[19829] in bugtraq
Re: otp - the next generation
daemon@ATHENA.MIT.EDU (Dag-Erling Smorgrav)
Sat Mar 24 01:40:46 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Message-ID: <xzp66h0lgn7.fsf@aes.thinksec.com>
Date: Fri, 23 Mar 2001 15:11:08 +0100
Reply-To: des@THINKSEC.COM
From: Dag-Erling Smorgrav <des@THINKSEC.COM>
X-To: Gregory Steuck <greg@NEST.CX>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Gregory Steuck's message of "Thu, 22 Mar 2001 15:46:44 -0800"
Content-Transfer-Encoding: 8bit
Gregory Steuck <greg@NEST.CX> writes:
> This is the part the whole authentication mechanism depends on. You made
> at least 2 assumptions here:
I'm tempted to quote Samuel Jackson here - "as everyone knows, when
you make an assumption, you make an ass out of you and mption" :)
> 1) GSM phone network is secure between the endpoints (phones) and can
> not be sniffed.
This is a serious problem. GSM does not offer end-to-end encryption.
See further down.
> 2) SMS source address can not be forged.
They can - it's trivial if you have the right phone (or rather, the
right firmware). This is less serious though, since the one-time
password is sent to the registered phone number, so even if a third
party forges your MSN he will not receive the OTP. It does allow for
some interesting DoS or harassment attacks though.
This is a situation which GSM operators could easily remedy if they
wanted to - just like ISPs could easily kill certain types of DoS
attacks at the source with egress routing - there just doesn't seem to
be any incentive to do so.
(It's even possible to forge so-called network-originated messages,
which can be used to reprogram the recipient's SIM card etc.)
> I am pretty sure that both assumptions are wrong. Phone company (or
> companies, I don't know how the messages are routed) will most certainly
> be able to sniff your messages and forge the source address.
The situation is even worse if the sender and receiver are on
different GSM networks - GSM operators typically exchange SMS messages
over unencrypted TCP/IP connections.
DES
--
Dag-Erling Smørgrav - des@thinksec.com
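An added illustration, not part of the post above, of the point about forged source addresses: a toy Python model of an SMS-triggered one-time-password service that looks the account up by the source MSISDN the carrier presents and sends the code to the number registered for that account. Whoever forges the victim's number as the source gets nothing back, as the post says, but every forged request costs the victim an unsolicited message, so the model also carries the per-destination rate limit a service would want against that harassment, plus single-use and expiry checks on the login side. The account name, phone numbers, short code and LOGIN keyword are constructed for the example; nothing here talks to a real SMS gateway.

```python
"""Toy model of an SMS-triggered one-time-password service.

Added example, not code from the original Bugtraq post. The account, the
phone numbers, the short code and the LOGIN keyword are constructed for
the illustration; no real SMS gateway is involved.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class InboundSms:
    source: str   # sender MSISDN as presented by the carrier: forgeable
    dest: str     # the service's short code
    text: str


@dataclass
class OtpService:
    registered: dict                 # account -> registered MSISDN
    now: float = 0.0                 # simulated clock, seconds
    max_per_window: int = 3          # OTP messages per destination per window
    window_s: float = 600.0
    otp_ttl_s: float = 300.0
    outbox: list = field(default_factory=list)    # (dest, text) pairs "sent"
    pending: dict = field(default_factory=dict)   # account -> (otp, expiry)
    sends: dict = field(default_factory=dict)     # dest -> send timestamps

    def _account_for(self, msisdn):
        for acct, number in self.registered.items():
            if number == msisdn:
                return acct
        return None

    def _over_limit(self, dest):
        recent = [t for t in self.sends.get(dest, []) if self.now - t < self.window_s]
        self.sends[dest] = recent
        return len(recent) >= self.max_per_window

    def handle(self, sms):
        """Process one inbound request; returns a status string."""
        if sms.text.strip().upper() != "LOGIN":
            return "ignored"
        acct = self._account_for(sms.source)
        if acct is None:
            return "unknown-source"
        # The code goes to the number registered for the account, so a forged
        # source buys the forger nothing; it only costs the victim a message.
        dest = self.registered[acct]
        if self._over_limit(dest):
            return "rate-limited"
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[acct] = (otp, self.now + self.otp_ttl_s)
        self.outbox.append((dest, f"Your one-time password is {otp}"))
        self.sends.setdefault(dest, []).append(self.now)
        return "sent"

    def verify(self, acct, otp):
        """Check an OTP presented over the login channel: single use, expiring."""
        entry = self.pending.pop(acct, None)
        if entry is None:
            return False
        expected, expiry = entry
        return self.now < expiry and secrets.compare_digest(expected, otp)


def run_scenario():
    """Forged-source flood against alice, then legitimate use. Returns observations."""
    victim, attacker = "+4712345678", "+4799999999"
    svc = OtpService(registered={"alice": victim})
    # The attacker forges alice's number as the source of five LOGIN requests.
    statuses = [svc.handle(InboundSms(victim, "2345", "LOGIN")) for _ in range(5)]
    destinations = {dest for dest, _ in svc.outbox}
    # Alice reads the latest code off her phone and logs in with it, once.
    latest_otp = svc.outbox[-1][1].split()[-1]
    first_ok = svc.verify("alice", latest_otp)
    replay_ok = svc.verify("alice", latest_otp)
    # After the window a fresh request succeeds, but an unused code expires.
    svc.now += 601
    later_status = svc.handle(InboundSms(victim, "2345", "LOGIN"))
    svc.now += 301
    expired_ok = svc.verify("alice", svc.outbox[-1][1].split()[-1])
    return {
        "statuses": statuses,
        "attacker_got_otp": attacker in destinations,
        "only_victim_messaged": destinations == {victim},
        "first_ok": first_ok,
        "replay_ok": replay_ok,
        "later_status": later_status,
        "expired_ok": expired_ok,
        "unknown": svc.handle(InboundSms("+4700000000", "2345", "LOGIN")),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The rate limit is keyed on the destination rather than the source on purpose: the source is the very field the post says is trivially forged, so a per-source limit would be defeated by rotating forged numbers, whereas a per-destination limit bounds how many unsolicited messages any one subscriber can be made to receive, which is the harassment the post describes. The verify step runs over the login channel, not over SMS, and treats the code as single use with a short lifetime, so a code that does get observed in transit is worth little for long.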