Why "carnivore" type systems can't be (entirely) open source

Ross Anderson Ross.Anderson at cl.cam.ac.uk
Sun, 04 Feb 2001 22:27:56 +0000


> And when this fails (which it has not done yet) they will steal information
> from end systems.

Phone companies already steal large amounts of money by exploiting
broken end systems. As often, billing and authentication are much more
worthy of close attention than is confidentiality.

Phone phreaking was portrayed in the popular press in the 1970s as
kids playing with blue boxes - Jobs and Woz being cited as examples -
but its real use was providing unobtrusive comms for organised
crime. Mobile phone cloning was the logical next step when signaling
went out-of-band, and attacks on end systems (PBX hacking of various
kinds) got big too.

What changed it all was the rise of the premium rate industry. All of
a sudden, real money could be made from `dial-through fraud'. You set
up an 0900 number, hack a few corporate PBXes, and program them to
call up until you make millions.  When that happens, the interest of
the phone company is to deny that it's possible, so they can collect
the phone bill (and their share of the proceeds of the crime).

In the old days, the phone company was (mildly) motivated to stamp out
fraud. But all of a sudden, they became the scamsters' retail outlet,
and now resort to all sorts of nasty little tricks to gouge their
customers. In the US, it's worse than here, as deregulation has gone
further, leading phone companies to attack each other's customers (and
each other). See <http://www.bell-atl.com/security/fraud/tips.htm>.

I have a whole chapter on this in my book. It's a fascinating if
depressing study; the Internet seems to be following the path beaten by
the phone companies, but about five times as quickly. The goal
nowadays is not to make systems secure; it's to make them secure
enough for you to blame the customer, without making them secure
enough that he can defend himself properly. (Remember ATM fraud?)

Seen in this context, whether GSM security was a success or a failure
depends on who you are.

* From the point of view of cryptography, it was a failure. (But from
the point of view of cryptographers, it provided plenty of opportunities
to write research papers.)

* From the phone companies' point of view, it was a success. The GSM
operators have made vast amounts of money, and a (small) part of this
is due to the challenge-response mechanism stopping cloning. The
crypto weaknesses were irrelevant; they were never exploited in ways
that did significant harm to call revenue.

* From the criminals' point of view, GSM was also fine. It did not
stop them stealing phone service: the modus operandi merely changed,
from cloning to stealing mobiles or buying them using stolen cards.
The cost shifted from phone companies to credit card companies or to
individual victims of identity theft or street robbery. It did not
stop anonymous calls; the rise of the prepaid industry made them even
easier. And GSM did nothing about dial-through fraud.

* From the point of view of the large-country intelligence agencies,
GSM was fine. They have access to local and international traffic in
the clear anyway, and A5/2 makes tactical sigint against developing
countries easier. And the second wave of GSM equipment is bringing
juicy features, such as remote control of handsets by the operator.

* From the point of view of the police and low-resource intelligence
agencies, things are not quite so bright. The problem isn't the added
technical complexity of GSM networks: court-ordered wiretaps can be
left to the phone company (although finding the number to tap can be a
hassle). The problem is the introduction of prepaid mobile phones.
This not only decreases the signal to noise ratio of traffic analysis
algorithms and makes it harder to target wiretaps, but also encourages
crimes such as extortion and stalking.

* From the customer's point of view, GSM was originally sold as being
completely secure. The encryption of the air link certainly did stop
Squidgygate-style casual eavesdropping. But almost all the phone
tapping in the world is done by large spook agencies, to whom the
encryption doesn't matter much. And things are bad for the subscriber
when we look at billing. Cryptographic authentication of handsets
can't stop the many frauds perpetrated by premium rate operators and
phone companies. If anything, it makes it harder to wriggle out of
bogus charges: the phone company can say in court that your smartcard
and your PIN must have been used in the handset that made the call.
The same will apply to 3gpp if micropayments aren't used (phone
companies seem to be trying to avoid them, surprise surprise). The one
minor compensation is that GSM facilitated the spread of prepaid
phones, which can limit your exposure to premium rate scams.

So the security features designed into GSM don't help the subscriber.
They were designed to provide `security' for the phone company: they
dump most of the toll fraud risk, while not interrupting the flow of
premium rate business -- whether genuine or fraudulent. The phone
company, the sex line operators, the spooks and the crooks get fat.
The losers are the subscribers, the police, the victims of stalking,
and the schoolkids who get beaten up for their mobiles.

I raised many of these points at several of the Scrambling for Safety
conferences (and elsewhere). Nigel and friends were not interested.
Neither was Charles Clarke. I think the Home Office has a cheek to
turn round now and start making a noise about phone muggings. I also
think the DTI has a cheek using our tax money to attach an ex-BT guy
to 3gpp to help with `security' - which appears to mean insisting on
an all-singing, all-dancing law enforcement interface to the content,
while not doing anything at all to protect citizens from fraud.

Ross