libera/#neo900/ Saturday, 2019-09-14

Wasmachineman_NLcool, a neo-n900 irc channel00:24
Joerg-Neo900>>According to the researchers, all manufacturers and mobile phone models are vulnerable to the SimJacker attack<< Neo900 being resistant to at least 5 of the 7 listed attack scenarios19:00
Joerg-Neo900particularly >>Performing premium-rate scams by dialing premium-rate numbers,<<  and  >>Spying on victims' surroundings by instructing the device to call the attacker's phone number,<< is 100% impossible by design of Neo90019:01
Joerg-Neo900even nore impossible, basically not even feasible if user would want to allow it:  >>Spreading malware by forcing victim's phone browser to open a malicious web page<<19:02
Joerg-Neo900there's no default implementation of SIM instructing browser to open a webpage, in Neo900/maemo19:03
Joerg-Neo900generally Neo900 could intercept _all_ such attacks by simply monitoring SIM activity and interrupting whole modem as soon as SIM becomes unusually active after modem receiving data19:05
Joerg-Neo900so >>According to the researchers, all manufacturers and mobile phone models are vulnerable<< is incorrect: Neo900 is basically immune19:07
Joerg-Neo900even nore remarkable: this is a unique Neo900 property not even 100% shared by N900. The N900, while immune to a few of the attack scenarios, is vulnerable to most of them19:09
Joerg-Neo900Neo900, by a simple and easy hw modification possible to get done by basically every user, could get modified in field to be 100% on top of this and any other SIM-based exploits19:11
Joerg-Neo900(hint: monitor SIM IF)19:12
Joerg-Neo900the modificaten takes ca 30min incl disassembly and re-asembly and needs a torx driver and tweezers as tools19:13
Joerg-Neo900oh, context for those who missed it:
norlyhi neo900 team, just a quick note - the SSL certificate on has expired20:11
croxmaybe it could be replaced by a letsencrypt one? (I guess the expired certificate was issued before LE allowed wildcard certificates)22:13
Joerg-Neo900yes. Know, thanks for noting nevertheless. As soon as one of the sysops feels like tackling it, we will take care22:50
Joerg-Neo900Known, even22:50
Joerg-Neo900at least our server doesn't enforce https ;-)22:50
Joerg-Neo900a year ago I had the money on my private account to get a wildcard cert and not pester sysops to spend their expensive and precious time on LE installation, a 100 EUR per years seemed the more reasonable approach. Alas now I can't afford this anymore and it's unclear how long the servers will stay paid and up and online at all due to that22:55

Generated by 2.17.0 by Marius Gedminas - find it at!