28c3 in 15

  1. • This is the third year he’s done a GSM presentation
     • Did a live demo on stage showing how to sniff, crack, and impersonate a phone
     • A5/1 is dead AND improperly implemented
     • A5/3 is better but will be cracked (still 64-bit, but a block cipher at least)
     • A5/4 is legit biznitch but operators are lazy
  2. • TMSI ~= username
     • KC ~= password
     • GSM != CDMA
     • Mitigations:
       • Implement padding randomization (blerg)
       • SI5/SI6 randomization (Google TS 44.018)
       • Implement A5/3
     • Implementing 1 and 2 is “easy” and effectively stops 100% of current threats
  3. Tools that they used:
     • Osmocom – turns a phone into a GSM hacking tool
     • CaptureCapture – turns Osmocom into an IDS for GSM attacks
     • GSMMap.org – ratings of countries based on their GSM security
  4. • Baseband = the chipset of the phone that handles telecoms
     • Facilitates the bridge to accept AT commands
     • Talks about the Qualcomm DIAG protocol
       • Download mode: WRITE and EXECUTE anywhere on the device
       • Normal mode: accepts commands to read/write memory locations
     • Blerg blerg blerg. Good data if you want to learn how to reverse it yourself, but no output.
  5. Print Me if you dare
     • MSNBC: Millions of printers open to devastating hack attack
     • Ars Technica: HP printers can be remotely controlled and set on fire
     • Gawker: Hackers could turn your printer into a flaming death bomb
     • Gizmodo: Can hackers really use your HP printer to steal your identity and blow up your house?
  6. Print Me if you dare
     • No bomb/fire
     • 56 firmwares were released to fix this flaw (affecting 2005-2011)
     • CVE-2011-4161
     • Found out that you can update the firmware with LPR
     • Found out that this process did not use digital signatures or authentication
     • PJL – Printer Job Language
     • Made a malicious remote firmware update in the PJL language
     • Can be used for phishing
  7. Print Me if you dare
     • Takes apart a printer and reviews the chips
     • Downloads the datasheet for the flash chip (Digi-Key)
     • Learns how to talk to the chip
     • Made an Arduino dumper for the ROM chip of the printer
     • Runs output into IDA Pro
     • ...Magic...
     • Writes a VxWorks rootkit – 3k of ARM assembly
  8. Print Me if you dare
     • Malware
       • Reverse proxy – NAT traversal
       • Print-job interceptor – send to another IP
       • Debug message redirection – telnet
       • Cause paper jams, “Control Controller”
     • Summary:
       • Made a rootkit to attack HP printers to use as a pivot for pen tests.
       • Add RFU vulns to your pen tests (not in Nessus or Nexpose yet). Run RFU for the printer model. If the firmware changes = bad.
       • Can be included in legit documents (PostScript)
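The “if the firmware changes = bad” check above is really a baseline-drift rule, and that is the defender’s half of it: record what each printer reports, then flag any printer whose reported firmware no longer matches. The script below is an added example, not code from the talk or this deck. It parses a PJL INFO-style reply into key/value fields and compares the firmware value against a recorded baseline; the reply text is constructed and the “FIRMWARE DATECODE” field name is an assumption used as a placeholder.

```python
# Constructed sample replies shaped like a PJL "@PJL INFO CONFIG" answer
# (assumed form: KEY=VALUE lines ending in a form feed). Not captured from
# real hardware; "FIRMWARE DATECODE" is a hypothetical field name.
REPLY_BASELINE = (
    "@PJL INFO CONFIG\r\n"
    "IN TRAYS [1 ENUMERATED]\r\n"
    "\tINTRAY1 MP\r\n"
    "MEMORY=67108864\r\n"
    "FIRMWARE DATECODE=20110819\r\n"
    "\x0c"
)
REPLY_CHANGED = REPLY_BASELINE.replace("20110819", "20111228")
REPLY_NO_FIELD = REPLY_BASELINE.replace("FIRMWARE DATECODE=20110819\r\n", "")


def parse_pjl_info(reply: str) -> dict:
    """Turn the KEY=VALUE lines of a PJL INFO reply into a dict.
    Headings such as 'IN TRAYS [1 ENUMERATED]' and their indented entries
    carry no '=' and are stored with an empty value."""
    fields = {}
    for raw in reply.split("\n"):
        line = raw.replace("\x0c", "").strip()
        if not line or line.startswith("@PJL"):
            continue
        key, sep, value = line.partition("=")
        fields[key.strip().upper()] = value.strip() if sep else ""
    return fields


def firmware_check(reply: str, expected: str, key: str = "FIRMWARE DATECODE") -> str:
    """Compare the firmware value a printer reports now with the value recorded
    when it was baselined. Returns 'ok', 'changed' or 'unknown'. A 'changed'
    verdict with no scheduled update is exactly the signal the talk describes:
    something was able to push firmware to this device."""
    reported = parse_pjl_info(reply).get(key)
    if not reported:
        return "unknown"
    return "ok" if reported == expected else "changed"


def audit(fleet: dict, replies: dict) -> dict:
    """fleet: printer name -> baselined firmware value; replies: printer name ->
    reply collected this run. Returns printer name -> verdict."""
    return {name: firmware_check(replies.get(name, ""), expected)
            for name, expected in fleet.items()}


if __name__ == "__main__":
    fleet = {"lobby-lj": "20110819", "finance-lj": "20110819", "hr-lj": "20110819"}
    replies = {"lobby-lj": REPLY_BASELINE, "finance-lj": REPLY_CHANGED, "hr-lj": REPLY_NO_FIELD}
    for name, verdict in audit(fleet, replies).items():
        print(f"{name}: {verdict}")
```

Printers that answer 'unknown' need a manual look rather than a pass: a device that stops reporting the field is as interesting as one whose value moved.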
  9. CELLULAR PROTOCOL STACKS
     • Awesome Intro To Mobile Protocols talk
     • Unfortunately nothing about CDMA and America
     • Goes into GSM, GPRS, the history, why everything is fucked up; extremely thorough
     • Got boring quickly
     • Passed out
  10. CELLULAR PROTOCOL STACKS
     • Is he still talking? Holy crap
     • He’s just naming 1000 acronyms now
     • Punkrokk – do your joke
     • Did he do it?
     • Ok nevermind, this talk was lame
     • Here, look at this instead:
  11. Taking Over The Tor Network
     • Presentation references “Over 9000” but it flies over the heads of all of Europe
     • Created the tor_extend Ruby library < neat
     • Made a map of all the hidden routers < cute
  12. “Taking Over” The Tor Network
     • Created Tor malware that exploits a DLL in a Windows box
     • Did not release code
     • Their malware implemented packet spinning, which is an attack vector discussed in 2008
     • Did not talk to the Tor Project at all
     • “This doesn’t work with the new version of Tor anymore”
  13. “Taking Over” The Tor Network
     • There are more than 600 bridge nodes – They have found “all” 181 bridge nodes
     • There are only about 2500 ORs – They have found Over 9000!!!1!!
  14. “Taking Over” The Tor Network
     • They made Windows malware and then used someone else’s attack, then told the world they owned the Tor network
     • Hilarious last 10 minutes of the presentation where Dingledine and IOError do a Q and A:
       • Can you tell me what’s new and relevant about your presentation?
       • Why didn’t you talk to us?
       • You published a lot of bridge nodes. Why do you want to hurt third world countries?
       • Why don’t you release the exploit?
  15. “Taking Over” The Tor Network
     • Dingledine: “UR STUPD I FUK UR FACE!”
  16. DOWNLOAD
     All the things: http://mirror.fem-net.de/CCC/28C3/mp4-h264-HQ/
  17. END