Schneier on Security

Clive Robinson • January 10, 2019 8:29 PM

The article is not what it could be…

The ideas behind both SS7 and GSM are quite a bit older than fourty years, look up what was the British General Post Office (GPO) System X[1] oh and the earlier “signaling systems”.

Back in the 1950’s through to the 1980’s when the problems of phone privacy etc could have been put in place it was not. Because in part the technology although envisioned was not available. But mainly those who started those developing the ideas were working under a Government Department and the “Post Master General” was a Government Minister.

Behind this pulling strings were other Government Departments not the least of which in Britain was MI5, MI6 and GCHQ who all had a very interesting working relationship with the GPO (look up the Operation Stopwatch Berlin tunnel[2] for instance it was one of many joint but secret tunnels and other projects).

Whilst some projects were abroad many were on UK soil, back when the telephone “trunk” used microwave radio the MI’s had an interest in “tapping every thing”. The advantage of the Microwaves to France and Ireland was the “spill efect” which enabled receivers on the side of the “boresight paths” to pick up both sides of the communications. These receivers were put in things like fake grain silos that gave the required hight whilst not looking out of place in rural locations. Thus GCHQ had collect it all access to these microwave links with a high degree of deniability[3] as there was no way to see it by “walking the wire”. The fact it was the GPO “secret squirrels” that put it all in with other microwave links back to the likes of Hanslope Park, Empress House and Century House was realy a case of “one hand washing the other” within the GPO.

The point is that RF based systems are easy to listen into, and unless extra precautions are taken with the basic link and message data then the traffic will be vulnerable to, at the very least, readily available “test equipment” or these days USB dongles that cost $10 a laptop and some open source software.

Further those precautions have to be way way more than just to get the assumed quivalent of “wired equivalent privacy” that we have seen with WiFi (that’s arguably still not secure). In essence they have to be not just leading edge when a system is designed but fully upgradable without the possability of “fallback attacks” because as history has shown crypto moves on fairly rapidly and a quater of a century realy is tops for it’s total service life (DES and RSA being just two examples).

Oh and watch out for standards, those “hiden hands” have been “finessing” International Standards for more than fifty years, in some cases more than a century. I’ve seen it at work first hand. You would think it’s amazing that they have been able to get away with it for so long, but the truth is few and I realy do mean few ever thought about it untill fairly recently. The fact is Victorian customers of telegraph companies appear to have been more aware of the need for communications security than the average Internet or Mobile phone customer today…

But why should making the likes of phones more secure be so dificult?

Well there are a number of reasons and it starts with the redundancy of the human voice, especially that of the average German male (I kid you not). Just behind your mobiles microphone and speaker is a compression system that takes as much redundancy out as it can with minimum time delays so that the data rate sent to the radio modem is “bandwidth efficient”. The main algorithms used are based on work (CELP) done at the NSA for DoD systems. Which might be cause for concern, we currently don’t know (but then we did not about a certain Digital Random Generator that NIST standardised and then had to withdraw).

Whilst the compression system works well with high redundancy voice, it “blows up” if you try to feed random audio waves that you would get from external “voice encryption” or even a sine wave used for Frequency Shift Keying (FSK). Someting I noted would happen with “Jackpair” and I don’t know if after more than four years of working on it if they have actually shipped production units yet (progress updates are only available to those who handed money over originally). Their web site does not have a “buy now” button on it or similar so I’m assuming not.

The second problem is that you still have the “analog” problem. There is no guarantee that the analog waveform you put in is what you will get out at the other end. The human ear is fairly immune to frequency, phase and higher frequency amplitude distortion which various trunk network systems will quite happily abuse. All of which a crypto system would be sensitive to unless it was of very low bandwidth.

So for voice encryption it would be considerably easier not to use the voice path of a mobile and use either the inbuilt modem to modem (see AT command set) or digital connection to a data service such as the Internet. That is use a voice encryption system on a PC that is connected by WiFi or USB to the mobile and send it across the internet, it’s probably cheaper for many people anyway (check how your subscriptions services are capped).

But the big issue is there is no “Man On The Middle” attack protection in the way mobile phones work. This is due to the way the system was originally designed. In essence the earliest “analog” mobile phones back in the 1980’s had lots of security issues to do with people stealing service to make free long distance / over seas calls. GSM 2G had “features” added to stop this but the “trust interface” was put at the “Over The Air” (OTA) Demarcation line (Demarc). This was because it fit in with the way the system worked for “roaming” and “emergancy” calls. That is the phone could connect to any base station based on a simple signal strength algorithm, the phone would connect to the backend network and then request “service” or more correctly services based not just on what was in the phones SIM but also recorded in the database of the subscribers “home network”.

Importantly neither the phone or the home network controled the OTA interface, so encryption and other security features are controled by the owner of the base station…

These issues still happen for two backwards compatability reasons. Firstly the issue of “fallback” and secondly “layered compatability”. Fallback happens when a base station can not provide a service at a better rate. This can happen when you switch cell sites and when you have marginal signal quality due to other users etc. Thus you might not have data, but can do voice and texting, or it drops right down to just being able to text. The reason they do not alow handsets to stop fallback is the old notion of “reliability” but from the service providers point of view it’s actually a revenue view. Something the “hidden hands” actively promote to keep “fallback” which they can use to there advantage.

The other backwards compatability issue is “layered compatability”. This goes back to ISDN and it’s notion of modularisation. It provides what is a “framework” standard into which moduals can be freely swapped. But it also has to work across multiple revisions etc. Telecommunications Engineers by nature are conservative in their outlook and don’t like to change things that work, even augmenting can give them the hives. Thus once something works it stays unless there is a significant reason to change things, which is actually very rare these days. So whilst the OTA,might get upgraded at the bottom of the stack, and new services get added to the top of the stack the layers inbetween don’t get changed. Some of those layers effectively go back to the pre ISDN times…

This again suits the “hidden hands” as it makes their life considerably easier.

But those “hidden hands” are still at it, upto their eyeballs and beyond, and are,still getting caught[4]. The fact is they just don’t care between them the extended Five-Eyes employ hundreds of thousands of people, who’s jobs are to spy on the enemy, which is every one including themselves. A goodly percentage of those people spend their entire working lives subverting telecommunications systems in every which way they can. They will not stop doing this because that is not just their only way of earning a living but in many cases their sole reason to live. They have made their mark on a Devil’s contract and have no real way out, they are owned not just for life but in the hear after as well.

The fact they are scared of loosing their battle to destroy your privacy is why we see the ludicrous legislation and over reach by the state LEO’s to prosecute into ruination both financialy and freedom of existance.

[1] System X is a family of advanced digital switching systems that evolved from the JERC agreement of 1956 as a co-ordinated project between the General Post Office and industry. As part of it’s history it spawnrd both ISDN and ATM. It had been realised some time prior to 1956 that the existing mechanical dialing systems in use, though reliable were becoming more expensive and less responsive to the changing needs of both industry and society. One major issue was that any changes had to be done with a “wire wrap tool” in a frame room often in a building in some village or town with the cost of labour and training rising it was seen as unsustainable. In 1966 the GPO published a ground breaking report about telecommunications systems of the future. It laid the foundations that in time would become known as System X and give us in time ISDN and ATM. A second follow up report, completed in 1971, concluded that the only way to forfill future requirments of telecommunications systems was an all digital one. By 1975 agreement was reached with the leading manufacturers, with the original industry partners being GEC, Plessey and STC, with STC later dropping out. Much of the work was well ahead of it’s time and had to wait for technology to become available (UK Semiconductor development was quite advanced, but due to the UK Treasury only available for “defence projects”). In 1971 Wood Street international exchange in London became the first installation to use a computer as part of its control equipment. But the UK Treasury decided to cut funding to the GPO and thus time almost stood still in the UK telecommunications industry that in some parts went into recession because of it. Because of this the first public view of System X was in 1979 with the first demonstration of a System X exchange at the international communications exhibition in Geneva. This gave rise to a large amount of interest world wide and initial orders for a first eight local through trunk and tandem exchanges came into service in less than two years starting in 1981. During this low time the GPO engineers had been quite active in Europe with the CCITT working on the standards that would give X.25 and the Integrated Services Digital Network (ISDN). It was launched in the UK on June 25th 1985, Originally called Inegrated Digital Access (IDA),
It was the first ISDN system in the world and British Petroleum (BP) was the first customer on the new network. Put simply ISDN was initially the extending of the digital phone trunk network through local exchanges directly to the customers premises or desk top. In the process enabling very much faster data transfer of 64Kbit/barer chann that could be aggrigated to thirty or more synchronised channels enabling almost unimaginable data rates than had previously been possible over phone lines. Thus high speed computer communications, FM Broadcast quality audio and video and new services such as personal video calling became possible, all of which we take very much for granted these days from our mobile phones. Group Special Mobile (GSM) was based on the experiences by CCITT of gaining harmony across international telecommunications networks. Few realise these days just how politically controled national telecommunications networks were and how they were deliberatly designed to be incompatable to “protect home industry” a policy that fell flat on it’s face and actually harmed the nations involved (a lesson some realy should learn today). The result was GSM was initially largely based on X.25 and ISDN both of which were derived from System X development and unfortunatly the “hidden hand” of the security services in the UK and other Five-Eyes nations ensuring that they would always have access usually under the unarguable case of consumer/user “Safety” a process known as “finessing” which takes it’s name from the card game Bridge that was a very important part of the social lives of the “Diplomatic and intelligence set” from Cambridge and Oxford from WWII and well into the 1990’s to my direct knowledge, and not being able to play Bridge well could significantly hamper your promotion prospects (I’m told that in the US it’s the less tactical game Poker that is considered the game de facto of the Diplomatic and IC set).

[2] https://en.m.wikipedia.org/wiki/Operation_Gold

[3] That is untill somebody decided to analyse the UK’s microwave link systems for the Open University in effect “publishing it to the world” it so infuriated “Mad” Maggie Thatcher who was then UK Prime Minister she insisted that the author Duncan Campbell be prosecuted under the Official Secrets Acts. An unwise move as she was told at the time but she insisted and the entire prosecution case when in court descended into farce. One by one their arguments were destroyed often by their own witnesses, eventually they had one card left, the publishing of the “Oh so super secret” address of GCHQ in Cheltenham (where everbody knew it and you could get a taxi at the station to take you there just by saying “GCHQ please”). The prosecution played what it thought was their “ace in the hole”, and were absolutly slaughtered when the defence council held up a copy of the inside back page of the world wide distributed magazine “Wireless World” where every month GCHQ published a recruitment add not just with it’s address but a backround image of it’s “architecture award wining” main building…

[4] https://www.telegraph.co.uk/technology/2016/01/26/gchq-developed-software-for-secure-phone-calls-open-to-eavesdrop/

Clive Robinson • January 10, 2019 9:17 PM

If you are unsure about where things are going in mobile communications and why you might hear people talking about 3gpp being resurrected in 5G. This might help,

http://mvnoblog.com/the-5g-core-network-3gpp-standards-progress-computerworld/

Oh and keep your eyes open for 10G “to your door” it’s nothing to do with mobile service it’s the revenge of the cable companies 😉 It appears they are trying to muddy the waters and 10G is not likely to appear if at all for half a decade or so. 😉

http://mvnoblog.com/big-cables-10g-campaign-betrays-a-fear-of-wireless-5g-the-verge/

Oh and some mighy know that the Consumer Electronics Show (CES) is on currentl. Apparently there is a lot of 5G stuff being anounced,

http://mvnoblog.com/qualcomm-intel-make-5g-announcements-at-ces-business-insider/

Atleast on thing in there I reckon will come up on this blog in the future will be the new killer “5G conected cars”… With the amount of bandwidth and silly apps it will cause the attack surface will be immense, but as we know the auto industry is oh so competative corners get cut…

Clive Robinson • January 14, 2019 11:29 AM

@ ,

As a side-remark, I’m willing to bet that there were people issuing warnings about security in 1975.

I think you would win that bet.

I can not say for certain back in 75 it’s self, but in the 80’s I got to know both working engineers and standards body members.

I raised the issue that everything was in plaintext over what was a fully open network, where the desire to “cheat” for monetary gain would have been trivial to do and almost as trivial to get away with.

The attitude was security was not required, plaintext and open networking made interfacing easy. Oh and nobody would think of cheating, but even if they did the customer would pay it…

It also quickly became clear that some of the standards people were watering security down any which way they could… Worse at international meets certain countries would in effect play yag and back each other up on the security avoidance / weakening.

We would call them the “Extended Five-Eyes” these days.

It was clear from the technical people that the watering down of security had been taking place atleast as far back as the 1950’s…

One such area was “inband signaling” in theory Law Enforcment could only put a “pen register” in which recorded the time the handset was “Off Hook” and any numbers dialed. However some people would cheat, and that “one pair of croc clips” on the line would get not just the inband signalling but also all the speach.

Thus people in an exchange would see an audio tap written up as a signaling “pen” tap. Thus providing a degree of deniabilty as the recording boxes were not available to exchange technicians just the “Secret Squirrels”… Thus they were misled that the tap was for Law Enforcment when in fact it was for the Intel community…

Clive Robinson • January 14, 2019 10:03 PM

@ Peter,

I doubt anyone here [lurking or posting] has a Threat Level that requires them to avoid missile attacks….

Actually I suspect a number do.

Anti-Radiation Missiles (ARM) are “Standard Ordinance” in many nations armouries especially those with some measure of stealth technology in the deployment systems. ARMs are in effect first kinetic strike weapons against any transmitter, be it forward post, command and control or for what ARM’s were originally developed for which is military radar systems used to detect and launch missiles at incoming aircraft. There use back in Gulf War II was mentioned in the MSM at the time and subsequently in quite a few documentaries and the like.

Thus there are likely to be a number of military comms and other RF oriented personnel that read this web site, and I know that some have commentrd in the past.

The fact that a terrorist/freedom fighter was targeted and killed with a lightly modified ARM weapon whilst using a satellite phone is as they say “A matter of record” as was Osama bin Laden suddenly stopping using his satellite phone shortly there after.

Also in the weapons arsenal there are the likes of Boeing’s RC-135 “Rivet Joint” stand off surveillance aircraft that can locate the use of satellite phones and other “emmiter intelligence” from over 100 nautical miles. Well outside of any realistic response range. Because that would be picked up on any AWACS system like the E3 “Sentry” in the same region way before it could engage with the RC-135.

Those are the hard facts of reality that both regular and iregular forces have to take into account in their planning. Likewise anyone doing commercial or military covert activities of which there are any number going on all over the place at any one time.

You don’t need to be worldly wise to know about the above Osama bin Laden behaviour and what is assumed to have caused it. It was in most MSM at one point or another.

Likewise Boeings civilian airframes decked out for military and SigInt use are not a secret a simple google search will bring them up. Further details can be found in the appropriate “Janes” which large libraries used to have and are available via “inter library loan” services.

Perhaps less well known are some hobbyists have converted surplus US Navy training target drones into RF surveillance aircraft,

https://www.popsci.com/diy/article/2010-08/diy-wi-fi-drone-finds-wireless-hotspots-raises-privacy-questions

As for my original comment I would have thought it’s “butler/waiter speak” tongue in cheek presentation would have been obvious. And thus it was ment to add a little levity to anotherwise heavy and dry subject (in which I have some experience and knowledge).

But I guess not in some peoples cases.

But for your information I also have a proffessional interest in micro and nano satellites for communications and I have a working prototype sitting on one of my work benches. If you want to know more about the technical ins and outs of Comms Sat capabilities, you can purchase quite cheaply a number of books published by AMSAT / ARRL / RSGB about the Ham/Amateur use of not just man made satellites but celestial bodies such as the Moon (EME comms) and Venus (EVE comms). You can also look up details of the fees etc to use Inmarsat phone data and video services on their website,

https://www.inmarsat.com/

Or if you happen to be in London’s City Road pop into their HQ which I’ve been known to frequent in the past and pick up a few glossies from the foyer. They own and run one of the largest satellite networks for both the air and maratime industries, with attendent “mobile comms” for undeveloped areas.