
Thursday, April 12, 2012

HES 2012 ...


Revisiting Baseband Attacks by Ralf-Philipp Weinmann (University of Luxembourg)

  
The speaker explains that his current work builds on his research from 2010. He then gives a quick review of the known baseband attacks and of the state of the art on the subject.

He then describes different attack scenarios, such as setting up a rogue BTS operated by the attacker.

He underlines that, globally, operators still believe it is impossible for researchers to implement their own cell phone network.
    
A video demonstration then showed a rogue BTS (physically based on a USRP and driven by the OpenBTS software). A call was placed from one phone to another through the rogue BTS.
The rest of the presentation was organized as follows:
  • How the defensive side is organized
  • How attacker capabilities are continuously increasing
  • New hardware platforms
  • Silver bullet
  • How it is possible to attack the cell network infrastructure (turning the tables)
Defensive side
The speaker mentions that internal audits are happening and that vendors take reports seriously. The real problems are at the end of the chain: OEMs are slow to fix security bugs and don't see the benefit of shipping an update.

Globally, the countermeasures observed are:
  • Not a single firmware image with stack cookies seen
  • Qualcomm's modem heap: safe unlinking
  • X-Gold 61x: DEP is useless due to the ITCM (instruction tightly-coupled memory)
  • No ASLR (not going to happen, because it needs complicated work)
Attacker capabilities
  • qcombbdbg helps a lot in understanding the Qualcomm stack
  • Unlike what was claimed in 2010, JTAG is possible on a number of production phones with a Qualcomm chipset
  • Practical JTAG: the RIFF box, usually used by unlockers, helps with JTAG tracing
  • For 3G: the Anritsu MD84OB, a 3G protocol tester that also allows handover simulation
  • Baseband heaps are better understood

       
That was really a good presentation which I appreciated, and I hope that I'll get the chance to work one day on this kind of subject...



Strange and Radiant Machines in the PHY Layer by Travis Goodspeed & Sergey Bratus

    
The content of this talk was really interesting: the speakers shed light on attacks that target digital radio at the physical layer.

Before that, they gave an idea of how hardware bugs are identified, insisting that before trying to attack a piece of hardware, it is important to first get hold of the software that resides in it.
   
The idea, as Travis Goodspeed explains it on his blog, is:

"Layer 1 radio protocols are vulnerable to injections similar to those that plague naively implemented SQL websites. You can place one packet inside of another packet and have the inner packet drop out to become a frame of its own. We call the technique Packet-in-Packet, or PIP for short" [Goodspeed's blog].

So the key words of this talk were packet injection and PIP (Packet-in-Packet). The PIP technique consists in "placing a complete radio frame within the body of a larger frame, then leveraging noise or protocol differences to cause the start of the outer frame to be missed" [Goodspeed]. Since the receiver has no way of knowing that the bytes it is synchronizing on are the payload of a frame it missed, the inner frame is demodulated and delivered like any legitimately transmitted frame.
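As an added example (not code from the talk, and not Goodspeed's tools), the following Python simulates the PIP mechanism on a constructed toy frame format: a preamble, a two-byte sync word, a one-byte length field and the payload. The frame layout, the constants and the naive bit-level receiver are assumptions made for the demonstration, not a real PHY. An attacker who controls only the payload of an outer frame embeds a complete inner frame in it; on a clean channel the receiver delivers the outer frame, but when noise corrupts a single bit of the outer sync word, the receiver keeps sliding bit by bit, locks onto the inner sync word and delivers the inner frame as if it had been transmitted on its own.

```python
"""Packet-in-Packet (PIP) against a toy PHY.

Constructed example: a byte-oriented frame format (preamble, sync word,
length byte, payload) and a naive bit-level receiver. None of the constants
belong to a real radio; they are assumptions for the demonstration.
"""

PREAMBLE = b"\xAA\xAA\xAA\xAA"   # alternating 1/0 pattern used for clock recovery
SFD = b"\xD3\x91"                 # constructed start-of-frame delimiter (assumption)
SYNC = PREAMBLE[-1:] + SFD        # the naive receiver locks onto one preamble byte + SFD


def build_frame(payload: bytes) -> bytes:
    """Frame = preamble | SFD | 1-byte length | payload (no CRC in this toy)."""
    if len(payload) > 255:
        raise ValueError("payload too long for a 1-byte length field")
    return PREAMBLE + SFD + bytes([len(payload)]) + payload


def to_bits(data: bytes) -> list:
    """MSB-first bit list, i.e. what goes on the air."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits: list) -> bytes:
    """Inverse of to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def receive(bitstream: list) -> list:
    """Naive receiver: slide bit by bit until SYNC matches, then read the length
    and the payload, then start searching again. It has no notion of already
    being 'inside' a frame, which is exactly what PIP exploits."""
    sync = to_bits(SYNC)
    frames, i = [], 0
    while i + len(sync) + 8 <= len(bitstream):
        if bitstream[i:i + len(sync)] != sync:
            i += 1
            continue
        i += len(sync)
        length = from_bits(bitstream[i:i + 8])[0]
        i += 8
        frames.append(from_bits(bitstream[i:i + 8 * length]))
        i += 8 * length
    return frames


def pip_demo():
    """The attacker controls only the payload of the outer frame and embeds a
    complete inner frame in it. Returns (frames delivered on a clean channel,
    frames delivered when noise flips one bit of the outer SFD)."""
    inner = build_frame(b"INNER")
    outer_payload = b"\x00\x01" + inner + b"\xFF"   # innocuous bytes around the inner frame
    outer = build_frame(outer_payload)

    clean = to_bits(outer)
    noisy = clean[:]
    noisy[len(PREAMBLE) * 8 + 3] ^= 1               # a single bit error inside the outer SFD
    return receive(clean), receive(noisy)


if __name__ == "__main__":
    clean_rx, noisy_rx = pip_demo()
    print("clean channel :", clean_rx)   # the outer payload, inner frame carried as data
    print("noisy channel :", noisy_rx)   # [b'INNER']: the inner frame became a frame of its own
```

Because the inner frame is a complete, well-formed frame, any checksum it carried would verify as well; whatever checks the receiver applies to the outer frame never run, since it never saw that frame start. The bit position flipped here is arbitrary: any error that breaks the outer sync pattern gives the same result, which is why the attack works probabilistically on a real, noisy link.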


For those who want to play with this type of attack, Goodspeed also presented a vulnerability affecting Microsoft wireless keyboards: he developed a tool that sniffs the traffic between a keyboard and its host. Nice work...



Hardware backdooring is practical by Jonathan Brossard & Florentin    

   
Jonathan B. and Florentin presented the state of the art of hardware backdooring.
As an introduction, the speakers gave an overview of the main components used to build their proof of concept, Rakshasa.
Globally, the agenda of the presentation was as follows:
A brief overview of the x86 architecture: here Florentin pointed out that the TPM sits between the southbridge and the Super I/O component, which puts the TPM far from the CPU.
An overview of the Coreboot project.
A presentation of the design of Rakshasa; the PoC is built from:

  • Kon-Boot
  • Coreboot
  • SeaBIOS
  • iPXE
  • some payloads


Overall, the presentation was technically interesting...



Cryptographic Function Identification in Obfuscated Binary Programs by Joan Calvet





One of the most recurrent challenges facing security researchers, reversers and pentesters is identifying cryptographic functions in a binary program. Malware analysts in particular have to deal with samples that are, in most cases, obfuscated and make use of cryptographic functions.

Joan C., as a malware analyst, presented his methodology for identifying crypto functions in obfuscated programs. The methodology can be divided into the following steps:

  • Step 1: Collect an execution trace of the program (using a binary instrumentation tool such as Pin).
  • Step 2: Extract the crypto algorithm. The speaker underlines that IDA features and plugins are not efficient on obfuscated binaries. He therefore introduced his own approach, based on the principle of identifying the relationship between the inputs and outputs of the program. He assumes that loops are the characteristic code feature of crypto algorithms, and so defines loops and nested loops at the level of the execution trace rather than of the (obfuscated) control-flow graph.
  • Step 3: Analyze the results. This step compares the input/output behaviour deduced in the previous step with a real implementation of a crypto algorithm, in order to validate the results.
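To make the three steps concrete, here is an added Python example (constructed for this post; it is neither the speaker's tool nor his data) that runs the pipeline end to end: a synthesised trace standing in for a Pin trace of a program running TEA, with per-instruction memory reads and writes; loop detection as back-to-back repetitions of the same instruction-address sequence; extraction of each loop's inputs (memory read before being written inside the loop) and outputs (memory written inside the loop); and comparison with a reference TEA implementation, trying every ordering of the input values because the analyst does not know which memory slot holds which operand. The memory layout, the instruction addresses, the test vectors and the choice of TEA are assumptions.

```python
"""Loop-based identification of a crypto function in an execution trace.

Constructed example: the 'trace' below is synthesised to stand in for a Pin
trace; memory addresses, instruction addresses and the target algorithm (TEA)
are assumptions, not data from the talk.
"""
from itertools import permutations

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9


def _mix(x, s, ka, kb):
    # One TEA half-round. Masking only at the end equals 32-bit wrap at each step.
    return (((x << 4) + ka) ^ (x + s) ^ ((x >> 5) + kb)) & MASK


def tea_encrypt(v0, v1, k0, k1, k2, k3):
    """Reference TEA, 32 rounds: the 'real implementation' used for comparison."""
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + _mix(v1, s, k0, k1)) & MASK
        v1 = (v1 + _mix(v0, s, k2, k3)) & MASK
    return v0, v1


# Constructed memory layout of the 'unknown' program (assumption).
V0, V1, SUM = 0x1000, 0x1004, 0x3000
KEY = [0x2000 + 4 * i for i in range(4)]
OUT = [0x5000, 0x5004]


def constructed_trace(v0, v1, key):
    """Stand-in for an instruction trace: one record per executed instruction,
    with its address, the memory it read and the memory it wrote."""
    mem = {V0: v0, V1: v1, SUM: 0xDEADBEEF}
    mem.update(zip(KEY, key))
    trace = []

    def step(addr, reads, writes):
        trace.append({"addr": addr, "reads": {a: mem[a] for a in reads}, "writes": dict(writes)})
        mem.update(writes)

    step(0x400FF0, [], {SUM: 0})                                   # prologue: sum = 0
    for _ in range(32):                                            # the loop we want to find
        step(0x401000, [SUM], {SUM: (mem[SUM] + DELTA) & MASK})
        step(0x401004, [V1, KEY[0], SUM, KEY[1], V0],
             {V0: (mem[V0] + _mix(mem[V1], mem[SUM], key[0], key[1])) & MASK})
        step(0x401008, [V0, KEY[2], SUM, KEY[3], V1],
             {V1: (mem[V1] + _mix(mem[V0], mem[SUM], key[2], key[3])) & MASK})
        step(0x40100C, [], {})                                     # loop counter / branch
    step(0x401010, [V0, V1], {OUT[0]: mem[V0], OUT[1]: mem[V1]})  # epilogue: store result
    return trace


def find_loops(addrs, min_iters=2):
    """A loop is a sequence of instruction addresses repeated back to back.
    Returns (start index, iterations, body length), preferring the longest span."""
    loops, i = [], 0
    while i < len(addrs):
        best = None
        for body_len in range(1, (len(addrs) - i) // 2 + 1):
            body = addrs[i:i + body_len]
            k = 1
            while addrs[i + k * body_len:i + (k + 1) * body_len] == body:
                k += 1
            if k >= min_iters and (best is None or k * body_len > best[1] * best[2]):
                best = (i, k, body_len)
        if best is None:
            i += 1
        else:
            loops.append(best)
            i = best[0] + best[1] * best[2]
    return loops


def loop_io(trace, start, end):
    """Inputs: addresses read before any write inside the loop (value as read).
    Outputs: addresses written inside the loop (final value)."""
    inputs, outputs, written = {}, {}, set()
    for rec in trace[start:end]:
        for a, v in rec["reads"].items():
            if a not in written and a not in inputs:
                inputs[a] = v
        for a, v in rec["writes"].items():
            written.add(a)
            outputs[a] = v
    return inputs, outputs


def identify_tea(inputs, outputs):
    """Compare loop I/O with the reference. Which slot is v0, v1 or a key word
    is unknown, so every ordered choice of 6 input values is tried."""
    produced = set(outputs.values())
    for args in permutations(inputs.values(), 6):
        r0, r1 = tea_encrypt(*args)
        if r0 in produced and r1 in produced:
            return args
    return None


def analyze(trace):
    """Step 1 (trace) -> step 2 (loops + I/O) -> step 3 (compare with reference)."""
    addrs = [rec["addr"] for rec in trace]
    results = []
    for start, iters, body_len in find_loops(addrs):
        inputs, outputs = loop_io(trace, start, start + iters * body_len)
        results.append({"start": start, "iterations": iters, "body": body_len,
                        "tea_params": identify_tea(inputs, outputs)})
    return results


if __name__ == "__main__":
    trace = constructed_trace(0x11223344, 0x55667788,
                              [0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210])
    for r in analyze(trace):
        print(r)   # one loop of 32 iterations; tea_params recovers (v0, v1, k0..k3)
```

The loop detector works purely on the sequence of executed addresses, so an obfuscator that mangles the static control-flow graph does not hide the loop; only the dynamic repetition matters. The brute-force over parameter orderings is affordable here (7 input slots, 5040 orderings), and in practice is what turns a "loop with this input/output relation" into a named algorithm with a recovered key.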

Finally, the speaker presented a demo based on real-life cases, and the enhancements he still has to make to his PoC.

The talk was very clear and well explained. 

1 comment:

test said...

Hi, I have read your comment on carnal0wnage
http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-3.html

I am testing hdiv. Can you suggest me some of the areas to bypass hdiv?

Did you bypass the anti-CSRF mechanism of hdiv?