SlideShare uma empresa Scribd logo

A million little tracking devices - Don Bailey

idsecconf
idsecconf
TecnologiaNegócios
1 de 77
Baixar para ler offline
Was: I’m the Hunter I‟m Going Hunting donb@isecpartners.com @DonAndrewBailey
A Million Little Tracking Devices Turning Embedded Devices into Weapons donb@isecpartners.com @DonAndrewBailey
whois donb?
Places I’ve been in the past 24 hours • Boston • Afghanistan • Libya • The White House
So what’s this all about, donb?
Zoombak “Advanced GPS Tracker” • Sold in over 12,500 stores in USA • Smart Phone App (iPhone, Android, Blackberry) • 2x as big as your 6th Generation iPod Nano • Track your… ▫ Car ▫ Family ▫ Pet ▫ Valuables
Even Oprah Loves Zoombak
What is the Device composed of?
Modular design • GSM module • GPS module • Application “microcomputer” • T-Mobile SIM Card
GSM Module • Siemens 0682 ▫ Infineon Baseband ▫ Skyworks 7750 RF Tx • Controlled via USART ▫ AT Commands! • No shared memory!
A Quick Comment about Siemens 0682 • Attaching to OpenBTS ▫ Using Malaysian Test SIM cards (001/01) • The Zoombak (Siemens) claims A5/2 capability ▫ And only A5/2 • The Zoombak accesses GPRS ▫ Presumably using A5/2 • T-Mobile allows A5/2 on GPRS in the USA? ▫ This shouldn‟t happen
GPS Module • GR-520 GPS Module • Not that interesting • Acquires GPS!!!
Application uC • Renesas SH7721/7300 Microcomputer Platform • Fairly robust uC platform • Application processor unknown ▫ But, probably one of the common realtime uC OS ▫ Likely, Java ▫ Or something….
But wait! Donb, don’t you know?!?
I don’t have to know…
How does Zoombak work?
It’s all about the Customer Experience • Log into the Web2.0 interface • Select the desired tracking device • Click “find now” • Wait for the embedded map to update • Enjoy the map!
How does the device work?
The Control Channel • Commands are received via SMS ▫ 8bit binary messages • Application polls SIM for SMS • Application receives command ▫ Parses binary SMS ▫ Extracts command
PDU Breakdown • “gOnDLocate” ▫ Represents an incoming location request • “Loc34-gfqgyl9f” ▫ Location ID (nonce) • 0x43 0xCA 0xED 0x70 ▫ 67.202.237.112 ??? • SMS UDH specifies port 0x1c6c ▫ Port 7276
So, the Location Request… • Defines where the device should connect ▫ IPv4 Address ▫ TCP Port • Defines what the device should send ▫ Nonce ▫ Location Response
Okay, but what does a response look like?
Back to the Logic Analyzer • Log into Zoombak‟s Web2.0 GUI • Send a valid request to the Device • Sniff the AT commands between App -> GSM • Watch what the device does
Seriously?!? • The GSM Module accepts AT commands to… ▫ Connect to a specific host AND port ▫ Over TCP/IP ▫ Send/Receive data • Zero confidentiality!
Lets Diverge, Shall We? • GSM baseband attacks are a Serious Issue ™ • The baseband attack surface was ▫ Thought to be small ▫ RF oriented ▫ Localized • But, wait! Remote baseband compromise? ▫ Embedded TCP/IP stack ▫ Small code base (small flash space)
Attack Scenario • Force AT commands to connect to Host:Port • Implement attack against TCP/IP stack • Get persistent compromise in the baseband • Force network traffic to a specific IP address • Evade Application Flash Updates • Similar to BIOS backdoors for PC
Okay, back to the payload.
First Response Payload Format • Nonce • Version stuff • Sender‟s phone number (MSISDN) • Number of location data segments • Time stamp • Cellular data ▫ Location Area Code (LAC), Cell ID, MCC, MNC, RSSI ▫ This is the „A‟ in A-GPS
Second Response Payload Format • Nonce • Version stuff • Sender‟s phone number (MSISDN) • Number of location data segments • GPS data (latitude, long) ▫ If available • Time stamp
Let’s use Open Cell ID • Online database of cellular towers • Includes ▫ MCC ▫ MNC ▫ Cell ID ▫ LAC ▫ Geo Location (Latitude, Longitude)
So, now we know… • How to control the device • What a response looks like • Where the data is sent • What GPRS network its sent to
What’s next?
“Dogggg will hunt!!” – Les Claypool
Piece it together! • SMS service like Routomessaging ▫ Send binary SMS for fractions of a cent ▫ Scriptable over SMPP ▫ Combine with crontab -> Win! • Edit a valid payload ▫ Change Zoombak‟s IP to Your IP ▫ Ship the SMS • Wait on port 7276
So, we know we can intercept. But, can we find devices?
Enter, War Texting • Spam thousands of numbers with our SMS payload • Wait patiently, serving on port 7276 • Log all incoming requests • Analyze location data ▫ Interesting targets?
War Texting – The reality • SMS spam is a huge problem • Too many messages too fast = blocked ▫ Average one message per 20 seconds ▫ Slightly change payload  Alter Nonce with every message • Don‟t increment through MSISDN ▫ Randomize from a set of targets • Don‟t spam all MSISDN ▫ Look for the device‟s profile first
Building an Easy Device Profile • Incoming calls are disabled • All devices are T-Mobile • SMS is enabled • NPA/NXX are typically not associated with location of purchase • Use HLR to find devices that are “never home” • Caller ID is always “Unavailable” • Use HLR to find devices that are turned on ▫ „Off‟ devices are „Absent Subscriber‟
Profiling is Less Intrusive • Profiling is simply reconnaissance • Perform many normal actions ▫ To create an abnormal result • Effect? ▫ Generated list of potential fits ▫ Less people spammed ▫ Less provider hate for our SMS ▫ More low key
So, we can find and target users. But, can we impersonate them?
Of course! • Response payloads have no confidentiality • Pure HTTP • We can forge RSSI • GPS data can be forged easily ▫ Yay for on-line maps and Google Earth!
The Assisted in Assisted GPS • Doesn‟t mean „Assisting You‟ ▫ It means „Assisting Them‟ • Obviously, known LAC/CI pairs should indicate potentially bad GPS data (or vice versa) • Selling LAC/CI is big $ in the Location Research markets
We hit the Trifecta
We can now… • Discover random tracking devices • Force location interception • Impersonate compromised targets
What attacks can be performed? • This is an issue of thinking like an attacker • Discover and monitor targets over time • Assess highly desirable targets • Strategic planning through behavioral analysis
What can be done to fix these problems?
Currently, they are… • Using T-Mobile to do things “the wrong way” ▫ “Non-Geographic Test Number” NPA/NXX  As of February 2011  Not active in Number Portability Administration  Blocks SMS from services like RoutoMessaging (temporarily?) ▫ GPRS PDP Context Switching  Drop different types of devices into different networks
But, they should be… • Not relying on the control message • Not implementing confidentiality and integrity • Disallowing software from talking to non- Zoombak resources • Using HLR to assess potential spoofing/abuse ▫ Dead technique
The Carmen Sandiego Project’s Success is Zoombak’s Failure
Remember Carmen Sandiego? • Research presented with Nick DePetrillo (Crucial Security) • Tracking via HLR access • Only a Phone Number is required
Carmen Succeeded! • T-Mobile HLR requests now fail • Random MSC values from a static set of N • No more T-Mobile tracking • All major GSM providers in the USA are now secure
Bad for Zoombak • No Location Data to compare to • The device‟s response must be trusted • HLR can‟t prove error / manipulations
What Lessons can we Learn?
Embedded Security is Hard • Weak security surface • Vast threat surface • Many “moving parts” to maintain ▫ Baseband ▫ GPS firmware ▫ Application firmware ▫ SIM software/keys/etc • The days of obfuscating your product are over ▫ No plastic / epoxy / silicon for me
It’s also a Function of $ • Decreased production cost • Increased functionality ▫ Zigbee/802.15.4/Z-Wave ▫ RFID/NFC ▫ DECT • Increased application space ▫ More production = decreased cost to user
What’s the next Killer App? • Urban Traffic Control systems ▫ Controlled over GSM • SCADA sensors ▫ Controlled over GSM / SMS • Generic user devices ▫ Kindles, iPads, etc
Even vehicle security systems!
A specific vendor allows • Remote door unlock • Remote “storage locker” functionality • Remote engine start
The design is exactly the same… • GSM module w/ TCP/IP • ST Microcontroller • SIM card
But, this time it’s more fun • Got the firmware image! • Wrote a disassembler • Can understand *all* functionality
Result? • Scan the telephone network • Randomly unlock people‟s cars • Randomly turn on engines
Thanks For All The Fish! • IdSecConf • Nick DePetrillo • Ech0 crew!! • Travis Goodspeed • Jim Geovedi • Mike Ossmann • Alex Stamos
“We ain’t hard 2 find” – 2pac donb@isecpartners.com @DonAndrewBailey

Recomendados

Don Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesDon Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesSource Conference
 
1024-bit Encrypted, Cloud-Based Garage
1024-bit Encrypted, Cloud-Based Garage1024-bit Encrypted, Cloud-Based Garage
1024-bit Encrypted, Cloud-Based Garagedanieljng
 
A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
A Look Into Emerging Security Issues Within Cryptocurrency EcosystemsA Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
A Look Into Emerging Security Issues Within Cryptocurrency EcosystemsBeau Bullock
 
How to deliver rich, real-time apps - AppsWorld 2014
How to deliver rich, real-time apps - AppsWorld 2014How to deliver rich, real-time apps - AppsWorld 2014
How to deliver rich, real-time apps - AppsWorld 2014Andy Piper
 
The Ultimate Meeting Professionals Guide to Internet Connectivity
The Ultimate Meeting Professionals Guide to Internet ConnectivityThe Ultimate Meeting Professionals Guide to Internet Connectivity
The Ultimate Meeting Professionals Guide to Internet Connectivitytechsytalk
 
Reksoprodjo cyber warfare stmik bali 2010
Reksoprodjo cyber warfare stmik bali 2010Reksoprodjo cyber warfare stmik bali 2010
Reksoprodjo cyber warfare stmik bali 2010idsecconf
 
y3dips, mastering the network hackingFU
y3dips, mastering the network hackingFUy3dips, mastering the network hackingFU
y3dips, mastering the network hackingFUidsecconf
 
LockPicking (paper) - Mr.pick
LockPicking (paper) - Mr.pickLockPicking (paper) - Mr.pick
LockPicking (paper) - Mr.pickidsecconf
 

Recomendados

Don Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesDon Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesSource Conference
 
1024-bit Encrypted, Cloud-Based Garage
1024-bit Encrypted, Cloud-Based Garage1024-bit Encrypted, Cloud-Based Garage
1024-bit Encrypted, Cloud-Based Garagedanieljng
 
A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
A Look Into Emerging Security Issues Within Cryptocurrency EcosystemsA Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
A Look Into Emerging Security Issues Within Cryptocurrency EcosystemsBeau Bullock
 
How to deliver rich, real-time apps - AppsWorld 2014
How to deliver rich, real-time apps - AppsWorld 2014How to deliver rich, real-time apps - AppsWorld 2014
How to deliver rich, real-time apps - AppsWorld 2014Andy Piper
 
The Ultimate Meeting Professionals Guide to Internet Connectivity
The Ultimate Meeting Professionals Guide to Internet ConnectivityThe Ultimate Meeting Professionals Guide to Internet Connectivity
The Ultimate Meeting Professionals Guide to Internet Connectivitytechsytalk
 
Reksoprodjo cyber warfare stmik bali 2010
Reksoprodjo cyber warfare stmik bali 2010Reksoprodjo cyber warfare stmik bali 2010
Reksoprodjo cyber warfare stmik bali 2010idsecconf
 
y3dips, mastering the network hackingFU
y3dips, mastering the network hackingFUy3dips, mastering the network hackingFU
y3dips, mastering the network hackingFUidsecconf
 
LockPicking (paper) - Mr.pick
LockPicking (paper) - Mr.pickLockPicking (paper) - Mr.pick
LockPicking (paper) - Mr.pickidsecconf
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_roomNCC Group
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
Click and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobileClick and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobilegrugq
 
iBeacons for Everyone, from iOS to Android - James Montemagno | FalafelCON 2014
iBeacons for Everyone, from iOS to Android - James Montemagno | FalafelCON 2014iBeacons for Everyone, from iOS to Android - James Montemagno | FalafelCON 2014
iBeacons for Everyone, from iOS to Android - James Montemagno | FalafelCON 2014FalafelSoftware
 
SIGFOX Makers Tour - Barcelona
SIGFOX Makers Tour - BarcelonaSIGFOX Makers Tour - Barcelona
SIGFOX Makers Tour - BarcelonaNicolas Lesconnec
 
SIGFOX Makers Tour - Madrid
SIGFOX Makers Tour - MadridSIGFOX Makers Tour - Madrid
SIGFOX Makers Tour - MadridNicolas Lesconnec
 
Programming for the Internet of Things
Programming for the Internet of ThingsProgramming for the Internet of Things
Programming for the Internet of ThingsKinoma
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By NirmalNIRMAL RAJ
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityPaul Morse
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014Chong-Kuan Chen
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareJohn Bambenek
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud preventionYury Leonychev
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AlivePositive Hack Days
 
Setting Up InfluxDB for IoT by David G Simmons
Setting Up InfluxDB for IoT by David G SimmonsSetting Up InfluxDB for IoT by David G Simmons
Setting Up InfluxDB for IoT by David G SimmonsInfluxData
 
DEFCON 23 - Lin Huang Ging Yang - GPS spoofing
DEFCON 23 - Lin Huang Ging Yang - GPS spoofingDEFCON 23 - Lin Huang Ging Yang - GPS spoofing
DEFCON 23 - Lin Huang Ging Yang - GPS spoofingFelipe Prado
 
Building Mobile Apps with HTML, CSS, and JavaScript
Building Mobile Apps with HTML, CSS, and JavaScriptBuilding Mobile Apps with HTML, CSS, and JavaScript
Building Mobile Apps with HTML, CSS, and JavaScriptJonathan Stark
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalPacSecJP
 
Infrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.comInfrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.comDevOps4Networks
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...Area41
 
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf
 
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf
 

Mais conteúdo relacionado

Semelhante a A million little tracking devices - Don Bailey

Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_roomNCC Group
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
Click and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobileClick and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobilegrugq
 
iBeacons for Everyone, from iOS to Android - James Montemagno | FalafelCON 2014
iBeacons for Everyone, from iOS to Android - James Montemagno | FalafelCON 2014iBeacons for Everyone, from iOS to Android - James Montemagno | FalafelCON 2014
iBeacons for Everyone, from iOS to Android - James Montemagno | FalafelCON 2014FalafelSoftware
 
SIGFOX Makers Tour - Barcelona
SIGFOX Makers Tour - BarcelonaSIGFOX Makers Tour - Barcelona
SIGFOX Makers Tour - BarcelonaNicolas Lesconnec
 
Programming for the Internet of Things
Programming for the Internet of ThingsProgramming for the Internet of Things
Programming for the Internet of ThingsKinoma
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By NirmalNIRMAL RAJ
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityPaul Morse
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareJohn Bambenek
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud preventionYury Leonychev
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AlivePositive Hack Days
 
Setting Up InfluxDB for IoT by David G Simmons
Setting Up InfluxDB for IoT by David G SimmonsSetting Up InfluxDB for IoT by David G Simmons
Setting Up InfluxDB for IoT by David G SimmonsInfluxData
 
DEFCON 23 - Lin Huang Ging Yang - GPS spoofing
DEFCON 23 - Lin Huang Ging Yang - GPS spoofingDEFCON 23 - Lin Huang Ging Yang - GPS spoofing
DEFCON 23 - Lin Huang Ging Yang - GPS spoofingFelipe Prado
 
Building Mobile Apps with HTML, CSS, and JavaScript
Building Mobile Apps with HTML, CSS, and JavaScriptBuilding Mobile Apps with HTML, CSS, and JavaScript
Building Mobile Apps with HTML, CSS, and JavaScriptJonathan Stark
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalPacSecJP
 
Infrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.comInfrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.comDevOps4Networks
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...Area41
 

Semelhante a A million little tracking devices - Don Bailey (20)

Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
Click and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobileClick and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobile
 
iBeacons for Everyone, from iOS to Android - James Montemagno | FalafelCON 2014
iBeacons for Everyone, from iOS to Android - James Montemagno | FalafelCON 2014iBeacons for Everyone, from iOS to Android - James Montemagno | FalafelCON 2014
iBeacons for Everyone, from iOS to Android - James Montemagno | FalafelCON 2014
 
SIGFOX Makers Tour - Barcelona
SIGFOX Makers Tour - BarcelonaSIGFOX Makers Tour - Barcelona
SIGFOX Makers Tour - Barcelona
 
SIGFOX Makers Tour - Madrid
SIGFOX Makers Tour - MadridSIGFOX Makers Tour - Madrid
SIGFOX Makers Tour - Madrid
 
Programming for the Internet of Things
Programming for the Internet of ThingsProgramming for the Internet of Things
Programming for the Internet of Things
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By Nirmal
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud Security
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of Ransomware
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud prevention
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
 
Setting Up InfluxDB for IoT by David G Simmons
Setting Up InfluxDB for IoT by David G SimmonsSetting Up InfluxDB for IoT by David G Simmons
Setting Up InfluxDB for IoT by David G Simmons
 
DEFCON 23 - Lin Huang Ging Yang - GPS spoofing
DEFCON 23 - Lin Huang Ging Yang - GPS spoofingDEFCON 23 - Lin Huang Ging Yang - GPS spoofing
DEFCON 23 - Lin Huang Ging Yang - GPS spoofing
 
Building Mobile Apps with HTML, CSS, and JavaScript
Building Mobile Apps with HTML, CSS, and JavaScriptBuilding Mobile Apps with HTML, CSS, and JavaScript
Building Mobile Apps with HTML, CSS, and JavaScript
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
 
Infrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.comInfrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.com
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
 

Mais de idsecconf

idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf
 
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf
 
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf
 
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf
 
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf
 
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfAli - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfidsecconf
 
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...idsecconf
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfRama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfidsecconf
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...idsecconf
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfidsecconf
 
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...idsecconf
 
Utian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfUtian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfidsecconf
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...idsecconf
 
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika TriwidadaPerkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidadaidsecconf
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullahidsecconf
 
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaHacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaidsecconf
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...idsecconf
 
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi DwiantoDevsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwiantoidsecconf
 

Mais de idsecconf (20)

idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
 
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
 
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
 
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
 
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
 
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
 
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfAli - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
 
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfRama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
 
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
 
Utian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfUtian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdf
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...
 
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika TriwidadaPerkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullah
 
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaHacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
 
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi DwiantoDevsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
 

Último

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 

Último (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 

A million little tracking devices - Don Bailey

  • 1. Was: I’m the Hunter I‟m Going Hunting donb@isecpartners.com @DonAndrewBailey
  • 2.
  • 3.
  • 4. A Million Little Tracking Devices Turning Embedded Devices into Weapons donb@isecpartners.com @DonAndrewBailey
  • 6. Places I’ve been in the past 24 hours • Boston • Afghanistan • Libya • The White House
  • 7.
  • 8.
  • 9.
  • 10.
  • 11. So what’s this all about, donb?
  • 12. Zoombak “Advanced GPS Tracker” • Sold in over 12,500 stores in USA • Smart Phone App (iPhone, Android, Blackberry) • 2x as big as your 6th Generation iPod Nano • Track your… ▫ Car ▫ Family ▫ Pet ▫ Valuables
  • 13. Even Oprah Loves Zoombak
  • 14. What is the Device composed of?
  • 15. Modular design • GSM module • GPS module • Application “microcomputer” • T-Mobile SIM Card
  • 16. GSM Module • Siemens 0682 ▫ Infineon Baseband ▫ Skyworks 7750 RF Tx • Controlled via USART ▫ AT Commands! • No shared memory!
  • 17. A Quick Comment about Siemens 0682 • Attaching to OpenBTS ▫ Using Malaysian Test SIM cards (001/01) • The Zoombak (Siemens) claims A5/2 capability ▫ And only A5/2 • The Zoombak accesses GPRS ▫ Presumably using A5/2 • T-Mobile allows A5/2 on GPRS in the USA? ▫ This shouldn‟t happen
  • 18. GPS Module • GR-520 GPS Module • Not that interesting • Acquires GPS!!!
  • 19. Application uC • Renesas SH7721/7300 Microcomputer Platform • Fairly robust uC platform • Application processor unknown ▫ But, probably one of the common realtime uC OS ▫ Likely, Java ▫ Or something….
  • 20. But wait! Donb, don’t you know?!?
  • 21. I don’t have to know…
  • 23. It’s all about the Customer Experience • Log into the Web2.0 interface • Select the desired tracking device • Click “find now” • Wait for the embedded map to update • Enjoy the map!
  • 24. How does the device work?
  • 25. The Control Channel • Commands are received via SMS ▫ 8bit binary messages • Application polls SIM for SMS • Application receives command ▫ Parses binary SMS ▫ Extracts command
  • 26.
  • 27. PDU Breakdown • “gOnDLocate” ▫ Represents an incoming location request • “Loc34-gfqgyl9f” ▫ Location ID (nonce) • 0x43 0xCA 0xED 0x70 ▫ 67.202.237.112 ??? • SMS UDH specifies port 0x1c6c ▫ Port 7276
  • 28.
  • 29. So, the Location Request… • Defines where the device should connect ▫ IPv4 Address ▫ TCP Port • Defines what the device should send ▫ Nonce ▫ Location Response
  • 30. Okay, but what does a response look like?
  • 31. Back to the Logic Analyzer • Log into Zoombak‟s Web2.0 GUI • Send a valid request to the Device • Sniff the AT commands between App -> GSM • Watch what the device does
  • 32.
  • 33. Seriously?!? • The GSM Module accepts AT commands to… ▫ Connect to a specific host AND port ▫ Over TCP/IP ▫ Send/Receive data • Zero confidentiality!
  • 34. Lets Diverge, Shall We? • GSM baseband attacks are a Serious Issue ™ • The baseband attack surface was ▫ Thought to be small ▫ RF oriented ▫ Localized • But, wait! Remote baseband compromise? ▫ Embedded TCP/IP stack ▫ Small code base (small flash space)
  • 35. Attack Scenario • Force AT commands to connect to Host:Port • Implement attack against TCP/IP stack • Get persistent compromise in the baseband • Force network traffic to a specific IP address • Evade Application Flash Updates • Similar to BIOS backdoors for PC
  • 36. Okay, back to the payload.
  • 37.
  • 38. First Response Payload Format • Nonce • Version stuff • Sender‟s phone number (MSISDN) • Number of location data segments • Time stamp • Cellular data ▫ Location Area Code (LAC), Cell ID, MCC, MNC, RSSI ▫ This is the „A‟ in A-GPS
  • 39. Second Response Payload Format • Nonce • Version stuff • Sender‟s phone number (MSISDN) • Number of location data segments • GPS data (latitude, long) ▫ If available • Time stamp
  • 40. Let’s use Open Cell ID • Online database of cellular towers • Includes ▫ MCC ▫ MNC ▫ Cell ID ▫ LAC ▫ Geo Location (Latitude, Longitude)
  • 41.
  • 42. So, now we know… • How to control the device • What a response looks like • Where the data is sent • What GPRS network its sent to
  • 44. “Dogggg will hunt!!” – Les Claypool
  • 45. Piece it together! • SMS service like Routomessaging ▫ Send binary SMS for fractions of a cent ▫ Scriptable over SMPP ▫ Combine with crontab -> Win! • Edit a valid payload ▫ Change Zoombak‟s IP to Your IP ▫ Ship the SMS • Wait on port 7276
  • 46.
  • 47.
  • 48. So, we know we can intercept. But, can we find devices?
  • 49. Enter, War Texting • Spam thousands of numbers with our SMS payload • Wait patiently, serving on port 7276 • Log all incoming requests • Analyze location data ▫ Interesting targets?
  • 50. War Texting – The reality • SMS spam is a huge problem • Too many messages too fast = blocked ▫ Average one message per 20 seconds ▫ Slightly change payload  Alter Nonce with every message • Don‟t increment through MSISDN ▫ Randomize from a set of targets • Don‟t spam all MSISDN ▫ Look for the device‟s profile first
  • 51. Building an Easy Device Profile • Incoming calls are disabled • All devices are T-Mobile • SMS is enabled • NPA/NXX are typically not associated with location of purchase • Use HLR to find devices that are “never home” • Caller ID is always “Unavailable” • Use HLR to find devices that are turned on ▫ „Off‟ devices are „Absent Subscriber‟
  • 52. Profiling is Less Intrusive • Profiling is simply reconnaissance • Perform many normal actions ▫ To create an abnormal result • Effect? ▫ Generated list of potential fits ▫ Less people spammed ▫ Less provider hate for our SMS ▫ More low key
  • 53. So, we can find and target users. But, can we impersonate them?
  • 54. Of course! • Response payloads have no confidentiality • Pure HTTP • We can forge RSSI • GPS data can be forged easily ▫ Yay for on-line maps and Google Earth!
  • 55. The Assisted in Assisted GPS • Doesn‟t mean „Assisting You‟ ▫ It means „Assisting Them‟ • Obviously, known LAC/CI pairs should indicate potentially bad GPS data (or vice versa) • Selling LAC/CI is big $ in the Location Research markets
  • 56. We hit the Trifecta
  • 57. We can now… • Discover random tracking devices • Force location interception • Impersonate compromised targets
  • 58. What attacks can be performed? • This is an issue of thinking like an attacker • Discover and monitor targets over time • Assess highly desirable targets • Strategic planning through behavioral analysis
  • 59. What can be done to fix these problems?
  • 60. Currently, they are… • Using T-Mobile to do things “the wrong way” ▫ “Non-Geographic Test Number” NPA/NXX  As of February 2011  Not active in Number Portability Administration  Blocks SMS from services like RoutoMessaging (temporarily?) ▫ GPRS PDP Context Switching  Drop different types of devices into different networks
  • 61. But, they should be… • Not relying on the control message • Not implementing confidentiality and integrity • Disallowing software from talking to non- Zoombak resources • Using HLR to assess potential spoofing/abuse ▫ Dead technique
  • 62. The Carmen Sandiego Project’s Success is Zoombak’s Failure
  • 63. Remember Carmen Sandiego? • Research presented with Nick DePetrillo (Crucial Security) • Tracking via HLR access • Only a Phone Number is required
  • 64.
  • 65. Carmen Succeeded! • T-Mobile HLR requests now fail • Random MSC values from a static set of N • No more T-Mobile tracking • All major GSM providers in the USA are now secure
  • 66. Bad for Zoombak • No Location Data to compare to • The device‟s response must be trusted • HLR can‟t prove error / manipulations
  • 67. What Lessons can we Learn?
  • 68. Embedded Security is Hard • Weak security surface • Vast threat surface • Many “moving parts” to maintain ▫ Baseband ▫ GPS firmware ▫ Application firmware ▫ SIM software/keys/etc • The days of obfuscating your product are over ▫ No plastic / epoxy / silicon for me
  • 69. It’s also a Function of $ • Decreased production cost • Increased functionality ▫ Zigbee/802.15.4/Z-Wave ▫ RFID/NFC ▫ DECT • Increased application space ▫ More production = decreased cost to user
  • 70. What’s the next Killer App? • Urban Traffic Control systems ▫ Controlled over GSM • SCADA sensors ▫ Controlled over GSM / SMS • Generic user devices ▫ Kindles, iPads, etc
  • 72. A specific vendor allows • Remote door unlock • Remote “storage locker” functionality • Remote engine start
  • 73. The design is exactly the same… • GSM module w/ TCP/IP • ST Microcontroller • SIM card
  • 74. But, this time it’s more fun • Got the firmware image! • Wrote a disassembler • Can understand *all* functionality
  • 75. Result? • Scan the telephone network • Randomly unlock people‟s cars • Randomly turn on engines
  • 76. Thanks For All The Fish! • IdSecConf • Nick DePetrillo • Ech0 crew!! • Travis Goodspeed • Jim Geovedi • Mike Ossmann • Alex Stamos
  • 77. “We ain’t hard 2 find” – 2pac donb@isecpartners.com @DonAndrewBailey