33C3 notes & keywords part 7
Post date: May 14, 2017 3:44:23 AM
- Intercoms Hacking - Awesome, security through obscurity. We trust that your technology is so awesome and elite that nobody can understand or hack it! - Or maybe not. ;) Liked their RF snooping / debugging tools. Tools: USRP, SysmoBTS, BladeRF, libmich, Wireshark, OsmocomBB, OpenLTE. Group: Synacktiv digital security - As is widely known, with GSM / GPRS the device doesn't authenticate the base station, allowing fake / rogue base stations. A5/1, KASUMI, SNOW 3G. Mobile phone jamming attacks and protocol downgrade attacks. Software Defined Radio (SDR). Capturing the IMSI, installing a back door, capturing command and control setup information and authentication tokens, impersonation, trapping, tracking calls, using auto answer to listen to conversations. Attacking M2M environments. Attack vectors and vulnerabilities. Brute forcing accounts. Proof of Concept (PoC). No brute force attack mitigation, unlimited tries. Using a virtual network as an attack vector. Capturing PIN codes using SIM trace MITM. Bad/null SSL checks, making MITM possible. Some credentials hard coded. They also provided a nice list of security recommendations for M2M solutions at the end of the talk (30+ minutes). It was a very nice list, but the reality is that most likely nobody cares about the mentioned matters. They just want the system to run as cheaply as possible. Security would be expensive and that's why it's a totally secondary priority.
- Shining some light on the Amazon Dash button - More IoT stuff, Amazon Dash aka Dash button. This device uses a WiFi (WLAN) connection. Internet-of-Sh*t (IoS) device. Monitoring network traffic: 802.11 probe, auth, association, DHCP, ARP, DNS. Of course it stores the WiFi configuration. Nice, 160 kB of RAM. 512 kB Flash. Atmel WiFi IC with built-in IP stack. Also contains a Bluetooth Low-Energy (BLE) Cypress chip. And all this is powered by a single AAA battery. No news: WiFi uses a lot of power. The AAA battery can power the device for only 75 minutes. Serial Wire Debug (SWD). Nice, the Dev Mode Menu is still included in production devices. ECDH public keys, secret keys, customer secret. Temporary symmetric encryption, AES-GCM. TLV encoding. JSON encoded. Security conclusions: evil twin & MitM attacks. Obtaining WiFi credentials & dash token. Replay attack prevention. Cyber security risk rating negligible. Flash content contains firmware and dynamic storage with journaling. Nice! Also the devmode console on UART is nice, as well as the fact that the SWD debug interface was left enabled. During the config phase there's also the audio config protocol. That's awesome! FSK with 4 carriers instead of ASK. Audio configuration protocol payload analyzed.
- The Moon and European Space Exploration - Just happened to be an interesting topic to listen to. Very nice talk. Moon village it is.
- Lightning talks day 3 - Comments: pwntools, an exploitation framework written in Python for CTF competitions. Personal Information Management (PIM). Common Vulnerabilities and Exposures (CVE). National Vulnerability Database (NVD). Common Platform Enumeration (CPE). - Discreete Linux. Hacking Euro-DOCSIS, laughable security. - Opencast - A streaming video application, decentralized, scalable and naturally free open source. Hacking Keyless Entry Systems / Keyless GO Systems on Cars (125 kHz / 430 MHz). Once again ridiculous security, or no security at all. So it's as secure as you could have expected. No security at all. - S in IoT stands for secure. - Got the joke?
- On Smart Cities, Smart Energy, And Dumb Security - Comments: Smart Meters, GSM GPRS A5, insecurity, Zigbee protocols, PLC. Flaws to be exploited in design, implementation and management. Network key hack. Huh? He said that the network key is AES-128. But his emails are encrypted with 2000 bits. Bleep, bleep, bleep. If you mix up symmetric and asymmetric key lengths, it clearly tells me that something is seriously wrong! Extremely classic encryption BS without facts. Thank you for that! (I've written about this earlier, several times.) I just created 8 million bit encryption, it uses XOR and OTP, darn I'm smart. Just don't use a longer message than the key and don't reuse the key. kw: Leaking encryption keys, memory corruption, hard coded credentials, debug ports, bad encryption, no monitoring.