Security problems with WAP
There are some security problems with WAP. The most important threat associated with WAP is the use of the WAP gateway. There are however also some security weaknesses in the WTLS protocol and some possible threats by using mobile devices. The most important security problems will now be discussed.
3.1 WAP gateway
WAP does not offer end-to-end security. As explained in section 2.1, WAP devices communicate with web servers through an intermediate WAP gate- way. WTLS is only used between the device and the gateway, while SSL/TLS can be used between the gateway and the web server on the Internet. This means that the WAP gateway contains, at least for some period of time, unencrypted data (which can be highly confidential). The gateway vendors have to take steps to ensure that the decryption and re-encryption takes place in memory, that keys and unencrypted data are never saved to disk, and that all memory used as part of the encryption and decryption process is cleared before handed back to the operating system. But how sure can you be that this happens, there are no standards or guarantees about these precautions? How do you know that the WAP gateway prevents the operating system from swapping memory pages out to swap space . . . ?
The problem is even worse! The WAP architecture implicitly assumes that the user of the mobile phone (and the web server) trust the WAP gate- way. All the (sensitive) data gets unencrypted by the WAP gateway. This means that in sensitive services, such as for example electronic banking, the bank should not rely on the client’s default (and untrusted) WAP gateway! A solution for this problem is proposed in section 4.
3.2 WTLS allows for weak encryption algorithms
The encryption protocol used to encrypt data during a WTLS session is negotiated in the handshake phase. There is the possibility to choose the 40-bit DES encryption method. In this method, a 5 byte key is used which contains 5 parity bits. This means that there are only 35 effective key bits in the DES key. It is very easy to find this DES key by a brute force attack. A 40-bit DES encryption is a very weak encryption algorithm!
3.3 Predictable IVs
The WTLS protocol should be able to operate above an unreliable transport layer, so datagrams may be lost, duplicated or reordered. If CBC-encryption mode is used, this means that it is necessary for the IV (Initial Value) to be contained in the packet itself or that the IV for that block can be derived from data that is already available to the recipient. WTLS always uses a lineair lineair IV computation. When a block cipher is used in CBC mode, the IV for encrypting each packet is computed as follows:
IVs = IV0 ? (s|s|s|s)
In this formula, s is a 16-bit sequence nummer of the packet and IV0 is the original IV , derived during key generation.
When CBC mode is used in combination with a terminal application where each keypress is sent as an individual packet (such as telnet), this can give problems when low-entropy secrets (such as passwords) are entered in the application. An attacker can guess every character of the password and can immediately check if his guess was correct. This makes it very easy to perform a brute force attacks. Details of this attack can be found in 5.
3.4 Potential for viruses
Mobile phones are getting more and more advanced and have a sophisti- cated operating system. Furthermore, WAP contains a scripting language (WMLScript). This makes it easier for virusses to affect a mobile phone. What makes it even more dangerous is that it is not possible to run sophis- ticated anti-virus software on a mobile phone. The first virus for a mobile phone has to appear yet, but experts agree that it propably will not take years anymore.
3.5 Physical security
The weakest link of the system will be the mobile phone itself. It easily gets lost1 or stolen and it is likely to be used more and more for the storage of sensitive data. The PIN code offers some protection, but it only consists of 4 digits and most users choose weak PINS (e.g., 1234 or 0000). If one makes a risk analysis of WAP, then the physical security of the mobile phone certainly has to be considered too!
Security problems with WAP