Podcasts about usrp

  • 3 podcasts
  • 4 episodes
  • 45m average duration
  • Infrequent episodes
  • Latest episode: Apr 6, 2019

Latest podcast episodes about usrp

Unnamed Reverse Engineering Podcast
019 - It's Still Not Magic

Apr 6, 2019 (45:02)

This week, Holly Graceful (@HollyGraceful, gracefulsecurity.com) joined us to talk about her recent hardware reverse engineering blog series and her pen(etration) testing and security career in both public and private sectors. She tells us about how she entered the field via the military and some of those differences. We discussed breaking down projects into smaller bites. We talk about why getting access to the JTAG (use it for...) port can be super easy in the consumer product and it may be more calculated than expected. The series ends with some key fob fun. We do a minor round up of software defined radio and the USRP used with GNU Radio. We catch up on what Alvaro is doing with his SDRs. Holly is working on more posts, so follow to stay updated with the latest.

Links that came up:

  • PulseView logic analyzer
  • Michael Ossmann (of Great Scott Gadgets) tutorials (one of many)
  • Cheap: JTAG on Arduino, Black Magic Probe, CortexProg
  • Expensive: JTAGulator, Segger J-Link
  • Radio posts/tutorial by Oona Räisänen @Windyoona (Website)

Have comments or suggestions for us? Find us on Twitter @unnamed_show, or email us at show@unnamedre.com.

Music by TeknoAxe (http://www.youtube.com/user/teknoaxe)

DEF CON 23 [Audio] Speeches from the Hacker Convention
Lin Huang & Qing Yang - Low-cost GPS simulator – GPS spoofing by SDR

Oct 16, 2015

Materials available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Lin-Huang-Qing-Yang-GPS-Spoofing.pdf

Low-cost GPS simulator – GPS spoofing by SDR

Lin Huang, Senior wireless security researcher, Qihoo 360 Technology Co. Ltd.
Qing Yang, Team Leader of Unicorn Team, Qihoo 360 Technology Co. Ltd.

It is known that the GPS L1 signal is unencrypted, so someone can produce or replay a fake GPS signal to make GPS receivers get wrong positioning results. There are many companies that provide commercial GPS emulators, which can be used for GPS spoofing, but the commercial emulators are quite expensive, or at least not free. Now we found that by integrating some open source projects related to GPS we can produce GPS signals through SDR tools, e.g. USRP / bladeRF. This makes the attack cost very low. It may influence all civilian-use GPS chipsets. In this presentation, the basic GPS system principle, signal structure, and mathematical models of pseudo-range and Doppler effect will be introduced. The useful open source projects on the Internet will be shared with attendees.

HUANG Lin is a wireless security researcher from Unicorn Team of Qihoo 360 China. Before entering Qihoo, she worked for telecom operator Orange for 9 years as a wireless researcher. Her interests include the security issues in wireless communication, especially cellular network security, and also other problems in ADS-B, GPS, Bluetooth, WiFi, and automotive electronics. Twitter: @huanglin_bupt. She is one of the earliest users of USRP in China, and has kept active in SDR/USRP research and development since 2006. She contributed to several UMTS/LTE soft base station projects, e.g. Open Air Interface. In 2009, she wrote a free e-book for GNU Radio training, which is very popular in China.

YANG Qing is the team leader of Unicorn Team in Qihoo 360 Technology Co. Ltd. He has rich experience in the wireless and hardware security area, including WiFi penetration testing, cellular network interception, IC card cracking etc. His interests also cover embedded system hacking, firmware reversing, automotive security, and software radio. He is the first one who reported the vulnerabilities of the WiFi system and RF IC card system used in the Beijing subway.

DEF CON 23 [Audio] Speeches from the Hacker Convention
Yuwei Zheng & Haoqi Shan - Build a free cellular traffic capture tool with a vxworks based femoto

Oct 15, 2015

Materials available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Yuwei-Zheng-Haoqi-Shan-Build-a-Free-Cellular-Traffic-Capture-Tool-with-a-VxWorks-Based-Femto.pdf

Build a free cellular traffic capture tool with a vxworks based femoto

Yuwei Zheng, Senior security researcher, Qihoo 360 Technology Co. Ltd.
Haoqi Shan, Wireless/hardware security researcher, Qihoo 360 Technology Co. Ltd.

In recent years, more and more products are integrated with cellular modems, such as cars of BMW, Tesla, wearable devices, remote meters, i.e. the Internet of Things. Through this way, manufactories can offer remote service and develop a lot of attractive functions to make their products more valuable. However, many vulnerabilities have also been introduced into these systems. It puts new questions to black-box penetration testing engineers. How to capture the SMS command between the cellular modem and the remote server? How to intercept the data link? Some existing solutions, such as USRP based OpenBTS and the commercial product nanoBTS, can be used to build a fake base station and capture data traffic. However, all of them cannot access the real operator's core network, so they cannot capture real SMS and voice traffic. With the inspiration from social engineering, we got a femto-cell base station from a telecom operator. After a series of hacking and modifications, we built it as a powerful SMS, voice and data link inception tool. Furthermore, unlike a fake station, it’s a legal base station and authorized to access the operator’s core network. With this tool, we can conveniently explore vulnerabilities of the cellular modem inside products.

Yuwei Zheng is a senior security researcher who has concentrated on embedded systems for over 10 years. He reversed the BlackBerry BBM, PIN, BIS push mail protocol, and decrypted the network stream successfully in 2011. One year later, he finished a MITM attack for BlackBerry BES, which is based on a modified ECMQV protocol of RIM. In Q4 of 2014, he entered the wireless security research group, Unicorn Team, in Qihoo 360 China. Now he is focusing on the security issues of embedded hardware and IoT systems. Twitter: @hwiosec

Haoqi Shan is currently a wireless/hardware security researcher in Unicorn Team, Qihoo 360 Technology Corporation. He obtained a bachelor's degree in electronic engineering from Harbin Engineering University, China, in 2015. He focuses on Wi-Fi penetration, GSM systems, router/switcher hacking etc. Other research interests include mobile phone application security and reverse engineering on embedded devices such as femto-cell base station, audio cameras.

DEF CON 22 [Materials] Speeches from the Hacker Convention.
Brian Gorenc and Matt Molinyawe - Blowing up the Celly - Building Your Own SMS/MMS Fuzzer

Dec 12, 2014

Slides here: https://defcon.org/images/defcon-22/dc-22-presentations/Gorenc-Molinyawe/DEFCON-22-Brian-Gorenc-Matt-Molinyawe-Blowing-Up-The-Celly-UPDATED.pdf

Blowing up the Celly - Building Your Own SMS/MMS Fuzzer

Brian Gorenc, ZERO DAY INITIATIVE, HP SECURITY RESEARCH
Matt Molinyawe, ZERO DAY INITIATIVE, HP SECURITY RESEARCH

Every time you hand out your phone number you are giving adversaries access to an ever-increasing attack surface. Text messages and the protocols that support them offer attackers an unbelievable advantage. Mobile phones will typically process the data without user interaction, and (incorrectly) handle a large number of data types, including various picture, audio, and video formats. To make matters worse, you are relying on the carriers to be your front line of defense against these types of attacks. Honestly, the mobile device sounds like it was custom built for remote exploitation. The question you should be asking yourself is: How do I find weaknesses in this attack surface?

This talk will focus on the "do-it-yourself" aspect of building your own SMS/MMS fuzzer. We will take an in-depth look at exercising this attack surface virtually, using emulators, and on the physical devices using OpenBTS and a USRP. To help ease your entry into researching mobile platforms, we will examine the messaging specifications along with the file formats that are available for testing. The value of vulnerabilities in mobile platforms has never been higher. Our goal is to ensure you have all the details you need to quickly find and profit from them.

Brian Gorenc is the manager of Vulnerability Research in HP's Security Research organization where his primary responsibility is running the world’s largest vendor-agnostic bug bounty program, the Zero Day Initiative (ZDI). He’s analyzed and performed root cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions. Brian’s current research centers on discovering new vulnerabilities, analyzing attack techniques, and identifying vulnerability trends. His work has led to the discovery and remediation of numerous critical vulnerabilities in Microsoft, Oracle, Novell, HP, open-source software, SCADA systems, and embedded devices. He has also presented at numerous security conferences such as Black Hat, DEF CON, and RSA.

Matt Molinyawe is a vulnerability analyst and exploit developer for HP’s Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability. He was also part of HP’s winning team at Pwn2Own/Pwn4Fun who exploited Internet Explorer 11 on Windows 8.1 x64. Prior to being part of ZDI, he worked at L-3 Communications, USAA, and General Dynamics – Advanced Information Systems. In his spare time, he was also a 2005 and 2007 US Finalist as a Scratch DJ. He also enjoys video games and has obtained National Hero status in QWOP and beat Contra using only the laser without dying a single time. Matt has a B.S. in Computer Science from the University of Texas at Austin.