Ken Munro, partner at Pen Test Partners

The cheeky hacking stunts carried out against conference delegates show just how much we all still have to learn.

As usual, there have been some really interesting research presentations flying around recently on the back of the Black Hat and Defcon conferences. There is the typical vendor-bashing, both deserved and undeserved. However, the stories that I find most interesting are the ones about the hacks against the attending delegates.

When I was last at the conference, a back-doored ATM had been placed in the foyer, and several delegates and hotel residents used it. The result was cards scammed, against people who perhaps should have known better.

I'm always a bit paranoid about joining security conference networks. Never plug in, and switch off the wireless on the laptop and phone. But it will be OK to leave the phone on and collect emails; GSM is safe enough, isn't it?

I always used to advise organisations to avoid wireless where possible. Not because it can't be secured pretty effectively, but because of the potential for access-point spoofing against users. That's much harder to defend against, particularly when users are providing the mobile device themselves, rather than a corporate-standard smartphone.

Mobile data was much better – you could switch off the wireless and use that unlimited data plan the company had. Then, step by step, mobile data started to look less and less secure. After the antics at Defcon, showing a successful man-in-the-middle (MITM) attack waged over GSM, there followed some concerning coverage of further attacks using 4G/CDMA.

Security issues with the A5/1 stream cipher used to protect GSM in the past have been known about for a long time. Karsten Nohl and team showed a Rainbow Table-style attack at the 26C3 event in 2009, proving the potential for interception of data in transit. The newer A5/3 cipher is supposed to offer greater security, although that claim has already been brought into question by research carried out early last year.

Further concerns have been raised about the ability of the airtime provider to drop the call encryption strength. This would seem to satisfy some intelligence agencies, though the opportunity to force a handset to drop to 'weak' or 'no crypto' seems obvious.

The attacks at Defcon appear to have been via rogue 4G cells set up at the conference. Some form of man-in-the-middle attack was run, not that dissimilar to proven MITM hacks against 2G communications.

The wise among us should already be protecting traffic in transit over mobile data. For example, Exchange push email should be encrypted with SSL, and I would hope that anyone responsible for the sending of corporate email on a laptop over 3G would first create a VPN tunnel to a mail server.

Hence the best attack vector is going to be the end-user's device. I suspect that Android and iDevices will be the most likely targets, given their prevalence. The tech-savvy among you will be very suspicious about odd-looking updates and handset alerts generated from SSL spoofing. However, your users aren't likely to be so alert.

What can we do about this? At the moment, not a lot, other than keeping the handset OS bang up to date, and providing yet more user education about not accepting handset error and upgrade messages. Fortunately, rogue mobile cells seem to be pretty unusual, just as it's not that common to see faked wireless access points.

Where are rogue cells most commonly found? At security conferences. I think I'll be turning off my phone at the next one I attend.