[fc-discuss] Financial Cryptography Update: New Threats on the Airwaves

iang@iang.org iang@iang.org
Mon, 29 Aug 2005 23:53:59 +0100 (BST)


(((((( Financial Cryptography Update: New Threats on the Airwaves ))))))

                            August 29, 2005


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000542.html



------------------------------------------------------------------------

From the "why won't wireless show me an MITM" department, Risks advises
of these new threats to consider for your secure phone app:

<blockquote><i><a
href="http://catless.ncl.ac.uk/Risks/24.02.html#subj13">"Andre Kramer"
... Thu, 18 Aug 2005 11:31:28 +0100</a>

The Cambridge Evening News reported yesterday ("Phone Pirates in seek
and steal mission" 17th August 2005) that several laptop computers have
been stolen from car boots (automobile trunks for US readers) in
Cambridge (UK). The article claimed that "Bluetooth" was used to detect
the laptops' presence. While the thefts appear related, the claimed
modus operandi seems unlikely as short range wireless would be inactive
unless the laptops were powered on (to be fair, the article also
mentioned "other electronics"). The risk: thinking your devices are
safe in the car boot when they don't have wireless.</i></blockquote>

Makes sense.  Closing the top of a laptop may not have closed off
Bluetooth.  Or, it might be easy to construct something that otherwise
sniffs laptops in power saving mode.  Lead-lined laptop bags, anyone?

And, taking the shine off the cell/mobile phone as the ultimate in
secure platforms, consider just how much a peeping tom your telco is:

<blockquote><i><a href="">Cellphone carriers can listen in through your
phone?</a>

Posted Aug 5, 2005, 10:20 AM ET by Ryan Block

We’re always a little wary of that very blurry line between protection
of the general public and infringements on basic civil liberties, but
it would appear that according to the Financial Times by way of the
Guardian, at least one UK cellphone carrier not only has the power (and
mandate) to remotely install software over the air to users’ handsets
that would allow for the kind of monitoring we thought only perverts
and paranoiacs had access to: picking up audio from the phone’s mic
when the device isn’t on a call. While we don’t think the backlash on this
one has really gotten underway yet, and though we do hate to rock a
cliché, we can’t help but be reminded of that classic Benjamin Franklin
quote, “They that can give up essential liberty to obtain a little
temporary safety deserve neither liberty nor safety.” What’s worse, a
cellphone carrier and The Man are gonna take it from us without our
permission on the sly?</i></blockquote>

Now, the big issue here is whether a telco (or any other party) can
download a program to sniff out your keys.  For this reason, the
favoured platform is a PDA, with one and only one program on it, and no
comms 'cept those we said.  Anything else is a compromise, but that's
ok, for those markets that can deal with the risks.

These can be considered to be an addendum to <a
href="https://www.financialcryptography.com/mt/archives/000535.html">last
week's wireless threats</a>, but alas, still no MITMs recorded.
