Monday, 9 May 2011

UMA – Unsafe Mobile Access?



I’ve been following Mobile Monday’s London chapter for a few years now and I know a few of the guys there, but I’ve never been able to get down to one of their events. I finally made it down to the April 2010 demo night and was suitably impressed by the number of attendees and the quality of the short 3 minute lightning presentations. I thought that I’d put a security spin on what I witnessed but ended up writing this blog on one particular presentation about ‘Smart Wi-Fi’.

Mark Powell from kineto.com talked about offloading data to wifi from the mobile. Increases in data traffic have caused some big headaches for operators, so this is clearly an attractive proposition for them. It is pre-loaded on some devices, partly because there are some custom APIs involved. It uses 3GPP GAN (Generic Access Network) as the underlying technology to get access to the mobile network and is also known under UMA (Unlicensed Mobile Access). Kind of like a ‘soft’ femtocell (I might even go as far as to say a potential femtocell killer). This is being marketed by T-Mobile as ‘Wi-Fi calling’ and Orange as ‘signal boost’. You’re going to get charged for your normal call on top of your broadband fee, but in general the benefits of having a better signal in the house is probably going to be quite attractive to people and may become a standard offering in the future. Kineto also explained that it helps avoid international roaming because once going Wi-Fi it will be just as if you’re in your home country.

As a paranoid security person, I always get a bit concerned when operators rush to a new technology to solve their problems (in this case network load). Converged technologies bring completely new threat scenarios which can re-enable old attacks with new vectors for achieving them. From a security point of view – there are some pretty obvious initial questions that spring to mind: 

  • What if you’re connected to a rogue router? Is any of my data going to be compromised?
  • Is a man-in-the-middle (MITM) attack possible on the access point?
  • Can fraud take place?


I searched around and found an interesting whitepaper from Motorola, produced back in 2006 which describes some high level threat scenarios: UMA Security – Beyond Technology . I also found Martin Eriksson’s thesis Security in Unlicensed Mobile Access . This states that the IMSI (International Mobile Subscriber Identity) is not secured well enough, leading to exposure of the subscriber who is attached to the router and therefore their physical location. Note that the thesis was written in 2005 and very much plays this issue down – in 2011 most readers would take a different view on this privacy breach. Issues with authentication and the potential for a MITM attack via the router allowing (fraudulent) free calls for other users of the access point all also seem to be areas of concern as the router would be open to data sniffing (particularly if it is a rogue access point in the first place). The problem here lies in the fact that the user is connecting to a less-trusted component than the normal mobile network, leaving them open to all sorts of potential attacks and manipulation.

Putting expensive hardware security into routers is not something I’ve seen and is difficult to protect – the problems with mobile device security often stem from the fact that you’re putting the device in the hands of your attacker to tamper and play with. There is already a healthy community for router hacking and modification around too such as DD-WRT .

UMA applications on phones need to use shared secrets which are stored on the UICC. It would be interesting to analyse how well protected this data is on the device and whether it would be possible to snatch that data or even whether other attacks could be created on the UICC.

Although some of the issues here may have been addressed by the mobile industry, it seems that UMA could be a bit of a risk for users. (I’d welcome any comments or updates by the way from those in the know). The technology is probably safe at the moment as it is in its infancy and hasn’t crossed the radar of most of the hacking community. However, I for one, will be steering clear for now.

2 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete