DEF CON China 1.0 Hacking Conference

Attacks you can't combat: vulnerabilities of most robust mobile operators

Sergey Puzankov Telecom Security Expert, Positive Technologies

The mobile world is moving to 5G. However, there are billions of subscribers who still use old 2G and 3G networks. These networks rely on the SS7 (Signaling System #7) protocol stack that was developed in the 1970s. The SS7 stack was supposed to be used as an isolated network within a small club of large telephone operators, so nobody thought about upper-layer security mechanisms. Further development of SS7 brought the possibility of sending signaling traffic over IP networks. Thus, the SS7 stack got vulnerabilities “by-design” that allow an external intruder to perform such attacks as location tracking, service disruption, SMS and voice call interception. Mobile operators, equipment vendors, and non-commercial organizations (such as the GSMA - the association of mobile operators) are aware of the problem. They develop and implement security solutions mitigating threats from SS7 networks.

Our recent research shows that SS7 has vulnerabilities that allow bypassing any protection tools. Manipulation of parameters on different layers of an SS7 message may help an intruder to cheat a security tool and achieve the goal even with subscribers served by a well-protected network. The research findings were reported to the GSMA Coordinated Vulnerability Disclosure Programme and FASG (Fraud and Security Group). The report was used for a security recommendations update.

In this presentation, I will demonstrate how an intruder can use new SS7 vulnerabilities to bypass security tools. I will explain why it is possible and how network equipment reacts to malicious traffic. In addition, I will give recommendations to operators on how to make their networks more secure.

Sergey was born in 1976. He graduated from Penza State University with a degree in automated data processing and management systems in 1998. Before joining Positive Technologies in 2012, he worked as a quality engineer at VimpelCom. Being a security expert in telecommunication systems at Positive Technologies, he researches signaling network security and participates in audits for mobile operators around the world.

Sergey is also the general developer of the PT Telecom Vulnerability Scanner tool, member of the PT Telecom Attack Discovery development team, writes Positive Technologies annual reports on telecom security.

He is part of the team that revealed vulnerable points in popular two-factor authentication schemes using texts and demonstrated how easy it is to compromise Facebook, WhatsApp, Telegram accounts, and a Bitcoin wallet. Apart from that, Sergey actively contributes the results of security research and discovered vulnerabilities to global organizations, such as GSMA and ITU.

Twitter: xigins

Derevolutionizing OS Fingerprinting: The Cat and Mouse Game

Jaime Sanchez Global Security Research Lead, Telefónica

With the explosive growth and distributed nature of computer networks, it has become progressively more difficult to manage, secure, and identify Internet devices. An outsider has the capability to discover general information, such as which operating system a host is running, by searching for default stack parameters, ambiguities in IETF RFCs or non-compliant TCP/IP implementations in responses to malformed requests. By pinpointing the exact OS of a host, an attacker can launch an educated and precise attack against a target machine.

There are lot of reasons to hide your OS to the entire world:

• Revealing your OS makes things easier to find and successfully run an exploit against any of your devices.
• Having and unpatched or antique OS version is not very convenient for your company prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, these kind of 'bad' news are always sent to the public opinion.
• Knowing your OS can also become more dangerous, because people can guess which applications are you running in that OS (data inference). For example if your system is a MS Windows, and you are running a database, it's highly likely that you are running MS-SQL.
• It could be convenient for other software companies, to offer you a new OS environment (because they know which you are running).
• And finally, privacy; nobody needs to know the systems you've got running.

This talk aims to present well-known methods that perform classification using application-layer traffic (TCP/IP/UDP headers, ICMP packets, or some combination thereof), old style approaches to defeat remote OS fingerprinting (like tweaking Windows registry or implement patches to the Linux kernel) and why this doesn't work with nowadays and could affect TCP/IP stack performance. We'll also present a new approach to detect and defeat both active/passive OS fingerprint with OSfooler-NG, a completely rewritten tool, highly portable, completely undetectable for the attackers and capable of detecting and defeating famous tools like nmap, p0f, Xprobe, pfsense and many commercial engines.

Sorry guys, OS fingerprinting is over...

Jaime Sánchez (aka @segofensiva) has worked for over 20 years as a specialist advisor for large national and international companies, focusing on different aspects of security such as consulting, auditing, training, and ethical hacking techniques. He holds a Computer Engineering degree and an Executive MBA. In addition, he holds several certifications, like CISA , CISM , CISSP , just to name a few, and a NATO SECRET security clearance, as a result of his role as advisory of many law enforcement organizations, banks and large companies in Europe and Spain.

He has spoken in renowned security conferences nationally and internationally, as in RootedCON , Nuit du Hack , Black Hat , Defcon , DerbyCON , NocOnName , Deepsec , Shmoocon or Cyber Defence Symposium , among others. As a result of his researches, he has notified security findings and vulnerabilities to top companies and vendors, like Banco Popular, WhatsApp, Snapchat, Microsoft, Apple etc.

He is a frequent contributor on TV (TVE, Cuatro, LaSexta, Telecinco), press (El Pais, El Mundo, LA Times, NBC News) and radio programs, and writes a blog called 'SeguridadOfensiva'

Twitter: @segofensiva
Website: https://www.seguridadofensiva.com
Tools: https://github.com/segofensiva

VoIPShark: Open Source VoIP Analysis Platform

Nishant Sharma R&D Manager, Pentester Academy

Jeswin Mathai Security Researcher, Pentester Academy

Ashish Bhangale Senior Security Researcher, Pentester Academy

Leveraging the packet switched network for making phone calls or VoIP has come a long way now. Today, it has already replaced conventional circuit switching based telephones from the large organizations and now moving to capture the non-commercial users. In this talk, we will focus on the traffic analysis based security analysis of SIP and RTP protocols which are one of the most popular protocols for VoIP. These protocols are already gaining new adopters on high rate and also replacing older protocols like H323.

We will discuss VoIPShark open source VoIP Analysis Platform which will allow people to analyze live or stored VoIP traffic, easily decrypt encrypted SRTP stream, perform macro analysis, generate summary specific to VoIP traffic/nodes and export calls/SMS/DTMF in popular user friendly file formats. We will also be releasing VoIPShark collection of Wireshark plugins written in Lua under GPL. VoIPShark is plug-n-play, easy to modify/extend and platform independent in nature. We will also discuss the currently available open source tools for SRTP decryption, their shortcomings and how VoIPShark address those.

Nishant Sharma is a R&D Manager at Pentester Academy and Attack Defense. He is also the Architect at Hacker Arsenal where he leads the development of multiple gadgets for WiFi pentesting such as WiMonitor, WiNX and WiMini. He also handles technical content creation and moderation for Pentester Academy TV. He has 6+ years of experience in information security field including 4+ years in WiFi security research and development. He has presented/published his work at Blackhat USA/Asia, Wireless Village, IoT village and Demo labs (DEFCON). Prior to joining Pentester Academy, he worked as a firmware developer at Mojo Networks where he contributed in developing new features for the enterprise-grade WiFi APs and maintaining the state of art WiFi Intrusion Prevention System (WIPS). He has a Master's degree in Information Security from IIIT Delhi. He has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, Forensics and Cryptography.

LinkedIn: https://www.linkedin.com/in/wifisecguy/
Twitter: @wifisecguy
Facebook: https://www.facebook.com/wifisecguy

Ashish Bhangale is a Senior Security Researcher at Pentester Academy and Attack Defense. He has 6+ years of experience in Network and Web Application Security. He has also worked with the state law enforcement agencies in the capacity of a Digital Forensics Investigator and was instrumental in solving IT fraud/crime cases. He was responsible for developing and testing the Chigula (WiFi Forensics Framework) and Chellam (First pure WiFi Firewall) frameworks. He has also created and managed multiple projects like Vulnerable Web Application OSes, Vulnerable Router Project and Damn Vulnerable Wordpress. He has presented/published his work at Blackhat, Wireless Village, IoT village and Demo labs (DEFCON). His areas of interest include Forensics, WiFi and AD security.

Jeswin Mathai is a Researcher at Pentester Academy and Attack Defense. He has published his work at Blackhat Arsenal and Demo labs (DEFCON). He has a Bachelor's degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar in association with CDAC and ISEA, which performed security auditing of government portals, conducted awareness workshops for government institutions. He was also the part of team Pied Piper who won Smart India Hackathon 2017, a national level competition organized by GoI. His area of interest includes Malware Analysis and Reverse Engineering, Cryptography, WiFi security and Web Application Security.

LinkedIn: https://www.linkedin.com/in/jeswinmathai/
Twitter: @jeswinMathai
Facebook: https://www.facebook.com/jeswinMathai

Tag-side attacks against NFC

Christopher Wade

This talk covers tag-side attacks against NFC communication protocols, including cracking of Mifare encryption keys and performing targeted attacks against NFC readers. In addition, it will cover the design and creation of devices capable of emulating NFC tags down to the raw protocol using standard components and tools, with no abstraction to dedicated hardware, covering and expanding on the capabilities of available products. This talk will contain how 13.56MHz NFC works at a raw level, how tools can be built for analysing it, how the protocol can be implemented in full on standard Microcontrollers, and the security weaknesses present in its design.

Chris is a seasoned security researcher and testing consultant. His main focuses are in reverse engineering hardware, fingerprinting USB vulnerabilities and playing with Software Defined Radios, with his key strength lying in firmware analysis, which he utilises as part of the hardware testing team at Pen Test Partners.

https://github.com/Iskuri
@Iskuri1 on Twitter

How to perform security analysis on IoT equipment through building a base station system

XiaoHuiHui Senior Security Researcher, Baidu,Inc.

Every year billions more smart devices, like those in vending machines\automobile central controls\shared bicycles\smart watches, are connecting to the network using 2/3/4G technology. On one hand, we need to obtain the data of connections between devices and cloud to analyze and find the vulnerabilities. On the other hand, as latest devices do not have as many direct break-in points to exploit, sniffing and man-in-the-middle into 2/3/4G traffic seem to be the trending and effective attacks, which may cause serious security issues such as leaking confidential information and remote command execution etc.

In this talk, we will first show how to build a test GSM base station system under legal premise, and then introduce a new method (inspired from learnings on malicious BTS practices in China) which make the mobile devices connected to the test base station system automatically. Using this method, we can sniff and run MITM attack easily. This affects all kinds of devices using 2/3/4G. We will demonstrate 4 examples, which use this method to find the vulnerability and take control of the devices. At the end, we will present how to build a 4G LTE test base station to perform the fast and stable testing on mobile devices.

Shupeng is a member of Baidu Security Lab. He is an expert on IoT security, AI security, penetration testing, etc. He was invited to talk on multiple security conferences, and successfully pwned IOT equipments on XPwn 2016/2017/2018, GeekPwn May/October 2017, the biggest pwn competitions in China.

From Ancient to Modern: Diagnosing Root Cause of Software Vulnerabilities from unexpected Crashes

Xinyu Xing Assistant Professor, Penn State University. Research Scientist, JD.com

Jimmy Su Head of security center, JD.com Silicon Valley

Despite the best efforts of developers, software inevitably contains flaws that may be leveraged as security vulnerabilities. Modern operating systems integrate various security mechanisms to prevent software faults from being exploited. To bypass these defenses and hijack program execution, an attacker therefore needs to constantly mutate an exploit and make many attempts. While in their attempts, the exploit triggers a security vulnerability and makes the running process terminate abnormally.

After a program has crashed and terminated abnormally, it typically leaves behind a snapshot of its crashing state in the form of a core dump. While a core dump carries a large amount of information, which has long been used for software debugging, it barely serves as informative debugging aids in locating software faults, particularly memory corruption vulnerabilities. As such, previous research mainly seeks full reproducible execution tracing to identify software vulnerabilities in crashes. However, such techniques are usually impractical for complex programs. Even for simple programs, overhead of full tracing may only be acceptable at the time of in-house testing.

In this talk, we will introduce a reverse execution technique, which takes as input a core dump, reversely executes the corresponding crashing program and automatically pinpoints the root cause of the vulnerable site hidden behind the crash. In the process of performing reverse execution, our technique typically encounters uncertainty (e.g., uncertain control or data flow) which significantly influence the capability of identifying vulnerabilities. To tackle this problem, we augment the technique with deep recurrent neural network, which poses reverse execution with the ability to perfectly infer the control and data flow leading up to the program crash. To demonstrate the utility of this technique, we have already used it to analyze hundreds of crashes pertaining to more than 300 CVEs, and successfully pinpoint the vulnerable site corresponding to each crash. Along with this talk, we will release the tool developed under our technique and make it publicly available.

Dr. Xinyu Xing is an Assistant Professor at the Pennsylvania State University, and currently working at JD Inc. as a visiting researcher. His research interest includes exploring, designing and developing tools to automate vulnerability discovery, failure reproduction, vulnerability diagnosis (and triage), exploit and security patch generation. He was the speaker at BlackHat USA, BlackHat Europe and many academic conferences (e.g., USENIX Security and CSS). He has also received best paper awards from academic conferences such as CCS and ACSAC. His works have been featured by many mainstream media, such as Technology Review, New Scientists and NYTimes etc. He was also the organizer of NSA memory corruption forensics competition. xingxinyu1983 (wechat) http://xinyuxing.org (personal site)

Dr. Jimmy Su leads the JD security research center in Silicon Valley. He joined JD in January 2017. Before joining JD, he was the director of advanced threat research at FireEye Labs. He led the research and development of multiple world leading security products at FireEye, including network security, email security, mobile security, fraud detection, and end-point security. He led a global team including members from the United States, Pakistan, and Singapore from research to product releases on the FireEye's first machine learning based malware similarity analysis Cloud platform. This key technology advance was released on all core FireEye products including network security, email security, and mobile security. He won the Q2 2016 FireEye innovation award for his seminal work on similarity analysis. He earned his PhD degree in Computer Science at the University of California, Berkeley in 2010. After his graduation, he joined Professor Dawn Song's team as a post doc focusing on similarity analysis of x86 and Android applications. In 2011, he joined Professor Song in the mobile security startup Ensighta, leading the research and development of the automatic malware analysis platform. Ensighta was acquired by FireEye in December of 2012. He joined FireEye through the acquisition. JD security research center in Silicon Valley focuses on these seven areas: account security, APT detection, bot detection, data security, AI applications in security, Big Data applications in security, and IoT security.