...stuff I do and things I like...

Tuesday, September 20 2016

Mobile Security News Update September 2016

Conferences
    Black Hat EU November, London UK. ARMAGEDDON: HOW YOUR SMARTPHONE CPU BREAKS SOFTWARE-LEVEL SECURITY AND PRIVACY Speaker: Clementine Maurice, Moritz Lipp. DETACH ME NOT - DOS ATTACKS AGAINST 4G CELLULAR USERS WORLDWIDE FROM YOUR DESK Speaker: Bhanu Kotte, Dr. Silke Holtmanns, Siddharth Rao. MOBILE ESPIONAGE IN THE WILD: PEGASUS AND NATION-STATE LEVEL ATTACKS Speaker: Max Bazaliy, Seth Hardy. POCKET-SIZED BADNESS: WHY RANSOMWARE COMES AS A PLOT TWIST IN THE CAT-MOUSE GAME Speaker: Federico Maggi, Stefano Zanero. ROOTING EVERY ANDROID: FROM EXTENSION TO EXPLOITATION Speaker: Di Shen, Jiahong (James) Fang. SIGNING INTO ONE BILLION MOBILE APP ACCOUNTS EFFORTLESSLY WITH OAUTH2.0 Speaker: Ronghai Yang, Wing Cheong Lau. STUMPING THE MOBILE CHIPSET Speaker: Adam Donenfeld. WIFI-BASED IMSI CATCHER Speaker: Piers O'Hanlon, Ravishankar Borgaonkar.

    PacSec Tokyo Japan, October. Demystifying the Secure Enclave Processor by Mathew Solnik.
The most interesting read this week was The bumpy road towards iPhone 5c NAND mirroring a paper by Sergei Skorobogatov. In this paper he shows how to implement a NAND mirroring attack against an iPhone 5C. The basic idea behind this attack is erase the PIN failure counter between each set of tries to avoid the artificial brute force delay and to avoid data deletion after N failed PINs. The paper goes into great detail on various problems he encountered while implementing the attack. I highly recommend reading this paper. The picture below is taken from this paper.

Google's Project Zero now has an Android "Prize" for achieving RCE on a Nexus device with only knowing it's email address or phone number. Apparently you can't use a BTS (via @jduck) for this attack. Overall this looks interesting, I wonder if anybody is going to claim the money soon. Announcement: Project Zero Prize.

Links

Tuesday, August 30 2016

Mobile Security News Update August 2016

Conferences
    Black Hat EU November: ARMAGEDDON: HOW YOUR SMARTPHONE CPU BREAKS SOFTWARE-LEVEL SECURITY AND PRIVACY by Clementine Maurice and Moritz Lipp. DETACH ME NOT - DOS ATTACKS AGAINST 4G CELLULAR USERS WORLDWIDE FROM YOUR DESK by Bhanu Kotte, Siddharth Rao and Silke Dr Holtmanns. POCKET-SIZED BADNESS: WHY RANSOMWARE COMES AS A PLOT TWIST IN THE CAT-MOUSE GAME by Federico Maggi and Stefano Zanero. STUMPING THE MOBILE CHIPSET by Adam Donenfeld.

    DerbyCon September: Beyond The ?Cript: Practical iOS Reverse Engineering by Michael Allen. AWSh*t. Pay-as-you-go Mobile Penetration Testing by Nathan Clark. Breaking Android Apps for Fun and Profit by Bill Sempf.

    AppSec USA November: QARK: Android App Exploit and SCA Tool by Tushar Dalvi and Tony Trummer. SecureMe - Droid: Android Security Application by Vishal Asthana and Abhineet Jayaraj. OWASP Reverse Engineering and Code Modification Prevention Project (Mobile) by Dave Bott and Jonathan Carter. ShadowOS: Modifying the Android OS for Mobile Application Testing by Ray Kelly.

Apple now has a bug bounty program. Details were presented at Black Hat in Ivan Krstic's talk BEHIND THE SCENES OF IOS SECURITY. Also see Starting this fall, Apple will pay up to $200,000 for iOS and iCloud bugs (via Ars).

Motorola confirms that it will not commit to monthly security patches. This is pretty bad since I actually liked their Pure Edition devices (devices that basically are just AOSP).

Protecting Android with more Linux kernel defenses. They added some features from Grsecurity. This makes me happy.

Google's Android has gotten so out of control that $55 billion Salesforce had to take drastic measures, basically Salesforce in the close future will only support specific Samsung Galaxy and Nexus devices. This is an interesting way to deal with the very diverse Android ecosystem.

Pegasus Spyware / Trident for iOS was based on 3 vulnerabilities unsurprisingly a WebKit memory corruption, a Kernel info leak, and a kernel memory corruption. The spyware was capable of accessing text messages, iMessages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, Facetime, Calendar, Line, Mail.Ru, WeChat, Surespot, Tango, Telegram, and others. (Source: Lookout Technical Report).

Oversec.io seems to implement our idea of mobile OTR on top of any messenger app. Oversec still looks very beta and I haven't tried it out. If anybody has tried it I would like to hear about it.

Pictures of the month:
(source: @raviborgaonkari)

(source: @marcwrogers)

Links

Tuesday, July 12 2016

Mobile Security News Update July 2016

Conferences
    SummerCon July, Brooklyn, NY. THE FIREWALL ANDROID DESERVES: A CONTEXT-AWARE KERNEL MESSAGE FILTER AND MODIFIER by DAVID WU.

    Defcon August, Las Vegas. SITCH - Inexpensive, Coordinated GSM Anomaly Detection by ashmastaflash. A Journey Through Exploit Mitigation Techniques in iOS by Max Bazaliy. Stumping the Mobile Chipset by Adam Donenfeld. How to Do it Wrong: Smartphone Antivirus and Security Applications Under Fire by Stephan Huber and Siegfried Rasthofer. Discovering and Triangulating Rogue Cell Towers by JusticeBeaver (Eric Escobar). Samsung Pay: Tokenized Numbers, Flaws and Issues and Salvador Mendoza. Attacking BaseStations - an Odyssey through a Telco's Network by Henrik Schmidt and Brian Butterly. Forcing a Targeted LTE Cellphone into an Unsafe Network by Haoqi Shan and Wanqiao Zhang.

Another month has passed and I'm super late again on this blog post.

HushCon EAST badges were super awesome (picture below) did some hacking on them with Trammell Hudson: Hushcon 2016 pagers.


The wait is over, here is the final blog post including source code on Qualcomm's TrustZone: Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption Source extractKeyMaster

The Android Security Bulletin July 2016 fixes a really large number of bugs, including a Remote code execution vulnerability in Bluetooth and Remote code execution vulnerability in OpenSSL & BoringSSL. It is really good to see stuff being fixed and talked about in the open.

Summary on Pokemon GO's permission to your Google Account by the guys from Trail of Bits.

Funny picture of the month:


Links

Monday, June 06 2016

Mobile Security News Update June 2016

Conferences
    Black Hat USA August, Las Vegas. 1000 WAYS TO DIE IN MOBILE OAUTH by Eric Chen, Patrick Tague, Robert Kotcher, Shuo Chen, Yuan Tian, Yutong Pei. ADAPTIVE KERNEL LIVE PATCHING: AN OPEN COLLABORATIVE EFFORT TO AMELIORATE ANDROID N-DAY ROOT EXPLOITS by Tao Wei, Yulong Zhang. ATTACKING BLUETOOTH SMART DEVICES - INTRODUCING A NEW BLE PROXY TOOL by Slawomir Jasek. PANGU 9 INTERNALS by Hao Xu, Tielei Wang, Xiaobo Chen. SAMSUNG PAY: TOKENIZED NUMBERS, FLAWS AND ISSUES by Salvador Mendoza. CAN YOU TRUST ME NOW? AN EXPLORATION INTO THE MOBILE THREAT LANDSCAPE by Josh Thomas. DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR by Mathew Solnik, Tarjei Mandt. BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS by Vincent Tan THE ART OF DEFENSE - HOW VULNERABILITIES HELP SHAPE SECURITY FEATURES AND MITIGATIONS IN ANDROID by Nick Kralevich.

    Shakacon July 13-14, Honolulu, HI. FRUIT VS ZOMBIE: DEFEAT NON-JAILBROKEN IOS MALWARE BY CLAUD XIAO. Bluetooth Low Energy...by SUMANTH NAROPANTH, CHANDRA PRAKASH GOPALAIAH & KAVYA RACHARLA
Defcon still doesn't have the agenda or accepted talks up.

The Qualcomm Mobile Security Summit was super awesome once again. Good talks, interesting hallway conversations and always good to see friends.


SektionEins (Stefan Esser) release a jailbreak and anomaly detection app for iOS and eventually got band from the AppStore by Apple. The speculation is that Apple wants to hide the fact that certain sandbox and security features don't work as advertised and thus his App got band. The app likely wasn't band just because it can detect a jailbreak since like every app does exactly this, including apps like WhatsApp. There are also several process list viewers for iOS.


I finally could checkout a Blackberry PRIV. The actual hardware looks pretty sweet. I got a quick demo of the security and privacy features added by RIM, specially DTEK. I really liked the device security/privacy status overview, every phone should have that.

Qualcomm KeyMaster keys etracted from TrustZone waiting for the writeup. The previous blog posts where super good already, but this one should be really interesting.

Links

Friday, May 06 2016

Mobile Security News Update May 2016

Conferences
    Black Hat USA Las Vegas. DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR by Tarjei Mandt and Mathew Solnik. ADAPTIVE KERNEL LIVE PATCHING: AN OPEN COLLABORATIVE EFFORT TO AMELIORATE ANDROID N-DAY ROOT EXPLOITS by Tao Wei and Yulong Zhang. CAN YOU TRUST ME NOW? AN EXPLORATION INTO THE MOBILE THREAT LANDSCAPE by Josh Thomas. SAMSUNG PAY: TOKENIZED NUMBERS, FLAWS AND ISSUES by Salvador Mendoza.

    AppSec EU Rome. Don't Touch Me That Way. by David Lindner and Jack Mannino. Automated Mobile Application Security Assessment with MobSF by Ajin Abraham. Why Hackers Are Winning The Mobile Malware Battle - Bypassing Malware Analysis Techniques by Yair Amit.

    Hack in The Box Amsterdam, NL. SANDJACKING: PROFITING FROM IOS MALWARE by Chilik Tamir. FORCING A TARGETED LTE CELLPHONE INTO AN EAVESDROPPING NETWORK by Lin Huang. ADAPTIVE ANDROID KERNEL LIVE PATCHING by Tim Xia and Yulong Zhang. COMMSEC TRACK: INSPECKAGE - ANDROID PACKAGE INSPECTOR by Antonio Martins.

    Area41 When providing a native mobile application ruins the security of your existing Web solution by Jeremy Matos. IMSecure - Attacking VoLTE and other Stuff by Hendrik Schmidt & Brian Butterly. Reversing Internet of Things from Mobile Applications by Axelle Apvrille.

    Recon Montreal, CA. Breaking Band by Nico Golde and Daniel Komaromy. Hardware-Assisted Rootkits and Instrumentation: ARM Edition by Matt Spisak

This was a long break, I was covered in work and had other things to do. But I'm not giving up this blog. Sadly I missed a bunch of conferences earlier this year. Especially CanSecWest and Troopers/TelSecDay. TelSecDay looked really awesome this year! Sad to have missed it.

Work with me and other awesome people at Square we are looking for a bunch of different mobile security related people. Android and iOS!

For those who are interested in TrustZone or TrustZone implementations check out: War of the Worlds - Hijacking the Linux Kernel from QSEE This blog has a lot of awesome research on TrustZone and Qualcomm's implementation.

60 Minutes: shows how easily your phone can be hacked. As I said earlier on Twitter, this is as good as it gets on TV. All of the people on the show are pros (know all of them personally!). Of course if you are an expert yourself you will complain about anything shown on TV ;-)

Dilbert gets it:


Related to the iPhone will be bricked if the clock is set back too far.



Links

Tuesday, March 08 2016

Mobile Security News Update March 2016

Conferences
    CanSecWest Vancouver, Canada. Don't Trust Your Eye: Apple Graphics Is Compromised! - Liang Chen + Marco Grassi. Having fun with secure messengers and Android Wear - Artem Chaykin. Pwn a Nexus device with a single vulnerability - Guang Gong.

    Troopers Heidelberg, Germany. QNX: 99 Problems but a Microkernel ain't one! Georgi Geshev, Alex Plaskett.


Looks like I will go to very few conferences this year.

We finally published our paper on Android application analysis support using intelligent GUI stimulation. The work CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes uses / enhances Andrubis.

Excellent post on Apple vs FBI by Dan Guido: Apple can comply with the FBI court order


Links

Tuesday, February 09 2016

Mobile Security News Update February 2016

Conferences:
    SyScan360 March, Singapore. Browsers Bug Hunting and Mobile device exploitation by Francisco Alonso.

    Black Hat Asia March, Singapore. ANDROID COMMERCIAL SPYWARE DISEASE AND MEDICATION by Mustafa Saad. ENTERPRISE APPS: BYPASSING THE IOS GATEKEEPER by Avi Bashan & Ohad Bobrov. HEY YOUR PARCEL LOOKS BAD - FUZZING AND EXPLOITING PARCEL-IZATION VULNERABILITIES IN ANDROID by Qidan He. SU-A-CYDER: HOMEBREWING MALWARE FOR IOS LIKE A B0$$! by Chilik Tamir.


Mobile Pwn0rama the SyScan version of mobile pwn2own. Very cool!

CopperheadOS beta released for Nexus 5, 9, and 5X. I need to buy a new phone to try this out. For those who don't know about CopperheadOS, it is a hardened Android. I was waiting for something like this for a long time. Not as a user more like somebody should really do this. Anyway, looks pretty cool.

Last weekend I published a write-up on CVE-2016-0728 vs Android. The TL;DR is that this vulnerability was totally over hyped for Android. There is no practical impact for the Android platform.

Links: