![2-Secure communication over GSM
• Secure communication is a protective measure that should be taken to ensure the state of
inviolability from hostile acts or influences. The ciphering algorithm used in GSM network is
specifically designed to prevent unauthorized access and to protect confidentiality across the
network; however, the encryption scheme is applied for ensuring traffic confidentiality only across
the radio access channel. While the voice is transmitted in clear form over the core network in the
form of PCM (Pulse Code Modulation) and ADPCM speech. Therefore, the GSM system is not able
to provide the traffic end-to-end confidentiality between two communication parties and is
completely vulnerable to several attacks like man-in-the-middle, interleaving and replay attacks.
• GSM is essential in our everyday lives because to its availability, robustness, and dependability.
GSM security is weak and vulnerable to assaults. One of the most significant problems is voice
security via GSM. It is essential to have a solution that offers end-to-end secure speech assurance,
even if the system provides minimal voice security via air connections using encryption. To make
the conversation safe (end-to-end), the speech may be encrypted and sent via GSM.
• Due to GSM voice channel technological limitations, it is difficult to utilise encrypted speech
transmission over such an unsecured channel. The 4 kHz bandwidth of GSM voice channels restricts
data speeds. A GSM channel takes 28–31 seconds to connect, of which 18 seconds are spent
handshaking [3]. The GSM channel utilizes Automatic Repeat Request (ARP) for error detection and
correction within a 300-3400 Hz bandwidth. Due to the restricted bandwidth, it is difficult to convert
digital to analogue and send it across the channel.](https://image.slidesharecdn.com/communicationsecurity-210821182037/85/Communication-security-2021-7-320.jpg)
Communication security 2021
- 1. Communication Security Muhammad Usman Rana Department of Computer Science COMSATS University, Islamabad, Pakistan Usman.amir90@gmail.com
- 2. Overview 1-Secure phone design 2-Secure communication over GSM 3-Secure phone design software specifications 4- Pegasus spyware 5-Secure phone design hardware specifications 6-Custom encryption algorithms for security much like WhatsApp
- 3. Introduction • If hackers target mobile devices, it's time to take phone security seriously. Mobile devices are as vulnerable as PCs, if not more so. Malware, social engineering, web attacks, network attacks, and physical theft are all threats. Be prepared, whether you are in charge of an organization's security or just want to safeguard your personal devices. Begin with security awareness training and policies, then move on to more technical countermeasures. still call the devices in our pockets “phones,” but they're so much more. Phones nowadays are networked computers with data storage and recording capabilities. Also, a photo gallery, a mobile bank and social network hub. That's fantastic! True, but all of these features make our phones prime targets for hackers. Since most of us don’t want to give up the ease of having all of our needs on one device, what can we do to stay safe?
- 4. Contrast between Value and Risk • Mobile apps may provide huge value to businesses. – New types of applications using mobile capabilities such as GPS, camera, etc. – Innovating applications for workers and consumers’ • There are several dangers associated with mobile devices and mobile apps. – Inevitably, sensitive data is kept on the device (email, contacts) – Connect to a variety of untrusted networks (carrier, WiFi) • The majority of developers are not qualified to create secure apps – A fact of life, but slowly improving• • The majority of developers are inexperienced with developing mobile apps - Different platforms have varying levels of security and capabilities.
- 5. Security Implications • In the end, you should be concerned with the system. Application plus… – 3rd party web services – Enterprise services And so on. • Intruders may obtain unauthorized access in many ways. Attacker steals or accesses a lost device – Malicious application – Attacker reverse engineers an application to access corporate resources – And so on… • The most “interesting” weaknesses and vulnerabilities we find are in mobile applications’ interactions with supporting services
- 6. 1-Phone protection steps, regardless of your operating system: • Set up fingerprint or facial scanning: Having a secure password (particularly anything like fingerprint/facial recognition) can keep your phone safe from anybody who finds it. • Use a VPNVPNs: allow you to securely connect to a private server rather than sharing it with everyone else on the public network. Your data is safer since it is encrypted as it moves between servers. • Encrypt data: If your device doesn't already have encryption enabled, you'll need to activate it. In order to prevent hackers from accessing your data while it is being sent from server to server, data encryption is used. • Set up remote erasing: This feature allows you to delete data from your phone even if you no longer own it. It's a fantastic security feature in case your phone is misplaced. Setting up remote wipe varies per device. This tutorial from Northern Michigan University's IT department will show you how to enable remote wipe on any device. • “Remote wiping is likely included in a device management software like Prey, along with additional features like tracking.” • “With Prey, you may remotely format your phone to ensure no sensitive data is accessible at any time. Wipe should only be done when recovering the device is less essential than protecting your data.”
- 7. 2-Secure communication over GSM • Secure communication is a protective measure that should be taken to ensure the state of inviolability from hostile acts or influences. The ciphering algorithm used in GSM network is specifically designed to prevent unauthorized access and to protect confidentiality across the network; however, the encryption scheme is applied for ensuring traffic confidentiality only across the radio access channel. While the voice is transmitted in clear form over the core network in the form of PCM (Pulse Code Modulation) and ADPCM speech. Therefore, the GSM system is not able to provide the traffic end-to-end confidentiality between two communication parties and is completely vulnerable to several attacks like man-in-the-middle, interleaving and replay attacks. • GSM is essential in our everyday lives because to its availability, robustness, and dependability. GSM security is weak and vulnerable to assaults. One of the most significant problems is voice security via GSM. It is essential to have a solution that offers end-to-end secure speech assurance, even if the system provides minimal voice security via air connections using encryption. To make the conversation safe (end-to-end), the speech may be encrypted and sent via GSM. • Due to GSM voice channel technological limitations, it is difficult to utilise encrypted speech transmission over such an unsecured channel. The 4 kHz bandwidth of GSM voice channels restricts data speeds. A GSM channel takes 28–31 seconds to connect, of which 18 seconds are spent handshaking [3]. The GSM channel utilizes Automatic Repeat Request (ARP) for error detection and correction within a 300-3400 Hz bandwidth. Due to the restricted bandwidth, it is difficult to convert digital to analogue and send it across the channel.
- 8. Conti.... • GSM utilizes A5 encryption for voice calls. However, the A5 algorithm has several security flaws, and the A5/1 and A5/2 modes are considered compromised and unreliable for secure transmission. Thus, A5 cannot fully secure voice call for GSM users. Lesser control over encryption security is given to network providers and phone manufacturers. Because the encryption method is controlled by a third party, illegal access to a GSM voice channel may undermine call security. Thus, an independent external end-to-end solution for secure phone call transmission via GSM voice channel is required. Aside from the inherent technological constraints of the GSM voice channel, other factors such as cost, bandwidth, and delays must be considered.
- 9. 3-Secure phone design software specifications Smartphone apps such as Android, iOS, and Windows Phone are subject to mobile application security. This includes apps for both phones and tablets. It includes evaluating applications' security in relation to the platforms, frameworks, and people they are intended to serve (e.g., employees vs. end users). Many businesses rely solely on mobile apps to connect with users worldwide.
- 10. 5-Custom encryption algorithms for security much like WhatsApp • WhatsApp is a popular instant messaging application with over two billion users worldwide. India has approximately 12 million users on this Facebook-owned network, making it one of its largest marketplaces. With WhatsApp, messages are encrypted from end-to-end, so only the sender and recipient can see them. WhatsApp seems to be a safe and private chat app. However, In May of that year, WhatsApp disclosed that Pegasus had infected over 1,400 Android and iPhone phones in this manner, including those of government officials, journalists, and human rights activists. It quickly resolved the issue. Additionally, Pegasus exploits vulnerabilities in iMessage, granting it backdoor access to millions of iPhones. Additionally, spyware can be installed via a wireless transceiver (radio transmitter and receiver) near the target.
- 11. WhatsApp’s end-to-end encryption & Is WhatsApp's encryption secure? • WhatsApp implemented end-to-end encryption in 2016. All calls and messages sent to contacts using the newest version of the app are now end-to-end encrypted by default. End-to-end encryption is enabled by default. That means only you and the other person can read what you send, not WhatsApp. Your communications are locked, and only you and the receiver have the unique key to open and read them. Every communication you send has its own lock and key for extra security. No need to enable settings or create hidden conversations to protect your messages.” • Though WhatsApp's conversations and calls are protected by end-to-end encryption, there have been instances of software glitches leading to system breaches. In 2019, the NSO Group reportedly used a video chat to install spyware on a phone, using a malware program called Pegasus. The technology may enable hackers to install malware through video call, even if the victim never responded. WhatsApp sued the Israeli company, blaming it for the cyber-attacks.
- 12. • Pegasus spyware is a surveillance Software developed by Israeli cyber intelligence company NSO Group. This firm is known to build sophisticated software and technology for selling solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts, as claimed by the company. Pegasus is one such Software that is designed to get access to your phone without permission and collect personal and sensitive information and send it to the user that is spying on you. Pegasus?
- 13. Pegasus spyware: When was it first discovered? • Pegasus malware was first detected in an iOS version in 2016, and subsequently in a slightly modified form on Android in 2017. Kaspersky adds that one of the primary methods of infection in the early days was through SMS. The victim received an SMS with a link. If the user clicks on it, the malware is installed on their device. • Pegasus, on the other hand, has developed over the past half-decade from a primitive system dependent on social engineering to a piece of software capable of compromising a phone without the user clicking on a single link, or what the cyber world refers to as zero- click vulnerabilities.
- 14. Brief history of Pegasus 2016: Researchers at Canadian cybersecurity organization The Citizen Lab first encountered Pegasus on a smartphone of human rights activist Ahmed Mansoor. September 2018: The Citizen Lab published a report that identified 45 countries in which Pegasus was being used. As with the latest revelations, the list included India. October 2019: WhatsApp revealed that journalists and human rights activists in India had been targets of surveillance by operators using Pegasus. July 2021: The Pegasus Project, an international investigative journalism effort, revealed that various governments used the software to spy on government officials, opposition politicians, journalists, activists and many others. It said the Indian government used it to spy on around 300 people between 2017 and 2019.
- 15. How does it work? Pegasus takes advantage of previously unknown vulnerabilities, or bugs, in Android and iOS. This means that even if a phone has the most recent security patch installed, it may become infected. An earlier version of the spyware — from 2016 — infected smartphones through a technique known as "spear-fishing": text messages or emails containing a malicious link were sent to the target. It was conditional on the target clicking the link—a stipulation that was removed in subsequent versions. By 2019, Pegasus could infiltrate a device via a missed WhatsApp call and even delete the record of the missed call, obliterating the user's awareness of being targeted. In May of that year, WhatsApp disclosed that Pegasus had infected over 1,400 Android and iPhone phones in this manner, including those of government officials, journalists, and human rights activists. It quickly resolved the issue. Additionally, Pegasus exploits vulnerabilities in iMessage, granting it backdoor access to millions of iPhones. Additionally, spyware can be installed via a wireless transceiver (radio transmitter and receiver) in close proximity to the target.
- 16. Pegasus spyware: How does it infect a phone? According to the Organized Crime and Corruption Reporting Project (OCCRP), as the public became more aware of these tactics and improved their ability to identify malicious spam, a zero-click exploit solution was eventually discovered. Pegasus does not need the victim to do anything in order to compromise their device using this technique. Zero-click exploits take advantage of bugs in popular apps such as iMessage, WhatsApp, and FaceTime, which all receive and sort data from a variety of sources, including unknown ones. Once a vulnerability is discovered, Pegasus may infect a device through the app's protocol. The user is not required to click on a link, read a message, or respond to a call — in fact, they may not even notice a missed call or message. "It integrates with the majority of messaging systems, including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, and Telegram, as well as Apple's built-in messaging and email apps. With this lineup, nearly the whole world's population could be spied on. NSO is providing an intelligence agency as a service,” Timothy Summers, a former cyber engineer at a US intelligence agency, stated. Apart from zero-click exploits, OCCRP describes another technique called "network injections" for silently infiltrating a target's device. Without them clicking on a specially designed malicious link, a target's Web browsing can expose them to attack.
- 17. Pegasus spyware: How does it infect a phone? This strategy entails waiting for the target to visit an unsecure website as part of their regular online activities. When they click on an unprotected link, the NSO Group's software can gain access to the phone and initiate an infection. Amnesty International recently reported that the NSO Group's spyware has been used to infect newer iPhone models, specifically the iPhone 11 and iPhone 12. The spyware can masquerade as an application downloaded to an iPhone and transmit itself via Apple's servers as push notifications. Thousands of iPhone handsets may have been compromised as a result of the NSO spyware. Pegasus for Android, according to Kaspersky, does not rely on zero-day vulnerabilities. Rather than that, it employs a well-known rooting technique known as Frameproof. Another distinction is that if the iOS version fails to jailbreak the device, the entire attack will fail; however, if the Android version fails to obtain the necessary root access to install surveillance software, the malware will still attempt to directly ask the user for the permissions necessary to exfiltrate at least some data.
- 18. What can it do? Pegasus can intercept and steal almost any information on a phone after it is installed, including SMSes, contacts, call history, calendars, emails, and browser histories. It can record calls and other conversations using the microphone on your phone, covertly film you with its camera, or follow you using GPS.
- 19. NSO Group Pegasus Indicator of Compromise https://github.com/AmnestyTech/investigations/tree/master/2021- 07-18_nso Amnesty International researchers have created a method to determine if your phone has been compromised by malware. The Mobile Verification Toolkit (MVT) is designed to assist you in determining whether your device has been infected with Pegasus. While it is compatible with both Android and iOS devices, it currently requires some command line knowledge to operate. However, MVT may eventually get a graphical user interface (GUI).
- 20. Tips to Boost Mobile Security •Use PINs to lock your phone. Either use the longer numeric PIN or your face or finger to unlock the phone. The second or two delay is worth the extra security. As part of your Touch/Face ID and Passcode settings is an option to “erase data” after entering 10 incorrect PIN attempts. •Use additional security apps. Network Solutions has a Cyber Security Solution that bundles Lookout and SkOUT along with a VPN. There are also other free anti-malware products from Avira, Avast, ESET, Kaspersky and Sophos all have free AV for Android for example. And there are numerous free VPN providers, such as Proton VPN and Cloudflare’s Warp that are worth using too. •Use a password manager. Having a common repository of passwords among all your devices — and having complex and unique passwords — is a major improvement over shared and simple passwords. •Think before you connect to any public WiFi network. Don’t automatically connect to WiFi hotspots by name: hackers like to fool you into thinking that just because something is named “Starbucks WiFi” it’s safe. Apple makes a Configurator app that can be used to further lock down its devices: use it. “Ask to Join Networks” should always be set to the “Ask” option. •Always download apps from the official Google Play and Apple iTunes stores. Make sure you have connected properly before you click on that download link. And while you are checking, make sure you understand the app’s permissions and that they match what the app is doing. Some developers, such as the financial app Mint, actually go a step further and have a menu option in their apps that can show you their privacy policy too. •Turn on the Verify Apps feature on Android devices to prevent malicious or questionable apps from being downloaded. •Finally, update your device’s operating system when new versions are available. This is the best way to stay ahead of potential exploits found in older versions.
- 21. Get Proven Security with BlackBerry There are phones that say they are secure and then there are phones that live and breathe security. Phones with BlackBerry software or apps don’t just tack on security, it’s built-in. BlackBerry is trusted by thousands of companies and governments around the world to securely enable business on mobile. With BlackBerry, you can be confident that extra precautions are taken at both the hardware and software levels to protect your BlackBerry smartphone from malicious tampering. Security starts with the manufacturing process and stays with your smartphone from that point forward. When you boot up, each component of hardware and software is validated to ensure your device hasn’t been tampered with. Then your device is continuously monitored for events or changes that indicate a compromise to device security.