00:15.14 | *** join/#neo900 Kabouik (~kabouik@2a01cb00802301005c81c80ca49536bd.ipv6.abo.wanadoo.fr) |
00:17.34 | *** join/#neo900 infobot (ibot@c-174-52-60-165.hsd1.ut.comcast.net) |
00:17.35 | *** topic/#neo900 is http://neo900.org | CCCAMP15 lightning talks at http://neo900.org/stuff/cccamp15/ - major: http://neo900.org/stuff/cccamp15/ccc2015talk/neo900-wpwrak_CCC2015.webm | conversations are logged http://maemo.cloud-7.de/irclogs/freenode/_neo900/ & http://irclog.whitequark.org/neo900 | Status: https://talk.maemo.org/showthread.php?p=1556735 |
00:17.35 | *** mode/#neo900 [+v infobot] by ChanServ |
01:02.34 | *** join/#neo900 ArturShaik (~ArturShai@212.112.100.88) |
03:22.13 | *** join/#neo900 _whitelogger (~whitelogg@uruz.whitequark.org) |
03:22.13 | *** mode/#neo900 [+v _whitelogger] by ChanServ |
03:48.44 | *** join/#neo900 ArturShaik (~ArturShai@212.112.100.88) |
04:28.13 | *** join/#neo900 _whitelogger (~whitelogg@uruz.whitequark.org) |
04:28.13 | *** mode/#neo900 [+v _whitelogger] by ChanServ |
04:29.43 | *** join/#neo900 neo900 (~office@neo900/coreteam/joerg) |
04:29.43 | *** mode/#neo900 [+v neo900] by ChanServ |
04:29.47 | *** join/#neo900 DocScrutinizer05 (~saturn@openmoko/engineers/joerg) |
04:29.47 | *** mode/#neo900 [+v DocScrutinizer05] by ChanServ |
04:58.12 | *** join/#neo900 _whitelogger (~whitelogg@uruz.whitequark.org) |
04:58.12 | *** mode/#neo900 [+v _whitelogger] by ChanServ |
07:49.22 | *** join/#neo900 _Chris_ (~Chris@p5B32CEAC.dip0.t-ipconnect.de) |
16:13.47 | *** join/#neo900 Kabouik (~kabouik@2a01cb00802301005c81c80ca49536bd.ipv6.abo.wanadoo.fr) |
17:00.41 | Joerg-Neo900 | >>According to the researchers, all manufacturers and mobile phone models are vulnerable to the SimJacker attack<< Neo900 being resistant to at least 5 of the 7 listed attack scenarios |
17:01.52 | Joerg-Neo900 | particularly >>Performing premium-rate scams by dialing premium-rate numbers,<< and >>Spying on victims' surroundings by instructing the device to call the attacker's phone number,<< is 100% impossible by design of Neo900 |
17:02.55 | Joerg-Neo900 | even nore impossible, basically not even feasible if user would want to allow it: >>Spreading malware by forcing victim's phone browser to open a malicious web page<< |
17:03.01 | Joerg-Neo900 | more* |
17:03.52 | Joerg-Neo900 | there's no default implementation of SIM instructing browser to open a webpage, in Neo900/maemo |
17:05.48 | Joerg-Neo900 | generally Neo900 could intercept _all_ such attacks by simply monitoring SIM activity and interrupting whole modem as soon as SIM becomes unusually active after modem receiving data |
17:07.06 | Joerg-Neo900 | so >>According to the researchers, all manufacturers and mobile phone models are vulnerable<< is incorrect: Neo900 is basically immune |
17:09.38 | Joerg-Neo900 | even more remarkable: this is a unique Neo900 property not even 100% shared by N900. The N900, while immune to a few of the attack scenarios, is vulnerable to most of them |
17:11.29 | Joerg-Neo900 | Neo900, by a simple and easy hw modification possible to get done by basically every user, could get modified in field to be 100% on top of this and any other SIM-based exploits |
17:12.20 | Joerg-Neo900 | (hint: monitor SIM IF) |
17:13.48 | Joerg-Neo900 | the modification takes ca 30min incl disassembly and re-assembly and needs a torx driver and tweezers as tools |
17:18.22 | Joerg-Neo900 | oh, context for those who missed it: https://thehackernews.com/2019/09/simjacker-mobile-hacking.html |
17:25.15 | *** join/#neo900 _whitelogger (~whitelogg@uruz.whitequark.org) |
17:25.15 | *** mode/#neo900 [+v _whitelogger] by ChanServ |
18:11.24 | norly | hi neo900 team, just a quick note - the SSL certificate on https://neo900.org has expired |
20:13.44 | crox | maybe it could be replaced by a letsencrypt one? (I guess the expired certificate was issued before LE allowed wildcard certificates) |
20:50.00 | Joerg-Neo900 | yes. Know, thanks for noting nevertheless. As soon as one of the sysops feels like tackling it, we will take care |
20:50.09 | Joerg-Neo900 | Known, even |
20:50.54 | Joerg-Neo900 | at least our server doesn't enforce https ;-) |
20:55.52 | Joerg-Neo900 | a year ago I had the money on my private account to get a wildcard cert and not pester sysops to spend their expensive and precious time on LE installation, a 100 EUR per year seemed the more reasonable approach. Alas now I can't afford this anymore and it's unclear how long the servers will stay paid and up and online at all due to that |