On Sat, Nov 30, 2013 at 10:18 AM, Dan Staples <danstaples@disman.tl> wrote:

I would be interested to see the details of the exploits you witnessed/were subject to (especially since I was at DC20).

of course; the complete details will be slow to arrive, not least because detailed description requires a demonstration in a reproduction test setup, rather than reporting of actual traffic. :/ that said, useful aspects i'll certainly provide on whim or request. the defining characteristics of the two types of attacks: DC19 with DRT: - "high power on-site", less descriminant attacks. target by and limited to location. - MitM for system, application, and protocol level attacks. Evilgrade, MasterKey vulns, etc. mostly known and a few 0day escalated attacks. - favorite attack: "Google Voice Search" always-on eavesdropper payload; Speex voice from all audible participants. DC20 with Alexander's toys: - "in the towers", highly targeted to specific devices, active over wide metro area. - baseband exploit vector for device key retrieval, memory and storage forensics, exfiltration. - PDoS attacks (bricked secondary devices used as fall back once identified by call graph; ~20 hours) - favorite attack: baseband pwn in airplane mode, with ex-filtration over custom channel. DC21: no appearance (observed). speculation ongoing...

How exactly did you determine how the exploits occurred, and who was responsible for them?

reversing attacker capabilities, toolkits, TTPs, humanpower/hours, a much longer tangent. but this assertion is based on correlation of the observed power, capacity, and protocols in specific bands implemented by the attacker with the capabilities of the DRT system. multiple locations, terabytes of captured spectrum, patience and tuning... as for who was operating it - unknown beyond the usual suspects, which is a small set due to the restricted distribution of both the hardware platform and the exploit kit atop it :) --- i'll send more details once available. the details and distribution to be part of a separate FOIPA effort for US citizen security enthusiasts that might be of interest to those following this thread. best regards,