breaking and fixing volte exploiting hidden data channels
play

Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and - PowerPoint PPT Presentation

Oct 05, 2023 •30 likes •1.16k views

Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations Hongil Kim* , Dongkwan Kim* , Minhee Kwon, Hyeongseok Han, Yeongjin Jang, Taesoo Kim, Dongsu Han, Yongdae Kim 1 VoLTE = Voice over LTE 4G LTE: All-IP based

  1. Quick Summary of Our Finding  Four free data channels – Using VoLTE protocol (for all operators)  SIP tunneling  Media tunneling – Direct communication (for some operators)  Phone-to-Internet  Phone-to-Phone 13

  2. Quick Summary of Our Finding  Four free data channels – Using VoLTE protocol (for all operators)  SIP tunneling  Media tunneling – Direct communication (for some operators)  Phone-to-Internet  Phone-to-Phone  Five security issues – No encryption of voice packets – No authentication of signaling – No call session management (DoS on the cellular infrastructure) – IMS bypassing – Permission model mismatch (VoLTE call without “CALL_PHONE” permission) 13

  3. Quick Summary of Our Finding  Four free data channels – Using VoLTE protocol (for all operators)  SIP tunneling  Media tunneling – Direct communication (for some operators)  Phone-to-Internet  Phone-to-Phone  Five security issues – No encryption of voice packets – No authentication of signaling – No call session management (DoS on the cellular infrastructure) – IMS bypassing – Permission model mismatch (VoLTE call without “CALL_PHONE” permission) 13

  4. VoLTE Call Procedure SIP server Callee Caller *SIP: Session Initiation Protocol, *RTP: Real-time Transport Protocol 14

  5. VoLTE Call Procedure SIP server Callee Caller INVITE Header : phone # of caller/callee , … Body : IP addr , port no., … *SIP: Session Initiation Protocol, *RTP: Real-time Transport Protocol 14

  6. VoLTE Call Procedure SIP server Callee Caller INVITE Header : phone # of caller/callee , … Body : IP addr , port no., … … 200 OK *SIP: Session Initiation Protocol, *RTP: Real-time Transport Protocol 14

  7. VoLTE Call Procedure SIP server Callee Caller INVITE Header : phone # of caller/callee , … Body : IP addr , port no., … … 200 OK Voice Session (RTP payload = voice data) *SIP: Session Initiation Protocol, *RTP: Real-time Transport Protocol 14

  8. Free Channel: SIP Tunneling SIP server Callee Caller INVITE Header : phone # of caller/callee, injected data Body : IP addr, port no., injected data … 603 Decline Voice Session (RTP payload = voice data) *SIP: Session Initiation Protocol, *RTP: Real-time Transport Protocol 15

  9. Free Channel: Media Tunneling SIP server Callee Caller INVITE Header : phone # of caller/callee , … Body : IP addr , port no., … … 200 OK Voice Session (RTP payload = Injected data) *SIP: Session Initiation Protocol, *RTP: Real-time Transport Protocol 16

  10. Attack Implementation in Detail Caller Core Network Callee AP AP VoLTE Interface VoLTE Interface CP CP IMS 17

  11. Attack Implementation in Detail Caller Core Network Callee AP AP SIP Media Sender Sender VoLTE Interface VoLTE Interface CP CP IMS 17

  12. Attack Implementation in Detail Caller Core Network Callee AP AP SIP Media SIP Media Sender Sender Receiver Receiver VoLTE Interface VoLTE Interface CP CP IMS 17

  13. Attack Implementation in Detail Caller Core Network Callee AP AP SIP Media SIP Media Sender Sender Receiver Receiver VoLTE Interface VoLTE Interface CP CP SIP , RTP IMS 17

  14. Attack Implementation in Detail Caller Core Network Callee AP AP SIP Media SIP Media Sender Sender Receiver Receiver VoLTE Interface VoLTE Interface CP CP SIP , RTP SIP IMS 17

  15. Attack Implementation in Detail Caller Core Network Callee AP AP SIP Media SIP Media Sender Sender Receiver Receiver VoLTE Interface VoLTE Interface CP CP SIP , RTP SIP Audio Data IMS (60-100 bytes) 17

  16. Attack Implementation in Detail Caller Core Network Callee AP AP SIP Media SIP Media Sender Sender Receiver Receiver VoLTE Interface VoLTE Interface CP CP SIP , RTP SIP Audio Data IMS (60-100 bytes) DIAG Command 17

  17. Attack Implementation in Detail Caller Core Network Callee AP AP SIP Media SIP Media Sender Sender Receiver Receiver VoLTE Interface VoLTE DIAG CP CP SIP , RTP SIP RTP IMS DIAG Command 18

  18. Outline  Four free data channels – Using VoLTE protocol (for all operators)  SIP tunneling  Media tunneling – Direct communication (for some operators)  Phone-to-Internet  Phone-to-Phone  Five security issues – No encryption of voice packets – No authentication of signaling – No call session management (DoS on the cellular infrastructure) – IMS bypassing – Permission model mismatch (VoLTE call without “CALL_PHONE” permission) 19

  19. Free Channel: Direct communication  Phone-to-Internet – Open a TCP/UDP socket with voice IP – Send data to the Internet E.g. TCP/UDP Socket (Src: voice IP/port, Dst: youtube.com/port) Internet Default bearer for VoLTE 4G Gateway IMS 20

  20. Free Channel: Direct communication  Phone-to-Internet – Open a TCP/UDP socket with voice IP – Send data to the Internet E.g. TCP/UDP Socket (Src: voice IP/port, Dst: youtube.com/port) Internet Default bearer for VoLTE 4G Gateway IMS 20

  21. Free Channel: Direct communication  Phone-to-Phone – Open a TCP/UDP socket with voice IP – Send data to callee E.g. TCP/UDP Socket (Src: voice IP/port, Dst: c allee’s voice IP/port) Internet Default bearer for VoLTE 4G Gateway IMS

  22. Free Channel: Direct communication  Phone-to-Phone – Open a TCP/UDP socket with voice IP – Send data to callee E.g. TCP/UDP Socket (Src: voice IP/port, Dst: c allee’s voice IP/port) Internet Default bearer for VoLTE 4G Gateway IMS

  23. Evaluation Result: Accounting Bypass Free Channel US-1 US-2 KR-1 KR-2 KR-3 ✓ ✓ ✓ ✓ ✓ SIP Tunneling Using VoLTE Protocol ✓ ✓ ✓ ✓ ✓ Media Tunneling ✓ ✓ ✘ ✘ ✘ Phone to Phone Direct IPv4: ✓ Communication ✓ ✓ ✘ ✘ Phone to Internet IPv6: ✘ Last update: 20 th April, 2015 ✓ : vulnerable/not charged, x: secure 22

  24. Evaluation Result: Accounting Bypass Free Channel US-1 US-2 KR-1 KR-2 KR-3 ✓ ✓ ✓ ✓ ✓ SIP Tunneling Using VoLTE Protocol ✓ ✓ ✓ ✓ ✓ Media Tunneling ✓ ✓ ✘ ✘ ✘ Phone to Phone Direct IPv4: ✓ Communication ✓ ✓ ✘ ✘ Phone to Internet IPv6: ✘ Last update: 20 th April, 2015 ✓ : vulnerable/not charged, x: secure 22

  25. Evaluation Result: Accounting Bypass Free Channel US-1 US-2 KR-1 KR-2 KR-3 ✓ ✓ ✓ ✓ ✓ SIP Tunneling Using VoLTE Protocol ✓ ✓ ✓ ✓ ✓ Media Tunneling ✓ ✓ ✘ ✘ ✘ Phone to Phone Direct IPv4: ✓ Communication ✓ ✓ ✘ ✘ Phone to Internet IPv6: ✘ Last update: 20 th April, 2015 ✓ : vulnerable/not charged, x: secure 22

  26. Evaluation Result: Accounting Bypass Free Channel US-1 US-2 KR-1 KR-2 KR-3 ✓ ✓ ✓ ✓ ✓ SIP Tunneling Using VoLTE Protocol ✓ ✓ ✓ ✓ ✓ Media Tunneling ✓ ✓ ✘ ✘ ✘ Phone to Phone Direct IPv4: ✓ Communication ✓ ✓ ✘ ✘ Phone to Internet IPv6: ✘ Last update: 20 th April, 2015 ✓ : vulnerable/not charged, x: secure 23

  27. Evaluation Result: Accounting Bypass Free Channel US-1 US-2 KR-1 KR-2 KR-3 ✓ ✓ ✓ ✓ ✓ SIP Tunneling Using VoLTE Protocol ✓ ✓ ✓ ✓ ✓ Media Tunneling ✓ ✓ ✘ ✘ ✘ Phone to Phone Direct IPv4: ✓ Communication ✓ ✓ ✘ ✘ Phone to Internet IPv6: ✘ Last update: 20 th April, 2015 ✓ : vulnerable/not charged, x: secure 23

  28. Evaluation Result: Accounting Bypass Free Channel US-1 US-2 KR-1 KR-2 KR-3 ✓ ✓ ✓ ✓ ✓ SIP Tunneling Using VoLTE Protocol ✓ ✓ ✓ ✓ ✓ Media Tunneling ✓ ✓ ✘ ✘ ✘ 16.8 Mbps Phone to Phone Direct IPv4: ✓ Communication ✓ ✓ ✘ ✘ 21.5 Mbps Phone to Internet IPv6: ✘ Last update: 20 th April, 2015 ✓ : vulnerable/not charged, x: secure 24

  29. Evaluation Result: Accounting Bypass Free Channel US-1 US-2 KR-1 KR-2 KR-3 ✓ ✓ ✓ ✓ ✓ SIP Tunneling Using VoLTE Protocol ✓ ✓ ✓ ✓ ✓ Media Tunneling 42 Kbps ✓ ✓ ✘ ✘ ✘ 16.8 Mbps Phone to Phone Direct IPv4: ✓ Communication ✓ ✓ ✘ ✘ 21.5 Mbps Phone to Internet IPv6: ✘ Last update: 20 th April, 2015 ✓ : vulnerable/not charged, x: secure 24

  30. Evaluation Result: Accounting Bypass Free Channel US-1 US-2 KR-1 KR-2 KR-3 ✓ ✓ ✓ ✓ ✓ X SIP Tunneling Using VoLTE Protocol ✓ ✓ ✓ ✓ ✓ Media Tunneling 42 Kbps ✓ ✓ ✘ ✘ ✘ 16.8 Mbps Phone to Phone Direct IPv4: ✓ Communication ✓ ✓ ✘ ✘ 21.5 Mbps Phone to Internet IPv6: ✘ Last update: 20 th April, 2015 ✓ : vulnerable/not charged, x: secure 24

  31. Evaluation Result: Accounting Bypass Free Channel US-1 US-2 KR-1 KR-2 KR-3 ✓ ✓ ✓ ✓ ✓ X SIP Tunneling Using VoLTE Protocol ✓ ✓ ✓ ✓ ✓ Media Tunneling 42 Kbps ✓ ✓ ✘ ✘ ✘ 16.8 Mbps Phone to Phone Direct IPv4: ✓ Communication ✓ ✓ ✘ ✘ 21.5 Mbps Phone to Internet IPv6: ✘ Last update: 20 th April, 2015 ✓ : vulnerable/not charged, x: secure 24

  32. Outline  Four free data channels – Using VoLTE protocol (for all operators)  SIP tunneling  Media tunneling – Direct communication (for some operators)  Phone-to-Internet  Phone-to-Phone  Five security issues – No encryption of voice packets – No authentication of signaling – No call session management (DoS on the cellular infrastructure) – IMS bypassing – Permission model mismatch (VoLTE call without “CALL_PHONE” permission) 25

  33. No Encryption for Voice Packets  For voice signaling, – only one operator was using IPsec – An attacker can easily manipulate VoLTE call flow  For voice data, – no one encrypted voice data – An attacker might wiretap the outgoing voice data Weak Point Vulnerability US-1 US-2 KR-1 KR-2 KR-3 Possible Attack ✓ ✓ ✓ No SIP Encryption X Message manipulation IMS ✓ ✓ ✓ ✓ ✓ No Voice Data Encryption Wiretapping : Vulnerable : Secure 26

  34. No Authentication/Session Management  No authentication – Make a call with a fake number Weak Point Vulnerability US-1 US-2 KR-1 KR-2 KR-3 Possible Attack No Authentication X X O O X Caller Spoofing IMS No Session Management O O O X O Denial of Service on Core Network : Vulnerable : Secure 27

  35. No Authentication/Session Management  No authentication – Make a call with a fake number  No session management Weak Point Vulnerability US-1 US-2 KR-1 KR-2 KR-3 Possible Attack No Authentication X X O O X Caller Spoofing IMS No Session Management O O O X O Denial of Service on Core Network : Vulnerable : Secure 27

  36. No Authentication/Session Management  No authentication – Make a call with a fake number  No session management * In a normal call, one user can call to only one person Weak Point Vulnerability US-1 US-2 KR-1 KR-2 KR-3 Possible Attack No Authentication X X O O X Caller Spoofing IMS No Session Management O O O X O Denial of Service on Core Network : Vulnerable : Secure 27

  37. No Authentication/Session Management  No authentication – Make a call with a fake number  No session management * In a normal call, one user can call to only one person – Send multiple INVITE messages  Several call sessions are established  For each call session, high-cost bearer is established Weak Point Vulnerability US-1 US-2 KR-1 KR-2 KR-3 Possible Attack No Authentication X X O O X Caller Spoofing IMS No Session Management O O O X O Denial of Service on Core Network : Vulnerable : Secure 27

  38. No Authentication/Session Management  No authentication – Make a call with a fake number  No session management * In a normal call, one user can call to only one person – Send multiple INVITE messages  Several call sessions are established  For each call session, high-cost bearer is established – Even one sender can deplete resources of the core network Weak Point Vulnerability US-1 US-2 KR-1 KR-2 KR-3 Possible Attack No Authentication X X O O X Caller Spoofing IMS No Session Management O O O X O Denial of Service on Core Network : Vulnerable : Secure 27

  39. Caller Spoofing Scenario Caller Callee IMS 28

  40. Caller Spoofing Scenario Caller Callee INVITE IMS Header : phone # of caller/callee , … Body : IP addr , port no., … 28

  41. Caller Spoofing Scenario Attacker Caller Callee INVITE IMS Header : phone # of caller/callee , … Body : IP addr , port no., … 28

  42. Caller Spoofing Scenario Attacker Caller Callee INVITE INVITE IMS Header : phone # of caller/callee , … Header : phone # of caller/callee , … Body : IP addr, port no. , … Body : IP addr , port no., … 28

  43. 29

  44. IMS Bypassing  All voice packets should pass IMS, but 4G IMS Gateway Weak Point Vulnerability US-1 US-2 KR-1 KR-2 KR-3 Possible Attack 4G-GW IMS Bypassing O X O X X Caller Spoofing : Vulnerable : Secure 30

  45. IMS Bypassing  All voice packets should pass IMS, but 4G IMS Gateway Weak Point Vulnerability US-1 US-2 KR-1 KR-2 KR-3 Possible Attack 4G-GW IMS Bypassing O X O X X Caller Spoofing : Vulnerable : Secure 30

  46. IMS Bypassing  All voice packets should pass IMS, but 4G IMS Gateway Weak Point Vulnerability US-1 US-2 KR-1 KR-2 KR-3 Possible Attack 4G-GW IMS Bypassing O X O X X Caller Spoofing : Vulnerable : Secure 30

  47. IMS Bypassing  All voice packets should pass IMS, but  An attacker can bypass SIP servers in IMS – IMS vulnerabilities are also possible 4G IMS Gateway e.g. Make a call with a fake number Weak Point Vulnerability US-1 US-2 KR-1 KR-2 KR-3 Possible Attack 4G-GW IMS Bypassing O X O X X Caller Spoofing : Vulnerable : Secure 30

  48. Android Permission Model Mismatch  No distinction between a phone call and a normal data socket – In 3G, an app needs “ android.permission.CALL_PHONE ” – In VoLTE , we found that an app can call with “ android.permission.INTERNET ” Weak Point Vulnerability US-1 US-2 KR-1 KR-2 KR-3 Possible Attack Phone Permission Mismatch Vulnerable for all Android Denial of Service on Call, Overbilling 31

  49. Android Permission Model Mismatch  No distinction between a phone call and a normal data socket – In 3G, an app needs “ android.permission.CALL_PHONE ” – In VoLTE , we found that an app can call with “ android.permission.INTERNET ”  A malicious app only with Internet permission can perform – Denial of service attack on call – Overbilling attack by making an expensive video call Weak Point Vulnerability US-1 US-2 KR-1 KR-2 KR-3 Possible Attack Phone Permission Mismatch Vulnerable for all Android Denial of Service on Call, Overbilling 31

  50. Denial of Service on Call Scenario  Blocking an incoming call  Cutting off an ongoing call Victim Victim IMS IMS Attacker Attacker Caller Caller 32

  51. Denial of Service on Call Scenario  Blocking an incoming call  Cutting off an ongoing call Victim Victim IMS IMS Attacker Attacker Caller Caller 32

  52. Denial of Service on Call Scenario  Blocking an incoming call  Cutting off an ongoing call Victim Victim IMS IMS Block Attacker Attacker Caller Caller 32

  53. Denial of Service on Call Scenario  Blocking an incoming call  Cutting off an ongoing call Victim Victim IMS IMS Block Attacker Attacker Caller Caller 32

  54. Denial of Service on Call Scenario  Blocking an incoming call  Cutting off an ongoing call Victim Victim IMS IMS Block Cut-off Attacker Attacker Caller Caller 32

  55. 33

  56. 34

  57. Mitigation Point Vulnerability Mitigation Responsible Entity No Security Mechanisms Encrypt call signaling and voice data Operators IMS No Authentication Place proper authentication on voice packets IMS provider No Session Management Allow single call session per device 4G-GW Direct Communication Disallow direct communication Operators Permission Mismatch Create new permission for VoLTE interface Mobile OS (Android) Phone Place proper regulation on packet routing Mobile OS (Android) SIP/Media tunneling Apply deep packet inspection Operators 35

  58. Mitigation Point Vulnerability Mitigation Responsible Entity No Security Mechanisms Encrypt call signaling and voice data Operators IMS No Authentication Place proper authentication on voice packets IMS provider No Session Management Allow single call session per device 4G-GW Direct Communication Disallow direct communication Operators Permission Mismatch Create new permission for VoLTE interface Mobile OS (Android) Phone Place proper regulation on packet routing Mobile OS (Android) SIP/Media tunneling Apply deep packet inspection Operators How to resolve media tunneling? 35

  59. Mitigation Point Vulnerability Mitigation Responsible Entity No Security Mechanisms Encrypt call signaling and voice data Operators IMS No Authentication Place proper authentication on voice packets IMS provider No Session Management Allow single call session per device 4G-GW Direct Communication Disallow direct communication Operators Permission Mismatch Create new permission for VoLTE interface Mobile OS (Android) Phone Place proper regulation on packet routing Mobile OS (Android) SIP/Media tunneling Apply deep packet inspection Operators Not easy! Maybe byte-usage accounting? How to resolve media tunneling? 35

  60. Discussion  Some parts of 3GPP specifications are unclear – Several misunderstandings of the operators – Different implementations and security problems – Security features are only recommendations, not requirement  We reported vulnerabilities to US/KR CERTs, and Google in May – Google replied “moderate severity” – All two U.S. operators ACK’ed , but no follow-ups – Only two among three KR operators have been fixing with us 36

  61. Conclusion  Newly adopted VoLTE has – A complex (legacy time-based) accounting – Delegated voice signal (previously done by CP) to AP 37

  62. Conclusion  Newly adopted VoLTE has – A complex (legacy time-based) accounting – Delegated voice signal (previously done by CP) to AP  We analyzed the security of VoLTE for 5 operators, and found – Four free data channels – Five security problems 37

  63. Conclusion  Newly adopted VoLTE has – A complex (legacy time-based) accounting – Delegated voice signal (previously done by CP) to AP  We analyzed the security of VoLTE for 5 operators, and found – Four free data channels – Five security problems  All related parties have problems – 3GPP, telcos, IMS providers, mobile OSes, and device vendors 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Agenda VoLTE Overview Why VoLTE Why VoLTE Initial Questions Discussion Page 2

Agenda VoLTE Overview Why VoLTE Why VoLTE Initial Questions Discussion Page 2

Wireless dj vu Jason S. Chao, Ernst & Young LLP Panel: Implications for Valuation: Part 1 TFI Asset Valuation Conference and Seminar 2013 January 24, 2013 Agenda VoLTE Overview Why VoLTE Why VoLTE Initial Questions

177 views • 3 slides
Breaking and Fixing Public-Key Kerberos Iliano Cervesato - Tulane University (Joint work with

Breaking and Fixing Public-Key Kerberos Iliano Cervesato - Tulane University (Joint work with

Breaking and Fixing Public-Key Kerberos Iliano Cervesato - Tulane University (Joint work with A. D. Jaggard, A. Scedrov, J.-K. Tsay, and C. Walstad) Partially supported by ONR and NSF Information and Software Engineering Department 30

278 views • 26 slides
Cure My FEVER: Building, Breaking, and Fixing Models for Fact-Checking Christopher Hidey Tuhin

Cure My FEVER: Building, Breaking, and Fixing Models for Fact-Checking Christopher Hidey Tuhin

Cure My FEVER: Building, Breaking, and Fixing Models for Fact-Checking Christopher Hidey Tuhin Chakrabarty Tariq Alhindi Siddharth Varia Kriste Krstovski Mona Diab Smaranda Muresan Automated Fact-checking and Related Tasks Source

382 views • 36 slides
Breaking and Fixing IoT Apps Andrei Sabelfeld Joint work with Iulia Bastys and Musard Balliu

Breaking and Fixing IoT Apps Andrei Sabelfeld Joint work with Iulia Bastys and Musard Balliu

Breaking and Fixing IoT Apps Andrei Sabelfeld Joint work with Iulia Bastys and Musard Balliu Appeared in CCS18 Web of Things Internet of Things (IoT) Incompatible standards, platforms, technologies World Wide Web Consortium (W3C)

661 views • 48 slides
Exploiting Hidden Layer Modular Redundancy for Fault-Tolerance in Neural Network Accelerators

Exploiting Hidden Layer Modular Redundancy for Fault-Tolerance in Neural Network Accelerators

Exploiting Hidden Layer Modular Redundancy for Fault-Tolerance in Neural Network Accelerators Schuyler Eldridge Ajay Joshi Department of Electrical and Computer Engineering, Boston University schuye@bu.edu January 30, 2015 This work was

679 views • 19 slides
Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia

Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia

Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia DAntoine REcon 2015 The Cloud 06/19/2015 Exploiting Out-of-Order-Execution 2/46 Cloud Computing (IaaS) Virtual instances Hypervisors

491 views • 46 slides
Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni

Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni

Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni Camurati, Sebastian Poeplau, Marius Muench, Tom Hayes, Aurlien Francillon Whats this all about? - A nov novel attack ex exploiting g EM side

886 views • 77 slides
From bottom to top: Exploiting hardware side channels in web browsers Cl ementine Maurice,

From bottom to top: Exploiting hardware side channels in web browsers Cl ementine Maurice,

From bottom to top: Exploiting hardware side channels in web browsers Cl ementine Maurice, Graz University of Technology July 4, 2017RMLL, Saint- Etienne, France Rennes Graz Cl ementine Maurice now postdoc at TU Graz, Austria PhD

2.37k views • 178 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de |

EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de |

EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de | https://www.efail.de 1 Mnster University of Applied Sciences Damian Poddebniak 1 , Christian Dresen 1 , Jens Mller 2 , Fabian Ising 1 , 2 Ruhr

675 views • 41 slides
Breaking Samsung's Root of Trust: Exploiting Samsung S10 S-Boot Jeffxx #BHUSA @BLACKHATEVENTS

Breaking Samsung's Root of Trust: Exploiting Samsung S10 S-Boot Jeffxx #BHUSA @BLACKHATEVENTS

Breaking Samsung's Root of Trust: Exploiting Samsung S10 S-Boot Jeffxx #BHUSA @BLACKHATEVENTS Jeff Chao (Jeffxx) Researcher at TrapaSecurity Ex-senior Researcher at TeamT5 Member of HITCON CTF Team Member of Chroot Focus on

1.05k views • 77 slides
Breaking Samsung's Root of Trust: Exploiting Samsung S10 S-Boot Jeffxx #BHUSA @BLACKHATEVENTS

Breaking Samsung's Root of Trust: Exploiting Samsung S10 S-Boot Jeffxx #BHUSA @BLACKHATEVENTS

Breaking Samsung's Root of Trust: Exploiting Samsung S10 S-Boot Jeffxx #BHUSA @BLACKHATEVENTS Jeff Chao (Jeffxx) Researcher at TrapaSecurity Ex-senior Researcher at TeamT5 Member of HITCON CTF Team Member of Chroot Focus on

1.35k views • 75 slides
How to Make it Stick! With Therese Skelly You may be fixing the wrong

How to Make it Stick! With Therese Skelly You may be fixing the wrong

How to Make it Stick! With Therese Skelly You may be fixing the wrong thing This work isnt sexy. But its necessary! This is where the problem really lies You have hidden

544 views • 23 slides
Patient Engagement, Your Revenue Model, and Practice Fragility Assessing and fixing your

Patient Engagement, Your Revenue Model, and Practice Fragility Assessing and fixing your

Patient Engagement, Your Revenue Model, and Practice Fragility Assessing and fixing your practices hidden vulnerability for the COVID Era If you havent already, register at VirtualPractices.org Inoculate your patient and

330 views • 22 slides
Breaking Band reverse engineering and exploiting the shannon baseband Nico Golde

Breaking Band reverse engineering and exploiting the shannon baseband Nico Golde

Breaking Band reverse engineering and exploiting the shannon baseband Nico Golde <nico@comsecuris.com> @iamnion Daniel Komaromy <daniel@comsecuris.com> @kutyacica Motivation All your baseband Reverse engineering a Baseband

585 views • 55 slides
Fixing healthcare data exchange with decentralized FOSS Protect your API's with a decentralized

Fixing healthcare data exchange with decentralized FOSS Protect your API's with a decentralized

Fixing healthcare data exchange with decentralized FOSS Protect your API's with a decentralized trust layer Steven van der Vegt Open standard to enable safe and correct exchange of healthcare data. Goal Create a (inter)national network of

708 views • 35 slides
Decimeter-Level Localization with a Single WiFi Access Point Deepak Vasisht Swarun Kumar, Dina

Decimeter-Level Localization with a Single WiFi Access Point Deepak Vasisht Swarun Kumar, Dina

Decimeter-Level Localization with a Single WiFi Access Point Deepak Vasisht Swarun Kumar, Dina Katabi Indoor Localization is Cool! SpotFi [SIGCOMM 15], ToneTrack [Mobicom 15], Phaser [Mobicom 14], Tagoram [Mobicom 14], LTEye

720 views • 52 slides
Webinar: Complying with Form AP Rules Jennifer Rand, Deputy Chief Auditor, OCA Lisa Calandriello,

Webinar: Complying with Form AP Rules Jennifer Rand, Deputy Chief Auditor, OCA Lisa Calandriello,

Webinar: Complying with Form AP Rules Jennifer Rand, Deputy Chief Auditor, OCA Lisa Calandriello, Associate Chief Auditor, OCA Caveat The views we express today are our own and do not necessarily reflect the views of the Board, individual Board

683 views • 47 slides
Wi-Fi Goes to Town : Rapid Picocell Switching for Wireless Transit Networks Speaker: Zhenyu Song

Wi-Fi Goes to Town : Rapid Picocell Switching for Wireless Transit Networks Speaker: Zhenyu Song

Wi-Fi Goes to Town : Rapid Picocell Switching for Wireless Transit Networks Speaker: Zhenyu Song Zhenyu Song, Longfei Shangguan, Kyle Jamieson {zhenyus, longfeis, kylej}@cs.princeton.edu This work is supported by the NSF grant No. 1617161 and

468 views • 32 slides
Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens,

Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens,

Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens, iMinds-DistriNet, KU Leuven USENIX Security 2016 Security of Wi-Fi group keys? Protect broadcast and multicast Wi-Fi frames: All clients share a

564 views • 29 slides
IEEE 802.1ap MIB Glenn Parsons gparsons@nortel.com September 2006 1 Draft 0.0 for 802.1ap

IEEE 802.1ap MIB Glenn Parsons gparsons@nortel.com September 2006 1 Draft 0.0 for 802.1ap

IEEE 802.1ap MIB Glenn Parsons gparsons@nortel.com September 2006 1 Draft 0.0 for 802.1ap > http://www.ieee802.org/1/files/private/ap-drafts/d0/802- 1ap-d0-0.pdf > Proposal by David Levi > Draft contains Front matter

54 views • 3 slides
Design for simple application profiles Tom Baker and Karen Coyle Dublin Core Metadata Initiative

Design for simple application profiles Tom Baker and Karen Coyle Dublin Core Metadata Initiative

Design for simple application profiles Tom Baker and Karen Coyle Dublin Core Metadata Initiative DCMI Application Profiles Application Profiles (1999): how metadata terms from different vocabularies are combined and constrained in

314 views • 29 slides
Spotlight on Transparency: Secondary Market Disclosure Hot Topics June 16, 2020 SEC Rule 15c2-12

Spotlight on Transparency: Secondary Market Disclosure Hot Topics June 16, 2020 SEC Rule 15c2-12

Spotlight on Transparency: Secondary Market Disclosure Hot Topics June 16, 2020 SEC Rule 15c2-12 Continuing Disclosures Since February 2019, there have been a total of 63,454 event-based continuing disclosures filed with the MSRB Bond

112 views • 7 slides
PALINDROMES IN PURE MORPHIC WORDS Michelangelo Bucci with Elise Vaslet a ab b

PALINDROMES IN PURE MORPHIC WORDS Michelangelo Bucci with Elise Vaslet a ab b

PALINDROMES IN PURE MORPHIC WORDS Michelangelo Bucci with Elise Vaslet a ab b a a ab aba abaab abaababa ... abaababaabaababaababaaba... beeblebrox ~ =xorbelbeeb Pal = {w | w ~ = w} Pal(w) = { v Fact(w) s.

771 views • 49 slides

More recommend