Mord Behar <mord...@gmail.com> writes: > The real diference between using a mobile phone and using a laptop is > that first hop, from the device to the tower. I know that on the > laptop it is secure, there are no man in the middle attacks since I > control every device on the network (and I'm assuming that from my > router to the bank there is no MiM attack either, probably a safe > assumption).
Is it? Not if you are suitably paranoid. ;-) Just kidding, but see below. > But what about from the phone to the tower? Are all communications > between the phone and the tower encrypted? Supposedly. However, you cannot be sure that you are actually talking to your mobile service provider. It *is* possible to spoof a tower - there are portable devices, "IMSI catchers", that are even available to consumers, e.g., as signal boosters (at least abroad, not sure about Israel), see, e.g., http://www.theregister.co.uk/2011/07/14/vodafone_femtocell_hack/ http://www.theregister.co.uk/2011/08/09/femtocell_security_fail/ http://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/ (I was involved in a bit of a discussion with a friend a couple of days ago so I have the links handy - not that I follow the state of the art closely, mind you). I assume that the fact that with 2G the tower does not even need to authenticate against the handet is irrelevant, but note that even with 3G-4G spoofing is possible. This is relevant to your question about MITM between handset and tower n general, and it may be a privacy problem (e.g., someone may track your location and/or listen to your calls and/or read your texts), but it is likely to be IRRELEVANT for your banking - the traffic between your handset and the bank is hopefully encrypted independently of the cellular communication protocols, e.g, with SSL (after all, it's internet traffic). See below. > Are some devices and/or carriers more secure than others? Are some > bank's apps more secure than others? I have no idea. > How about just using the web interface from a browser? It's a question of TRUST, obviously. 2 IMHO relevant points follow. 1) You are certainly aware of the fact that things like SSL are based on a chain of trust rather than on true end-to-end security. It is entirely conceivable that a major communications provider may have a rather wide-ranging ability to sign certificates, and may present your handset with a certificate that the handset will trust, even though what looks like your bank's site is actually a proxy. This is not endemic to cellular communications, unless you regard your mobile service provider as more sinister or more influential (in terms of getting a wildcard certificate, e.g., for *.co.il) than your home ISP. It's for you to decide... 2) You also need to trust your handset's browser (or the banking app if you use one), the mobile OS, and all the other apps to be secure. My *intuitive* impression at the moment is that the security of, say, Android+apps (especially if you tend to install random apps) is not yet at par with the security of a properly maintained Linux system, but I may be wrong. Personally, I freak out whenever I see a stupid app demand complete network access as well as complete storage access even though in my mind it has no legitimate need for either, but that's just me. If you decide to trust all of the components mentioned as much as you trust everything between your home PC and your bank then I suppose you can feel safe. -- Oleg Goldshmidt | p...@goldshmidt.org _______________________________________________ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il