%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"

%center
%size 5
Network Security beyond TCP/IP/Ethernet

%center
%size 4
by Harald Welte

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Introduction

	Who is speaking to you?
		an independent Free Software developer, consultant and trainer
		who has been a member of the Free Software community for 13 years
		who actually has a professional background in hardware
		who has co-developed the netfilter/iptables packet filter
		who has started gpl-violations.org
		and who has been lead hardware + system software architect for Openmoko until recently

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Content

	Data Communications
	Security Research
	TCP/IP hacks for every layer

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Data Communications

	Data communications protocols are all around us
		Internet and Intranet (Ethernet/TCP/IP)
		2G/2.5G cellular networks (GSM)
		3G/3.5G cellular networks (UMTS)
		Cordless Phones (DECT)
		Various RFID technologies
		TETRA for police / fire brigade

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Internet Security Research

	Security Research on the Internet
		by independent hackers
		by security consultants
		by independent research organizations
		by academia
	Motivation
		academic interest
		ethical hackers
		criminal entities
		reputation/fame in the community

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Examples of past IP issues

	The various levels of TCP/IP protocol security (examples)
	Layer 2
		MAC spoofing
		overflowing the MAC address table of switches
		promiscuous mode for packet sniffing
	Layer 3
		IP address spoofing
		source routing
		invalid options / option parsing
		fragmentation re-assembly attacks

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Examples of past IP issues

	Layer 4
		port number prediction
		TCP session hijacking
		RST/FIN spoofing
		invalid flag combinations
	Layer 5+
		buffer overflows
		format string vulnerabilities
		stack smashing

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Reasons for Internet scrutiny

	Why do we have that much TCP/IP security research?
		Open specification of protocols (IETF, W3C)
		Lots of 3rd party textbooks on those protocols
		Same technology around for multiple decades
		Network widely deployed, everyone can get access
		Attractive targets on the network
		Cheap hardware to get low-level bitstream access
		Intelligence of protocols in end nodes, not the network
		Protocols implemented in host software, not firmware
		Many open source implementations of the protocols

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Comparison with GSM

	Let's compare this with e.g. the GSM network
		Open specification of protocols (ETSI/3GPP)
		! Almost zero 3rd party literature on the protocols
		! Technology only around since the early 1990s
		Network widely deployed, everyone can get access
		Attractive targets on the network
		! No hardware for low-level bitstream access
		! Intelligence in the network as well as in end nodes
		! Protocols implemented in device firmware
		! Zero open source implementations of the protocols

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Comparison with DECT

	Let's compare this with e.g. the DECT protocols
		Open specification of protocols (ETSI)
		! Almost zero 3rd party literature on the protocols
		! Technology only around since the early 1990s
		! Only smaller networks in companies, or single-cell home installations
		! Attractive targets, but not accessible remotely
		! No hardware for low-level bitstream access
		! Intelligence in the network as well as in end nodes
		! Protocols implemented in device firmware
		! Zero open source implementations of the protocols

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Comparison with RFID

	Let's compare this with e.g. the RFID world
		! Many protocols proprietary and not openly specified
		! Very little 3rd party literature on the protocols
		! Technology only around since the late 1990s
		! Widely deployed in access control and payment systems
		! Attractive targets, but not accessible remotely
		! No hardware for low-level bitstream access
		Intelligence of the protocol in end nodes
		! Protocols implemented in device firmware
		! Only one open source implementation of very few protocols

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Conclusions (1/3)

	Knowledge about non-Internet communications protocols is hard to obtain
		standards documents are very verbose and hard to read
		no good books
		very few people know it, very few courses/classes
		no open source protocol implementations

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Conclusions (2/3)

	Bitstream access to low-level protocol data is close to impossible
		there is no equivalent of an 'Ethernet card in promiscuous mode with tcpdump/wireshark'
		only device manufacturers inside the industry have the technology
			they are very secretive and closed
			very few commercial implementations (two to five in all devices world wide!)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Conclusions (3/3)

	Security researchers are software/crypto/maths geeks
		usually have very limited knowledge about hardware
		even less knowledge about RF / radio / signal processing
	There are very few hardware developers with a 'Free Software' spirit
		usually have very limited knowledge about security
	The industry is aware of its security issues and is afraid
		they will not provide any technical assistance
		they profit from security by obscurity

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Results

	Non-Internet communications doesn't receive any reasonable amount of scrutiny at all
	Many existing attacks or attack principles that have long been known on the Internet are not known or haven't been tried in other protocols
	Overall security of non-Internet networks is much weaker

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
How to change it

	How do we change this?
		By developing hardware for low-level bitstream access
			Universal Software Radio Peripheral (USRP) Open Hardware SDR platform
			OpenPCD, OpenPICC specifically for 13.56MHz RFID
		By developing Open Source low-level protocol implementations
			GSM: http://wiki.thc.org/gsm/decode
			DECT: work behind the scenes in CCC
			RFID: http://www.openmrtd.org/projects/librfid
		By raising awareness about the lack of security
		By having more people try to understand hardware

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Closer look at USRP project

	Project scope
		develop Open Source software defined radio platform
		develop RF frontends for receive and transmit on all bands
	Project status
		USRP1 finished and in production for a number of years
		Various frontends for 0...2.7GHz Rx + Tx available
		USRP2 in final R&D stage (gigabit ethernet, no USB2)
	Result
		Hardware is used by THC GSM, CCC DECT and other projects

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Closer look at gnuradio project

	Project scope
		develop Free Software toolkit for SDR
		implement all major algorithms (de/modulator, filter, interpolator, bit sync, frame sync, ...)
		implement software for as many protocols as possible
	Project status
		All analog modulations (AM/FM/SSB/...) for amateur radio and commercial broadcast
		Demodulation of ASK, FSK, GMSK, BPSK, QPSK, QAM and others
		Full ATSC implementation years ago (broadcast flag debate)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Closer look at THC GSM project

	Project has wide scope:
		cracking of A5/1 and A5/2 algorithms
		demodulation/decoding/demultiplexing of the GSM Um interface
		GSM Um protocol plugin for wireshark
		finally, they aim for the GSM transmit side, too!
	Project status (GSM Rx side)
		demodulation/decoding/demultiplexing with gnuradio+USRP
		wireshark plugin coming along nicely
		code is public, anyone can use it today!

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Closer look at CCC DECT security project

	Project scope
		implement software for DECT receive/decode in gnuradio
		implement custom cheap hardware for DECT Rx+Tx
		implement wireshark DECT plugin
		attempt to discover DSC (on-die in DECT burst controllers)
		attempt to discover DSAA (in device firmware)
	Project status
		custom hardware, gnuradio software and wireshark plugin working
		DSAA shows good progress
		DSC progress very slow

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Closer look at OpenPCD project

	Project scope
		open hardware design for 13.56MHz RFID reader
		open source firmware for the reader
		open source protocol stack (librfid)
		open source sniffer and RFID card emulator (OpenPICC)
	Project status
		OpenPCD hardware is finished and in production
		supports MIFARE, ISO 14443-1,2,3,4 A+B, ISO15693
		no GUI and no stable high-level API yet
		OpenPICC R&D painful, but expected to be finished Q3/2008
	Result for security researchers
		OpenPCD and OpenPICC used extensively in MIFARE Classic attacks

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Communications Security
Thanks

	Motorola, HTC
		for producing mobile phones with security holes, enabling people to hack
	OpenMoko, Inc.
		for trying to bring more openness into the closed mobile market
	Philips / NXP
		for encrypting the documentation on their RFID chipsets with only 40 bit, thus enabling OpenPCD and librfid development
	Chaos Computer Club
		for providing a forum (home?) to many ethical hackers
	Milosch, starbug, Henryk
		for their great work on Mifare Classic / CRYPTO1 hacking
	THC
		for starting and driving the GSM hacking project
	Matt Ettus and Eric Blossom
		for the marvels of USRP and gnuradio
	Linuxtag, specifically Nils Magnus
		for inviting me to speak here
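The gnuradio and THC GSM slides above describe software that turns sampled RF into a bitstream by demodulating it. The following pure-Python script is an added example (not from these slides, from gnuradio or from the THC project) of the simplest such stage: a 2-FSK modulator and a non-coherent tone-energy demodulator, so that a reader can see on synthetic samples what "demodulation of FSK" means before a protocol decoder ever sees a bit. The sample rate, baud rate, tone frequencies and noise level are constructed for the example and belong to no protocol named on the slides; symbol timing is assumed known, so the bit-sync and frame-sync stages the gnuradio slide lists are deliberately left out.

```python
"""2-FSK modulator and non-coherent demodulator in pure Python (added example).

Parameters are constructed for illustration and are not those of any real
air interface.  Symbol timing is assumed known (no bit/frame sync).
"""
import math
import random

SAMPLE_RATE = 8000          # samples per second (constructed value)
BAUD = 100                  # symbols per second (constructed value)
SPS = SAMPLE_RATE // BAUD   # samples per symbol: 80
F_SPACE = 1000.0            # tone carrying bit 0, in Hz (constructed)
F_MARK = 2000.0             # tone carrying bit 1, in Hz (constructed)
# Tone spacing is a multiple of BAUD, so the tones are orthogonal over one
# symbol period and the detector below sees no cross-talk.


def bytes_to_bits(data: bytes) -> list:
    """Serialise bytes MSB-first into a list of 0/1 integers."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    """Inverse of bytes_to_bits; trailing partial bytes are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def modulate(bits: list) -> list:
    """Continuous-phase 2-FSK: one tone per symbol, phase carried across symbols."""
    samples = []
    phase = 0.0
    for bit in bits:
        step = 2 * math.pi * (F_MARK if bit else F_SPACE) / SAMPLE_RATE
        for _ in range(SPS):
            samples.append(math.sin(phase))
            phase += step
    return samples


def add_noise(samples: list, sigma: float, seed: int = 1) -> list:
    """Add seeded Gaussian noise so the run is deterministic but non-ideal."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def _tone_energy(chunk: list, freq: float) -> float:
    """Non-coherent detector: I^2 + Q^2 of the correlation with one tone.

    Squaring and summing the in-phase and quadrature correlations makes the
    decision independent of the unknown carrier phase at the symbol start.
    """
    i_acc = q_acc = 0.0
    for n, s in enumerate(chunk):
        arg = 2 * math.pi * freq * n / SAMPLE_RATE
        i_acc += s * math.cos(arg)
        q_acc += s * math.sin(arg)
    return i_acc * i_acc + q_acc * q_acc


def demodulate(samples: list) -> list:
    """Slice the stream into symbol periods and pick the stronger tone."""
    bits = []
    for start in range(0, len(samples) - SPS + 1, SPS):
        chunk = samples[start:start + SPS]
        mark = _tone_energy(chunk, F_MARK)
        space = _tone_energy(chunk, F_SPACE)
        bits.append(1 if mark > space else 0)
    return bits


def roundtrip(data: bytes, sigma: float = 0.5) -> bytes:
    """Modulate, corrupt with noise, demodulate; returns the recovered bytes."""
    return bits_to_bytes(demodulate(add_noise(modulate(bytes_to_bits(data)), sigma)))


if __name__ == "__main__":
    payload = b"GSM"
    print("sent     :", payload)
    print("recovered:", roundtrip(payload))
```

The decision rule compares the energy at the two tones over each symbol period, which is why the detector tolerates the arbitrary carrier phase that a real receiver never knows. A real pipeline, as the gnuradio slide lists, has to recover symbol timing and frame boundaries first; here the demodulator simply starts at sample zero and steps by SPS, which is the one simplification that separates this script from a usable receiver.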