%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 5
Network Security
beyond TCP/IP/Ethernet
%center
%size 4
by
Harald Welte <laforge@gnumonks.org>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Introduction
Who is speaking to you?
an independent Free Software developer, consultant and trainer
who is a member of the Free Software community for 13 years
who actually has a professional background in hardware
who has co-developed the netfilter/iptables packet filter
who has started gpl-violations.org
and who has been lead hardware + system software architect for Openmoko until recently
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Content
Data Communications
Security Research
TCP/IP hacks for every layer
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Data Communications
Data communications protocols are all around us
Internet and Intranet (Ethernet/TCP/IP)
2G/2.5G cellular networks (GSM)
3G/3.5G cellular networks (UMTS)
Cordless Phones (DECT)
Various RFID technologies
TETRA for police / fire brigade
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Internet Security Research
Security Research on the Internet
by independent hackers
by security consultants
by independent research organizations
by academia
Motivation
academic interest
ethical hackers
criminal entities
reputation/fame in the community
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Examples of past IP issues
The various levels of TCP/IP protocols security (examples)
Layer 2
MAC spoofing
overflowing MAC address table of switches
promiscuous mode for packet sniffing
Layer 3
IP address spoofing
source routing
invalid options / option parsing
fragmentation re-assembly attacks
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Examples of past IP issues
Layer 4
port number prediction
TCP session hijacking
RST/FIN spoofing
invalid flag combinations
Layer 5+
buffer overflows
format string vulnerabilities
stack smashing
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Reasons for Internet scrutiny
Why do we have that much TCP/IP security research?
Open specification of protocols (IETF, W3C)
Lots of 3rd party textbooks on those protocols
Same Technology around for multiple decades
Network widely deployed, everyone can get access
Attractive targets on the network
Cheap hardware to get low-level bitstream access
Intelligence of protocols in end nodes, not network
Protocols implemented in host software, not firmware
Many open source implementations of protocols
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Comparison with GSM
Let's compare this with e.g. the GSM network
Open specification of protocols (ETSI/3GPP)
! Almost zero 3rd party literature on protocols
! Technology only around since early 1990s
Network widely deployed, everyone can get access
Attractive targets on the network
! No hardware for low-level bitstream access
! Intelligence in the network as well as end nodes
! Protocols implemented in device firmware
! Zero open source implementations of the protocols
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Comparison with DECT
Let's compare this with e.g. the DECT protocols
Open specification of protocols (ETSI)
! Almost zero 3rd party literature on protocols
! Technology only around since early 1990s
! Only smaller networks in companies, or single-cell home installations
! Attractive targets, but not accessible remotely
! No hardware for low-level bitstream access
! Intelligence in the network as well as end nodes
! Protocols implemented in device firmware
! Zero open source implementations of the protocols
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Comparison with RFID
Let's compare this with e.g. the RFID world
! Many protocols proprietary and not openly specified
! Very little 3rd party literature on protocols
! Technology only around since late 1990s
! Widely deployed in access control and payment systems
! Attractive targets, but not accessible remotely
! No hardware for low-level bitstream access
Intelligence of protocol in end nodes
! Protocols implemented in device firmware
! Only one open source implementation of very few protocols
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Conclusions (1/3)
Knowledge about non-Internet communications protocols hard to obtain
standards documents very verbose and hard to read
no good books
very few people know it, very few courses/classes
no open source protocol implementations
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Conclusions (2/3)
Bitstream access to low level protocol data close to impossible
there is a lack of the equivalent of an 'Ethernet card in promiscuous mode with tcpdump/wireshark'
only device manufacturers inside the industry have the technology
they are very secretive and closed
very few commercial implementations (two to five in all devices world wide!)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Conclusions (3/3)
Security researchers are software/crypto/maths geeks
usually have very limited knowledge about hardware
even less knowledge about RF / radio / signal processing
There are very few hardware developers with 'Free Software' spirit
usually have very limited knowledge about security
The industry is aware of their security issues and they're afraid
they will not provide any technical assistance
they profit from security by obscurity
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Results
Non-Internet communications don't receive any reasonable amount of scrutiny at all
Many existing attacks or attack principles that have been long known in the Internet are not known or haven't been tried in other protocols
Overall security of non-Internet networks is much weaker
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
How to change it
How do we change this?
By developing hardware for low-level bitstream access
Universal Software Radio Peripheral (USRP)
Open Hardware SDR platform
OpenPCD, OpenPICC
specifically for 13.56MHz RFID
By developing Open Source low level protocol implementations
GSM: http://wiki.thc.org/gsm/decode
DECT: work behind the scenes in CCC
RFID: http://www.openmrtd.org/projects/librfid
By raising awareness about the lack of security
By having more people try to understand hardware
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Closer look at USRP project
Project scope
develop Open Source software defined radio platform
develop RF frontends for receive and transmit on all bands
Project status
USRP1 finished and in production for a number of years
Various frontends for 0...2.7GHz Rx + Tx available
USRP2 in final R&D stage (Gigabit Ethernet, no USB2)
Result
Hardware is used by THC GSM, CCC DECT and other projects
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Closer look at gnuradio project
Project scope
develop Free Software toolkit for SDR
implement all major algorithms (de/modulator, filter, interpolator, bit sync, frame sync, ...)
implement software for as many protocols as possible
Project status
All analog modulations (AM/FM/SSB/...) for amateur radio and commercial broadcast
Demodulation of ASK, FSK, GMSK, BPSK, QPSK, QAM and others
Full ATSC implementation years ago (broadcast flag debate)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Closer look at THC GSM project
Project has wide scope:
cracking of A5/1 and A5/2 algorithms
demodulation/decoding/demultiplex of GSM Um Interface
GSM Um protocol plugin for wireshark
finally, they aim for GSM transmit side, too!
Project status (GSM Rx side)
demodulation/decoding/demultiplex with gnuradio+USRP
wireshark plugin coming nicely along
code is public, anyone can use it today!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Closer look at CCC DECT security project
Project scope
implement software for DECT receive/decode in gnuradio
implement custom cheap hardware for DECT Rx+Tx
implement wireshark DECT plugin
attempt to discover DSC (on-die in DECT burst controllers)
attempt to discover DSAA (in device firmware)
Project status
custom hardware, gnuradio software and wireshark plugin working
DSAA shows good progress
DSC progress very slow
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Closer look at OpenPCD project
Project scope
open hardware design for 13.56MHz RFID reader
open source firmware for reader
open source protocol stack (librfid)
open source sniffer and RFID card emulator (OpenPICC)
Project status
OpenPCD hardware is finished and in production
supports MIFARE, ISO 14443-1,2,3,4 A+B, ISO 15693
no GUI and stable high-level API yet
OpenPICC R&D painful, but expected to be finished Q3/2008
Result for security researchers
OpenPCD and OpenPICC used extensively in MIFARE classic attacks
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Thanks
Motorola, HTC
for producing mobile phones with security holes, enabling people to hack
OpenMoko, Inc.
for trying to bring more openness into the closed mobile market
Philips / NXP
for encrypting the documentation on their RFID chipsets with only 40-bit keys, thus enabling OpenPCD and librfid development
Chaos Computer Club
for providing a forum (home?) to many ethical hackers
Milosch, starbug, Henryk
for their great work on Mifare Classic / CRYPTO1 hacking
THC
for starting and driving the GSM hacking project
Matt Ettus and Eric Blossom
for the marvels of USRP and gnuradio
Linuxtag, specifically Nils Magnus
for inviting me to speak here