unity-api-bugs team mailing list archive

Thread
Date

[Bug 1412444] Re: need to indicate when the cellular network connection is not encrypted

To: unity-api-bugs@xxxxxxxxxxxxxxxxxxx
From: Matthew Paul Thomas <mpt@xxxxxxxxxxxxx>
Date: Tue, 20 Jan 2015 10:29:28 -0000
Reply-to: Bug 1412444 <1412444@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

TS 100 920: http://www.etsi.org/deliver/etsi_ts/100900_100999/100920/08.00.01_60/ts_100920v080001p.pdf
GSM 02.07: http://www.etsi.org/deliver/etsi_gts/02/0207/05.00.00_60/gsmts_0207v050000p.pdf

As usual, "need" in the summary indicates that the problem is under-specified. What is the threat model here? Are we trying to protect users against interceptor cell towers? Are we trying to protect against anything else?
<http://www.popsci.com/article/technology/mysterious-phony-cell-towers-could-be-intercepting-your-calls>

Assuming that interceptors are the only relevant threat:

1. What is the Type I error: About what percentage of voice calls or
data connections, going through interceptors, are nevertheless
encrypted? (This might be unknowable, but if it is known it would be
useful.)

2. What is the Type II error: About what percentage of voice calls or
data connections, going through legitimate cell towers, are unencrypted?
(If the answer is depressingly high, it may be useful to compare with
the gradual effort by Chrome to warn about unencrypted HTTP.
<http://www.chromium.org/Home/chromium-security/marking-http-as-non-
secure>)

3. Why would anyone use Signal or Telegram instead of relying on this
encryption?

4. Which, if any, of the seven encryption algorithms are worthwhile? Are
any of them so weak that it would be misleading to mark them as secure?
(If so, we might present them as insecure, as with SHA-1 in HTTPS.
<http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-
sunsetting-sha-1.html>)

** Changed in: ubuntu-ux
Assignee: (unassigned) => Matthew Paul Thomas (mpt)

--
You received this bug notification because you are a member of Unity API
bugs, which is subscribed to Network Menu.
https://bugs.launchpad.net/bugs/1412444

Title:
need to indicate when the cellular network connection is not encrypted

Status in the base for Ubuntu mobile products:
New
Status in Network Menu:
New
Status in Ubuntu UX bugs:
New
Status in ofono package in Ubuntu:
New

Bug description:
From TS 100 920 - V8.1.0:

3.3.3 Functional Requirements:

"""
The ME has to check if the user data confidentiality is switched on using one of the seven algorithms. In the event that
the ME detects that this is not the case, or ceases to be the case (e.g. during handover), then an indication is given to the
user.

This ciphering indicator feature may be disabled by the SIM (see GSM
11.11).

In case the SIM does not support the feature that disables the ciphering indicator, then the ciphering indicator feature in
the ME shall be enabled by default.
"""

My understanding of this is that we should at least show a warning
icon and maybe explanatory text inside the i-network and maybe
relevant apps like phone-app and messaging-app that the cellular
communication channel is not encrypted. Without encryption anyone with
sufficient equipment can eavesdrop the voice and data communication
between the cell tower and users phone.

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1412444/+subscriptions

References

[Bug 1412444] [NEW] need to indicate when the cellular network connection is not encrypted
From: Antti Kaijanmäki, 2015-01-19