The 26C3 Congress of the Chaos Computer Club

The Chaos Computer Club has officially been in existence since 1981 and has been organizing conferences (‘congresses’) since 1984. Through generations of leadership, a surprising number of themes have remained constant – for instance, the opposition to restrictions on the use of technology as well as technology’s role in society. These themes play a large role in the Congresses, although there is also plenty of space and time dedicated to ‘traditional’ hacking and LAN partying. In the end, like any good conference, it is an information fest.

The 26th Congress was held over four days between Christmas and New Year in Berlin, Germany, with the slogan ‘Here be Dragons’. By the first day, the Congress was so full of dragons that only a few tickets remained for day visitors and those travelling from afar. In all, it was estimated that 4,230 people participated on site. Oversubscription had been anticipated since the same problem had occurred last year, and an attempt was made to offer offsite participation through video streaming to remote chapters and anyone else who was interested. This was also useful for people who, like me, were on site, but could not get into the lecture halls due to overcrowding.

Unlike at the last event, there were no big disclosures this time. Instead, we heard about many incremental developments that are still very significant. With topics ranging from the politics of information to quantum cryptography, it is not possible to cover the hundreds of hours of material presented, so I will focus on a few select topics.

In the area that I roughly describe as information politics, there were quite a few presentations concerning events in Germany, such as recent attempts at Internet censorship and the country’s data retention laws. There was also a presentation by the Wikileaks people about their activities and the negotiations going on with the government of Iceland to create an information free haven. While Wikileaks has its own agenda in needing such a free haven, this would also provide a location for depositing illicit material that some people in the security community would rather keep offline – so it will be interesting to see what form, if any, this takes.

One trend that continued this year was hardware hacking. My favourite hardware projects are those that follow the open source principle down to the hardware level to produce working quadrocopters that can easily be built from scratch using all the documentation that is available online. Two such projects were on site this year, Mikrokopter.de and Ng.uavp.ch, and both provide an open development process as well as a shop for buying parts if you don’t want to make your own circuit boards, etc.

The idea of augmenting open source development with commercial interests was also manifest in another hardware project, the Makerbot, a 3D printer. Similarly, the Blinkenlights project and others were back again with various kits one could build in the hardware room in the basement. This was the first Congress to have a dedicated hardware room containing piles of soldering irons and other kit – which demonstrates the prominence of hardware hacking today.

It wasn’t a big surprise, then, that many of the hacking talks were about hardware. Continuing a theme from last year’s Congress, there was a talk about the lack of security in the Swiss Legic Prime RFID cards which, while already deprecated, are still being used in physical access control – even at some airports. This analysis was performed by the same group who analysed the Mifare Classic cards last year. Needless to say, they found Legic Prime to be very lacking in security, to the point that they could emulate master cards granting access to all readers in a group. This should worry more than Legic’s customers and also demonstrates why security through obscurity is not a long-term strategy.

The big topic of the event was GSM technology, the largest phone network in the world. It has been known for over a decade that the GSM A5/1 cipher is broken. Initially, this had no practical value, but over time more evidence has emerged of successful practical attacks, though details have never been fully disclosed. Now, a group that includes Karsten Nohl and Chris Paget has explored enough of GSM and A5/1’s weaknesses to mount a concerted attack against it. They have created an optimized variant of rainbow tables for this purpose and have started a distributed effort to generate them.

Effectively, this means that GSM privacy is dead if an attacker gets enough packets with known plaintext – which is highly likely, though there are some complications. GSM uses frequency hopping as well as time slicing below the encryption. The former means that you need to be able to predict the frequency on which the next packet will be transmitted, and this requires knowledge of the key. The way around this problem is to use two slightly modified universal software radios (USRP) to capture all traffic until the known plaintext attack has found the key, at which point they can lock onto the frequency hopping directly. More modifications need to be made to the USRP to make the attack more practical and offload much of the work now done by computer to the FPGA in the USRP, but the attack is feasible.

With the A5/1 algorithm now practically broken, what alternatives are there? Unfortunately, the newer GSM cipher, A5/3, is also theoretically broken. So far, there is no practical attack, so GSM operators could buy themselves some time by moving to this insecure algorithm, but they should not be under any illusions that doing so would ‘solve’ the privacy problem. It also won’t solve the problem that the phone always trusts the base station, so rogue networks can easily be set up to disable encryption and capture all data. A phone could be made to detect attacks like this, though so far none are known to implement any phone-side security. It was clear from the talk that there are some deep design bugs in GSM that cannot easily be mitigated. There is a good chance that GSM security directly affects GPRS and EDGE data traffic, but any consequences for UMTS are so far unknown.

The talk was accompanied by others about GSM security and other activities in this field. There was a room dedicated to GSM hacking from which a private GSM phone network was being run. As permission had been obtained to run this experimental network, it couldn’t be classified as ‘rogue’, but was an indication of what can be done. A lot of the activity in that room revolved around looking at various aspects of GSM phone technology, which meant a lot of hardware hacking.

Other GSM talks covered topics including the fuzzing of the phone-side operating system from either the PDA-side OS or the base station, or fuzzing the base station (and therefore the cell) from the phone. These activities are limited by the fact that there are very few vendors of GSM RF chips and it is hard to get at the documentation for them. Fuzzing is one way of finding out more despite the lack of documentation. Documentation projects have evolved around the Nokia DCT3 series phones and the TI TSM320 chips. I was told that the phone-side operating system of the OpenMoko phones is currently being reverse engineered (the PDA-side operating system is already open source).

There is increasing use of femtocells to fill GSM coverage gaps by routing phone traffic from the small GSM transceiver base stations to the telecom via the Internet. Philippe Langlois talked about the frequent lack of proper IPSec security of these devices and how one can access the SS7 or SIP signalling data. Femtocells are also an alternative to the micro cell base stations used in previous attacks and may make it even easier to set up rogue networks. I expect to hear more about these devices in future.

Another impressive talk was on breaking quantum key exchange, which has been proven to be secure. Just as traditional cryptography can be vulnerable due to faulty implementations, it turns out that photon emitters and receivers are prone to attack, making a man-in-the-middle attack feasible. Qin Liu and Sebastien Sauge of the Quantum Hacking group at the Norwegian technical and scientific university, NTNU, had previously developed this attack on their campus and have now created a flight-case with which they can take a demonstration on the road.

Moving onto network security, the IPv4 address space is becoming a scarce resource and competition for address blocks is intensifying. At the same time it is not unknown for a block to become orphaned as companies go bankrupt or forget to track their assets. ‘Nibbler’ described how he was able to regain four address blocks despite not actually being the owner in the strictest sense (although they had been under his legitimate control at some point) by persuading RIPE to release the ASNs to him. While the Internet Assigned Numbers Authority (IANA) sets strict policies, the regional Internet registries are often lax in enforcing them and very old IP address spaces often don’t fall under the more recent policies anyway. Nibbler went on a hunt for address blocks that might have been hijacked and believes he found one large space where the ownership has mutated over time in suspicious ways. While it seems unlikely that active address spaces would as easily fall prey to such persuasion, it is still a risk for companies who are slack with managing their Internet assets.

Fabian Yamaguchi of Recurity Labs talked us through a very convoluted attack involving various networking layers. It included the abusing of some known vulnerabilities and discovery of many more, but the most impressive aspect was the weaving of these various unrelated and small vulnerabilities into a larger, effective attack. It shows that to withstand a determined attack, no vulnerability can be ignored even if individually the risk factor is low.

Finally, Dan Kaminsky made an appearance at the Congress, this time talking about the X.509 certificate process. SSL/TLS, which is based on X.509 certificates, has held up surprisingly well, but cracks were already beginning to show prior to last year’s attack against the scheme whereby a group was able to engineer a root certificate based on MD5 using the known vulnerability of that hash algorithm. Dan talked us through various other weaknesses in both the X.509 certificates and the general certification process. The economics of the process means there is effectively a race to the bottom as far as security is concerned. There are problems with the X.509 delegation approach which leads companies either to (nearly worthlessly) self-sign certificates to avoid constantly needing to purchase new ones from the certificate authorities, or to purchase the right to become a signing authority. There are also technical problems with delegation and the way that various implementations interpret them. Furthermore, MD2, the even less secure grand-daddy of MD5, is still in use – though all major browsers now have shunned its use and will probably remove support for that algorithm soon.

Dan’s proposal is to eventually abandon X.509 as a public key infrastructure in favour of DNSSEC once its root key has been signed. His arguments are compelling, but it remains to be seen whether the major vendors will implement DNSSEC authentication. Most users don’t understand enough about crypto to demand it, and moving to a new infrastructure is an upheaval for the vendors. However, enterprise customers – who have more clout with the vendors – should be particularly interested in the flexibility and security of a DNSSEC-based PKI, so we may see it rolled out sooner than we think.

Nearly all of the presentations are available online at http://events.ccc.de/congress/2009/, and many of the slides and other pieces of information can be found there too. I haven’t been able to cover things like BIOS hacking, user-space virtualization, port scanning or web application fingerprinting in this article, but the relevant papers are all available online. It may not be the same as being there in person, but in future it may be impossible to get in without lining up a day in advance anyway!