Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

DEF CON 19 - hackers get hacked!
From: coderman <coderman () gmail com>
Date: Wed, 10 Aug 2011 02:21:58 -0700

while most were enjoying libations or talks a very interesting event
was taking place at the conference.

we're all familiar with the hostility of WiFi and GSM networks at DEF
CON, however, this year the most hostile network on earth was not
802.11; it was CDMA and 4G!

on Friday some parts of Anon and Lulz made appearance. by early
Saturday morning a weapon was deployed.



some characteristics:

- full active MitM against CDMA and 4G connections from Rio to carriers.

- MitM positioning for remote exploitation to ring0 on Android and PC.

- fall back to userspace only or non-persistent methods when
persistent rootkit unattainable.

- many attack trees and weaponized exploits. escalation from easy pwns
up to specialized techniques and tactics until success is achieved.

- simultaneous attack across CDMA and 4G connections using full power
in these LICENSED bands.

- operated continuously (except for outages :) from early Saturday
until 8am Monday.

- designed with intent: mass exploitation, reconnaissance,
exfiltration, eavesdropping.



how to tell if you met the beast at Rio:

- did you accept an upgrade for Android, Java, or other applications? (oops)

- did you notice 3G/4G signal anomalies, including full signal yet
poor bandwidth or no link?

- did you notice your Android at full charged plugged in, but dropping
to <50% charge once unplugged?

- did you notice 4G download speeds at quarter of usual, yet uploads
over twice as fast?

- did you notice Android services that immediately respawn when
killed? (Voice Search?)

- does your Android no longer connect to USB debugging yet adbd is alive?

- does your PC have an sshd that cannot be kill -9'd?

- did your Android crash - a hard freeze, and then take a long time to reboot?

...many other indicators, but for now that's sufficient to express the point.



if you met the beast, it seemed to have a nearly perfect success rate;
your odds not good.  in fact you probably didn't even notice as it
pilfered bytes off your devices and monitored your conversations.

i have waited over six DEF CONs to meet an adversary of this skill.
i was not disappointed.

did the talks suck this year because the good stuff is under NDA?
clearly a lot of you are selling out...



to those who got pwned, i would be interested in your experiences and binaries:
 ID 9B65F087 , FP = 1029 E3E0 F22A C73D B2D6  468F 2798 76BB 9B65 F087
 gpg --keyserver pool.sks-keyservers.net --recv-keys 9B65F087
 gpg --keyserver subkeys.pgp.net --recv-keys 9B65F087
 gpg --keyserver pgp.mit.edu --recv-keys 9B65F087

to the beast operators, i hope to see you next year!
 (and get your availability deficiencies and network anomalies worked
out. kind of a shame you spent so much time and money only to have
your kit fall over again and again.  and thanks for the 0days :)


until next year,...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]