Full Disclosure mailing list archives

Re: GPRS/IP-session from Nokia/Symbian mobilephone stays up
From: James Tucker <jftucker () gmail com>
Date: Tue, 14 Dec 2004 23:49:17 -0400

Why can't the MS be given an IP connection through a NAT with a
private IP class? (removing the specific attack vector described as
the range could be made much larger). Obviously this is less
preferential for financial transactions as one would desire to know
more about the endpoint, however it could be argued that in reality
the switch carries the end of the IP circuit, and thus there is no
real argument here (except by paranoid auditors who've lost an
appreciation of reality (not uncommon (*clears throat*))).

When you are discussing wireless data circuits at these speeds and
over subscription rates the overhead associated with adding IPv6 as an
optional function is quite significant (data, cost, interoperability
with the outside world, MS support, etc, etc). As was stated moving to
only IPv6 is problematic in terms of end user support. Furthermore
there are support issues with some of the IPv6 implementations anyway
(meaning even those IPv6 devices may not work either). See the eastern
GSM networks for detail on that (who've been suffering IP range issues
for some time now).

In terms of address depletion there is the over subscription to be
considered also; it is likely that the IP infrastructure will not be
the bottleneck here and in fact the network probably does not support
enough concurrent users in order to fully deplete the range prior to
RF equipment saturation.

This leaves the cost issue, and leads to the understanding that
firewalls (with connection/application knowledge) are probably
required (as it is only the end user device that will ever know if it
needs the connection again). IMO it shouldn't even have been this long
before people start switching on to attacking these networks. Cost of
course is one of the reasons for the lack of prior abuse in this area
(outside of some professional efforts). Some users are already having
cost-related issues with IP services on GPRS, the common one being IM
over GPRS which has led to quite a few unpaid bills already.

Finally, IPv6 doesn't completely eradicate the possibility of a
similar attack, it simply changes the scale. Let me explain: 10 years
ago, scales had quite a different ratio than they do now. Back then it
would not take me a day to crack every password hash on the local
machine, nor were there consultants carrying around hash DVDs for
near instant cracking services. At the time, 9Gb of data was quite a
large volume. Moreover programmatic generation of it, whilst not a
complex algorithm as such, was a long (in terms of time quanta)
operation. Now though, systems are faster, memories are bigger and
thus the scale of the search space is different to the scale of
process ability. Similar thing here, as the scales change ratios the
impact of scalar-reliant attacks will also change.

The moral of the story is that scalar attacks should be somewhat
predictable, and thus known and prepared for. We know that passwords
are getting weak, so we are moving to pass phrases and biometrics. If
you know that address ranges are a problem for this technology, then
don't just try to change the length of the range, change the system
functionality until it's not possible to abuse it anymore.

m/2cents
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

