85
War Texting Weaponizing Machine 2 Machine @DonAndrewBailey [email protected]

War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

  • Upload
    ledung

  • View
    216

  • Download
    2

Embed Size (px)

Citation preview

Page 1: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

War TextingWeaponizing Machine 2 Machine

@[email protected]

Page 2: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

whois donb?

Page 3: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

whatis iSEC Partners?

Page 4: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

whyare we here?

Page 5: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

No, really.

• Cellular enabled pill bottles

• Track pill usage remotely

• Email alerts when

▫ Pill count is low

▫ Pills haven’t been taken

▫ When its time to take your pill

Page 6: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Wait. That sounds bad.

Page 7: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

But, it’s helping people.

• Alzheimer’s patients

• Children with severe diseases

• Physically disabled patients

• Overworked security consultants

Page 8: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Wait. That sounds good.

Page 9: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 10: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 11: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Everything will be a computer

Page 12: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Examples?

• Medical devices (personal, industrial)

• Industrial monitoring

• Automated Teller Machines

• Industrial/Commercial Alarm Systems

• Home Alarm Systems

• …Car security systems

Page 13: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

I would have owned ATMs, but…

Page 14: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 15: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Elegant Attacks Against M2M

Page 16: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Attack methods

• Firmware Over The Air (FOTA)

• Long Range Baseband Compromise

• Access Point Name (APN) Private Network compromise

Page 17: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

FOTA Hacking?

Page 18: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

FOTA

• A methodology for

▫ Devising a firmware patch/update

▫ Securely packaging the patch/update

▫ Shipping it OTA to be applied

Page 19: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

FOTA Attacks

• Benefits▫ Elegant▫ Mass compromise of multiple types of devices Multiple vendors use the same baseband

• Negatives▫ Very chip specific▫ Impacts the update lifecycle▫ Requires specialized firmware▫ Corner cases = potential detection▫ FOTA compromise != Application compromise▫ FOTA may not be used in specific M2M deployments

Page 20: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

FOTA Conclusion?

Page 21: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 22: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

So you thought baseband attacks were

local only, eh?

Page 23: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Long Range Baseband Compromise

• Yep, Basebands have TCP/IP stacks• Oh, and these too

▫ HTTP▫ FTP▫ DNS▫ ICMP▫ TCP client/server▫ UDP client/server▫ POP3▫ SMTP

Page 24: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Long Range Baseband Attacks

• Benefits▫ Elegant▫ Mass persistent compromise▫ Doesn’t mess up firmware updates▫ Backdoors are light weight▫ Potential detection is slim to none

• Negatives▫ Very chip specific▫ Requires zero-day▫ Large time to deployment▫ Target could be Java VM, could be C/C++

Page 25: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Long Range Baseband Conclusion?

Page 26: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 27: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

APN Private Network Attacks?

Page 28: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

APN Private Network Attacks

• Benefits

▫ None

• Negatives

▫ Uninteresting

▫ Boring

▫ Pointless

▫ Repetitive

▫ The Grugq would laugh at me

Page 29: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

You don’t need to see a conclusion for

this one.

Page 30: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

So, what should we do?

Page 31: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Common M2M Example from Microchip

Page 32: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Find Architectural Commonalities

• Baseband ▫ modules must be approved▫ The approved list is public▫ few features▫ can’t drive Application Logic

• Microcontrollers▫ Small RAM▫ Small Code Space (flash)▫ Minimal security surface (if any)

Page 33: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Find Architectural Commonalities

• Communication

▫ Network Comm = Baseband

▫ Peripheral Comm = uC

▫ Comm between Baseband & uC = UART

• Cryptographic Capability

▫ Only some Basebands provide HTTPS/SSL

Usually only Java VM capable

▫ uC is usually baked (or non-existent)

Page 34: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Basebands Accept Hayes AT

• For network requests

▫ AT+UHTTPC

▫ AT^SISS

▫ AT^USORF

• For Incoming/Outgoing SMS

▫ AT+CMGL

▫ AT^SMGL

Page 35: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

The Payload May Be Encrypted

• If the payload is encrypted

▫ Finite ways the Application can generate a key

IMSI

GSM Timestamp

IMEI

Static Secret

Value from Network (Data or SMS)

• Some applications don’t even encrypt

Page 36: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

If encrypted, how do we analyze?

Page 37: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

How do we extract it?

• Use datasheet to find pins

▫ Don’t have the uC datasheet?

▫ Most baseband datasheets are public

• Use multimeter to

▫ trace baseband UART -> uC UART

▫ Trace VCC, VSS

▫ = Now you know 4 pins on your unknown uC

▫ Scan leftovers for JTAG/etc

Page 38: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

How do we extract it?

• Logic Analyzer

▫ Tap the UART pins

▫ Find test pads, if available

▫ Solder only when necessary (limit damage)

• Most basebands will only talk

▫ Async Serial 9600 8N1

▫ Async Serial 115200 8N1

▫ Process data at both speeds

Page 39: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 40: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 41: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Next, we reverse.

Page 42: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

It’s not always easy

• Difficult to determine crypto keys

• Protocol may be dynamic

• Nonces may get in the way

Page 43: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Some light Hardware Hacking?

Page 44: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Nothing too new

• Simple/Differential Power Analysis

▫ Extract keys

• Glitching

▫ Extract firmware

▫ Bypass fuses to set DEBUG mode

• Blue wire fixes

▫ Enable DEBUG mode

• Add/remove resistors

▫ Enable DEBUG mode

Page 45: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Revenge (REVerse ENGinEering)

• uC are easy

▫ Small code base

▫ Predictable vectors

▫ Simple opcode architecture

▫ Typically noMMU (used)

Page 46: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

The STM8 example

• stm8s207xx

▫ 24MHz clock

▫ 6KB RAM

▫ 128KB Flash

▫ 96 assembly instructions

Page 47: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 48: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 49: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 50: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Disassembling & Emulating = Easy

• Few registers (X, Y, PC, SP, A, C)

• Instructions are easy to decode

▫ A common bit represents a type of memory access

▫ No Store, just Load

• Emulation requirements are minimal

▫ Inject interrupts as desired

▫ Managing the Clock isn’t complex

▫ Simple buffer for UART bytes

Page 51: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 52: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Releasable Tools

• GPLv2 License

• This week

▫ STM8 disassembler

▫ STM8 emulator

• At HITB KL

▫ STM8 SWIM for GoodFET

Page 53: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Point of Reverse Engineering?

• Determine vectors for communication

▫ SMS

▫ Internet

▫ Voice calls

• Extract messages for Comm Channels

• Develop Protocol APIs

Page 54: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

With comm channel…

• Identify commands

• Build payloads

• Assess delivery mechanisms

• Essentially: Build a strategy for attack

Page 55: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Building a Fingerprint

Page 56: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Device Profiling

• Network fingerprint▫ Which network provider?▫ Is it allocated an MSISDN?▫ Is voice allowed?▫ Is SMS allowed?▫ Caller ID?▫ NPA NXX?▫ HLR?

• Physical fingerprint▫ Recognizable SIM▫ Baseband Capabilities

Page 57: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Why Device Profile?

• SMS is Noisy

▫ Hundreds of thousands of MSISDN

▫ Decrease cost

▫ Evade SMS SPAM filters

▫ Don’t tip off your Target

Page 58: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Simple Profiling Tools

• Scripts by donb and NickDE!

▫ Hello, Carmen Sandiego :)

• Snarf Caller ID

• Scan HLR

• Build MSC databases

Page 59: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 60: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Quick Example: iPad on AT&T

• Provider?

▫ AT&T (MCC: 310, MNC: 410)

• Caller ID?

▫ Billable name “BAILEY DON”

• MSISDN & MSC

▫ MSC location != NPA NXX

• Voice capability

▫ Error

Page 61: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Phew! That’s a lot of stuff!

Page 62: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Overall Strategy?

• Identify target industry

• Build doc library

• Intercept initial command set

• Attack hardware

• Reverse engineer firmware

• Extract commands

• Identify command channels

• Devise network fingerprint

• Attack!

Page 63: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Case Study: Zoombak Tracking Device

Page 64: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Zoombak “Advanced GPS Tracker”

• Sold in over 12,500 stores in USA

• Smart Phone App (iPhone, Android, Blackberry)

• 2x as big as your 6th Generation iPod Nano

• Track your…

▫ Car

▫ Family

▫ Pet

▫ Valuables

Page 65: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Zoombak Architecture

• Renesas SH microprocessor

• Cinterion Wireless MC56

• GR-520 GPS Module

Page 66: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Intercept Initial AT Command Set

• Accepts SMS commands

• Uploads data to Internet

• Retrieves IMSI, IMEI, Network Timestamp, etc

• Monitors Base Station Info (RSSI, LAC, CI, etc)

Page 67: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 68: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 69: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Zoombak Communication Channel

• Comm Vectors

▫ SMS

▫ Internet

• Control Channel

▫ Use SMSsubmit to ship the SMS via Kannel

• Callbacks

▫ SIM in GSM Modem

Page 70: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Zoombak Network Fingerprint

• HLR

• Caller ID

• Voice capability

• MSC vs. MSISDN

• Specialized SMS

Page 71: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 72: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Fingerprint Result?

• 72% Success Rate

• Several hundred Zoombak

Page 73: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Zoombak Overall Result?

Page 74: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 75: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 76: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Case Study: Car Security Module

Page 77: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Strategy

• Target industry

• Doc library

• Intercept initial command set

• Attack hardware

• RevEng firmware

• Identify command channels

• Devise network fingerprint

• Attack!

Page 78: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Car Security Overall Result?

Page 79: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 80: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t
Page 81: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Embedded Security is Hard.

Page 82: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Don’t make it harder

• Increase crypto usage

• Ensure APN security

• Use Nonces/Tokens

• Don’t embed IP addresses in SMS ;)

• Don’t push insecure architecture

▫ Require PKI/SSL

• Decrease Prices of Security uC

▫ Atmel

▫ ST

Page 83: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

All tools can be downloaded…

• https://wartexting.org/

• Simple Zoombak Scanner

• FindMe HLR/MSC snarfer

• WhoIs Caller ID client

• Soon to come (end of next week)

▫ STM8 Disassembler

▫ STM8 Emulator

Page 84: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

Thanks to…

• iSEC Partners, NCC Group, and Alex Stamos• Mat Solnik• Joe Gratz• Nick DePetrillo• Mike Ossmann• Travis Goodspeed• Patrick McCanna• Justine Osborne• Heidi Cuda• David Munson• Robot insect image © Mike Libby

Page 85: War Texting - NCC Group · PDF fileWar Texting Weaponizing Machine ... Impacts the update lifecycle ... IMEI Static Secret Value from Network (Data or SMS) •Some applications don’t

“Even if my collar bones crush or crumble.”

- Eminem