Kazakhstan pauses interception of encrypted traffic, but for how long? - Advox
Posted: 30 Aug 2019 07:01 AM PDT

The Kazakh authorities have backtracked on their latest intervention in cyberspace — for now. Photo: Maxim Edwards

In late July, mobile network providers in Kazakhstan started sending out SMS messages demanding that their clients install a "national security certificate" on all personal digital devices with internet access. These messages claimed that the certificate would protect citizens from cyberattacks. They also assured users who did not install the application that they would encounter problems accessing certain websites (particularly those with HTTPS encryption).

This news came one and a half months after Kazakhstan's government blocked access to internet and streaming services on June 9, when the country held presidential elections. The victory of Kassym-Zhomart Tokayev, the intended successor to Elbasy ("Leader of the Nation" in Kazakh) Nursultan Nazarbayev, came amid mass protests calling for fair elections. Meanwhile, an internet blackout prevented protesters from coordinating their actions, helping police to arrest them.

These moves led some observers to fear the beginning of a wider crackdown on digital rights in Kazakhstan. So while Tokayev called off the introduction of the controversial "national security certificates" on August 6, there are grounds to doubt that this will be the government's last attempt to intrude on cyberspace.

Fear and suspicion on social media

"In the first days [after receiving the SMS messages] we faced lots of panic. People were afraid that they would indeed be deprived of access to certain websites without installing the security certificate," Gulmira Birzhanova, a lawyer at the North Kazakhstan Legal Media Centre, an NGO based in the capital Nur-Sultan, told GV.

However, few users rushed to obey the SMS messages. "I didn't install [the application].
I don't even know if any of my acquaintances did," added Birzhanova.

Nevertheless, the demands to install an unknown security tool caused a wave of distrust and outrage on social media. Yelena Shvetsova, a civic activist and executive director of Erkindik Kanaty (an NGO whose name translates as "Wings of Freedom") described the measure as a government attempt to access personal information. "I am sure that interception of our correspondence and total access to our phones will follow. And then arrests and prosecutions!" she wrote on Facebook.

An SMS from mobile service provider Kcell shared by Irina Sevostyanova on Facebook, demanding that she install the "digital security certificate."

Irina Sevostyanova, a journalist based in Nur-Sultan, called the national security certificate a "big brother," and wondered if it would limit access to Virtual Private Networks (VPNs), tools that allow users to circumvent censorship and to browse the web privately.

Daniil Vartanov, an IT expert from neighbouring Kyrgyzstan, was one of the first people to react to the launch of the certificate and confirmed users' suspicions. "Now they can read and replace everything you look at online […] Your personal information can be accessed by anybody in the state security services, ministry of internal affairs, or even the illicitly hired nephew of some top official. This isn't an exaggeration; this is really how bad it is," wrote Vartanov on Facebook.

Man in the Middle

On August 1, Kazakhstan's prosecutor general issued a statement reassuring citizens that the national security certificate was intended to protect internet users from illicit content and cyberattacks, stressing that the state guaranteed their right to privacy. IT experts proved otherwise.
Censored Planet, a project at the University of Michigan which monitors network interference in over 170 countries, warned that the Kazakh authorities had started attempting to intercept encrypted traffic using "man in the middle" attacks on July 17. At least 37 domains were affected, including social media networks.

"Man in the middle" or HTTPS interception attacks are attempts to replace genuine online security certificates with fake ones. "Normally, a security certificate helps a browser or application (for example, Instagram or Snapchat) to ensure that it connects to the real server. If a state, [internet] provider or illegal intruder tries to intercept traffic, the application will stop working and the browser will display a certificate error. The Kazakh authorities push citizens to install this certificate so that the browser and application continue to work after the interception is spotted," explained Vartanov in an interview with GV in early August.

History repeats itself

This was the authorities' third attempt to enforce the use of a national security certificate. The first came in late November 2015, right after certificate-related amendments were made to Kazakhstan's law on communication. The law obliges telecom operators to apply a national security certificate to all encrypted traffic except in cases where the encryption originates from Kazakhstan.

"The law doesn't oblige users to install the certificate; [internet service] providers are the ones responsible for it. Failure to do so may lead to a fine of approximately 250,000 tenge [about $645]," explained Birzhanova.

That same month, service providers announced that a national security certificate would come into force by January 2016. The announcement was soon taken down, and the issue remained forgotten for three years.

The second attempt came in March 2019, and was barely noticed by the public until they started to receive the aforementioned SMS messages in July.
After two weeks of turmoil on social media, Tokayev called off the certificate on August 6.
Nothing personal, just business

Why did Tokayev put the initiative on hold? Dmitry Doroshenko, an expert with over 15 years of experience in Central Asia's telecommunications sector, believes that concern about the security of online transactions played a major role.

"In case of a man in the middle attack, an illegal intruder or state can use any decrypted data at their own discretion. That compromises all participants in any exchange of information. Most players in online markets would not be able to guarantee data privacy and security," said Doroshenko. "It's obvious that neither internet giants nor banks or international payment systems are ready to take this blow to their reputation. If information were leaked, users would hold them to account rather than the state, which would not be unable to conduct any objective investigation," the IT specialist told Global Voices.

It is also worth remembering that a scandal concerning leaked data has made the issue of privacy particularly sensitive in Kazakhstan in recent months. During June's presidential elections, the personal details of 11 million Kazakh citizens became publicly available. On August 9, an investigation found employees of the central electoral committee responsible for the accident.

Citizens of Kazakhstan also appealed to tech giants to intervene and prevent the government from setting a dangerous precedent. On August 21, Mozilla, Google, and Apple agreed to block the Kazakh government's encryption certificate. In its statement, Mozilla noted that the country's authorities had already tried to have a certificate included in Mozilla's trusted root store program in 2015. "After it was discovered that they were intending to use the certificate to intercept user data, Mozilla denied the request," explained the company.

The companies' separate statements each included promises to develop unique technical solutions allowing each browser to better protect users' privacy.
What's next?

"No-one has ever tried what Kazakhstan is trying to achieve nationwide. The only example, on a smaller scale, would be the Chinese authorities' installation of spyware on the mobile phones of tourists travelling to Xinjiang," remarked a Russian IT expert who asked to remain anonymous.

Indeed, Kazakhstan is hardly the only country where the right to digital privacy is under threat. The British government wants to create a backdoor to access encrypted communications, as do its partners in the US. The Kremlin wants to make social media companies store data on servers located in Russia.

Some journalists and experts compare Kazakhstan's national security certificate to the "Great Firewall" of neighbouring China. Vartanov dismissed this comparison, saying that Kazakhstan simply does not have the resources to launch Chinese-style "internet sovereignty." "The Chinese internet market has enough capacity to have its own clones of Facebook or Twitter, while Kazakhstan's does not," he explained. Another important difference is that Kazakhstan is attempting to make internet users themselves responsible for giving up protection from government intrusion.

Many questions remain unanswered since Tokayev's announcement about the certificate. How many people have installed it? Once installed, did they manage to delete it? Will the law on communication be changed to free service providers from the responsibility of making users install it? And why did Tokayev call the national security certificate a "test"?

"I don't understand why the government didn't say it was a test from the beginning. I think they either decided to wait for better timing to launch the certificate, or they are solving technical problems that arose during the test," concluded Birzhanova, who is certain that Kazakhstan's authorities will try again.
Hackers Could Decrypt Your GSM Phone Calls - WIRED

Posted: 10 Aug 2019 12:00 AM PDT

Most mobile calls around the world are made over the Global System for Mobile Communications standard; in the US, GSM underpins any call made over AT&T or T-Mobile networks. But at the DefCon security conference in Las Vegas on Saturday, researchers from BlackBerry are presenting an attack that can intercept GSM calls as they're transmitted over the air and then decrypt them to listen back to what was said. What's more, this vulnerability has been around for decades.

Regular GSM calls aren't fully end-to-end encrypted for maximum protection, but they are encrypted at many steps along their path, so random people can't just tune into phone calls over the air like radio stations. The researchers found, though, that they can target the encryption algorithms used to protect calls and listen in on basically anything.

"GSM is a well-documented and analyzed standard, but it's an aging standard and it's had a pretty typical cybersecurity journey," says Campbell Murray, the global head of delivery for BlackBerry Cybersecurity. "The weaknesses we found are in any GSM implementation up to 5G. Regardless of which GSM implementation you're using there is a flaw historically created and engineered that you're exposing."

The problem is in the encryption key exchange that establishes a secure connection between a phone and a nearby cell tower every time you initiate a call. This exchange gives both your device and the tower the keys to unlock the data that is about to be encrypted. In analyzing this interaction, the researchers realized that the way the GSM documentation is written, there are flaws in the error control mechanisms governing how the keys are encoded. This makes the keys vulnerable to a cracking attack.
As a result, a hacker could set up equipment to intercept call connections in a given area, capture the key exchanges between phones and cellular base stations, digitally record the calls in their unintelligible, encrypted form, crack the keys, and then use them to decrypt the calls.

The findings analyze two of GSM's proprietary cryptographic algorithms that are widely used in call encryption—A5/1 and A5/3. The researchers found that they can crack the keys in most implementations of A5/1 within about an hour. For A5/3 the attack is theoretically possible, but it would take many years to actually crack the keys.

"We spent a lot of time looking at the standards and reading the implementations and reverse engineering what the key exchange process looks like," Murray says. "You can see how people believed that this was a good solution. It's a really good example of how the intention is there to create security, but the security engineering process behind that implementation failed."

The researchers emphasize that because GSM is such an old and thoroughly analyzed standard, there are already other known attacks against it that are easier to carry out in practice, like using malicious base stations, often called stingrays, to intercept calls or track a cell phone's location. Additional research into the A5 family of ciphers over the years has turned up other flaws as well. And there are ways to configure the key exchange encryption that would make it more difficult for attackers to crack the keys. But Murray adds that the theoretical risk always remains.

Short of totally overhauling the GSM encryption scheme, which seems unlikely, the documentation for implementing A5/1 and A5/3 could be revised to make key interception and cracking attacks even more impractical. The researchers say that they are in the early phases of discussing the work with the standards body GSMA.