26C3 #2

We’d planned to attend the JTAG debugger talk at 10:30 this morning, but we felt so comfortable in the cafeteria where we were having breakfast that we stayed there a couple of hours chatting instead of going to the talk, so in the end we missed it :( but that wasn’t such a big deal; I guess that in a few days the video recordings will be available for download.

The next talk scheduled in our very personal agendas :) was about the Google Lunar X-Prize and how the Part-Time-Scientists team is working to achieve it. The talk was amazing, in the sense that they explained all the steps taken to date to build the robot, launch it, land it safely on the moon’s surface, capture and transmit the HD video back to earth, and finally let the robot survive as long as possible up there. They explained all the robot internals, how it was built and the communication systems used to provide the upload channel to send commands to the robot, and the fat download pipe to get the HD images. It was amazing: more than 30 antennas all around the globe, forming a unique “virtual big antenna” from the moon’s point of view, which provides a 24/7 500 kbps link between the moon robot and earth. A nice detail was the live video-conference with one of the NASA engineers who participated in the original Apollo missions; he talked to us, from his home in the US, about the Apollo mission and his work back then at NASA.

After this, some Asian-style lunch in the food court of the mall across the street, and back to the BCC to attend the Milkymist talk. Not much to say here; we learned about this open hardware platform, its design, how it is programmed and the visual effects that it provides in real time. More info on the project page.

More hardware stuff in the Advanced microcontroller programming lecture: the talk was a summary of advanced programming and debugging techniques learned after a year of hardcore microcontroller programming on Atmel CPUs. How to succeed with subjects like microcontroller C++ development, profiling, real-time programming, timing and concurrency, and agile development techniques.

The Fuzzing the phone talk was pretty nice. The fuzzing technique is usually used to find bugs by forcing buffer overflows and probing all kinds of malformed, oversized and mangled inputs. Applied to last-generation smartphones, SMS fuzzing is an interesting way of finding flaws in the phone software that handles the messages, by injecting custom, specially formatted or malformed SMS messages. The talk showed how the SMS fuzzing framework was used against iPhone, Android and HTC WM6 phones, and the results obtained from the experiments. The design of the framework is pretty interesting; remember that phones based on Android or the Apple iPhone are little Unix boxes, and therefore you can use some of the familiar and nice techniques that you already know, like programming a middle layer (a daemon in practice) that renames the /dev/XXX serial device used to talk to the radio modem interface, then creates its own device so the SMS application in the OS does its I/O there, and our process takes control of all the information that the OS SMS app writes to this device. On the other hand, our daemon opens the true serial device that talks to the modem, so we can receive all the modem messages and relay the app messages to the modem. By doing this, the fuzzing process is pretty efficient, because we can inject the SMS directly into the OS app, and it will think they are being received through the modem. So, a nice MITM attack using some basic Unix system programming. To inject the messages the daemon opens a TCP socket, so we can send them over the WiFi network by connecting to this TCP socket, cool! This very same talk took place at BlackHat ’09, so you can get more info about it on the BlackHat web site and also on the project page.
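What that fuzzing exercises on the receiving side is the length handling in the phone’s SMS decoder, so here is an added example (my own code, not the talk’s framework) of a strict decoder for the SMS-DELIVER PDU that the OS SMS application gets from the modem: every length field (SMSC length, sender address digit count, TP-UDL) is checked against the bytes actually present before it is used, so an oversized or truncated message is rejected instead of being read past its end. It assumes the GSM 7-bit default alphabet mapped as ASCII (correct for basic Latin letters, digits and space) and handles only 7-bit SMS-DELIVER; the good PDU is the well-known “How are you?” sample and the bad one is a constructed copy with TP-UDL set to 0xFF.

```python
def _need(data: bytes, pos: int, n: int) -> None:
    # Refuse to read past the end of the PDU instead of trusting a length field.
    if n < 0 or pos + n > len(data):
        raise ValueError(f"truncated PDU: need {n} bytes at offset {pos}")

def unpack_7bit(data: bytes, septets: int) -> str:
    # Unpack GSM 7-bit packed user data; septets are mapped as ASCII (basic Latin subset).
    if septets > (len(data) * 8) // 7:
        raise ValueError("TP-UDL claims more septets than the packed octets hold")
    acc, nbits, out = 0, 0, []
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(chr(acc & 0x7F))
            acc >>= 7
            nbits -= 7
    return "".join(out)

def decode_sms_deliver(pdu_hex: str) -> dict:
    # Decode an SMS-DELIVER PDU (SMSC header + TPDU) with every length bounds-checked.
    data = bytes.fromhex(pdu_hex)
    _need(data, 0, 1)
    pos = 1 + data[0]                        # skip the length-prefixed SMSC address
    _need(data, pos, 3)                      # first octet, TP-OA digit count, TP-OA type
    addr_digits, toa = data[pos + 1], data[pos + 2]
    pos += 3
    addr_len = (addr_digits + 1) // 2        # nibble-swapped BCD, odd count padded with 0xF
    _need(data, pos, addr_len)
    sender = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data[pos:pos + addr_len])[:addr_digits]
    if (toa & 0x70) == 0x10:                 # international numbering plan
        sender = "+" + sender
    pos += addr_len
    _need(data, pos, 10)                     # TP-PID, TP-DCS, 7-byte TP-SCTS, TP-UDL
    dcs, udl = data[pos + 1], data[pos + 9]
    if (dcs & 0x0C) != 0x00:
        raise ValueError("only the GSM 7-bit default alphabet is handled here")
    return {"sender": sender, "text": unpack_7bit(data[pos + 10:], udl)}

def is_well_formed(pdu_hex: str) -> bool:
    try:
        return bool(decode_sms_deliver(pdu_hex))
    except ValueError:
        return False

# Well-known "How are you?" sample PDU, and a constructed copy with TP-UDL changed to 0xFF.
GOOD_PDU = "07911326040000F0040B911346610089F60000208062917314080CC8F71D14969741F977FD07"
BAD_PDU = "07911326040000F0040B911346610089F6000020806291731408FFC8F71D14969741F977FD07"
```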

Defending the poor by Phenoelit/FX. This talk wasn’t about attacking but about defending :) Flash isn’t a well-designed language/environment, and malware takes advantage of this to execute itself and do all kinds of nasty things, like URL redirecting, fake clicking, etc. What FX introduced in his talk is a countermeasure that disables any attempted attack from a malicious swf by patching the bytecode and making the attack fail. It’s at a very early stage of development, but it has been released just now during the congress, so anybody can improve it, or make some nice plugin based on it. Check it out.

Unfortunately I missed the Haste ma’n netblock? lecture :( and I didn’t get the netstream of it, so I’ll have to wait to download it. So let’s jump to the last talk I attended today, the SS7 network hacking one. This talk was really interesting, the kind of talk that opens up a completely new world to you and encourages you to research and learn more about it. The speaker focused on the SS7 network design, which systems you can find there (gateways to other networks, authentication systems, roaming systems…), the complete protocol stack, the link with the well-known world of TCP/IP, and, the most interesting part, some basic knowledge about auditing SS7 networks: what to search for and where, how to run scans and how to take advantage of the information gathered through those scans, and finally some links to tools. Unfortunately the time given to this talk (1 hour) was insufficient to cover all the subjects, but he would have kept talking for hours and hours if he could… really nice talk. The problem is… how to reach the SS7 network? That’s the point: if you aren’t inside the network for auditing purposes, you’ll have to find some entry point, maybe an IP gateway reachable from the Internet. Remember that some SS7 systems, mainly SMS related, communicate through the Internet via standard IPsec VPN links, so maybe this could be an entry point, or you could try the SST over SIP encapsulation trick, that would be nice. As I said before, a completely forgotten world waiting for us to have fun. It’s interesting to point out that these phone systems are increasingly considered strategic and critical infrastructure, so governments want to audit them and make sure they aren’t vulnerable; it’s a nice area to work on if you get the opportunity.

By the way, remember the “Sleep Hacking” talk/workshop? A wiki has been created to gather all the stuff related to this subject, so check it out and collaborate if you’re interested. And if you’re successful hacking your sleep cycles, start looking for new hobbies, because you’ll get a lot of extra free time ;)

Comments

One Response to “26C3 #2”

  1. CyberHades » Blog Archive » El día a día del 26C3 por FuTuR3 on January 2nd, 2010 1:23 pm

    [...] Day 2 [...]