"Chaos Congress Peers Into Mobile Security, Protocols"

From McAfee blog:

I heard a number of interesting mobile-related talks at the 28th Chaos Communications Congress (28c3) this week. Not every talk at the Congress was about newly discovered bugs or zero-day exploits; sometimes we got the building blocks necessary to better understand systems and increase security. I enjoyed key presentations on reverse-engineering USB 3G data sticks and the internals of 2G and 3G mobile data protocols.

Reverse-engineering a Qualcomm basebandGuillaume Delugré acknowledged researcher Ralph Phillip Weinmann’s work from last year during Delugré’s talk on reverse-engineering a popular 3G USB data stick.
 Guillaume Delugré discusses how he reverse-engineered Qualcomm firmware and developed a debugger.

[...]

Cellular protocol stacks for InternetHarald Welte, a lead developer of the Openmoko project and a Linux kernel developer, gave a good breakdown of various mobile data protocols. Cellular voice communication on GSM has gotten a lot of coverage over the years, but outside of the mobile industry there has been little to no information on how the data protocols function.
Harald Welte presents details on mobile data protocols.

"Networked Printers at Risk"

From McAfee blog:

"Multifunction printers (MFPs) have been common in offices for years. They let employees print, scan, and copy documents. Two separate talks at the 28th Chaos Communications Congress (28c3) show how attackers can infect these trusted office devices.

Hacking MFPs

In Andrei Costin’s presentation “Hacking MFPs,” he covered the history of printer and copier hacks from the 1960s to today. The meat of the talk concerned executing remote code on an MFP using crafted PostScript. Just printing a particular document can get code to run on the machine. Previous research proof of concepts have done exactly that, once with a specially designed Word document and once with a Java applet.

Printers and copiers have been targets of attackers and spies for decades.

[...]

Print me if you can

A day later researcher Ang Cui referred to Costin’s talk about PostScript attacks, though Cui’s research was limited to MFPs from HP. Similar to the earlier presentation Cui’s attack leveraged the update capabilities on multifunction devices.

Ang Cui and Jonathan Voris demonstrate printer malware that forwards printed documents to a printer outside the corporate network.

"Fighting Mobile Phone Impersonation and Surveillance"

From McAfee blog:

"[...] at the 28th Chaos Communications Congress (28C3), in Berlin, security researchers along with Karsten Nohl and Luca Melette showcased a number of flaws and solutions in GSM mobile phone networks."

Karsten Nohl presenting “Defending Mobile Phones” at the 28th Chaos Communications Congress.

An additional technique used to locate mobile phones is the so-called Silent SMS. These messages are silently ignored by the majority of mobile phones and give no indication to the user. But the messages leave trails in customer service records, the logs kept by mobile carriers, and allow monitors to correlate a mobile phone’s location with that of cell towers.

Our presenters have developed free software, CatcherCatcher, which detects features used by IMSI catchers that regular cell towers don’t use. The GSM security map, a site that uses data from the CatcherCatcher tool, helps to track unauthorized mobile phone monitoring.