How safe is GPRS / EDGE

[krishnandu]

Well guys....I just wanted to know how safe is GPRS and EDGE access??

I mean I login to orkut, facebook, twitter, gtalk, yahoo messenger etc etc. So how safe are they?? There is no HTTPS I think. So is it encrypted in any other way??

Do you recommend accessing my online bank site though GPRS?? I don't have any idea. Please comment.

One more thing I would like to ask about GPRS, my mobile supports accessing Email over POP, IMAP. I hope so. I'm using Nokia 2730. Please correct me if I'm wrong. And I'm using Airtel Mobile Office(98/- pack). So does it supports this email feature?? I mean if I access my email using IMAP and POP charges won't get deducted from the main balance na??

 

[sibot]

I'm not too sure about security over Edge, but I regularly access Facebook and my mail via Airtel Edge, I don't think they would be snooping for packets to access my email. I'm sure these apps have secure protocols for data transfer over the internet.

As for IMAP, POP over the Airtel Mobile Office, it would not be deducted from your credit balance, it would be accounted from the 2GB free you get, I'm on the same plan and use IMAP mail services.

 

[krishnandu]

Ok thank you for your comments and confirmation about IMAP and POP over Airtel MO. I want some more comments please

Specially about the security

And what about accessing online banking site??

 

[adi_vastava]

Well your questions does not make a lot of sense, but than that is why you posted it here isn't it.

In short http, https, ftp etc are protocols (read rules) to receive data from server.

Next broadband, dialup, cable modem etc and similarly edge are ways to connect to internet. i.e. way to send and receive packets between server and client(different than protocols).

Now https is actually using http over encrypted layer and transmit the packets which than be decrypted by client and viceversa.

edge will just transfer them to server, it does not bother about what is there inside a packet, whether it is encrypted or not, its the duty of server and client, for edge its just a binary stream which it needs to deliver to some location.

I used to attach my nokia to pc and access internet through it, and than used to open all type of sites, so no problem at all with edge.

Now in short you can use secure sites on your phone over edge, only problem is that most of the time secure sites supports some specific browsers, in that case they may not open on your phone browser.

hope it helps and will not create confusion

cheers

Aditya

 

[Praks]

Why dont you use https://gmail.com when opening from mobile browser ?

 

[Tanuj]

Just use common sense when you are on the internet. There is no harm in accessing any site from gprs/edge. And for getting mails in your mailbox you just have to configure it properly and no extra money is deducted from main balance.

 

[killerz]

Good Q. I too use Internet Banking via egde when my broadband fails. I hope ur right @adi_vastava , anyone else could enlighten on the security?

 

[..:: Free Radical ::..]

whatever you do, do not store your passwords on your mobile coz lest it stolen, you also risk losing your account details, not that a thief may know how to retrieve them but its not a good idea anyway.

and always prefer https wherever banking is involved ofc

 

[Praks]

Well, whenever you open site from browser just open using https from mobile also.

As long as authentication happens on https, even if someone at GPRS server sniffs traffic they cant do anything.

Dont use WAP sites as it uses WTLS protocol as optional layer which decrypts your data for few seconds & converts to plain text before converting to normal TCP/IP traffic data.

 

[krishnandu]

Ok, Thanks a lot guys.

I really didn't have any idea about this. So I'll be opening https ones from now on using Opera Mini 5

So as you said it'll support IMAP, POP etc, so I can configure email then too.

So can I connect my mobile to PC and access Internet?? Is it possible and supported??

As I said before I'm using Nokia 2730c, Airtel MO(98/- pack)

 

[blr_p]

Well guys....I just wanted to know how safe is GPRS and EDGE access??

I think he means whether anyone can sniff his passwords 'off the air'.

The short answer to that is no, because one of the characteristics of a 2G network is it encrypts the communication between the sender & the tower with a key derived form the senders IMEI. So just to get onto the network the communication is already encrypted. More here.

Once it reaches the provider then it gets onto the net as usual, so if there is no HTTPS to the site you are accessing then, your passwords will be sent in plain text. So at this point its no different to using a wired connection.

But...there's still a loophole --the provider-- as this interesting pak blog post indicates. The provider uses a proxy to get onto the web and in this particular case due to a misconfigured cache there is nothing the user can do that will make it safe. I guess you will have to be alert to this if and when it ever happens.

Customer data at the provider's end is always subject to how serious the provider is with securing such data regardless of whether the connection used is wired or wireless

 

[Praks]

Good point blr_p

Well there is already a method out there where researcher are claiming to sniff data out of GSM networks. Tested in lab environment. No official exploit is out yet.

till then its safe.

 

[krishnandu]

Thanks everyone. Ya that was what I wanted to know. Actually I use HTTPS for some site. And just got curiousity to know if HTTPS works in GRPS/EDGE connection.

Like when I login to Orkut the login procedure is done using HTTPS and then it goes back to HTTP. So when I was accessing orkut using my mobile I didn't see this. So just wanted to know whether this data's are encrypted any way and can I use https.

Thanks.....My query got cleared.

And the other query was about IMAP and POP. That too cleared

Now only one query (though it's off-topic), Can I connect my mobile to PC and access Internet?? I know this is possible. But I want to know is this possible in Airtel Mobile Office?? I'm using 98/- Pack.

Well...can anyone say me how can I access mCheck?? When I inserted the SIM I registered for mCheck and created a 6 digit PIN. But how would I access it??

I'm sorry I'm asking the basic ques. which I should ask to CC. But CC is not working for me. Wheneven I choose to speak to a CC Executive the IVR says "To know about billing for your a/c.....etc etc". Did they banned me?? Or any other problem??

 

[blr_p]

Well there is already a method out there where researcher are claiming to sniff data out of GSM networks. Tested in lab environment. No official exploit is out yet.

Any link for this ?

 

[Praks]

Could not find the link, but remember technical details of it.

Here is pdf, grab it & see the tech details.

25C3: Locating Mobile Phones using SS7

Will try to post details about GSM sniffing soon. This ain't hac*ing forum so cant post core tech stuff.

 

[blr_p]

Here is pdf, grab it & see the tech details.

25C3: Locating Mobile Phones using SS7.

This is to do with locating a caller within a cell, it easier nowadays compared to having to do it with triangulation.

But that's quite different to eavesdropping on someone's elses call and grabbing stuff out of the air.

Will try to post details about GSM sniffing soon. This ain't hac*ing forum so cant post core tech stuff.

It was possible with 1G phones, and quite a few celebs had their calls monitored and the details splashed in the tabloid press. I've not heard of similar with 2G and after so this is the main reason i give that its not possible to do through the air.

Course if the line is tapped anything is possible. but this is usually beyond the scope of your avg hack.

 

[Praks]

Here is brief what I found. not able to locate GSM Encryption whitepaper. If will find from HDD will upload here.

Welcome to TechNewsWorld

 

[blr_p]

Ok, now I understand what you're referring to and agree, given the motivation and right equipment, it is possible to pull stuff 'out of the air'.

But AFAICT this hack only applies to voice & SMS and not GPRS (which uses the GEA3 encryption algorithm, not A5/2) see this

Wonder if the simple way to get around this hack is to use Reliance which uses TDMA and not GSM. Tho i'm not sure if Reliance still uses TDMA anymore. Vaguely recall they were moving to GSM cpl years back.

 

[dasgupta_arup]

well i did a few online bank transactions over the inbuilt html browser on nokia e63
keeping me fingers crossed
.....think i'll change pwd