Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
1
Random tales from a mobile
phone hacker
Collin Mulliner
Security in Telecommunications
Technical University Berlin, Germany
CanSecWest 2010
Vancouver, Canada
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
2
About Myself
●
Mobile device security researcher
●
PhD student in Berlin, Germany
●
I hack it if: it looks or acts like a mobile
phone, if it has a SIM card,...
●
Past:
●
SMS-p0wnd the iPhone, Android, WinMo
●
Symbian exploitation
●
Wireless foo: Bluetooth & NFC
●
MMS-p0wnd WinMo
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
3
The Story behind this Talk
●
I play with and hack on various mobile
phone related stuff during my day
●
Not only phones
●
SIM cards from different operators
●
I often find small things, where I go: Doh!
●
Most things are to simple for a dedicated talk
●
This talk is a summary of the stuff I find
all time...
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
4
Agenda
●
Data Leaks by Mobile Phone Web Access
●
SIM cards
●
Consumer Electronic devices with SIM cards
–
101 Kindle 2 tethering (aka free wireless4life)
–
A digital picture frame with a phone number
●
Pre-paid SIMs mobile internet with a twist →
of free
●
TEL & SMS: URIs from Hell
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
5
Data Leaks by Mobile Phone
Web Access
●
This is about privacy
●
Keeping your data to yourself
●
This is mostly about mobile phones not
smart phones
●
Later you see why
●
The project goes back more then 1 year
●
Collecting data needs time
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
6
Mobile Web Access is Popular
●
Today almost all mobile phones have a
web browser
●
A browser for the web (WAP is dead!)
●
Laptop “dial-up”
●
Tethering
●
Mobile data is getting cheaper around the
world
●
Everybody is using it, trust me!
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
7
Some Abbreviations
●
MSISDN
●
Mobile Subscriber Integrated Services Digital
Network Number
–
a mobile phone number
●
IMSI
●
International Mobile Subscriber Identity
–
unique SIM card ID
●
IMEI
●
International Mobile Equipment Identity
–
unique phone ID
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
8
I'm a little curious
●
I've read that some mobile phones leak
private data through HTTP headers
●
Me: WTF?!?!
●
Searching for answers got me confused
●
People couldn't make up their minds if this is
happening or not
●
I decided to investigate for myself
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
9
Collecting Data
●
I didn't believe anybody about what
headers contain what data
●
This is basically the main point of my
investigation
●
I just started to log all HTTP headers!
●
My site is mostly PHP so adding some logging
is trivial
●
Images references by other sites are taken
care of through Apache's rewrite module
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
10
Getting Traffic
●
I'm a mobile devices geek and I have a
website that shows it
●
I wrote some J2ME games a few years ago
and a big site is embedding images from
my server, thanks btw!
●
The website of our “hacker” group
(trifinite.org) is a popular website too...
●
So yes, I get good traffic!
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
11
Needle in the Haystack
●
Now we got tones and tones of data
●
How to find interesting stuff
●
Most likely: interesting == rare
●
Sort HEADERS by occurrence...
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
12
Some Results
●
Some highlights from my logs...
●
BIG FAT Disclaimer
●
These are just “random” examples
–
Examples that contain interesting data
●
I don't want to discredit any operators!
●
These are just facts!
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
13
Rogers, Canada
HTTP_USER_AGENT: MOT-V3re/0E.43.04R MIB/2.2.1 Profile
/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.5.1.0.0
HTTP_X_UP_UPLINK: rogerspush.gprs.rogers.com
HTTP_X_UP_SUBNO: 1239769412-53731234_
rogerspush.gprs.rogers.com
HTTP_X_UP_LSID: 120472093XX <-- MSISDN
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
14
H3G S.p.a., Italy
HTTP_USER_AGENT: Mozilla/5.0 (X11; U; Linux i686; en-
US; rv:1.8.0.7) Gecko/20060909
Firefox/1.5.0.7 Novarra-Vision/6.9
HTTP_X_DEVICE_USER_AGENT: LG/U450/v1.0 Profile/MIDP-2.0
Configuration/CLDC-1.1 Novarra
/5.2.25.1.12lgu450(J2ME-OPT)
HTTP_X_MOBILE_GATEWAY: Novarra-Vision/6.9 (3IT;
Server-Only)
HTTP_X_SDC_NOVARRA_TRIAL_FLAG: 0
HTTP_X_SDC_NOVARRA_END_DATE: 31/12/2100 23:59
HTTP_X_H3G_MSISDN: 3939249093XX
HTTP_X_H3G_PARTY_ID: 1017030640 <--- ???
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
15
Vodafone/BILDmobil, Germany
●
Vodafone-based prepaid service
●
Leaks mobile phone number
HTTP_USER_AGENT: Nokia6212 classic/2.0 (05.16)
Profile/MIDP-2.1 Configuration/CLDC-1.1
HTTP_X_UP_SUBNO: 1233936710-346677XXX <- customer id?
HTTP_X_UP_CALLING_LINE_ID: 49152285242XX <- my number!
HTTP_X_UP_SUBSCRIBER_COS: System,UMTS,SX-LIVPRT,
A02-MADRID-1BILD-VF-DE,
Vodafone,Prepaid,Rot
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
16
Orange, UK
HTTP_USER_AGENT: Mozilla/5.0 (SymbianOS/9.3; U; …
HTTP_X_NOKIA_MUSICSHOP_BEARER: GPRS/3G
HTTP_X_NOKIA_REMOTESOCKET: 10.45.28.146:12990
HTTP_X_NOKIA_LOCALSOCKET: 193.35.132.102:8080
HTTP_X_NOKIA_GATEWAY_ID: NBG/1.0.91/91
HTTP_X_NOKIA_BEARER: 3G
HTTP_X_NOKIA_MSISDN: 4479801754XX
HTTP_X_NOKIA_SGSNIPADDRESS: 194.33.27.146
HTTP_X_NETWORK_INFO: 3G, 10.45.28.146,
4479801754XX,
194.33.27.146, unsecured
HTTP_X_ORANGE_RAT: 1
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
17
Pelephone, Israel
●
Leaks MSISDN, IMEI, and IMSI
HTTP_USER_AGENT: SonyEricssonW760i/R3DA
Browser/NetFront/3.4 Profile/MIDP-2.1
HTTP_MSISDN: 9725077690XX
HTTP_IGCLI: 9725077690XX
HTTP_IMEI: 35706702308316XX
HTTP_IMSI: 4250300200079XX
HTTP_NETWORK_ID: pcl@3g
REMOTE_ADDR: 193.41.209.2
HTTP_SGSNIP: 91.135.96.33
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
18
Zain, Nigeria
●
Zain is a South African operator
●
This is a customer from/in Nigeria (using my
Maemo repository)
HTTP_USER_AGENT: Debian APT-HTTP/1.3
HTTP_VIA: Jataayu CWS Gateway Version
4.2.0.CL_P1 at wapgw2.celtel.co.za
HTTP_X_ROAMING: Yes
HTTP_X_UP_CALLING_LINE_ID: 23480845524XX <-- MSISDN
HTTP_X_APN_ID: wap.ng.zain.com
HTTP_X_IMSI: 6212032203124XX
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
19
Bharat Sanchar Nigam Ltd,
India
HTTP_COOKIE:
User-Identity-Forward-msisdn = 9194554314XX
Network-access-type = GPRS
Charging-id = 123792550
Imsi = 4045541600364XX
Accounting-session-id = DAF841A20760ECA6
Charging-characteristics = Prepaid
Roaming-information = no_info
... boring stuff striped ...
HTTP_MSISDN: 10.184.0.48 9194554314XX
HTTP_USER_AGENT: Nokia1680c-2/2.0 (05.61) Profile/MIDP-2.1
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
20
Hex Encoded MSISDN
HTTP_USER_AGENT: SAMSUNG-SGH-F250/1.0 Profile/MIDP-2.0...
HTTP_COOKIE:
User-Identity-Forward-msisdn = 323637373435373134XXXX
Network-access-type = GPRS
Called-station-id = wap.mascom
Actual MSISDN: 267745714XX (Botswana)
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0;
Symbian OS; Nokia 6630/2.39.152; 9399)
Opera 8.65 [en]...
HTTP_COOKIE:
User-Identity-Forward-msisdn = 36333932373337333437XXXX
Actual MSISDN: 6392737347XX (Philippines)
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
21
Where does the Data come
from?
●
The phone doesn't have all the data that I
find in my logs
●
i.e. the SUBNO (subscriber number?)
●
Data must be added by the network
●
Best guess is the HTTP proxy/gateway at
the operator
●
Theory is supported by the fact that I don't
have any log entries from smart phones that
don't have a pre-configured proxy (such as
iPhone and Android devices)
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
22
Data is added by Web Proxy
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
23
Mobile Phone Web Proxies
●
This topic seems to be quite complicated
●
It seems like some operators have
different proxies for different kinds of
customers
●
e.g. my personal BILDmobil experience
●
Proxies are also operated by 3
rd
parties
●
Companies that build these “mini-browsers”
●
Mobile web optimizers
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
24
Here is my Web Interface
●
Lets take a look (DEMO time)!
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
25
Collected Data
●
Common:
●
MSISDN
●
IMSI, IMEI
●
APN (access point name)
●
Customer/Account ID
●
Rare:
●
Roaming status
●
Account type: post-paid or pre-paid
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
26
We have the Data, now what?
●
Unique IDs can be used for tracking
●
MSISDN, IMSI, IMEI, customer ID, …
–
Fact: getting a new phone doesn't change your
phone number user tracking++→
●
Phone number (MSISDN)
●
Reverse lookup, get the name of your visitors
●
SMS spam?
●
Hopefully no one uses “secret” APNs for
VPN-like network access anymore
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
27
Why the MSISDN...
●
is not easy to find after all and why this
privacy breach hasn't gotten any real
attention yet
●
Too many different headers
●
Some headers seem operator and equipment
manufacturer specific
HTTP_MSISDN, HTTP_X_MSISDN, HTTP_X_UP_CALLING_LINE_ID,
HTTP_X_NOKIA_MSISDN, HTTP_X_HTS_CLID, HTTP_X_MSP_CLID,
HTTP_X_NX_CLID, HTTP__RAPMIN, HTTP_X_WAP_MSISDN,
HTTP_COOKIE, HTTP_X_UP_LSID, HTTP_X_H3G_MSISDN,
HTTP_X_JINNY_CID, HTTP_X_NETWORK_INFO, ...
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
28
# by Countries...
Brazil: 8, Turkey: 4, Italy: 126, Peru: 3, Kuwait: 2,
Panama: 1, Nepal: 5, Mongolia: 1, Uzbekistan: 4,
Ivory Coast: 2, Benin: 1, Nigeria: 7, Venezuela: 7, Malawi: 3,
Ecuador: 3, Bangladesh: 9, Brunei: 9, Saudi Arabia: 8,
Australia: 2, Iran: 56, Algeria: 4, Singapore: 7, Zambia: 1,
Jordan: 7, USA/Canada: 29, Togo: 1, China: 9,
Bosnia and Herzegovina: 5, Armenia: 1, Thailand: 2, Germany: 3,
Tanzania: 1, Ukraine: 3, Kyrgyzstan: 4, Libya: 21, Philippines:
41, Finland: 10, Israel: 2, Mauritius: 8, Sri Lanka: 33,
Vietnam: 14, Ireland: 3, Brazil - Belo Horizonte: 4, Guyana: 4,
Croatia: 1, New Zealand: 7, Guadeloupe: 2, Pakistan: 18,
Romania: 23, Malaysia: 16, Myanmar: 1, Uruguay: 11, Tunisia: 4,
Fiji: 3, South Africa: 166, India: 330, United Kingdom: 33,
Egypt: 5, Montenegro: 2, Swaziland: 1, Uganda: 1, Paraguay: 5,
Kenya: 1, Tuvalu - Mobile: 2, Cyprus: 1, Botswana: 5
●
Like I said, mobile web access is global now
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
29
Check your MNO
●
I put up a small page where you can
check your mobile network operator
●
http://www.mulliner.org/pc.cgi
–
I will not log any visits to this page!
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
30
Data Leaks: Conclusions
●
This data leakage is totally not necessary
●
Operators
●
Need to fix their proxies
●
Make their contractors fix their proxies
●
If my privacy checker turns red on you
please visit my main site to leave me
trace
●
http://www.mulliner.org/
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
31
SIM Cards
●
Consumer Electronics (CE) devices with
SIM cards
●
101 Kindle 2 tethering (aka freewireless4life)
●
A digital picture frame with a phone number
●
Pre-paid SIMs mobile internet with a →
twist of free
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
32
The Kindle 2 Wireless Service
●
Amazon advertises world wide (global)
free wireless with the Kindle 2
●
The Kindle 2 also a web browser
●
In the U.S. you can just go an browse
the web
●
Everywhere else you can just look at
Wikipedia
●
This kinda sucks, so lets see if we
can hack it...
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
33
Kindle 2 with it's SIM Card
●
AT&T SIM card
●
Works in any phone
●
But no voice calls or SMS
●
GPRS/3G APN:
●
kindleatt1.amazon.com
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
34
Kindle 2 Web Access
●
Communication via HTTP proxy
●
fints-g7g.amazon.com
●
Namesserver only resolves the proxy's IP
●
...and some “audible.com” names
●
Proxy rejects traffic not coming from the
Kindle browser
●
Why is that so... some kind of authentication
token or what?
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
35
Kindle 2 Proxy Authentication
GET http://www.mulliner.org/impressum.php HTTP/1.1
Accept: image/png, image/gif, image/x-xbitmap, image/jpeg, */*
Host: mulliner.org
User-Agent: Mozilla/4.0 (compatible; Linux 2.6.22) NetFront/3.4
Kindle/2.3 (screen 600x800; rotate)
Proxy-Connection: Keep-Alive
Accept-Encoding: deflate, gzip
Referer: http://mulliner.org
x-fsn: “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”
x-appNamespace: WEB_BROWSER
x-appId: Kindle_2.2
●
Let's run tcpdump [1] on the Kindle
●
Enable USB networking before [2]
●
Browse some site using the Kindle's browser
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
36
Tethering Setup
●
Add x-fsn header to your “web browser”
●
Privoxy [3] {+add-header{x-fsn: xxx}}/
–
I like “Modify Headers” better but it doesn't give
you HTTPS
●
Configure your browser to use Privoxy
●
Forward local port 8080 to Kindle proxy
●
SSH -L 8080:72.21.210.242:80 root@192.168.2.2
●
Configure Privoxy to use HTTP proxy
●
forward / 127.0.0.1:8008
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
37
Kindle Tethering: Conclusions
●
Web access is controlled at the proxy
●
Need to configure a US postal address in
order to get full web access
●
No bypass for non-U.S. users
●
Tethering works well and seems fast
●
Fun little hacking project from last x-mas
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
38
A Digital Picture Frame with a
Phone Number
●
The HUAWEI DP230 can receive
Multimedia Messages (MMS)
●
Picture Frame has a modem and a SIM card
●
and of course a phone number
●
Exactly the features to get me interested
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
39
Looking Inside...
●
Disassemble it
●
Find serial port (the 3.3V pin and his pals)
●
Get a root shell
●
admin:admin ;-)
●
See how it works
●
Download binaries
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
40
How does it work
●
Picture Frame has a GPRS connection
●
Can receive SMS messages
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
41
SMS Commands
●
From looking at the binaries...
●
Simple text message (SMS)
●
Need to originate from specific number
●
Operator specific
●
Part of configuration stored on the device
<req><del num="1"/><ID nr="583"/></req> <-- delete picture
<setting><slideshow intv="15"/></setting> <-- change interval
<req><add/></req> <-- download picture(s)
<setting><color rgb="663"/></setting> <-- set background color
<req><GPRS apn="apn.mno.com"/></req> <-- change GPRS settings
<req><sync/></req> <-- re-sync pictures
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
42
Pranks
●
SMS sender spoofing is easy
●
Plenty of online services to do this, cheap too
●
Pranks
●
Change background color
●
Change time interval
●
… lame, no harm done...
●
Works since only MMS messages are checked
●
SMS messages are directly delivered to the picture
frame
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
43
Attack (aka bricking it)
●
Disable Internet connectivity
●
Set GPRS APN to non-working value
–
<req><GPRS apn="brick"/></req>
●
Delete all pictures
●
Send sync command: <req><sync/></req>
–
Re-Download fails since GPRS is not working
●
No way to recover since reset method
depends on Internet connectivity
●
Spoof settings-SMS yourself ;-)
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
44
Picture Frame: Conclusions
●
Simple and cheap design
●
Ease target for trouble makers
●
I would be pissed if some dude bricks my
~80 Euro hardware by sending it two SMS
messages (for less than 5cent each)
●
If operator fucks-up the phone number
assignment and numbers are guessable...
●
Brick all devices in the field
●
So guess what?... No I wont tell ya!
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
45
Pre-paid SIM Cards
●
Pre-paid SIM cards are insanely popular
●
In all countries around the world
●
Of course voice and text messaging
●
But Internet too
●
You even get HSDPA (3.6Mbit/s)
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
46
Let's start with an Observation
Dear customer your account is almost empty, please
reload it.
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
47
What, Why, How?
●
If the pre-paid account is empty a PDP
context should not be established
●
This is how most operators do it
●
If you get a connection and IP address, try
to resolve arbitrary host names
●
If this works and you are sure that your pre-
paid account is really empty you have it
●
Maybe you even get redirected to a “please
fill up” page
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
48
Wifi style free Internet
●
DNS tunnel
●
Warning you need an endpoint, so they know
who you are even if you bought the 3G
modem and pre-paid SIM without giving your
name
●
Works on your smart phone too
●
I have an Android package [4] with automatic
setup (needs root access)
–
It's not in the Market! D'oh!
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
49
Pre-paid SIMs: Conclusions
●
Speed is an issue
●
I was able to watch YouTube using this :)
●
This stuff is not new
●
WiFi hotspots have the same problem
●
Mobile operators don't seem to learn
●
Don't get caught!
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
50
TEL & SMS: URIs from Hell
●
Special protocols for accessing the
telephony subsystems
●
Implemented mostly on mobile phones
●
All phone browsers I've seen implement them
●
Examples:
<a href=”tel:911”>Call the cops</a>
<a href=”sms:5559876543”>write something smart</a>
<a href=”sms:55512345678?body=whats up>”>whats up?</a>
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
51
Trigger the Handler
●
User clicks link...
●
Automatic triggers
●
(I guess there are many more but I'm not a
web sec guy)
<frame src=..>
<iframe src=...>
<img src=...>
<meta http-equiv=refresh content=...>
HTTP redirect (e.g. 303)
Javascript: window.location=...
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
52
Nokia S40
●
Browser catches all methods to open TEL
URIs and checks for appropriate length
●
Well they forgot javascript...
●
Reboots GUI of phone OS
●
Nokia white-screen-of-death
<script lang=javascript>
function crash() {
window.location =
"tel:0177555555000000000000000000000000000000000000000000000000
000";
}
crash();
</script>
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
53
iPhone (2.2.1)
●
Trigger phone call without user interaction
●
CVE-ID: CVE-2009-0961
●
How it worked
●
TEL URI triggers phone dialer
–
The Cancel / Call popup
●
SMS URI “kills” browser...
–
and therefore selects “Call” and the phone dials
–
combined with GUI freeze to make it unstoppable
<iframe src="sms:0177555123456" width=10 height=10></iframe>
<iframe src="tel:017712345555 height=10 width=10></iframe>
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
54
Other Platforms
●
As said before all mobile phone browsers
seem to support these URIs
●
99% of them open the phone dialer and
SMS app automatically
●
iframe, etc...
●
So far no real harm done
●
DoS phones by constantly “starting” the
phone dialer or SMS app
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
55
TEL & SMS URI: Conclusions
●
URIs specially created for telephony
●
Mobile phone browsers should handle them
very well
●
Sadly, mobile browsers handle them like
any other URI
●
Causing many small and a few big fuck-ups
●
Take away: If you play/hack with mobile
phones always try these URI types!
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
56
Final Words
●
Smart Phones are not the only thing
around in “the mobile security world”
●
“Dump“ mobile phones
●
Mobile Networks (and operators)
●
Consumer Electronics devices
●
Smart Phones will become a much harder
target in the future
●
CE devices will become very interesting
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
57
Q & A
●
Thank you for your time!
●
Questions?
●
Ask now!
●
or write me at: collin@sec.t-labs.tu-berlin.de
●
Follow me: @collinrm
Collin Mulliner SecT @ TU-Berlin CanSecWest March 2010
58
References
●
[1] http://www.eecs.umich.edu/~timuralp/tcpdump-arm
●
[2] http://www.avenard.org/kindle2/usbnetwork23-0.10.tar.gz
●
[3] Privoxy: http://www.privoxy.org/
●
[4] DNS-Tunnel package for Android: http://www.mulliner.org/android/
●
[5] My personal security stuff: http://www.mulliner.org/security/
●
[6] SecT: http://www.sec.t-labs.tu-berlin.de