Computer Security Rants & Reverse Engineering

Saturday, December 10, 2011

WiFi Security & republic

In response to David Wright:

The concern that I'd like to address is air gap security. While I agree that Hotspot 2.0/802.11u will likely help to address this issue, it's not in the installed hardware/software base, which is going to persist for a long time. Granted, it could be added with a software update, but vendors tend to not support legacy hardware for very long. In my lexicon, legacy is anything older than roughly one year. Also, I'm not really aware of wide support for the standard in currently available hardware. Given that the standard is less than a year old (ratified 25 Feb 2011) this isn't at all surprising. All of that is beside the point, though.

There is a contextual difference between republic and typical wire line VoIP. I dove into it a little here. But I want to drill into it a bit deeper, so here goes...

Most VoIP providers assume that their device (likely an ATA) is on a wired network, at a fixed premises. The assumption is that the user of the device controls the location it's installed at, and thereby has some assurance of network security. By which I mean, the user would notice if someone had plugged in a monitoring device.

It's generally assumed that the networks you traverse outside the user premises are secure and unmonitored, or at least comparable to POTS wire line service. While I don't agree with this assumption, let's just accept it for the sake of argument.

This brings me back to a question of context. Cell phones travel everywhere with us. We use them in a wide variety of locations, some of which are more secure than others. republic's business model is based on heavily incentivizing its customer base to use WiFi. The customer also has an incentive to connect to public WiFi, as in many places the quality of service (speed, latency, etc) is significantly better on WiFi than over the cellular network.

This means that a customer sitting at an airport or in a hotel is very likely to connect their device to the location's WiFi. This WiFi is almost certainly not encrypted. The moment they do that, republic's software will automatically attempt to negotiate a SIP connection to their service.

Anyone within wireless range with the appropriate hardware (pretty much every wireless card supports monitor mode these days), software (readily available) and knowledge (still a pretty low bar) can intercept their SIP credentials, monitor who they call (inbound and outbound calling numbers), and listen in on their voice traffic. This is a huge privacy and security concern. Granted, as I already observed, the SIP creds are being sent using digest authentication, meaning immediate SIP password recovery isn't possible.

Returning to context for another moment: a cell phone call is generally assumed to be moderately secure. While again I don't agree with this assumption, let's just accept it for the sake of argument as well. Why people talk about deeply private issues in public places is beyond me, but in this instance the listener has to be within hearing range (maybe 10-20 feet depending on noise level), and they only hear half of the conversation.

In the case of WiFi interception the listener can be up to a few hundred feet away, hear both sides, and actually know who was called / who called the user.

When we combine the points I've already detailed, the scenario isn't a sunny one. To recap:
  • republic heavily incentivizes WiFi use
  • People are already incentivized to use unsecured WiFi in public places, and do so often and without considering it
  • Most people assume their cellphone calls are secure
  • republic automatically sets up an unsecured SIP session the moment it connects to a wireless network
  • Interception of wireless traffic is relatively trivial, and surprisingly common
At the bare minimum, shouldn't the device throw up a huge warning if it's on unsecured WiFi prior to starting a SIP session, forcing the user to agree that what they're about to do is a Bad Idea? Or, as I suggested previously, just refuse to negotiate a SIP connection if on unsecured WiFi?
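One way a softphone could implement that gate, as an added example (not republic's code): a policy check run on the "joined a WiFi network" event that allows, warns, or refuses before any SIP registration starts. The WifiLink fields, the security vocabulary and the function names are assumptions for the example, not any real platform API.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"    # start SIP signalling as usual
    WARN = "warn"      # stop and get explicit user consent first
    REFUSE = "refuse"  # never start SIP on this link

@dataclass(frozen=True)
class WifiLink:
    """Constructed description of the network just joined; the field names
    are assumptions for this example, not any platform's real WiFi API."""
    ssid: str
    security: str               # "open", "wep", "wpa" or "wpa2"
    sip_transport: str = "udp"  # transport the client would use: udp/tcp/tls
    srtp_offered: bool = False  # would media be offered as SRTP?

# Link-layer protection strong enough that a third party in radio range cannot
# simply read the frames. WEP is deliberately left out: it is recoverable.
PROTECTED_LINK = {"wpa", "wpa2"}

def sip_policy(link: WifiLink, strict: bool = False) -> Decision:
    """Decide whether SIP signalling may start over this WiFi link.

    TLS signalling plus SRTP media protects credentials, call metadata and
    voice whatever the radio link does, so that is always allowed. Plain
    SIP/RTP relies on the link encryption instead. strict=True implements
    the stronger option from the post: refuse instead of warn.
    """
    if link.sip_transport == "tls" and link.srtp_offered:
        return Decision.ALLOW
    if link.security.lower() in PROTECTED_LINK:
        return Decision.ALLOW
    return Decision.REFUSE if strict else Decision.WARN

def on_wifi_joined(link: WifiLink, user_consents: bool = False,
                   strict: bool = False) -> bool:
    """Hook for the 'joined a WiFi network' event. Returns True only when SIP
    registration should proceed; consent for the WARN case must already have
    been collected by the UI before this is called."""
    decision = sip_policy(link, strict)
    if decision is Decision.ALLOW:
        return True
    if decision is Decision.WARN:
        return user_consents
    return False
```

On the open airport hotspot from the post this yields WARN (or REFUSE in strict mode), while a WPA2 home network or a TLS+SRTP client passes regardless of the link.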

I understand that TLS and SRTP aren't great solutions and that's why no one really uses them, but for an application like this -- a hybrid WiFi-cellphone -- not having any form of encryption is a recipe for failure. A laughable one at that.

TLS and SRTP also aren't the only VoIP security options...

Suggesting VPNs are a solution is equally laughable. The vast majority of people haven't heard of them at all and those that have only know them as something they need to "run it before they connect to their work stuff". They're not going to have the foggiest idea how to set one up, maintain it or use it. To say nothing of the fact that republic will still automatically connect immediately on joining a WiFi network...

I bring all of this up because republic is still in beta and is actively soliciting input to improve its service. As a result, they can and should fix these things now, before they have a huge public roll out and end up looking silly or being culpable for some disaster.

1 comment:

  1. I agree that HS 2.0/802.11u are just in early stage trials at this time. It will probably be mid-late 2012 before they start being widely deployed. I do think there will be a push to get them rolled out quickly, mostly because the MNOs are desperate for a way to ramp their data services without having to invest more than they already are in LTE RANs and backhaul. I think we may see some major announcements between ATT/Verizon with large hotspot operators (Boingo, McDonalds, Starbucks, etc...) in the spring.

    I do think this is the best long-term solution to the airlink security concern, but you're correct that it won't help for the next 6-9 months.

    I also agree that traditional VPN solutions don't make sense. Too much user awareness, need to tear down and recreate tunnel when moving, and suboptimal RTP routing are all against it.

    Personally, I'm cool with my calls being unencrypted, but I can understand that it will be an issue for some.