Apps for the Paranoid Needed?

I can’t let Karsten Nohl‘s presentation at 26C3 go without comment. To be clear, he was only talking about weaknesses that were already known (so headlines like “Secret mobile phone codes cracked” are at best misleading) but his purpose was to demonstrate that those theoretically known attacks are now practical. His point is a very valid one, and holds for most (all?) cryptographic algorithms: researchers will discover more efficient attack techniques, and technology will evolve to make such attacks practical, so you’d better design your cryptographic protocols so you can switch to different algorithms if and when the future need arises.* Happily this is the case for the GSM protocols, and all (!) that is needed is for the phone manufacturers and network operators to deploy the A5/3 algorithm and we can all go about our business.

That said, there is an interesting point made, almost in passing, in the presentation. (more…)

Femtocells and Security

The Femtocells World Summit is in London this week; I haven’t attended, but I have seen articles about it that have me wondering whether there are interesting security issues emerging.

First, what’s a femtocell? Essentially, it’s a short-range, miniaturised version of a mobile phone mast. However, instead of being directly plumbed in to the phone network, calls made through a femtocell are routed over broadband Internet connections so they can be used in areas where the normal phone network coverage is poor or non-existent.

(more…)