2

If I'm using a 3G modem on USB, is that secured or easily hackable? Is there some form of encryption built into it?

frenchie
  • 1,091
  • 2
  • 12
  • 17

3 Answers3

4

Is there some form of encryption built into it?

Yes, 3G has encryption. It usually is strong enough for attacks based on observation alone.

is that secured or easily hackable?

Sigh. Could we move away from using words like "hackable" or "I've been hacked" in general? They're super non-descriptive.

If "hacking" means cracking the cipher used to encrypt the over-the-air data, no, that's pretty hard and I don't know whether that is done anywhere. That is, assuming that in a post-2010 world, operators have learned to use the right ciphers and periodically exchange keys.

If "hacking" means swindling and imposing as a legit base station to capture the traffic of a telephone, maybe with or without cooperation of the network operator: That's a lot easier.

If "hacking" includes your computer, to which you connect your modem: Well, you might have noticed that there's thousands of new malwares every month. There's certainly some security holes in your system. And that might be used to gain access to your data, regardless of encryption.

Marcus Müller
  • 5,843
  • 2
  • 16
  • 27
  • Ok; would you do a remote TCP connection to a database to update some tables over 3G? – frenchie Dec 04 '16 at 12:43
  • I wouldn't do an unencrypted connection to a database over **any** connection. – Marcus Müller Dec 04 '16 at 12:45
  • I mean, how is that even a question? Any half-way reasonable database admin won't allow you to connect to their database externally without at least a layer of TLS! – Marcus Müller Dec 04 '16 at 12:50
  • Any half-way reasonable administrator won't expose their production systems to the Internet *at all* except through a tightly controlled firewall. If it isn't a production system, then it doesn't matter. (At work, I don't really care if my development databases get corrupted, because for the very most part, I can just deploy a fresh instance of the database on top of the corrupted one and go on my merry way. Sure, I might lose a little bit of test data, but so what? And *even the development database server* is only accessible internally or through a VPN terminated at the office concentrator.) – user Dec 04 '16 at 17:40
  • The question was just a hypothetical to see if 3G was secure. – frenchie Dec 04 '16 at 17:54
  • 1
    @frenchie then you picked the wrong question. I answered your "is it secure" question with my answer above – as always, it's a "it depends on your understanding of secure and the actual network". – Marcus Müller Dec 04 '16 at 18:01
1

I'm going to copy a comment of OP's into this answer, because it's relevant to understanding the context in which this question was asked:

The question was just a hypothetical to see if 3G was secure. – frenchie 2016-12-04 17:54:31Z

This shows a flawed understanding of what "security" is and means.

"Secure" isn't a binary property of a technology. It depends on implementation (largely fixed in this case, albeit details can vary between manufacturers) and varies with threat model, and is a set of points on many continuums. It isn't even a point on a single continuum because each distinct threat is a different continuum.

Is a 3G mobile connection secure against eavesdropping by my little sister? Probably. The data is highly likely to be encrypted while in transit, and I suspect that my little sister does not possess the equipment or expertise to meaningfully receive, demodulate and decrypt data not intended for a specific handset or subscriber identity in her possession.

Is a 3G mobile connection in some particular location secure against denial of service by a nation-state adversary? Probably not; if nothing else, they could place a powerful transmitter closer to me than the nearest base station, overpowering the legitimate signal and thus denying me service. The technology for doing that is fairly simple; a powerful broadband white noise transmitter isn't too hard to build.

Is a 3G mobile connection secure against the computer it's attached to getting hacked by an organized crime group? In that case, the fact that the data is carried over 3G is irrelevant, just as much as the fact that a computer would be connected over fiber or ADSL would be irrelevant. What matters then is how the system is protected and configured, what software is running on it, and how that software is configured.

Unless you define your threat model, asking whether something is "secure" is meaningless. It's similar to asking whether a Formula 1 car is a good car. Sure, it's a good car for its designed purpose; for that, it's a great car, even. But it might not be the best choice for commuting to and from work on public roads.

user
  • 7,670
  • 2
  • 30
  • 54
-1

As an example, I will relate what a techie I spoke to has done with a HackRF One: - set up IMSI catcher with OpenBTS - downgrade client crypto - sniff network traffic - listen in on phonecalls

He did this in EU, and I have no reason to believe US/rest of world is hardened against this.

Always use end-to-end encryption (Signal app for example, even WhatsApp or Skype etc) if it matters - remember eg a VPN doesn't encapsulate normal mobile calls.

Assume you are compromised (but don't be paranoid), and don't trust networking devices more than you trust speaking in front of an audience.

user400344
  • 863
  • 5
  • 9