The Wireless Industry News Portal

The FCC to ask wireless carriers to improve their network reliability

September 28, 2013

The FCC late yesterday issued a Notice of Proposed Rule Making (NPRM) which aims to improve wireless network reliability during disasters by requiring wireless service providers to publicly disclose the percentage of cell sites within their networks that are operational during and immediately after disasters.

The FCC argues that such a mandate would drive wireless carriers to improve their network reliability as a matter of competition.

For now, the FCC is seeking public comment on this proposal and other approaches. Acknowledging that some wireless service disruptions may be unavoidable during emergencies, the FCC also noted that the impact tends to vary among wireless service providers.

Case in point: last October, Superstorm Sandy disabled approximately 25 percent of all cell sites in the affected region, with more than 50 percent of sites disabled in the hardest-hit counties, yet not all wireless networks were equally impaired.

The FCC suggests that the operational choices and practices of different wireless service providers may account for much of this variation. The agency is asking for comment on whether the NPRM’s proposed disclosure requirement, by holding wireless providers publicly accountable, could spur improvements to network resiliency while allowing providers flexibility in implementing these improvements.

The proposal would require wireless carriers to submit to the FCC, for public disclosure on a daily basis during and immediately after disasters, the percentage of operational cell sites for each county within a designated disaster area.

Information yielding these percentages is already included in voluntary reports that wireless service providers submit to the FCC daily during disasters, albeit on a presumptively confidential basis and as part of a larger set of data.

In July, CTIA submitted an ex parte filing with the FCC that urged the commission to defer an NPRM on mandatory disaster reliability reporting.

The CTIA said that it was concerned that the proposed rules under consideration were similar to recommendations submitted to the FCC earlier this year by Consumers Union (CU).

Those rules suggest that wireless carriers report, and the Commission publicly disclose, the percentage of cell sites out of service in a particular county during an event classified as a disaster by the FCC.

CTIA argued that CU’s proposed metric didn't provide an accurate picture of a network's true condition and such information would not be of value to consumers.

"As many providers’ cellular sites are configured with overlapping coverage for the most part, the proposed metric risks overstating the degree to which cell site outages adversely affect service availability," CTIA wrote in the filing.

"Ongoing and future deployments of “small cell” and Distributed Antenna System configurations that underlay existing coverage would exacerbate that risk even further," it added.

In other mobile news

Karsten Nohl, the internet security researcher who hacked into SIM cards with a single text message, has told us he is dismayed by the mobile industry's lukewarm response to his revelations, and has revealed exactly how he managed to pull it off.

Nohl believed that by exposing the security flaws in SIM cards, the issue would force wireless network providers to fix them.

Theoretically at least, the two security flaws would have worked in tandem to intercept calls and threaten the security of wireless NFC applications such as pay-by-wave and other contactless payment apps.

Nohl claims that the more serious of the two flaws has been deliberately ignored by a wireless industry that allegedly wants to keep the backdoor open so that it can silently roll out software updates to handsets, a gaping access hole that may not be closed until it's too late.

Nohl also discovered that he could infiltrate SIM cards by sending specially formatted SMS messages, and discovered another flaw that would enable him to break out from the cards' inbuilt security sandbox.

Yet he was astonished to discover that despite publicly announcing security patches and giving every impression of caring, the wireless industry had actually done nothing to fix the problems.

"We thought our story was one of white-hat hacking preventing criminal activities," Nohl said, lamenting that "as there is no crime, so no investigation". Despite CNN reporting that his own flaw had been used to distribute a fix, Nohl told us that the JavaCard bug was here to stay and was so obvious that it has to be a backdoor, gross negligence, or both.

Nohl's first security exploit, enabling an attacker to install an application in the secure storage area of a SIM card, has been examined in these pages before, but that only represents a threat if the injected software can break out of the JavaCard sandbox.

Nohl then claimed that it was possible, but until now he hasn't explained exactly how. To be clear, JavaCard is an operating system of sorts, sharing only a name and some syntax with the Java language. JavaCard licensees get a reference implementation from Oracle and then add their own secret source code to differentiate their products, so not all manufacturers' SIMs had this flaw – but many did, Nohl was quick to point out.

Even in the version used by JavaCard, Java is supposed to be memory safe, in that there are no pointers with which one can read, or write to, arbitrary locations in memory.

Cardlets (as JavaCard apps are known) can only reference data structures they create themselves, and there's no mechanism for inter-cardlet communications.

What Nohl discovered was that by referencing a variable which referenced a variable which referenced an array he could bypass the bounds check that JavaCard is supposed to perform.

Create an array of 10 elements, reference it from a distance and address the eleventh location, and secured memory is yours to explore – and rewrite – as you wish. The whole process is a lot easier than most people think.

Nohl says he warned Gemalto, the world's largest SIM card manufacturer – which is among those SIM-makers whose cards exhibit the security flaw – about the existence of the bug. Gemalto told him that it didn't matter – only signed applications could be run so their ability to breach the sandbox was irrelevant.

But the researcher points out that in 2010 Gemalto was able to upgrade bank cards in the field after a calendar bug broke millions of German cards. Bank cards are not designed to be upgraded after being issued, and Nohl contends that a similar flaw was exploited then.

We put both of Nohl's allegations to Gemalto, but it had not responded at the time of publication. It's the combination of SMS exploit (to gain the application key) and JavaCard flaw (to break out of the sandbox) that makes the situation concerning, along with Nohl's contention that network operators have become overly reliant on the GSM standard and are losing the skills necessary to secure their systems.

"Smaller networks don't even know what the SIM cards are configured to do," he told us. He claimed that in the U.S., network operator Sprint isn't authenticating or encrypting SIM updates at all, and that both Vodafone and Telefonica are still issuing SIM cards with insufficiently secure 56-bit DES cryptography.

We've asked Vodafone and Telefonica about Nohl's claims, but had only received a response from Vodafone U.K. by the time of publication: the telco said that strong encryption has been mandated for many, many years.

This is still quite an obscure attack, requiring a hacker familiar with the memory layout (the soft mask) of the SIM, and one prepared to send the multiple SMS messages necessary to crack the software update key. For the moment, the effort probably outweighs the payoff, but that will change as SIMs increasingly host banking and loyalty apps, as well as popular social networking services like Facebook Chat, making them a more attractive hacker target.

As Nohl puts it: "Skills are underdeveloped because the crimes are underdeveloped. Crime is even more convincing than anything." We think he has a point there.

Until there's a serious crime committed using this security flaw, the vulnerabilities in our SIM cards will probably remain and continue to lurk in the background for a while.

In other mobile news

Apple said earlier this morning that it has sold no fewer than 9 million iPhone 5S and iPhone 5C models since they went on sale Friday, a new record opening weekend for the extremely popular iconic device. That's nearly double the five million iPhones that the company sold during the first three days that the iPhone 5 was on sale last year, and sales were well above Wall Street analysts' expectations.

Apple stock jumped over 6 percent as a result Monday morning at the opening of the markets. However, this year's stellar opening weekend for Apple comes with two sizable caveats: Apple included China in the iPhone 5S and 5C launches. In 2012, China didn't get the new iPhone 5 until December.

Apple also launched two new iPhones this year, heavily marketing the colorful iPhone 5C. Last year, Apple only unveiled one new kind of iPhone.

The iPhone 5S, which comes in gold, silver or space gray, is available in the United States for a suggested retail price of between $199 and $399.

The iPhone 5C, which comes in blue, green, pink, yellow and white, is available for between $99 and $199. Still, the news was very good for a company that has been living under a microscope lately, scrutinized for launching new devices with only incremental updates.

Apple said this weekend's heavy demand caused it to exhaust its initial supply of the iPhone 5S. As a result, Apple said it expects its quarterly sales to come in at the high end of its estimated range of $34 billion to $37 billion.

The company also said it expects gross profit margins will be on the higher end of its guidance. The new flagship iPhone 5S is similar in design to last year's iPhone 5, but it's twice as fast thanks to Apple's powerful A7 chip.

It also has a beefed-up camera that includes slow-motion video and a camera burst mode that shoots up to ten frames per second.

For its part, the iPhone 5C features a polycarbonate shell, instead of the glass-and-aluminum body of the previous iPhone 5S.

The company also said more than 200 million Apple devices are now running the completely redesigned iOS 7 operating system which comes preloaded on the new iPhone, making it the fastest software upgrade in the company's history.

Source: The FCC.

Copyright © Wireless Industry News. All rights reserved.