2. This is the third year he’s done a GSM
presentation
Did a live demo on stage showing how to
sniff, crack, and impersonate a phone
A5/1 is dead AND improperly implemented
A5/3 is better but will be cracked (still 64bit
but a block cipher at least)
A5/4 is legit biznitch but operators are lazy
3. TMSI ~= username
KC ~= password
GSM != CDMA
Mitigations:
Implement padding randomization (blerg)
SI5/SI6 randomization (Google TS 44.018)
Implement A5/3
Implementing 1 and 2 are “easy” and
effectively stop 100% of current threats
4. Tools that they used:
Osmocom – turns a phone into a GSM hacking
tool
CaptureCapture – turns Osmocon into an IDS
for GSM attacks
GSMMap.org – ratings of countries based on
their GSM security
5. Baseband = the chipset of the phone that
handles telcoms
Facilitates the bridge to accept AT commands
Talks about Qualcom DIAG protocol
Download mode WRITE and EXECUTE anywhere
on the device
Normal mode accepts commands to rw memory
locations
Blerg blerg blerg. Good data if you want to
learn how to reverese your self but no output.
6. Print Me if you dare
MSNBC: Millions of printers open to devastating hack
attack
Ars technica: HP Printers can be remotely controlled
and set on fire
Gawker: Hackers could turn your printer into a
flaming death bomb
Gizmodo: Can hackers really use your HP printer to
steal your identity and blow up your house?
7. Print Me if you dare
No bomb/fire
56 firmwares were released to fix this flaw affecting
2005-2011 CVE-2011-4161
Found out that you can update the firmware with LPR
Found out that this process did not use digital
signatures or authentication
PJL – printer job language
Made a malicious remote firmware update in PJL
launguage
Can be used for phishing
8. Print Me if you dare
Takes apart a printer and reviews the chips
Downloads the datasheet for the flash chip (digikey)
Learns how to talk to the chip
Made an Arduino dumper for the ROM chip of the
printer
Runs output into IDA Pro
...Magic…
Writes a vxworks rootkit – 3k of ARM assembly
9. Print Me if you dare
Malware
Reverse proxy – NAT traversal
Print-job interceptor – send to another IP
Debug message redirection – telnet
Cause paper jams, “Control Controller”
Summary:
Made a rootkit to attack HP printers to use as a pivot for pen
tests.
Add RFU vulns to your pen tests (Not in Nessus, Nexpose
yet). Run RFU for printer model. If the firmware changes =
bad.
Can be included in legit documents (post script)
10. CELLULAR PROTOCOL STACKS
Awesome Intro To Mobile Protocols talk
Unfortunately nothing about CDMA and America
Goes into GSM, GPRS, the history, why everything is fucked up, extremely
thorough
Got boring quickly
Passed out
11. CELLULAR PROTOCLS STACKS
Is he still talking?
Holy crap
He’s just naming 1000 acronyms now
Punkrokk – do your joke
Did he do it?
Ok nevermind this talk was lame
Here look at this instead:
12. • Presentation references “Over 9000” but it flies over the
heads of all of Europe
• Created the tor_extend ruby library < neat
• Made a map of all the hidden routers < cute
Taking Over The Tor
Network
13.
14. “Taking Over” The Tor Network
• Created Tor malware that exploits a DLL in a Windows
box
• Did not release code
• Their malware implemented packet spinning which is an
attack vector discussed in 2008
• Did not talk to Tor Project at all
• “This doesn’t work with the new version of Tor anymore”
15. • There are more
than 600 bridge
• They have found “all” 181
nodes
bridge nodes • There are only
• They have found Over about 2500
9000!!!1!! ORs
“Taking Over” The Tor
Network
16. • They made Windows malware and then used
someone else’s attack then told the world they owned
the Tor network
• Hilarious last 10 minutes of the presentation where
Dingldine and IOError do a Q and A:
• Can you tell me what’s new and relevant about your
presentation?
• Why didn’t you talk to us?
• You published a lot of bridge nodes. Why do you want
to hurt third world countries?
• Why don’t you release the exploit?
“Taking Over” The Tor
Network
