I found this video today featuring Dr Yan Wong from the BBC. Whilst it is very short, the video does provide a nice simple introduction to some of the ideas behind public key cryptography, which secures most of e-commerce on the web. Definitely worth a watch if you don’t want to get into the messy details.
However, if you do want to get into the messy details of public key cryptography, I suggest perusing the Wikipedia article on the subject.
This is a very good article from Webmonkey explaining why the vast majority of the web is stuck using the HTTP protocol, which sends all information (including usernames & passwords) as plaintext, as opposed to HTTPS, which encrypts it. Whilst HTTP is fine for a lot of static websites, it is very insecure for websites that have access to personal information, or that are accessed using some kind of password.
The problem with HTTP-based login sessions doesn’t stop at passwords being sent in the clear. Whilst users usually only enter their password once per session, the associated session cookie is sent with every request, so stealing this cookie is a lot easier than stealing the password. The stolen cookie can then be used to hijack that user’s current session.
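To make the point concrete from a defender’s side, here is a small added example (my own code, not from the Webmonkey article) that audits a handful of constructed HTTP requests, as a monitoring proxy might log them, and flags every plaintext request that carries a session cookie, an Authorization header, or a posted password field. The request records, host names and session values are all made up for the demonstration.

```python
"""Flag HTTP requests that carry credentials or session cookies in the clear.

Added illustration: the sample traffic below is constructed, not captured.
Each record is a raw HTTP/1.1 request plus a flag saying whether the
connection was TLS (HTTPS) or plaintext (HTTP).
"""
from dataclasses import dataclass, field

SENSITIVE_HEADERS = ("cookie", "authorization")
CREDENTIAL_FIELDS = ("password", "passwd", "pwd")


@dataclass
class Request:
    tls: bool            # True if the request travelled over HTTPS
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_raw_request(raw: str, tls: bool) -> Request:
    """Parse a minimal raw request: request line, headers, blank line, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(tls, method, headers.get("host", ""), path, headers, body)


def find_cleartext_exposures(requests):
    """Return (host, path, reason) for every plaintext request that exposes a secret.

    Note that the cookie check fires on ordinary page loads, not just on the
    login POST: once a session exists, every request carries the cookie.
    """
    findings = []
    for r in requests:
        if r.tls:
            continue  # encrypted in transit, nothing to report
        for h in SENSITIVE_HEADERS:
            if h in r.headers:
                findings.append((r.host, r.path, f"{h} header sent over plaintext HTTP"))
        if r.method == "POST":
            # Form-encoded body: look only at field names, never log the values
            fields = {kv.split("=", 1)[0].lower() for kv in r.body.split("&") if kv}
            if fields & set(CREDENTIAL_FIELDS):
                findings.append((r.host, r.path, "credential field posted over plaintext HTTP"))
    return findings


# Constructed sample traffic (hypothetical hosts and session identifiers).
SAMPLE = [
    ("POST /login HTTP/1.1\r\nHost: forum.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "user=alice&password=hunter2", False),
    ("GET /thread/42 HTTP/1.1\r\nHost: forum.example\r\n"
     "Cookie: PHPSESSID=abc123\r\n\r\n", False),
    ("GET /static/logo.png HTTP/1.1\r\nHost: forum.example\r\n\r\n", False),
    ("GET /account HTTP/1.1\r\nHost: bank.example\r\n"
     "Cookie: session=xyz\r\n\r\n", True),
]


def audit_sample():
    """Run the audit over the constructed sample and return the findings."""
    return find_cleartext_exposures([parse_raw_request(raw, tls) for raw, tls in SAMPLE])


if __name__ == "__main__":
    for host, path, reason in audit_sample():
        print(f"{host}{path}: {reason}")
```

Running it reports two exposures: the login POST leaks the password once, but the cookie on the ordinary thread view is the finding that would repeat on every subsequent request of the session, which is exactly why the cookie is the easier thing to steal. The static image request and the HTTPS request produce nothing.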
The main reasons why most websites don’t move to HTTPS have nothing to do with the complexity of setup, but rather with the high cost of digital certificates, slower transfer speeds (due to the initial key exchange), and the inability of browsers to cache pages served over HTTPS. So for now, it doesn’t seem likely that your favourite forum or blog (even this one!) will switch to HTTPS.
So what can you do? Well, if you do use websites that require passwords to access, or that store session cookies on your computer, make sure you are using a network that is trusted. In other words, use a network that you know (such as one at your home or work), and in the case of wireless networks, make sure it is secured by at least WPA. Public WiFi access points that are usually found in coffee shops should be avoided, mainly because they are susceptible to Evil Twin attacks.
For users of Firefox who are more concerned about security and less about speed or caching, I highly recommend HTTPS Everywhere, an addon that forces HTTPS on popular websites that are usually served over HTTP.
What appears to be unique to this type of attack on GSM is that an attacker can specify an actual target device to eavesdrop on. Using a set of cheap Motorola phones with open-source firmware, the researchers were able to see all data being broadcast by the GSM base station. Once a target device is located, the relevant data can be decrypted by recovering the GSM encryption key using a set of rainbow tables. The set of tables used by the researchers was generated over a two-month period in a previous research project, and is 2TB in size. An attacker only needs two encrypted messages with known plaintext to have a 90% chance of finding the secret key.
In Nohl’s own words, “Now there’s a path from your telephone number to me finding you and listening to your calls, the whole way.”
Let’s just hope the GSM Association (GSMA) takes the research on board, and pays special attention to the relative ease and low cost of actually executing the attack. According to the BBC News write-up, the association has yet to comment on the attack.