SlideShare a Scribd company logo

Neo900: Crafting The Private Phone

Sebastian Krzyszkowiak
Sebastian Krzyszkowiak

A tale of the Neo900 project about the obstacles on its way to achieve The Ultimate Private Phone. What are the threats for smartphone user's privacy? How to deal with them? Is it possible to make a phone that will protect us so well that it will let us forget about privacy at all? The talk has been given via videoconference on 2014-11-29 at OpenPhoenux Hard- and Software Workshop 2014 in Garching, Munich. Recording: https://www.youtube.com/watch?v=ahPFCFooBv0&list=PL-s0IumBit8Mofxj0Fn2kH6RB9VtnKS4K

Technology
1 of 40
Download to read offline
Neo900 Crafting The Private Phone Sebastian Krzyszkowiak dos http://dosowisko.net/ OHSW 2014 Garching, 29.11.2014 CC-BY-SA 4.0 http://neo900.org/stuff/ohsw2014/
2 Neo900 Neo900 The truly open smartphone that cares about your privacy. Merge of GTA04 and Nokia N900... and beyond http://neo900.org/
3 Neo900 ● TI OMAP3 DM3730 @ 1 GHz ● 1 GB RAM ● 512 MB NAND + 32/64 GB eMMC ● Cinterion PHS8/PLS8 modem (LTE) ● GPS/GLONASS ● Dualtouch resistive screen ● Modem sandbox and monitoring solution ● Hackerbus ● http://neo900.org/specs
4 The Hardware Problem ● I'm the admin of my PC. Why can't I be the admin of my phone as well? ● We don't use App Stores on PCs. Why should we need them on phones? ● We can choose from hundreds of systems to install on PC. Why can't we do that on mobiles as well?
5 The Hardware Problem
6 The Hardware Problem Does a cellphone really differ so much from your average laptop? It doesn't. It's just smaller and more integrated.
7 The Hardware Problem ● Lack of documentation ● Closed components ● Porting – the neverending story ● Upstream? In your dreams. ● Planned obsolescence ● When you have to break into your own device in order to use it as you wish, something is completely wrong!
8 Privacy
9 How can your privacy suffer? ● Data on your storage gets damaged or destroyed ● Data gests leaked via: – The Internet – Other wireless technology – Removable media ● Your life gets spied on: – Location tracking – Audio/video eavesdropping – Logging your activities, collecting metadata
10 Privacy? ● Turns out a good, open, hackable device is a perfect first step towards better privacy.
Baseband processor ● A big, proprietary black box. ● Known to often be vulnerable. ● All Your Baseband Are Belong To Us Ralf-Philipp Weinmann, Black Hat conf 2011
Baseband processor ● Having control under the main operating system (like Android) is not enough ● Main problem with projects like Blackphone
13 Baseband processor ● The baseband is often tightly integrated with rest of the system – Direct connection to microphone – Direct Memory Access
Baseband processor
Baseband processor
Baseband processor
Baseband processor
Baseband processor
Baseband processor
Baseband processor
21 Open baseband? ● Unfortunately, it's not going to happen for both economical and legal reasons. ● Basebands are cryptographically locked and any change in their firmware results in revokation of their certification, rendering them illegal to use in public networks.
22 OsmocomBB ● Open baseband firmware ● Runs on TI Calypso (the same as in GTA01/02) ● Illegal to use as a phone outside the lab ● http://bb.osmocom.org
23 Open baseband? ● However, open baseband does not magically fix all the privacy problems.
24 The threats ● Tracking – Trilateration based (IPL, OTDOA, E-OTD, U-TDOA) – GPS-assisted (RRLP) ● Eavesdropping ● Data leakage ● Security bugs in firmware, SIM cards ● Direct access to main RAM
25 The threats ● GSM hacking – It's not hard to do fun rogue stuff with GSM. – Encryption (A5/1, A5/3) was broken long ago ● It was actually deliberately weakened in specs to make live of governmental surveilance agencies easier. – Denial of Service attacks are easy – The only „protection” is... illegality
„Private Phone” Private Trustable Open
27 Not solvable ● Eavesdropping of calls ● Eavesdropping of Internet connection ● Trilateration while connected to the network It can (and does) happen outside of the device or is necessary for it to function. Aside from encryption, there's nothing we can do against it.
28 Neo900 concept ● Counter-surveillance rather than audit and trust ● Everything not 100% in control is considered rogue ● Rogue stuff is sandboxed and constantly monitored
29 Neo900 design x breaker x The baseband processor is locked into a cage breaker
30 Neo900 design ● If the modem is compromised, the main system remains safe use the encryption, Luke ● If the modem is supposed to be off, but it isn't – we know that and react accordingly before anything bad happens ● If the GPS is in use when not requested – we know that but the antenna will be disabled anyway ● If the modem tries to record audio when not requested – we know that but it won't be able to do it
31 Neo900 design ● When modem act badly, user is notified and automatic hard reset via emergency_off line and/or hard shutdown by cutting power can be applied.
32 Neo900 concept ● This way, when something fishy is going on, software kicks off an alarm to make user do efficient measures to stop the threat: – Removing the battery – Destroying the device – Hiding it under the seat in bus and leaving ● With basic solutions like external power switch, user is not aware that his device has been tampered with. – ...but it can be used post-mortem
33 Neo900 design ● Our monitoring approach can also reveal some „rogue” activities from outside – like packet-storms on airports. https://www.schneier.com/blog/archives/20 14/04/gogo_wireless_a.html#c5459667
34 Neo900 design ● In the end, it's the user who gets the full control over how their device works and how it reacts to possible threats. ● Staying secure may need some effort, but without it there's only false sense of security – which is even worse than no security at all.
35 Interesting resources ● https://srlabs.de/rooting-sim-cards/ ● https://srlabs.de/gsmmap/ ● http://openbsc.osmocom.org/trac/raw-attachmen t/wiki/FieldTests/HAR2009/har2009-gsm-report. pdf ● https://media.blackhat.com/bh-dc-11/Perez-Pico /BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Sl ides.pdf ● http://events.ccc.de/congress/2008/Fahrplan/ev ents/2997.en.html
36 SIMtrace ● Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone. http://bb.osmocom.org/trac/wiki/SIMtrace
37 Neo900: current status ● Almost 400 devices already „preordered” – That's twice as much as we needed to proceed ● Most of the design finished ● Schematics catching up with the design ● Sourcing is tough – components slowly fade away in the market
38 Neo900: current status http://neo900.org/stuff/block-diagrams/
39 Neo900: next steps ● Sourcing the risk parts (like 1GB RAM) ● Ordering the cases ● BB-xM based proto_v2 expected in February
40 Thank you! http://neo900.org/stuff/ohsw2014/ http://neo900.org/resources/ QA: IRC - #neo900 on Freenode http://webchat.freenode.net/?channels=neo900

Recommended

EntroWatch V1.2 (1)
EntroWatch V1.2 (1)EntroWatch V1.2 (1)
EntroWatch V1.2 (1)Helen Williams
 
[CB19] Hardware Wallet Security
[CB19] Hardware Wallet Security[CB19] Hardware Wallet Security
[CB19] Hardware Wallet Security
CODE BLUE
 
Surveon Professional NVR3000 Product Introduction
Surveon Professional NVR3000 Product IntroductionSurveon Professional NVR3000 Product Introduction
Surveon Professional NVR3000 Product Introduction
Surveon Technology Inc.
 
ATM Compromise with and without Whitelisting
ATM Compromise with and without WhitelistingATM Compromise with and without Whitelisting
ATM Compromise with and without Whitelisting
Alexandru Gherman
 
Leave ATM Forever Alone
Leave ATM Forever AloneLeave ATM Forever Alone
Leave ATM Forever Alone
Olga Kochetova
 
Embedded government espionage
Embedded government espionageEmbedded government espionage
Embedded government espionage
Muts Byte
 
Ultimate Surveillance Solution
Ultimate Surveillance SolutionUltimate Surveillance Solution
Ultimate Surveillance Solutiondplsurve
 
Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sRevisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’s
Olga Kochetova
 

Recommended

EntroWatch V1.2 (1)
EntroWatch V1.2 (1)EntroWatch V1.2 (1)
EntroWatch V1.2 (1)Helen Williams
 
[CB19] Hardware Wallet Security
[CB19] Hardware Wallet Security[CB19] Hardware Wallet Security
[CB19] Hardware Wallet Security
CODE BLUE
 
Surveon Professional NVR3000 Product Introduction
Surveon Professional NVR3000 Product IntroductionSurveon Professional NVR3000 Product Introduction
Surveon Professional NVR3000 Product Introduction
Surveon Technology Inc.
 
ATM Compromise with and without Whitelisting
ATM Compromise with and without WhitelistingATM Compromise with and without Whitelisting
ATM Compromise with and without Whitelisting
Alexandru Gherman
 
Leave ATM Forever Alone
Leave ATM Forever AloneLeave ATM Forever Alone
Leave ATM Forever Alone
Olga Kochetova
 
Embedded government espionage
Embedded government espionageEmbedded government espionage
Embedded government espionage
Muts Byte
 
Ultimate Surveillance Solution
Ultimate Surveillance SolutionUltimate Surveillance Solution
Ultimate Surveillance Solutiondplsurve
 
Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sRevisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’s
Olga Kochetova
 
Guard do
Guard doGuard do
Guard do
Департамент науки, промышленной политики и предпринимательства города Москвы
 
Tek systems it guidelines
Tek systems it guidelinesTek systems it guidelines
Tek systems it guidelinesviplavsarkar
 
Kaba paxos compact-sales-brochure_en_01
Kaba paxos compact-sales-brochure_en_01Kaba paxos compact-sales-brochure_en_01
Kaba paxos compact-sales-brochure_en_01Mail Box Production
 
groundview-sentinel-v3
groundview-sentinel-v3groundview-sentinel-v3
groundview-sentinel-v3Mark Cromwell
 
Twig Embody - the wearable 3G/GSM/GNSS personal alarm device
Twig Embody - the wearable 3G/GSM/GNSS personal alarm deviceTwig Embody - the wearable 3G/GSM/GNSS personal alarm device
Twig Embody - the wearable 3G/GSM/GNSS personal alarm device
Jane Lindell
 
CCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAECCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAE
securitysytem
 
Muco-2
Muco-2Muco-2
Muco-2
Mohamad CHEHADI
 
Thermostat (gsm bug) hidden audio monitoring device (buy or rent)
Thermostat (gsm bug) hidden audio monitoring device (buy or rent)Thermostat (gsm bug) hidden audio monitoring device (buy or rent)
Thermostat (gsm bug) hidden audio monitoring device (buy or rent)dplsurve
 
Updated Nu Surveillance Power Point
Updated Nu Surveillance Power PointUpdated Nu Surveillance Power Point
Updated Nu Surveillance Power Point
ch1ris
 
Cordex ToughPIX 2302XP ATEX Hazardous Area Digital Camera - User Manual
Cordex ToughPIX 2302XP ATEX Hazardous Area Digital Camera - User ManualCordex ToughPIX 2302XP ATEX Hazardous Area Digital Camera - User Manual
Cordex ToughPIX 2302XP ATEX Hazardous Area Digital Camera - User Manual
Thorne & Derrick International
 
Tek systems it guidelines - animation
Tek systems it guidelines - animationTek systems it guidelines - animation
Tek systems it guidelines - animationviplavsarkar
 
STI 6400-FRE Data Sheet
STI 6400-FRE Data SheetSTI 6400-FRE Data Sheet
STI 6400-FRE Data Sheet
JMAC Supply
 
Wireless portable digital video recorder and camera (buy or rent)
Wireless portable digital video recorder and camera (buy or rent) Wireless portable digital video recorder and camera (buy or rent)
Wireless portable digital video recorder and camera (buy or rent) dplsurve
 
Introducing SAMSUNG Chromebook(XE303)
Introducing SAMSUNG Chromebook(XE303)Introducing SAMSUNG Chromebook(XE303)
Introducing SAMSUNG Chromebook(XE303)JJ Wu
 
Software Vendor (Norton Anti-Virus)
Software Vendor (Norton Anti-Virus)Software Vendor (Norton Anti-Virus)
Software Vendor (Norton Anti-Virus)John Joseph San Juan
 
Free Mobile - when Android is not enough
Free Mobile - when Android is not enoughFree Mobile - when Android is not enough
Free Mobile - when Android is not enough
Sebastian Krzyszkowiak
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busby
David Busby, CISSP
 
Juice Jacking 101
Juice Jacking 101Juice Jacking 101
Juice Jacking 101
Robert Rowley
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
dino715195
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoTWSO2
 
HKG18-219 - Threat Modeling for IoT
HKG18-219 - Threat Modeling for IoTHKG18-219 - Threat Modeling for IoT
HKG18-219 - Threat Modeling for IoT
Linaro
 
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
Felipe Prado
 

More Related Content

What's hot

Tek systems it guidelines
Tek systems it guidelinesTek systems it guidelines
Tek systems it guidelinesviplavsarkar
 
Kaba paxos compact-sales-brochure_en_01
Kaba paxos compact-sales-brochure_en_01Kaba paxos compact-sales-brochure_en_01
Kaba paxos compact-sales-brochure_en_01Mail Box Production
 
groundview-sentinel-v3
groundview-sentinel-v3groundview-sentinel-v3
groundview-sentinel-v3Mark Cromwell
 
Twig Embody - the wearable 3G/GSM/GNSS personal alarm device
Twig Embody - the wearable 3G/GSM/GNSS personal alarm deviceTwig Embody - the wearable 3G/GSM/GNSS personal alarm device
Twig Embody - the wearable 3G/GSM/GNSS personal alarm device
Jane Lindell
 
CCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAECCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAE
securitysytem
 
Muco-2
Muco-2Muco-2
Muco-2
Mohamad CHEHADI
 
Thermostat (gsm bug) hidden audio monitoring device (buy or rent)
Thermostat (gsm bug) hidden audio monitoring device (buy or rent)Thermostat (gsm bug) hidden audio monitoring device (buy or rent)
Thermostat (gsm bug) hidden audio monitoring device (buy or rent)dplsurve
 
Updated Nu Surveillance Power Point
Updated Nu Surveillance Power PointUpdated Nu Surveillance Power Point
Updated Nu Surveillance Power Point
ch1ris
 
Cordex ToughPIX 2302XP ATEX Hazardous Area Digital Camera - User Manual
Cordex ToughPIX 2302XP ATEX Hazardous Area Digital Camera - User ManualCordex ToughPIX 2302XP ATEX Hazardous Area Digital Camera - User Manual
Cordex ToughPIX 2302XP ATEX Hazardous Area Digital Camera - User Manual
Thorne & Derrick International
 
Tek systems it guidelines - animation
Tek systems it guidelines - animationTek systems it guidelines - animation
Tek systems it guidelines - animationviplavsarkar
 
STI 6400-FRE Data Sheet
STI 6400-FRE Data SheetSTI 6400-FRE Data Sheet
STI 6400-FRE Data Sheet
JMAC Supply
 
Wireless portable digital video recorder and camera (buy or rent)
Wireless portable digital video recorder and camera (buy or rent) Wireless portable digital video recorder and camera (buy or rent)
Wireless portable digital video recorder and camera (buy or rent) dplsurve
 
Introducing SAMSUNG Chromebook(XE303)
Introducing SAMSUNG Chromebook(XE303)Introducing SAMSUNG Chromebook(XE303)
Introducing SAMSUNG Chromebook(XE303)JJ Wu
 
Software Vendor (Norton Anti-Virus)
Software Vendor (Norton Anti-Virus)Software Vendor (Norton Anti-Virus)
Software Vendor (Norton Anti-Virus)John Joseph San Juan
 

What's hot (15)

Guard do
Guard doGuard do
Guard do
 
Tek systems it guidelines
Tek systems it guidelinesTek systems it guidelines
Tek systems it guidelines
 
Kaba paxos compact-sales-brochure_en_01
Kaba paxos compact-sales-brochure_en_01Kaba paxos compact-sales-brochure_en_01
Kaba paxos compact-sales-brochure_en_01
 
groundview-sentinel-v3
groundview-sentinel-v3groundview-sentinel-v3
groundview-sentinel-v3
 
Twig Embody - the wearable 3G/GSM/GNSS personal alarm device
Twig Embody - the wearable 3G/GSM/GNSS personal alarm deviceTwig Embody - the wearable 3G/GSM/GNSS personal alarm device
Twig Embody - the wearable 3G/GSM/GNSS personal alarm device
 
CCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAECCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAE
 
Muco-2
Muco-2Muco-2
Muco-2
 
Thermostat (gsm bug) hidden audio monitoring device (buy or rent)
Thermostat (gsm bug) hidden audio monitoring device (buy or rent)Thermostat (gsm bug) hidden audio monitoring device (buy or rent)
Thermostat (gsm bug) hidden audio monitoring device (buy or rent)
 
Updated Nu Surveillance Power Point
Updated Nu Surveillance Power PointUpdated Nu Surveillance Power Point
Updated Nu Surveillance Power Point
 
Cordex ToughPIX 2302XP ATEX Hazardous Area Digital Camera - User Manual
Cordex ToughPIX 2302XP ATEX Hazardous Area Digital Camera - User ManualCordex ToughPIX 2302XP ATEX Hazardous Area Digital Camera - User Manual
Cordex ToughPIX 2302XP ATEX Hazardous Area Digital Camera - User Manual
 
Tek systems it guidelines - animation
Tek systems it guidelines - animationTek systems it guidelines - animation
Tek systems it guidelines - animation
 
STI 6400-FRE Data Sheet
STI 6400-FRE Data SheetSTI 6400-FRE Data Sheet
STI 6400-FRE Data Sheet
 
Wireless portable digital video recorder and camera (buy or rent)
Wireless portable digital video recorder and camera (buy or rent) Wireless portable digital video recorder and camera (buy or rent)
Wireless portable digital video recorder and camera (buy or rent)
 
Introducing SAMSUNG Chromebook(XE303)
Introducing SAMSUNG Chromebook(XE303)Introducing SAMSUNG Chromebook(XE303)
Introducing SAMSUNG Chromebook(XE303)
 
Software Vendor (Norton Anti-Virus)
Software Vendor (Norton Anti-Virus)Software Vendor (Norton Anti-Virus)
Software Vendor (Norton Anti-Virus)
 

Similar to Neo900: Crafting The Private Phone

Free Mobile - when Android is not enough
Free Mobile - when Android is not enoughFree Mobile - when Android is not enough
Free Mobile - when Android is not enough
Sebastian Krzyszkowiak
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busby
David Busby, CISSP
 
Juice Jacking 101
Juice Jacking 101Juice Jacking 101
Juice Jacking 101
Robert Rowley
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
dino715195
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoTWSO2
 
HKG18-219 - Threat Modeling for IoT
HKG18-219 - Threat Modeling for IoTHKG18-219 - Threat Modeling for IoT
HKG18-219 - Threat Modeling for IoT
Linaro
 
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
Felipe Prado
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Jakub Kałużny
 
Cloud Security Practices and Principles
Cloud Security Practices and PrinciplesCloud Security Practices and Principles
Cloud Security Practices and PrinciplesSumo Logic
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hack
Slawomir Jasek
 
Cc internet of things @ Thomas More
Cc internet of things @ Thomas MoreCc internet of things @ Thomas More
Cc internet of things @ Thomas More
JWORKS powered by Ordina
 
Hugo Fiennes - Security and the IoT - Electric Imp
Hugo Fiennes - Security and the IoT - Electric ImpHugo Fiennes - Security and the IoT - Electric Imp
Hugo Fiennes - Security and the IoT - Electric Imp
Business of Software Conference
 
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...
CODE BLUE
 
DEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning securityDEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning security
Felipe Prado
 
Assignment sheet cctv
Assignment sheet cctvAssignment sheet cctv
Assignment sheet cctv
AnuragSagar8
 
The (Io)Things you don't even need to hack. Should we worry?
The (Io)Things you don't even need to hack. Should we worry?The (Io)Things you don't even need to hack. Should we worry?
The (Io)Things you don't even need to hack. Should we worry?
SecuRing
 
Digital Security for the IoT Presentation
Digital Security for the IoT PresentationDigital Security for the IoT Presentation
Digital Security for the IoT PresentationVera Ho
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
 
Jackpot! sbancare un atm con ploutus.d
Jackpot! sbancare un atm con ploutus.dJackpot! sbancare un atm con ploutus.d
Jackpot! sbancare un atm con ploutus.d
Antonio Parata
 

Similar to Neo900: Crafting The Private Phone (20)

Free Mobile - when Android is not enough
Free Mobile - when Android is not enoughFree Mobile - when Android is not enough
Free Mobile - when Android is not enough
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busby
 
Juice Jacking 101
Juice Jacking 101Juice Jacking 101
Juice Jacking 101
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoT
 
HKG18-219 - Threat Modeling for IoT
HKG18-219 - Threat Modeling for IoTHKG18-219 - Threat Modeling for IoT
HKG18-219 - Threat Modeling for IoT
 
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
Cloud Security Practices and Principles
Cloud Security Practices and PrinciplesCloud Security Practices and Principles
Cloud Security Practices and Principles
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hack
 
IoT Session Thomas More
IoT Session Thomas MoreIoT Session Thomas More
IoT Session Thomas More
 
Cc internet of things @ Thomas More
Cc internet of things @ Thomas MoreCc internet of things @ Thomas More
Cc internet of things @ Thomas More
 
Hugo Fiennes - Security and the IoT - Electric Imp
Hugo Fiennes - Security and the IoT - Electric ImpHugo Fiennes - Security and the IoT - Electric Imp
Hugo Fiennes - Security and the IoT - Electric Imp
 
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...
 
DEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning securityDEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning security
 
Assignment sheet cctv
Assignment sheet cctvAssignment sheet cctv
Assignment sheet cctv
 
The (Io)Things you don't even need to hack. Should we worry?
The (Io)Things you don't even need to hack. Should we worry?The (Io)Things you don't even need to hack. Should we worry?
The (Io)Things you don't even need to hack. Should we worry?
 
Digital Security for the IoT Presentation
Digital Security for the IoT PresentationDigital Security for the IoT Presentation
Digital Security for the IoT Presentation
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
Jackpot! sbancare un atm con ploutus.d
Jackpot! sbancare un atm con ploutus.dJackpot! sbancare un atm con ploutus.d
Jackpot! sbancare un atm con ploutus.d
 

Recently uploaded

Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 

Recently uploaded (20)

Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 

Neo900: Crafting The Private Phone

  • 1. Neo900 Crafting The Private Phone Sebastian Krzyszkowiak dos http://dosowisko.net/ OHSW 2014 Garching, 29.11.2014 CC-BY-SA 4.0 http://neo900.org/stuff/ohsw2014/
  • 2. 2 Neo900 Neo900 The truly open smartphone that cares about your privacy. Merge of GTA04 and Nokia N900... and beyond http://neo900.org/
  • 3. 3 Neo900 ● TI OMAP3 DM3730 @ 1 GHz ● 1 GB RAM ● 512 MB NAND + 32/64 GB eMMC ● Cinterion PHS8/PLS8 modem (LTE) ● GPS/GLONASS ● Dualtouch resistive screen ● Modem sandbox and monitoring solution ● Hackerbus ● http://neo900.org/specs
  • 4. 4 The Hardware Problem ● I'm the admin of my PC. Why can't I be the admin of my phone as well? ● We don't use App Stores on PCs. Why should we need them on phones? ● We can choose from hundreds of systems to install on PC. Why can't we do that on mobiles as well?
  • 5. 5 The Hardware Problem
  • 6. 6 The Hardware Problem Does a cellphone really differ so much from your average laptop? It doesn't. It's just smaller and more integrated.
  • 7. 7 The Hardware Problem ● Lack of documentation ● Closed components ● Porting – the neverending story ● Upstream? In your dreams. ● Planned obsolescence ● When you have to break into your own device in order to use it as you wish, something is completely wrong!
  • 9. 9 How can your privacy suffer? ● Data on your storage gets damaged or destroyed ● Data gests leaked via: – The Internet – Other wireless technology – Removable media ● Your life gets spied on: – Location tracking – Audio/video eavesdropping – Logging your activities, collecting metadata
  • 10. 10 Privacy? ● Turns out a good, open, hackable device is a perfect first step towards better privacy.
  • 11. Baseband processor ● A big, proprietary black box. ● Known to often be vulnerable. ● All Your Baseband Are Belong To Us Ralf-Philipp Weinmann, Black Hat conf 2011
  • 12. Baseband processor ● Having control under the main operating system (like Android) is not enough ● Main problem with projects like Blackphone
  • 13. 13 Baseband processor ● The baseband is often tightly integrated with rest of the system – Direct connection to microphone – Direct Memory Access
  • 21. 21 Open baseband? ● Unfortunately, it's not going to happen for both economical and legal reasons. ● Basebands are cryptographically locked and any change in their firmware results in revokation of their certification, rendering them illegal to use in public networks.
  • 22. 22 OsmocomBB ● Open baseband firmware ● Runs on TI Calypso (the same as in GTA01/02) ● Illegal to use as a phone outside the lab ● http://bb.osmocom.org
  • 23. 23 Open baseband? ● However, open baseband does not magically fix all the privacy problems.
  • 24. 24 The threats ● Tracking – Trilateration based (IPL, OTDOA, E-OTD, U-TDOA) – GPS-assisted (RRLP) ● Eavesdropping ● Data leakage ● Security bugs in firmware, SIM cards ● Direct access to main RAM
  • 25. 25 The threats ● GSM hacking – It's not hard to do fun rogue stuff with GSM. – Encryption (A5/1, A5/3) was broken long ago ● It was actually deliberately weakened in specs to make live of governmental surveilance agencies easier. – Denial of Service attacks are easy – The only „protection” is... illegality
  • 26. „Private Phone” Private Trustable Open
  • 27. 27 Not solvable ● Eavesdropping of calls ● Eavesdropping of Internet connection ● Trilateration while connected to the network It can (and does) happen outside of the device or is necessary for it to function. Aside from encryption, there's nothing we can do against it.
  • 28. 28 Neo900 concept ● Counter-surveillance rather than audit and trust ● Everything not 100% in control is considered rogue ● Rogue stuff is sandboxed and constantly monitored
  • 29. 29 Neo900 design x breaker x The baseband processor is locked into a cage breaker
  • 30. 30 Neo900 design ● If the modem is compromised, the main system remains safe use the encryption, Luke ● If the modem is supposed to be off, but it isn't – we know that and react accordingly before anything bad happens ● If the GPS is in use when not requested – we know that but the antenna will be disabled anyway ● If the modem tries to record audio when not requested – we know that but it won't be able to do it
  • 31. 31 Neo900 design ● When modem act badly, user is notified and automatic hard reset via emergency_off line and/or hard shutdown by cutting power can be applied.
  • 32. 32 Neo900 concept ● This way, when something fishy is going on, software kicks off an alarm to make user do efficient measures to stop the threat: – Removing the battery – Destroying the device – Hiding it under the seat in bus and leaving ● With basic solutions like external power switch, user is not aware that his device has been tampered with. – ...but it can be used post-mortem
  • 33. 33 Neo900 design ● Our monitoring approach can also reveal some „rogue” activities from outside – like packet-storms on airports. https://www.schneier.com/blog/archives/20 14/04/gogo_wireless_a.html#c5459667
  • 34. 34 Neo900 design ● In the end, it's the user who gets the full control over how their device works and how it reacts to possible threats. ● Staying secure may need some effort, but without it there's only false sense of security – which is even worse than no security at all.
  • 35. 35 Interesting resources ● https://srlabs.de/rooting-sim-cards/ ● https://srlabs.de/gsmmap/ ● http://openbsc.osmocom.org/trac/raw-attachmen t/wiki/FieldTests/HAR2009/har2009-gsm-report. pdf ● https://media.blackhat.com/bh-dc-11/Perez-Pico /BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Sl ides.pdf ● http://events.ccc.de/congress/2008/Fahrplan/ev ents/2997.en.html
  • 36. 36 SIMtrace ● Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone. http://bb.osmocom.org/trac/wiki/SIMtrace
  • 37. 37 Neo900: current status ● Almost 400 devices already „preordered” – That's twice as much as we needed to proceed ● Most of the design finished ● Schematics catching up with the design ● Sourcing is tough – components slowly fade away in the market
  • 38. 38 Neo900: current status http://neo900.org/stuff/block-diagrams/
  • 39. 39 Neo900: next steps ● Sourcing the risk parts (like 1GB RAM) ● Ordering the cases ● BB-xM based proto_v2 expected in February
  • 40. 40 Thank you! http://neo900.org/stuff/ohsw2014/ http://neo900.org/resources/ QA: IRC - #neo900 on Freenode http://webchat.freenode.net/?channels=neo900