Monday, January 16 2012
Conferences:
Infiltrate has already passed, but they only had two mobile talks anyway: Secrets in Your Pocket: Analysis of [Your] Wireless Data by Mark Wuergler, and Don't Hassle The Hoff: Breaking iOS Code Signing by Charlie Miller.
Shmoocon, which I'm missing again; it is way too early in the year, so every year so far I have totally missed it. Talks: Building Measurement and Signature Intelligence (MASINT) Capabilities on a Hackers Budget: Tracking and Fingerprinting RF Devices for Fun and Profit by Brad Bowers. Intro to Near Field Communication (NFC) Mobile Security by Corey Benninger and Max Sobell. Android Mind Reading: Memory Acquisition and Analysis with DMD and Volatility by Joe Sylve. Whack-a-Mobile: Getting a Handle on Mobile Testing with MobiSec Live Environment by Tony DeLaGrange and Kevin Johnson. Credit Card Fraud: The Contactless Generation by Chris Paget.
CanSecWest is upcoming. So far no talks have been posted, but I'm going to speak on "Probing Mobile Operator Networks". This is a long ongoing side project of mine.
Links: Infographics: Mobile Security Android vs. iOS
The video recordings from 28c3 are online. Check out Harald's talk Cellular protocol stacks for Internet, Luca's and Karsten's talk Defending mobile phones, Sylvain's talk Introducing Osmo-GMR.
Monday, January 02 2012
So 2011 is history; it was a fun year for us mobile people. Many things happened, many things got hacked - just great.
In the last few days I have been reading some of those security predictions for 2012 (this year!). Most of them [1] [2] [3] [4] [5] are kinda boring since these are things that are already happening. Nevertheless, these will very likely become reality.
In the mobile area these seem to be:
Android as the target for mobile malware attacks. This is already happening, as Android became the major smartphone platform last year.
Mobile markets such as the AppStore and Android Market as a key issue / problem solver in the mobile field.
More monetization: as mobile malware evolves we will see more monetization of it. This is especially interesting for everything that involves spending money using a smartphone. Not only SMS, but advertisement, in-app payment, the phone as a credit card, etc.
Happy mobile security research 2012 to everybody!
Tuesday, December 20 2011
There was an awesome SMS bug in Windows Phone 7. This is exactly the bug class I have been looking into in the last two years. Too bad that I didn't have the time to look into Windows Phone 7.
Corrections to a news article about my research. NFC mobile threats on the horizon: What happens when we wave our wallets to pay? The article says ...malicious code could be 'injected' into the device.... I want to say that I never claimed I can do code injection through NFC. They probably misunderstood me when I said that this could be possible in the future.
It is really great to see how NFC security research is taking off this year. If I remember back to early 2008, when I did my research, everybody was kinda laughing.
In other news, mobile (in)security is further on the rise. So we will never lose our jobs!
Thursday, December 01 2011
Android root exploit for 2.3.5 and older by the Jons: levitator.c
I don't get this whole Carrier IQ thing [1] [2].
The people from the Intrepidus Group seem to really get into RFID and NFC. They just posted an article about using a USRP for NFC. Hopefully they release their code after they are done with their research.
In other news: I won't attend the CCC / 28c3 this year due to multiple reasons. I will stick around for the other events outside the congress. So ping me if you want to chat and/or have beers.
Friday, November 18 2011
Security Mobile and RFID by Nick von Dadelszen at KiwiCon. Interesting talk on RFID attacks using the Nexus S. This does not cover NFC but is a good read. Unfortunately there are not many details in the slides.
Axelle Apvrille did some nice work on how to utilize OpenBTS for mobile malware analysis. Both paper and slides make a nice read.
Ruxcon is already on; I found one possibly interesting talk, Mobile and Contactless Payment Security by Peter Fillmore. But since the con is not done yet, slides are not available at this time.
SyScan Taipei has a bunch of mobile stuff. Charlie Miller on iOS code signing. Stefan Esser on iOS kernel exploitation. I'm waiting for slides as the con is just over today.
New Academic Workshop MoST on Mobile Security Technologies at IEEE S&P in May 2012.
Friday, November 04 2011
So I'm finally back at work. I had to take care of a bunch of stuff, but that's done now! Sadly I had to turn down a few conference invitations, some of which I was looking forward to for some time already. That was kinda sad, but I plan to fix that soon. Especially T2, damn!
Of course I will continue my Mobile Security News Update. Need to get back into the news circle :-)
I have a bunch of cool projects in the pipe so be prepared!
Saturday, August 20 2011
I'm finally back from my two weeks in the US of A, where I attended Black Hat and Defcon (19) in Vegas. This was very exhausting as always, no surprise there. But I must say the talk quality was not that high, and again too many parallel tracks at Black Hat. As I see it now, I will probably skip Black Hat and Defcon in the near future. After Vegas I travelled to USENIX Security in San Francisco to finally present our paper on SMS insecurity on feature phones. USENIX was quite okay - but I didn't get to enjoy it in full due to the one week of Las Vegas before :-/ To compensate for the stressful travel I attended the last two days of the CCCamp outside of Berlin. Even though I only attended the last days, the CCCamp rocked! Still one of the best events ever!
News:
So Palm is finally dead now that HP killed their WebOS devices. Although I've read something about HP wanting to continue with developing WebOS as a platform, this is kinda useless if they don't intend to sell devices running WebOS. Sad sad thing.
Conferences:
DeepSec, which takes place in Vienna in November, has a bunch of mobile related talks. Intelligent Bluetooth fuzzing - Why bother? by Tommi Mäkilä (Codenomicon); Windows Pwn 7 OEM - Owned Every Mobile? by Alex Plaskett (MWR InfoSecurity); SMS Fuzzing - SIM Toolkit Attack by Bogdan Alecu (Independent security researcher); Extending Scapy by a GSM Air Interface and Validating the Implementation Using Novel Attacks by Laurent 'kabel' Weber (Ruhr Uni Bochum); Attack vectors on mobile devices by Tam Hanna (Tamoggemon Limited); Defeating BlackBerry Malware & Forensic Analysis by Sheran A. Gunasekera (ZenConsult Pte. Ltd.)
T2 in October in Helsinki. So far they have only one talk on mobile security: Windows Pwn 7 OEM - Owned Every Mobile? by Alex Plaskett (MWR InfoSecurity).
Hack.lu in September in Luxembourg. They seem to have a few interesting talks. Project Ubertooth: Building a Better Bluetooth Adapter by Michael Ossmann. Extending Scapy by a GSM Air Interface and Validating the implementation Using Classical and Novel Attacks by Laurent Weber. Locating a GSM phone in a given area without user consent by Iosif Androulidakis. Weaponizing the Smartphone: Deploying the Perfect WMD by Kizz Myanthia.
Hack in the Box Malaysia in October. Some talks: Packets in the Dark - Pwning a 4G Device for the Lulz by biatch0 & RuFI0. Satellite Telephony Security: What is and What Will Never Be by Jim Geovedi. Femtocells: A Poisonous Needle in the Operator's Hay Stack by Kevin, Ravi, and Nico (SecT - TU Berlin). All Your Base Stations are Belong to Us: Extending Scapy with a GSM Air Interface by Laurent 'Kabel' Weber. Blackbox Android: Breaking "Enterprise Class" Applications and Secure Containers by Marc Blanchou, Justine Osborne & Mathew Solnik (Security Consultants, iSEC Partners). Attacking The GPRS Roaming eXchange (GRX) by Philippe Langlois. Hacking Androids for Profit by Riley Hassell. iPhone Exploitation: One ROPe to Bind Them All? by Stefan Esser.
hashdays in October. Talks: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy.
That's it for now. I guess I missed a bunch of things during the last three weeks (two weeks of travel and one week of recovery!). If something major had happened in the mobile sec world, I guess I would have heard about it ;-)