...stuff I do and things I like...

Friday, May 06 2016

Mobile Security News Update May 2016

Conferences
    Black Hat USA Las Vegas. DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR by Tarjei Mandt and Mathew Solnik. ADAPTIVE KERNEL LIVE PATCHING: AN OPEN COLLABORATIVE EFFORT TO AMELIORATE ANDROID N-DAY ROOT EXPLOITS by Tao Wei and Yulong Zhang. CAN YOU TRUST ME NOW? AN EXPLORATION INTO THE MOBILE THREAT LANDSCAPE by Josh Thomas. SAMSUNG PAY: TOKENIZED NUMBERS, FLAWS AND ISSUES by Salvador Mendoza.

    AppSec EU Rome. Don't Touch Me That Way. by David Lindner and Jack Mannino. Automated Mobile Application Security Assessment with MobSF by Ajin Abraham. Why Hackers Are Winning The Mobile Malware Battle - Bypassing Malware Analysis Techniques by Yair Amit.

    Hack in The Box Amsterdam, NL. SANDJACKING: PROFITING FROM IOS MALWARE by Chilik Tamir. FORCING A TARGETED LTE CELLPHONE INTO AN EAVESDROPPING NETWORK by Lin Huang. ADAPTIVE ANDROID KERNEL LIVE PATCHING by Tim Xia and Yulong Zhang. COMMSEC TRACK: INSPECKAGE - ANDROID PACKAGE INSPECTOR by Antonio Martins.

    Area41. When providing a native mobile application ruins the security of your existing Web solution by Jeremy Matos. IMSecure - Attacking VoLTE and other Stuff by Hendrik Schmidt & Brian Butterly. Reversing Internet of Things from Mobile Applications by Axelle Apvrille.

    Recon Montreal, CA. Breaking Band by Nico Golde and Daniel Komaromy. Hardware-Assisted Rootkits and Instrumentation: ARM Edition by Matt Spisak.

This was a long break; I was covered in work and had other things to do. But I'm not giving up this blog. Sadly I missed a bunch of conferences earlier this year, especially CanSecWest and Troopers/TelSecDay. TelSecDay looked really awesome this year! Sad to have missed it.

Work with me and other awesome people at Square: we are looking for a bunch of different mobile security related people, Android and iOS!

For those who are interested in TrustZone or TrustZone implementations, check out War of the Worlds - Hijacking the Linux Kernel from QSEE. This blog has a lot of awesome research on TrustZone and Qualcomm's implementation.

60 Minutes shows how easily your phone can be hacked. As I said earlier on Twitter, this is as good as it gets on TV. All of the people on the show are pros (I know all of them personally!). Of course, if you are an expert yourself you will complain about anything shown on TV ;-)

Dilbert gets it:

Related to the iPhone being bricked if the clock is set back too far.

Tuesday, March 08 2016

Mobile Security News Update March 2016

Conferences
    CanSecWest Vancouver, Canada. Don't Trust Your Eye: Apple Graphics Is Compromised! - Liang Chen + Marco Grassi. Having fun with secure messengers and Android Wear - Artem Chaykin. Pwn a Nexus device with a single vulnerability - Guang Gong.

    Troopers Heidelberg, Germany. QNX: 99 Problems but a Microkernel ain't one! Georgi Geshev, Alex Plaskett.


Looks like I will go to very few conferences this year.

We finally published our paper on Android application analysis support using intelligent GUI stimulation. The work, CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes, uses and enhances Andrubis.

Excellent post on Apple vs FBI by Dan Guido: Apple can comply with the FBI court order

Tuesday, February 09 2016

Mobile Security News Update February 2016

Conferences:
    SyScan360 March, Singapore. Browsers Bug Hunting and Mobile device exploitation by Francisco Alonso.

    Black Hat Asia March, Singapore. ANDROID COMMERCIAL SPYWARE DISEASE AND MEDICATION by Mustafa Saad. ENTERPRISE APPS: BYPASSING THE IOS GATEKEEPER by Avi Bashan & Ohad Bobrov. HEY YOUR PARCEL LOOKS BAD - FUZZING AND EXPLOITING PARCEL-IZATION VULNERABILITIES IN ANDROID by Qidan He. SU-A-CYDER: HOMEBREWING MALWARE FOR IOS LIKE A B0$$! by Chilik Tamir.


Mobile Pwn0rama, the SyScan version of Mobile Pwn2Own. Very cool!

CopperheadOS beta released for Nexus 5, 9, and 5X. I need to buy a new phone to try this out. For those who don't know about CopperheadOS, it is a hardened Android. I was waiting for something like this for a long time. Not as a user, more like somebody should really do this. Anyway, looks pretty cool.

Last weekend I published a write-up on CVE-2016-0728 vs Android. The TL;DR is that this vulnerability was totally overhyped for Android: there is no practical impact for the Android platform.

Saturday, February 06 2016

CVE-2016-0728 vs Android

CVE-2016-0728 has made some headlines in the security world since it is a relatively easy to exploit Linux local privilege escalation vulnerability. Perception Point (the company who found the vulnerability) claimed that approximately 66% of all Android devices are vulnerable to this issue; if this were true it would have quite some impact on Android users. Perception Point did not evaluate whether the vulnerability is actually present and exploitable on the Android platform. A lot of people, including myself, were very curious about the impact of this bug on Android. Here is a write-up of my investigation of the impact of CVE-2016-0728 on the Android world. TL;DR: impact almost none! (Please continue reading.)

When I first heard about this vulnerability I modified the PoC and tried to validate the presence of the vulnerability using various Android devices. I could not find any device that contained the vulnerability. I had access to several Nexus devices and a number of Samsung devices. After failing blindly I started investigating the details. I also asked friends who do a lot of Android work to see if they had tried and/or made it work. Nobody was able to find a device that was actually vulnerable. I only found one person who claimed to have gotten the exploit working on an LG device. According to his post it takes more than 6 hours to trigger the vulnerability, and he only got it working on one out of three tries. This alone gives you a good indication of the impact of this vulnerability. The battery of most phones will run out in less than 6 hours when running an application that constantly hits the kernel.

Here is a technical rundown of why this vulnerability is not an issue for the vast majority of Android devices.

Mitigating Factors

Kernel Version

The vulnerability was supposedly introduced in kernel version 3.8, so only 3.8 and later kernels contain it. A lot of Android 5.0 devices run a 3.4 kernel.

Kernel Configuration

CONFIG_KEYS:
The code containing the vulnerability is part of the key retention service of the Linux kernel. The service is only present if the kernel was built with CONFIG_KEYS enabled. Looking at the default AOSP kernel config, you can see that CONFIG_KEYS is not enabled. Android devices that are based on the AOSP kernel config therefore do not contain the vulnerable code and are not affected by this vulnerability. Further, not all versions of the key retention service contained the vulnerable code, which again reduces the number of affected devices. When looking at the overall device population, the presence of the key retention service provides an upper bound for the number of affected devices.

We can also use the Android Census to identify which devices and firmware versions use kernels with CONFIG_KEYS enabled: if CONFIG_KEYS is enabled, /proc/keys will be present. Based on this data, only 125 out of the 480 unique Android installations examined have /proc/keys and therefore CONFIG_KEYS enabled in their kernels.

KALLSYMS:
A portable and automated exploit (based on the PoC) would require access to /proc/kallsyms to acquire the memory addresses of kernel code. Recent Android versions zero out the actual memory addresses when kallsyms is read by a process that is not uid=0.

SELinux

Android 4.4 (KitKat) and later include SELinux, but Android 5.0 (Lollipop) notably requires SELinux to be in enforcing mode instead of permissive, as was the case in Android 4.4. SELinux on Android reduces the attack surface of the Linux kernel by restricting the use of a number of kernel services to trusted applications. In this case, the SELinux policy in the Android Open Source Project (AOSP) and on Nexus devices restricts access to kernel keyring objects from the untrusted_app domain, and this prevents apps from the Play Store or other sources from triggering or exploiting the vulnerability. For example, when an app tries to execute the keyctl system call to create or access a keyring object, the system call is denied and an SELinux kernel error is logged to the system log:
[ 3683.432511] type=1400 audit(1453676165.345:15): avc: denied 
{ search } for pid=7848 comm="PoCtest" 
scontext=u:r:untrusted_app:s0:c512,c768 
tcontext=u:r:untrusted_app:s0:c512,c768 tclass=key permissive=0
The public PoC exploit uses SysV IPC (msgget) to allocate the memory chunk that is passed to the vulnerable code. The SELinux policy on Android 5.0 and upwards blocks SysV IPC and thus blocks the method the PoC exploit uses to obtain a usable memory chunk. Below is the output of SELinux blocking the call to msgget, taken from the Linux kernel ring buffer on an Android 5.0 device. I tested this on a Nexus 5X running Android 6 and on a Nexus 7 running Android 5.0, running the PoC from an adb shell; the system log output is below:
<4>[59201.392059] type=1400 audit(1453400116.210:13): avc: 
denied { create } for pid=21470 comm="PoCtest" 
scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=msgq
The PoC can be adapted to use a different method for allocating memory rather than SysV IPC msgget, but historically Android malware only uses off-the-shelf exploits, if it uses any vulnerability at all.

The Android device ecosystem, however, is much more varied and diverse than the stock AOSP tree and the Nexus devices that follow it very closely. In particular, SEAndroid policies in the wild often add more types, domains, type transitions, and rules to the AOSP SELinux policies. Using the Android Census we find 160 sepolicies that have key rules from untrusted_app.
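One way to check the mitigating factors above on a specific device is a small triage script run through adb. This is an added example, not the post's own code; it assumes adb is on PATH with one device attached, and treats any 3.8-or-later kernel as in range because the post only gives the lower bound.

```shell
#!/bin/sh
# Added triage helper; not from the original post. Each check mirrors one
# mitigating factor from the write-up (kernel version, CONFIG_KEYS via
# /proc/keys, kallsyms address hiding, SELinux mode, AVC denials on the
# key and msgq classes). The helpers take strings so they can run on saved
# output; triage_device assumes adb is on PATH with one device attached.

# 0 when a `uname -r` string such as "3.10.49-g1234" is 3.8 or later, the
# lower bound for the vulnerable key retention code given in the post.
kernel_at_least_3_8() {
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; minor=${minor%%[!0-9]*}
  if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; }; then
    return 0
  fi
  return 1
}

# 0 when a /proc/kallsyms line carries an all-zero address, i.e. symbol
# addresses are hidden from a non-root reader.
kallsyms_hidden() {
  addr=${1%% *}
  case $addr in *[1-9a-fA-F]*) return 1 ;; *) return 0 ;; esac
}

# 0 when an AVC log line denies the key (keyctl) or msgq (msgget) class,
# the two denials quoted in the post.
avc_blocks_poc() {
  case $1 in
    *"avc: denied"*"tclass=key"*|*"avc: denied"*"tclass=msgq"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live run over adb; dmesg may require root on newer devices.
triage_device() {
  v=$(adb shell uname -r | tr -d '\r')
  if kernel_at_least_3_8 "$v"; then echo "kernel $v: 3.8 or later"
  else echo "kernel $v: predates 3.8"; fi
  if [ "$(adb shell 'test -e /proc/keys && echo yes' | tr -d '\r')" = yes ]
  then echo "CONFIG_KEYS: enabled (/proc/keys present)"
  else echo "CONFIG_KEYS: disabled, vulnerable code absent"; fi
  if kallsyms_hidden "$(adb shell head -n 1 /proc/kallsyms | tr -d '\r')"
  then echo "kallsyms: addresses hidden"; else echo "kallsyms: addresses exposed"; fi
  echo "SELinux: $(adb shell getenforce | tr -d '\r')"
  echo "AVC key/msgq denials: $(adb shell dmesg | tr -d '\r' | grep -cE 'tclass=(key|msgq)')"
}

case "${1-}" in --device) triage_device ;; esac
```

Run it as `sh triage.sh --device`; the three helper functions can also be pointed at saved `uname -r`, kallsyms and dmesg output without a device.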

Results

There are several limiting factors that make this vulnerability a non-issue for Android:
  • SELinux policies from Android 5.0 and later block access to the vulnerable kernel code
  • Kernel versions used by various Android devices are either too old or don't use CONFIG_KEYS
  • The exploit requires 30 minutes to run on a 3.0 GHz Intel i7, and according to XDA developers it took several tries and a runtime of 6 hours to get this working on an Android device


The conclusion I draw is that this vulnerability will not pose a serious risk to the Android ecosystem, due to the mitigating factors described above. Individual devices may contain the vulnerability, but the worst-case scenario is that the owner of the device uses the bug to root his own device, provided he is very patient and can live without using his device for 6 hours or more. One thing that is certain is that the percentage given by Perception Point is absolutely not true and should not have been repeated by everyone who reported on this.

Acknowledgments:
    This blog post is based on discussions I had with various people, most notably Dino Dai Zovi and Janek Klawe. Vlad Tsyrklevich deserves massive credit for his Android Census database, a super valuable source for this kind of research.

Monday, January 18 2016

Mobile Security News Update January 2016

Conferences:
    Black Hat Asia March 29, Singapore. ANDROID COMMERCIAL SPYWARE DISEASE AND MEDICATION by Mustafa Saad. ENTERPRISE APPS: BYPASSING THE IOS GATEKEEPER by Avi Bashan & Ohad Bobrov. HEY YOUR PARCEL LOOKS BAD - FUZZING AND EXPLOITING PARCEL-IZATION VULNERABILITIES IN ANDROID by Qidan He. SU-A-CYDER: HOMEBREWING MALWARE FOR IOS LIKE A B0$$! by Chilik Tamir.


I guess it is still too early in the year for conference programs. ShmooCon just concluded, Infiltrate doesn't have any mobile talks, and SyScan didn't post accepted talks yet. This weekend I attended the first BSidesNYC. The conference was pretty good, with some expected and some unexpected good talks. The conference venue was pretty nice and spacious. I will go again.

If you are into NFC research, check out ChameleonMini - A Versatile NFC Card Emulator, a new Kickstarter project. The guys who run it definitely know what they are doing.

Thursday, December 24 2015

Mobile Security News Update December 2015

I've gotten a little lazy with this blog but I promise I will post more often in 2016.

Conferences
    32c3 27-30 December, Hamburg, Germany. Iridium Update: more than just pagers by Schneider and Sec. Running your own 3G/3.5G network: OpenBSC reloaded by LaForge. (Un)Sicherheit von App-basierten TAN-Verfahren im Onlinebanking (in German) by Vincent Haupert.

    ShmooCon January 15 - 17, Washington D.C. Hiding from the Investigator: Understanding OS X and iOS Code Signing to Hide Data by Joshua Pitts. LTE Security and Protocol Exploits by Roger Piqueras Jover.

    BSides NYC January 16, NYC. 99 Problems but a Microkernel ain't one! by Alex Plaskett. Mobile implants in the age of cyber-espionage by Dmitry Bestuzhev.

    Black Hat ASIA March 31 - April 1, Singapore. HEY YOUR PARCEL LOOKS BAD - FUZZING AND EXPLOITING PARCEL-IZATION VULNERABILITIES IN ANDROID by Qidan He.

    NDSS 2016 February 21 - 24, San Diego. Has a good number of Android related papers. Some titles look quite interesting.

As I said before, I'm neither attending 32c3 nor ShmooCon. I'll be attending BSides NYC though.

Google suspended Android-vts, the only up-to-date Android device vulnerability scanner. No idea if Google would allow it back after fixing the issues. On the other hand, I'd rather have a tool that can find a large number of vulnerabilities than a crippled version in the Play Store.

Thursday, November 19 2015

Mobile Security News Update November 2015

Conferences
    upcoming: 32C3 (December), ShmooCon (January)

$10 Android Phone: Walmart has a $10 Android phone. It is an LG device with Android 4.4 specs. I agree with Patrick McCanna that smartphones at feature-phone prices will be a significant milestone towards monetizing mobile hacking. These prices really mean everybody is going to have a smartphone. Like everybody. I ordered two of those to play with.

Mobile Pwn2Own: two interesting results. (1) Baseband of a Samsung S6 Edge: the payload was able to redirect incoming calls. This was done by my buddies Nico Golde and Daniel Komaromy. Here is a picture of their setup. Story by various sites: 1, 2 (German), 3. (2) Drive-by APK install on a Nexus 6 without user interaction by Guang Gong. Tweets: 1, 2 (with picture).

LTE Security: pretty interesting talk and paper about LTE design and implementation vulnerabilities. Slides, white paper. Blog post by the same people: Practical attacks against 4G (LTE) access network protocols. One thing I didn't notice is how cheap LTE research is already. Their setup is just over $1000, which seems rather cheap for LTE.
