Continuing notes from DeepSec 2009, see also Notes from DeepSec 2009, day 1.
Weapons of Mass Pwnage: Attacking Deployment Solutions
A few words about attacks on systems for managing large networks
(provisioning, thin client management) in general (with a single standard
build it is only necessary to compromise or steal the standard build and
crack the password), then talked about specific attacks on Symatec Altiris
= Dell OpenManage = HP Rapid Deployment.
Cracking GSM Encryption
The GSM A5/1 cipher is known weak (too small key space), and attack devices
are "readily available" on the market, yet GSM is still considered secure by
users (online banking, payments, authentication. The presenter wants to
"demonstrate" GSM insecurity by precomputing rainbow tables that allow easy
decryption of GSM traffic by anyone.
Implementation notes: In principle the mapping of known output to secret state
can be precomputed (188 petabytes of raw data). Rainbow tables are used to
cut down the data size; to avoid many hard disk lookups, each chain ends
with a specific value (e.g. a key that ends with 0x00). Chosen a 4TB total
storage, 32-element chains. The implemented framework can be used for any
cipher with small key space.
Possible attacks on GSM:
- Passive listening, needs the above-described rainbow tables.
- Active: make the victim phone subscribe to a fake base station. Can be
detected, but no one is looking. GSM standard requires that phones must
be able to warn the user that encryption is disabled, but this can be
disabled by the SIM card and "all operators" do so (a "SIM proxy" can be
used to override the setting if you want the notification).
- "Semi-active": Record an encrypted call. Later, force the victim phone to subscribe to a fake base station, ask it to use
the A5/2 cipher (weak, used for export to semi-friendly countries) with
the same initial state (hence using same encryption key), crack the cipher to get the key,
use it to decrypt the A5/1-encrypted call. All tools for this attack (base station code, A5/2 cracking) are freely available.
Mitigation suggestions:
- Disable A5/2 to prevent the semi-active attack.
- A5/3 cipher was defined for 3G, many phones support it, but no network
operator supports it. The semi-active attack still allows cracking A5/3
if A5/1 is cracked, so the phones would have to disable A5/1 (completely
breaking compatibility with current networks).
Exploiting Printers by Analyzing Their Firmware
Printers are a quite easy target (they are not patched regularly, don't have an
anti-virus, quite a few printers are connected directly to the internet and
can be found using Google), are attractive (lots of confidential information,
larger printers have a hard drive that may contain even jobs printed before
the attack). Furthermore, firmware updates are usually available on the
internet, can be unpacked and examined for vulnerabilities (vulnerable
configuration, default accounts, vulnerable web scripts...). The firmware
image can often be run in qemu, which allows fuzzing the fimware without
testing on a live printer.
Curiously, byte frequencies can be used to distinguish between encrypted
images (uniform frequencies) and compressed images (non-uniform frequencies).
Also demonstrated a few discovered vulnerabilities, including a
deliberately planted backdoor.
Hijacking Mobile Data Connections 2.0: Automated and Improved
Using the "provisioning" facilities to reconfigure data connection.
Provisioning is usually authenticated either by requiring the user to enter a
PIN, or by IMSI (supposedly a shared secret between the SIM and network
operator, in practice can be bought for €0.02). Depending on a phone, the new
configuration may be used as a new default, or added as an alternative. The
provisioned configuration can replace DNS servers (not supported by some
phones), or set up a proxy (always supported). Due to the tiny UI users
probably won't notice if a
https connection is redirected to http.Countermeasures:
- Filter provisioning messages from the network
- Provide details of the new configuration in the phone UI
- Deny access to external DNS servers
Malware for SoHo Routers
Due to market pressure, routers are cheap, manufacturers ignore reports (or
threaten to sue), and it is easier to maintain a bot-net of routers than PCs
(no antivirus, no updates, isn't switched off at night, "normal people" can't
detect the malware). Attack can be performed e.g. by hijacking a browser
"inside" (perhaps after infecting an ordinary PC, to get a "more permanent"
zombie and a better way to re-infect the PC if it is cleaned).
Possible uses of an infected router:
- The attacker can set up a proxy on the router, and direct PCs to use it using uPnP.
- The attacker can host scam pages on the router—undetectable from outside (e.g. by the ISP).
- The attacker can add/replace advertisements in HTML responses.
"How to fix it for $0.10": Add a hardware switch that disables all
configuration interfaces (web, telnet, ...)
Building the Next IDS Engine
Presented the Open Information Security Foundation. Supported projects include:
- emergingthreats.net: BSD-licensed snort rule repository
- A new IDS engine (multi-threaded, with HW acceleration support), employing
"top experts" in the field to develop it. First release expected by end of 2009.
Foundation is grant-funded (e.g. US government) for now, should be
self-sufficient eventually. One option is to make the IDS engine available
under GPL, and give paying foundation members commercial licenses (and let
them influence the direction of the project).
Internet election for the German Bundestag
I have lost my notes from this lecture, so here's at least the proposed election system, which looks nice, simple and can be reasonably easily explained to non-programmers:
- Use existing government to give every user a certificate that allows them to vote.
- Provide a service that lets each certificate holder generate a single ballot
number. The ballot number is blind-signed, so it does not identify the
voter. - Vote by submitting a ballot with the specified ballot number.
- Publish all ballots (and the list of generated certificates?).
A practical DOS attack to the GSM network
GSM uses TDMA, a phone needs to allocate a slot before it can talk (even
authenticate) to the base station. An unused slot is kept reserved for
about 60 seconds, and there are only about 40 slots, which can be used up easily.
3-4 phones is enough to reliably block all slots, denying all phones access
to the base station. Because the phones don't identify to the base station,
the attack is anonymous until the phone is found by triangulation.
No mitigation known.
No comments:
Post a Comment