Max’s 2010 Las Vegas BH/DC Summary
Hey, this is Max Sobell and I’ve been interning with Intrepidus Group this past summer. I just got back from my first Blackhat/Defcon with IG a few days ago. Corey summed up quite a few of the really good talks but there was one more that was particularly interesting. The WiMAX Hacking (https://groups.google.com/group/wimax-hacking) talk, from Pierce, Goldy, and aSmig feat. sanitybit was great.
For those of you who aren’t familiar with WiMAX, it’s a wireless broadband technology being deployed (and spreading rapidly) by Clearwire (and others, though Clearwire has the largest network). The team’s research was done on the Clear network, which Time Warner, Comcast, and Sprint all re-brand, though it is the same physical network. One thing I really liked in the talk was the emphasis on the hardware hacks and jailbreaks. They combined some hardware hacking with some VPN tricks to own a couple of WiMAX devices and the captive portal page. The team was able to send fragmented packets through OpenVPN on UDP/53 without actually logging into the portal to get free WiMAX. The downside is that the Location Based Services (LBS) from Clearwire (currently not very accurate, and they can’t be turned off) allow anyone bumming off the network to be tracked down by fellow users via a development key. One thing that confused the audience was that the speakers didn’t qualify what they meant by LBS. In the context of their talk, they were talking about traditional signal strength analysis and antenna orientation. What was not mentioned is that these 4G WiMAX cellular radios also have a real GPS radio, which is a requirement of E911. I would assume that the carrier has the ability to locate a device within meters based on the GPS radio.
Friday morning Corey, Mike, and I played in the Hack Cup soccer games on the Goal++ team along with DC Campbell, DC’s friend Judd, and Adam Pridgen. We sustained some early injuries, which left Mike scooting around the Riviera for the rest of the week in a motorized cart, but made it to the semi-finals with no subs. Unfortunately after that we had to stop playing because we lost DC to the airport and Judd had to go back to work. But watch out next year, Goal++ will be back! A big thanks to Nico Waisman for organizing the tournament and to Immunity for sponsoring it.
That’s it from me!
-Max
2 Comments
Hi Max, I’m glad you enjoyed the talk.
To clarify, the current generation of Clear devices do not contain any form of GPS. Clear’s towers have 3 (and sometimes 4) antenna panel sectors. LBS data is derived by finding which sector panel the user’s device is associated with, in combination with the signal strength.
The accuracy is not incredibly high; you only know what sector and what “range” it is from the tower. The ranges are currently predefined at:
160, 241, 321, 402, 482, 563, 643, 724, 804, 885, 965, 1126, 1448 meters.
Here is a terrible and confusing diagram that I drew up in the gimp. I would have made something nicer but Summer Glau is on television so I’m a little distracted.
http://imgur.com/6cSMP.png
Clear has stated that in the future they will start using multiple towers to perform actual triangulation, but there is no eta on this.
Also, the slides are available online here:
https://groups.google.com/group/wimax-hacking/files
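To put the commenter’s point about accuracy in concrete terms, here is a small added model (not code from the original post, the commenter, or the WiMAX Hacking talk) of how much ground a sector-plus-range fix actually covers. The range boundaries are the thirteen values quoted in the comment above; the geometry (equal angular slices of a circle centred on the tower, with a device’s position given in polar coordinates) is an assumption made for illustration, as are the sample distances and bearings.

```python
"""Added example: how coarse a sector-plus-range LBS fix is.

Range boundaries are the values quoted in the comment above. The sector
geometry (equal angular slices around the tower) is an assumption for
illustration, not something the comment or the talk specifies.
"""
import math

# Range band boundaries in metres, as listed in the comment above.
RANGE_BOUNDARIES_M = [160, 241, 321, 402, 482, 563, 643, 724,
                      804, 885, 965, 1126, 1448]


def range_bucket(distance_m):
    """Index of the range band a device at distance_m falls in.

    Band 0 is 0..160 m, band 1 is 160..241 m, and so on. A device beyond
    the last boundary returns len(RANGE_BOUNDARIES_M) (out of range).
    """
    for i, bound in enumerate(RANGE_BOUNDARIES_M):
        if distance_m <= bound:
            return i
    return len(RANGE_BOUNDARIES_M)


def uncertainty_area_m2(bucket, sectors=3):
    """Area in m^2 of the annular sector the device could be anywhere in.

    Knowing only the sector index and range band, the observer cannot do
    better than this region. `sectors` equal angular slices is an assumed
    geometry (the comment says towers have 3, sometimes 4, panel sectors).
    """
    if bucket >= len(RANGE_BOUNDARIES_M):
        raise ValueError("distance is beyond the last predefined range")
    inner = 0 if bucket == 0 else RANGE_BOUNDARIES_M[bucket - 1]
    outer = RANGE_BOUNDARIES_M[bucket]
    full_annulus = math.pi * (outer ** 2 - inner ** 2)
    return full_annulus / sectors


def locate(distance_m, bearing_deg, sectors=3):
    """Return (sector_index, range_bucket, uncertainty_area_m2).

    `distance_m` and `bearing_deg` are the device's true polar position
    relative to the tower (constructed inputs); the return value mirrors the
    only information the comment says LBS exposes: sector plus range band.
    """
    sector = int((bearing_deg % 360) // (360 / sectors))
    bucket = range_bucket(distance_m)
    return sector, bucket, uncertainty_area_m2(bucket, sectors)


if __name__ == "__main__":
    # Constructed sample positions, 3-sector tower.
    for d in (100, 500, 1400):
        s, b, area = locate(d, 200)
        print(f"{d} m at 200 deg -> sector {s}, band {b}, "
              f"~{area / 10000:.1f} ha of uncertainty")
```

The inner bands are small, but a device in the outermost band on a 3-sector tower sits somewhere in roughly 87 hectares, which is why the commenter describes the accuracy as "not incredibly high" and why the real privacy concern is the future multi-tower triangulation the comment mentions.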
Video of the WiMAX Hacking 2010 talk is now available for streaming & download on Vimeo.
http://vimeo.com/14951004