
Authentication in mobile networks is executed leveraging a symmetric key system. For each mobile subscriber, there is a secret key that is known only by the mobile device and the network operator. Actually, it is not the device itself holding the key, but the SIM card. On the network side, in the case of LTE, the secret key is stored in the Home Subscriber Server (HSS).

Based on this pre-shared secret key, a mobile device and the network can mutually authenticate each other. This is not always the case, though. For some reason someone must have thought, when designing 2G-GSM, that having the end point authenticate the mobile network was not a requirement… too bad that not having mutual authentication opens the door to all types of rogue base station MitM attacks. Bad things also happen when this pre-shared “secret” key is sent from the SIM card manufacturer to the mobile operator in the clear on a bunch of DVDs and someone manages to steal them.

After years of security research in mobile networks, identifying, implementing and testing protocol exploits, I started thinking that perhaps it would be a good idea to transition the security architecture of mobile networks towards a PKI-based system. This is why I really enjoy reading research papers with PKI proposals for mobile networks, which is a rather rare topic in the research community. Thanks to Google Scholar, a very interesting paper showed up on my radar: Chandrasekaran, Varun, and Lakshminarayanan Subramanian. “A Decentralized PKI In A Mobile Ecosystem.”

PKI would increase the complexity of each cryptographic operation, but it is not like the device and the network authenticate each other constantly. Definitely, a lot of research would have to be done to validate whether it would be possible.

With a PKI-based authentication architecture in mobile networks, so many cool things could potentially be done. For example, it is very well understood that, regardless of mutual authentication and strong encryption, a mobile device engages in a substantial exchange of unprotected messages with *any* LTE base station (malicious or not) that advertises itself with the right broadcast information (and this broadcast information is transmitted in the clear in the SIB broadcast messages). And this is the source of a series of protocol exploits and attacks. Perhaps, by means of PKI, broadcast messages could be “signed” by the operator in a way that mobile devices could verify their freshness (to avoid replay attacks) and verify that the base station is legitimate. This would allow mobile devices to verify the legitimacy of a base station before starting to engage in RACH procedures, RRC connection establishments, NAS attach exchanges, etc.
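The signed-broadcast idea above, sketched as an added example that is not from the original post or the cited paper. It assumes Ed25519 signatures, a single operator public key already provisioned on the device (standing in for a full certificate chain), and a hypothetical message layout and freshness window.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignedBroadcast is a hypothetical message layout (an assumption, not a 3GPP structure).
type SignedBroadcast struct {
	CellID    uint32
	PLMN      string // operator identity; "00101" below is the test PLMN
	Timestamp int64  // Unix seconds at signing time, used for freshness
	Sig       []byte
}

var ErrBadSig, ErrStale = errors.New("signature does not verify"), errors.New("broadcast not fresh")

// payload serializes every field the signature must cover.
func payload(b SignedBroadcast) []byte {
	buf := make([]byte, 12, 12+len(b.PLMN))
	binary.BigEndian.PutUint32(buf[0:4], b.CellID)
	binary.BigEndian.PutUint64(buf[4:12], uint64(b.Timestamp))
	return append(buf, b.PLMN...)
}

// Sign is the operator side: bind cell identity and signing time to the key.
func Sign(priv ed25519.PrivateKey, cell uint32, plmn string, now time.Time) SignedBroadcast {
	b := SignedBroadcast{CellID: cell, PLMN: plmn, Timestamp: now.Unix()}
	b.Sig = ed25519.Sign(priv, payload(b))
	return b
}

// Verify is the device side, run before any RACH, RRC or NAS exchange.
func Verify(pub ed25519.PublicKey, b SignedBroadcast, now time.Time, window time.Duration) error {
	if !ed25519.Verify(pub, payload(b), b.Sig) {
		return ErrBadSig
	}
	if age := now.Sub(time.Unix(b.Timestamp, 0)); age < -window || age > window {
		return fmt.Errorf("%w: age %s", ErrStale, age)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	fmt.Println(Verify(pub, Sign(priv, 0x1A2B, "00101", time.Now()), time.Now(), 10*time.Second))
}
```

The timestamp check only bounds how long a captured broadcast stays valid; it depends on the device having a trustworthy clock, which this sketch takes as given.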

Anyhow, it is a very interesting paper on cool things that could be done by applying PKI to mobile networks. Worth a read.

 


As Christmas approaches and most of you might be doing last minute shopping – like me – I wanted to recommend an excellent article in this month’s IEEE Spectrum Magazine. In it, David Schneider comments on some “toys” that can be bought for kids who are about 8 years old or so as a soft introduction to the world of robotics. I am not going to claim that my school degrees are thanks to the toys from my childhood, but most of my passion for engineering comes from my Lego toys and, especially, my Lego Technic toys. A quick glimpse at the Lego Technic website made it clear to me that those toys have evolved so much since I was a kid, but their spirit is intact.

I still remember how much I wanted, desired and craved for this, but I never got it. However, I remember owning all these: a big truck, an excavator and a super cool helicopter. I remember that the car I really wanted and never got had a stick-shift that worked. So I spent many hours building a car myself that would have a stick-shift as well. Once I had succeeded, I noticed that the fancy car had a special piece that allowed the stick-shift to work, which made me feel even prouder of my creation.

Anyhow, apparently Lego stuff has become much fancier over the last few years and now there is a product that can allow kids to get a first adventure with robotics.

First released in 2001, the Lego Mindstorms Robotics Invention System got a significant upgrade in 2006, with the introduction of Mindstorms-NXT. Its 577 parts included four different kinds of sensors and three rather sophisticated servomotors. The most recent edition, the Mindstorms-NXT 2.0 Robotics Kit ($240 from Amazon), released in 2009, boosts the overall parts count to 619, contains a slightly different mix of sensors (one ultrasonic range finder, one color sensor, and two contact sensors), and offers such niceties as a built-in Bluetooth radio and the ability to do floating-point calculations.

I’d read about Mindstorms many times, including in this magazine [PDF], but I hadn’t appreciated how well this system was put together. Hats off to the folks at Lego for producing something that works so well at so many levels.

Any child who can piece together Lego bricks should have little trouble assembling the starter robot, a small tracked vehicle described in the kit’s 62-page instruction booklet. The heart of the kit is its computer module, the NXT “brick,” which the starter robot holds at a convenient angle for viewing the LCD screen and operating the four buttons. With just that simple user interface, youngsters can quickly get their creations moving and doing various interesting things.

I really recommend that you read the entire article, since it discusses other “toys” that are beyond interesting.

I would have loved to have these toys as a kid….

Update: For you guys who were Lego Technic fans as kids, this link brought back so many memories.

Everyone already knows what happened yesterday on the East Coast so I will not give many details. An earthquake, centered somewhere in Virginia, was felt all over the north-east coast of the US. The Capitol Building and the White House were evacuated in DC, people felt the tremor as far up as in Toronto and many people got quite scared in New York, especially the ones that work in a very tall building.

Related to that, this morning I was watching the “news” (if you can call the Good Morning NY shows a news show…) and one of the reporters explained something that was very interesting. His family lives in Virginia and his mom called him about the earthquake before it even hit New York. In a similar way, the tsunami of tweets and Facebook posts scattered across the East Coast way faster than the actual tremor.

A friend of mine posted an old XKCD comic that describes this interesting effect:

I have been thinking about two things:

  • Could we somehow use Twitter and other social media to alert citizens of upcoming disasters? Even better, could we use the combination (social network data + location data) to predict the trajectory of a disaster, its intensity gradient and other characteristics of the event to improve alert systems?
  • If there is ever a major disaster, what will people do? Run and then tweet? Tweet and then run? Tweet while running?

As a final comment I’d like to add that feeling an earthquake on the 25th floor of a tall New York building was very scary. It might not have been felt that much at street level, but up there…

About me:

Born in Barcelona, moved to Los Angeles at age 24, ended in NYC, where I enjoy life, tweet about music and work as a geek in security for wireless networks.
All the opinions expressed in this blog are my own and are not related to my employer.
About me: http://rogerpiquerasjover.net/
