Friday, May 18, 2007

Public wifi vs 3G mobile broadband

Wireless sans wifi

In my last post, I pointed out that public wifi is too dangerous to use. Web/2.0 is fundamentally insecure around eavesdroppers. It allows hackers to break into your accounts and/or your computer.

One option is "mobile broadband", or "tethering" your computer to a 3G mobile phone's Internet connection. The speeds are competitive with public access points. It's a bit of security-through-obscurity, though. It's safer because robust hacking tools to eavesdrop and interact with 3G don't exist. However, since hackers haven't been testing it, 3G is likely no more secure than wifi was in the early days with WEP. Thus, it's not really a good long term security solution.

Anyway, I signed up for a 3G phone service with a Blackjack from Cingular. It's not going to be the first thing that hackers attack when I go to conferences, and it's actually a lot more convenient. I can hook-up/tether the Blackjack mobile phone to my computer, then surf the web from my computer like I was connected to a public wifi.

Setting up tethering was a bit of a pain. Even though this feature has been around for many years, phone companies don't really support it well. While going through the support process, I found some poorly (or not at all) documented features. Typing *#1234# is the secret code to get your version on the Blackjack, *#2222# is the secret code for getting the hardware revision, and pressing the "up" button on the nav-wheel while powering on will completely reset the device (wiping out your data).

I wanted to be able to tether with Bluetooth as well as USB, which was particularly problematic. I could only do so after removing the Toshiba Bluetooth stack and replacing it with Microsoft's Bluetooth stack on WinXP SP2. Then, following the instructions found on the Internet, I was able to get it to work. Tethering via Bluetooth is a bit slower than USB, and of course, a lot less safe. However, I lose cables quite often while traveling, so having that as an option is pretty important to me. Otherwise, I was going to buy a new computer with 3G like HSDPA or EVDO built in.

Speed is good. I suppose I should measure ping times and DSLtest reports, but I'm too lazy. All I want to know is that I can surf the web, pull up maps, read mail, and do my normal activity. It does this quite well. It seems that the latency is a bit higher, but the bandwidth is just as good. I'll have to wait until I get into crowded areas like airports to see how well it degrades as more people are using it. EDIT: Most importantly, the phone works while surfing (most other tethered phones cannot both receive a call and surf the web at the same time).

I'm exploring other options than just changing from wifi to 3G. A lot of Web/2.0 companies support SSL for full access, they just don't advertise it because they don't have enough crypto acceleration. You can often find the SSL option if you search enough. Another option that doesn't seem to be used much on the public Internet is automatically establishing an IPsec session between two machines: this is well supported in Windows, but it's never turned on. VPNing back to home, then surfing out from there is really a desperate measure: Web/2.0 should really be secure enough such that it's not necessary.

As a side note, Cingular wanted my SSN, and of course I didn't give it to them. I got the same reaction I usually get. It's usually an option to provide a deposit instead of an SSN, but they consider that so unreasonable they never tell me about it. They aren't hiding the option, they just assume that nobody would ever choose it. In the case of Cingular, when the sales guy told me that I had to give him my SSN, I said "ok, then I won't buy the service" and was walking out the door before I remembered to ask about the deposit. He was willing to let me go rather than suggest the option. I often wonder why customers think that paying a deposit is such an unreasonable alternative to disclosing your SSN. Does anybody know? Also: everyone in the cybersecurity community refuses to disclose their SSN, right?


Roland said...

Why mess around with tethering a phone when you can get an EVDO or HSDPA card or USB dongle? The phone would be useful in areas without EVDO (i.e., outside the US) or HSDPA, but as a backup, not as primary.

And why not simply set up your own VPN concentrator (commercial or open-source), or just tunnel everything through ssh, on/to a network under your control? That way, you avoid the problem of sniffing on the local access link, at least.

Landon Lewis said...

I think the problem with the broadband cellular service has been the insanely expensive equipment required to even look at it. A project started up a few months back that looks like it is now at THC. It appears that folks from the community are donating money to make a cheap scanner, so we will soon see some results. =)

Martin Roesch said...

Hey Robert, two options that may be worth looking at.

1) If you're on Cingular you can get an independent PCMCIA or ExpressCard HSDPA modem for your laptop. I've been using (unlocked) Novatel Wireless ones lately and they work well and have the added bonus that your phone still works when you're using it. Also frequently easier than tethering a phone...

2) If you just have to use the hotel 802.11 connection for whatever reason it's never a bad idea to have a server somewhere out on the net with an SSH listener that you can use as a SOCKS proxy. Tunnel through to that and you can keep your web 2.0 insecurities just down to client-sides and the like. :)

Robert Graham said...

I forgot to mention. I have a Dell X1. It does not have a PCMCIA/CardBus/ExpressCard slot, although it does have SDIO, CompactFlash, and USB slots. But I can't find a SD, CF, or USB 3G adapter.

I could change notebooks, such as the new generation that have built-in 3G, but I'm finicky about notebooks and don't like changing them often.

Lastly, my phone works while surfing. I should probably update the post to mention that.

Martin Roesch said...

Nova Media sells USB HSDPA modems, if you get a global roaming data service (Cingular has them although they're expensive) it's a pretty nice option. Of course, if you already have your phone working and the performance is good it's all moot anyway. :)

dre said...

I concur that you should be using 1xEVDO Rev A via USB. There is at least one card out there that fits the bill.

I don't understand how public WiFi is less safe than Bluetooth. If you are using SSHv2-only RSA or DSA keys for tunneling and have already pre-connected to the host (I prefer to do this on setup of the server over a cross-over cable), then it doesn't matter what wireless medium you travel over. Bluetooth drivers are probably also vulnerable in similar ways to WiFi. I wonder how well grsecurity or Vista prevent these types of driver attacks. Probably better than Mac OS X does.

I am using EVDO over BT with my laptop (Thinkpad) and pdaphone (Samsung i730) combination. But I use the web in safe ways (DieHard with multi-instance Firefox, NoScript, CookieSafe, LocalRodeo, PublicFox, Firekeeper, secure cookies over SSL - modified if I have to). I never allow more than one site to run Javascript at any time, and even then I close that browser instance both before and afterwards.

I plan on moving to USB EVDO Rev A once Rev A is available in my area. I don't consider it foolproof. Even GSM encryption can be downgraded to nothing if you have MITM. Right now saying HSDPA (or EVDO) is more secure than WiFi is simply a matter of security through obscurity. Neither is secure; I'd be interested to hear about any commercially-available wireless medium that is any more secure than any other. I can think of at least one that might stand some scrutiny: the Secure OLSR plugin.

@landon: I wasn't aware of the THC GSM Scanning project, but I used to play a lot with software defined radio (SDR/gnuradio) and GSM. These projects just prove that you don't need expensive equipment to sniff GSM, EDGE, etc. Hello, Apple iPhones.
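As an added example (not part of the original post or of any comment): the post's point that many sites offer an SSL option, and the comment above about forcing secure cookies over SSL, both come down to whether the session cookie can ever travel in the clear. The Python sketch below audits `Set-Cookie` headers for session cookies missing the `Secure` attribute; the sample headers, the `example.test` domain and the name hints are constructed assumptions.

```python
# Constructed sample: Set-Cookie header values as a site might return them
# from its HTTPS login page. All names and values are invented.
SAMPLE_SET_COOKIE = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "auth_token=deadbeef; Path=/; Domain=.example.test",
    "prefs=lang%3Den; Path=/; Expires=Wed, 18 May 2011 00:00:00 GMT",
    "sid=xyz; Path=/; secure",
    "login_sid=1; Path=/; HttpOnly",
]

# Assumption: substrings that suggest a cookie carries login state.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def looks_like_session(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit(headers):
    """Return (cookie name, scope) for session cookies lacking Secure.

    Without Secure the browser also attaches the cookie to plain-HTTP
    requests, so logging in over SSL does not keep it off a shared link.
    HttpOnly only hides the cookie from page scripts; it does not change
    what is sent on the wire.
    """
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if looks_like_session(name) and "secure" not in attrs:
            findings.append((name, attrs.get("domain") or "host-only"))
    return findings


if __name__ == "__main__":
    for name, scope in audit(SAMPLE_SET_COOKIE):
        print(f"{name}: sent over plain HTTP too (scope: {scope})")
```
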

Roland said...

Sprint offer the Novatel Ovation 720 USB dongle - works quite well.

Wade said...

I believe that it's not just security-through-obscurity for WCDMA.

Authentication Center (AUC) is used in WCDMA for data ciphering. This has a 5 set vector used to generate a key for each subscriber.

Communications between the handset (UE) and network elements (e.g., SGSN and MSC) are encrypted over the radio path for both voice and data using this AUC. Data integrity also exists on this path for MITM and replay.

This functionality also exists in GSM network.


ben said...

If you tether in order to avoid unsecure wifi, please make sure your phone is not using the same unsecure wifi. Recently I was surprised at my speed test results while in Sprint's 4g coverage area, comparing to 3g. While in 3g, the phone was using its wifi connection instead of EVDO, so it was acting as a simple wifi modem card, not as an EVDO modem. Had to expressly turn phone's wifi off.