28C3 IN 15 MINUTES
by antitree
GSM HACKING: KARSTEN NOHL
• This is the third year he’s done a GSM presentation
• Did a live demo on stage showing how to sniff, crack, and impersonate a phone
• A5/1 is dead AND improperly implemented (predictable plaintext in the frames makes the cracking even easier)
• A5/3 is better but will be cracked (still only a 64-bit key in GSM, but a block cipher at least)
• A5/4 (128-bit key) is legit biznitch but operators are lazy
• TMSI ~= username, Kc ~= password
• GSM != CDMA
• Mitigations:
  1. Implement padding randomization (blerg)
  2. SI5/SI6 randomization (see 3GPP TS 44.018)
  3. Implement A5/3
• Implementing 1 and 2 is “easy” and effectively stops 100% of current threats: both remove the known plaintext that the A5/1 rainbow-table attack feeds on
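Why the first two mitigations matter, as an added example (this is not code from Nohl’s talk or from these slides): GSM encrypts LAPDm signalling frames with a stream cipher, so every plaintext byte a sniffer can predict gives away a keystream byte (ciphertext XOR known plaintext). Short frames are padded with the fixed LAPDm fill byte 0x2B, and SI5/SI6 messages repeat with predictable content, so a passive sniffer gets most of a frame’s keystream for free, which is exactly what the rainbow-table attack on A5/1 consumes. The keystream generator below is a labelled stand-in (a hash-based toy, not A5/1), and Kc, the frame number and the message bytes are constructed values.

```python
import hashlib
import os

FILL = 0x2B        # LAPDm fill byte used to pad short signalling frames
FRAME_LEN = 23     # bytes in one LAPDm signalling frame


def toy_keystream(kc: bytes, frame_number: int, n: int) -> bytes:
    """Deterministic keystream from (Kc, frame number). Stand-in for A5/1, NOT
    A5/1: the demonstration only needs a stream cipher that, like A5/1, XORs a
    keystream derived from Kc and the frame number into the frame."""
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(kc + frame_number.to_bytes(4, "big")
                              + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_frame(payload: bytes, random_padding: bool, rng=os.urandom) -> bytes:
    """Pad a short message up to FRAME_LEN. random_padding=True is mitigation 1
    (random fill bytes instead of the fixed 0x2B)."""
    n = FRAME_LEN - len(payload)
    return payload + (rng(n) if random_padding else bytes([FILL]) * n)


def leaked_keystream_bytes(kc: bytes, fn: int, payload: bytes, payload_known: bool,
                           random_padding: bool, rng=os.urandom) -> int:
    """Number of keystream bytes a passive sniffer recovers from one encrypted
    frame by XORing the ciphertext with the plaintext it can predict: the whole
    message when it is a repeating one (SI5/SI6 before mitigation 2) and the
    0x2B fill in every case (before mitigation 1)."""
    frame = build_frame(payload, random_padding, rng)
    keystream = toy_keystream(kc, fn, FRAME_LEN)
    ciphertext = xor(frame, keystream)
    # The sniffer's guess at the plaintext: message bytes only if predictable,
    # and the standard fill byte for everything past the message.
    guess = (payload if payload_known else b"?" * len(payload)) \
        + bytes([FILL]) * (FRAME_LEN - len(payload))
    recovered = xor(ciphertext, guess)
    return sum(
        1 for i in range(FRAME_LEN)
        if (payload_known or i >= len(payload)) and recovered[i] == keystream[i]
    )


# Constructed values: a 64-bit Kc, a frame number and a 6-byte signalling message.
KC = bytes.fromhex("0123456789abcdef")
FN = 1234567
MSG = bytes.fromhex("0303050621a0")

if __name__ == "__main__":
    for known, rand, label in [
        (False, False, "fixed 0x2B padding, message unknown"),
        (True, False, "fixed 0x2B padding, SI5/SI6-style known message"),
        (False, True, "random padding, message unknown"),
        (True, True, "random padding, known message (why mitigation 2 is also needed)"),
    ]:
        n = leaked_keystream_bytes(KC, FN, MSG, known, rand)
        print(f"{label}: {n} of {FRAME_LEN} keystream bytes leaked")
```

With fixed padding the sniffer gets 17 of 23 keystream bytes from a 6-byte message without knowing the message at all, and all 23 when the message is a predictable SI5/SI6. Random padding alone still leaks the 6 predictable message bytes, which is why both randomizations are needed.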
• Tools that they used:
  • Osmocom (OsmocomBB) – turns a phone into a GSM hacking tool
  • CatcherCatcher – turns an OsmocomBB phone into an IDS for GSM attacks (IMSI catcher detection)
  • GSMmap.org – ratings of countries based on their GSM security
Reverse Engineering Qualcomm Baseband
• Baseband = the chipset of the phone that handles telecoms
• Facilitates the bridge to accept AT commands
• Talks about the Qualcomm DIAG protocol:
  • Download mode: WRITE and EXECUTE anywhere on the device
  • Normal mode: accepts commands to read/write memory locations
• Blerg blerg blerg. Good data if you want to learn how to reverse it yourself, but no output.
Print Me if you dare
• MSNBC: “Millions of printers open to devastating hack attack”
• Ars Technica: “HP Printers can be remotely controlled and set on fire”
• Gawker: “Hackers could turn your printer into a flaming death bomb”
• Gizmodo: “Can hackers really use your HP printer to steal your identity and blow up your house?”
• No bomb/fire
• 56 firmwares were released to fix this flaw, affecting 2005–2011 models: CVE-2011-4161
• Found out that you can update the firmware with LPR
• Found out that this process did not use digital signatures or authentication
• PJL – printer job language
• Made a malicious remote firmware update (RFU) in PJL
• Can be delivered via phishing (the update is just a print job)
• Takes apart a printer and reviews the chips
• Downloads the datasheet for the flash chip (Digi-Key)
• Learns how to talk to the chip
• Made an Arduino dumper for the ROM chip of the printer
• Runs the output into IDA Pro... Magic…
• Writes a VxWorks rootkit – 3k of ARM assembly
• Malware:
  • Reverse proxy – NAT traversal
  • Print-job interceptor – send to another IP
  • Debug message redirection – telnet
  • Cause paper jams, “Control Controller”
• Summary:
  • Made a rootkit to attack HP printers and use them as a pivot for pen tests.
  • Add RFU vulns to your pen tests (not in Nessus or Nexpose yet). Run an RFU for the printer model; if the firmware changes = bad.
  • Can be included in legit documents (PostScript)
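The pen-test check above (record the firmware identifier, push the model’s RFU through the normal print path, query again) and the matching detection (a print job from an untrusted sender should never carry a firmware-upgrade command), as an added example that is not code from the talk or from these slides. Assumptions, labelled in the code: the PJL reply and the print jobs are constructed samples, the `@PJL UPGRADE SIZE=` keyword is how HP RFU files open, and the `FIRMWARE DATECODE` field name is one HP `@PJL INFO CONFIG` replies use on some models; both should be checked against a real reply for the model under test. Nothing here touches the network: `build_info_query()` only frames the bytes you would write to port 9100 or hand to `lpr`.

```python
import re

UEL = b"\x1b%-12345X"   # PJL Universal Exit Language; opens and closes every PJL block

# PJL firmware-upgrade command. ASSUMPTION: HP RFU files open with
# "@PJL UPGRADE SIZE=<bytes>" followed by the raw image; other vendors'
# keywords would need adding here.
RFU_CMD = re.compile(rb"@PJL\s+UPGRADE\b[^\r\n]*", re.IGNORECASE)

# ASSUMPTION: field names under @PJL INFO CONFIG that identify the firmware;
# they vary by model, so extend this after looking at a real reply.
FIRMWARE_KEYS = ("FIRMWARE DATECODE", "FIRMWARE VERSION")


def build_info_query(category: str = "CONFIG") -> bytes:
    """Frame an '@PJL INFO <category>' request for a raw port-9100 or LPR session."""
    return UEL + b"@PJL INFO " + category.upper().encode("ascii") + b"\r\n" + UEL


def parse_pjl_info(reply: bytes) -> dict:
    """Parse an '@PJL INFO' reply into a dict: 'KEY=value' lines become strings,
    'KEY [n ENUMERATED]' blocks collect their indented entries into a list.
    The reply ends with a form feed (0x0C)."""
    text = reply.split(b"\x0c", 1)[0].decode("ascii", errors="replace")
    fields, current_list = {}, None
    for raw in text.splitlines()[1:]:           # first line echoes the request
        if not raw.strip():
            continue
        if raw[0] in " \t" and current_list is not None:
            current_list.append(raw.strip())    # entry of an ENUMERATED block
            continue
        current_list = None
        line = raw.strip()
        enum = re.match(r"(.+?)\s*\[\d+\s+ENUMERATED\]$", line)
        if enum:
            current_list = fields.setdefault(enum.group(1), [])
        elif "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
        else:
            fields[line] = ""
    return fields


def firmware_changed(before: dict, after: dict) -> bool:
    """The pen-test check from the talk: any change in the firmware identifier
    after sending the model's RFU means the printer installed an
    unauthenticated image."""
    return any(before.get(k) != after.get(k) for k in FIRMWARE_KEYS)


def find_rfu_commands(job: bytes) -> list:
    """Return (offset, command) for every PJL upgrade command in a print job.
    Scans the whole job rather than only the PJL header, because the RFU can be
    wrapped inside an otherwise legitimate PostScript/PCL document."""
    return [(m.start(), m.group(0).decode("ascii", "replace"))
            for m in RFU_CMD.finditer(job)]


# Constructed samples (not captured from a real printer).
SAMPLE_REPLY_BEFORE = (
    b"@PJL INFO CONFIG\r\n"
    b"IN TRAYS [2 ENUMERATED]\r\n"
    b"\tINTRAY1 MP\r\n"
    b"\tINTRAY2 TRAY2\r\n"
    b"MEMORY=67108864\r\n"
    b"FIRMWARE DATECODE=20100326\r\n"
    b"\x0c"
)
SAMPLE_REPLY_AFTER = SAMPLE_REPLY_BEFORE.replace(b"20100326", b"20111209")

BENIGN_JOB = (UEL + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
              b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\n"
              b"72 720 moveto (invoice) show showpage\n" + UEL)
RFU_JOB = (UEL + b"@PJL COMMENT looks like an invoice\r\n"
           b"@PJL UPGRADE SIZE=4\r\n\xde\xad\xbe\xef" + UEL)

if __name__ == "__main__":
    before = parse_pjl_info(SAMPLE_REPLY_BEFORE)
    after = parse_pjl_info(SAMPLE_REPLY_AFTER)
    print("query to send:", build_info_query())
    print("firmware before/after:", before.get("FIRMWARE DATECODE"), after.get("FIRMWARE DATECODE"))
    print("firmware changed (RFU accepted):", firmware_changed(before, after))
    for name, job in (("benign", BENIGN_JOB), ("rfu", RFU_JOB)):
        print(name, "job upgrade commands:", find_rfu_commands(job))
```

For the scanner, feed it whatever your print server or IDS already has: spooled job files, or the reassembled TCP payload of port 9100 and LPR sessions. For the version check, run the query before and after the RFU and keep both raw replies as evidence.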
Awesome Intro To Mobile Protocols talk
• Unfortunately nothing about CDMA and America
• Goes into GSM, GPRS, the history, why everything is fucked up; extremely thorough
• Got boring quickly
• Passed out
CELLULAR PROTOCOL STACKS
• Is he still talking?
• Holy crap
• He’s just naming 1000 acronyms now
• Punkrokk – do your joke
• Did he do it?
• Ok nevermind, this talk was lame
• Here look at this instead:
CELLULAR PROTOCOL STACKS
Taking Over The Tor Network
• Presentation references “Over 9000” but it flies over the heads of all of Europe
• Created the tor_extend ruby library < neat
• Made a map of all the hidden routers < cute
• Created Tor malware that exploits a DLL in a Windows box
• Did not release code
• Their malware implemented packet spinning, which is an attack vector discussed in 2008
• Did not talk to the Tor Project at all
• “This doesn’t work with the new version of Tor anymore”
“Taking Over” The Tor Network
• Claim: they have found “all” 181 bridge nodes. Reality: there are more than 600 bridge nodes
• Claim: they have found Over 9000!!!1!! ORs. Reality: there are only about 2500
• They made Windows malware, then used someone else’s attack, then told the world they owned the Tor network
• Hilarious last 10 minutes of the presentation where Dingledine and ioerror do a Q and A:
  • Can you tell me what’s new and relevant about your presentation?
  • Why didn’t you talk to us?
  • You published a lot of bridge nodes. Why do you want to hurt third world countries?
  • Why don’t you release the exploit?
Dingledine: “UR STUPD I FUK UR FACE!”
DOWNLOAD
All the things: http://mirror.fem-net.de/CCC/28C3/mp4-h264-HQ/
END