What to Watch at Black Hat and Defcon
3) Mobile bugs
Unleash the Kraken! That’s just what GSM security researchers are going to do at Black Hat this year, in what could ultimately become a major headache for U.S. and European mobile network operators. Kraken is open-source GSM cracking softwarethat’s just been completed. Combined with some highly optimized rainbow tables (lists of codes that help speed up the encryption-breaking process), it gives hackers a way to decrypt GSM calls and messages.
What Kraken doesn’t do is pull the calls out of the air. But there is another GSM-sniffing project — called AirProbe — that’s looking to make that a reality. The researchers working on these tools say that they want to show regular users what spies and security geeks have known for a long time: that the A5/1 encryption algorithm used by carriers such as T-Mobile and AT&T is weak, and can be easily broken.
But why break GSM encryption when you can simply trick phones into connecting with a fake basestation and then drop encryption? That’s just what Chris Paget plans to demo in Las Vegas this week, where he says he’ll invite conference attendees to have their calls intercepted. Should be a fun demo, if it’s legal. Paget thinks it is. He has also developed what he calls the “world record” for reading RFID tags at a distance — hundreds of meters — which he’ll be discussing at a Black Hat talk.
Another researcher, known only as The Grugq, will talk about building malicious GSM network base stations and components on mobile devices. “Trust us, you’ll *want* to turn off your phone for the duration of this talk,” the talk’s description reads.
And on a week that was kicked off with Citibank’s admission that it had messed up security on its iPhone app, another talk to watch will be Lookout Security’s “App Atttack,” which will shed light on insecurities in mobile applications.
No comments yet.