The software radios on the table are pretending to be a cellphone base station - we are doing this in an isolated room deep underground where there is no cellphone coverage to interfere with, and I am the only other person in the room. As soon as we power up the new phone in the presence of their attack radio, their signal patches the radio runtime software of the baseband processor (the other CPU in your cellphone, which users can't access and which takes care of the radio to talk to the network) so that after the patch any phone calls I make are routed to them instead of their intended destination.
I tested this afterwards, when we went to where we did have cellphone coverage, by trying to dial my Japanese cellphone, and it rang on Nico's cellphone instead. The modified radio software also forwarded the original number dialled, so in the real world an attacker would then use a VoIP proxy to forward the call imperceptibly and listen in on it.
Ironically enough, this year at PWN2OWN we have had some of the most significant research with the smallest prizes ever, in the true spirit of security research. To reward these guys, since I don't have a lavish budget, I'm going to fly them and their wives, girlfriends and family to CanSecWest next year to come snowboarding/skiing after they give a technical presentation on doing security research on baseband processors and this vulnerability. (Hat tip to the BlackBerry security folks who got us in touch with the right folks to get the vulnerability information to Samsung through a VP they know there.) I would like to get these guys some further reward, beyond the bragging rights for winning PWN2OWN and being the first to show a successful baseband attack, for this significant research, especially since last year we were offering $150,000 rewards for an attack like this.
These guys have been doing this work in their spare time in addition to their day jobs and have put a significant amount of time into doing this to secure the whole industry. So if you folks know a bounty program that would be interested in these and other significant cellphone baseband radio discoveries, please contact me.
Oops. I up and did it.
PacSec 2015 PWN2OWN MOBILE
We are still making PacSec announcements. But first some regrets. Other than BlackBerry, which I think says something about their security team and the culture inspired there by excellent managers, now and in the past (waves), no one has stepped up to bat for Pwn2Own Mobile. But if you remember, I started this whole thing on a challenge from some MacBooks: pwn them, get to keep them.
Well, I'm going to do the same thing. So here is a bet/challenge 2-3 weeks out from the conference. I'm going to have a WinMo phone (TBD, but something widely avail), a Project Fi edition Nexus 6 (or a 6P if it arrives in time, supposed to arrive the day I leave), an iPhone 6s Plus, and a BlackBerry Classic (or another model if you get a hold of me in time). You pwn any of my phones on this list and you get to keep them - and the PR bragging rights. So are you going to walk away from a million bucks for your remote iOS jailbreak to weaponize for who knows who for any nefarious what, or will you get a phone, moral high-ground, and handing it over to the original vendor/developer in the process? (and probably a few tequila shots)
Oh wait, maybe we can add one more carrot - and this clever idea is Gohsuke Takama's, to give due credit. In addition to handing it over to the requisite vendor (and as mentioned, BlackBerry has a bounty on any vulns for their platform....), and here is where the experiment begins, we will auction off access to the information coincident with the vendor disclosure, at the conference, and the proceeds go to the winning team(s). Gentlemen, start your disassemblers. Contact me if you are going to participate.