• This is the third year he’s done a GSM presentation
• Did a live demo on stage showing how to sniff, crack, and impersonate a phone
• A5/1 is dead AND improperly implemented
• A5/3 is better but will be cracked (still 64-bit, but a block cipher at least)
• A5/4 is legit biznitch but operators are lazy
• TMSI ~= username
• KC ~= password
• GSM != CDMA
• Mitigations:
  1. Implement padding randomization (blerg)
  2. SI5/SI6 randomization (Google TS 44.018)
  3. Implement A5/3
• Implementing 1 and 2 is “easy” and effectively stops 100% of current threats
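Why mitigations 1 and 2 do so much work: A5/1 is an XOR stream cipher, so any octet whose plaintext is predictable hands the observer that octet of keystream, and GSM hands out plenty of them (the fixed fill octet 0x2B that pads short layer-2 frames, and the SI5/SI6 messages that are sent with the same content over and over). The snippet below is an added illustration, not code from the talk: it stands in a toy SHA-256-based keystream for A5/1 (it is not A5/1), builds a 23-octet LAPDm-sized frame with either fixed or random fill, and counts how many keystream octets an observer recovers by assuming the fill is 0x2B. The payload, key and frame number are constructed values.

```python
"""Fixed vs. randomized padding under an XOR stream cipher (added example).

The keystream generator is a toy SHA-256 construction standing in for A5/1;
it is NOT the real cipher. The property shown holds for any XOR stream
cipher: ciphertext XOR known plaintext = keystream. GSM pads unused octets
of a 23-octet LAPDm frame with the fill octet 0x2B, which is known plaintext
unless the fill is randomized.
"""
import hashlib
import secrets

FRAME_LEN = 23      # LAPDm frame length in octets (GSM layer 2)
FILL_OCTET = 0x2B   # GSM's fixed fill octet


def toy_keystream(key: bytes, frame_no: int, length: int) -> bytes:
    """Deterministic toy keystream (stand-in for A5/1, not the real thing)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key + frame_no.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_frame(payload: bytes, randomize_padding: bool) -> bytes:
    """Pad a short layer-2 payload to FRAME_LEN with 0x2B (legacy) or random fill."""
    if len(payload) > FRAME_LEN:
        raise ValueError("payload longer than one frame")
    pad_len = FRAME_LEN - len(payload)
    if randomize_padding:
        padding = secrets.token_bytes(pad_len)   # mitigation 1
    else:
        padding = bytes([FILL_OCTET]) * pad_len  # legacy behaviour
    return payload + padding


def encrypt_frame(key: bytes, frame_no: int, frame: bytes) -> bytes:
    return xor_bytes(toy_keystream(key, frame_no, len(frame)), frame)


def keystream_octets_exposed(ciphertext: bytes, payload_len: int,
                             key: bytes, frame_no: int) -> int:
    """Count keystream octets an observer learns by assuming 0x2B fill.

    The observer sees only the ciphertext and the payload length; it assumes
    the trailing octets were 0x2B and XORs that out. We compare the guesses
    against the true keystream to count how many were right.
    """
    guessed = bytes(c ^ FILL_OCTET for c in ciphertext[payload_len:])
    true_ks = toy_keystream(key, frame_no, len(ciphertext))[payload_len:]
    return sum(1 for g, t in zip(guessed, true_ks) if g == t)


def compare(payload: bytes = b"SI5 fixed part",   # constructed 14-octet payload
            key: bytes = b"demo-key",             # constructed toy key
            frame_no: int = 1234) -> dict:
    """Same payload, same keystream, fixed fill vs. random fill."""
    fixed = encrypt_frame(key, frame_no, build_frame(payload, randomize_padding=False))
    rand = encrypt_frame(key, frame_no, build_frame(payload, randomize_padding=True))
    return {
        "padding_octets": FRAME_LEN - len(payload),
        "exposed_with_fixed_fill": keystream_octets_exposed(fixed, len(payload), key, frame_no),
        "exposed_with_random_fill": keystream_octets_exposed(rand, len(payload), key, frame_no),
    }


if __name__ == "__main__":
    print(compare())
```

With fixed fill every one of the 9 padding octets gives away its keystream octet for free; with random fill a guess of 0x2B is right only by chance (1 in 256 per octet). SI5/SI6 randomization closes the same hole for whole messages whose content would otherwise be predictable.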
Tools that they used:
• Osmocom – turns a phone into a GSM hacking tool
• CaptureCapture – turns Osmocon into an IDS for GSM attacks
• GSMMap.org – ratings of countries based on their GSM security
• Baseband = the chipset of the phone that handles telecoms
• Facilitates the bridge to accept AT commands
• Talks about the Qualcomm DIAG protocol
  • Download mode: WRITE and EXECUTE anywhere on the device
  • Normal mode: accepts commands to read/write memory locations
• Blerg blerg blerg. Good data if you want to learn how to reverse this yourself, but no output.
Print Me if you dare
• MSNBC: Millions of printers open to devastating hack attack
• Ars Technica: HP printers can be remotely controlled and set on fire
• Gawker: Hackers could turn your printer into a flaming death bomb
• Gizmodo: Can hackers really use your HP printer to steal your identity and blow up your house?
Print Me if you dare
• No bomb/fire
• 56 firmwares were released to fix this flaw, affecting 2005–2011
• CVE-2011-4161
• Found out that you can update the firmware with LPR
• Found out that this process did not use digital signatures or authentication
• PJL – Printer Job Language
• Made a malicious remote firmware update in PJL
• Can be used for phishing
Print Me if you dare
• Takes apart a printer and reviews the chips
• Downloads the datasheet for the flash chip (Digi-Key)
• Learns how to talk to the chip
• Made an Arduino dumper for the ROM chip of the printer
• Runs output into IDA Pro
• ...Magic...
• Writes a VxWorks rootkit – 3k of ARM assembly
Print Me if you dare
• Malware:
  • Reverse proxy – NAT traversal
  • Print-job interceptor – send to another IP
  • Debug message redirection – telnet
  • Cause paper jams, “Control Controller”
• Summary: Made a rootkit to attack HP printers to use as a pivot for pen tests.
• Add RFU vulns to your pen tests (not in Nessus or Nexpose yet). Run RFU for the printer model. If the firmware changes = bad.
• Can be included in legit documents (PostScript)
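Two defender-side checks fall out of these slides: a print job that arrives over LPR can carry PJL that does more than print, so the PJL in jobs is worth inspecting (including a second PJL segment hidden behind a legit PostScript document), and since the update path has no signatures, the only tripwire left is “if the firmware changes = bad”, i.e. a recorded baseline of firmware versions with alarms on drift. The script below is an added example, not code from the talk or from HP. The PJL syntax it parses (the UEL escape, `@PJL ENTER LANGUAGE = …`, `@PJL COMMENT`, `@PJL JOB`/`EOJ`) is real; the two sample jobs and the inventory are constructed, and the allow-lists of benign commands and permitted page-description languages are an assumption you would tune to your own fleet. How the observed firmware versions are collected (PJL `INFO`, SNMP, a web UI) is left out.

```python
"""PJL job inspection and firmware-version drift check (added example).

Not the talk's or HP's code. PJL syntax is real; sample jobs, inventory and
the allow-lists are constructed/assumed.
"""
import re
from typing import Dict, List, Tuple

UEL = b"\x1b%-12345X"                       # PJL Universal Exit Language sequence
PJL_LINE = re.compile(rb"@PJL\s*([A-Z]*)\s*(.*)")

# ASSUMED allow-lists: PJL commands seen in ordinary print jobs, and the
# page-description languages a job is permitted to enter. Tune per fleet.
BENIGN_COMMANDS = {"", "COMMENT", "JOB", "EOJ", "SET", "ENTER", "INFO", "ECHO",
                   "USTATUS", "RDYMSG", "DEFAULT", "INITIALIZE", "RESET"}
ALLOWED_LANGUAGES = {"PCL", "PCLXL", "POSTSCRIPT"}


def extract_pjl_commands(job: bytes) -> List[Tuple[str, str]]:
    """Return (command, argument) for every line that starts with @PJL.

    The whole stream is scanned, not just the header, because a job can
    switch back out of PostScript with a UEL and start a new PJL segment.
    """
    commands = []
    for raw in job.split(b"\n"):
        line = raw.replace(UEL, b"").strip()
        m = PJL_LINE.match(line)
        if m:
            commands.append((m.group(1).decode(),
                             m.group(2).decode(errors="replace").strip()))
    return commands


def inspect_job(job: bytes) -> Dict[str, List[str]]:
    """Flag PJL that is not part of ordinary printing.

    Returns {"flags": [...], "languages": [...]}; an empty flag list means
    every PJL command was on the allow-list and every ENTER LANGUAGE named a
    permitted page-description language.
    """
    flags, languages = [], []
    for cmd, arg in extract_pjl_commands(job):
        if cmd == "ENTER":
            m = re.match(r"LANGUAGE\s*=\s*([A-Z0-9]+)", arg, re.IGNORECASE)
            lang = m.group(1).upper() if m else "?"
            languages.append(lang)
            if lang not in ALLOWED_LANGUAGES:
                flags.append(f"enters non-print language {lang}")
        elif cmd not in BENIGN_COMMANDS:
            flags.append(f"unexpected PJL command {cmd} {arg}".strip())
    return {"flags": flags, "languages": languages}


def firmware_drift(baseline: Dict[str, str], observed: Dict[str, str]) -> List[str]:
    """Compare observed firmware versions with the recorded baseline.

    Both maps are printer id -> firmware version string as reported by the
    device. Any change, upgrade or downgrade, is reported: a planned update
    gets written into the baseline by the admin, never accepted silently.
    """
    alerts = []
    for printer, version in observed.items():
        known = baseline.get(printer)
        if known is None:
            alerts.append(f"{printer}: not in baseline (version {version})")
        elif known != version:
            alerts.append(f"{printer}: firmware changed {known} -> {version}")
    return alerts


# Constructed sample jobs, not real captures.
ORDINARY_JOB = (UEL + b'@PJL JOB NAME="report.pdf"\n'
                b"@PJL SET COPIES=1\n"
                b"@PJL ENTER LANGUAGE = POSTSCRIPT\n"
                b"%!PS-Adobe-3.0\n(hello) show\n"
                + UEL + b"@PJL EOJ\n")

# A legit-looking PostScript document with a second PJL segment appended
# after the page data; the UPGRADE keyword is what HP RFU files start with,
# but anything off the allow-list would be flagged the same way.
SUSPECT_JOB = (UEL + b'@PJL JOB NAME="invoice.ps"\n'
               b"@PJL ENTER LANGUAGE = POSTSCRIPT\n"
               b"%!PS-Adobe-3.0\n(hello) show\n"
               + UEL + b"@PJL COMMENT constructed sample\n"
               b"@PJL UPGRADE SIZE=4096\n"
               b"\x00\x01\x02\x03...binary image...\n")

# Constructed inventory: id -> firmware version string.
BASELINE = {"hp-floor2": "20110901", "hp-floor3": "20110901"}
OBSERVED = {"hp-floor2": "20111215", "hp-lobby": "20110901"}

if __name__ == "__main__":
    print("ordinary:", inspect_job(ORDINARY_JOB))
    print("suspect: ", inspect_job(SUSPECT_JOB))
    print("drift:   ", firmware_drift(BASELINE, OBSERVED))
```

Run against a spool directory or a capture of port 515/9100 traffic, the inspector gives you a list of jobs to look at rather than a verdict; the drift check is the cheap control the slides point at, and it needs the baseline to be kept current on purpose so that a version change is always a question worth asking.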
CELLULAR PROTOCOL STACKS
• Awesome intro to mobile protocols talk
• Unfortunately nothing about CDMA and America
• Goes into GSM, GPRS, the history, why everything is fucked up; extremely thorough
• Got boring quickly
• Passed out
CELLULAR PROTOCOL STACKS
• Is he still talking?
• Holy crap, he’s just naming 1000 acronyms now
• Punkrokk – do your joke
• Did he do it?
• Ok nevermind, this talk was lame
• Here, look at this instead:
Taking Over The Tor Network
• Presentation references “Over 9000” but it flies over the heads of all of Europe
• Created the tor_extend ruby library < neat
• Made a map of all the hidden routers < cute
“Taking Over” The Tor Network
• Created Tor malware that exploits a DLL in a Windows box
• Did not release code
• Their malware implemented packet spinning, which is an attack vector discussed in 2008
• Did not talk to Tor Project at all
• “This doesn’t work with the new version of Tor anymore”
“Taking Over” The Tor Network
• There are more than 600 bridge nodes
• They have found “all” 181 bridge nodes
• There are only about 2500 ORs
• They have found Over 9000!!!1!!
“Taking Over” The Tor Network
• They made Windows malware and then used someone else’s attack, then told the world they owned the Tor network
• Hilarious last 10 minutes of the presentation where Dingledine and IOError do a Q and A:
  • Can you tell me what’s new and relevant about your presentation?
  • Why didn’t you talk to us?
  • You published a lot of bridge nodes. Why do you want to hurt third world countries?
  • Why don’t you release the exploit?
“Taking Over” The Tor Network
Dingledine: “UR STUPD I FUK UR FACE!”
DOWNLOAD
All the things: http://mirror.fem-net.de/CCC/28C3/mp4-h264-HQ/