Saturday, August 30 2014
Wednesday, July 30 2014
The Vegas week was as great as it can be, as anybody knows who has this ongoing love-hate relationship with the yearly pilgrimage.
The Blackphone kinda got rooted (ars on Blackphone root). I had to laugh so hard when I saw Jon running around in his new t-shirt.
The SecurityCookies project was a lot of fun. I think people really liked it, likely Guillaume and I had the most fun. We will likely do this again at some point.
The iPhone is finally getting NFC: iPhone 6 will reportedly feature NFC and Apple's own mobile payments platform. This should be a lot of fun cause everybody will scramble to actually build and deploy NFC now. I'm not really worried about NFC-payment insecurity but about all the other fun stuff that will be possible. Maybe I have to buy an iPhone 6 and continue my NFC work.
If I actually do get an iPhone I should also get the FLIR ONE, a thermal camera case for iPhones. There are various articles about what you could do with this and I think this could be super interesting to play with.
My friend Ravi released darshak, an Android app that notifies you if your phone receives silent SMS that are used for tracking your phone. It further displays current network security settings. This can be an indicator about your phone being connected to an IMSI-catcher. So far you need to have a Samsung Galaxy S3 to use this tool, but the S3 is fairly popular. I would like to see vendors providing information about phone network security parameters to the user.
44con September 10-11 London, UK: GreedyBTS: Hacking Adventures in GSM by Hacker Fantastic; Researching Android Device Security with the Help of a Droid Army by Joshua J. Drake (jduck); Manna from Heaven: Improving the state of wireless rogue AP attacks by Dominic White; On Her Majesty's Secret Service: GRX and a Spy Agency by Stephen Kho; Darshak: how to turn your phone into a low cost IMSI catcher device by Ravishankar Borgaonkar & Swapnil Udar
SEC-T September 18-19 Stockholm, Sweden: Attacking Mobile Broadband Modems Like A Criminal by Andreas Lindh
T2 October 23-24, Helsinki, Finland: Style over Substance - how OEMs are breaking Android security by Robert Miller; Reversing iOS Apps - a Practical Approach by Patrick Wardle; Darshak: how to turn your phone into a low cost IMSI catcher device by Ravishankar Borgaonkar and Swapnil Udar
BruCON September 25-26 in Ghent, Belgium: Stealing a Mobile Identity Using Wormholes by Markus Vervier.
August so far was my busiest month of the year, so I guess I missed a lot of what was going on.
Tuesday, June 24 2014
Not much to say about conferences in this post since in early August everybody will be in Las Vegas. I'll post an update after the
show is over.
The one thing I over read was the round tables that are going down at Black Hat. Specifically: EMBEDDED DEVICES ROUNDTABLE: EMBEDDING THE MODERN WORLD, WHERE DO WE GO FROM HERE? hosted by Don Bailey & Zach Lanier, MOBILE SECURITY ROUNDTABLE: WHAT DOES MOBILE SECURITY LOOK LIKE TODAY? WHAT WILL IT LOOK LIKE TOMORROW? hosted by Vincenzo Iozzo & Peiter Zatko and RESPONSIBLE DISCLOSURE ROUNDTABLE: YOU MAD BRO? hosted by Trey Ford look interesting.
There was a lot of fuss about iOS backdoors. I didn't have time to go into all details but the
basic facts seem to be that iOS has capabilities to exfiltrate data to paired computers.
The danger seems to lie in the fact that you can steal/copy the pairing from a computer.
The initial slide deck from Jonathan Zdziarski is available here. There was a huge follow-up discussion on Twitter. Roundup from Jonathan:
counter side from Violet Blue: 2
also see Dino Dai Zovi's post: 3
Thursday, May 29 2014
SyScan 360: Play With an Unpublished Kernel Vulnerability for iOS 7.0.x by windknown and dm557; Be cautious, there is an attack window in your android app by pLL; Click and Dagger: Denial and Deception on Android Smartphones by The Grugq; Advanced Bootkit Techniques on Android by Chen Zhangqi and Shen Di; Mobile Browsers Security: iOS by Lukasz Pilor and Pawel Wylecial
Defcon: Detecting Bluetooth Surveillance Systems by Grant Bugher; Android Hacker Protection Level 0 by Tim Strazzere and Jon Sawyer; Shellcodes for ARM: Your Pills Don't Work on Me, x86 by Svetlana Gaivoronski and Ivan Petrov; Blowing up the Celly - Building Your Own SMS/MMS Fuzzer by Brian Gorenc and Matt Molinyawe; Burner Phone DDOS 2 dollars a day : 70 Calls a Minute by Weston Hecker; NSA Playset : GSM Sniffing by Pierce and Loki
So people are still building SMS and MMS fuzzers in 2014. I'm really interested to see what new techniques the ZDI guys came up with.
Tuesday, April 22 2014
Recon: A Bedtime Tale for Sleepless Nights: Josh "m0nk" Thomas and Nathan Keltner; The Making of the Kosher Phone: Assaf Nativ
Shakacon: Researching Android Device Security with the Help of a Droid Army: Joshua Drake - Accuvant; Practical OpSec for Android Devices: The Grugq
ToorCamp: Collin Mulliner: Hacking Android Apps with Dynamic Instrumentation
Black Hat: ABUSING PERFORMANCE OPTIMIZATION WEAKNESSES TO BYPASS ASLR: Byoungyoung Lee & Yeongjin Jang & Tielei Wang; ANDROID FAKEID VULNERABILITY WALKTHROUGH: Jeff Forristal; ATTACKING MOBILE BROADBAND MODEMS LIKE A CRIMINAL WOULD: Andreas Lindh; CELLULAR EXPLOITATION ON A GLOBAL SCALE: THE RISE AND FALL OF THE CONTROL PROTOCOL: Mathew Solnik & Marc Blanchou; IT JUST (NET)WORKS: THE TRUTH ABOUT IOS 7'S MULTIPEER CONNECTIVITY FRAMEWORK: Alban Diquet; MOBILE DEVICE MISMANAGEMENT: Stephen Breen; REFLECTIONS ON TRUSTING TRUSTZONE: Dan Rosenberg; RESEARCHING ANDROID DEVICE SECURITY WITH THE HELP OF A DROID ARMY: Joshua Drake; SIDEWINDER TARGETED ATTACK AGAINST ANDROID IN THE GOLDEN AGE OF AD LIBS: Tao Wei & Yulong Zhang; STATIC DETECTION AND AUTOMATIC EXPLOITATION OF INTENT MESSAGE VULNERABILITIES IN ANDROID APPLICATIONS: Daniele Gallingani; UNDERSTANDING IMSI PRIVACY: Ravishankar Borgaonkar & Swapnil Udar; UNWRAPPING THE TRUTH: ANALYSIS OF MOBILE APPLICATION WRAPPING SOLUTIONS: Ron Gutierrez & Stephen Komal
Defcon: NSA Playset - GSM Sniffing: Pierce and Loki; more upcoming but they are not listed yet.
I'm really happy to see two talks accepted at Black Hat that investigate Mobile Device Management (MDM) systems and app wrapping
security solutions. This should be quite interesting since this is more or less the state of the art when it comes
to third-party mobile security applications.
I've been super busy in the last weeks, mostly work and travel, and more traveling coming up in a few days. Summer will be
pretty awesome again. My talk on GUI security was accepted at Black Hat, and so were the talks of many of my friends. This
should be a pretty epic year. Also I'm finally making it out to ToorCamp. More updates after I return from ASIA CCS.
Thursday, April 17 2014
Infiltrate has Joshua J. Drake: Researching Android Device Security with the Help of a Droid Army
IEEE Security and Privacy (academic) has a number of papers: Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating; The Peril of Fragmentation: Security Hazards in Android Device Driver Customizations; From Zygote to Morula: Fortifying Weakened ASLR on Android
ReCon has The Making of the Kosher Phone by Assaf Nativ (CFP not complete yet)
Hack in the Box Amsterdam has Shellcodes for ARM: Your Pills Don't Work on Me, x86; Exploring and Exploiting iOS Web Browsers; State of the ART: Exploring the New Android KitKat Runtime; On Her Majesty's Secret Service: GRX and a Spy Agency (HITB folks fix your website, finding talks and speakers is sooo hard I almost do not bother to do it - worst conference website I know!!)
ASIA CCS (academic) has a number of papers: Timothy Vidas, Nicolas Christin:
Evading Android Runtime Analysis via Sandbox Detection; Collin Mulliner, William Robertson, Engin Kirda: VirtualSwindle: An Automated Attack Against In-App Billing on Android; Min Zheng, Mingshen Sun, John C.S. Lui: DroidRay: A Security Evaluation System for Customized Android Firmwares;
Wenbo Yang, Juanru Li, Yuanyuan Zhang, Yong Li, Junliang Shu, Dawu Gu: APKLancet: Tumor Payload Diagnosis and Purification for Android Applications
Heartbleed and Mobile
Heartbleed and Android: I couldn't find any detailed discussion of Android itself or Android apps being vulnerable to the heartbleed attack. Sure, some apps are linked against
vulnerable versions of OpenSSL but I couldn't find any attack description. If you know anything specific please email me!
Check out reverseheartbleed.com, a heartbleed testing service for client software (e.g., web browsers).
SMS bulk operators vulnerable to heartbleed leak 2FA tokens, see heise.de (in German).
I'll be speaking at Duo Tech Talks in Ann Arbor, MI (this will be an IoT related talk).
I'm on a panel about Internet of Things security at The Security of Things Forum in Cambridge, MA.
Mid-End of May I'll spend some time in the Bay Area for IEEE S&P, with plenty of time afterward to hang out.
I'm also planning to go to ToorCamp, who else is going?
Wednesday, March 26 2014
I scanned Tor starting Friday April 11th and ended Sunday April 13th. I stopped cause I got enough evidence on leaked plain text.
I wasn't sure what to do with the data so I was sitting on it for a couple of days but then decided to just blog about it.
Tor doesn't have too many exitnodes; the nodes I was testing are Tor nodes in general, not only exitnodes. Nevertheless I found
a number of vulnerable exitnodes that leak plain text data.
The Tor Project has started to blacklist vulnerable nodes.
Tuesday April 7th I started my own investigations of the Heartbleed issue. In this blog post I want
to talk about one of the things I've been looking into, that is, the effect heartbleed has on TOR.
TOR heavily uses SSL to encrypt traffic between the various TOR nodes. TOR was obviously vulnerable as reported by the TOR project.
For my investigation I pulled a list of about 5000 TOR nodes using dan.me.uk. Using one of the many proof-of-concept
exploits I scanned the TOR nodes to determine if they are vulnerable. I found 1045 of the 5000 nodes to be vulnerable to the heartbleed bug, that is about 20%.
I briefly checked the leaked memory to determine if plain text is leaked that is related to TOR user traffic. Yes, TOR exitnodes that are vulnerable to heartbleed
leak plain text user traffic. You can find anything ranging from hostnames, downloaded web content, to session IDs, etc.
The majority of the vulnerable TOR nodes are located in Germany, Russia, France, Netherlands, United Kingdom, and Japan. The TOR network has more than
5000 nodes so this is not a complete picture but it provides a good overview of the possible number of vulnerable exitnodes.
The heartbleed bug basically allows anyone to obtain traffic coming in and out of TOR exitnodes (given that the actual connection that is run over TOR is
not encrypted itself). Of course a malicious party could run a TOR exitnode and inspect all the traffic that passes thru it, but this requires
running a TOR node in the first place. Using the heartbleed bug anyone can query vulnerable exitnodes to obtain TOR exit traffic.
There are a number of possible solutions for this problem. 1) update vulnerable TOR nodes (hopefully in progress), 2) create a blacklist of vulnerable TOR nodes and
avoid them, 3) stop using TOR until all nodes are updated.
Scan all TOR exitnodes to create a black list of vulnerable nodes so users can avoid them.
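Option 2 above, turned into client configuration, as an added example that is not part of the original post: it converts scan verdicts into `ExcludeNodes` / `ExcludeExitNodes` lines for a torrc. The input format, fingerprints and addresses are constructed for illustration.

```python
import re

FP_RE = re.compile(r"^[0-9A-F]{40}$")  # relay identity fingerprint: 40 hex chars

# Constructed scan output (not data from the post): fingerprint, address, flags, verdict.
FP_A, FP_B, FP_C = "A" * 40, "B" * 40, "C" * 40
SAMPLE_RESULTS = f"""\
# fingerprint address flags verdict
{FP_A} 192.0.2.10:443 Exit,Running vulnerable
{FP_B} 198.51.100.7:9001 Running vulnerable
{FP_C} 203.0.113.5:443 Exit,Running patched
${FP_A.lower()} 192.0.2.10:443 Exit,Running vulnerable
not-a-fingerprint 192.0.2.99:443 Exit vulnerable
"""

def build_exclude_lines(results, exits_only=False):
    """Return (torrc_lines, rejected_rows) for relays whose verdict is 'vulnerable'."""
    nodes, exits, rejected = set(), set(), []
    for row in results.splitlines():
        fields = row.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 4:
            rejected.append(row)
            continue
        fp, _addr, flags, verdict = fields
        fp = fp.lstrip("$").upper()          # normalise so duplicates collapse
        if not FP_RE.match(fp):
            rejected.append(row)             # never copy unvalidated text into torrc
            continue
        if verdict != "vulnerable":
            continue
        nodes.add(fp)
        if "Exit" in flags.split(","):
            exits.add(fp)
    if exits_only:
        chosen, option = exits, "ExcludeExitNodes"
    else:
        chosen, option = nodes, "ExcludeNodes"
    if not chosen:
        return [], rejected
    lines = [option + " " + ",".join("$" + fp for fp in sorted(chosen))]
    if not exits_only:
        lines.append("StrictNodes 1")        # treat ExcludeNodes as a requirement
    return lines, rejected

if __name__ == "__main__":
    for line in build_exclude_lines(SAMPLE_RESULTS)[0]:
        print(line)
```

Such a list goes stale as relays are patched, so it has to be regenerated from fresh scan results rather than kept indefinitely.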
One interesting thing I found is the large number of requests that seem to be originating from malware due to the domain names looking like the output of a DGA.
A few weeks ago I upgraded from a Galaxy Nexus to a Nexus 5. I therefore took the chance
and investigated lightweight and practical device hardening tools.
I didn't have anything specific in mind I just wanted to improve my overall situation.
Here is what I came up with.
File system encryption, of course, using the built-in functionality of Android.
To improve the security and usability I use Cryptfs Password to
have a separate passphrase for the file system encryption and the screen lock. This tool requires root.
Encrypted SMS and messaging using TextSecure. The application
is very user friendly and a nice replacement for Google Hangouts.
I started using SSHTunnel and ProxyDroid
to secure network traffic while traveling. In combination, both tools provide the ability to tunnel all network traffic of your device through any box you have SSH access on.
Both apps require root.
I'm trying out Pry-fi, a Wi-Fi privacy tool.
This category is a little hard to describe. I was looking for an app to vet APKs, but without using any AV software. I found Checksum;
this app calculates a checksum for each APK and compares it with a global repository that is fed with checksums from other users.
I further use my own tool TelStop to inspect TEL URIs to determine if they contain MMI codes.
If I was using an older Android device I would also install: ReKey to patch Master Key and X-Ray to
scan for vulnerabilities.
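The TEL URI check mentioned for TelStop above, sketched as an added example (this is not TelStop's code). The function name, the verdict labels and the conservative rule that any `*` or `#` in the dial string gets flagged are assumptions; the sample links are constructed.

```python
import re
from urllib.parse import unquote

# MMI layout after 3GPP TS 22.030: prefix (*, #, *#, **, ##), 2-3 digit service
# code, optional *-separated fields, terminating #.
MMI_RE = re.compile(r"^(?:\*\*|##|\*#|\*|#)\d{2,3}(?:\*[^#]*)?#$")
VISUAL_SEPARATORS = str.maketrans("", "", "-.() ")

def _decode(text, rounds=3):
    """Percent-decode repeatedly so a double-encoded %2523 still ends up as '#'."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify_tel_uri(uri):
    """Return (verdict, dial_string).

    verdict is one of: not-tel, number, mmi, suspicious, malformed.
    """
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return "not-tel", ""
    dial = _decode(rest).split(";", 1)[0]      # drop ;ext= / ;phone-context= parameters
    dial = dial.translate(VISUAL_SEPARATORS)   # "-", ".", "(", ")" and spaces carry no meaning
    if "*" in dial or "#" in dial:
        # Such strings may be interpreted by the dialer or the network instead of
        # being dialled, so they should never run without the user confirming.
        return ("mmi" if MMI_RE.match(dial) else "suspicious"), dial
    if re.fullmatch(r"\+?\d+", dial):
        return "number", dial
    return "malformed", dial

# Constructed sample links; *#06# only displays the IMEI.
SAMPLES = [
    "tel:+1-201-555-0123",
    "tel:*%2306%23",
    "TEL:%252A%252306%2523",
    "tel:555*1234",
    "https://example.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", classify_tel_uri(link))
```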
Many of the hardening apps I use require root access. Rooting is a tricky business and you should only do it if you know what you are getting into.
If you want to encrypt and root, first root then encrypt. Rooting a Nexus device is straightforward: unlock the bootloader, install su + superSU.
One thing to do is install a recovery image that can handle encrypted file systems like TWRP. A decent guide is posted here.
You should also consider re-locking your bootloader after rooting, see What's the security implication of having an unlocked boot loader?.
This is a lot of work and pretty painful when installing firmware patches, but you likely don't want to run around with an unlocked bootloader.
All together I'm pretty happy with this limited set of security applications. If you think I'm missing something important please let me know.