I mean...Black Hat DC.
This past Friday brought Black Hat DC to a close. While this year's agenda focused primarily on web applications, embedded, and wireless technology, as usual, the conference exposed exploits and vulnerabilities of all kinds. This year was no exception to the high standards of expert security training and talks by the brightest security minds, which Jeff Moss regularly puts together.
There were too many highlights (in my opinion) to refer to any of the presentations as true highlights, but there were some I found particularly fascinating.
RFID security guru Adam Laurie (AKA Major Malfunction) served his usual dose of mobile and wireless wonders with a new presentation on RFID hacking. No stranger to open source development... being a key developer of brother Ben's Apache-SSL... he discussed his open source project, an RFID reader. While covering much of the same content from his talk last year, he did show off his new Python-scripted RFIDIOt, and provided a cool demonstration for attendees. He was able to successfully sniff the content from an audience member's RFID-enabled credit card, revealing their name, account, and date of expiration (the card's, not the person's). While the financial security implications are evident, I still fear (although I am very impressed by) his ability to clone human-implanted RFID chips. It seems like all the kids today are abandoning belly button piercings and bicep tattoos for RFID chip implantations. I just can't keep up with all the trends.
Proofs of concept are always nice, and seeing the results of a brute force attack that required 10 years of clustered supercomputing is kind of fun, but when someone shows you how to crack a currently used encryption algorithm for the price of a 3GHz Xeon Quad Core, in just under the time it takes to watch two episodes of Hak.5... well, that's impressive. This is exactly what David Hulton and Steve Muller did to the A5/1 stream cipher. With some FPGAs, a frequency scanner, a rainbow table's worth of storage and the power of positive thinking, they presented the first cost-effective technique for GSM phone cracking. This has been attempted many times in the past; however, those attempts usually required hardware that was "over budget", or used methods forcing the phones' use of the cryptographic sissy of GSM algorithms... the A5/2 cipher. It will probably be a while before we can buy them at Radio Shack (yes, I still go there... where else can I go to get my TRS-80 serviced?). Leaving the discussion of IMSI analysis, Ki extraction, and Java Card SIMs to the experts (am I supposed to be one of those?), I will say that the details of their ingenuity are sure to appear on the net sometime soon. I'm looking forward to their work on A5/3 cracking, as my own research has proven that it's not just the sum of A5/1 and A5/2.
The last presentation I will mention in this blog is that of digital forensic image wizard Neal Krawetz. His talk, "A Picture's Worth: Digital Image Analysis", examines the sophisticated techniques behind image manipulation and digital analysis. Contrasting subtle elements of Osama Bin Laden video footage taken in 2004 and 2007, he explains the intricacies of digital video splicing, the importance of lighting, contrast, and camera angle, and the significance of overlaying audio. Interestingly, his comparison does not rely solely on high-end equipment. There were several observational differences noted by his well-trained eye. Noticing simple similarities and differences in clothing, appearance, and background provides important clues for evidence of tampering. I rest easier knowing that the likes of Krawetz are out there providing the checks and balances needed for all digital media content. While I was very impressed with one portion, where he discerns between interlaced and non-interlaced sources, he never goes on to say whether they were 1080i or 720p.
There were several other presentations that I would like to talk about, but I'm still bitter about those RF-data-intercepting guys from Dreamlab Technologies. Even though their work was well known prior to Black Hat, it just reminded me of another hack I wasn't the first to invent. I personally thought I was the only one working on sniffing the 27MHz range. Unfortunately, they are leagues ahead of me. I was calling mine the "KM sniffer" (as in KVM)... can I at least get credit for the name?
If you can figure out where my RFID chip is implanted, you can scan me at firstname.lastname@example.org