DEF CON cell network attacks

coderman coderman at gmail.com
Mon Dec 2 10:29:05 PST 2013


On Sat, Nov 30, 2013 at 10:18 AM, Dan Staples <danstaples at disman.tl> wrote:
> I would be interested to see the details of the exploits you
> witnessed/were subject to (especially since I was at DC20).

of course; the complete details will be slow to arrive, not least
because detailed description requires a demonstration in a
reproduction test setup, rather than reporting of actual traffic. :/


that said, useful aspects i'll certainly provide on whim or request.



the defining characteristics of the two types of attacks:

DC19 with DRT:
- "high power on-site", less descriminant attacks. target by and
limited to location.
- MitM for system, application, and protocol level attacks. Evilgrade,
MasterKey vulns, etc.  mostly known and a few 0day escalated attacks.
- favorite attack: "Google Voice Search" always-on eavesdropper
payload; Speex voice from all audible participants.


DC20 with Alexander's toys:
- "in the towers", highly targeted to specific devices, active over
wide metro area.
- baseband exploit vector for device key retrieval, memory and storage
forensics, exfiltration.
- PDoS attacks (bricked secondary devices used as fall back once
identified by call graph; ~20 hours)
- favorite attack: baseband pwn in airplane mode, with ex-filtration
over custom channel.


DC21: no appearance (observed).  speculation ongoing...



> How exactly
> did you determine how the exploits occurred, and who was responsible for
> them?


reversing attacker capabilities, toolkits, TTPs, humanpower/hours, a
much longer tangent.  but this assertion is based on correlation of
the observed power, capacity, and protocols in specific bands
implemented by the attacker with the capabilities of the DRT system.
multiple locations, terabytes of captured spectrum, patience and
tuning...

as for who was operating it - unknown beyond the usual suspects, which
is a small set due to the restricted distribution of both the hardware
platform and the exploit kit atop it :)


---

i'll send more details once available.  the details and distribution
to be part of a separate FOIPA effort for US citizen security
enthusiasts that might be of interest to those following this thread.

best regards,



More information about the cypherpunks mailing list