A tale of the Neo900 project about the obstacles on its way to achieve The Ultimate Private Phone.
What are the threats for smartphone user's privacy? How to deal with them? Is it possible to make a phone that will protect us so well that it will let us forget about privacy at all?
The talk has been given via videoconference on 2014-11-29 at OpenPhoenux Hard- and Software Workshop 2014 in Garching, Munich.
Recording: https://www.youtube.com/watch?v=ahPFCFooBv0&list=PL-s0IumBit8Mofxj0Fn2kH6RB9VtnKS4K
In the time when software is so complex and rapidly changing so, the users cannot trust their own computers and smartphones to protect their secrets from attackers, more and more solutions rely on hardware to be the last measure of protection. As a result, there are a number of manufacturers developing hardware wallets which are meant to protect cryptocurrency private keys.
This talk presents a wide range of attacks, which can be successfully applied to most popular hardware wallets on the market, from app isolation bypass to fault injection attacks on the microcontroller. Additionally the talk presents secure design requirements and countermeasures making life of an attacker much more difficult, which are applicable to all kings of secure hardware devices.
ATM compromise through the use of malicious software is on the increase across the world. At EAST FCS 2015 a demonstration showed how a Windows ATM platform can be compromised by known malware. The demo featured a virtual ATM machine running on Windows 7, emulating a XFS layer.
This was an ISACA presentation by Nsale Ronnie a top hacker in Africa working with Ernst and Young. He demonstrated how other governments are leading by far in the nature of their espionage through hardware.
In the time when software is so complex and rapidly changing so, the users cannot trust their own computers and smartphones to protect their secrets from attackers, more and more solutions rely on hardware to be the last measure of protection. As a result, there are a number of manufacturers developing hardware wallets which are meant to protect cryptocurrency private keys.
This talk presents a wide range of attacks, which can be successfully applied to most popular hardware wallets on the market, from app isolation bypass to fault injection attacks on the microcontroller. Additionally the talk presents secure design requirements and countermeasures making life of an attacker much more difficult, which are applicable to all kings of secure hardware devices.
ATM compromise through the use of malicious software is on the increase across the world. At EAST FCS 2015 a demonstration showed how a Windows ATM platform can be compromised by known malware. The demo featured a virtual ATM machine running on Windows 7, emulating a XFS layer.
This was an ISACA presentation by Nsale Ronnie a top hacker in Africa working with Ernst and Young. He demonstrated how other governments are leading by far in the nature of their espionage through hardware.
Twig Embody - the wearable 3G/GSM/GNSS personal alarm deviceJane Lindell
TWIG Embody is a wearable 3G/GSM/GNSS personal alarm with
• an all new wearing concept with multiple carrying options,
• a device scalability multiplying device versions for specific customer needs
• software and services integrating the overall personal safety system
TWIG Embody is IP67 waterproof, small and smart, dedicated alarm device with
• selectable mobile network 2G/3G,
• optional GNSS (multi constellation GPS),
• optional ManDown
• optional SRD (short range device) compatibility
Get familiar with the wearable TWIG Embody personal alarm and TWIG Point Software and Services on our new TWIG Embody product pages https://twigcom.com/shop/category/personal-alarms-2
CCTV UAE, DVR CCTV Camera, IP Camera UAEsecuritysytem
The Avi-8C-DVR1030 is a high end heavy duty rack mounted digital recording surveillance system designed by AVI Infosys which uses all the latest technologies to deliver reliable and durable performance for a variety of applications.
for more information about DVR CCTV security systems, time attendance system, ID card printer, Loyalty card, access control system in Dubai, Abu Dhabi and other Emirates please visit http://www.avi-infosys.com
Check us on Facebook http://www.facebook.com/WelcomeToAVI
Follow us on Linkedin http://ae.linkedin.com/in/aviinfosys
Follow us on Youtube: http://www.youtube.com/user/aviinfosysllc
For Online Shopping In UAE Visit Our Online Store :- http://www.avi-store.com/
An OpenPhoenux talk given at P.I.W.O. X (Poznań Free Software Event) at 2014-05-17.
Problem of openness, user freedom and privacy in modern smartphones and other mobile devices. Introduction to Neo900 project and it's unique take on user's privacy.
Recording (in Polish): http://neo900.org/stuff/piwo/wolne-mobilne-gdy-android-to-za-malo.ogg - "Wolne Mobile - gdy Android to za mało"
Web application security and why you should review yours, is a whole stack look skydive without a parachute, let's try not to die as we explore what is an attack surface, Arcronym hell, Vulnerability naming, Detection or provention is there a place for both or none, emerging oss technologies which can help you, a firehose review of compromises 2014 through 2018, and finally a live compromise demo covering everything we've discussed as being 'bad' ... or as often happens the backup video.
Juice Jacking 101 covers the hisotry behind why and what we learned from building malicious cell phone charging kiosks (and then setting them up at various hacker conferences)
Session ID: HKG18-219
Session Name: HKG18-219 - Threat Modeling for IoT
Speaker: David Brown
Track: Iot, Security
★ Session Summary ★
Security is important for IoT. This presentation will cover security threat modeling LITE has been doing.
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/hkg18/hkg18-219/
Presentation: http://connect.linaro.org.s3.amazonaws.com/hkg18/presentations/hkg18-219.pdf
Video: http://connect.linaro.org.s3.amazonaws.com/hkg18/videos/hkg18-219.mp4
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2018 (HKG18)
19-23 March 2018
Regal Airport Hotel Hong Kong
---------------------------------------------------
Keyword: Iot, Security
'http://www.linaro.org'
'http://connect.linaro.org'
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/1026961
Twig Embody - the wearable 3G/GSM/GNSS personal alarm deviceJane Lindell
TWIG Embody is a wearable 3G/GSM/GNSS personal alarm with
• an all new wearing concept with multiple carrying options,
• a device scalability multiplying device versions for specific customer needs
• software and services integrating the overall personal safety system
TWIG Embody is IP67 waterproof, small and smart, dedicated alarm device with
• selectable mobile network 2G/3G,
• optional GNSS (multi constellation GPS),
• optional ManDown
• optional SRD (short range device) compatibility
Get familiar with the wearable TWIG Embody personal alarm and TWIG Point Software and Services on our new TWIG Embody product pages https://twigcom.com/shop/category/personal-alarms-2
CCTV UAE, DVR CCTV Camera, IP Camera UAEsecuritysytem
The Avi-8C-DVR1030 is a high end heavy duty rack mounted digital recording surveillance system designed by AVI Infosys which uses all the latest technologies to deliver reliable and durable performance for a variety of applications.
for more information about DVR CCTV security systems, time attendance system, ID card printer, Loyalty card, access control system in Dubai, Abu Dhabi and other Emirates please visit http://www.avi-infosys.com
Check us on Facebook http://www.facebook.com/WelcomeToAVI
Follow us on Linkedin http://ae.linkedin.com/in/aviinfosys
Follow us on Youtube: http://www.youtube.com/user/aviinfosysllc
For Online Shopping In UAE Visit Our Online Store :- http://www.avi-store.com/
An OpenPhoenux talk given at P.I.W.O. X (Poznań Free Software Event) at 2014-05-17.
Problem of openness, user freedom and privacy in modern smartphones and other mobile devices. Introduction to Neo900 project and it's unique take on user's privacy.
Recording (in Polish): http://neo900.org/stuff/piwo/wolne-mobilne-gdy-android-to-za-malo.ogg - "Wolne Mobile - gdy Android to za mało"
Web application security and why you should review yours, is a whole stack look skydive without a parachute, let's try not to die as we explore what is an attack surface, Arcronym hell, Vulnerability naming, Detection or provention is there a place for both or none, emerging oss technologies which can help you, a firehose review of compromises 2014 through 2018, and finally a live compromise demo covering everything we've discussed as being 'bad' ... or as often happens the backup video.
Juice Jacking 101 covers the hisotry behind why and what we learned from building malicious cell phone charging kiosks (and then setting them up at various hacker conferences)
Session ID: HKG18-219
Session Name: HKG18-219 - Threat Modeling for IoT
Speaker: David Brown
Track: Iot, Security
★ Session Summary ★
Security is important for IoT. This presentation will cover security threat modeling LITE has been doing.
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/hkg18/hkg18-219/
Presentation: http://connect.linaro.org.s3.amazonaws.com/hkg18/presentations/hkg18-219.pdf
Video: http://connect.linaro.org.s3.amazonaws.com/hkg18/videos/hkg18-219.mp4
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2018 (HKG18)
19-23 March 2018
Regal Airport Hotel Hong Kong
---------------------------------------------------
Keyword: Iot, Security
'http://www.linaro.org'
'http://connect.linaro.org'
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/1026961
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
When speed and latency counts, there is no place for standard HTTP/SSL stack and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication inside, you are there. Welcome to the world full of own cryptography, revertible hash algorithms and no access control at all.
We would like to present our approach and a short guideline how to reverse engineer proprietary protocols. To demonstrate, we will show you few case-studies, which in our opinion are a quintessence of ""security by obscurity"" - the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.
The prevalence of computers in form of so called "smart" devices embedded in our everyday environment is inevitable. From pentester's perspective, the adjective "smart" at first glance can hardly be used to describe their inventors and ambassadors.
Based on a few examples (i.a. BTLE beacons, smart meters, security cameras...) I will show how easily "smart" devices can be outsmarted. Sometimes you don't even need any 'hacking' skills, or the default configuration is wide-open. But are we doomed? What are the conditions for real threat? Can the vulnerabilities be exploited anonymously and as easily as in web application? Where is the physical border the intruder would be likely to cross? The risks involved are usually different, but does it mean we don't have to worry? Are we sure how to use securely the emerging technology?
Though the potential of the IoT is vast, adoption can easily be curtailed by security worries. No company wants their products to be a victim of a hack, yet many do not appear to consider security as a primary driver of design decisions. This presentation will look at IoT security and describe what product designers – regardless of platform – need to be aware of if they want to build a secure and successful device.
IoT security encompasses requirements that are new for many product designers – such as provisioning, authentication, OTA upgrades and link encryption – and weaknesses in any one could potentially be used to compromise the security of the end product. From physical attacks to analysis of communications channels, there are many possible attack vectors that need to be considered.
From hacked routers to refrigerators sending spam email, there have been a lot of scary news stories about Internet of Things (IoT) security, or lack of it. According to the 2014 Hewlett-Packard Internet of Things Research Study, 70% of Internet connected devices they surveyed didn’t even use encrypted network connections. The US Federal Trade Commission (FTC) recently weighed in on the issue too, releasing a report that outlines potential IoT security risks, ranging from unauthorized access and misuse of personal information, to facilitation of attacks on other systems and risks to personal safety.
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...CODE BLUE
Embedded device security is an issue of global importance, and one that has grown exponentially over the last few years. Because of their slow patch cycles and the increasing difficulty of exploiting other,more traditional platforms, they have quickly become a favorite target for researchers and attackers alike. While deeply fragmented, each country has its own unique “footprint” of these devices on the Internet, based largely on the embedded devices distributed by major ISPs. We will use our survey of Japanese devices as an example of how, by fingerprinting and examining popular devices on a given country's networks, it is possible for an attacker to very quickly go from zero knowledge to widespread remote code execution.
During this talk, we provide an in-depth analysis of various routers and modems provided by popular Japanese ISPs, devices which we had never heard of on networks we had never used . We discuss how we approached surveying approximate market usage, reverse engineering obfuscated and encrypted firmware images, performing vulnerability analysis on the recovered binaries, and developing of proof-of-concept exploits for discovered vulnerabilities, all from the United States. In addition, we provide recommendations as to how ISPs and countries might begin to address the serious problems introduced by these small but important pieces of the Internet.
All vulnerabilities discovered were promptly and responsibly disclosed to affected parties.
The (Io)Things you don't even need to hack. Should we worry?SecuRing
The prevalence of computers in form of so called "smart" devices embedded in our everyday environment is inevitable. From pentester's perspective, the adjective "smart" at first glance can hardly be used to describe their inventors and ambassadors.
Based on a few examples (i.a. BTLE beacons, smart meters, security cameras...) I will show how easily "smart" devices can be outsmarted. Sometimes you don't even need any 'hacking' skills, or the default configuration is wide-open. But are we doomed? What are the conditions for real threat? Can the vulnerabilities be exploited anonymously and as easily as in web application? Where is the physical border the intruder would be likely to cross? The risks involved are usually different, but does it mean we don't have to worry? Are we sure how to use securely the emerging technology?
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
4. 4
The Hardware Problem
● I'm the admin of my PC.
Why can't I be the admin of my phone as
well?
● We don't use App Stores on PCs.
Why should we need them on phones?
● We can choose from hundreds of systems to
install on PC.
Why can't we do that on mobiles as well?
6. 6
The Hardware Problem
Does a cellphone really differ so much from
your average laptop?
It doesn't.
It's just smaller and more integrated.
7. 7
The Hardware Problem
● Lack of documentation
● Closed components
● Porting – the neverending story
● Upstream? In your dreams.
● Planned obsolescence
● When you have to break into your own device in
order to use it as you wish, something is
completely wrong!
9. 9
How can your privacy suffer?
● Data on your storage gets damaged or destroyed
● Data gests leaked via:
– The Internet
– Other wireless technology
– Removable media
● Your life gets spied on:
– Location tracking
– Audio/video eavesdropping
– Logging your activities, collecting metadata
10. 10
Privacy?
● Turns out a good, open, hackable device is a
perfect first step towards better privacy.
11. Baseband processor
● A big, proprietary black box.
● Known to often be vulnerable.
● All Your Baseband Are Belong To Us
Ralf-Philipp Weinmann, Black Hat conf 2011
12. Baseband processor
● Having control under the main operating
system (like Android) is not enough
● Main problem with projects like Blackphone
13. 13
Baseband processor
● The baseband is often tightly integrated with
rest of the system
– Direct connection to microphone
– Direct Memory Access
21. 21
Open baseband?
● Unfortunately, it's not going to happen for
both economical and legal reasons.
● Basebands are cryptographically locked and
any change in their firmware results in
revokation of their certification, rendering
them illegal to use in public networks.
22. 22
OsmocomBB
● Open baseband firmware
● Runs on TI Calypso (the same as in GTA01/02)
● Illegal to use as a phone outside the lab
● http://bb.osmocom.org
23. 23
Open baseband?
● However, open baseband does not magically
fix all the privacy problems.
24. 24
The threats
● Tracking
– Trilateration based (IPL, OTDOA, E-OTD, U-TDOA)
– GPS-assisted (RRLP)
● Eavesdropping
● Data leakage
● Security bugs in firmware, SIM cards
● Direct access to main RAM
25. 25
The threats
● GSM hacking
– It's not hard to do fun rogue stuff with GSM.
– Encryption (A5/1, A5/3) was broken long ago
● It was actually deliberately weakened in specs to make
live of governmental surveilance agencies easier.
– Denial of Service attacks are easy
– The only „protection” is... illegality
27. 27
Not solvable
● Eavesdropping of calls
● Eavesdropping of Internet connection
● Trilateration while connected to the network
It can (and does) happen outside of the device or
is necessary for it to function. Aside from
encryption, there's nothing we can do against it.
28. 28
Neo900 concept
● Counter-surveillance rather than audit and
trust
● Everything not 100% in control is considered
rogue
● Rogue stuff is sandboxed and constantly
monitored
29. 29
Neo900 design
x
breaker
x The baseband processor
is locked into a cage
breaker
30. 30
Neo900 design
● If the modem is compromised, the main system
remains safe use the encryption, Luke
● If the modem is supposed to be off, but it isn't – we
know that and react accordingly before anything bad happens
● If the GPS is in use when not requested – we know
that but the antenna will be disabled anyway
● If the modem tries to record audio when not
requested – we know that but it won't be able to do it
31. 31
Neo900 design
● When modem act badly, user is notified and
automatic hard reset via emergency_off line
and/or hard shutdown by cutting power can
be applied.
32. 32
Neo900 concept
● This way, when something fishy is going on, software
kicks off an alarm to make user do efficient
measures to stop the threat:
– Removing the battery
– Destroying the device
– Hiding it under the seat in bus and leaving
● With basic solutions like external power switch, user
is not aware that his device has been tampered with.
– ...but it can be used post-mortem
33. 33
Neo900 design
● Our monitoring approach can also reveal
some „rogue” activities from outside – like
packet-storms on airports.
https://www.schneier.com/blog/archives/20
14/04/gogo_wireless_a.html#c5459667
34. 34
Neo900 design
● In the end, it's the user who gets the full
control over how their device works and how
it reacts to possible threats.
● Staying secure may need some effort, but
without it there's only false sense of security –
which is even worse than no security at all.
36. 36
SIMtrace
● Osmocom SIMtrace is a software and hardware
system for passively tracing SIM-ME
communication between the SIM card and the
mobile phone.
http://bb.osmocom.org/trac/wiki/SIMtrace
37. 37
Neo900: current status
● Almost 400 devices already „preordered”
– That's twice as much as we needed to proceed
● Most of the design finished
● Schematics catching up with the design
● Sourcing is tough – components slowly fade
away in the market