Chaos Congress Peers Into Mobile Security, Protocols

I heard a number of interesting mobile-related talks at the 28th Chaos Communications Congress (28c3) this week. Not every talk at the Congress was about newly discovered bugs or zero-day exploits; sometimes we got the building blocks necessary to better understand systems and increase security. I enjoyed key presentations on reverse-engineering USB 3G data sticks and the internals of 2G and 3G mobile data protocols.

Reverse-engineering a Qualcomm baseband
Guillaume Delugré acknowledged researcher Ralph Phillip Weinmann’s work from last year during Delugré’s talk on reverse-engineering a popular 3G USB data stick.

Guillaume Delugré discusses how he reverse-engineered Qualcomm firmware and developed a debugger.

The USB stick runs a proprietary OS named REX. Delugré reverse-engineered a diagnostic mode used by Qualcomm engineers. Although some work has been done on documenting and using the diagnostics interface (the ModemManager project), he developed more detailed specifications.

Delugré explains the format for an undocumented diagnostics interface.

Cellular protocol stacks for Internet
Harald Welte, a lead developer of the Openmoko project and a Linux kernel developer, gave a good breakdown of various mobile data protocols. Cellular voice communication on GSM has gotten a lot of coverage over the years, but outside of the mobile industry there has been little to no information on how the data protocols function.

Harald Welte presents details on mobile data protocols.

The talk covered the layout of a number of the mobile data protocols, including the latest 3G protocols.

Diagram of UMTS network architecture.

Perhaps in the next year we will see more development in the exploitation and security of mobile devices.

Boston D.A. Subpoenas Twitter Over Occupy Boston, Anonymous

@p0isan0n's Twitter icon, the Antisec oenophile

On December 14, Twitter received a bizarre subpoena from the District Attorney of Suffolk County, which includes Boston.

It requested “All available subscriber information, for the account or accounts associated with the following information, including IP address logs for account creation and for the period December 8, 2011 to December 13, 2011.” The named targets included two hashtags, two accounts, and one proper name:

That subpoena, as written, ostensibly asks for whatever identifying information Twitter has on anyone who used the hashtags #bostonpd and #d0xcak3 from 12/8/2011 to 12/14/2011, which could number in the thousands.

It’s unclear if that’s what the Boston police meant to do, or if they are unfamiliar with Twitter. It seems likely the latter, given that the @occupyboston account is a year-and-a-half old fallow account with four tweets. The quasi-official Twitter account for the Occupy Boston movement that was evicted in this time frame is @occupy_boston.

@p0isan0n purports to be a participant in Antisec, the blackhat wing of Anonymous, which has targeted the Boston Police several times in document releases that have included online logins, physical addresses, and most recently, payroll information for 40 senior officers. The subpoena may also be related to the d0xing, or document publication, of Boston Mayor Tom Menino on December 9th, as tweeted by @youranonnews:

“Boston Mayor Tom Menino d0x’d, courtesy of @DoxCak3 — #OccupyBoston << someone order the man a pizza, stat!”

If so, the district attorney’s office mixed up their # and @ symbols.

The subpoena also includes a request for confidentiality from the Special Prosecutions Unit, but carried no actual legal gag order. Without a court order, the request for confidentiality had no more enforceability than if Assistant District Attorney Benjamin Goldberger had also asked Twitter to send him a cupcake.

It’s Twitter’s policy to forward a subpoena to its target in order to give the user a chance to fight it, unless the company is specifically gagged. It appears that @p0isan0n received a copy from Twitter and posted it to Scribd.

ACLU attorney Peter Krupp, who is representing user @p0isan0n, filed a motion to quash the subpoena on First Amendment grounds. But Thursday, the ACLU seemed to be dealt a defeat when Suffolk Superior Court Judge Carol Ball issued an impoundment order after hearing the case in whispers at the bench.

This barred anyone in the case from talking about the arguments on either side, or about why the motion to dismiss the subpoena was likely rejected. Impoundment is an extraordinary measure that can be requested by one side of a case, and is generally granted only in cases involving sensitive security issues, investigative issues, witness intimidation, or the possibility of the suspect running.

“I think none (of these reasons) are valid in this instance,” said Krupp.

For its part, the Boston Police told Boston local publication BostInno that the “Boston Police Department is investigating serious threats directed at department personnel. The department will not disclose the specific nature of the intelligence gathered relative to this matter.”

But what does it mean to subpoena a hashtag?

Krupp has a scary interpretation: “Presumably that means the IP address of anyone that uses that hashtag. It’s all IP address logs associated with that Twitter address.”

That would mean Twitter would be required to turn over the IP addresses and e-mail addresses of anyone who used the hashtag #BostonPD from December 12 to 14, a time period covering the widely followed eviction of Occupy Boston from Dewey park.

Krupp also sees a fishing expedition in the phrasing of “for the account or accounts associated with the following information”. That, he believes, could mean anyone that’s a follower of that account.

“In my view the statute… doesn’t go nearly so far in permitting an administrative subpoena to get that information,” Krupp said. “You have to go to a court and prove you’re entitled to that stuff.”

If the D.A. has this liberal interpretation of the subpoena, your humble Wired reporter is included for the incriminating act of following someone on Twitter.

Photo: floordje/Flickr

Correction: The story was updated to reflect that the hearing consisted mostly of attorneys conferring with the judge.

Beyond ‘Blowin’ in the Wind’: The Music of Occupy Wall Street

A movement goes nowhere without creating culture as it grows.

To wit, the fast growing Occupy movement has become a locus for cultural creation by artists and musicians, as well as technologists and political activists. It started out spare, borrowing from the past.

Back in October, while I was visiting the weary crew of Occupy Long Beach, they gathered in a circle after GA to sing together to one occupier’s guitar. But at that moment there were no songs about the Occupy movement.

Instead they sang ’60s protest standards, Blowin’ in the Wind, What’s going on, and found camaraderie in the Beatles’ With a Little Help from my Friends. But 50-year-old songs could only go so far, they couldn’t really describe the now. In the months since, Occupy music has started to flow.

Here’s a sample of some of the music generated by and about the Occupys.

  • The beautiful and folky We Are The Many (above) by Hawaiian artist Makana is not only written specifically as a song for the Occupy movement, it has the distinction of having been a surprise act at the World Leaders Dinner at APEC, when Makana pulled open his jacket and shirt to reveal an undershirt with “Occupy with Aloha” handwritten on it. He started out quiet and hesitant in front of the room of dignitaries, singing We’ll occupy the streets / we’ll occupy the courts / We’ll occupy the offices of you / ‘Til you do / The bidding of the many, not the few.
  • Dear Mr. President comes straight out of the occupy, from Gabriel Quinn Andreas of Occupy Santa Barbara. He expresses a common sentiment in the occupys: many supporters of Obama feel he’s failed them with the whole hope-y change-y thing. We gave you a fair chance and this is how it went / Signed sincerely yours / The Other Ninety-Nine Percent.

  • Third Eye Blind did an upbeat tribute calling for the youth to rally to the Occupy movement with If Ever There Was A Time, which they’ve made available for free. Despite being an optimistic song overall (Things only get brighter when you light a spark / Everywhere you go right now is Zuccotti park), it’s bookended by samples from police confrontations, including Iraq vet Scott Olsen’s Occupy Oakland head wound. The group has asked downloaders to donate to the Occupy movement.
  • Hip-hop artist MK-ULTRA (not to be confused with the alternative band from the Bay Area or the Chicago punk band of the same name, both from the 1990s) appears to have joined the movement around September 26th. His track Who’s The Man was shot at Zuccotti park in New York City a month before its eviction.

  • The Roaring featuring Ari Herstand did a reggae-influenced song, Finally Here, which emphasizes the arrival and outrage of the young, much as Third Eye Blind did. There’s a pay-what-you-want Bandcamp link. Then there is We Stand As One (#occupywallstreet), a Bob Dylan/Woody Guthrie inspired folk tune for the Occupy movement. Despite the gentle music, this song has the most violent lyrics of these occupy songs, pointed at the metaphorical 1%: And what you won’t share / Will be ripped from your hands / Your body destroyed / The way fire lands / Burning your homes

  • Miley Cyrus didn’t pen a song specifically for the Occupy, but her new video for the song Liberty Walk is made out of expertly edited footage of marches and crackdowns on OWS around the world. It also has the distinction of being the most viewed Occupy-related music video on Youtube, clocking in at 600,000 views.

  • While this list is by no means comprehensive, no survey of occupational music could overlook OWS’s first music fan, Lupe Fiasco. His new track, The End Of The World, starts out talking about Rachel Corrie and Palestine, but spends some time on OWS, which he visited early on. He riffs on some common marching chants with lyrics like Whose streets? Our streets, it’ll never be deleted / No matter how many cops that you send to try and beat it

In the New Year, as people process the evictions of the fall and get through the winter, it will likely be a culturally rich time for Occupiers. It’s one advantage of the evictions for OWS: they’re driving the activist artists, technologists, and makers out of the parks and back into their studios, offices, and hackerspaces.

Networked Printers at Risk

Multifunction printers (MFPs) have been common in offices for years. They let employees print, scan, and copy documents. Two separate talks at the 28th Chaos Communications Congress (28c3) show how attackers can infect these trusted office devices.

Hacking MFPs
In Andrei Costin’s presentation “Hacking MFPs,” he covered the history of printer and copier hacks from the 1960s to today. The meat of the talk concerned executing remote code on an MFP using crafted PostScript: just printing a particular document can get code to run on the machine. Previous proof-of-concept research has done exactly that, once with a specially designed Word document and once with a Java applet.

Printers and copiers have been targets of attackers and spies for decades.

Costin found a method to exploit the firmware update capability of certain Xerox MFPs to upload his crafted PostScript code. He was able to run code to dump memory from the printer. This could allow an attacker to grab passwords for the administration interface or access or print PIN-protected documents.

Attackers can grab passwords to the administration interface from an MFP's memory.

MFPs are trusted devices connected to the office network, but sometimes they’re also accessible from the Internet. The number of publicly accessible office MFPs is in the tens of thousands. An attacker could craft PostScript code tied to exploits from the Metasploit framework and upload it to an MFP to attack a corporate network.

Print me if you can
A day later, researcher Ang Cui referred to Costin’s talk about PostScript attacks, though Cui’s research was limited to MFPs from HP. Like the earlier presentation, Cui’s attack leveraged the update capabilities of multifunction devices.

Ang Cui and Jonathan Voris demonstrate printer malware that forwards printed documents to a printer outside the corporate network.

Cui’s technique for infecting printers involves the more limited Printer Job Language (PJL), rather than PostScript, and injects code into processes running on the printer. The result is effectively a custom rootkit for the printer’s OS.

To get his code on a machine, he needed to reverse-engineer HP’s proprietary firmware update file format. This involved dumping memory images from the printer and using a disassembler on the extracted firmware to determine how to parse the update files. Cui has developed a tool, HPacker, that can take an infected firmware image and repackage it into the proper RFU format for updates. This tool can also analyze current memory dumps.
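Because both attacks ride in on an ordinary print job, one defensive check is to watch raw print traffic for PJL commands that load firmware or touch the device file system, which a document sent for printing never needs. The script below is an added example, not code from either 28c3 talk or from HP; the sample jobs are constructed, and the PJL command names it flags are taken from HP's PJL command set (the assumption here is that an update job announces itself with `UPGRADE`).

```python
"""Flag firmware-update and file-system PJL commands in a captured print job."""
import re

# Universal Exit Language sequence that opens and closes a PJL section.
UEL = b"\x1b%-12345X"
# A PJL line: "@PJL <COMMAND> <arguments>" (command words are upper-case).
PJL_LINE = re.compile(rb"@PJL\s+([A-Z]+)(.*)")
# Commands no normal document needs. Assumed set: UPGRADE carries firmware
# updates on HP devices, the FS* commands read or write the printer's storage.
SUSPICIOUS = {"UPGRADE", "FSDOWNLOAD", "FSUPLOAD", "FSDELETE", "FSAPPEND", "FSINIT"}


def pjl_commands(job: bytes):
    """Yield (command, arguments) for every @PJL line in a raw job."""
    for line in job.replace(UEL, b"\n").splitlines():
        m = PJL_LINE.match(line.strip())
        if m:
            yield m.group(1).decode(), m.group(2).decode(errors="replace").strip()


def audit_job(job: bytes) -> list:
    """Return the suspicious PJL commands found, in the order they appear."""
    return [f"{cmd} {args}".strip() for cmd, args in pjl_commands(job)
            if cmd in SUSPICIOUS]


# Constructed samples: a normal PostScript job and a job shaped like a
# firmware update (PJL header followed by an opaque binary payload).
BENIGN_JOB = (UEL + b"@PJL\r\n@PJL JOB NAME=\"report\"\r\n"
              b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS-Adobe-3.0\r\n"
              b"showpage\r\n" + UEL)
FIRMWARE_JOB = (UEL + b"@PJL\r\n@PJL UPGRADE SIZE=1234\r\n"
                + b"\x00\xff" * 8 + UEL)

if __name__ == "__main__":
    for name, job in (("benign", BENIGN_JOB), ("firmware", FIRMWARE_JOB)):
        print(name, audit_job(job) or "clean")
```

On a real deployment the same check would run over jobs captured from the raw printing port, and a hit on a device that no one is scheduled to update is worth an alert.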

Researcher Ang Cui uses a memory dumper to access the boot code and reverse-engineer the update file format.

The vulnerability was disclosed to HP, and updates for infected printers were released last week.