path: root/2008/security_beyond_internet-lt2008
Diffstat (limited to '2008/security_beyond_internet-lt2008')
-rw-r--r--2008/security_beyond_internet-lt2008/security_beyond_internet.mgp362
1 files changed, 362 insertions, 0 deletions
diff --git a/2008/security_beyond_internet-lt2008/security_beyond_internet.mgp b/2008/security_beyond_internet-lt2008/security_beyond_internet.mgp
new file mode 100644
index 0000000..95ad2ea
--- /dev/null
+++ b/2008/security_beyond_internet-lt2008/security_beyond_internet.mgp
@@ -0,0 +1,362 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+
+%center
+%size 5
+Network Security
+beyond TCP/IP/Ethernet
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@gnumonks.org>
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Introduction
+
+Who is speaking to you?
+
+ an independent Free Software developer, consultant and trainer
+ who is a member of the Free Software community for 13 years
+ who actually has a professional background in hardware
+ who has co-developed the netfiter/iptables packet filter
+ who has started gpl-violations.org
+ and who's been lead hardware + system software architect for Openmoko until recently
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Content
+
+ Data Communications
+ Security Research
+ TCP/IP hacks for every layer
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Data Communications
+
+
+ Data communications protocols are all around us
+ Internet and Intranet (Ethernet/TCP/IP)
+ 2G/2.5G cellular networks (GSM)
+ 3G/3.5G cellular networks (UMTS)
+ Cordless Phones (DECT)
+ Various RFID technologies
+ TETRA for police / fire brigade
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Internet Security Research
+
+
+ Security Research on the Internet
+ by independent hackers
+ by security consultants
+ by independent research organizations
+ by the academia
+
+ Motivation
+ academic interest
+ ethical hackers
+ criminal entities
+ reputation/fame in the community
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Examples of past IP issues
+
+
+ The various levels of TCP/IP protocols security (examples)
+ Layer 2
+ MAC spoofing
+ overflowing MAC address table of switches
+ promiscuous mode for packet sniffing
+ Layer 3
+ IP address spoofing
+ source routing
+ invalid options / option parsing
+ fragmentation re-assembly attacks
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Examples of past IP issues
+
+
+ Layer 4
+ port number prediction
+ TCP session hijacking
+ RST/FIN spoofing
+ invalid flag combinations
+ Layer 5+
+ buffer overflows
+ format string vulnerabilities
+ stack smashing
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Reasons for Internet scrutiny
+
+
+ Why do we have that much TCP/IP security research?
+ Open specification of protocols (IETF, W3C)
+ Lots of 3rd party textbooks on those protocols
+ Same Technology around for multiple decades
+ Network widely deployed, everyone can get access
+ Attractive targets on the network
+ Cheap hardware to get low-level bitstream access
+ Intelligence of protocols in end nodes, not network
+ Protocols implemented in host software, not firmware
+ Many open source implementations of protocols
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Comparison with GSM
+
+
+ Lets compare this with e.g. the GSM network
+ Open specification of protocols (ETSI/3GPP)
+ ! Almost zero 3rd party literature on protocols
+ ! Technology only around since early 1990s
+ Network widely deployed, everyone can get access
+ Attractive targets on the network
+ ! No hardware for low-level bitstream access
+ ! Intelligence in the network as well as end nodes
+ ! Protocols implemented in device firmware
+ ! Zero open source implementations of the protocols
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Comparison with DECT
+
+
+ Lets compare this with e.g. the DECT protocols
+ Open specification of protocols (ETSI)
+ ! Almost zero 3rd party literature on protocols
+ ! Technology only around since early 1990s
+ ! Only smaller networks in companies, or single-cell home installations
+ ! Attractive targets, but not accessible remotely
+ ! No hardware for low-level bitstream access
+ ! Intelligence in the network as well as end nodes
+ ! Protocols implemented in device firmware
+ ! Zero open source implementations of the protocols
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Comparison with RFID
+
+
+ Lets compare this with e.g. the RFID world
+ ! Many protocols proprietary and not openly specified
+ ! Very few 3rd party literature on protocols
+ ! Technology only around since late 1990s
+ ! Widely deployed in access control and payment systems
+ ! Attractive targets, but not accessible remotely
+ ! No hardware for low-level bitstream access
+ Intelligence of protocol in end nodes
+ ! Protocols implemented in device firmware
+ ! Only one open source implementation of very few protocols
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Conclusions (1/3)
+
+
+ Knowledge about non-Internet communications protocols hard to obtain
+ standards documents very verbose and hard to read
+ no good books
+ very few people know it, very few courses/classes
+ no open source protocol implementations
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Conclusions (2/3)
+
+
+ Bitstream access to low level protocol data close to impossible
+ there is a lack of the equivalent of an 'Ethernet card in promiscuous mode with tcpdump/wireshark'
+ only device manufacturers inside the industry have the technology
+ they are very secretive and closed
+ very few commercial implementations (two to five in all devices world wide!)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Conclusions (3/3)
+
+
+ Security researchers are software/crypto/maths geeks
+ usually have very limited knowledge about hardware
+ even less knowledge about RF / radio / signal processing
+ There are very few hardware developers with 'Free Software' spirit
+ usually have very limited knowledge about security
+ The industry is aware of their security issues and they're afraid
+ they will not provide any technical assistance
+ they profit from security by obscurity
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Results
+
+
+ Non-Internet communications doesn't receive any reasonable amount of scrutiny at all
+
+ Many existing attacks or attack principles that have been long known in the Internet are not known or haven't been tried in other protocols
+
+ Overall security of non-Internet networks is much weaker
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+How to change it
+
+How do we change this?
+ By developing hardware for low-level bitstream access
+ Universal Software Radio Peripheral (USRP)
+ Open Hardware SDR platform
+ OpenPCD, OpenPICC
+ specifically for 13.56MHz RFID
+ By developing Open Source low level protocol implementations
+ GSM: http://wiki.thc.org/gsm/decode
+ DECT: work behind the scenes in CCC
+ RFID: http://www.openmrtd.org/projects/librfid
+ By rising awareness about the lack of securtiy
+ By having more people try to understand hardware
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Closer look at USRP project
+
+
+ Project scope
+ develop Open Source software defined radio platform
+ develop RF frontends for receive and transmit on all bands
+
+ Project status
+ USRP1 finished and in production for a number of yearsI
+ Various frontends for 0...2.7GHz Rx + Tx available
+ USRP2 in final R&D stage (gigabit ethernet, no USB2)
+
+ Result
+ Hardware is used by THC GSM, CCC DECT and other projects
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Closer look at gnuradio project
+
+
+ Project scope
+ develop Free Software toolkit for SDR
+ implement all major algorithms (de/modulator, filter, interpolator, bit sync, frame sync, ...)
+ implement software for as many protocols as possible
+
+ Project status
+ All analog modulations (AM/FM/SSB/...) for amateur radio and commercial broadcast
+ Demodulation of ASK, FSK, GMSK, BPSK, QPSK, QAM and others
+ Full ATSC implementation years ago (broadcast flag debate)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Closer look at THC GSM project
+
+
+ Project has wide scope:
+ cracking of A5/1 and A5/2 algorithms
+ demodulation/decoding/demultiplex of GSM Um Interface
+ GSM Um protocol plugin for wireshark
+ finally, they aim for GSM transmit side, too!
+
+ Project status (GSM Rx side)
+ demodulation/decoding/demultiplex with gnuradio+USRP
+ wireshark plugin coming nicely along
+ code is public, anyone can use it today!
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Closer look at CCC DECT security project
+
+
+ Project scope
+ implement software for DECT receive/decode in gnuradio
+ implement custom cheap hardware for DECT Rx+Tx
+ implement wireshark DECT plugin
+ attempt to discover DSC (on-die in DECT burst controllers)
+ attempt to discover DSAA (in device firmware)
+
+ Project status
+ custom hardware, gnuradio software and wireshark plugin working
+ DSAA shows good progress
+ DSC progress very slow
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Closer look at OpenPCD project
+
+
+ Project scope
+ open hardware design for 13.56MHz RFID reader
+ open source firmware for reader
+ open source protocol stack (librfid)
+ open source sniffer and RFID card emulator (OpenPICC)
+ Project status
+ OpenPCD hardware is finished and in production
+ supports MIFARE, ISO 14443-1,2,3,4 A+B, ISO15693
+ no GUI and stable high-level API yet
+ OpenPICC R&D painful, but expected to be finished Q3/2008
+ Result for security researchers
+ OpenPCD and OpenPICC used extensively in MIFARE classic attacks
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Communications Security
+Thanks
+
+
+ Motorola, HTC
+ for producing mobile phones with security holes, enabling people to hack
+ OpenMoko, Inc.
+ for trying to bring more openness into the closed mobile market
+ Philips / NXP
+ for encrypting the documentation on their RFID chipsets with only 40bit, thus enabling OpenPCD and librfid development
+ Chaos Computer Club
+ for providing a forum (home?) to many ethical hackers
+ Milosch, starbug, Henryk
+ for their great work on Mifare Classic / CRYPTO1 hacking
+ THC
+ for starting and driving the GSM hacking project
+ Matt Ettus and Eric Blossom
+ for the marvels of USRP and gnuradio
+ Linuxtag, specifically Nils Magnus
+ for inviting me to speak here
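Review bot: the newly added slide deck (security_beyond_internet.mgp) carries a few typos that will be visible on screen and should be corrected in this commit: `who has co-developed the netfiter/iptables packet filter` should read "netfilter", `USRP1 finished and in production for a number of yearsI` has a stray trailing "I", and `By rising awareness about the lack of securtiy` should read "raising awareness about the lack of security". The three comparison slides open with "Lets compare" (wants "Let's"), and the RFID slide's "Very few 3rd party literature" should be "Very little". The rest of the hunk is a plain new-file addition of presentation text with no code or configuration, so nothing further to flag.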
personal git repositories of Harald Welte. Your mileage may vary