25th Chaos Communication Congress
Opening Black Boxes
One trend you couldn't fail to notice was the inroads that hackers have made into hardware black boxes. Collien Mulliner, from Fraunhofer SIT, demonstrated telephone vulnerabilities, investigating buffer overflows in Symbian OS in the process.
Harald Welte took this a step further in his guide to dismantling smartphones. More and more high-end mobile devices have two controllers: an Application Processor (AP) that handles application control, and a Baseband Processor (BP) that handles wireless activity and phone calls.
Dismantling Phones
Despite increasing numbers of SDKs for the AP – or for higher-level layers, such as Google Android – manufacturers are still reticent when it comes to hardware, which is all the more reason for Welte & Co. to investigate the hardware more closely. Many telephones have debugging soldering points for the JTAG interface on their PCBs. With more than a little dexterity and a trusty soldering iron, hackers can attach and fire up a serial console (Figure 5).
Figure 5: Wire and more than a little dexterity are needed to solder a serial console onto a Glofiish smartphone. JTAG connectors provide access.
Genuine Vulnerabilities
Whereas the first days of the congress were colorful and entertaining, but lacking in novelties, the organizers pulled a security ace out of their sleeves on the final day. After all, data tourists used to visit Berlin to marvel over the latest vulnerabilities. An international team of researchers and hackers disclosed how they had exploited a known, but widely ignored, MD5 vulnerability, with a couple of hundred dollars, and 200 PlayStations to create a CA keypair that was indistinguishable from the real thing.
There was no answer to the question of whether investigation authorities have purchased CA certificates yet to comply with the BKA (Germany's Federal Criminal Police Office) rules introduced at the beginning of 2009. At the end of the event, our verdict was mixed – overfilled rooms, a variety of topics, and an audience that was wide awake but still slightly puzzled as to whether it was currently witnessing the sell-out of freedom on the network.
Infos
- 25c3 website with lecture notes: http://events.ccc.de/congress/2008/
- C-Base: http://www.c-base.org
- OpenPattern: http://openpattern.org
- Faifa: https://dev.open-plc.org
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia
News
-
Tuxedo Computers Joins the Ryzen Bandwagon
Tuxedo Computers has released the Tuxedo Boot BA15 with an AMD Ryzen 3500 CPU.
-
Linux Apps on Windows Is Coming
Linux GUI apps will be coming to Windows Subsystem for Linux.
-
Linux Usage Is on the Rise
According to NetMarketShare, Linux saw a significant bump in usage during April.
-
Lenovo is Jumping on the Linux Laptop Bandwagon
PC and laptop maker Lenovo is set to release ThinkPad laptops pre-installed with Fedora Linux.
-
A New Linux Laptop Is in the Making
Manjaro Linux and TUXEDO computers have joined forces to develop the InfinityBook Manjaro.
-
Ubuntu 20.04 Has Been Released
The latest iteration of the user-friendly Linux distribution is now available.
-
Nextcloud Partners with IONOS
Nextcloud has partnered with Germany’s largest cloud provider, IONOS, to provide a safe haven for your data within the cloud.
-
Linux to Get High Resolution Wheel Scrolling
Work on high resolution wheel scrolling for the Linux desktop is being completed.
-
KDE Developers Are Working on a TV Interface
The developers of the KDE desktop are hard at work to create a TV interface.
-
System76 Is Developing a New Keyboard
The company behind the incredibly powerful Thelio desktop is developing a new keyboard.