25th Chaos Communication Congress
Opening Black Boxes
One trend you couldn't fail to notice was the inroads that hackers have made into hardware black boxes. Collien Mulliner, from Fraunhofer SIT, demonstrated telephone vulnerabilities, investigating buffer overflows in Symbian OS in the process.
Harald Welte took this a step further in his guide to dismantling smartphones. More and more high-end mobile devices have two controllers: an Application Processor (AP) that handles application control, and a Baseband Processor (BP) that handles wireless activity and phone calls.
Despite increasing numbers of SDKs for the AP – or for higher-level layers, such as Google Android – manufacturers are still reticent when it comes to hardware, which is all the more reason for Welte & Co. to investigate the hardware more closely. Many telephones have debugging soldering points for the JTAG interface on their PCBs. With more than a little dexterity and a trusty soldering iron, hackers can attach and fire up a serial console (Figure 5).
Whereas the first days of the congress were colorful and entertaining, but lacking in novelties, the organizers pulled a security ace out of their sleeves on the final day. After all, data tourists used to visit Berlin to marvel over the latest vulnerabilities. An international team of researchers and hackers disclosed how they had exploited a known, but widely ignored, MD5 vulnerability, with a couple of hundred dollars, and 200 PlayStations to create a CA keypair that was indistinguishable from the real thing.
There was no answer to the question of whether investigation authorities have purchased CA certificates yet to comply with the BKA (Germany's Federal Criminal Police Office) rules introduced at the beginning of 2009. At the end of the event, our verdict was mixed – overfilled rooms, a variety of topics, and an audience that was wide awake but still slightly puzzled as to whether it was currently witnessing the sell-out of freedom on the network.
Buy this article as PDF
A major setback for the Linux desktop.
Improved support for GPU in virtualization.
News site for the openSUSE community falls victim to a Wordpress exploit.
The source code is available online.
One out of three virtual machines on Microsoft Azure Cloud run Linux.
The form factor of the board makes it a drop-in replacement for Raspberry Pi.
Makes it easier for customers to move workloads into container-centric applications.
SUSE’s answer to container-centric operating systems.
Linux 4.9 is the biggest release in terms of number of commits.
The latest version of the official RHEL clone is here.