How to secure Software Defined Radios
From: John Gilmore 9/14/02 
This 121-page report on "How to secure Software Defined Radios", written to help the FCC decide how to handle software radios, is very slanted toward monopoly-industry viewpoints.
The whole focus is on giving the system operator lots of flexibility to do whatever they want, while giving customers, experimenters, competitors, and citizens zero flexibility or opportunity.
They managed to suppress the few pages of actual information about the paucity of any actual threat to public safety (see last paragraph of this review).
The document reminds me of those eco-terror reports about how the world is falling to shit (whether it really is or not). On the page numbered 14 at the bottom (page 21 in the PDF -- I wish Adobe could get this straight), it says:
The impending widespread use of software changes, whether to add or improve user services or to reconfigure RF parameters of a wireless device, presents substantial new challenges to manufacturers and operators, particularly in the face of a youthful "digital generation"...
Having a whole generation of young people grow up full of knowledge about engineering, computers, and networking is a wonderful advance in the state of humanity. The authors of the paper apparently see it as a drawback, since they depend on their customers being ignorant.
The report pays little attention to the huge opportunities offered by separating the development of hardware from the development of software. If you look at the history of computers, the people who built great hardware tended to suck at software. The people who built great communications hardware built the worst networking software.
IBM mainframes are the most obvious example in computers. Not only the PC, but the 1970's minicomputer and the 1980's engineering workstation were great examples of how open hardware could allow software innovation to flourish.
Welded-shut systems tend to be terrible, compared to the innovation and cost reduction available in systems where one vendor supplies hardware, another supplies more plug-in hardware, and four or five more supply various bits of software (the OS, the applications, custom scripting, etc). The Bell System telephone is the obvious example of a welded-shut system that it took a 1950's FCC decision to open (the Carterfone decision), unleashing vendors to supply *modems* which permitted *data* traffic which permitted *computer-mediated communication* and eventual *networking*, eventually creating the public *internet* about forty years later. The US got a head start in creating the Internet because of the Carterfone decision and subsequent decisions on access to leased lines, while almost every other country's telephones were still run by a monopoly PTT whose interest was in preventing competing forms of communication.
Today's cellphones and Cable TV systems are similarly welded shut, resulting in endless lock-in that profits the vendors while beggaring the society; they provide only the minimal amount of innovation that keeps the vendors alive. (As a small example, there's still no decent mobile data networking; the one company that temporarily provided it, Metricom, grew out of the ham radio fraternity rather than the cellphone companies.)
The report's focus on "Wireless Threats" is obsessive about threats to their revenue models or to their "systems" or their control. For example, a software modification that would permit cellphones to talk directly to each other when in range of each other, without the use of a base station or its network, would be considered a threat to the integrity of the system ("unauthorized access to services"). However, it would be considered a positive feature by end users, who would be happy to pay third parties to write such software; it would serve more total users by reusing the spectrum locally; etc.
A really useful SDR communication device would have a jack that would take either an Ethernet or a phone line; if neither was plugged in, it would look for 802.11 local connectivity, or Metricom wide-area connectivity, or its own networking protocol if any similar station was in range, or failing that, would be able to use a terrible and expensive cellular data or voice network. All of this would be transparent to the user. None of the vendors who authored this report would ever build such a device, because the majority of the time it would not force users to pay them by the minute. And user or competitor attempts to reprogram existing devices to do this, or any part of it, would be warded off as "attacks" by "malicious hackers".
The report is followed by the individual company reports that were submitted to it. They make interesting if duplicative reading, since they reveal that the whole SDR Forum report just seems to be a stitching-together of the most self-serving parts of the documents submitted by various companies.
Wow! There's even an Appendix H (PDF page 100) that is a verbatim copy of a Digital Restrictions Management report from the Copy Protection Technical Working Group, which talks about how "Securing adequate protection for copyrighted works in the digital environment will allow development of viable business models. Viable business models will in turn help drive adoption of broadband ... and expanded consumer choices ..." Of course, it's full of horses--t; DRM is all about preventing UN-VIABLE monopoly business models from going extinct when they have been obsoleted by technology. This is even the report that talks about how the "broadcast flag" will save digital broadcasts that happen "in the clear". It's particularly incongruous in a report full of glowing public-key crypto recommendations.
PDF page 102 is a great overview of some companies that deserve cypherpunk scrutiny. E.g. "Signum Technology" provides iPak that lets you print packaging labels with "sophisticated invisible watermarking that allows incorporation of hidden identifying data" which can be revealed "in a matter of seconds" with "an inexpensive scanning device".
The report in general also follows the "academic paper" model of security: See, we're using public key algorithms. Therefore our systems will be secure. The impact of bugs, protocol design failures, social engineering, breach of trust, undersized keys, revelation or government appropriation of private keys, etc, are all ignored.
radio network satellite securing wireless networks radio phone service
On page 8 (PDF 15) it mischaracterizes the problems with 802.11 and WEP. First, it leads off with Adam Stubblefield's break of WEP -- failing to start with the 30-year history of trivial-to-crack wireless network protocols that were built under the guidance of the FCC and with active help and legal threats by the National Security Agency. WEP uses 40-bit keys because they were the largest available in exportable products until EFF's lawsuit cracked the unconstitutional export controls. Securing wireless networks has always been a second priority to making it trivial for the government to illegally wiretap them. This tension isn't going to go away.
Second, its 802.11 discussion directly lies that the popular practice of recreational listening for open wireless networks results from the ability to crack WEP-secured networks -- rather than the public's tendency to leave 802.11 networks unsecured because the industry and the vendors only provided painful hand-configured ways to secure them. I know of no "wardriving" that seeks and cracks WEP-secured nets; it's all merely probes for networks that people have left open, either by default or by intent. (The idea that someone would intentionally PERMIT the nearby public to freely use their wireless network infrastructure is apparently heresy to the authors of the report.)
The report also looks approvingly on digital-restrictions-management systems (DRM) as the solution. E.g. no SDR will be able to run code unless it has been digitally certified by the vendor. Like every other restrictions-management system, this will be deliberately used to cement established monopolies and prevent innovation. It even rates part of the "threat model" consequences as "Digital Rights Violation" -- defined not as a violation of the user's rights or privacy, but as "unauthorized access to, or theft of, digital content and software".
The report's focus is also inappropriately largely focused on "cellphones". It reminds me of a Motorola emp who told me in the early '90s "car phone" era that offering wireless data networking would be irresponsible because "you should keep your eyes on the road", implying that (1) only people in cars would want wireless data networking, and (2) they would use it while driving. This tunnel vision mindset doesn't enable the authors to notice that everything from car alarms to shipping crates to pets to ballpoint pens to automotive light bulbs already today, or soon will, come with data networking built in. Software-defined radios will be broadly useful throughout society, not just for "cellphones" but for ****everything****. So if the "SDR Forum" or the FCC denies society the benefits of rapid innovation, they won't just be denying it to cellphone users, but to auto owners, package shippers, pet owners, doctors, writers, lightbulb users, and everyone else.
Page 23 (PDF 30) jocularly reports that "Eavesdropping on user data (Breach of security, public safety has some experience in this scenario)". I think they meant that they have some experience being intercepted, but of course "public safety" agencies systematically intercept private citizen communications. The report goes on to suggest that:
Sophisticated encryption techniques should be made available to public safety users of SDR technology. AES voice encryption and 128-bit data encryption should be considered minimum standards for public safety SDR devices. Devices can be lost or stolen and, therefore, must be capable of remote revocation of service.
One would hate for the *citizens* to get access to AES voice encryption or 128-bit data encryption, therefore we had better only give those devices to cops, and "remotely revoke" them if they leak outside the Government Trust Barrier to ordinary untrustworthy voters or citizens.
Page 25 (PDF 32) lauds the "Trusted Computing Platform Alliance", Intel's fXXk-the-customers-for-Hollywood initiative, as being a model for SDR companies to follow. As usual, they completely obscure the critical question, which is "Who trusts who?". Their "Trusted" systems are trusted by monopolists to not be susceptible to unauthorized competition. This word game deceives people who foolishly think they're trying to build "systems the consumer can trust".
Page 29 (PDF 36) even pushes the "NTRUEncrypt" snake oil encryption system.
Page 30 and 31 (PDF 37 and 38) discuss GSM security, without bothering to mention that they kept their snake oil algorithm secret for years so that consumers would not find out how insecure it was. It bleats that the "Security Group has realized two important initiatives over the past 12 months": introducing AS/3 to replace the faulty algorithms, and a protocol for "authenticated key agreement", AKA. Until I hear differently, I'll assume that these are both more proprietary snake oil.
On page 34 (PDF 41) their prime example of how "public safety" users need priority and reliability is "best illustrated by the SWAT team commander notifying the sniper with the 'shoot' or 'don't shoot' command". Given the number of SWAT teams deployed against innocent civilian drug users, such as the raid on terminal cancer patients made in Santa Cruz last week by just such a machine-gun-toting SWAT team, this is an insulting example. Cops need good communication to know whether they've been ordered by a corrupt higher official to shoot a citizen from concealment. I see.
Page 40 (47) goes so far astray as to say:
"As a multitude of products and services still uses proprietary solutions there is no advantage to using secure standards which only give extra security if everyone else offers them."
The next page points up the monopoly control problem in wireless cellular networks as a positive feature:
5.2.2 Asymmetry of Information
Unlike the general IT situation where there is varying levels of control over client devices attached to a network; from closely controlled private networks, to no control of devices connected to the internet; commercial handsets must be qualified to operate on an operators network before they are allowed to connect. Therefore operators have complete control over the capabilities of devices they allow to connect to their network. As such there is no asymmetry of information in the case of handsets deployed on an operators network. The report then concludes without saying much more than these terrible things.
But then come a bunch of interesting submissions from various companies. Intel's reveals the source of the TCPA paragraphs (copied directly from Intel propaganda). It again skips over the REASON why 802.11 is insecure, and fails to mention the real cure (standardized mass-market end-to-end encryption, which is politically disfavored since it discourages wiretapping).
The paper from the "Mobile Virtual Center of Excellence" in the UK at least makes explicit the authoritarian model that's implicit throughout the rest of the document (PDF page 64):
Domains and regulatory bodies. We suppose that the world is divided into an number of administrative domains, which may correspond to single nations (e.g. the USA), or groups of nations (e.g. the EU). In some cases, it may also be the case that nations are sub-divided into separate domains. Each domain is assumed to have a single regulatory body, responsible for deciding which software is permitted to be downloaded and executed in SDR platforms.
Which software citizens will be permitted to download or execute. What a fascist concept.
The MVCE proceeds on page PDF 71 to say, "Also, issues relating to Digital Rights Management (DRM) may arise, i.e. where the SV restricts use of code modules to enforce payment for these modules."
Motorola's submission (PDF pg 74) seemingly ignores Kevin Mitnick's penetration of North Carolina cell site software, well documented in several books, when it says:
The data links which connect the OMC to the cell sites are private data networks controlled by the network operators, and offer no entry point for remote hackers. Furthermore, there is no internet or other publicly accessible external data connection into the OMC. The inherent security of base station equipment is demonstrated by the fact that second generation (2G) commercial base stations are remotely programmable, and have been operating in high volume for over ten years without any significant security issues. The focus of this report, therefore, will be on security issues surrounding commercial handsets.
Sorry, Kev, you were insignificant. The Moto document also has a 5-page slideshow tutorial on encryption, for the braindead who have nevertheless managed to read that far. (PDF 77)
The Moto document is the source of the "Security Threat Model" that included that "Digital Rights Violation" example above, and "Example Threat Scenarios" that are almost uniformly "hacker", "black market", "unethical", or "disreputable" parties modifying the system. (In one example, an "inadvertent" bug does not bring the repute or ethics of the creator into question, presumably since Motorola would be the originator of the bug.) There's no example of beneficial improvements made by third parties; of experimentation by scientists or university students; of innovation by competitors. The system is designed to block all those things.
Motorola's document surprisingly honestly says that security systems should be designed to work even when the entire design is known to opponents (page PDF 83). But then on page PDF 89 it argues for snake oil, which has served the wireless industry so well in the past:
Finally, it should be stressed that the very nature of the security challenge is that the "threat" is ever changing. Malicious hackers make it their business to try and decode the security systems designed to thwart their unscrupulous efforts. Therefore, regulatory mandate of specific security methods would be counterproductive. To do so would provide a blue print for the malicious hacker, and would impede the industry's responsiveness to an ever-changing security landscape.
Clearly, anyone who might want to put software of their own choice onto the equipment they have purchased is "malicious" and "unscrupulous" rather than "an honest competitor" or "a customer". And we can't have the laws merely say what is required, or that would provide a "blue print" for people who want to do something else.
The only really sane part of the Motorola document is the page and a half at PDF 86, which says how tiny the "SDR security threat" really is. Basically it says that people who design mobile radio gear are operating in a very tight design space and aren't going to put in a whole lot of expensive flexibility that would allow operation in multiple frequency bands, massive increases in output power, etc. I.e. the whole inquiry is basically a sham. This sensible part of the language never made it into the final report of the SDR Forum, though. Typical.