iPhone eavesdropping coming soon

How much time should vendors of popular technology be given to fix a known security flaw?

That’s the central question of the “full disclosure” debate – and one that is being tested again via Karsten Nohl’s campaign to compile a decryption handbook useful for eavesdropping on transmissions from AT&T and T-Mobile phones, including iPhones and GPhones.

Nohl, a computer science PhD candidate from the University of Virginia, is calling for the global community of hackers to crack the encryption used on GSM phones. He plans to compile this work into a code book that can be used to eavesdrop on conversations and data transfers to and from GSM phones.

(See The Tech Herald’s Steve Ragan’s detailed description of Nohl’s project here.)

Nohl’s motive is the same as HD Moore’s, the chief researcher for the Metasploit Project and the brains behind campaigns like the Month of Apple Bugs and Month of Browser Bugs.

Taking the morally debatable high ground

Nohl says he wants to compel the telecoms to address a security weakness that has been known for some 15 years. He estimates it will take 80 volunteer programmers using high-performance computers six months to carry out a brute-force attack to break the GSM encryption code; 160 volunteers could cut that time to six weeks.

“We’re not creating a vulnerability but publicizing a flaw that’s already being exploited very widely,” Nohl told CNET’s Elinor Mills in this report. “Clearly we are making the attack more practical and much cheaper.”

He claims the same (morally debatable) high ground as Moore and other grey hat hackers who push out new vulnerability findings as fast as they can: “We are informing (people) about a longstanding vulnerability and hopefully preventing more systems from adopting this,” says Nohl.

Somehow, Scott Chasin’s original goal in launching Bugtraq back in 1993 seems to have gotten perverted. Bugtraq emerged as the go-to mailing list where researchers could discuss vulnerabilities without fear of vendor backlash.

When eEye’s Marc Maiffret discovered a gaping vulnerability in Windows IIS server software back in 2001, he reported it to Microsoft and waited months for Microsoft to issue a patch – and credit eEye for the discovery. Then 26 days later, Maiffret and Ryan Permeh (who’s now at McAfee) were the first to catch a worm released by a Chinese hacking group crawling the Web in search of unpatched PCs. They named the worm Code Red.

You can read an excerpted chapter from my award-winning book, Zero Day Threat, recounting the emergence of Code Red and other milestone worms and viruses here.

Black Hats vs. Grey Hats

How quaint that now all seems. As this timeline depicting the emergence of the Conficker worm shows, the bad guys pay big bucks to black hat researchers adept at finding vulnerabilities, which can be immediately exploited for profit — before anyone issues a patch.

And now grey hat researchers, like Moore and Nohl, build careers out of concocting campaigns to embarrass vendors under the banner of compelling vendors to resolve security flaws in popular products – usually highly profitable cash cows – in a timely manner.

“Everybody has known for quite some time that a theoretical hack of GSM existed,” observes Simon Bransfield-Garth, CEO of Cellcrypt. “This news means that the theoretical risk will become a very real one.

“It looks like in a matter of months criminals world-wide will be able to intercept mobile phone conversations. The immediate impact is not just businesses and corporations, but potentially all of us who use mobile phones.”

Hackers could go after sensitive information exchanged while using Web apps for phone banking and stock trading, or they could eavesdrop on sensitive conversations – discussions about medical histories, for instance.

A recent survey of corporate users found 79% of people discuss confidential issues by phone every few days, with 64% making such calls daily, according to ABI Research.

It is widely accepted that governments have had the capacity to intercept and decrypt cell calls. But if Nohl succeeds, “anyone with a PC will soon be able to decrypt GSM calls,” says Stan Schatt, Vice President Security, ABI Research. “Now there is a group of hackers who say they will make it virtually impossible to stop.”

Photos of Karsten Nohl and Simon Bransfield-Garth

–By Byron Acohido
