Slashdot Mirror


Deutsche Telecom Upgrades T-Mobile 2G Encryption In US

An anonymous reader writes T-Mobile, a major wireless carrier in the U.S. and subsidiary of German Deutsche Telecom, is hardening the encryption on its 2G cellular network in the U.S., reports the Washington Post. According to Cisco, 2G cellular calls still account for 13% of calls in the US and 68% of wireless calls worldwide. T-Mobile's upgrades will bring the encryption of older and inexpensive 2G GSM phone signals in the US up to par with that of more expensive 3G and 4G handsets. Parent company Deutsche Telecom had announced a similar upgrade of its German 2G network after last year's revelations of NSA surveillance. 2G is still important not only for that 13 percent of calls, but because lots of connected devices rely on it, or will, even while the 2G clock is ticking. The "internet of things" focuses on cheap and ubiquitous, and in the U.S. that still means 2G, but lots of things that might be connected that way are ones you'd like to be encrypted.

27 comments

  1. How's this affect StingRay(tm)s by cant_get_a_good_nick · · Score: 2

    Obligatory Ars Link. From what I understand, fake towers work by forcing you to downgrade to 2G. Will this obviate that risk?

    1. Re:How's this affect StingRay(tm)s by lart2150 · · Score: 2

      There are two types of attacks. One is a fake tower; the other is just listening in/relay of signal to a real tower without any funny business. The change T-Mobile is making will help prevent the latter but the downgrade attack will still work. As long as the device supports the insecure standards the fake towers will work for downgrade attacks (assuming they prevent you from connecting to a better tower).

    2. Re:How's this affect StingRay(tm)s by Anonymous Coward · · Score: 0

      "Will this obviate that risk?"

      No, GSM has a protocol weakness, in that a fake tower can control the level of encryption used by your phone. Therefore a stingray device can still tell your phone not to use encryption. This stops mass surveillance via listening stations. Mass surveillance is still possible with the co-operation of telecoms.

    3. Re:How's this affect StingRay(tm)s by Ceriel Nosforit · · Score: 1

      From what I have read on A5, the newer versions made a strange mistake which actually leaves A1/2&3 slightly weaker against brute force attacks than A5/1.

      It is possible to use rainbow tables against A5, which seems to mean it isn't salted. - There should be more than enough performance in modern devices to support stronger encryption.

      --
      All rites reversed 2010
  2. But disabling GSM when possible is still smart by IamTheRealMike · · Score: 2

    GSM (2G) encryption did not authenticate the cell tower, whereas UMTS (3G) and above do. Cell tower authentication should break devices like the Stingray and other forms of fake base station, unless/until governments start forcing cell carriers to hand over the signing keys for tower identities. But as devices like Stingray exist more or less exclusively to get around the warrant requirement and no carrier would assist in that way without a court order, that places the police in the awkward position of asking a judge to write an order that can only be for avoiding the same judge's authority....

    1. Re:But disabling GSM when possible is still smart by Anonymous Coward · · Score: 0

      [...] no carrier would assist in that way without a court order [...]

      HA! That's a good one - the same carriers that gave access to metadata? I think tower signing keys fall somewhat more squarely in the company's property that they can turn over as they like; and given their eagerness, I suspect they'll like it a lot.

    2. Re:But disabling GSM when possible is still smart by Qzukk · · Score: 1

      They're eager to do things they can charge for. I bet AT&T charges a pretty penny for the connections to room 641A

      They're a little less eager to do things they can't make money on. Of course, if they don't participate they might find themselves like Qwest's CEO, who lost all the government contracts because he wouldn't play ball with the NSA, then got arrested on securities charges for losing stockholders' money by losing the government contracts.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    3. Re:But disabling GSM when possible is still smart by Anonymous Coward · · Score: 0

      Cell tower authentication should break devices like the Stingray and other forms of fake base station,

      Fine, yet given what we know the safer assumption seems to be that it doesn't break.

      These protocols are hard to get right, and telco cartel seems to make little effort. I suspect the whole mess is still vulnerable to many forms of downgrade attack.

  3. Oh, things like our... by TWX · · Score: 1

    ...security system?
    ...server room HVAC system?
    ...Halon fire suppression system?


    Fairly low-tech, but rather important none the less, and monitored via cell network as a backup in case the WAN link goes down...

    --
    Do not look into laser with remaining eye.
    1. Re:Oh, things like our... by Anonymous Coward · · Score: 0

      Nail, head hit. I normally detest the IoT with a passion because it will be delivered to us sans security, and the first guy who manages to kill someone from afar via these means will get a lot of notoriety.

      However, I can name a few items where I want a connection (assuming they are connecting out to send info to a server, and can't be easily hacked via incoming traffic):

      As above, security/fire/environmental.

      The "help, I've fallen and I can't get up" system. POTS lines are all but gone these days, and 3G+ can be pegged to the wall if there is something going on (for example, SXSW in Austin.)

      The UPS. If it is on battery and there is a failure, it needs to alert people.

      The generator. Stuff like oil life, fuel levels, filter life, voltages.

      A silent alarm. It wasn't that long ago when a server room in Chicago got robbed three times in less than a year. Other places (storefronts) might need it as well. (Especially true in the US where the more firearms on the street means more gun crimes committed.)

    2. Re:Oh, things like our... by TWX · · Score: 1

      Unfortunately any large collection of people destroys the ability of a modern cell network to communicate with handsets. When I go to conventions I bring my 2m HT. Granted that means I'm limited to talking with other hams, but still better than absolutely nothing.

      --
      Do not look into laser with remaining eye.
    3. Re:Oh, things like our... by Anonymous Coward · · Score: 0

      ...the first guy who manages to kill someone from afar via these means will get a lot of notoriety.

      He already has a Top 100 quote on bash.org. What more does he need?

  4. Does their encryption protocol... by DoofusOfDeath · · Score: 1

    foil National Security Letters?

    When people with guns ignore the Constitution, technical solutions seem insufficient.

    1. Re:Does their encryption protocol... by Verdatum · · Score: 1

      Nope. Look into CALEA.

    2. Re:Does their encryption protocol... by Anonymous Coward · · Score: 0

      There are no other solutions.

    3. Re:Does their encryption protocol... by AHuxley · · Score: 1

      +1. If it works and is for sale in the USA, the standard will be ready as sold for CALEA.
      That's ready for tracking, remote turn on, software update and voice recording at a village, town, city, state, federal level as sold.
      Some much older tech or kits in private hands for security work may need upgrading.

      --
      Domestic spying is now "Benign Information Gathering"
  5. Not so sure by Verdatum · · Score: 1

    They can use a great encryption algorithm, but if they continue to not authenticate the basestation, as per 2G specs, then it doesn't really help. It wasn't until LTE that this finally started happening.

    1. Re:Not so sure by Anonymous Coward · · Score: 0

      UMTS (GSM 3G) does authenticate at the basestation, though. LTE brings this property from the UMTS network forward. Technologies designed before 2000 generally didn't have this. UMTS was the first, I believe.

    2. Re:Not so sure by TuringCheck · · Score: 1

      They can use a great encryption algorithm, but if they continue to not authenticate the basestation, as per 2G specs, then it doesn't really help. It wasn't until LTE that this finally started happening.

      This problem can be solved at the Mobile Station or SIM by refusing to register or call over a network that does not support at least UMTS authentication of the network and replay protection or that does not activate encryption. This would break connections to 2G networks whose MSC was not updated to support UMTS authentication but it could be implemented as a user option.
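
Added example, not part of the thread or of any commenter's post: a Python sketch of the handset-side user option described in the comment above, set beside a legacy handset that accepts whatever the network selects. `NetworkOffer`, `evaluate`, `decisions` and the sample offers are constructed for illustration and are not a real baseband or SIM API; A5/0 is taken to mean "no encryption".

```python
from dataclasses import dataclass

NO_ENCRYPTION = "A5/0"  # assumption: A5/0 denotes an unencrypted session


@dataclass(frozen=True)
class NetworkOffer:
    """What a base station presents to the handset (constructed model)."""
    name: str
    network_authenticated: bool  # UMTS-style authentication of the network
    replay_protected: bool       # authentication cannot be replayed
    cipher: str                  # cipher the network selects for the session


def evaluate(offer, strict):
    """Return (accept, reason).

    strict=False models a legacy handset: the network picks, the handset obeys.
    strict=True models the opt-in policy: refuse unless the network
    authenticates itself, is replay protected, and activates encryption.
    """
    if not strict:
        return True, "legacy: network's choice accepted"
    if not offer.network_authenticated:
        return False, "network did not authenticate itself"
    if not offer.replay_protected:
        return False, "no replay protection"
    if offer.cipher == NO_ENCRYPTION:
        return False, "encryption not activated"
    return True, "authenticated, replay-protected, encrypted"


# Constructed sample offers, covering the cases raised in the thread.
OFFERS = [
    NetworkOffer("fake 2G tower", False, False, "A5/0"),
    NetworkOffer("real 2G, upgraded cipher, old MSC", False, False, "A5/3"),
    NetworkOffer("2G with MSC updated for UMTS auth", True, True, "A5/3"),
    NetworkOffer("authenticated but unencrypted", True, True, "A5/0"),
]


def decisions(strict):
    """Map each sample offer's name to its (accept, reason) decision."""
    return {offer.name: evaluate(offer, strict) for offer in OFFERS}


if __name__ == "__main__":
    for strict in (False, True):
        print("strict policy" if strict else "legacy handset")
        for name, (ok, why) in decisions(strict).items():
            print(f"  {'ACCEPT' if ok else 'REFUSE'}  {name}: {why}")
```

The second sample offer shows the trade-off the comment names: under the strict option a genuine 2G network with a stronger cipher is still refused when it cannot authenticate itself to the handset.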

  6. Good luck, as carriers stop using 2G by billstewart · · Score: 1

    My Garmin Nuvi GPS no longer gets traffic data, and can't use a few other 2-way features like Google Search, because the 2G wireless network it used will be going away early next year, and the carrier's no longer renewing contracts for them. So it's back to being a dumb GPS, with maps and built-in data points, but no live search.

    Carriers really want to reallocate their 2G spectrum to 4G or at least 3G, because it lets them get more calls and a lot more data in the same amount of bandwidth, and because the movement of users to newer standards means that their remaining 2G bands are very underused.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Good luck, as carriers stop using 2G by Anonymous Coward · · Score: 0

      My Garmin uses an FM traffic provider, instead of 2G.

    2. Re:Good luck, as carriers stop using 2G by RubberDogBone · · Score: 1

      My Garmin also uses FM for real time traffic, however FM traffic is being phased out in favor of data over the "HD" radio signal, which is a different kind of thing. You'll need a new GPS to take advantage of it, and at some point the older FM signal you get now will cease to exist.

      Honestly though, I use my phone GPS (Waze) exclusively now. It has all the real time traffic and updated maps and other benefits. My Garmin sits in a drawer and never gets used.

      --
      Sig for hire.
  7. Really? by Anonymous Coward · · Score: 0

    "German Deutsche Telecom" is redundant and "Telecom" should be "Telekom." FFS.

    1. Re: Really? by Anonymous Coward · · Score: 0

      Deutsche Telekom is the company name. Sounds weird but not technically redundant.

  8. Phone navigation vs. Car Radio by billstewart · · Score: 1

    My car radio has Bluetooth. Works really well for phone calls, and has a good microphone built into the car ceiling near the driver. Unfortunately, it doesn't get along with the navigation applications in my phone; they're not phone calls, so it doesn't play them. (Maybe it would if I set the radio for MP3 mode or something, instead of radio? But then it wouldn't be playing the radio, whereas my Garmin doesn't care about the radio and just talks, and I pick the snarky British GPS voice because it usually doesn't sound like anybody on the radio except some BBC programs.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks