Wireless Overview Protocols and Threat Models Dan Veeneman


1 Wireless Overview Protocols and Threat Models Dan Veeneman

2 Black Hat Briefings July 31, 2002 Wireless Overview Protocols and Threat Models Page 2 Focus of this talk Overview of available commercial technologies Skipping U.S.-centric Terrestrial networks Additional information in second briefing

3 Wireless Overview Protocols and Threat Models
Radio Frequency Basics
Mobile telephony
Cellular Digital Packet Data (CDPD)
Nextel
Private data networks
Two-way paging
Bluetooth
3G

4 Why Wireless
Immediate communication, mobile user
Two-way, interactive
Broadcast
Convenience
Bandwidth limitations
Roaming (no fixed location)

5 Market Requirements
Reliable
Low-cost
Easy to use
Secure
Pervasive
Interoperable

6 Wireless Security Requirements
Trust Model
access control
  – authenticate users to access particular resources
link privacy
  – encryption
link integrity
  – message authentication
prevent denial of service
  – (limit bandwidth hogs)

7 Radio Frequency
Federal Communications Commission
FM Radio: 88 to 108 MHz
Cellular telephones: 800 and 1900 MHz
Two-way pagers: 900 MHz
Industrial, Scientific and Medical (ISM): to GHz

8 Radio Wave
Frequency
Wavelength
Amplitude
Modulation
  – Amplitude
  – Frequency
  – Phase
  – FSK
  – PSK


10 Generic Wireless Architecture
Mobile terminal
Airlink
Radio base station
Intraconnect links
Network control
Interconnect links
External Networks
  – Public Switched Telephone Network
  – Internet

11 Common Airlink Problems
Variable link quality
Multi-path (signal reflections)
Shadowing (terrain/structure blockage)
Interference
  – Other users
  – EMI
Attenuation
  – Distance
  – Antenna orientation/polarization

12 Multipath
Multiple paths to receiver
Each path has slightly different time delay

13 Interference

14 Error Detection/Correction
Parity Codes
  – Parity bits + Data bits = Expected code word
Cyclic Redundancy Check
  – Chunk of data + Polynomial residue
Block Codes
  – Chunk of data + Redundant Data
Convolutional Codes
  – Data stream fed through LFSR
  – Code rate, constraint length
Concatenated Codes

15 Terrestrial Networks
Voice primary
  – Cellular and PCS
  – Nextel
Data primary
  – private packet
  – paging

16 Cellular
Analog
Digital - TDMA
Digital - CDMA
Digital - GSM

17 System Comparison

18 Cellular Frequency Reuse
Seven frequency sets
Geographic distance between sets allows the same frequencies to be reused

19 Cellular-based Mobile Telephone Switching Office (MTSO)
  – Controls multiple base stations
  – Interfaces to PSTN
Mobile is handed off from one base station to another

20 Advanced Mobile Phone System
1G
Analog voice
50 MHz, 832 channels
Mobile transmit: 824 MHz to 849 MHz
Base transmit: 869 to 894 MHz
21 control channels
Designed in 1970s

21 Cellular Telephone startup
Mobile telephone scans for strongest control channel
Listens to overhead messages on forward link
Sends registration message
  – Electronic Serial Number (ESN)
  – Mobile Identification Number (MIN)
Waits for paging message

22 AMPS weaknesses
Interception is easy (but now illegal)
Spoofing (cloned phones)
Call hijacking
Tracking

23 Locating Mobiles
GPS
Time Difference of Arrival
Angle of Arrival
Multipath Fingerprinting

24 TDOA

25 AOA

26 Cellular Digital Packet Data
Packet data sent on idle voice channels
Voice takes priority
AT&T
  – OmniSky service
Verizon
IP-based interfaces
150,000 customers
Many police car installs

27 CDPD Coverage

28 CDPD Elements
M-ES: Mobile End System
  – CDPD modem
MDBS: Mobile Data Base Station
  – RF interface
MD-IS: Mobile Data Intermediate System
  – Mobile Home Function (MHF)
  – Mobile Serving Function (MSF)
IS: Intermediate System
  – Router, IP/CNIP
F-ES: Fixed End Station

29 CDPD Roaming
Packets to M-ES go to MHF MD-IS first
Forwarded to MSF MD-IS
Packets from M-ES can route directly to F-ES

30 CDPD Airlink
GMSK modulation
19.2 kbps raw data rate
FEC
  – Reed-Solomon (63,47) block code
  – 47 info symbols (six-bit symbols, 282 bits), 16 parity symbols, 63 total symbols
  – Correct up to 8 six-bit symbols

31 CDPD MAC
Continuous forward link from MDBS
Mobiles listen to forward link busy/idle
Possible reverse channel collisions
  – Mobile checks forward link for decode success
Header, User Data, Trailer (Frame Check)
Flag, address, control fields in header
Selective ARQ

32 CDPD Link Establishment
M-ES known to serving MD-IS
Terminal Equipment Identifier (TEI), 6 to 27 bits
M-ES sends TEI Request with 48-bit Equipment ID
MD-IS issues TEI Assign with assigned TEI
TEI lifetime of 4 hours, can be exhausted

33 CDPD Registration
End System Hello (ESH) message
  – Network Equipment Identifier (usually 32-bit IP address)
  – Registration Counter (to filter duplicates)
  – Credentials
    Authentication Random Number (ARN, 64 bits)
    Authentication Sequence Number (ASN, 16 bits)
      – Shared history (incremented by 1 after each TEI assignment)
ESH sent from M-ES to MDBS encrypted
ASN and ARN are both 0 at initial configuration
ARN occasionally changed
Network maintains two most-recent Credentials
  – (in case of loss of update synchronization)

34 CDPD Registration
MD-IS sends Redirect Request (RDR) to MHF
Requests MHF send all future packets to it
MHF checks M-ES Credentials
MHF returns Redirect Confirmation to MSF
MSF returns Hello Confirmation (ISC) to M-ES

35 CDPD Attacks
IP-accessible Intermediate Systems (routers)
  – Attacks from outside, other providers
  – BGP4, OSPF, buffer overflow, etc
Only the airlink is encrypted
Use unauthenticated RDR messages to grab traffic
Brute force Credentials via repeated RDR
Jam reverse link transmissions
  – Disrupt M-ES reception
  – Busy-out the reverse link (attempt saturation)
  – Place an analog call via CDPD cellsite
CDPD ZAP command to silence bad modems

36 Cellemetry
Use spare capacity in the cellular control channel
A few bytes
Telemetry
  – Vending machines
  – Maintenance data

37 Digital AMPS
Answer to capacity issues
AT&T Wireless
IS MHz cellular and 1900 MHz PCS
Time Division Multiple Access
Six timeslots
One call gets two timeslots

38 Time Division Multiple Access
Mobiles take turns transmitting
Base transmits continuously

39 Code Division Multiple Access
Competitor to D-AMPS
IS-95
Sprint PCS, Verizon
Pilot + 63 other channels
Walsh Codes
  – Requires that all users in a cell be time-synchronized to maintain orthogonality
Near/Far problem, power control

40 Frequency Hopping
Transmissions hop
Pseudo-random sequence
Transmitter and receiver must synchronize
2.4 GHz ISM
  – at least 75 frequencies
  – duration < 400 ms

41 Direct Sequence
Each data bit replaced with sequence of chips
Bandwidth increases
Power density decreases
Signals appear as noise
LPI/LPD, anti-jam
GPS, IS-95
Chip pattern comes from Pseudo-random Noise (PN) code
Transmitter and receiver must synchronize

42 Correlation Example
DATA: PN: SPREAD: (four chips per bit)
First data bit 1 becomes 4 chips, 1010
Next data bit 0 becomes 4 chips, 1001 (inverted 0110)
Correlation with PN Code synchronized
SPREAD: PN: XOR:
Correlation with PN Code not synchronized (one chip off)
SPREAD: PN: XOR:
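A runnable version of the correlation example, added here and not taken from the talk: the first eight PN chips (1010 0110) are the ones the slide text implies, while the remaining chips, the data bits after the first two and all function names are constructed. It goes one step beyond the slide by searching chip offsets to regain synchronization.

```python
CHIPS_PER_BIT = 4
# PN code for one 4-bit frame. Chips 0-7 follow the slide (1010, 0110);
# chips 8-15 are constructed for this example.
PN = [1, 0, 1, 0,  0, 1, 1, 0,  1, 1, 0, 0,  0, 1, 0, 1]


def rotate(seq, k):
    """Rotate right by k chips: models a local PN generator running k chips late."""
    k %= len(seq)
    return list(seq[-k:] + seq[:-k]) if k else list(seq)


def spread(bits, pn=PN, n=CHIPS_PER_BIT):
    """Data bit 1 sends its PN chips unchanged, data bit 0 sends them inverted."""
    chips = []
    for i, bit in enumerate(bits):
        segment = pn[i * n:(i + 1) * n]
        chips += segment if bit else [c ^ 1 for c in segment]
    return chips


def correlate(chips, pn, n=CHIPS_PER_BIT):
    """XOR each received chip with the local PN chip and score every data bit
    as (agreeing - disagreeing) / n: +1.0 means bit 1, -1.0 means bit 0."""
    scores = []
    for i in range(0, len(chips), n):
        disagree = sum(a ^ b for a, b in zip(chips[i:i + n], pn[i:i + n]))
        scores.append((n - 2 * disagree) / n)
    return scores


def despread(chips, pn, n=CHIPS_PER_BIT):
    """Hard decision per bit; None marks a bit with no usable correlation peak."""
    return [1 if s > 0.5 else 0 if s < -0.5 else None
            for s in correlate(chips, pn, n)]


def acquire(chips, local_pn, n=CHIPS_PER_BIT):
    """Try every chip offset of the local PN and return the one with the
    largest total |correlation|, i.e. the offset that restores sync."""
    def total(k):
        return sum(abs(s) for s in correlate(chips, rotate(local_pn, k), n))
    return max(range(len(local_pn)), key=total)


if __name__ == "__main__":
    data = [1, 0, 1, 1]                      # constructed sample data
    on_air = spread(data)
    print("spread       :", on_air)
    print("synchronized :", correlate(on_air, PN), despread(on_air, PN))
    late = rotate(PN, 1)                     # receiver one chip off
    print("one chip off :", correlate(on_air, late), despread(on_air, late))
    drifted = rotate(PN, 3)                  # receiver three chips off
    k = acquire(on_air, drifted)
    print("acquired at offset", k, "->", despread(on_air, rotate(drifted, k)))
```
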

43 Problems with CDMA
Cell sites breathe
  – Combined noise of all reverse links can exceed cell site limit
Airlink different but network suffers same weaknesses as D-AMPS
Must license from Qualcomm

44 Global System for Mobiles
European design from the 1980s
VoiceStream, Cingular, AT&T transitioning
Short Message Service
200 kHz channels
Eight timeslots
270 kbps aggregate data rate
Separates equipment identity from user identity
Subscriber Information Module

45 International Mobile station Equipment Identity
Type Approval Code (TAC) is issued by a central authority
Final Assembly Code (FAC) identifies the place of manufacture
Serial Number (SNR) assigned by the manufacturer
Spare (SP) is reserved, usually zero.

46 International Mobile Subscriber Identity
Mobile Country Code (MCC) identifies the country in which the customer is subscribed.
  – (United States is 310)
Mobile Network Code (MNC) identifies the GSM network to which the user is subscribed, also known as the home network.
  – (VoiceStream is 26)
Mobile Subscriber Identification Number (MSIN) identifies the user within the network.

47 GSM Speech
20 millisecond sample of speech
Digitized from codec (13 kbps)
Channel coding (22.8 kbps)
Interleaving
Encrypting
Burst formatting (33.8 kbps)
Modulation (270 kbps)

48 GSM has weak crypto
Security by Obscurity
  – Algorithms never officially released
  – All of them leaked or reverse-engineered
A3/A8 in SIM
A5 in hardware
A5 (privacy algorithm) deliberately weakened
  – A8 feeds it weakened keys
  – Weaker algorithm (A5/2) for export

49 Short Message Service
20 billion SMS messages per month from 553 million GSM subscribers
Carried in GSM logical data channel
Increasing applications
  – Youth market (Instant Messenger)
  – eBay outbidding
  – Remote monitoring
TDMA and CDMA have similar
  – Tacked on

50 Some SMS Issues
Early pre-pay phones had free SMS due to lack of billing system integration
SMS Identity spoofing
  – Faked caller-ID data
SMS viruses
Crash certain phones
  – Badly-formatted binary messages

51 Integrated Dispatch Enhanced Network (iDEN)
Grew out of Specialized Mobile Radio (SMR), dispatch/group environment
Equipment from Motorola
Service from Nextel
TDMA, 6 timeslots, 15 ms each
Continuous forward control channel
VSELP voice
Test equipment can monitor

52 Mobitex
Cingular Interactive (US)
Rogers (Canada)
Palm.Net service
Ericsson standard
700,000 customers

53 Mobitex coverage

54 Mobitex
2,500 U.S. base stations
30 mile radius
channels per site
12.5 kHz
8 kbps signaling rate
MHz
2 watts

55 Mobitex monitoring
Specification publicly available
Source code to monitor released on Usenet
  – Receiver with 800 MHz coverage
  – PC with simple interface board
Network interfaces via Internet, frame relay, X.25

56 Advanced Radio Data Information System (ARDIS)
IBM field personnel, Motorola network
Motient (US), Bell Mobility (Canada)
40 million messages/month
1,500 base stations
40 watt transmitter, mile range
X.25 or TCP/IP to ARDIS switch

57 ARDIS Network
Radio Packet Modem (RPM)
Base stations talk to Radio Network Controller (RNC) via leased lines with dialup restoral
Switch is ARDIS Service Engine

58 ARDIS Airlink
DataTac 4000 (US)
MDC 4800 or RD-LAP
maximum message
240 or 512 byte max packet payload
Logical Link Identifier (unique device ID), either 4 or 8 bytes
CRC and FEC

59 ARDIS Protocols
Standard Context Routing (SCR)
  – Basic Inbound (from server to mobile)
  – Basic Acknowledgement (mobile ACK)
  – Basic Outbound (from mobile to server)
Peer-to-peer
  – Message Generator (MG) protocol
  – Poorly validated field values
    Sender (spoof)
    Recipient (spam)
    Message length (crash client application)

60 ARDIS Message Filtering
Radio Packet Modem uses Hayes AT command-style interface
The modem's two-character S50 register contains the current user header.
When a wireless modem receives an outbound message from the ARDIS network, the modem examines the user header in the message header.
If the user header in the message matches the user header in an S50 register, the message can be received.
If it does not match, the message is discarded.
  – ATS50=QA

61 ARDIS Security Recommendations
Customers with sensitive data may want to provide data encryption within their applications. For example, an exclusive OR could be applied to ASCII data with a randomly generated encryption key selected for each terminal during logon.
NOTE: Only user data can be encrypted; ARDIS must be able to read SCR and other user header data to determine the proper disposition of a message.
A wireless device application should allow a command from the host to dump all RAM contents and disable the application. This command could be used if a wireless device were lost or stolen. This feature could be activated automatically when a logon is attempted, or by a host user.

62 MicroCellular Data Network (Ricochet)
Mesh topology
FHSS, every ms
Synchronous heartbeat, 30 sec
Ricochet modems: 900 MHz
Poletop radios: 2.3, 2.4 GHz
  – Density per square mile
Wireless Access Point (WAP)
  – Covers square miles

63 Ricochet Network
Name Server: The Ricochet Name Server maintains access control and routing information for every radio and service within the Ricochet network. Every time a Ricochet device (subscriber device, microcell radio, or gateway) is powered on, it registers with the Name Server to verify that it has network authorization. Whenever a Ricochet device requests a connection, the Name Server validates the request. If authorized, the originator is provided with a network routing path to the requested destination.
MCDN Path
  – List of addresses (IP, phone number, microcell number) of waypoints
  – part of header, used to route the packet
Packet delivery services
  – Lightweight: in-order, windowed, no end-to-end retries
  – Heavyweight: in-order, windowed, end-to-end retries

64 Metricom and Ricochet
Metricom
51,000 customers in 21 cities
Bankruptcy
Ricochet Networks (part of Aerie Networks)
Gen II: 176 kbps, up to 400 kbps bursts

65 FLEX (One-way paging)
Four level FSK
1600, 3200, 6400 bps
Four-minute FLEX protocol cycle
Short capcodes: 7 digits
Long capcodes: 9 digits
FLEXsuite: 128-bit RC4, symmetric keys

66 ReFLEX (Two-way paging)
Narrowband PCS
Nationwide frequencies
Forward: MHz
Reverse: , MHz

67 ReFLEX inbound messaging
Send request on shared ALOHA channel
Receive timeslot assignment
Send data in assigned timeslot on data channel

68 ReFLEX forward link
ReFLEX frame is s
128 frames = cycle (4 minutes)
21 data, 11 error correction
(21,32) BCH
collapse, sleep for 2^n frames

69 Bluetooth
Peer-to-peer, proximity-based personal area network
Low power, short range
Multiple devices in a piconet
  – one device is master
Up to 10 piconets may link to form scatter nets
Each device has a unique 48-bit address
Initialization process uses a PIN

70 Bluetooth Airlink
2.45 GHz
1,600 hops per second
Master and up to 7 active Slaves
Hop sequence based on master's address
GMSK, BPSK
FEC
Master: up to 721 kbps, even timeslots
Slave: 57.6 kbps, odd timeslots
79 frequencies
3.2 kHz clock, 28 bits

71 Bluetooth device modes
Four modes:
  – active (continuous)
  – sniff (check at intervals)
  – hold (check again later)
  – park (listen for beacon only)

72 Bluetooth Protocol Stack
Application Group
Middleware Protocol Group
Transport Protocol Group

73 Transport Protocol Group
Radio
Baseband
L2CAP (Logical Link Control and Adaptation Protocol)
  – Protocol multiplexing
  – Fragmentation/reassembly
Audio Control Link Manager

74 Bluetooth Identifiers
Device Address, 48 bits
Private Authentication Key, 128 bits
Private Encryption Key, 8 to 128 bits
RAND, 128 bits

75 Bluetooth Security Modes
Security Mode 1
  – non-secure
Security Mode 2
  – service-level
  – after channel establishment
Security Mode 3
  – link-level
  – prior to channel establishment

76 Bluetooth Security Levels
Device
  – Trusted
  – Untrusted
Service
  – Authorization and Authentication
  – Authentication Only
  – Open to all devices

77 Bluetooth Unit Key
Unit Key
  – E21(Device Address, Random Number)
  – Usually fixed for the lifetime of the device

78 Bluetooth Initial Key Generation
Verifier sends Claimant IN_RAND
Verifier computes K_init from E22(IN_RAND, PIN)
K_init is temporary link key
PIN can be
  – Fixed in simple device
  – Keyed in by user (typically 4 digits)
  – Generated by user device

79 Bluetooth Authentication
1. Device A generates AU_RAND and sends it to Device B
2. Device B sends Device Address B to Device A
3. Device A and Device B both compute SRES and ACO from SAFER+ based MAC function E1(K_init, AU_RAND, Device Address)
4. Device B sends SRES_B to Device A
5. If SRES_A equals SRES_B, then devices are authenticated

80 Bluetooth Link Key
Two types of link keys
Unit key of one of the devices
  – Unit A computes K = K_A XOR K_init and sends K to Unit B
  – Unit B computes K_A = K XOR K_init
  – K_A is used as link key
Key derived from both unit keys
  – Unit A generates LK_RAND_A, sends it to Unit B and computes LK_K_A = E21(LK_RAND_A, Device Address A)
  – Unit B generates LK_RAND_B, sends it to Unit A and computes LK_K_B = E21(LK_RAND_B, Device Address B)
  – Both units compute each other's key and the link key K_AB = LK_K_A XOR LK_K_B

81 Bluetooth Encryption Key
K_C = E3(EN_RAND_A, K_link, COF)
Ciphering Offset Figure (COF)
  – Authenticated Ciphering Offset (ACO) or
  – For broadcast, Device Address concatenated with itself

82 Bluetooth Encryption
K_cipher = E0(Device Address A, clock_A, K_C)
Data is exclusive-ORed with K_cipher before transmission and after reception

83 Bluetooth Security Issues
Privacy
  – Devices can be closely tracked
Only devices are authenticated, not users
Key variables exchanged in the clear
Link key a shared secret among too many
  – A, B use A's unit key as the link key
  – B can later use A's unit key and a faked address to eavesdrop on traffic
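The two link-key types from the Bluetooth Link Key slide and the unit-key issue listed above, as an added example that is not code from the talk. HMAC-SHA-256 stands in for the SAFER+-based E21 and E22 functions (an assumption, not the real algorithms), and the `Unit` class, device addresses and PINs are constructed for illustration.

```python
import hashlib
import hmac
import os


def e21(rand: bytes, bd_addr: bytes) -> bytes:
    """Stand-in for E21 (assumption: HMAC-SHA-256, not the real function)."""
    return hmac.new(rand, b"E21" + bd_addr, hashlib.sha256).digest()[:16]


def e22(in_rand: bytes, pin: bytes) -> bytes:
    """Stand-in for E22, which derives K_init from IN_RAND and the PIN."""
    return hmac.new(in_rand, b"E22" + pin, hashlib.sha256).digest()[:16]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Unit:
    """Hypothetical model of one device and the link keys it has stored."""

    def __init__(self, name: str, bd_addr: bytes):
        self.name, self.bd_addr = name, bd_addr
        # Unit key = E21(Device Address, Random Number), fixed for device life.
        self.unit_key = e21(os.urandom(16), bd_addr)
        self.link_keys = {}  # peer name -> 128-bit link key


def pair_with_unit_key(a: Unit, b: Unit, pin: bytes) -> None:
    """Link key type 1: A's unit key is handed to B, masked with K_init."""
    k_init = e22(os.urandom(16), pin)          # both sides derive K_init
    k_sent = xor(a.unit_key, k_init)           # A -> B: K = K_A XOR K_init
    a.link_keys[b.name] = a.unit_key
    b.link_keys[a.name] = xor(k_sent, k_init)  # B: K_A = K XOR K_init


def pair_with_combination_key(a: Unit, b: Unit) -> None:
    """Link key type 2: K_AB = LK_K_A XOR LK_K_B, fresh for every pairing."""
    lk_rand_a, lk_rand_b = os.urandom(16), os.urandom(16)  # exchanged A <-> B
    k_ab = xor(e21(lk_rand_a, a.bd_addr), e21(lk_rand_b, b.bd_addr))
    a.link_keys[b.name] = k_ab
    b.link_keys[a.name] = k_ab


def peers_sharing_a_key(unit: Unit) -> list:
    """Audit check: peers whose pairings with `unit` rest on the same key."""
    by_key = {}
    for peer, key in unit.link_keys.items():
        by_key.setdefault(key, []).append(peer)
    return [sorted(peers) for peers in by_key.values() if len(peers) > 1]


def demo():
    # Constructed addresses (locally administered range) and PINs.
    a = Unit("A", bytes.fromhex("020000000001"))
    b = Unit("B", bytes.fromhex("020000000002"))
    c = Unit("C", bytes.fromhex("020000000003"))
    pair_with_unit_key(a, b, b"1234")
    pair_with_unit_key(a, c, b"9876")
    shared_unit = peers_sharing_a_key(a)             # B and C hold the same key
    b_holds_ac_key = b.link_keys["A"] == c.link_keys["A"]

    a2 = Unit("A2", bytes.fromhex("020000000004"))
    pair_with_combination_key(a2, b)
    pair_with_combination_key(a2, c)
    return shared_unit, b_holds_ac_key, peers_sharing_a_key(a2)


if __name__ == "__main__":
    print(demo())
```

With unit keys, every peer A has ever paired with ends up holding the same 128-bit secret; with combination keys the audit finds no shared key.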

84 3GPP
3rd Generation Partnership Project
Crypto developed in the open
Air interface will use KASUMI encryption
Evolve GSM
  – Multimedia Messaging Service (MMS)
  – General Packet Radio Service (GPRS)
    GSM overlay (Phase 1: 4x14 kbps, Phase 2: 8x14 kbps)
    Cingular, AT&T: TDMA to GSM to GPRS
  – Enhanced Data rates for GSM Evolution (EDGE)
  – Universal Mobile Telephone Service (UMTS)
  – High Speed Circuit Switched Data (HSCSD)

85 Questions?

