Date: Sun, 3 Aug 2014 03:47:12 -0700
From: coderman <coderman@...il.com>
To: Full Disclosure <fulldisclosure@...lists.org>
Cc: Georgi Guninski <guninski@...inski.com>
Subject: Re: [FD] Preferred Roaming List Zero Intercept Attack [was: DEF CON nostalgia [before that: going double cryptome at DEF CON 22]][still confusing]

On Fri, Aug 1, 2014 at 4:06 AM, coderman <coderman@...il.com> wrote:
> ...
> Any carrier phones or specific builds known to not accept PRL updates
> without authorization should be noted in response to this thread...


anon from the wiki pointed out the verizon rigmaiden aircard
incident.[0] while not a smart phone, this does illustrate how a
properly privacy conscious device will refuse to accept insufficiently
authenticated roaming list updates. the UTStarcom PC5740 was at that
point in time resistant to surreptitious corruption of the roaming list.

also, more than twenty years for cell locator tech as written. how
many years of PRL Zero tricks?  still soliciting pointers, ...



best regards,


0. "Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight"
 - http://www.wired.com/2013/04/verizon-rigmaiden-aircard/all/
'''
Verizon reprogrammed the device so that when an incoming voice call
arrived, the card would disconnect from any legitimate cell tower to
which it was already connected, and send real-time cell-site location
data to Verizon, which forwarded the data to the FBI. This allowed the
FBI to position its stingray in the neighborhood where Rigmaiden
resided. The stingray then “broadcast a very strong signal” to force
the air card into connecting to it, instead of reconnecting to a
legitimate cell tower, so that agents could then triangulate signals
coming from the air card and zoom-in on Rigmaiden’s location.

To make sure the air card connected to the FBI’s simulator, Rigmaiden
says that Verizon altered his air card’s Preferred Roaming List so
that it would accept the FBI’s stingray as a legitimate cell site and
not a rogue site, and also changed a data table on the air card
designating the priority of cell sites so that the FBI’s fake site was
at the top of the list.

'''
 - the second "data table on the air card ... designating the priority
of cell sites" is not unambiguous. for example, System Determination
Algorithms can utilize recent tower connection history foremost, along
with the "Preferred Roaming List" as commonly used. a stated common
method is listed in priority order:
1. MRU ROAMING History List (MRU)
2. Preferred Roaming List (PRL)
