Wednesday, July 24, 2013

WASP: The Linux-powered flying spy drone that cracks Wi-Fi & GSM networks

The Black Hat Security Conference and DEFCON bring together the world’s professional hackers, security researchers, government representatives, journalists, and just about anyone who thinks of themselves as a hacker. They listen to talks about security, show off the latest novel hacks, and generally share information about the state of computer security.
Every year there’s a highlight to the conferences, and this year it looks like that highlight may be a flying drone, or unmanned aerial vehicle (UAV). This drone is called the Wireless Aerial Surveillance Platform, or WASP. It’s an ex-U.S. Army spy drone measuring over 6 feet in length and wingspan that has been modified to make it more useful for hackers in our built-up, communication-heavy urban environments.
If you happen to see this yellow drone flying above your neighborhood you’d be right to be concerned. WASP carries the tools to crack Wi-Fi network passwords: an on-board VIA EPIA Pico-ITX PC running BackTrack Linux, with 32GB of storage to record captured information. BackTrack offers a full suite of digital forensics and penetration testing tools, making it a good fit for this setup.
WASP can also act as a GSM base station, meaning it is able to eavesdrop on calls and text messages made over that network by any phone that connects through it.
While such a drone may violate a few flying laws, it doesn’t break any FCC regulations as it uses the ham radio frequency band or a 3G connection for communication. As to the reason for building it, creators Mike Tassey and Richard Perkins just wanted to prove there is a vulnerability that can easily be taken advantage of with a UAV such as this.
WASP is an open source platform using Arduino that Tassey will discuss how to build at DEFCON-19 next week. It was originally unveiled last August with the following video giving you a close-up view and interview with the creators:
The main developments since last year seem to be the open-sourcing of the design rather than just relying on the ex-Army drone, and the GSM compatibility being added, which they were really eager to get working last August.
Apart from a manual takeoff and landing, WASP can be preloaded with GPS co-ordinates and then fly a course using its on-board electric motor. You could put this drone in the air and have it return some time later with 32GB of fresh data to look through, or monitor it from a base station and switch to loiter mode if you find an interesting area. The on-board HD camera also means it’s easy to capture video footage of an area, or a test flight like this:
The main take-away from the WASP project is that this is just two guys building a UAV in their spare time that can easily collect data from Wi-Fi and GSM networks with little input from the operator. There are even instructions available to create your own. That makes it more than worthy of a talk at DEFCON, but also worth the time of network operators to see how they could counteract such a system from ever being used successfully.

Apple blames developer centre outage on 'intruder'



Since 18 July, registered Apple developers trying to download OS X 10.9, iOS 7, or any other Apple software from the company's developer portal have been greeted with a notice that the site was down for "maintenance." On 22 July, the company issued a brief statement blaming the extended outage on an "intruder," and that Apple "[has] not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed."


The notice says that "sensitive" information could not be accessed by the intruder because it was encrypted, and the company told MacWorld that the system in question is not used to store "customer information," application code, or data stored by applications. Anecdotal reports (including one from our own Jacqui Cheng) point to a sudden spike in password reset requests for some Apple IDs, suggesting that email addresses have in fact been accessed and distributed but that passwords were not. In any case, we generally recommend that users change their passwords when any breach (or suspected breach) like this occurs.
"In order to prevent a security threat like this from happening again, we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database," the statement said. Apple has also given week-long extensions to any developers whose program subscriptions were scheduled to lapse during the outage, which will keep those developers' applications from being delisted in Apple's various App Stores.
This story originally appeared on Ars Technica

Your SIM card might be vulnerable to hacking


SIM cards are the common chips we use to connect to our service providers. The card holds protected information: it carries the mobile identity of the subscriber, associates the device with a phone number, and increasingly stores payment credentials, for example in NFC-enabled phones with mobile wallets.
With over seven billion cards in active use, SIMs may well be the most widely used security token in the world. 
Most people have seen their SIM card menus update themselves; this is done through a technology called over-the-air (OTA) updates. The updates are delivered via SMS, and the cards are even extensible through custom Java software. While this extensibility is rarely used so far, its existence already poses a critical hacking risk.
According to an article written by Karsten Nohl of Security Research Labs in Berlin:
Cracking SIM update keys. OTA commands, such as software updates, are cryptographically-secured SMS messages, which are delivered directly to the SIM. While the option exists to use state-of-the-art AES or the somewhat outdated 3DES algorithm for OTA, many (if not most) SIM cards still rely on the 70s-era DES cipher. DES keys were shown to be crackable within days using FPGA clusters, but they can also be recovered much faster by leveraging rainbow tables similar to those that made GSM’s A5/1 cipher breakable by anyone.
To derive a DES OTA key, an attacker starts by sending a binary SMS to a target device. The SIM does not execute the improperly signed OTA command, but does in many cases respond to the attacker with an error code carrying a cryptographic signature, once again sent over binary SMS. A rainbow table resolves this plaintext-signature tuple to a 56-bit DES key within two minutes on a standard computer.
Deploying SIM malware. The cracked DES key enables an attacker to send properly signed binary SMS, which download Java applets onto the SIM. Applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. These capabilities alone provide plenty of potential for abuse.
In principle, the Java virtual machine should assure that each Java applet only accesses the predefined interfaces. The Java sandbox implementations of at least two major SIM card vendors, however, are not secure: A Java applet can break out of its realm and access the rest of the card. This allows for remote cloning of possibly millions of SIM cards including their mobile identity (IMSI, Ki) as well as payment credentials stored on the card.
Defenses. The risk of remote SIM exploitation can be mitigated on three layers:
  1. Better SIM cards. Cards need to use state-of-art cryptography with sufficiently long keys, should not disclose signed plaintexts to attackers, and must implement secure Java virtual machines. While some cards already come close to this objective, the years needed to replace vulnerable legacy cards warrant supplementary defenses.
  2. Handset SMS firewall. One additional protection layer could be anchored in handsets: Each user should be allowed to decide which sources of binary SMS to trust and which others to discard. An SMS firewall on the phone would also address other abuse scenarios including “silent SMS.”
  3. In-network SMS filtering. Remote attackers rely on mobile networks to deliver binary SMS to and from victim phones. Such SMS should only be allowed from a few known sources, but most networks have not implemented such filtering yet. “Home routing” is furthermore needed to increase the protection coverage to customers when roaming. This would also provide long-requested protection from remote tracking.
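Defenses 2 and 3 above both come down to the same decision: a binary SMS addressed to the SIM should only be delivered if it comes from a known OTA source, and "silent" type 0 messages should not be accepted from arbitrary senders. The following is an added example (not code from the article or from Security Research Labs) of that decision logic in Python: a minimal parser for the SMS-DELIVER TPDU header fields that matter (sender, TP-PID, TP-DCS, user-data header), followed by a firewall policy that could run either on a handset or in the operator's SMS centre. Field layouts follow 3GPP TS 23.040; the sample PDUs, the sender numbers and the allow-listed OTA short code are constructed for this example.

```python
# Added example: SMS firewall for SIM-bound binary SMS (not the article's or SRLabs' code).
# Header layout per 3GPP TS 23.040; sample PDUs, numbers and allow-list are constructed.
from dataclasses import dataclass, field

PID_TYPE0 = 0x40          # TP-PID "Short Message Type 0" (the "silent SMS")
PID_SIM_DOWNLOAD = 0x7F   # TP-PID "SIM data download"
IEI_OTA_COMMAND = 0x70    # UDH information element: secured OTA command packet
IEI_OTA_RESPONSE = 0x71   # UDH information element: secured OTA response packet

# Constructed: the operator's own OTA server short code (the only trusted binary-SMS source).
OTA_ALLOWLIST = {"12345"}


@dataclass
class SmsDeliver:
    sender: str
    pid: int
    dcs: int
    udh_ieis: list = field(default_factory=list)
    payload: bytes = b""          # raw TP-UD after the header; not decoded here


def _decode_address(semi: bytes, ndigits: int, toa: int) -> str:
    """Unpack swapped-nibble BCD digits; a leading '+' for international numbers."""
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in semi)[:ndigits]
    return ("+" if (toa & 0x70) == 0x10 else "") + digits


def parse_sms_deliver(hexpdu: str) -> SmsDeliver:
    """Parse the SMS-DELIVER TPDU header fields relevant to the firewall policy."""
    b = bytes.fromhex(hexpdu.replace(" ", ""))
    if b[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(b[0] & 0x40)                  # TP-UDHI: a user-data header is present
    ndigits, toa = b[1], b[2]                 # TP-OA: digit count and type-of-address
    nsemi = (ndigits + 1) // 2
    sender = _decode_address(b[3:3 + nsemi], ndigits, toa)
    i = 3 + nsemi
    pid, dcs = b[i], b[i + 1]
    i += 2 + 7                                # skip TP-PID, TP-DCS and the 7-octet TP-SCTS
    ud = b[i + 1:]                            # b[i] is TP-UDL
    ieis = []
    if udhi:
        udhl, j = ud[0], 1
        while j < 1 + udhl:                   # walk the IEI / IEDL / data triples
            iei, iedl = ud[j], ud[j + 1]
            ieis.append(iei)
            j += 2 + iedl
        ud = ud[1 + udhl:]
    return SmsDeliver(sender, pid, dcs, ieis, bytes(ud))


def message_class(dcs: int):
    """Return the TP-DCS message class (0-3) when one is signalled, else None."""
    if (dcs & 0xF0) == 0xF0:                  # "data coding / message class" group
        return dcs & 0x03
    if (dcs & 0xC0) == 0x00 and (dcs & 0x10): # general group with class indication
        return dcs & 0x03
    return None


def firewall_decision(msg: SmsDeliver) -> tuple:
    """Decide (action, reason) for one message; SIM-bound binary SMS need a trusted sender."""
    sim_bound = (msg.pid == PID_SIM_DOWNLOAD or message_class(msg.dcs) == 2
                 or IEI_OTA_COMMAND in msg.udh_ieis or IEI_OTA_RESPONSE in msg.udh_ieis)
    if sim_bound:
        if msg.sender in OTA_ALLOWLIST:
            return ("deliver", "binary SMS to SIM from allow-listed OTA source")
        return ("drop", "binary SMS to SIM from untrusted sender")
    if msg.pid == PID_TYPE0:
        return ("drop", "silent (type 0) SMS")
    return ("deliver", "ordinary message")


def run_firewall(pdus) -> list:
    """Parse and classify a batch of PDUs; returns [(sender, action), ...]."""
    out = []
    for pdu in pdus:
        msg = parse_sms_deliver(pdu)
        out.append((msg.sender, firewall_decision(msg)[0]))
    return out


# Constructed sample TPDUs (hex): OTA command from the trusted short code, the same command
# from an unknown international number, a silent type 0 SMS, and an ordinary text "hello".
SAMPLE_OTA_TRUSTED = "44 05 81 21 43 F5 7F F6 31 70 42 21 00 00 00 06 02 70 00 AA BB CC"
SAMPLE_OTA_UNKNOWN = "44 0B 91 51 55 21 43 65 F7 7F F6 31 70 42 21 00 00 00 06 02 70 00 AA BB CC"
SAMPLE_SILENT = "04 0B 91 51 55 21 43 65 F7 40 00 31 70 42 21 00 00 00 00"
SAMPLE_TEXT = "04 0B 91 51 55 89 67 45 F3 00 00 31 70 42 21 00 00 00 05 E8 32 9B FD 06"

if __name__ == "__main__":
    for pdu in (SAMPLE_OTA_TRUSTED, SAMPLE_OTA_UNKNOWN, SAMPLE_SILENT, SAMPLE_TEXT):
        m = parse_sms_deliver(pdu)
        print(m.sender, hex(m.pid), hex(m.dcs), m.udh_ieis, firewall_decision(m))
```

The three SIM-bound indicators are checked independently on purpose: an attacker-sent secured packet could omit the TP-PID of 0x7F, use a different class-2 DCS value, or carry only the 0x70 header element, so the policy keys on any of them rather than on one field. Running the same function in the network rather than on the phone is what defense 3 calls in-network filtering; the allow-list is then the set of the operator's own OTA gateways.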