Press release Box-ID: 363942

Fortify Software, Inc 2215 Bridgepointe Pkwy, Suite 400 94404 San Mateo, CA, United States http://www.fortify.com
Contact Ms Yvonne Eskenzi +44 20 7183 2832

Weekend DefCon 2010 hack of cellular networks highlights need for building security into technology from the start - not adding as an afterthought, says Fortify Software

(PresseBox) (San Mateo, CA)
A demonstration of how cellular transmissions from mobile phones can be subverted and users' mobiles fooled into logging into a rogue GSM station - so allowing calls to be eavesdropped and falsified - highlights the fact that the designers of the GSM standard never envisaged the need for ultra-high levels of security on mobile calls.

"When the GSM standard was formulated more than 20 years ago, the developers were required to design a digital successor to the analogue cellular standards of the day. As a result, security was only added after the basic standard was developed," said Barmak Meftah, Fortify Software's chief products officer.

"Security was not built into the standard from day one, but essentially added as an afterthought. And that is why we have today's crackers able to subvert the technology using an 'evil twin' methodology that is widely used when hacking WiFi networks," he added.

According to the software security assurance expert, evil twin attacks - in which a rogue base station is placed close to the WiFi network that is to be hacked - have been around for a number of years, and fool the mobile into logging into the rogue base station and handing over its handshaking credentials.

It's the same with Chris Paget's rogue micro cellular base station, says Meftah, as -- similar to the WiFi evil twin scenario -- the user session can be relayed onto the legitimate network, allowing the cracker to stage a man-in-the-middle attack on the cellular user, eavesdropping on the call and the data handshaking procedures.

The bad news here, he explained, is that not only are the call contents recordable, but the cracker can then generate the handshake credentials at another cellular base station, and place outgoing calls on the cracked cellular user's account.

Call resale fraud was a major problem in the early analogue days of cellular, and allowed 'calling shops' on street corners to rent out mobiles for lengthy calls to foreign destinations for a few pounds/dollars, but ended up with the legitimate cellular user footing the bill - or his operator, if the bill is extraordinarily high, he went on to say.

The really bad news about this hack, says the Fortify product chief, is that it exploits a structural flaw in the GSM standard that is difficult to fix retrospectively, as there are hundreds of millions of existing standard phones in regular usage.

"Sure, the networks can increase the security of their networks to beat this problem, but that leaves existing mobile users high and dry. It really shows how a lack of investment in security at the development stages - building security firmly into the technology - has not been made," he said.

"It all comes down to the program code that the GSM standard developments worked on. This could have serious repercussions for GSM users across the world," he added.

For more on the DefCon 2010 GSM cellular standard crack: http://bit.ly/b5P9qI

For more on Fortify Software: www.fortify.com
The publisher indicated in each case is solely responsible for the press releases above, the event or job offer displayed, and the image and sound material used (see company info when clicking on image/message title or company info right column). As a rule, the publisher is also the author of the press releases and the attached image, sound and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.