37 items tagged "gsm"
-
-
21:36
»
SecDocs
Authors: Harald Welte, Steve Markgraf
Tags: GSM phone
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In recent years, we have seen several Free Software projects implementing the network side of the GSM protocol. In 2010, OsmocomBB was started to create a free software implementation of the telephone-side. The OsmocomBB project is a Free Software implementation of the GSM protocol stack running on a mobile phone. For decades, the cellular industry comprised by cellphone chipset makers and network operators keep their hardware and system-level software as well as GSM protocol stack implementations closed. As a result, it was never possible to send arbitrary data at the lower levels of the GSM protocol stack. Existing phones only allow application-level data to be specified, such as SMS messages, IP over GPRS or circuit-switched data (CSD). Using OsmocomBB, the security researcher finally has a tool equivalent to an Ethernet card in the TCP/IP protocol world: A simple transceiver that will send arbitrary protocol messages to a GSM network.
-
-
21:48
»
SecDocs
Authors: Ralf-Philipp Weinmann
Tags: GSM
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Attack scenarios against mobile phones have thus far concentrated on the application processor. The operating systems running on these processors are getting hardened by vendors as can be seen in the case of Apple's iOS -- the current release uses data execution prevention and code signing. In contrast, the GSM stack running on the baseband processor is neglected. The advent of open-source solutions such as OpenBSC and OpenBTS for running GSM base stations is a game-changer: Malicious base stations are not within the attack model assumed by the GSMA and ETSI. This talk explores the viability of attacks against the baseband processor of GSM cellular phones. Results presented will be the first over-the-air memory corruption exploitation of bugs in a number of widespread GSM stacks that allow for remote code execution.
-
-
21:50
»
SecDocs
Authors: Karsten Nohl, Sylvain Munaut
Tags: GSM sniffer
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: GSM is still the most widely used security technology in the world with a user base of 5 billion and a quickly growing number of critical applications. 26C3's rainbow table attack on GSM's A5/1 encryption convinced many users that GSM calls should be considered unprotected. The network operators, however, have not woken up to the threat yet. Perhaps the new capabilities to be unleashed this year – like wide-band sniffing and real-time signal processing – will wake them up. Now that GSM A5/1 encryption can be cracked in seconds, the complexity of wireless phone snooping moved to signal processing. Since GSM hops over a multitude of channels, a large chunk of radio spectrum needs to be analyzed, for example with USRPs, and decoded before storage or decoding. We demonstrate how this high bandwidth task can be achieved with cheap programmable phones.
-
-
12:38
»
Packet Storm Security Exploits
This Metasploit module exploits a stack-based buffer overflow in GSM SIM Editor 5.15. When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer overflow occurs which allows an attacker to execute arbitrary code.
-
12:38
»
Packet Storm Security Recent Files
This Metasploit module exploits a stack-based buffer overflow in GSM SIM Editor 5.15. When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer overflow occurs which allows an attacker to execute arbitrary code.
-
12:38
»
Packet Storm Security Misc. Files
This Metasploit module exploits a stack-based buffer overflow in GSM SIM Editor 5.15. When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer overflow occurs which allows an attacker to execute arbitrary code.
-
-
13:24
»
Hack a Day
By now, most of us have seen one of those GSM to wi-fi hotspot bridges. They’re interesting devices, and being able to carry a small wireless router with you at all times is very handy. Surprisingly, we haven’t seen many builds featuring these portable wireless hotspots, something probably due to the effort in [...]
-
-
9:01
»
Hack a Day
If you’re looking to remotely control things around the house, but can’t do it over the Internet or via WiFi, the TiDiGino just might have what you’re looking for. [Boris Landoni] from Open Electronics sent some information on the TiDiGino our way, and it certainly looks like a useful device if you’re in need of [...]
-
-
21:30
»
SecDocs
-
-
10:32
»
SecDocs
Authors: Karsten Nohl
Tags: GSM phone
Event: Black Hat USA 2010
Abstract: Our most popular phone technologies use decade-old proprietary cryptography. GSM's 64bit A5/1 cipher, for instance, is vulnerable to time memory trade-offs but commercial cracking hardware costs hundreds of thousands of dollars. We discuss how cryptographic improvements and the power of the community created an open GSM decrypt solution that runs on commodity hardware. Besides GSM we discuss weaknesses in DECT cordless phones. The talk concludes with an overview of mitigation steps for GSM and DECT in response to our research, some of which are already being implemented.
-
-
0:35
»
SecDocs
Tags: GSM phone
Event: Black Hat USA 2010
Abstract: Recent technological advances have placed GSM tools within the reach of today's security researchers and hackers. It is finally possible to directly explore the lowest levels of the GSM stack. This talk focuses on both sides of the GSM network where the users and network directly interact: the Um (air) interface. The primary technological focus of this talk is on the exposed interfaces between the GSM networks and users. This covers the base station system -- the network components which communicate with mobile phones -- and the base band -- the component of the mobile phone which communicates with the network. During the talk the two main components of the attack system will be demoed - malicious basestations and malicious basebands. The base station enables fuzzing mobile phone basebands, as well as other attacks. The baseband is used to test GSM network equipment for flaws, as well as exploit backend systems. Trust us, you'll *want* to turn off your phone for the duration of this talk!
-
-
0:24
»
SecDocs
Authors: Harald Welte
Tags: GSM
Event: Hashdays 2010
Abstract: The OsmocomBB project is a Free Software implementation of the GSM protocol stack running on a mobile phone. For decades, the cellular industry comprised by cellphone chipset makers and network operators keep their hardware and system-level software as well as GSM protocol stack implementations closed. As a result, it was never possible to send arbitrary data at the lower levels of the GSM protocol stack. Existing phones only allow application-level data to be specified, such as SMS messages, IP over GPRS or circuit-switched data (CSD). Using OsmocomBB, the security researcher finally has a tool equivalent to an Ethernet card in the TCP/IP protocol world: A simple transceiver that will send arbitrary protocol messages to a GSM network. Well-known and established techniques like protocol fuzzing can finally be used in GSM networks and reveal how reliable and fault tolerant the equipment used in the GSM networks really is.
-
-
5:27
»
SecDocs
Authors: Karsten Nohl
Tags: GSM phone
Event: Black Hat Abu Dhabi 2010
Abstract: Our most popular phone technologies use decade-old proprietary cryptography. GSM's 64bit A5/1 cipher, for instance, is vulnerable to time memory trade-offs but commercial cracking hardware costs hundreds of thousands of dollars. We discuss how cryptographic improvements and the power of the community created an open GSM decrypt solution that runs on commodity hardware. Besides GSM we discuss weaknesses in DECT cordless phones. The talk concludes with an overview of mitigation steps for GSM and DECT in response to our research, some of which are already being implemented.
-
-
13:20
»
SecDocs
Tags: GSM phone
Event: Black Hat Abu Dhabi 2010
Abstract: Recent technological advances have placed GSM tools within the reach of today's security researchers and hackers. It is finally possible to directly explore the lowest levels of the GSM stack. This talk focuses on both sides of the GSM network where the users and network directly interact: the Um (air) interface. The primary technological focus of this talk is on the exposed interfaces between the GSM networks and users. This covers the base station system—the network components which communicate with mobile phones—and the base band—the component of the mobile phone which communicates with the network. During the talk the two main components of the attack system will be demoed - malicious basestations and malicious basebands. The base station enables fuzzing mobile phone basebands, as well as other attacks. The baseband is used to test GSM network equipment for flaws, as well as exploit backend systems. Trust us, you'll want to turn off your phone for the duration of this talk!
-
-
8:10
»
Hack a Day
If you use the Google Maps Mobile function then the big G knows where you are even if your phone doesn’t have a GPS module in it. So the next time you want geolocation capabilities in a project consider building around GSM functionality which can also be used for Internet connectivity. That’s exactly what this module does [...]
-
-
13:00
»
Hack a Day
Want to listen in on cellphone calls or intercept test messages? Well that’s a violation of someone else’s privacy so shame on you! But there are black-hats who want to do just that and it may not be quite as difficult as you think. This article sums up a method of using prepaid cellphones and [...]
-
-
12:58
»
Hack a Day
Open source GSM cracking software called “Kraken” has been released into the wild. You may recognize some of the information from back in December when we announced that they had cracked GSM encryption. Well, now you can participate as well. You’ll need a pretty beefy Linux machine and some patience. They say that an easier [...]
-
-
3:45
»
SecDocs
Authors: Nick DePetrillo, Don Bailey
Tags: GSM phone locating
Event: Source Conference Boston 2010
Abstract: Using new resources in concert with new and old telephony tricks, the speakers have been able to successfully track users of GSM mobile phones without direct access to SS7. Though, initially, the granularity of the location information was not fine enough, the speakers have been able to develop effective techniques to supplement the location data. Augmenting this attack is the ability to learn a target user's mobile phone number without the user's knowledge, enhancing the passive nature of the attack. The speakers will elaborate on new real world attack vectors that make these threats both credible and practical. GSM location data in the US is private. However, unscrupulous providers have exposed this data to an international audience, allowing anyone access to this information for a price. The researchers will elaborate on the technical details of how and why the above attacks work, what solutions are possible, and how users can protect themselves.
-
-
21:10
»
SecDocs
Authors: Harald Welte
Tags: GSM fuzzing phone
Event: Chaos Communication Congress 26th (26C3) 2009
Abstract: With the recent availability of more Free Software for GSM protocols such as OpenBSC, GSM protocol hacking is no longer off-limits. Everyone can play with the lower levels of GSM communications. It's time to bring the decades of TCP/IP security research into the GSM world, sending packets incompatible with the state machine, sending wrong length fields and actually go all the way to fuzz the various layers of the GSM protocol stack. The GSM protocol stack is a communications protocol stack like any other. There are many layers of protocols, headers, TLV's, length fields that can "accidentally" be longer or shorter than the actual content. There are timers and state machines. Wrong messages can trigger invalid state transitions. This protocol stack inside the telephone is implemented in C language on the baseband processor on a real-time operating system without any memory protection. There are only very few commercial GSM protocol stack implementations, which are licensed by the baseband chipset companies. Thus, vulnerabilities discovered in one phone will likely exist in many other phones, even of completely different handset manufacturers. Does that sound like the preamble to a security nightmare? It might well be! Those protocol stacks never have received the scrutiny of thousands of hackers and attack tools like the TCP/IP protocol suite on the Internet. It's about time we change that.
-
-
21:04
»
SecDocs
Authors: Dieter Spaar
Tags: GSM phone
Event: Chaos Communication Congress 26th (26C3) 2009
Abstract: This talk will show what can be done by taking control of the GSM RF part of a mobile phone, for example performing a DoS attack to the GSM network or using the phone as a sniffing device.
-
-
21:06
»
SecDocs
Authors: Karsten Nohl, Chris Paget
Tags: cryptography GSM cracking phone
Event: Chaos Communication Congress 26th (26C3) 2009
Abstract: The world's most popular radio system has over 3 billion handsets in 212 countries and not even strong encryption. Perhaps due to cold-war era laws, GSM's security hasn't received the scrutiny it deserves given its popularity. This bothered us enough to take a look; the results were surprising. From the total lack of network to handset authentication, to the "Of course I'll give you my IMSI" message, to the iPhone that really wanted to talk to us. It all came as a surprise – stunning to see what $1500 of USRP can do. Add a weak cipher trivially breakable after a few months of distributed table generation and you get the most widely deployed privacy threat on the planet. Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoS'ing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all, too. Prepare to change the way you look at your cell phone, forever.