evilgenius » security

Crapto1 – the tool to break the Mifare crypto algorithm

hosh — Mon, 27 Oct 2008 21:02:53 +0000

A few month ago a paper was released which described how to break the Crypto1 algorithm of the Mifare Classic cards. Now the implementation has been released. The files with the source code have all in all only 611 LOC. Not so much…

NIST: Guide to Bluetooth Security

hosh — Wed, 08 Oct 2008 21:12:57 +0000

The Computer Security Devision of the National Institute of Standards and Technology (NIST) have released their Guide to Bluetooth Security. Just had a short look at it, but I think it worth to read it. Especially the part about the new security features of Bluetooth 2.1 with Secure Simple Pairing (SSP). There are also some other quite interesting publications around.

The CSI Stick

hosh — Sun, 07 Sep 2008 17:56:40 +0000

Schneier about the CSI (Cellular Seizure Investigation) stick.

A little device with the size of a lighter which you plug into a cellular phone and sucks out all it’s user data. Right now, it only supports Samsung and Motorola phones, but I think it should be no problem to support other cellular phone brands like Nokia oder Sony Ericsson.

CBBQWE08 and Secure Simple Pairing

hosh — Wed, 18 Jun 2008 22:29:30 +0000

This weekend the CBBQWE08 will take place in Dortmund, Germany, Old Europe. It’s organized by the CCC Dortmund there will be some lectures – I will give an overview of the new security features of Bluetooth Secure Simple Pairing – but the main focus of the event is the BBQ and having some fun. I hope it will be good weather.

Boeing 787 and network security

hosh — Mon, 07 Jan 2008 05:54:12 +0000

Now this is not really wireless, but a least it has to do something with security in the air.

According to The Inquirer, referencing an FAA (Federal Aviation Administration) report, it seems that the guys at Boeing don’t know basic network security concepts, like for example network segmentation. The network access for passengers seems to be in the same network like plane’s control, navigation, communication, etc. Seems that Boeing is going to fix this, but I can’t wait until first passengers start messing around with the final system.

24C3: Mifare Security

hosh — Sun, 06 Jan 2008 15:41:40 +0000

Seems that I have missed one of the most interesting speeches at 24C3.
Henryk Plötz and Karsten Nohl presented the recent developments in reverse engineering the Mifare RFID card. What they basically did is polishing away the different layers of the chip in the Mifare card and then visually analyze the layers, trying to find the cryptographic relevant parts. The security of the low-end Mifare Classic cards is to be concerned as broken. “Start migrating!” This does not have an impact on the high-end Mifare DESFire card. Check out the video!

Slides 1
Slides 2

Torrent of the video recording in Matroska / Vorbis / H.264
Torrent of the video recording in MPEG-4 / AAC-LC / H.264

24C3: Bluetooth Stuff

hosh — Fri, 28 Dec 2007 21:06:50 +0000

Hi there! Greetings from 24C3, the annual hacker meeting of CCC. Some updates on Bluetooth related stuff:

Balle released a new version of bluediving, now available in version 0.9.

A funky new tool has been released at this congress: bluedrift. What driftnet is for ethernet, bluedrift is for Bluetooth. Using a special Bluetooth dongle which is capable of being flashed, you are now able to automatically sniff Bluetooth traffic and extract OBEX data, e.g. electronic vcards or pictures, from your sniff.

Another project I didn’t know before is the Wave Bubble by ladyada: “A design for a self-tuning portable RF jammer”

Best cite of the congress: “MIT doesn’t teach you how to fuck GSM-Networks” — Ladyada

iPhone’s Bluetooth Bug and the Metasploit Framework

hosh — Sat, 29 Sep 2007 20:21:55 +0000

As balle already pointed out, there is a major Bluetooth Bug in iPhones. The SDP-Service can be exploited to execute arbitrary code. The funny thing with iPhones is, that even when Inquiry Scan is disabled (“hidden Bluetooth device”) it’s easy to find out the Bluetooth Address of an iPhone: The WiFi-address is the Bluetooth address incremented by one. When you know the MAC Address of the iPhone, you also know the Bluetooth address.

Another interesting thing: The Metasploit Framework about to be ported to the iPhone. All the applications seem to run as UID 0 on the iPhone – this is going to be fun!

Source: Computerworld

Camp 2007 Review

hosh — Sun, 26 Aug 2007 14:42:28 +0000

Camp is over. Unfortunately I did not have enough spare time to write a in depth review, but I can say it was a lot of fun and very interesting. I didn’t enjoy the lectures very much, because the acoustic was lousy and the content of the lectures was not as good as I expected. But the concept of villages with people of same interests was very good. That way it was very easy to meet people with the same interests. One very interesting lecture was about the A5 Cracking Project. The projects goal is to implement a practical attack on the A5 cipher used in GSM networks. The cipher has already been broken in 1998 after the specs leaked into public because someone forgot to sign a NDA. But until now there is no public implementation of the attacks. There is a Wiki where the project is coordinated, check it out. That stuff is at the very top of my agenda. hmm, maybe not at the very top, but at the top .

Anyway, due to the great atmosphere at the camp (especially during the night), I enjoyed it very much. Check out the flickr slideshow. I also made some photos, mostly night shots:

Write your own CSR Firmware!

hosh — Thu, 16 Aug 2007 15:54:18 +0000

Darkircop have released their tools for reverse engineering CSR Firmware. The tools include a disassembler dis.c for disassembling official firmware. An assembler as.cc for writing your own firmware is also included. With these tools you are now able to write your own firmware for your CSR based Bluetooth Dongle, which might even include raw access for Bluetooth sniffing. The source code for sniffing Bluetooth under Linux included, too.

It might even be possible to port the techniques for finding hidden Bluetooth devices described in this paper onto a CSR dongle. In the paper GNU Radio with USRP was used. The source code used for this attack can be downloaded, too.