Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations - PowerPoint PPT Presentation

Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations
Hongil Kim*, Dongkwan Kim*, Minhee Kwon, Hyeongseok Han, Yeongjin Jang, Taesoo Kim, Dongsu Han, Yongdae Kim
VoLTE = Voice over LTE. 4G LTE: All-IP based.


  3. Quick Summary of Our Finding
  • Four free data channels
    – Using VoLTE protocol (for all operators): SIP tunneling; Media tunneling
    – Direct communication (for some operators): Phone-to-Internet; Phone-to-Phone
  • Five security issues
    – No encryption of voice packets
    – No authentication of signaling
    – No call session management (DoS on the cellular infrastructure)
    – IMS bypassing
    – Permission model mismatch (VoLTE call without "CALL_PHONE" permission)

  7. VoLTE Call Procedure (Caller, SIP server, Callee)
  Caller → SIP server → Callee: INVITE
    Header: phone # of caller/callee, …
    Body: IP addr, port no., …
  … (further signaling)
  Callee → SIP server → Caller: 200 OK
  Caller ↔ Callee: Voice Session (RTP payload = voice data)
  *SIP: Session Initiation Protocol, *RTP: Real-time Transport Protocol

  8. Free Channel: SIP Tunneling
  Caller → SIP server → Callee: INVITE
    Header: phone # of caller/callee, injected data
    Body: IP addr, port no., injected data
  … (further signaling)
  Callee → SIP server → Caller: 603 Decline
  No voice session is set up: the callee declines instead of answering 200 OK, so there is no call to bill under time-based accounting, yet the INVITE has already carried the injected data end to end.
  *SIP: Session Initiation Protocol, *RTP: Real-time Transport Protocol

  9. Free Channel: Media Tunneling
  Caller → SIP server → Callee: INVITE (Header: phone # of caller/callee, …; Body: IP addr, port no., …)
  … (further signaling)
  Callee → SIP server → Caller: 200 OK
  Caller ↔ Callee: Voice Session (RTP payload = injected data instead of voice)
  *SIP: Session Initiation Protocol, *RTP: Real-time Transport Protocol

  17. Attack Implementation in Detail
  Caller phone: the AP (application processor) runs the SIP sender and the Media sender; the CP (communication processor) exposes the VoLTE interface.
  Callee phone: the AP runs the SIP receiver and the Media receiver; the CP exposes the VoLTE interface.
  Core Network: IMS sits between the two phones.
  Traffic: SIP and RTP are generated on the AP and leave through the CP's VoLTE interface; audio data per packet is 60–100 bytes.
  A DIAG command is issued to the CP alongside the VoLTE interface (shown as "VoLTE DIAG" on the final build of the slide).

  18. Outline
  • Four free data channels
    – Using VoLTE protocol (for all operators): SIP tunneling; Media tunneling
    – Direct communication (for some operators): Phone-to-Internet; Phone-to-Phone
  • Five security issues
    – No encryption of voice packets
    – No authentication of signaling
    – No call session management (DoS on the cellular infrastructure)
    – IMS bypassing
    – Permission model mismatch (VoLTE call without "CALL_PHONE" permission)

  20. Free Channel: Direct Communication
  • Phone-to-Internet
    – Open a TCP/UDP socket with the voice IP
    – Send data to the Internet
    E.g. TCP/UDP socket (Src: voice IP/port, Dst: youtube.com/port)
  Path: Phone → default bearer for VoLTE → 4G Gateway → Internet (IMS is never involved)

  22. Free Channel: Direct Communication
  • Phone-to-Phone
    – Open a TCP/UDP socket with the voice IP
    – Send data to the callee
    E.g. TCP/UDP socket (Src: voice IP/port, Dst: callee's voice IP/port)
  Path: Phone → default bearer for VoLTE → 4G Gateway → callee's phone (IMS is never involved)

  31. Evaluation Result: Accounting Bypass
  ✓: vulnerable/not charged, ✘: secure. Last update: 20th April, 2015.

  Free Channel                              US-1            US-2  KR-1  KR-2  KR-3  Measured rate
  Using VoLTE Protocol: SIP Tunneling       ✓               ✓     ✓     ✓     ✓
  Using VoLTE Protocol: Media Tunneling     ✓               ✓     ✓     ✓     ✓     42 Kbps
  Direct Communication: Phone to Phone      ✓               ✓     ✘     ✘     ✘     16.8 Mbps
  Direct Communication: Phone to Internet   IPv4: ✓ IPv6: ✘ ✓     ✓     ✘     ✘     21.5 Mbps

  32. Outline
  • Four free data channels
    – Using VoLTE protocol (for all operators): SIP tunneling; Media tunneling
    – Direct communication (for some operators): Phone-to-Internet; Phone-to-Phone
  • Five security issues
    – No encryption of voice packets
    – No authentication of signaling
    – No call session management (DoS on the cellular infrastructure)
    – IMS bypassing
    – Permission model mismatch (VoLTE call without "CALL_PHONE" permission)

  33. No Encryption for Voice Packets
  • For voice signaling, only one operator was using IPsec
    – An attacker can easily manipulate the VoLTE call flow
  • For voice data, no one encrypted voice data
    – An attacker might wiretap the outgoing voice data

  Weak Point  Vulnerability             US-1  US-2  KR-1  KR-2  KR-3  Possible Attack
  IMS         No SIP Encryption         four operators ✓, one ✘      Message manipulation
  IMS         No Voice Data Encryption  ✓     ✓     ✓     ✓     ✓     Wiretapping
  ✓: vulnerable, ✘: secure. (The per-operator cells of the first row did not survive extraction; the slide text states that only one operator used IPsec.)

  38. No Authentication/Session Management
  • No authentication
    – Make a call with a fake number
  • No session management (* In a normal call, one user can call only one person)
    – Send multiple INVITE messages → several call sessions are established
    – For each call session, a high-cost bearer is established
    – Even one sender can deplete resources of the core network

  Weak Point  Vulnerability          US-1  US-2  KR-1  KR-2  KR-3  Possible Attack
  IMS         No Authentication      X     X     O     O     X     Caller Spoofing
  IMS         No Session Management  O     O     O     X     O     Denial of Service on Core Network
  O: vulnerable, X: secure

  42. Caller Spoofing Scenario (Attacker, Caller, IMS, Callee)
  Attacker → IMS: INVITE
    Header: phone # of caller/callee, … (the attacker writes another subscriber's number as the caller)
    Body: IP addr, port no., …
  IMS → Callee: INVITE
    Header: phone # of caller/callee, … (forwarded unchanged, so the callee sees the spoofed caller number)
    Body: IP addr, port no., …
  Without signaling authentication the SIP server never checks that the number in the INVITE belongs to the device that sent it.
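The three SIP-server-side checks the deck calls for (reject INVITEs whose headers or body carry injected data, as in SIP tunneling; reject an INVITE whose From: number is not the one registered from the sending bearer address, which is the caller spoofing case above; and allow a single call session per device, which is the session-management fix) can be sketched in a small gate in front of the SIP server. This is an added example, not the authors' tool and not any operator's IMS code: the registration table, the INVITE messages, the size limits and the names InviteGate and build_invite are all constructed for the example, and a real P-CSCF would take the caller identity from P-Asserted-Identity bound at registration rather than from From:.

```python
import re
from collections import defaultdict

# Constructed for this example: bearer source IP -> phone number registered from that IP.
REGISTRATIONS = {
    "10.0.0.5": "+821011110000",
    "10.0.0.9": "+821022220000",
}
MAX_HEADER_BYTES = 512        # assumed policy: no single SIP header value needs more
MAX_BODY_BYTES = 1024         # assumed policy: the SDP of a voice call is a few hundred bytes
MAX_SESSIONS_PER_DEVICE = 1   # "Allow single call session per device"


def parse_sip(raw: bytes):
    """Split a SIP request into (request line, {lower-case header name: [values]}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def caller_of(headers):
    """Number claimed in From:, e.g. '<sip:+821011110000@ims.example>;tag=a1' -> '+821011110000'."""
    m = re.search(r"sip:(\+?\d+)@", headers.get("from", [""])[0])
    return m.group(1) if m else None


class InviteGate:
    """Decides, per INVITE, whether the SIP server should let the call proceed."""

    def __init__(self):
        self.active = defaultdict(set)   # phone number -> Call-IDs of its live sessions

    def check(self, src_ip, raw):
        request_line, headers, body = parse_sip(raw)
        if not request_line.startswith("INVITE "):
            return "403 Forbidden"
        # (1) SIP tunnelling: injected data shows up as oversized header values or body
        too_big = len(body) > MAX_BODY_BYTES or any(
            len(v) > MAX_HEADER_BYTES for values in headers.values() for v in values)
        if too_big:
            return "413 Request Entity Too Large"
        # (2) caller spoofing: the number in From: must be the one registered from src_ip
        claimed = caller_of(headers)
        if claimed is None or REGISTRATIONS.get(src_ip) != claimed:
            return "403 Forbidden"
        # (3) session management: at most one concurrent call per device
        call_id = headers.get("call-id", [""])[0]
        if call_id in self.active[claimed]:
            return "100 Trying"               # retransmitted INVITE of an existing session
        if len(self.active[claimed]) >= MAX_SESSIONS_PER_DEVICE:
            return "486 Busy Here"
        self.active[claimed].add(call_id)
        return "100 Trying"                   # accepted: the call proceeds

    def end(self, number, call_id):
        """Called when BYE/CANCEL tears the session down."""
        self.active[number].discard(call_id)


def build_invite(caller, callee, call_id, extra_header=None):
    """Constructed INVITE with a minimal SDP body, as a phone's SIP sender would emit."""
    sdp = ("v=0\r\no=- 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\n"
           "m=audio 49170 RTP/AVP 97\r\na=rtpmap:97 AMR-WB/16000\r\n")
    hdrs = [f"INVITE sip:{callee}@ims.example SIP/2.0",
            "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK1",
            f"From: <sip:{caller}@ims.example>;tag=a1",
            f"To: <sip:{callee}@ims.example>",
            f"Call-ID: {call_id}",
            "CSeq: 1 INVITE",
            "Content-Type: application/sdp",
            f"Content-Length: {len(sdp)}"]
    if extra_header:
        hdrs.append(extra_header)        # where a SIP-tunnelling sender stuffs its data
    return ("\r\n".join(hdrs) + "\r\n\r\n" + sdp).encode()


def demo():
    """Run one legitimate INVITE and one of each abuse pattern through the gate."""
    gate = InviteGate()
    me, other, third = "+821011110000", "+821022220000", "+821033330000"
    r = {}
    r["normal"] = gate.check("10.0.0.5", build_invite(me, other, "c1"))
    r["sip_tunnel"] = gate.check("10.0.0.5", build_invite(me, other, "c2", "X-Data: " + "A" * 2000))
    r["spoof"] = gate.check("10.0.0.5", build_invite(other, third, "c3"))       # From: is not mine
    r["second_session"] = gate.check("10.0.0.5", build_invite(me, third, "c4"))  # c1 still live
    gate.end(me, "c1")
    r["after_bye"] = gate.check("10.0.0.5", build_invite(me, third, "c4"))
    return r


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:15s} -> {status}")
```

The size cap only raises the cost of SIP tunneling (data can still be spread over many small INVITEs); the binding of From: to the registered bearer address and the one-session rule are the checks that close caller spoofing and the multi-INVITE bearer exhaustion described on the previous slides.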


  47. IMS Bypassing
  • All voice packets should pass through IMS (Phone → 4G Gateway → IMS), but an attacker can bypass the SIP servers in IMS
    – IMS vulnerabilities are then also reachable, e.g. make a call with a fake number

  Weak Point  Vulnerability  US-1  US-2  KR-1  KR-2  KR-3  Possible Attack
  4G-GW       IMS Bypassing  O     X     O     X     X     Caller Spoofing
  O: vulnerable, X: secure

  49. Android Permission Model Mismatch
  • No distinction between a phone call and a normal data socket
    – In 3G, an app needs "android.permission.CALL_PHONE"
    – In VoLTE, we found that an app can call with only "android.permission.INTERNET"
  • A malicious app with only the Internet permission can perform
    – a denial of service attack on calls
    – an overbilling attack by making an expensive video call

  Weak Point  Vulnerability        US-1  US-2  KR-1  KR-2  KR-3  Possible Attack
  Phone       Permission Mismatch  Vulnerable for all Android     Denial of Service on Call, Overbilling

  54. Denial of Service on Call Scenario (Victim, IMS, Attacker, Caller)
  • Blocking an incoming call: the Caller's INVITE reaches the Victim through IMS, and the attacker (a malicious app with only the Internet permission, per the previous slide) blocks it before the call is set up.
  • Cutting off an ongoing call: with the Caller and Victim already in a call, the attacker cuts the session off through IMS.


  59. Mitigation

  Point  Vulnerability           Mitigation                                    Responsible Entity
  IMS    No Security Mechanisms  Encrypt call signaling and voice data         Operators
  IMS    No Authentication       Place proper authentication on voice packets  IMS provider
  4G-GW  No Session Management   Allow single call session per device          IMS provider
  4G-GW  Direct Communication    Disallow direct communication                 Operators
  Phone  Permission Mismatch     Create new permission for VoLTE interface     Mobile OS (Android)
  Phone                          Place proper regulation on packet routing     Mobile OS (Android)
         SIP/Media tunneling     Apply deep packet inspection                  Operators

  How to resolve media tunneling? Not easy! Maybe byte-usage accounting?
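The "byte-usage accounting" idea floated on this slide, applied to the media tunneling channel from slide 9, comes down to metering each RTP stream against what the negotiated voice codec can physically produce. The example below is added here and is not the authors' code or any operator's charging system: the codec envelope (AMR-WB at 23.85 kbit/s, at most 62 payload bytes per 20 ms frame under RFC 4867 octet-aligned framing), the tolerance factor and the packet streams are all assumed or constructed for the example. Arrival time is taken from the meter's own clock, because the RTP timestamp is set by the sender and is the first thing a tunneling client would fake.

```python
import struct

# Assumed codec envelope: AMR-WB at its highest mode (23.85 kbit/s) fits in 62 RTP payload
# bytes per 20 ms frame (RFC 4867 octet-aligned framing). Anything beyond is not voice.
MAX_FRAME_BYTES = 62
FRAME_SECONDS = 0.020
RATE_TOLERANCE = 1.5      # assumed slack for CMR/ToC overhead and jitter before flagging


def parse_rtp(pkt: bytes):
    """Return (payload type, seq, timestamp, ssrc, payload) for one RTP v2 packet (RFC 3550)."""
    if len(pkt) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)                 # skip the CSRC list
    if b0 & 0x10:                                 # header extension present
        _, ext_words = struct.unpack("!HH", pkt[offset:offset + 4])
        offset += 4 + 4 * ext_words
    padding = pkt[-1] if b0 & 0x20 else 0         # last byte holds the padding length
    return b1 & 0x7F, seq, ts, ssrc, pkt[offset:len(pkt) - padding]


class MediaMeter:
    """Byte-usage accounting per RTP stream: flag streams carrying more than a voice codec can."""

    def __init__(self):
        self.streams = {}   # ssrc -> [first_arrival, last_arrival, payload_bytes, oversized]

    def observe(self, pkt: bytes, arrival_s: float):
        # arrival_s is the meter's wall clock; the RTP timestamp is sender-controlled.
        _, _, _, ssrc, payload = parse_rtp(pkt)
        s = self.streams.setdefault(ssrc, [arrival_s, arrival_s, 0, 0])
        s[1] = arrival_s
        s[2] += len(payload)
        if len(payload) > MAX_FRAME_BYTES:
            s[3] += 1

    def verdict(self, ssrc):
        first, last, nbytes, oversized = self.streams[ssrc]
        seconds = (last - first) + FRAME_SECONDS                  # count the last frame too
        budget = seconds / FRAME_SECONDS * MAX_FRAME_BYTES * RATE_TOLERANCE
        if oversized:
            return "tunnelling: payload larger than any codec frame"
        if nbytes > budget:
            return "tunnelling: byte rate exceeds codec ceiling"
        return "ok"


def rtp_packet(ssrc, seq, ts, payload, pt=97):
    """Constructed RTP v2 packet: no padding, no extension, no CSRCs."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def demo():
    """Constructed streams: one voice-like stream and two media-tunnelling patterns."""
    meter = MediaMeter()
    for i in range(50):   # genuine: 62-byte frames every 20 ms
        meter.observe(rtp_packet(0x1111, i, 320 * i, b"\x00" * 62), 0.020 * i)
    for i in range(50):   # tunnel A: MTU-sized payloads at normal voice pacing
        meter.observe(rtp_packet(0x2222, i, 320 * i, b"\x00" * 1300), 0.020 * i)
    for i in range(50):   # tunnel B: codec-sized payloads sent ten times too often
        meter.observe(rtp_packet(0x3333, i, 320 * i, b"\x00" * 62), 0.002 * i)
    return {ssrc: meter.verdict(ssrc) for ssrc in (0x1111, 0x2222, 0x3333)}


if __name__ == "__main__":
    for ssrc, verdict in demo().items():
        print(f"ssrc {ssrc:#06x}: {verdict}")
```

Tunnel B shows why a per-packet size check alone is not enough: a sender that keeps every payload inside the codec frame size still betrays itself in the bytes-per-second budget, which is the quantity an operator would have to account for instead of call duration.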

  60. Discussion
  • Some parts of the 3GPP specifications are unclear
    – Several misunderstandings by the operators
    – Different implementations and security problems
    – Security features are only recommendations, not requirements
  • We reported the vulnerabilities to the US/KR CERTs and Google in May
    – Google replied "moderate severity"
    – Both U.S. operators ACK'ed, but no follow-ups
    – Only two of the three KR operators have been fixing with us

  63. Conclusion
  • Newly adopted VoLTE has
    – A complex (legacy time-based) accounting
    – Delegated voice signaling (previously done by the CP) to the AP
  • We analyzed the security of VoLTE for 5 operators, and found
    – Four free data channels
    – Five security problems
  • All related parties have problems
    – 3GPP, telcos, IMS providers, mobile OSes, and device vendors
