Wasmachineman_NL | cool, a neo-n900 irc channel | 00:24 |
---|---|---|
Joerg-Neo900 | >>According to the researchers, all manufacturers and mobile phone models are vulnerable to the SimJacker attack<< Neo900 being resistant to at least 5 of the 7 listed attack scenarios | 19:00 |
Joerg-Neo900 | particularly >>Performing premium-rate scams by dialing premium-rate numbers,<< and >>Spying on victims' surroundings by instructing the device to call the attacker's phone number,<< is 100% impossible by design of Neo900 | 19:01 |
Joerg-Neo900 | even nore impossible, basically not even feasible if user would want to allow it: >>Spreading malware by forcing victim's phone browser to open a malicious web page<< | 19:02 |
Joerg-Neo900 | more* | 19:03 |
Joerg-Neo900 | there's no default implementation of SIM instructing browser to open a webpage, in Neo900/maemo | 19:03 |
Joerg-Neo900 | generally Neo900 could intercept _all_ such attacks by simply monitoring SIM activity and interrupting whole modem as soon as SIM becomes unusually active after modem receiving data | 19:05 |
Joerg-Neo900 | so >>According to the researchers, all manufacturers and mobile phone models are vulnerable<< is incorrect: Neo900 is basically immune | 19:07 |
Joerg-Neo900 | even nore remarkable: this is a unique Neo900 property not even 100% shared by N900. The N900, while immune to a few of the attack scenarios, is vulnerable to most of them | 19:09 |
Joerg-Neo900 | Neo900, by a simple and easy hw modification possible to get done by basically every user, could get modified in field to be 100% on top of this and any other SIM-based exploits | 19:11 |
Joerg-Neo900 | (hint: monitor SIM IF) | 19:12 |
Joerg-Neo900 | the modificaten takes ca 30min incl disassembly and re-asembly and needs a torx driver and tweezers as tools | 19:13 |
Joerg-Neo900 | oh, context for those who missed it: https://thehackernews.com/2019/09/simjacker-mobile-hacking.html | 19:18 |
norly | hi neo900 team, just a quick note - the SSL certificate on https://neo900.org has expired | 20:11 |
crox | maybe it could be replaced by a letsencrypt one? (I guess the expired certificate was issued before LE allowed wildcard certificates) | 22:13 |
Joerg-Neo900 | yes. Know, thanks for noting nevertheless. As soon as one of the sysops feels like tackling it, we will take care | 22:50 |
Joerg-Neo900 | Known, even | 22:50 |
Joerg-Neo900 | at least our server doesn't enforce https ;-) | 22:50 |
Joerg-Neo900 | a year ago I had the money on my private account to get a wildcard cert and not pester sysops to spend their expensive and precious time on LE installation, a 100 EUR per years seemed the more reasonable approach. Alas now I can't afford this anymore and it's unclear how long the servers will stay paid and up and online at all due to that | 22:55 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!