a match in the rainbow table. Thus, using longer chains in the rainbow table requires less storage space, but demands more time in the decryption step by requiring more computation steps looking for a match. But once a match has been found, the key can then be determined allowing further decryption using the algorithm directly.
Distinguished point tables save space by selectively storing only those chains in the table that have an endpoint matching some helpful property — such as a long string of zero-bits. Chains that don't have that property are not stored saving a great deal of space, but turn the key extraction into a probabilistic search. Given enough ciphertext, though, key extraction should be possible.
The team eventually settled on a combined table approach that used 380 tables, each of which consists of 32 distinguished-point segments of length 2^15 merged into one rainbow table. In addition, they discovered ways to locate known plaintext in a GSM transmission (such as predictable ACK packets) that would save time and space by requiring a smaller subset of the code book to be computed. If those details do not communicate much to non-cryptographers, the practical results should: the final tables take up just 2 terabytes of storage space, and can be used to perform near-real-time decryption.
Reaction and better security
Nohl and Paget are quick to point out that the completion of the A5/1 tables itself does not constitute a measure for intercepting and listening in on GSM telephone calls. Shortly after news of the work went public, the GSM Association issued a press release playing down the result, based in large part on what it called the "practical complexity" of capturing and recording a GSM call.
Nohl and Paget dealt with that assertion in their talk, describing the components that would be required to receive, process, and record GSM calls, all of which are easy to obtain. At the hardware level, the Universal Software Radio Peripheral (USRP) developed for the GNU Radio project can tune and capture GSM spectrum. The OpenBTS software stack implements GSM and is designed for use with USRP, allowing the user to process and decode the data in a GSM channel, as well as to perform other feats in active attacks, such as faking a legitimate GSM base station. Other software packages, such as OpenBSC and Airprobe, can also be used for specific GSM-related tasks.
The GSM Association press release also implies that any real-world risk inherent in a broken A5/1 is moot because the stronger A5/3 is also available, and is not subject to the same algorithmic attacks. Nohl and Paget point out, however, that theoretical attacks on A5/3 have already been published, and that, despite its availability for over a decade, no carriers use it.
Moreover, the GSM protocol itself is still highly insecure; in fact the same technique Barkan, Biham, and Keller used in 2003 to trick a phone into downgrading from A5/1 to A5/2 can also be used to attack A5/3 — since A5/3 uses the same encryption keys as A5/1 and A5/2. In addition, lack of network authentication and the fact that GSM phones automatically attach to the strongest available base station make interception and man-in-the-middle attacks possible, that are independent of the encryption method deployed.
Securing mobile phone communications is vital in today's world. As Nohl and Paget's presentation noted, GSM is not only used for voice calls, but for SMS (which increasingly includes financial transactions) and EDGE data connections as well. Consumers have no control over the GSM network, and although most have little to worry about in the realm of criminal attackers intercepting their voice calls, business and government users do. 40 off-the-shelf graphics cards computed the A5/1 code book in less than three months; the estimated hardware needed to built a USRP-based GSM interceptor is less than US$3000. That is a trivial investment to anyone with a financial interest in eavesdropping. On top of that, as the weakness of WEP encryption demonstrated to WiFi router owners, a broken security system leaves the network open to mischief, bandwidth-theft, and other security problems beyond call interception. Hopefully, as the A5/1 Security Project suggests, the telecommunications sector will now take positive steps to correct the flaws in GSM and implement better security.
For the open source software community, however, there is another benefit to the project's success: the basic idea is reusable. The team built the distributed pre-computation framework to be generic; it can work on any cipher, with different table layouts, and on multiple hardware back-ends. In other words, if you have a cipher that needs a code book and you have access to 40 modern graphics cards, your job may have just gotten a lot easier.
Brief items
Critical PowerDNS Recursor security vulnerabilities
Those of you using PowerDNS Recursor 3.1.7.1 or earlier will want to upgrade to 3.1.7.2 quickly. "The two major vulnerabilities can lead to a FULL SYSTEM COMPROMISE, as well as cache poisoning, connecting your users to possibly malicious IP addresses." Distributor updates are on their way, but the advisory notes that Ubuntu will not be shipping an update, so Ubuntu users will need to do the upgrade manually.
The isolate utility
Isolate is a program designed to run otherwise unsafe programs in a secure manner. "This utility, isolate, runs processes in a chroot-ed environment, with constrained resource limits, as a random UID, and with limited access to the X server. An isolated program ('isolatee') no longer has all the authority of your user account, but you can still enjoy its legitimate functionality. You can play even maliciously-crafted songs in an unsafely implemented music player, with greatly minimized risk to your other data." As with so many security-related programs, its original inspiration comes from Daniel J. Bernstein.
New vulnerabilities
acl: symlink attack
| Package(s): | acl | CVE #(s): | CVE-2009-4411 | ||||||||||||||||
| Created: | December 29, 2009 | Updated: | April 19, 2011 | ||||||||||||||||
| Description: | From the Mandriva advisory: The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
automake: arbitrary code execution
| Package(s): | automake | CVE #(s): | CVE-2009-4029 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | January 4, 2010 | Updated: | October 27, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla entry: Jim Meyering found a race condition in the way Automake used to prepare content of directories hierarchy (top-level directory and its subdirectories), when the "distdir" based Automake target was used. A local attacker could use this flaw to inject malicious content into the resulting directory and potentially subsequently execute arbitrary code with the privileges of the user issuing the "./configure" command. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gimp: integer overflows
| Package(s): | gimp | CVE #(s): | |||||
| Created: | January 5, 2010 | Updated: | January 6, 2010 | ||||
| Description: | Multiple bugs were fixed in GIMP 2.6.8, including several integer overflow vulnerabilities. | ||||||
| Alerts: |
| ||||||
jpgraph: multiple cross-site scripting vulnerabilities
| Package(s): | jpgraph | CVE #(s): | CVE-2009-4422 | ||||
| Created: | December 28, 2009 | Updated: | January 6, 2010 | ||||
| Description: | From the Mandriva advisory: Multiple cross-site scripting (XSS) vulnerabilities in the GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph 3.0.6 allow remote attackers to inject arbitrary web script or HTML via a key to csim_in_html_ex1.php, and other unspecified vectors (CVE-2009-4422). | ||||||
| Alerts: |
| ||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-4410 | ||||||||
| Created: | December 25, 2009 | Updated: | January 6, 2010 | ||||||||
| Description: | From the Red Hat bugzilla: There is a problem in the ioctl handler in the fuse kernel code that causes a panic under some circumstances. | ||||||||||
| Alerts: |
| ||||||||||
krb5: denial of service
| Package(s): | krb5 | CVE #(s): | CVE-2009-3295 | ||||||||||||||||||||
| Created: | January 6, 2010 | Updated: | January 19, 2010 | ||||||||||||||||||||
| Description: | The krb5 key distribution center service can be caused to crash remotely by way of a specially-crafted request. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
NetworkManager: multiple vulnerabilities
| Package(s): | NetworkManager | CVE #(s): | CVE-2009-4145 CVE-2009-4144 | ||||||||||||||||||||
| Created: | January 4, 2010 | Updated: | February 23, 2010 | ||||||||||||||||||||
| Description: | From the Red Hat bugzilla entries [1, 2]: CVE-2009-4145: nm-connection-editor inadvertently exported connection objects on the bus, and when a user changes those connections though the connection editor GUI, the editor may emit a summary of those changes onto the bus, leading to the information disclosure. CVE-2009-4144: If the user had set up a WPA Enterprise or 802.1x connection that used a CA certificate to verify the identity of the network to which the user was connecting, and the user deleted or moved that CA certificate file at a later point, NetworkManager will still connect to that network but without using the CA certificate. This could result in connections to a rogue network that is spoofing the original network as the identity of the network is not verified with the CA certificate after the certificate has been deleted. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
PHP: multiple vulnerabilities
| Package(s): | php | CVE #(s): | CVE-2009-4142 CVE-2009-4143 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | January 6, 2010 | Updated: | February 23, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The PHP 5.2.12 release fixes a number of security-related bugs, including a cross-site scripting vulnerability (CVE-2009-4142) and a failure to properly handle session data with "unspecified impact" (CVE-2009-4143). See the release notes for more information. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
phpldapadmin: local file inclusion
| Package(s): | phpldapadmin | CVE #(s): | |||||
| Created: | December 25, 2009 | Updated: | January 6, 2010 | ||||
| Description: | From the Secunia advisory: A vulnerability has been discovered on phpLDAPadmin, which can be exploited by malicious people to disclose sensitive information. Input passed via the "cmd" parameter to cmd.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources. The vulnerability is confirmed in version 1.1.0.7. Other versions may also be affected. | ||||||
| Alerts: |
| ||||||
slim: X session hijacking
| Package(s): | slim | CVE #(s): | CVE-2009-1756 | ||||||||
| Created: | January 4, 2010 | Updated: | September 9, 2010 | ||||||||
| Description: | From the Red Hat bugzilla entry: Potential man-in-the-middle attack was found in SLiM (Simple Login Manager) due to improper processing of authorization information used in connection to the X server. A local attacker could use this flaw to hijack X session of the victim by overhearing of certain information, needed for proper extraction of authorization records. | ||||||||||
| Alerts: |
| ||||||||||
stardict: information disclosure
| Package(s): | stardict | CVE #(s): | CVE-2009-2260 | ||||
| Created: | January 4, 2010 | Updated: | January 6, 2010 | ||||
| Description: | From the Red Hat bugzilla entry: stardict 3.0.1, when Enable Net Dict is configured, sends the contents of the clipboard to a dictionary server, which allows remote attackers to obtain sensitive information by sniffing the network. | ||||||
| Alerts: |
| ||||||
unbound: bad cryptographic implementation
| Package(s): | unbound | CVE #(s): | CVE-2009-3602 | ||||||||
| Created: | December 28, 2009 | Updated: | February 23, 2010 | ||||||||
| Description: | From the Debian advisory: It was discovered that Unbound, a DNS resolver, does not properly check cryptographic signatures on NSEC3 records. As a result, zones signed with the NSEC3 variant of DNSSEC lose their cryptographic protection. (An attacker would still have to carry out an ordinary cache poisoning attack to add bad data to the cache.) | ||||||||||
| Alerts: |
| ||||||||||
viewvc: multiple vulnerabilities
| Package(s): | viewvc | CVE #(s): | |||||||||
| Created: | December 29, 2009 | Updated: | January 6, 2010 | ||||||||
| Description: | From the Fedora advisory:
* security fix: add root listing support of per-root authz config * security fix: query.py requires 'forbidden' authorizer (or none) in config | ||||||||||
| Alerts: |
| ||||||||||
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2009-4376 CVE-2009-4377 | ||||||||||||||||||||||||||||||||||||
| Created: | December 24, 2009 | Updated: | June 1, 2010 | ||||||||||||||||||||||||||||||||||||
| Description: | From the Fedora alert: The Daintree SNA file parser could overflow a buffer. (Bug 4294) CVE-2009-4376 The SMB and SMB2 dissectors could crash. (Bug 4301) CVE-2009-4377 | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>