Category Archives: security

24C3: Mifare Security

Seems that I have missed one of the most interesting speeches at 24C3.
Henryk Plötz and Karsten Nohl presented the recent developments in reverse engineering the Mifare RFID card. What they basically did is polishing away the different layers of the chip in the Mifare card and then visually analyze the layers, trying to find the cryptographic relevant parts. The security of the low-end Mifare Classic cards is to be concerned as broken. “Start migrating!” 😉 This does not have an impact on the high-end Mifare DESFire card. Check out the video!

Slides 1
Slides 2

Torrent of the video recording in Matroska / Vorbis / H.264
Torrent of the video recording in MPEG-4 / AAC-LC / H.264

24C3: Bluetooth Stuff

Hi there! Greetings from 24C3, the annual hacker meeting of CCC. Some updates on Bluetooth related stuff:

Balle released a new version of bluediving, now available in version 0.9.

A funky new tool has been released at this congress: bluedrift. What driftnet is for ethernet, bluedrift is for Bluetooth. Using a special Bluetooth dongle which is capable of being flashed, you are now able to automatically sniff Bluetooth traffic and extract OBEX data, e.g. electronic vcards or pictures, from your sniff.

Another project I didn’t know before is the Wave Bubble by ladyada: “A design for a self-tuning portable RF jammer”

Best cite of the congress: “MIT doesn’t teach you how to fuck GSM-Networks” — Ladyada

iPhone’s Bluetooth Bug and the Metasploit Framework

As balle already pointed out, there is a major Bluetooth Bug in iPhones. The SDP-Service can be exploited to execute arbitrary code. The funny thing with iPhones is, that even when Inquiry Scan is disabled (“hidden Bluetooth device”) it’s easy to find out the Bluetooth Address of an iPhone: The WiFi-address is the Bluetooth address incremented by one. When you know the MAC Address of the iPhone, you also know the Bluetooth address.

Another interesting thing: The Metasploit Framework about to be ported to the iPhone. All the applications seem to run as UID 0 on the iPhone – this is going to be fun!

Source: Computerworld

Camp 2007 Review

Camp is over. Unfortunately I did not have enough spare time to write a in depth review, but I can say it was a lot of fun and very interesting. I didn’t enjoy the lectures very much, because the acoustic was lousy and the content of the lectures was not as good as I expected. But the concept of villages with people of same interests was very good. That way it was very easy to meet people with the same interests. One very interesting lecture was about the A5 Cracking Project. The projects goal is to implement a practical attack on the A5 cipher used in GSM networks. The cipher has already been broken in 1998 after the specs leaked into public because someone forgot to sign a NDA. But until now there is no public implementation of the attacks. There is a Wiki where the project is coordinated, check it out. That stuff is at the very top of my agenda. hmm, maybe not at the very top, but at the top ;-).

Anyway, due to the great atmosphere at the camp (especially during the night), I enjoyed it very much. Check out the flickr slideshow. I also made some photos, mostly night shots:
Continue reading Camp 2007 Review

Write your own CSR Firmware!

Darkircop have released their tools for reverse engineering CSR Firmware. The tools include a disassembler dis.c for disassembling official firmware. An assembler as.cc for writing your own firmware is also included. With these tools you are now able to write your own firmware for your CSR based Bluetooth Dongle, which might even include raw access for Bluetooth sniffing. The source code for sniffing Bluetooth under Linux included, too.

It might even be possible to port the techniques for finding hidden Bluetooth devices described in this paper onto a CSR dongle. In the paper GNU Radio with USRP was used. The source code used for this attack can be downloaded, too.