Public Access BlackSpots?

CANNES, France -- 3GSM Congress -- There's a big problem with connecting public wireless LAN access points to GSM/GPRS cellular networks, according to SIM card vendor SchulmbergerSema. 802.11b hotspots provide hackers with an easy way to grab user information from the wide-area network itself, the company tells Unstrung.

The heart of the problem is that when the GSM standard was being defined back in the late 80s, no one imagined that a hacker could set up his own wireless network to gain access to an operator's network and the user data therein. Therefore, GSM networks only authenticate the details held on the SIM card in a user's device before starting a session on the network. The user's device doesn't check the credentials of the network it is attempting to access.

This was fine before the advent of wireless LAN. But now for a minimal outlay anyone can own a wireless network.

At the same time, vendors and operators are starting to use SIM card-based authentication front-end systems for public wireless LAN networks, which allow them to link the user back to the home location register (HLR) database on the GSM network and thus manage and bill a subscriber on the WLAN network in the same way as they would on the wide-area network.

This all adds up to networks that could be vulnerable to hacker attacks, according to Schlumberger.

Hackers can set up "rogue" hotspots that users will access in the belief they are on the genuine public wireless LAN network. Once users are on the fake network, it is easy for the hacker to access data held on the device via the 802.11 connection (see WLAN: The Four S's and this paper for more on the insecurity of wireless LAN). Hackers can then break into the SIM software on the user's device and get the codes held there. They can then use that information to fool the GSM authentication system and thus gain access to the network.

Schlumberger say that this won't be a problem once UMTS networks are available, because the 3G standard ensures what's known as "mutual authentication" -- the network authenticates a user device, and the device confirms that it is actually on a valid network before the session can proceed.

However, for public wireless LAN implementations that will connect to backend systems on GSM and GPRS networks, Schlumberger has developed a SIM card-based system (surprise!) that enables mutual authentication between the device and networks that are accessed via the gateway of public wireless LAN hotspots. The mutual authentication takes place via algorithms on the card itself rather than in SIM card software on the device.

Schlumberger is showing a system at the 3GSM congress that uses a separate smartcard and reader plugged into a WLAN-enabled laptop. However, the firm says that the smartcard and radio could be integrated into one PCMCIA card, much in the way that Nokia Corp. (NYSE: NOK) has done.

Orange France is currently testing Schlumberger's security system. Schlumberger expects that operators will start to roll it out before the end of this year.

— Dan Jones, Senior Editor, Unstrung
Be the first to post a comment regarding this story.
Sign In