Tuesday, October 18 2016
Tuesday, September 20 2016
PacSec October, Tokyo.
Demystifying the Secure Enclave Processor by Mathew Solnik.
Finding Vulnerabilities in Firefox for iOS by Muneaki Nishimura.
ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM) October, Vienna Austria.
All talks are related to mobile security.
O'Reilly Security Conference October, NYC.
Securing 85% of the world's smartphones by Adrian Ludwig.
How Plantronics honed its headsets to create secure wearables by Erik Perotti.
SyScan360 November, Shanghai.
Browser Bug Hunting and Mobile by Francisco Alonso and Jaime Penalba.
Demystifying the Secure Enclave Processor by Mathew Solnik.
Running Code in the TrustZone Land by Edgar Barbosa.
Analysis of iOS 9.3.3 Jailbreak & Security Enhancements of iOS 10 by Team Pangu.
Security Vulnerabilities on Online Payment: Summary and Detection by Zhang Qing and Bai Guangdong.
KiwiCon November, Wellington, NZ.
Let's do the Timewarp Again by Karit.
I'm going to be at the O'Reilly Security Conference on Monday the 31st (maybe also on the other days). I'm super excited to speak at KiwiCon this year!
I'm interested in Google's Project Fi. Does anybody have insights into using it with non-Android phones? I've found several posts on this topic but nothing convincing yet; the posts also contradict each other.
Best of mobile security in pictures:
I've seen this warning a lot in the last couple of weeks while traveling:
This is the real reason for the Galaxy Note 7 recall
While searching for the link to the recall:
Tuesday, August 30 2016
Black Hat EU November, London UK.
ARMAGEDDON: HOW YOUR SMARTPHONE CPU BREAKS SOFTWARE-LEVEL SECURITY AND PRIVACY
Speaker: Clementine Maurice, Moritz Lipp.
DETACH ME NOT - DOS ATTACKS AGAINST 4G CELLULAR USERS WORLDWIDE FROM YOUR DESK
Speaker: Bhanu Kotte, Dr. Silke Holtmanns, Siddharth Rao.
MOBILE ESPIONAGE IN THE WILD: PEGASUS AND NATION-STATE LEVEL ATTACKS
Speaker: Max Bazaliy, Seth Hardy.
POCKET-SIZED BADNESS: WHY RANSOMWARE COMES AS A PLOT TWIST IN THE CAT-MOUSE GAME
Speaker: Federico Maggi, Stefano Zanero.
ROOTING EVERY ANDROID: FROM EXTENSION TO EXPLOITATION
Speaker: Di Shen, Jiahong (James) Fang.
SIGNING INTO ONE BILLION MOBILE APP ACCOUNTS EFFORTLESSLY WITH OAUTH2.0
Speaker: Ronghai Yang, Wing Cheong Lau.
STUMPING THE MOBILE CHIPSET
Speaker: Adam Donenfeld.
WIFI-BASED IMSI CATCHER
Speaker: Piers O'Hanlon, Ravishankar Borgaonkar.
The most interesting read this week was The bumpy road towards iPhone 5c NAND mirroring, a paper by Sergei Skorobogatov. In it he shows how to implement a NAND mirroring attack against an iPhone 5c. The basic idea is to image the NAND, burn through a small batch of passcode guesses, then write the image back so that the failed-attempt counter is reset between batches. On the 5c (A6) that counter lives on the NAND rather than in a Secure Enclave, so restoring the image avoids both the escalating artificial delay and the data erasure after ten failed passcodes. The paper goes into great detail on the various problems he encountered while implementing the attack. I highly recommend reading it. The picture below is taken from the paper.
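As an added illustration, and not code from the original post or from the paper, here is a toy model of the snapshot-and-restore loop. The 4-digit PIN, the wipe-after-ten rule, the delay schedule and the batch size are constructed for the example; the `sep` switch moves the counter into storage the attacker cannot image, which is what the Secure Enclave does on A7 and later devices, and shows why the same attack fails there.

```python
"""Toy model of the iPhone 5c NAND mirroring attack (added example, not code
from the original post or from Skorobogatov's paper).

Constructed assumptions: a 4-digit PIN, a wipe after 10 wrong attempts, an
escalating delay after the fifth failure, and a Python object standing in
for the NAND image.  Only the control flow of the attack is modelled:
guess, snapshot the flash, restore it before the counter bites.
"""
import itertools

WIPE_AFTER = 10                         # "Erase Data" after 10 failed passcodes
# Constructed delay schedule: seconds of lockout keyed by prior failures.
DELAY_SCHEDULE = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}


class Store:
    """A piece of non-volatile storage holding the failed-attempt counter."""

    def __init__(self, counter=0):
        self.counter = counter

    def clone(self):
        return Store(self.counter)


class Phone:
    """Device under attack.

    With sep=False the counter sits on the NAND the attacker can image and
    restore (the iPhone 5c / A6 situation).  With sep=True it sits in storage
    the attacker cannot reach, which is what the Secure Enclave provides on
    A7 and later devices.
    """

    def __init__(self, pin, sep=False):
        self.pin = pin
        self.nand = Store()                      # attacker-accessible flash
        self._secure = Store() if sep else None  # attacker-inaccessible
        self.wiped = False
        self.attempts = 0
        self.delay_served = 0                    # seconds of lockout accumulated

    def _counter(self):
        return self._secure if self._secure is not None else self.nand

    def try_pin(self, guess):
        """One passcode attempt, enforcing the delay and wipe policy."""
        if self.wiped:
            raise RuntimeError("data erased, no further attempts possible")
        store = self._counter()
        self.delay_served += DELAY_SCHEDULE.get(store.counter, 0)
        self.attempts += 1
        if guess == self.pin:
            store.counter = 0
            return True
        store.counter += 1
        if store.counter >= WIPE_AFTER:
            self.wiped = True
        return False


def all_pins(digits=4):
    return ("".join(t) for t in itertools.product("0123456789", repeat=digits))


def naive_bruteforce(phone):
    """Guess in order and let the device enforce its policy: wipes after 10."""
    for guess in all_pins():
        try:
            if phone.try_pin(guess):
                return guess
        except RuntimeError:
            return None
    return None


def mirroring_attack(phone, batch=5):
    """Snapshot the NAND, make `batch` guesses, write the snapshot back, repeat.

    Restoring before the delay threshold keeps delay_served at zero and the
    counter below WIPE_AFTER, but only if the counter actually lives on the
    NAND being restored.
    """
    snapshot = phone.nand.clone()
    failures = 0
    for guess in all_pins():
        try:
            if phone.try_pin(guess):
                return guess
        except RuntimeError:
            return None                          # counter was not on the NAND
        failures += 1
        if failures % batch == 0:
            phone.nand = snapshot.clone()        # the mirroring step
    return None


if __name__ == "__main__":
    for label, phone in (("5c-style", Phone("7391")), ("SEP-style", Phone("7391", sep=True))):
        found = mirroring_attack(phone)
        print(f"{label}: found={found} attempts={phone.attempts} "
              f"delay={phone.delay_served}s wiped={phone.wiped}")
```

Against the 5c-style phone the loop walks the whole keyspace with zero enforced delay and never trips the wipe; against the SEP-style phone the restore step touches nothing the counter depends on, so the device erases itself after ten guesses exactly as with the naive brute force.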
PacSec Tokyo Japan, October.
Demystifying the Secure Enclave Processor by Mathew Solnik.
Google's Project Zero now has an Android "Prize" for achieving RCE on a Nexus device knowing only its email address or phone number. Apparently you can't use a BTS (via @jduck) for this attack. Overall this looks interesting; I wonder if anybody is going to claim the money soon. Announcement: Project Zero Prize.
Tuesday, July 12 2016
Black Hat EU November: ARMAGEDDON: HOW YOUR SMARTPHONE CPU BREAKS SOFTWARE-LEVEL SECURITY AND PRIVACY by Clementine Maurice and Moritz Lipp.
DETACH ME NOT - DOS ATTACKS AGAINST 4G CELLULAR USERS WORLDWIDE FROM YOUR DESK by Bhanu Kotte, Siddharth Rao and Dr. Silke Holtmanns.
POCKET-SIZED BADNESS: WHY RANSOMWARE COMES AS A PLOT TWIST IN THE CAT-MOUSE GAME by Federico Maggi and Stefano Zanero.
STUMPING THE MOBILE CHIPSET by Adam Donenfeld.
DerbyCon September: Beyond The 'Cript: Practical iOS Reverse Engineering by Michael Allen.
AWSh*t. Pay-as-you-go Mobile Penetration Testing by Nathan Clark.
Breaking Android Apps for Fun and Profit by Bill Sempf.
AppSec USA November: QARK: Android App Exploit and SCA Tool by Tushar Dalvi and Tony Trummer.
SecureMe - Droid: Android Security Application by Vishal Asthana and Abhineet Jayaraj.
OWASP Reverse Engineering and Code Modification Prevention Project (Mobile) by Dave Bott and Jonathan Carter.
ShadowOS: Modifying the Android OS for Mobile Application Testing by Ray Kelly.
Apple now has a bug bounty program. Details were presented at Black Hat in Ivan Krstic's talk BEHIND THE SCENES OF IOS SECURITY. Also see Starting this fall, Apple will pay up to $200,000 for iOS and iCloud bugs (via Ars).
Motorola confirms that it will not commit to monthly security patches. This is pretty bad since I actually liked their Pure Edition devices (devices that basically are just AOSP).
Protecting Android with more Linux kernel defenses. Google added several kernel hardening features, some of which originated in PaX/grsecurity. This makes me happy.
"Google's Android has gotten so out of control that $55 billion Salesforce had to take drastic measures": in the near future Salesforce will only support specific Samsung Galaxy and Nexus devices. This is an interesting way to deal with the very diverse Android ecosystem.
Pegasus spyware / Trident for iOS was based on three vulnerabilities, unsurprisingly a WebKit memory corruption (CVE-2016-4657), a kernel information leak used to defeat KASLR (CVE-2016-4655) and a kernel memory corruption (CVE-2016-4656). The spyware was capable of accessing text messages, iMessages, calls, emails, logs and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, Surespot, Tango, Telegram and others. (Source: Lookout Technical Report).
Oversec.io seems to implement our idea of mobile OTR on top of any messenger app. Oversec still looks very beta and I haven't tried it out. If anybody has tried it I would like to hear about it.
Pictures of the month:
Monday, June 06 2016
SummerCon July, Brooklyn, NY.
THE FIREWALL ANDROID DESERVES: A CONTEXT-AWARE KERNEL MESSAGE FILTER AND MODIFIER by DAVID WU.
Defcon August, Las Vegas.
SITCH - Inexpensive, Coordinated GSM Anomaly Detection by ashmastaflash.
A Journey Through Exploit Mitigation Techniques in iOS by Max Bazaliy.
Stumping the Mobile Chipset by Adam Donenfeld.
How to Do it Wrong: Smartphone Antivirus and Security Applications Under Fire by Stephan Huber and Siegfried Rasthofer.
Discovering and Triangulating Rogue Cell Towers by JusticeBeaver (Eric Escobar).
Samsung Pay: Tokenized Numbers, Flaws and Issues by Salvador Mendoza.
Attacking BaseStations - an Odyssey through a Telco's Network by Hendrik Schmidt and Brian Butterly.
Forcing a Targeted LTE Cellphone into an Unsafe Network by Haoqi Shan and Wanqiao Zhang.
Another month has passed and I'm super late again on this blog post.
The HushCon EAST badges were super awesome (picture below). I did some hacking on them with Trammell Hudson: Hushcon 2016 pagers.
The wait is over, here is the final blog post, including source code, on Qualcomm's TrustZone: Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption (source: extractKeyMaster).
The Android Security Bulletin July 2016 fixes a really large number of bugs, including a remote code execution vulnerability in Bluetooth and a remote code execution vulnerability in OpenSSL & BoringSSL. It is really good to see stuff being fixed and talked about in the open.
Summary of Pokemon GO's permissions on your Google account, by the folks at Trail of Bits.
Funny picture of the month:
Friday, May 06 2016
Black Hat USA August, Las Vegas.
1000 WAYS TO DIE IN MOBILE OAUTH by Eric Chen, Patrick Tague, Robert Kotcher, Shuo Chen, Yuan Tian, Yutong Pei.
ADAPTIVE KERNEL LIVE PATCHING: AN OPEN COLLABORATIVE EFFORT TO AMELIORATE ANDROID N-DAY ROOT EXPLOITS by Tao Wei, Yulong Zhang.
ATTACKING BLUETOOTH SMART DEVICES - INTRODUCING A NEW BLE PROXY TOOL by Slawomir Jasek.
PANGU 9 INTERNALS by Hao Xu, Tielei Wang, Xiaobo Chen.
SAMSUNG PAY: TOKENIZED NUMBERS, FLAWS AND ISSUES by Salvador Mendoza.
CAN YOU TRUST ME NOW? AN EXPLORATION INTO THE MOBILE THREAT LANDSCAPE by Josh Thomas.
DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR by Mathew Solnik, Tarjei Mandt.
BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS by Vincent Tan.
THE ART OF DEFENSE - HOW VULNERABILITIES HELP SHAPE SECURITY FEATURES AND MITIGATIONS IN ANDROID by Nick Kralevich.
Defcon still doesn't have the agenda or accepted talks up.
Shakacon July 13-14, Honolulu, HI.
FRUIT VS ZOMBIE: DEFEAT NON-JAILBROKEN IOS MALWARE by CLAUD XIAO.
Bluetooth Low Energy... by SUMANTH NAROPANTH, CHANDRA PRAKASH GOPALAIAH & KAVYA RACHARLA.
The Qualcomm Mobile Security Summit was super awesome once again. Good talks, interesting hallway conversations and always good to see friends.
SektionEins (Stefan Esser) released a jailbreak and anomaly detection app for iOS and eventually got banned from the App Store by Apple. The speculation is that Apple wants to hide the fact that certain sandbox and security features don't work as advertised, and that this is why the app got banned. The app likely wasn't banned just because it can detect a jailbreak, since nearly every app does exactly this, including apps like WhatsApp. There are also several process list viewers for iOS.
I finally could check out a BlackBerry PRIV. The actual hardware looks pretty sweet. I got a quick demo of the security and privacy features added by RIM, especially DTEK. I really liked the device security/privacy status overview; every phone should have that.
Qualcomm KeyMaster keys extracted from TrustZone, waiting for the writeup. The previous blog posts were super good already, but this one should be really interesting.
Tuesday, March 08 2016
Black Hat USA, Las Vegas.
DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR by Tarjei Mandt and Mathew Solnik.
ADAPTIVE KERNEL LIVE PATCHING: AN OPEN COLLABORATIVE EFFORT TO AMELIORATE ANDROID N-DAY ROOT EXPLOITS by Tao Wei and Yulong Zhang.
CAN YOU TRUST ME NOW? AN EXPLORATION INTO THE MOBILE THREAT LANDSCAPE by Josh Thomas.
SAMSUNG PAY: TOKENIZED NUMBERS, FLAWS AND ISSUES by Salvador Mendoza.
AppSec EU, Rome.
Don't Touch Me That Way by David Lindner and Jack Mannino.
Automated Mobile Application Security Assessment with MobSF by Ajin Abraham.
Why Hackers Are Winning The Mobile Malware Battle - Bypassing Malware Analysis Techniques by Yair Amit.
Hack in The Box Amsterdam, NL.
SANDJACKING: PROFITING FROM IOS MALWARE by Chilik Tamir.
FORCING A TARGETED LTE CELLPHONE INTO AN EAVESDROPPING NETWORK by Lin Huang.
ADAPTIVE ANDROID KERNEL LIVE PATCHING by Tim Xia and Yulong Zhang.
COMMSEC TRACK: INSPECKAGE - ANDROID PACKAGE INSPECTOR by Antonio Martins.
When providing a native mobile application ruins the security of your existing Web solution by Jeremy Matos.
IMSecure - Attacking VoLTE and other Stuff by Hendrik Schmidt & Brian Butterly.
Reversing Internet of Things from Mobile Applications by Axelle Apvrille.
Recon Montreal, CA.
Breaking Band by Nico Golde and Daniel Komaromy.
Hardware-Assisted Rootkits and Instrumentation: ARM Edition by Matt Spisak.
This was a long break; I was buried in work and had other things to do. But I'm not giving up this blog.
Sadly I missed a bunch of conferences earlier this year, especially CanSecWest and Troopers/TelSecDay. TelSecDay looked really awesome this year! Sad to have missed it.
Work with me and other awesome people at Square: we are looking for a bunch of different mobile security related people, Android and iOS!
For those who are interested in TrustZone or TrustZone implementations, check out War of the Worlds - Hijacking the Linux Kernel from QSEE. This blog has a lot of awesome research on TrustZone and Qualcomm's implementation.
60 Minutes shows how easily your phone can be hacked. As I said earlier on Twitter, this is as good as it gets on TV. All of the people on the show are pros (I know all of them personally!). Of course, if you are an expert yourself you will complain about anything shown on TV ;-)
Dilbert gets it:
Related to the report that an iPhone will be bricked if the clock is set back too far: