Crypto not being used where needed
At CES someone was showing a cellular credit card machine. It had an antenna and a regular card reader, and was battery powered, so it could be used anywhere. The machine was designed to be used in taxicabs, at swapmeets, and wherever there were no phone lines available. I asked the rep about its security - does it use encryption? No, it does not use encryption. It sends your credit card number and expiration date over the cellular link in clear. Most credit card machines use low-speed modems which are trivial to intercept. This one is probably no exception. Here is a case where DES is badly needed and not being used. If this machine becomes popular, thieves will be trailing taxicabs with scanners and tape recorders.
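The link-layer fix Mike is asking for, as an added example that is not code from any poster or from the terminal vendor described above: the terminal encrypts and authenticates the card record before it goes over the cellular modem, and a simple content check shows what a passive listener with a scanner and tape recorder would be able to recover from each version of the wire. It uses AES-256-GCM from Go's standard library in place of the DES the 1993 post mentions; the "PAN=...;EXP=..." record layout, the nonce-prefixed wire format, the provisioned key and the test card number are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// formatRecord builds the plaintext record the terminal would otherwise send in clear.
// The layout is an assumption for this example, not the real terminal's protocol.
func formatRecord(pan, expiry string) string {
	return "PAN=" + pan + ";EXP=" + expiry
}

// EncryptCardData returns nonce || ciphertext || tag. The nonce travels in clear,
// which is fine for GCM as long as it is never reused under the same key.
func EncryptCardData(key []byte, pan, expiry string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(formatRecord(pan, expiry)), nil), nil
}

// DecryptCardData verifies the tag (rejecting tampering or a wrong key) and parses the record.
func DecryptCardData(key, wire []byte) (pan, expiry string, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", "", err
	}
	if len(wire) < gcm.NonceSize() {
		return "", "", errors.New("short message")
	}
	pt, err := gcm.Open(nil, wire[:gcm.NonceSize()], wire[gcm.NonceSize():], nil)
	if err != nil {
		return "", "", err
	}
	parts := strings.Split(string(pt), ";")
	if len(parts) != 2 || !strings.HasPrefix(parts[0], "PAN=") || !strings.HasPrefix(parts[1], "EXP=") {
		return "", "", errors.New("malformed record")
	}
	return strings.TrimPrefix(parts[0], "PAN="), strings.TrimPrefix(parts[1], "EXP="), nil
}

// luhnValid reports whether a digit string passes the Luhn check digit test.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ContainsPAN is the listener's-eye (or a DLP sensor's) check: does the raw wire carry any
// 13-19 digit ASCII run that passes Luhn? It scans every window inside each digit run.
func ContainsPAN(wire []byte) bool {
	start := -1
	for i := 0; i <= len(wire); i++ {
		if i < len(wire) && wire[i] >= '0' && wire[i] <= '9' {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 {
			run := string(wire[start:i])
			for l := 13; l <= 19; l++ {
				for j := 0; j+l <= len(run); j++ {
					if luhnValid(run[j : j+l]) {
						return true
					}
				}
			}
			start = -1
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real terminal would hold a provisioned key
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	pan, exp := "4111111111111111", "1299" // constructed test values, not a real account
	fmt.Println("clear link exposes PAN:    ", ContainsPAN([]byte(formatRecord(pan, exp))))
	wire, _ := EncryptCardData(key, pan, exp)
	fmt.Println("encrypted link exposes PAN:", ContainsPAN(wire))
	wire[len(wire)-1] ^= 0x01 // a single flipped bit on the air
	_, _, err := DecryptCardData(key, wire)
	fmt.Println("tampered message rejected: ", err != nil)
}
```

The authenticated mode matters as much as the confidentiality: a plain DES-CBC link would hide the number from a scanner but would not tell the processor that a replayed or bit-flipped record is bogus, which is why the example rejects the tampered message rather than just decrypting it to garbage.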
Mike Ingle writes:
At CES someone was showing a cellular credit card machine. It had an antenna and a regular card reader, and was battery powered, so it could be used anywhere. The machine was designed to be used in taxicabs, at swapmeets, and wherever there were no phone lines available.
I asked the rep about its security - does it use encryption? No, it does not use encryption. It sends your credit card number and expiration date over the cellular link in clear. Most credit card machines use low-speed modems which are trivial to intercept. This one is probably no exception. Here is a case where DES is badly needed and not being used. If this machine becomes popular, thieves will be trailing taxicabs with scanners and tape recorders.
Although I sincerely agree that the data should be encrypted, is it really that easy to intercept cellular phone calls? I thought you had to go to considerably more effort than programming a scanner to pick up these transmissions - I don't know much about cellular phones, but I thought they hopped frequencies and so forth such that it was a real pain to listen in.

The reason I ask is that I have a buddy who works for local law enforcement. His group is about to roll out a network of laptops in their cars, linked by modem to the AS/400 that serves as their gateway to NCIC. We've talked about how easy it is to intercept/spoof transmissions in the clear on a single channel, but we both figured it would be considerably more difficult to intercept cellular calls. Given the level of understanding of the fuzz, they'll probably slap a Hayes modem on their Barney Fife Cop Car Radios anyway, and I'll gleefully try to trap their transmissions.... just as an exercise, of course, to educate them as to the error of their ways...

Seriously, folks, this issue is a valid one. If [insert favorite bogeyman here] can dial a scanner and pick up credit card numbers, vehicle and driver's license data, and criminal histories, our privacy is due for another beating. The way I got my friend's attention was to ask whether the police department is liable for revealing private information - in other words, if Charles Manson grabs my license data off the cops' data net, can I sue the cops?

--
........................................................................
Philippe D. Nave, Jr.   | The person who does not use message encryption
pdn@dwroll.dw.att.com   | will soon be at the mercy of those who DO...
Denver, Colorado USA    | PGP public key: by arrangement.
Although I sincerely agree that the data should be encrypted, is it really that easy to intercept cellular phone calls? I thought you had to go to considerably more effort than programming a scanner to pick up these transmissions - I don't know much about cellular phones, but I thought they hopped frequencies and so forth such that it was a real pain to listen in.
Technically it is that easy. Cellular phones only "hop frequencies" when they are mobile. In other words, as I am driving along the highway my phone is changing frequencies as I change cells. If I am stationary, however, my phone will most likely stay on one frequency within that cell. However, the MTSO (Mobile Telephone Switching Office) may command my phone to change to a different frequency if another user moves into my cell and the MTSO "decides" that my current frequency would be better allocated to the other user.

In any case, there are two solutions to tracking the frequency of a particular cellular user. First, and most expensive: get the user's ESN (Electronic Serial Number) from the phone and listen in on the control channel. I do not know how the control data is modulated on the control frequency, but once you can decode that data you can "see" the MTSO command the phone to change frequencies and cells. Secondly, simply get a frequency counter and a yagi antenna. By pointing the antenna at the cellular antenna you should be able to get the frequency the phone is currently on. When the phone switches frequencies, simply follow the same procedure. Labor intensive, but cheap!

Note, these are general ideas based on what I know about cellular. I am most definitely *not* an expert on cellular technology.
The reason I ask is that I have a buddy who works for local law enforcement. His group is about to roll out a network of laptops in their cars, linked by modem to the AS/400 that serves as their gateway to NCIC. We've talked about how easy it is to intercept/spoof transmissions in the clear on a single channel, but we both figured it would be considerably more difficult to intercept cellular calls. Given the level of understanding of the fuzz, they'll probably slap a Hayes modem on their Barney Fife Cop Car Radios anyway, and I'll gleefully try to trap their transmissions.... just as an exercise, of course, to educate them as to the error of their ways...
Seriously, folks, this issue is a valid one. If [insert favorite bogeyman here] can dial a scanner and pick up credit card numbers, vehicle and driver's license data, and criminal histories, our privacy is due for another beating. The way I got my friend's attention was to ask whether the police department is liable for revealing private information - in other words, if Charles Manson grabs my license data off the cops' data net, can I sue the cops?
I would be willing to bet that it would be "fairly" easy for the average techie to be able to intercept and decode your PD's data. And only a "little" more difficult to spoof one of the mobile data terminals. If they are using off-the-shelf hardware then you can assume that you could buy the same hardware!

--
Pat Hykkonen ** N5NPL ** pat@tstc.edu ** CNSA ** (817) 867-4831
"The pen is mightier than the sword! And my pen is bigger than your pen!"
- Jason Henderson, the eminently quotable
There are several commercially available "RF service monitors" with option modules specifically designed for AMPS (the North American cellular standard). Manufacturers include IFR, HP and Marconi. Among many other things, these monitors can be programmed to monitor cellular access channels. Whenever someone nearby hits the SEND key on their phone, the monitor instantly displays the called number, the user's MIN (phone number) and ESN (electronic serial number). Furthermore, it can be told to automatically follow the conversation channel assignment message and any subsequent handoff messages. Or the unit can be programmed to monitor the forward paging link for pages (land-to-mobile calls) directed to any particular mobile. When a page is found, the unit can again switch to the appropriate conversation channel and follow the conversation through any subsequent handoffs. You do, of course, have to remain physically close enough to the mobile in question to be able to hear the same cell sites it is using.

As a manufacturer of cellular phones, we have legitimate need for such units in testing our phones. We had one of these units in house a while back and I had a chance to play with it. I can attest to its effectiveness. It's not cheap, of course, but if we can afford one, then so can any motivated government agency.

Phil
Participants (5):
- Eric Blossom
- karn@qualcomm.com
- Mike Ingle
- pat@tstc.edu
- Philippe Nave