Transcript of 28c3 in 15

Page 1: 28c3 in 15

28C3 IN 15 MINUTES

Page 2: 28c3 in 15

GSM HACKING: KARSTEN NOHL

This is the third year he’s done a GSM presentation.

Did a live demo on stage showing how to sniff, crack, and impersonate a phone.

A5/1 is dead AND improperly implemented.

A5/3 is better but will be cracked (still 64-bit, but a block cipher at least).

A5/4 is legit biznitch but operators are lazy.

Page 3: 28c3 in 15

GSM HACKING: KARSTEN NOHL

TMSI ~= username

Kc ~= password

GSM != CDMA

Mitigations:

1. Implement padding randomization (blerg)

2. SI5/SI6 randomization (Google TS 44.018)

3. Implement A5/3

Implementing 1 and 2 is “easy” and effectively stops 100% of current threats.

Page 4: 28c3 in 15

GSM HACKING: KARSTEN NOHL

Tools that they used:

Osmocom – turns a phone into a GSM hacking tool

CatcherCatcher – turns Osmocom into an IDS for GSM attacks

GSMMap.org – ratings of countries based on their GSM security

Page 5: 28c3 in 15

Reverse Engineering Qualcomm Baseband

Baseband = the chipset of the phone that handles telecoms

Facilitates the bridge to accept AT commands

Talks about the Qualcomm DIAG protocol:

Download mode – WRITE and EXECUTE anywhere on the device

Normal mode – accepts commands to read/write memory locations

Blerg blerg blerg. Good data if you want to learn how to reverse yourself, but no output.

Page 6: 28c3 in 15

Print Me If You Dare

MSNBC: Millions of printers open to devastating hack attack

Ars Technica: HP printers can be remotely controlled and set on fire

Gawker: Hackers could turn your printer into a flaming death bomb

Gizmodo: Can hackers really use your HP printer to steal your identity and blow up your house?

Page 7: 28c3 in 15

Print Me If You Dare

No bomb/fire

56 firmwares were released to fix this flaw, affecting 2005-2011 (CVE-2011-4161)

Found out that you can update the firmware with LPR

Found out that this process did not use digital signatures or authentication

PJL – printer job language

Made a malicious remote firmware update in PJL language

Can be used for phishing

Page 8: 28c3 in 15

Print Me If You Dare

Takes apart a printer and reviews the chips

Downloads the datasheet for the flash chip (Digikey)

Learns how to talk to the chip

Made an Arduino dumper for the ROM chip of the printer

Runs output into IDA Pro... Magic…

Writes a VxWorks rootkit – 3k of ARM assembly

Page 9: 28c3 in 15

Print Me If You Dare

Malware:

Reverse proxy – NAT traversal

Print-job interceptor – send to another IP

Debug message redirection – telnet

Cause paper jams, “Control Controller”

Summary:

Made a rootkit to attack HP printers to use as a pivot for pen tests.

Add RFU vulns to your pen tests (not in Nessus or Nexpose yet). Run RFU for printer model. If the firmware changes = bad.

Can be included in legit documents (PostScript)
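The two checks the summary recommends, watching print traffic for unsigned remote firmware update (RFU) jobs and watching for firmware that changes without a sanctioned update, as an added Python example that is not from the deck or from the talk it summarizes. It assumes that RFU packages announce themselves with the `@PJL UPGRADE` directive (the header HP RFU files carry); the allowlist of ordinary job languages, the sample jobs and the baseline firmware values are constructed for illustration.

```python
import re

UEL = b"\x1b%-12345X"  # PJL "universal exit language" sequence that opens a job
UPGRADE_RE = re.compile(rb"^@PJL\s+UPGRADE\b", re.IGNORECASE)
ENTER_RE = re.compile(rb"^@PJL\s+ENTER\s+LANGUAGE\s*=\s*([A-Za-z0-9]+)", re.IGNORECASE)
# Job languages an ordinary document is expected to switch into (assumed allowlist)
EXPECTED_LANGUAGES = {b"PCL", b"PCLXL", b"POSTSCRIPT"}


def pjl_commands(job: bytes):
    """Yield the @PJL command lines that head a job, stopping at the payload."""
    for raw in job.split(b"\n"):
        line = raw.rstrip(b"\r")
        if line.startswith(UEL):
            line = line[len(UEL):]
        if not line:
            continue
        if not line.upper().startswith(b"@PJL"):
            break  # binary firmware image or page-description data starts here
        yield line


def scan_print_job(job: bytes) -> list:
    """Return human-readable findings for one raw LPR / port-9100 job.

    An RFU header is flagged outright; a switch into a job language outside the
    allowlist is flagged because PJL lets a "document" carry arbitrary payloads.
    """
    findings = []
    for cmd in pjl_commands(job):
        text = cmd.decode("ascii", errors="replace")
        if UPGRADE_RE.match(cmd):
            findings.append("firmware upgrade directive: " + text)
        m = ENTER_RE.match(cmd)
        if m and m.group(1).upper() not in EXPECTED_LANGUAGES:
            findings.append("unexpected job language: " + m.group(1).decode("ascii", "replace"))
    return findings


def firmware_drift(baseline: dict, observed: dict) -> list:
    """List printers whose reported firmware no longer matches the recorded baseline.

    Both mappings are printer name -> firmware identifier (whatever the device
    reports, e.g. a datecode); a printer missing from `observed` is reported as
    'unreachable' so it is not silently skipped.
    """
    drift = []
    for printer, expected in sorted(baseline.items()):
        actual = observed.get(printer, "unreachable")
        if actual != expected:
            drift.append((printer, expected, actual))
    return drift


# Constructed sample jobs (not real RFU packages or real documents)
SAMPLE_RFU_JOB = (
    b"\x1b%-12345X@PJL\r\n"
    b"@PJL COMMENT constructed sample\r\n"
    b"@PJL UPGRADE SIZE=1048576\r\n"
    b"\x00\x01\x02\x03"  # a binary firmware image would follow here
)
SAMPLE_NORMAL_JOB = (
    b"\x1b%-12345X@PJL JOB NAME=\"quarterly-report\"\r\n"
    b"@PJL SET COPIES=1\r\n"
    b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    b"%!PS-Adobe-3.0\r\n"
)

if __name__ == "__main__":
    for name, job in (("rfu", SAMPLE_RFU_JOB), ("normal", SAMPLE_NORMAL_JOB)):
        print(name, scan_print_job(job) or "clean")
    # Constructed baseline vs. a fresh reading: prn-b changed without a sanctioned update
    print(firmware_drift({"prn-a": "20110901", "prn-b": "20100512"},
                         {"prn-a": "20110901", "prn-b": "20111201"}))
```

`scan_print_job` only looks at the PJL header, so it runs cheaply on every job captured at the spooler or on a port-9100 tap; `firmware_drift` is meant to be fed from a scheduled inventory so that a firmware identifier changing outside a change window raises a ticket.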

Page 10: 28c3 in 15

CELLULAR PROTOCOL STACKS

Awesome intro to mobile protocols talk

Unfortunately nothing about CDMA and America

Goes into GSM, GPRS, the history, why everything is fucked up; extremely thorough

Got boring quickly

Passed out

Page 11: 28c3 in 15

CELLULAR PROTOCOL STACKS

Is he still talking?

Holy crap

He’s just naming 1000 acronyms now

Punkrokk – do your joke

Did he do it?

Ok, never mind, this talk was lame

Here, look at this instead:

Page 12: 28c3 in 15

Taking Over The Tor Network

• Presentation references “Over 9000” but it flies over the heads of all of Europe

• Created the tor_extend Ruby library < neat

• Made a map of all the hidden routers < cute

Page 13: 28c3 in 15
Page 14: 28c3 in 15

“Taking Over” The Tor Network

• Created Tor malware that exploits a DLL in a Windows box

• Did not release code

• Their malware implemented packet spinning, which is an attack vector discussed in 2008

• Did not talk to Tor Project at all

• “This doesn’t work with the new version of Tor anymore”

Page 15: 28c3 in 15

“Taking Over” The Tor Network

• They have found “all” 181 bridge nodes – there are more than 600 bridge nodes

• They have found Over 9000!!!1!! ORs – there are only about 2500

Page 16: 28c3 in 15

“Taking Over” The Tor Network

• They made Windows malware and then used someone else’s attack, then told the world they owned the Tor network

• Hilarious last 10 minutes of the presentation where Dingledine and ioerror do a Q and A:

• Can you tell me what’s new and relevant about your presentation?

• Why didn’t you talk to us?

• You published a lot of bridge nodes. Why do you want to hurt third world countries?

• Why don’t you release the exploit?

Page 17: 28c3 in 15

“Taking Over” The Tor Network

Dingledine: “UR STUPD I FUK UR FACE!”

Page 18: 28c3 in 15

DOWNLOAD

All the things: http://mirror.fem-net.de/CCC/28C3/mp4-h264-HQ/

Page 19: 28c3 in 15

END