1 files changed, 362 insertions, 0 deletions

diff --git a/2008/security_beyond_internet-lt2008/security_beyond_internet.mgp b/2008/security_beyond_internet-lt2008/security_beyond_internet.mgp
new file mode 100644
index 0000000..95ad2ea
--- /dev/null
+++ b/2008/security_beyond_internet-lt2008/security_beyond_internet.mgp
@@ -0,0 +1,362 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+
+%center
+%size 5
+Network Security
+beyond TCP/IP/Ethernet
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@gnumonks.org>
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Introduction
+
+Who is speaking to you?
+
+		an independent Free Software developer, consultant and trainer
+		who is a member of the Free Software community for 13 years
+		who actually has a professional background in hardware
+		who has co-developed the netfiter/iptables packet filter
+		who has started gpl-violations.org
+		and who's been lead hardware + system software architect for Openmoko until recently
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Content
+
+	Data Communications
+	Security Research
+	TCP/IP hacks for every layer
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Data Communications
+
+
+	Data communications protocols are all around us
+		Internet and Intranet (Ethernet/TCP/IP)
+		2G/2.5G cellular networks (GSM)
+		3G/3.5G cellular networks (UMTS)
+		Cordless Phones (DECT)
+		Various RFID technologies
+		TETRA for police / fire brigade
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Internet Security Research
+
+
+	Security Research on the Internet
+		by independent hackers
+		by security consultants
+		by independent research organizations
+		by the academia
+
+	Motivation
+		academic interest
+		ethical hackers
+		criminal entities
+		reputation/fame in the community
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Examples of past IP issues
+
+
+	The various levels of TCP/IP protocols security (examples)
+		Layer 2
+			MAC spoofing
+			overflowing MAC address table of switches
+			promiscuous mode for packet sniffing
+		Layer 3
+			IP address spoofing
+			source routing
+			invalid options / option parsing
+			fragmentation re-assembly attacks
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Examples of past IP issues
+
+
+		Layer 4
+			port number prediction
+			TCP session hijacking
+			RST/FIN spoofing
+			invalid flag combinations
+		Layer 5+
+			buffer overflows
+			format string vulnerabilities
+			stack smashing
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Reasons for Internet scrutiny
+
+
+	Why do we have that much TCP/IP security research?
+		Open specification of protocols (IETF, W3C)
+		Lots of 3rd party textbooks on those protocols
+		Same Technology around for multiple decades
+		Network widely deployed, everyone can get access
+		Attractive targets on the network
+		Cheap hardware to get low-level bitstream access
+		Intelligence of protocols in end nodes, not network
+		Protocols implemented in host software, not firmware
+		Many open source implementations of protocols
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Comparison with GSM
+
+
+	Lets compare this with e.g. the GSM network
+		Open specification of protocols (ETSI/3GPP)
+		! Almost zero 3rd party literature on protocols
+		! Technology only around since early 1990s
+		Network widely deployed, everyone can get access
+		Attractive targets on the network
+		! No hardware for low-level bitstream access
+		! Intelligence in the network as well as end nodes
+		! Protocols implemented in device firmware
+		! Zero open source implementations of the protocols
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Comparison with DECT
+
+
+	Lets compare this with e.g. the DECT protocols
+		Open specification of protocols (ETSI)
+		! Almost zero 3rd party literature on protocols
+		! Technology only around since early 1990s
+		! Only smaller networks in companies, or single-cell home installations
+		! Attractive targets, but not accessible remotely
+		! No hardware for low-level bitstream access
+		! Intelligence in the network as well as end nodes
+		! Protocols implemented in device firmware
+		! Zero open source implementations of the protocols
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Comparison with RFID
+
+
+	Lets compare this with e.g. the RFID world
+		! Many protocols proprietary and not openly specified
+		! Very few 3rd party literature on protocols
+		! Technology only around since late 1990s
+		! Widely deployed in access control and payment systems
+		! Attractive targets, but not accessible remotely
+		! No hardware for low-level bitstream access
+		Intelligence of protocol in end nodes
+		! Protocols implemented in device firmware
+		! Only one open source implementation of very few protocols
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Conclusions (1/3)
+
+
+	Knowledge about non-Internet communications protocols hard to obtain
+		standards documents very verbose and hard to read
+		no good books
+		very few people know it, very few courses/classes
+		no open source protocol implementations
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Conclusions (2/3)
+
+
+	Bitstream access to low level protocol data close to impossible
+		there is a lack of the equivalent of an 'Ethernet card in promiscuous mode with tcpdump/wireshark'
+		only device manufacturers inside the industry have the technology
+		they are very secretive and closed
+		very few commercial implementations (two to five in all devices world wide!)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Conclusions (3/3)
+
+
+	Security researchers are software/crypto/maths geeks
+		usually have very limited knowledge about hardware
+		even less knowledge about RF / radio / signal processing
+	There are very few hardware developers with 'Free Software' spirit
+		usually have very limited knowledge about security
+	The industry is aware of their security issues and they're afraid
+		they will not provide any technical assistance
+		they profit from security by obscurity
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Results
+
+
+		Non-Internet communications doesn't receive any reasonable amount of scrutiny at all
+
+		Many existing attacks or attack principles that have been long known in the Internet are not known or haven't been tried in other protocols
+
+		Overall security of non-Internet networks is much weaker
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+How to change it
+
+How do we change this?
+	By developing hardware for low-level bitstream access
+		Universal Software Radio Peripheral (USRP)
+			Open Hardware SDR platform 
+		OpenPCD, OpenPICC
+			specifically for 13.56MHz RFID
+	By developing Open Source low level protocol implementations
+		GSM: http://wiki.thc.org/gsm/decode
+		DECT: work behind the scenes in CCC
+		RFID: http://www.openmrtd.org/projects/librfid
+	By rising awareness about the lack of securtiy
+	By having more people try to understand hardware
+		
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Closer look at USRP project
+
+
+	Project scope
+		develop Open Source software defined radio platform
+		develop RF frontends for receive and transmit on all bands
+
+	Project status
+		USRP1 finished and in production for a number of yearsI
+		Various frontends for 0...2.7GHz Rx + Tx available
+		USRP2 in final R&D stage (gigabit ethernet, no USB2)
+
+	Result
+		Hardware is used by THC GSM, CCC DECT and other projects
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Closer look at gnuradio project
+
+
+	Project scope
+		develop Free Software toolkit for SDR
+		implement all major algorithms (de/modulator, filter, interpolator,  bit sync, frame sync, ...)
+		implement software for as many protocols as possible
+
+	Project status
+		All analog modulations (AM/FM/SSB/...) for amateur radio and commercial broadcast
+		Demodulation of ASK, FSK, GMSK, BPSK, QPSK, QAM and others
+		Full ATSC implementation years ago (broadcast flag debate)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Closer look at THC GSM project
+
+
+	Project has wide scope:
+		cracking of A5/1 and A5/2 algorithms
+		demodulation/decoding/demultiplex of GSM Um Interface
+		GSM Um protocol plugin for wireshark
+		finally, they aim for GSM transmit side, too!
+	
+	Project status (GSM Rx side)
+		demodulation/decoding/demultiplex with gnuradio+USRP
+		wireshark plugin coming nicely along
+		code is public, anyone can use it today!
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Closer look at CCC DECT security project
+
+
+	Project scope
+		implement software for DECT receive/decode in gnuradio
+		implement custom cheap hardware for DECT Rx+Tx
+		implement wireshark DECT plugin
+		attempt to discover DSC (on-die in DECT burst controllers)
+		attempt to discover DSAA (in device firmware)
+
+	Project status
+		custom hardware, gnuradio software and wireshark plugin working
+		DSAA shows good progress
+		DSC progress very slow
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Closer look at OpenPCD project
+
+
+	Project scope
+		open hardware design for 13.56MHz RFID reader
+		open source firmware for reader
+		open source protocol stack (librfid)
+		open source sniffer and RFID card emulator (OpenPICC)
+	Project status
+		OpenPCD hardware is finished and in production
+		supports MIFARE, ISO 14443-1,2,3,4 A+B, ISO15693
+		no GUI and stable high-level API yet
+		OpenPICC R&D painful, but expected to be finished Q3/2008
+	Result for security researchers
+		OpenPCD and OpenPICC used extensively in MIFARE classic attacks
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Communications Security
+Thanks
+
+
+		Motorola, HTC
+			for producing mobile phones with security holes, enabling people to hack
+		OpenMoko, Inc.
+			for trying to bring more openness into the closed mobile market
+		Philips / NXP
+			for encrypting the documentation on their RFID chipsets with only 40bit, thus enabling OpenPCD and librfid development
+		Chaos Computer Club
+			for providing a forum (home?) to many ethical hackers
+		Milosch, starbug, Henryk
+			for their great work on Mifare Classic / CRYPTO1 hacking
+		THC
+			for starting and driving the GSM hacking project
+		Matt Ettus and Eric Blossom
+			for the marvels of USRP and gnuradio
+		Linuxtag, specifically Nils Magnus
+			for inviting me to speak here