CompSofts.com

MUMBAI/NEW DELHI: Even as the Atomic Energy Commission confirmed that the contamination of drinking water at the Kaiga atomic plant in Karnataka was an “inside job”, the heavy water that was introduced into a water cooler has been traced to vials kept in labs within the complex.

The heavy water, used as a coolant in the nuclear plant, is collected for lab tests before being released for use.

It is suspected that some vials of heavy water were diverted to “spike” the water cooler instead of being released into specified areas. The heavy water was pushed into the cooler through an outflow pipe as the machine itself is sealed and authorities do not rule out the act of sabotage being carried out by a disgruntled nuclear scientist.

“The staff who had access to vials and the various points in the chain where the vials could have been diverted are being examined,” said MoS in PMO, Prithviraj Chavan.

He said all safety related procedures would be thoroughly reviewed and those responsible for the act would be traced. The government is examining whether there was an intent to sabotage the functioning of the plant or whether a disgruntled individual had played a “vicious prank”.

The water cooler is located outside the reactor area and was found contaminated by radioactivity on the night of November 24.

While not ruling out sabotage, senior nuclear scientists emphasized there was no radiation leak in the plant itself as reported in a section of the media.

Outgoing chairman of the Atomic Energy Commission, Anil Kakodkar, who is laying down office on Monday, was quoted as saying that it “clearly is a malevolent act”. Sabotage has not been ruled out, he said, adding that somebody had “deliberately” put radioactive vials in a water cooler.

The heavy water samples need to be accounted for more carefully in future, sources admitted. Tritium is a radioactive isotope of hydrogen, which is used for research, and in fusion reactors and neutron generators.

The alleged act of sabotage took place a fortnight after intelligence agencies warned of a terrorist attack on the country’s atomic plants. After the alert, security at all the units had been stepped up. Years ago, a similar incident took place at the Tarapur atomic power station. An inquiry was held, leading to the dismissal of an employee.

According to the AEC chief, investigations are now focusing on two angles. The authorities are working to identify the worker who contaminated the water cooler with tritiated (or super heavy) water. They will also review security aspects related to radiation hazard.

Kakodkar said normally small quantities of tritiated heavy water are tested for chemical parameters.
Speaking to TOI on Sunday, chairman and managing director of Nuclear Power Corporation (NPC), S K Jain, said the water cooler had been padlocked and the person in charge of maintenance on the night of November 24 was being examined. “The whole area has computer-accessed control. So in course of time we will be able to narrow down on the person who did the mischief,” he said.

“I will certainly describe this as a very serious incident because it has taken place even after we initiated special security checks following the advice of the Intelligence Bureau recently,” he said.

Asked why any staffer should resort to sabotage, Jain, said he could not rule out a “small percentage of employees being disgruntled for one reason or the other”. “In a place with a manpower strength of nearly 700, discontent among a small section of workers is inevitable,” he said.

He said that credentials of workers at the plant are cleared by intelligence agencies prior to their appointment.

In an earlier statement, Jain said there were a number of measures for routine monitoring of radiation exposure of workers at a nuclear power plant. One of them is urine sampling, in which some samples had indicated contamination.

NPC chief engineer N Nagaich said the water cooler served both Kaiga 1 and 2 units, which are 220 megawatt pressurized heavy water reactors. Kaiga 1 has been shut for maintenance. “Not a single person was hospitalized because their condition was not serious,” he said. Kaiga 2 was operating normally.

Preliminary investigations were being conducted by the Atomic Energy Regulatory Board and NPC.

Former chairman of AEC, P K Iyengar, told TOI that prima facie it appeared that the primary motive of the employee who contaminated the water cooler was “merely to create a scare”. Another former AEC chief, M
R Srinivasan, has called for strengthening of nuclear security.

The reported act of sabotage at Kaiga has triggered speculation among a section of nuclear scientists as to whether it could possibly be a “dry run” by a disgruntled staffer.

“By resorting to such mischief he perhaps wanted to gauge the reaction of other employees and the department as a whole,” a scientist said on condition of anonymity.

Vulnerability Advisory
======================

Remote SMS/MMS Denial of Service – “Curse Of Silence”
for Nokia S60 phones

URL

https://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt

Video
=====

https://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-demo.avi

Affected Products
=================

All Nokia Series60 2.6, 2.8, 3.0, 3.1 devices, see detailed list at
the end of the document.

Requirements to Execute Attack
==============================

- MSISDN of the target
- mobile phone contract that allows sending of SMS messages
- (almost) any Nokia phone (or some other means of sending SMS
messages with TP-PID set to “Internet Electronic Mail”)

Risk Level
==========

Medium (for S60 2.8 and 3.1 devices): Target will not be able to
receive any SMS or MMS messages while the attack is ongoing. After
that, only very limited message receiving is possible until the device
is Factory Resetted

High (for S60 2.6 and 3.0 devices): Target will not be able to receive
any SMS or MMS messages until the device is Factory Resetted

Summary
=======

Emails can be sent via SMS by setting the messages Protocol Identifier
to “Internet Electronic Mail” and formatting the message like this:

If such messages contain an with more than 32
characters, S60 2.6, 2.8, 3.0 and 3.1 devices are not able to receive
other SMS or MMS messages anymore. 2.6 and 3.0 devices lock up after
only one message, 2.8 and 3.1 devices after 11 messages.

Details
=======

3GPP TS 23.040 specifies a method for sending emails via SMS in
section 3.8 (”SMS and Internet Electronic Mail interworking”). In its
most basic form, such a SMS message starts with the from- (MT-SMS) or
to-email-address (MO-SMS), followed by a space character, and then the
message body. The TP-Procotol-Identifier of the SMS message has to be
set to “Internet Electronic Mail” (value: 50 / 0×32).

It is not specified how such a message should be displayed when
received by the phone. Before S60 2.6, Series60 devices displayed such
messages exactly as they were sent. Starting with S60 2.6, when the
part of the message that should contain the from-address looks
anything like an email address (i.e. it contains an “@” somewhere),
this address is then displayed as the message sender instead of the
usually shown TP-Originating-Address.

If this email address is longer than 32 characters, Series60 2.6, 2.8,
3.0 and 3.1 devices fail to display the message or give any indication
on the user interface that such a message has been received. They do,
however, signal to the SMSC that they received the message by sending
an RP-ACK.

Devices running S60 2.6 or 3.0 will not be able to receive any other
SMS message after that. The user interface does not give any
indication of this situation. The only action to remedy this situation
seems to be a Factory Reset of the device (by entering “*#7370#”).

Devices running S60 2.8 or 3.1 react a little different: They do not
lock up until they received at least 11 SMS-email messages with an
email address that is longer than 32 characters. The device will not
be able to receive any other SMS message after that – upon receiving
the next message, the phone will just display a warning that there is
not enough memory to receive further messages and that data should be
deleted first. This message is even displayed on an otherwise
completely “empty” device.

After switching the phone off and on again, it has limited capability
for receiving SMS messages again: If it receives a SMS message that is
split up into several parts (3GPP TS 23.040, 9.2.3.24.1 Concatenated
Short Messages) it is only able to receive the first part and will
display the “not enough memory” warning again. After powercycling the
device again, it can then receive the second part. If there is a third
part, it has to be powercycled again, and so on.

Also, an attacker now just needs to send one more “Curse Of Silence”
message to lock the phone up again. By always sending yet another one
as soon as the status report for delivery of the previous message is
received, the attacker could completely prevent a target from
receiving any other SMS/MMS messages.

Only Factory Resetting the device will restore its full message
receiving capabilities. Note that, if a backup is made using Nokia
PC-Suite *after* being attacked, the blocking messages are also
backuped and will be sent to the device again when restoring the
backup after the Factory Reset.

Note that not being able to receive SMS messages also means not being
able to receive MMS messages, since they are signalled by sending an
SMS message to the device.

“Curse Of Silence” messages can be generated with any phone or
cellular modem that supports 3GPP TS 27.005 AT commands and with most
Nokia phones also directly from the user interface. For example, on
S60 devices, when in the message editor, the type of the message can
be switched to “E-mail” under “Options” -> “Sending options” ->
“Message sent as”. The 6310i conveniently offers a “Write email” menu
entry in the messaging menu.

The simplest form of content for a Curse Of Silence would be something
like “123456789@123456789.1234567890123 ” (the digits are used only to
illustrate the length of the “email address” of more than 32
characters). Note the space at the end of the message!

Workaround
==========

None known for the user side.

Until a firmware fix is available, network operators should filter
messages with TP-PID “Internet Electronic Mail” and an email address
of more than 32 characters or reset the TP-PID of these messages to 0.

Credits
=======

Tobias Engel
November 9, 2008

Many thanks to Frank Rieger for spending countless hours cutting and
editing the video.

Detailed List of Affected Products
==================================

Tested on several S60 2.6, 3.0 and 3.1 devices. Since the vulnerable
component is a S60 base functionality, it seems safe to assume that
all devices with these OS versions are affected.

S60 3rd Edition, Feature Pack 1 (S60 3.1):
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E51
Nokia N95 8GB
Nokia N95
Nokia N82
Nokia N81 8GB
Nokia N81
Nokia N76
Nokia 6290
Nokia 6124 classic
Nokia 6121 classic
Nokia 6120 classic
Nokia 6110 Navigator
Nokia 5700 XpressMusic

S60 3rd Edition, initial release (S60 3.0):
Nokia E70
Nokia E65
Nokia E62
Nokia E61i
Nokia E61
Nokia E60
Nokia E50
Nokia N93i
Nokia N93
Nokia N92
Nokia N91 8GB
Nokia N91
Nokia N80
Nokia N77
Nokia N73
Nokia N71
Nokia 5500
Nokia 3250

S60 2nd Edition, Feature Pack 3 (S60 2.8):
Nokia N90
Nokia N72
Nokia N70

S60 2nd Edition, Feature Pack 2 (S60 2.6):
Nokia 6682
Nokia 6681
Nokia 6680
Nokia 6630

Change History
==============

December 30, 2008:
Removed auth details since they are no longer required

December 21, 2008:
Corrected version numbers for S60 2nd Edition

December 13, 2008:
S60 2.8 devices react like S60 3.1 devices, not like S60 2.6 or 3.0
devices