...stuff I do and things I like...

Tuesday, July 21 2015

Hacking Team took a bunch of my Stuff :-(

Everybody heard that Hacking Team got hacked 1, 2, 3, 4 While I think this is pretty great since they are kinda known to be scumbags since they sell to repressive governments I found out about not so great things around this hack. Actually I didn't find out myself put was pointed to it by other people on Twitter (1) , via email, and personal (thanks Michael Weissbacher!).

Basically I was told that Hacking Team used a bunch of my Android tools to build their monitoring software for Android.

What got me really upset is this email:
    I was analysing recent leak of hacking team from italy, and saw you supply the core android audiocapture for hijack voice calls on android. Have you updated it to new devices like lollypop?
This person thinks that I wrote the Android voice call interception for Hacking Team. This is obviously not the case! Hacking Team took my ADBI framework and tools to build their software around it. The software this specific email is talking about is hackedteam/core-android-audiocapture (the link goes to the hackedteam GitHub repository). You can see that they kept even the original filenames (e.g. libt.c) that was part of my original ADBI release.

click for large image
The reason why someone might think I wrote those tools for Hacking Team are pretty obvious once you take a look at the leaked code. Take, for example, the libt.c file from the HackedTeam repository. Hacking Team left all the copyright information (my name, website, and email address) in those files.

In addition to my ADBI framework Hacking Team also used my SMS fuzzer injector that I wrote in 2009 while working on the SMS fuzzing project together with Charlie Miller. Their Android fuzzer also made use of my ADBI framework.

Conclusions:
    I'm pretty angry and sad to see my open source tools being used by Hacking Team to make products to spy on activists. Even worse is the fact that due to the lazy way they managed their source repository less informed people might get the idea that I developed parts of their tools for them. Just to make this very clear: I did not write any of those tools for Hacking Team.

    For the future I will use a license for all my software that excludes use for this kind of purpose. I have no clue yet how this license would look like so if anybody has a hint about pre existing open source licenses that exclude this kind of usage please drop me an email.

    Obviously Hacking Team also used other open source software such as Cuckoo Sandbox. I hope everybody is going to think about future license to prevent this kind of usage. I'm not a lawyer but I would be interested in what legal action one could take if their software license excluded the use case of Hacking Team.


Below some links to the Hackedteam GitHub repository and the link to my ADBI repository. You can clearly see that it is based on my software.

Links:
Comments welcome via email to: collin AT mulliner.org

Tuesday, June 23 2015

Mobile Security News Update June 2015 (part 2)

Conferences
    Defcon QARK: Android App Exploit and SCA Tool Tony Trummer and Tushar Dalvi (this is the only talk that was added after my last post)

    Breakpoint 22-23 October, Melbourne, Australia. TEAM PANGU: DESIGN, IMPLEMENTATION AND BYPASS OF THE CHAIN-OF-TRUST MODEL OF IOS; JORDI VAN DEN BREEKEL: RELAYING EMV CONTACTLESS TRANSACTIONS WITH OFF-THE-SHELF ANDROID DEVICES; DMITRY KURBATOV: ATTACKS ON TELECOM OPERATORS AND MOBILE SUBSCRIBERS USING SS7.
All other conferences still have their CFPs open and didn't post any talks yet. The BreakPoint schedule is also not final yet.

I wanted to point to something that apparently not many people know about: Pangu jailbreak installs unlicensed code on millions of devices. Pangu has their own statement about this. The Wikipedia page about Pangu Team states that they didn't have to sign an NDA for the training and therefore can use the vulnerability. Stefan's point is not about the vulnerability but about his code. All in all I can't verify all claims but I would say I know Stefan well enough to say that he would not make this up simple because he doesn't need to. He is very well known anyway so this is not a publicity issue for him. I 100% agree with Stefan's point of view about denying people from speaking at conferences if they are known to take credit or sell code they don't own or have a license for. I encourage everybody to read up on this and to read statements made by BOTH sides. Please share your opinion with people who run conferences.

Android now has a bug bounty program, or as the call it Android Security Rewards Program. Pretty cool, I wonder if they get more submissions because of this.

Apple tries to kill plain-text connections "If you're developing a new app, you should use HTTPS exclusively.". This feature is called App Transport Security (ATS) and in the current iOS 9 version it can still be disabled. See: Configuring App Transport Security Exceptions in iOS 9 and OSX 10.11.

Android has had a similar feature for some time. Android M introduces a new Manifest option to declare if an app uses clear text traffic or not. Deepening on this option the framework can deny clear text traffic from the app. A decent writeup on this topic is here: Android M and the war on clear text traffic.

Links

Monday, June 08 2015

Mobile Security News Update June 2015

Conferences
    Black Hat USA AH! UNIVERSAL ANDROID ROOTING IS BACK by Wen Xu; ANDROID SECURITY STATE OF THE UNION by Adrian Ludwig; ATTACKING YOUR TRUSTED CORE: EXPLOITING TRUSTZONE ON ANDROID by Di Shen; CERTIFI-GATE: FRONT-DOOR ACCESS TO PWNING MILLIONS OF ANDROIDS by Ohad Bobrov & Avi Bashan; CLONING 3G/4G SIM CARDS WITH A PC AND AN OSCILLOSCOPE: LESSONS LEARNED IN PHYSICAL SECURITY by Yu Yu; COMMERCIAL MOBILE SPYWARE - DETECTING THE UNDETECTABLE by Joshua Dalman & Valerie Hantke; CRASH & PAY: HOW TO OWN AND CLONE CONTACTLESS PAYMENT DEVICES by Peter Fillmore; FAUX DISK ENCRYPTION: REALITIES OF SECURE STORAGE ON MOBILE DEVICES by Daniel Mayer & Drew Suarez; FINGERPRINTS ON MOBILE DEVICES: ABUSING AND LEAKING by Yulong Zhang & Tao Wei; FUZZING ANDROID SYSTEM SERVICES BY BINDER CALL TO ESCALATE PRIVILEGE by Guang Gong; MOBILE POINT OF SCAM: ATTACKING THE SQUARE READER by Alexandrea Mellen & John Moore & Artem Losev; REVIEW AND EXPLOIT NEGLECTED ATTACK SURFACES IN IOS 8 by Tielei Wang & HAO XU & Xiaobo Chen; STAGEFRIGHT: SCARY CODE IN THE HEART OF ANDROID by Joshua Drake; THIS IS DEEPERENT: TRACKING APP BEHAVIORS WITH (NOTHING CHANGED) PHONE FOR EVASIVE ANDROID MALWARE by Yeongung Park & Jun Young Choi; TRUSTKIT: CODE INJECTION ON IOS 8 FOR THE GREATER GOOD by Alban Diquet & Eric Castro & Angela Chow

    Defcon RFIDiggity: Pentester Guide to Hacking HF/NFC and UHF RFID by Francis Brown and Shubham Shah; How to Shot Web: Web and mobile hacking in 2015 by Jason Haddix; LTE Recon and Tracking with RTLSDR by Ian Kline; Extracting the Painful (blue)tooth by Matteo Beccaro and Matteo Collura; Stagefright: Scary Code in the Heart of Android by Joshua J Drake; Build a free cellular traffic capture tool with a vxworks based femoto by Yuwei Zheng and Haoqi Shan

This year Black Hat US really has a large number of mobile related talks!

There is not too much to talk about otherwise. I still have to read all the stuff about Android M, some stuff is covered in the links section below. Make sure to checkout some of the HITB Amsterdam 2015 slides. Some good stuff in there for us mobile sec people.

I was really amazed how much publicity the iOS messaging crash got. Yes, it was easy to trigger. But yes, this kind of stuff happened before.

Links

Thursday, May 28 2015

Quick look at the Amazon Dash Button

I bought an Amazon Dash button just when it was released. A few weekends ago I had time to play with it and here is my write up. This is not really a security write up, I was just interested in how it works. There is a decent hardware focused overview available here: Inside the Amazon 802.11b/g/n Dash Button. This overview is more on the software side!

Summary:
    The Dash button connects to Wifi and sends a HTTP POST every time you press the Dash's button. The Dash is completely shutdown until you press the button, it will switch off seconds after the HTTP request is done with a small timeout to wait for the server's reply. The HTTP connection is protected via SSL but the Dash button doesn't check the certificate and can be easily intercepted. The main part of the data exchange seems to be the Dash Serial Number (DSN).


Background
    The Dash button is a simple way to reorder a specific item from Amazon. The item that is ordered needs to be preselected at setup time, so far each button only allows you to select from a very small list of related items. My Cottonelle button only allows to pick one out of four Cottonelle products. So unfortunately you cannot just order ANY Amazon item :-(

    Below: my mock-up for what people actually want to use the Dash button for (beer, bacon and condoms).
    this is what Dash should be for


Setup
    The setup process is pretty straight forward. You install the Amazon app on your phone and go to My Account and select the Dash Button menu. The app takes you through the steps and your Dash is configured. Some interesting parts of the setup are.

    Wifi setup
      The Wifi is configured from the app using an audio channel. In the setup mode of the Dash it receives the audio and demodulates it to set the Wifi network name and the password.

      In addition to the audio based configuration the Dash also creates a Wifi access point named Amazon ConfigureMe. Once you connect to it you can go to http://192.168.0.1 and configure the Wifi settings via the web interface. Once you click Configure the Dash reboots. I actually didn't manage to connect the Dash after configuring it through the Wifi interface (I also didn't try that hard).


    As the last part of the setup you select that product you want to reorder every time you press the Dash button.


Investigation
    While playing with the Dash I discovered a number of small things.

    Open Ports
      The Dash opens ports 80 and 443. I was NOT able to connect to 443. Port 80 obviously provides the web interface to configure the Wifi settings (previous paragraph).

    DHCP
      The Dash shows up as WICED*DHCP*Client on your Wifi router host list.

    Networking
      All communication goes to parker-gateway-na.amazon.com on port 443. The Dash button does NOT check the certificates so you can easily MITM it and look at the network traffic.

      I used my Wifi router's DNS service to resolve parker-gateway-na.amazon.com to a local IP address running webmitm (from the dsniff package). Using the generated key/cert you can easily look at all the network traffic using ssldump or wireshark.


    How to generate network traffic without ordering anything!
      The one problem with the Dash is that it is only online (connected to the Wifi) for a short time when you press the button. Pressing the button will initiate an order, so playing with your Dash could end up in a lot of toilet paper showing up at your doorstep.

      One easy way to avoid this is by skipping the last step of the configuration. If you skip that last step your Dash button thinks it is configured but the backend doesn't. The last step of the configuration is selecting the product you want to order. Basically you need to quit/kill the Amazon app when it asks you to select a product for your Dash button. Once you do this you can press the Dash button as often as you want without triggering an order of toilet paper. The Dash button will come online connect to your Wifi and connect back to the Amazon backend. This gives you the time to collect network traffic or port scan the Dash.


    Dash network traffic
      I only looked at the traffic between the Dash and the Amazon server. I didn't look at the traffic from the Amazon app to the Amazon server during setup. I should have done this but I didn't. Now I don't have the time to do it. I barely have the time for this writeup.

      From what I can see the Dash sends only a few messages to the server. The first thing you see is that the messages always contain the Dash serial number (DSN) that is printed on the back of the Dash button. All communication is carried out via HTTP POST. Content-type is set to: binary/rio. The encoding is set to chunked. The encoded data is a mix of ASCII and binary with a length fields for specific parts. I didn't have the time to reverse the message format, I just took a brief look at it. The last part of each message seems to be 20 bytes of binary data.

      During setup the Dash sends some data such as RSSI values to the Amazon backend. There is a status bit field message and of course there is the message that is sent when the button has been pressed and the Dash thinks it is fully configured. If the Dash thinks it is not setup correctly pressing the button will just lead to a blinking red light. If it thinks it is configured it will connect to the Wifi and send a specific message. The message is rather short and mainly consists of the DSN followed by the 20 bytes of binary data. The server answers to this with different messages. The only message I saw so far was the message for a not fully configured Dash button (HTTP 412 Precondition Failed). So far I was not in the mood to actually order something. I leave this exercise for other people.

      Package Captures:

      Message sent during setup:

      Some status message:

      Some message sent from the Dash to the server:

      Message sent when the Dash button is pressed and the Dash thinks it is configured:

      Server answer when the Dash button does not have a product associated:
Conclusion / stuff to do:
    The Dash seems like a fun toy, I wish you could just configure it to order any item from Amazon. I know the current version is just a trial and I hope in the future they will allow you to select any product.

    One thing that I found strange is that there is no back communication from the server to the Dash button at setup time. The only message that is sent from the server to the Dash is after the server receives an order item message after pressing the Dash's button. This must mean that you can either modify the message and change the DSN to initiate an order for another Dash button. OR The last 20 bytes provide integrity protection for the message.

    Hacking Todo List:
      Sniff traffic of an actual order. Specifically the answer from the server.

      Open the device and dump the firmware!

      Reverse message format. What are the last 20 bytes in the message? My guess this is for integrity protection. Like an HMAC. But this is just wild speculation.

      Sniff communication between Amazon App and server during Dash setup.

Happy further hacking!

Monday, May 18 2015

Mobile Security News Update May 2015 part 2

Conferences
    SourceBoston Mat 2015: A Swift Teardown by Jared Carlson; iOS App Analytics VS Privacy: An analysis of the use of analytics by Guillaume Ross. (they still have TBD slots)

    ReCon Montreal, Canada (June): Building a Better Bluetooth Attack Framework by Chris Weedon

    Black Hat USA ADVENTURES IN FEMTOLAND: 350 YUAN FOR INVALUABLE FUN by Alexey Osipov & Alexander Zaitsev; ATTACKING YOUR TRUSTED CORE: EXPLOITING TRUSTZONE ON ANDROID by Di Shen; CERTIFI-GATE: FRONT-DOOR ACCESS TO PWNING MILLIONS OF ANDROIDS by Ohad Bobrov & Avi Bashan; FAUX DISK ENCRYPTION: REALITIES OF SECURE STORAGE ON MOBILE DEVICES by Daniel Mayer & Drew Suarez; HACKING INTO SMARTPHONES AND CARS WITH A SIM CARD by Matt Spisak; STAGEFRIGHT: SCARY CODE IN THE HEART OF ANDROID by Joshua Drake; TRUSTKIT: CODE INJECTION ON IOS 8 FOR THE GREATER GOOD by Alban Diquet & Eric Castro

    CONFidence Krakow: iOS Hacking: Advanced Pentest & Forensic Techniques by Omer S. Coskun; Abusing apns for profit by Karol Wiesek

    Defcon Extracting the Painful (blue)tooth by Matteo Beccaro and Matteo Collura; Build a free cellular traffic capture tool with a vxworks based femoto by Yuwei Zheng and Haoqi Shan

    Android Security Symposium Vienna, Austria, from 9-11 September 2015. Only Android security talks!
Some of the upcoming conferences I covered in earlier month (e.g. HITB Amsterdam).

CFPs
    Breakpoint Melbourne, Australia, October 22th-23th

    SEC-T Stockholm 17-18:th of September 2015

    44con

    The Chaos Communication Camp cfp just closed yesterday.


iPhone: I bought an iPhone 5c (as a tryout device) like two weeks ago. I used to have a iPhone 3G back in 2009. I'm pretty happy with it, usability is great and the radio/antenna seems way better then the one in the Nexus 5. One thing I noticed is that most major apps are much better on the iPhone. There are exceptions like Dropbox. The Dropbox client is missing features compared with the android version. I'm missing the text editor! Also inter-app communication is really a weakness of iOS and a strength of Android. Other annoying stuff: I can't set Chrome to be the default browser. I can't have Signal as the default SMS app. One of the most annoying things are notifications. Many apps don't support privacy friendly notifications on the lock screen. I want to see if there are new emails in an account but I don't want the sender, subject, or content to be shown. The same is true with a lot of apps. It is either no notification or notification with content. Not happy with this! But I'm a big fan of handover.

I total I'm still happy with my tryout iPhone 5c. Let's see how long.

Mobile Killswitch: The mobile killswitch now has it's first possibility for abuse: So this killswitch tech in mobile phones now, kinda scary, especially when I can lock you out from your phone from an app w/ no root by @jcase.


Links

Wednesday, May 06 2015

Mobile Security News Update May 2015

This is actually a delayed April update!

Conferences
    CircleCityCon Indianapolis. ZitMo NoM - Clientless Android Malware Control by David Schwartzberg. Making Android's Bootable Recovery Work For You by Drew Suarez. Hacking the Jolla: An Intro to Assessing A Mobile Device by Vitaly McLain and Drew Suarez.

    ShakaCon Hawaii. Making Android's Bootable Recovery Work for You by Drew Suarez.

    PhDays Moscow. Fighting Payment Fraud Within Mobile NetworksTech by Denis Gorchakov and Nikolai Goncharov. GSM Signal Interception ProtectionFast Track by Sergey Kharkov and Artyom Poltorzhitsky. RFID/NFC for the MassesHands-on Labs by Nahuel Grisolia. iOS Application Exploitation by Prateek Gianchandani.


In the last weeks I went to RSA Conference to hangout with a few people. I met the good guys from NowSecure and Zimperium as well as the fellows of DuoSecurity.

The week after I attended Qualcomm Mobile Security Summit 2015. Again this was a super interesting mobile security focused event, most likely the best one of the year. Good talks and good people. There is no general posting of slides but some presenters published their slide deck. Tim and jcase posted their slides here: Android APP Protection. It was good to meet some guys from @K33nTeam. Their presentation was pretty good too.

If you are interested in learning about Android security take Jduck's and Zach's training at DerbyCon. They know what they are talking about.

This picture is sadly very true. I really dislike the trend going towards big smartphones or phablets.


Nexus 5 issue after a long and painful struggle including factory resetting my Nexus 5 and downgrading it to Android 5.0.1 I gave up and determined that it must be a hardware fault. Most likely the power button. I also found out (via @mweissbacher) that the warranty of our Nexus 5 devices ran out in January :-(

I determined that the only decent device to buy right now is a Moto X in the Pure Edition. The pure edition is basically AOSP like shipped with the Nexus devices. So if you are looking for a normal sized smartphone that runs stock Android this might be a device for you. Motorola even states on their site that the pure edition receives more regular updates then carrier branded devices. Most likely also more frequent updates then devices that run a heavily modified Android version (shipped by most other manufacturers).

News and Links

Tuesday, March 31 2015

Mobile Security News Update March 2015

Back from CanSec! Here the mobile update for March (barely made it!).

Conferences
    RSA Conference has a mobile track (link points to track) but I'm not going to list each talk here.

    Black Hat Mobile Security Summit London, UK. Believe it or not it's all mobile talks! Mostly Android, one iOS and one Windows Phone talk and like 2 generic talks.


CFPs

Android 5.1 / Nexus 5 issues: I recently updated to Android 5.1 (so did my friend Michael). Now we both have massive stability issues with our phones. Michael actually doesn't have stability issues his phone refuses to boot up. It boots until the first colored dots appear and then reboots again. The reason for this bootloop are unknown. Some people say this is due to issues with the phones power button. Michael indeed had some power button issues before the bootloop happened. My phone just started to randomly reboot. The issue seems known (search for Android 5.1 random reboot and you will find many reports).

Official Chinese translation of The Android Hacker's Handbook available on April 10th.

Dimple is a small NFC sticker with four or two buttons for Android devices. You are the one who chooses the button functionality. It makes doing everyday tasks quicker and saves your precious time. <-- from their website. This is basically a set of actual buttons (as in hardware) that you can stick on your Android. The buttons likely just activate a RFID tag that is picked up by your phone that then will perform some action. Very simple technology. Should be farely easy to hack (without physically pressing the button). Let's see, maybe I will order a sample just for fun. I have a pending Android NFC blog post anyway (but not time).

Links