From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Sun, 25 Oct 2015 21:00:20 +0100 Subject: import of old now defunct presentation slides svn repo --- .../security_beyond_internet.mgp | 362 +++++++++++++++++++++ 1 file changed, 362 insertions(+) create mode 100644 2008/security_beyond_internet-lt2008/security_beyond_internet.mgp diff --git a/2008/security_beyond_internet-lt2008/security_beyond_internet.mgp b/2008/security_beyond_internet-lt2008/security_beyond_internet.mgp new file mode 100644 index 0000000..95ad2ea --- /dev/null +++ b/2008/security_beyond_internet-lt2008/security_beyond_internet.mgp 
@@ -0,0 +1,362 @@ +%include "default.mgp" +%default 1 bgrad +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +%nodefault +%back "blue" + + +%center +%size 5 +Network Security +beyond TCP/IP/Ethernet + + +%center +%size 4 +by + +Harald Welte + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Introduction + +Who is speaking to you? + + an independent Free Software developer, consultant and trainer + who is a member of the Free Software community for 13 years + who actually has a professional background in hardware + who has co-developed the netfiter/iptables packet filter + who has started gpl-violations.org + and who's been lead hardware + system software architect for Openmoko until recently + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Content + + Data Communications + Security Research + TCP/IP hacks for every layer + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Data Communications + + + Data communications protocols are all around us + Internet and Intranet (Ethernet/TCP/IP) + 2G/2.5G cellular networks (GSM) + 3G/3.5G cellular networks (UMTS) + Cordless Phones (DECT) + Various RFID technologies + TETRA for police / fire brigade + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Internet Security Research + + + Security Research on the Internet + by independent hackers + by security consultants + by independent research organizations + by the academia + + Motivation + academic interest + ethical hackers + criminal entities + reputation/fame in the community + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Examples of past IP issues + + + The various levels of TCP/IP protocols security (examples) + Layer 2 + MAC spoofing + overflowing MAC 
address table of switches + promiscuous mode for packet sniffing + Layer 3 + IP address spoofing + source routing + invalid options / option parsing + fragmentation re-assembly attacks + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Examples of past IP issues + + + Layer 4 + port number prediction + TCP session hijacking + RST/FIN spoofing + invalid flag combinations + Layer 5+ + buffer overflows + format string vulnerabilities + stack smashing + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Reasons for Internet scrutiny + + + Why do we have that much TCP/IP security research? + Open specification of protocols (IETF, W3C) + Lots of 3rd party textbooks on those protocols + Same Technology around for multiple decades + Network widely deployed, everyone can get access + Attractive targets on the network + Cheap hardware to get low-level bitstream access + Intelligence of protocols in end nodes, not network + Protocols implemented in host software, not firmware + Many open source implementations of protocols + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Comparison with GSM + + + Lets compare this with e.g. the GSM network + Open specification of protocols (ETSI/3GPP) + ! Almost zero 3rd party literature on protocols + ! Technology only around since early 1990s + Network widely deployed, everyone can get access + Attractive targets on the network + ! No hardware for low-level bitstream access + ! Intelligence in the network as well as end nodes + ! Protocols implemented in device firmware + ! Zero open source implementations of the protocols + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Comparison with DECT + + + Lets compare this with e.g. the DECT protocols + Open specification of protocols (ETSI) + ! 
Almost zero 3rd party literature on protocols + ! Technology only around since early 1990s + ! Only smaller networks in companies, or single-cell home installations + ! Attractive targets, but not accessible remotely + ! No hardware for low-level bitstream access + ! Intelligence in the network as well as end nodes + ! Protocols implemented in device firmware + ! Zero open source implementations of the protocols + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Comparison with RFID + + + Lets compare this with e.g. the RFID world + ! Many protocols proprietary and not openly specified + ! Very few 3rd party literature on protocols + ! Technology only around since late 1990s + ! Widely deployed in access control and payment systems + ! Attractive targets, but not accessible remotely + ! No hardware for low-level bitstream access + Intelligence of protocol in end nodes + ! Protocols implemented in device firmware + ! Only one open source implementation of very few protocols + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Conclusions (1/3) + + + Knowledge about non-Internet communications protocols hard to obtain + standards documents very verbose and hard to read + no good books + very few people know it, very few courses/classes + no open source protocol implementations + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Conclusions (2/3) + + + Bitstream access to low level protocol data close to impossible + there is a lack of the equivalent of an 'Ethernet card in promiscuous mode with tcpdump/wireshark' + only device manufacturers inside the industry have the technology + they are very secretive and closed + very few commercial implementations (two to five in all devices world wide!) 
+ + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Conclusions (3/3) + + + Security researchers are software/crypto/maths geeks + usually have very limited knowledge about hardware + even less knowledge about RF / radio / signal processing + There are very few hardware developers with 'Free Software' spirit + usually have very limited knowledge about security + The industry is aware of their security issues and they're afraid + they will not provide any technical assistance + they profit from security by obscurity + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Results + + + Non-Internet communications doesn't receive any reasonable amount of scrutiny at all + + Many existing attacks or attack principles that have been long known in the Internet are not known or haven't been tried in other protocols + + Overall security of non-Internet networks is much weaker + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +How to change it + +How do we change this? 
+ By developing hardware for low-level bitstream access + Universal Software Radio Peripheral (USRP) + Open Hardware SDR platform + OpenPCD, OpenPICC + specifically for 13.56MHz RFID + By developing Open Source low level protocol implementations + GSM: http://wiki.thc.org/gsm/decode + DECT: work behind the scenes in CCC + RFID: http://www.openmrtd.org/projects/librfid + By rising awareness about the lack of securtiy + By having more people try to understand hardware + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Closer look at USRP project + + + Project scope + develop Open Source software defined radio platform + develop RF frontends for receive and transmit on all bands + + Project status + USRP1 finished and in production for a number of yearsI + Various frontends for 0...2.7GHz Rx + Tx available + USRP2 in final R&D stage (gigabit ethernet, no USB2) + + Result + Hardware is used by THC GSM, CCC DECT and other projects + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Closer look at gnuradio project + + + Project scope + develop Free Software toolkit for SDR + implement all major algorithms (de/modulator, filter, interpolator, bit sync, frame sync, ...) + implement software for as many protocols as possible + + Project status + All analog modulations (AM/FM/SSB/...) for amateur radio and commercial broadcast + Demodulation of ASK, FSK, GMSK, BPSK, QPSK, QAM and others + Full ATSC implementation years ago (broadcast flag debate) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Closer look at THC GSM project + + + Project has wide scope: + cracking of A5/1 and A5/2 algorithms + demodulation/decoding/demultiplex of GSM Um Interface + GSM Um protocol plugin for wireshark + finally, they aim for GSM transmit side, too! 
+ + Project status (GSM Rx side) + demodulation/decoding/demultiplex with gnuradio+USRP + wireshark plugin coming nicely along + code is public, anyone can use it today! + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Closer look at CCC DECT security project + + + Project scope + implement software for DECT receive/decode in gnuradio + implement custom cheap hardware for DECT Rx+Tx + implement wireshark DECT plugin + attempt to discover DSC (on-die in DECT burst controllers) + attempt to discover DSAA (in device firmware) + + Project status + custom hardware, gnuradio software and wireshark plugin working + DSAA shows good progress + DSC progress very slow + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Closer look at OpenPCD project + + + Project scope + open hardware design for 13.56MHz RFID reader + open source firmware for reader + open source protocol stack (librfid) + open source sniffer and RFID card emulator (OpenPICC) + Project status + OpenPCD hardware is finished and in production + supports MIFARE, ISO 14443-1,2,3,4 A+B, ISO15693 + no GUI and stable high-level API yet + OpenPICC R&D painful, but expected to be finished Q3/2008 + Result for security researchers + OpenPCD and OpenPICC used extensively in MIFARE classic attacks + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Communications Security +Thanks + + + Motorola, HTC + for producing mobile phones with security holes, enabling people to hack + OpenMoko, Inc. + for trying to bring more openness into the closed mobile market + Philips / NXP + for encrypting the documentation on their RFID chipsets with only 40bit, thus enabling OpenPCD and librfid development + Chaos Computer Club + for providing a forum (home?) 
to many ethical hackers + Milosch, starbug, Henryk + for their great work on Mifare Classic / CRYPTO1 hacking + THC + for starting and driving the GSM hacking project + Matt Ettus and Eric Blossom + for the marvels of USRP and gnuradio + Linuxtag, specifically Nils Magnus + for inviting me to speak here -- cgit v1.2.3
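Review bot: the imported slide text carries a few typos that are worth fixing, either in this import or in a follow-up commit if the intent is to keep the svn history verbatim: `who has co-developed the netfiter/iptables packet filter` should read `netfilter/iptables`, `By rising awareness about the lack of securtiy` should read `raising awareness about the lack of security`, and `USRP1 finished and in production for a number of yearsI` has a stray trailing `I`. The three `Lets compare this with e.g. ...` slide titles also want an apostrophe (`Let's`). Nothing else in the hunk needs attention; the %page/%center/%size directives match the `default.mgp` include used at the top of the file.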