Dr P Nobles

Security and the Convergenceof Wireless Standards

Dr Philip Nobles

P.Nobles@cranfield.ac.uk01793 785218

Dr P Nobles

Mobile services evolution

2G 2.5G 2.5G / 3G/WiFi 3G / HSDPA

P2PSMS

voicemail

SMSApplication

sRoaming

Colour contentMusicMMS

GamesVideo-messagingBusiness email

VideoIntegratedmessaging

Consumer emailShared content

Multiplayer gaming

Mobile Internet service

CRM/SAP solutions

Mobile TV

High qualitymobile video

Location based services

Mobile broadband

Rich multimedia

Public service applications

2003/4 2004/5 2006/72005/62002/3

D I G I T A L C O N T E N

T0

40

80

100

20

60

%

2002

2004

2003

GPRS handsets

GPRS users

Billions of text messages

05

10

15

20

25

30

99

00

01

02

03

04

courtesy of Mike Short (VP R&D O2)

Dr P Nobles

Wireless and mobile standards

• GSM

• 3G

• IEEE802.11 (WiFi)

• HiperLAN

• Bluetooth (?)

• WiMAX

Dr P Nobles

Security failures

• Security by obscurity doesn't work

• “A very common cause of (security) protocol failure is that the environment changes, so that assumptions that were originally true no longer hold”Ross Anderson, “Security Engineering”

Dr P Nobles

A security challenge 1980

• How do we prevent students bringing programmable calculators into exams?

Dr P Nobles

A security challenge 2006

• How do we prevent students wearing wireless computers in exams?

thanks to Prof Fred Piper

Dr P Nobles

GSM security

• April 1998 – University of California at Berkeley researchers crack A5 algorithm to allow cloning

• COMP128 algorithm stored on SIM

• 2001 - Wireless application protocol (WAP) gateway vulnerability

• Sept 2003 – Israeli researchers crack A5 and (potentially) intercept encrypted calls

• 2005 - Spoof base stations to buy for <£10 000

Dr P Nobles

WiFi security timeline

• Recent surveys found >50% of WLANs still with no security

802.

11 W

EP80

2.11

b

WEP

cra

cked

Airs

nort

EAP

vuln

s99 00 01 02 03 04

Cisc

o LE

APW

PA80

2.11

gCi

sco

LEAP

cra

cked

Cisc

o EA

P-FA

ST

802.

11i r

atifi

edW

PA2

Dr P Nobles

802.11 Bloodhound

shmoo.com

Dr P Nobles

WiFi hotspots

• 3868 public UK hotspots• http://www.wi-fihotspotlist.com/browse/intl/2000018/

Dr P Nobles

“Evil Twin” research in the media

Dr P Nobles

Mobile-wireless convergence

• 3G-WiFi interworking• Authentication• Trust when roaming

• Bluetooth• viruses (Caribe) and trojans

Dr P Nobles

Fixed-wireless convergence

• Next generation networking (NGN)

• IP multimedia subsystem (IMS)

• VoIP and the Session initiation protocol (SIP)

Dr P Nobles

Example SIP INVITE messageINVITE sip:grenache@10.0.1.12:8394 SIP/2.0Via: SIP/2.0/UDP 62.173.51.169:5060;branch=z9hG4bK83066;branched=FALSE;forward-point="62.173.51.167:5060"Record-Route: <sip:62.173.51.169:5060;lr>Route: <sip:62.173.51.167:5060;lr>Route: <sip:10.10.0.1:5060;lr>Via: SIP/2.0/TLS 10.10.1.90:1042;received=62.173.51.167Record-Route: <sip:cgp-nat@62.173.51.167:1042;transport=tls;lr>Contact: <sip:thom@communigate.com:1042;maddr=10.10.1.90;transport=tls>Max-Forwards: 69From: "thom@communigate.com" <sip:thom@communigate.com>;tag=8c7804f4318f4d44aae9e31498585a9b;epid=3d0c47842dTo: <sip:grenache@communigate.com>Call-ID: 2ddafe312aa44260b5b73477f5277515CSeq: 1 INVITEUser-Agent: RTC/1.3Content-Type: application/sdpContent-Length: 776

v=0o=- 0 0 IN IP4 10.10.1.90s=sessionc=IN IP4 62.173.51.169b=CT:1000

t=0 0a=mediagateway:mail.communigate.com:init-528C89C32AFE52m=audio 60000 RTP/AVP 0 3 4 5 6 8 97 101 111 112c=IN IP4 62.173.51.169k=base64:fchmooU0VjyhMvgu7AodbsyPOgG/6VzNKWRPaAsEVZAa=rtpmap:0 PCMU/8000a=rtpmap:3 GSM/8000a=rtpmap:4 G723/8000a=rtpmap:5 DVI4/8000a=rtpmap:6 DVI4/16000a=rtpmap:8 PCMA/8000a=rtpmap:97 red/8000a=rtpmap:101 telephone-event/8000a=rtpmap:112 G7221/16000a=encryption:optionala=fmtp:111 bitrate=16000a=fmtp:112 bitrate=24000a=fmtp:101 0-16m=video 60002 RTP/AVP 31 34c=IN IP4 64.173.55.169k=base64:D65D88jUiVKj32chZ0brYuYYtkyLVOgW8+1zcPH/5rQa=rtpmap:31 H261/90000a=rtpmap:34 H263/90000a=encryption:optional

courtesy of Thom O'Connor (CommuniGate)

Dr P Nobles

The digital citizen

• Podcasting• RSS syndication

• Citizen reporting• Scoopt, Spy Media• Center for Citizen's Media

Dr P Nobles

Content-mobile convergence

• imode

• Mobile TV

• Content clients on mobiles

Dr P Nobles

In summary

Dr P Nobles

Questions?

Dr P Nobles

WiMAX

• Wireless metropolitan area network

• Broadband wireless access

• 10+ miles range

• IEEE802.16 and ETSI HiperMAN

• Point-to-multipoint

• <10GHz up to 66GHz

• 268Mbps

• Quality of service (QoS)

• “Wireless ISPs”