September 28, 2013
The FCC late yesterday issued a Notice of Proposed Rule Making (NPRM) which aims to improve wireless network reliability during
disasters by requiring wireless service providers to publicly disclose the percentage of cell sites within their networks that are
operational during and immediately after disasters.
The FCC argues that such a mandate would drive wireless carriers to improve their network reliability as a matter of competition.
For now, the FCC is seeking public comment on this proposal and other approaches. Acknowledging that some wireless service disruptions
may be unavoidable during emergencies, the FCC also noted that the impact tends to vary among wireless service providers.
Case in point-- last October, Superstorm Sandy disabled approximately 25 percent of all cell sites in the affected region, with
more than 50 percent of sites disabled in the hardest-hit counties, yet not all wireless networks were equally impaired.
The FCC suggests that the operational choices and practices of different wireless service providers may account for much of this
variation. The agency is asking for comment on whether the NPRM’s proposed disclosure requirement, by holding wireless providers publicly
accountable, could spur improvements to network resiliency while allowing providers flexibility in implementing these improvements.
The proposal would require wireless carriers to submit to the FCC, for public disclosure on a daily basis during and immediately
after disasters, the percentage of operational cell sites for each county within a designated disaster area.
Information yielding these percentages is already included in voluntary reports that wireless service providers submit to the
FCC daily during disasters, albeit on a presumptively confidential basis and as part of a larger set of data.
In July, CTIA submitted an ex parte filing with the FCC that urged the commission to defer an NPRM on mandatory disaster reliability
The CTIA said that it was concerned that the proposed rules under consideration were similar to recommendations submitted to
the FCC earlier this year by Consumers Union (CU).
Those rules suggest that wireless carriers report, and the Commission publicly disclose, the percentage of cell sites out of service
in a particular county during an event classified as a disaster by the FCC.
CTIA argued that CU’s proposed metric didn't provide an accurate picture of a network's true condition and such information would
not be of value to consumers.
"As many providers’ cellular sites are configured with overlapping coverage for the most part, the proposed metric risks overstating
the degree to which cell site outages adversely affect service availability," CTIA wrote in the filing.
"Ongoing and future deployments of “small cell” and Distributed Antenna System configurations that underlay existing coverage
would exacerbate that risk even further," it added.
In other mobile news
Karsten Nohl, the internet security researcher who hacked into SIM cards with a single text message, has told us he is dismayed
by the mobile industry's lukewarm response to his revelations, and has revealed exactly how he managed to pull it off.
Nohl believed that by exposing the security flaws in SIM cards, the issue would force wireless network providers to fix them.
Theoretically at least, the two security flaws would have worked in tandem to intercept calls and threaten the security of wireless
NFC applications such as pay-by-wave and other contactless payment apps.
Nohl claims that the more serious of the two flaws has been deliberately ignored by a wireless industry that allegedly wants to keep the
backdoor open so that it can silently roll out software updates to handsets-- a gaping access hole that may not be closed until it's too
Nohl also discovered that he could infiltrate SIM cards by sending specially formatted SMS messages, and discovered another flaw
that would enable him to break out from the cards' inbuilt security sandbox.
Yet he was astonished to discover that despite publicly announcing security patches and giving every impression of caring, the
wireless industry had actually done nothing to fix the problems.
"We thought our story was one of white-hat hacking preventing criminal activities," Nohl said, lamenting that "as there is no crime, so
no investigation". Despite CNN reporting that his own flaw had been used to distribute a fix, Nohl told us that the JavaCard bug was
here to stay and was so obvious that it has to be a backdoor, gross negligence, or both.
Nohl's first security exploit, enabling an attacker to install an application in the secure storage area of a SIM card, has been
examined in these pages before, but that only represents a threat if the injected software can break out of the JavaCard sandbox.
Nohl then claimed that it was possible, but until now he hasn't explained exactly how. To be clear, JavaCard is an operating system of sorts,
sharing only a name and some syntax with the Java language. JavaCard licensees get a reference implementation from Oracle and then
add their own secret source code to differentiate their products, so not all manufacturers' SIMs had this flaw – but many did, Nohl
was quick to point out.
Even in the version used by JavaCard, Java is supposed to be memory safe, in that there are no pointers with which one can read from, or
write to, arbitrary locations in memory.
Cardlets (as JavaCard apps are known) can only reference data structures they create themselves, and there's no mechanism for inter-cardlet
What Nohl discovered was that by referencing a variable which referenced a variable which referenced an array he could bypass the
bounds check that JavaCard is supposed to perform.
Create an array of 10 elements, reference it from a distance and address the eleventh location, and secured memory is yours to
explore – and rewrite – as you wish. The whole process is a lot easier than most people think.
Nohl says he warned Gemalto, the world's largest SIM card manufacturer – which is among those SIM-makers whose cards exhibit
the security flaw – about the existence of the bug. Gemalto told him that it didn't matter – only signed applications could be run
so their ability to breach the sandbox was irrelevant.
But the researcher points out that in 2010 Gemalto was able to upgrade bank cards in the field after a calendar bug broke millions
of German cards. Bank cards are not designed to be upgraded after being issued, and Nohl contends that a similar flaw was exploited
We put both of Nohl's allegations to Gemalto, but it had not responded at the time of publication. It's the combination of SMS exploit
(to gain the application key) and JavaCard flaw (to break out of the sandbox) that makes the situation concerning, along with Nohl's
contention that network operators have become overly reliant on the GSM standard and are losing the skills necessary to secure their
"Smaller networks don't even know what the SIM cards are configured to do," he told us. He claimed that in the U.S., network operator Sprint
isn't authenticating or encrypting SIM updates at all, and that both Vodafone and Telefonica are still issuing SIM cards with the insufficiently
secure 56-bit DES cryptography.
We've asked Voda and Telefonica about Nohl's claims, but only had a response from Vodafone U.K. by the time of publication-- the telco
said that strong encryption has been mandated for many, many years.
This is still quite an obscure attack, requiring a hacker familiar with the memory layout (the soft mask) of the SIM, and one prepared
to send the multiple SMS messages necessary to crack the software update key. For the moment, the effort probably outweighs the payoff,
but that will change as SIMs increasingly host banking and loyalty apps, as well as popular social networking services like Facebook Chat, making
them a more attractive hacker target.
As Nohl puts it-- "Skills are underdeveloped because the crimes are underdeveloped. Crime is even more convincing than anything." We think he has a
Until there's a serious crime committed using this security flaw, the vulnerabilities in our SIM cards will probably remain and continue
to lurk in the background for a while.
In other mobile news
Apple said earlier this morning that it has sold no fewer than 9 million iPhone 5S and iPhone 5C models since they went on sale
Friday-- a new record opening weekend for the extremely popular iconic device. That's nearly double the five million iPhones that
the company sold during the first three days that the iPhone 5 was on sale last year, and sales were well above Wall Street analysts'
Apple stock jumped over 6 percent as a result Monday morning at the opening of the markets. However, this year's stellar opening weekend
for Apple comes with two sizable caveats-- Apple included China in the iPhone 5S and 5C launches. In 2012, China didn't get the new iPhone 5 until
Apple also launched two new iPhones this year, heavily marketing the colorful iPhone 5C. Last year, Apple only unveiled one new
kind of iPhone.
The iPhone 5S, which comes in gold, silver or space gray, is available in the United States for a suggested retail price of between
$199 and $399.
The iPhone 5C, which comes in blue, green, pink, yellow and white, is available for between $99 and $199. Still, the news was very
good for a company that has been living under a microscope lately, scrutinized for launching new devices with only incremental updates.
Apple said this weekend's heavy demand caused it to exhaust its initial supply of the iPhone 5S. As a result, Apple said it expects
its quarterly sales to come in at the high end of its estimated range of $34 billion to $37 billion.
The company also said it expects gross profit margins will be on the higher end of its guidance. The new flagship iPhone 5S is similar
in design to last year's iPhone 5, but it's twice as fast thanks to Apple's powerful A7 chip.
It also has a beefed-up camera that includes slow-motion video and a camera burst mode that shoots up to ten frames per second.
For its part, the iPhone 5C features a polycarbonate shell, instead of the glass-and-aluminum body of the previous iPhone 5S.
The company also said more than 200 million Apple devices are now running the completely redesigned iOS 7 operating system which
comes preloaded on the new iPhone, making it the fastest software upgrade in the company's history.
Source: The FCC.
This article was featured on Business 5.0 and on
Copyright © Wireless Industry News. All rights reserved.