authorhellekin <>2016-08-12 08:46:21 +0000
committerhellekin <>2016-08-12 08:46:21 +0000
commitd504ea80bdc08101a6dc7b175b57847d016edbae (patch)
parentfd4fe2dd7fe1dd98ecf344bbbf36e55fb44cfba1 (diff)
Use 0022, HTML, and news, because /labs and .md are not supported yet :(
3 files changed, 160 insertions, 4 deletions
diff --git a/content/0022-about-the-asn.1-vulnerability.html b/content/0022-about-the-asn.1-vulnerability.html
new file mode 100644
index 0000000..802d4d5
--- /dev/null
+++ b/content/0022-about-the-asn.1-vulnerability.html
@@ -0,0 +1,154 @@
+<!DOCTYPE html>
+ <head>
+ <meta charset="UTF-8" name="charset"><!-- pelican??? -->
+ <title> About the ASN.1 Vulnerability</title>
+ <meta name="date" content="2016-08-07 13:00:00">
+ <meta name="last modified" content="2016-08-07 13:00:00">
+ <meta name="keywords" content="neo900, ASN.1, security, modem separation, GTA0x">
+ <meta name="authors" content="hellekin">
+ <meta name="description" content="Neo900 is not vulnerable to ASN.1 vulnerability. Here's why.">
+ </head>
+ <body>
+ <p class="lead">
+ A recent vulnerability disclosure threatens billions of
+ smartphones. What's the fuss about it? How does Neo900 fare
+ against this threat? Hint: pretty well.
+ </p>
+ <h1 id="asn1-vulnerability">ASN.1 Vulnerability</h1>
+ <p>Following the decision of <abbr title="National Institute for
+ Standards and Technology">NIST</abbr> to deprecate usage of SMS
+ in two-factor authentication, this vulnerability disclosure
+ confirms the pertinence of the unique design of Neo900 that,
+ among other features, isolates the baseband chip (modem), making
+ it dependent on the <abbr title="Central Processing
+ Unit">CPU</abbr> (and the <abbr title="Operating
+ System">OS</abbr>) to access anything else on the system, and
+ preventing remote activation of the chip in the first place.</p>
+ <p>Lucas Molas of <em>Programa STIC</em> discovered a <q>Heap
+ memory corruption in <abbr title="Abstract Syntax Notation
+ One">ASN.1</abbr> parsing code generated by Objective Systems
+ Inc. ASN1C compiler for C/C++</q> potentially affecting
+ billions of phone users worldwide.
+ <q cite="">
+ <abbr>ASN.1</abbr> is used in many protocols and data formats,
+ including cellular telephony.</q>
+ The proprietary software vendor received a bug report
+ via <em>plain text email</em> on June, 1<sup>st</sup>, 2016,
+ according to
+ the <a href="">CVE-2016-5080</a>
+ released on July, 18<sup>th</sup>, 2016 to the public in a
+ coordinated release with the vendor.</p>
+ <blockquote>Abstract Syntax Notation One (<abbr>ASN.1</abbr>) is
+ a technical standard and formal notation that describes rules
+ and structures for representing, encoding, transmitting, and
+ decoding data in telecommunications and computer
+ networking.</blockquote>
+ <blockquote>A vulnerability found in the runtime support
+ libraries of the ASN1C compiler for C/C++ from Objective
+ Systems Inc. could allow an attacker to remotely execute code
+ in software systems, including embeded software and firmware,
+ that use code generated by the ASN1C compiler. The
+ vulnerability could be triggered remotely without any
+ authentication in scenarios where the vulnerable code receives
+ and processes <abbr>ASN.1</abbr> encoded data from untrusted
+ sources, these may include communications between mobile
+ devices and telecommunication network infrastructure nodes,
+ communications between nodes in a carrier's network or across
+ carrier boundaries, or communication between mutually untrusted
+ endpoints in a data network.</blockquote>
+ <p>The proprietary software vendor released a hot patch (v7.0.1)
+ available upon request to their customers, and will integrate the
+ fix in the upcoming v7.0.2 of their compiler.</p>
+ <p>On July, 1<sup>st</sup>, Programa STIC mentioned
+ that <q>memory corruption bugs in <abbr>ASN.1</abbr> related
+ components of an <abbr title="Long Term Evolution">LTE</abbr>
+ stack have been announced or hinted at in several infosec
+ conference presentations over the past few weeks and its (sic)
+ likely the same or similar bugs will become public
+ soon.</q></p>
+ <h2>How is Neo900 Affected?</h2>
+ <p>The short answer is: this vulnerability that potentially
+ plagues most commercial phones on the planet, won't affect
+ Neo900 like it will other devices.</p>
+ <p>In
+ our <a href="">last
+ communication</a> we noted that <strong>Neo900 is the only
+ phone that provides a hardware protection from rogue behavior
+ of the modem</strong>.</p>
+ <p id="anchor-gta0x">In fact, the
+ <a href="#note-gta0x"><strong>GTA0x</strong> design</a> contains
+ two unique features to detect and/or prevent suspect activity:
+ <ul>
+ <li>the modem is detached from the power source, unlike other
+ smartphones, so that the modem has to be authorized by
+ the <abbr>CPU</abbr> before it can perform its tasks.</li>
+ <li>the modem and the <abbr>CPU</abbr> <strong>do not share
+ <abbr title="Random Access Memory">RAM</abbr></strong>, which
+ prevents a whole range of attack vectors where a rogue
+ modem, either by design, by "lawful", or by illegal action,
+ could take control of memory segments pertaining to other
+ subsystems and inject malicious code.</li>
+ </ul>
+ Neo900 takes advantage of this and incorporates circuitry to
+ give the <abbr>CPU</abbr> the capacity to monitor:
+ <ul>
+ <li>the modem access to power and its consumption</li>
+ <li>the activity of the modem antenna</li>
+ <li>the activation of the
+ <abbr title="Global Positioning System">GPS</abbr>
+ part of the modem</li>
+ <li>other interfaces (e.g., digital
+ <abbr title="Pulse-Code Modulation">PCM</abbr> audio</li>
+ </ul>
+ </p>
+ <p>Therefore, although the modem in Neo900 may or may not be
+ affected&mdash;we cannot know since <strong>all baseband chips
+ are proprietary black box designs</strong>&mdash;Neo900 is
+ designed to not trust the modem. In other designs where RAM is
+ shared and a rogue modem can access the power supply at will,
+ the attack surface is infinitely larger, and exploiting a
+ vulnerability such as the <abbr>ASN.1</abbr> bug will grant
+ access to the whole system.</p>
+ <p>But with Neo900, the attack surface is much reduced, and a
+ compromised modem would only be able to subvert
+ the <abbr>CPU</abbr> in the presence of subsequent major
+ vulnerabilities. As long as there's no proprietary vulnerable
+ binary blobs in the Neo900 <abbr title="Application Processor
+ Environment">APE</abbr>, we consider the chance of a modem bug
+ bubbling up to the rest of the system without a way to control
+ it and fix it in software negligible.</p>
+ <p>Our exclusive Neo900 design is more valuable than ever!</p>
+ <p>Thank you for your attention,</p>
+ <p>&ndash; hellekin for the Neo900 team</p>
+ <p>P.S.: Feedback is welcome! Did you enjoy reading this post?
+ What else should it have covered? What do you want to read in the
+ news? You can tell me: hellekin at neo900 dot org.</p>
+ <p id="note-gta0x" class="footnote">Footnote: from Openmoko Neo
+ 1973 and FreeRunner, to Golden Delicious GTA04 and maybe the
+ upcoming Pyra, and of course Neo900, GTA0x design supports modem
+ separation, although not power separation in Neo 1973
+ (GTA01). <a href="#anchor-gta0x" title="back to text">^^</a></p>
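Review bot: the two external references in this article have empty targets: `<a href="">CVE-2016-5080</a>` and `our <a href="">last communication</a>` both resolve to the page itself, and the `<q cite="">` on the ASN.1 quote is empty as well; fill in the advisory URL and the earlier news post URL before publishing, since the CVE link is the one readers will use to verify the claim. Two markup problems should also be fixed: both `<ul>` lists sit inside `<p id="anchor-gta0x">`, which is invalid (a `<p>` cannot contain block content, so browsers close it at the first `<ul>` and the trailing `</p>` is left dangling, which also breaks the `#anchor-gta0x` target area); split the paragraph text and the lists into sibling elements. The last list item `(e.g., digital PCM audio` is missing its closing parenthesis. Minor: the file has `<head>` and `<body>` but no enclosing `<html>` element, and `<meta name="last modified">` uses a key with a space, whereas Pelican's metadata key for this field is `modified`, so that date will most likely be dropped rather than shown as the modification date.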
diff --git a/ b/
index e861855..10bae45 100644
--- a/
+++ b/
@@ -4,7 +4,7 @@ from __future__ import unicode_literals
AUTHOR = u'neo900'
SITENAME = u'Neo900'
TIMEZONE = 'Europe/Warsaw'
@@ -14,7 +14,7 @@ DEFAULT_LANG = u'en'
FEED_RSS = 'rss.xml'
-IGNORE_FILES = ['.*.kate-swp']
+IGNORE_FILES = ['.*.kate-swp','*~','.*~']
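Review bot: the added pattern `'.*~'` is redundant with `'*~'`, because Pelican matches IGNORE_FILES against file names with fnmatch-style globbing, where `*` also matches a leading dot; it is harmless, but one pattern is enough. Style: add a space after the commas in the list to match the rest of the settings file.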
@@ -38,5 +38,7 @@ ARTICLE_SAVE_AS = "news/{slug}.html"
PAGE_URL = "{slug}"
PAGE_SAVE_AS = "{slug}.html"
-PLUGIN_PATH = 'plugins'
+PLUGIN_PATHS = ['plugins']
PLUGINS = ['neighbors']
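Review bot: the rename from `PLUGIN_PATH = 'plugins'` to `PLUGIN_PATHS = ['plugins']` is the correct setting name (a list) for current Pelican, but it is not mentioned in the commit message, which only describes the new article; note the configuration change (and the Pelican version it requires) in the message so the rename is not later mistaken for a typo and reverted.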
diff --git a/ b/
index edaf034..0d4c9d4 100644
--- a/
+++ b/
@@ -10,7 +10,7 @@ import sys
from pelicanconf import *