...stuff I do and things I like...

Wednesday, December 10 2014

Mobile Security News Update December 2014

    Kiwicon (going down right now) Wellington, NZ. MitMing GSM with criminal intent by William "AmmonRa" Turner

    31C3 Hamburg, Germany. (In)Security of Mobile Banking by Paul Irolla and Eric Filiol; Mobile self-defense by Karsten Nohl; osmo-gmr: What's new? by tnt; SS7: Locate. Track. Manipulate. by Tobias Engel; SS7map : mapping vulnerability of the international mobile roaming infrastructure by Laurent Ghigonis and Alexandre De Oliveira; Unlocking the bootloader of the BlackBerry 9900 by Alex

    ShmooCon Washington D.C., Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry by Kristen K. Greene, Joshua Franklin, and John Kelsey (not all talks posted yet).

31C3 has an impressive number of good mobile security related talks, in addition to a lot of other good looking security talks. This will be good!

We recently finished a research project on end-to-end encryption for mobile messaging apps. The idea was to have a universal "plugin" that encrypts messages before they are handed over to the messaging app. This way you can use any messaging app with the add-on of end-to-end encryption (providing the other end has the same tool installed too). The result was BabelCrypt: The Universal Encryption Layer for Mobile Messaging Applications a joint project with my co-researchers and interns at NEU SecLab. The paper is going to be published in January 2015. A pre-print is available here: BabelCrypt.

News / Links

Word on the street is that all the cool kids are getting pagers again!

Sunday, November 23 2014

Mobile Security News Update November 2014

I'm still waiting for the 31C3 program to be released, but since I was reviewing the security submissions I can tell you that there will be a bunch of good mobile security related talks this year. As usual I will be in Hamburg to attend CCC.

So far there are no upcoming conferences that have released their program yet.

I've recently updated to Android 5.0. Overall I think it turned out quite nice. The changes related to notifications suck really badly. Apparently you cannot turn off audio and vibration but still get the visual notification (LED). I really liked the old way to set notifications: ring/vibrate/off. The extended battery time everybody is talking about I don't recognize (Nexus 5). The more tight integration with googles services sucks too. Why does it need to show my google account logo on the top right of my status bar? This is useful for what?

Links and Stories: Android bugs:

Thursday, October 23 2014

Mobile Security News Update October 2014

Time files, I've been super busy the last two month and will be busy until mid/end of November. I just relaized that I haven't posted anything in September at all.

    Hack.Lu October 21-24: Stripping the controversial FinFisher application for Android phones by Attila Marosi; SherlockDroid, an Inspector for Android Marketplaces by Axelle Apvrille, Ludovic Apvrille

    PacSec Tokyo, Nov 12-13: An Infestation of Dragons: Exploring Vulnerabilities in the ARM TrustZone Architecture by Josh "m0nk" Thomas, Charles Holmes, Nathan Keltner; Hey, we catch you - dynamic analysis of Android applications by Wenjun Hu; Root via SMS: 4G access level security assessment by Sergey Gordeychik, Alexander Zaytsev; Blowing up the Celly - Building Your Own SMS/MMS Fuzzer by Brian Gorenc and Matt Molinyawe.

    DeepSec Vienna, Nov 18-21: Mobile SSL Failures by Tony Trummer & Tushar Dalvi; TextSecure and RedPhone-bring them to iOS by Christine Corbett; Creating a kewl and simple Cheating Platform on Android by Milan Gabor & Danijel Grah

There is again a new talk on SMS and MMS fuzzing. I really wonder what is going to be different from all the previous work?


Tuesday, October 07 2014

New Webserver

I just moved all my domains to a new box. Hope everything is working ;-)

Saturday, August 30 2014

Mobile Security News Update August 2014

The Vegas week was as great as it can be as anybody knows who has this ongoing love hate relationship with the yearly pilgrimage.

The Blackphone kinda got rooted, ars on Blackphone root I had to laugh so hard when I saw Jon running around in his new t-shirt.

The SecurityCookies project was a lot of fun. I think people really liked it, likely Guillaume and I had the most fun. We will likely do this again at some point.

The iPhone is finally getting NFC iPhone 6 will reportedly feature NFC and Apple's own mobile payments platform. This should be a lot of fun cause everybody will scramble to actually build and deploy NFC now. I'm not really worried about NFC-payment insecurity but about all the other fun stuff that will be possible. Maybe I have to buy an iPhone 6 and continue my NFC work.

If I actually do get an iPhone I should also get the FLIR ONE an thermal camera case for iPhones. There are various articles about what you could do with this and I think this could be super interesting to play with.

My friend Ravi released darshak an Android app that notifies you if your phone receives silent SMS that are used for tracking your phone. It further displays current network security settings. This can be an indicator about your phone being connected to an IMSI-catcher. So far you need to have a Samsung Galaxy S3 to use this tool, but the S3 is fairly popular. I would like to see vendors providing information about phone network security parameters to the user.

    44con September 10-11 London, UK: GreedyBTS: Hacking Adventures in GSM by Hacker Fantastic; Researching Android Device Security with the Help of a Droid Army by Joshua J. Drake (jduck); Manna from Heaven; Improving the state of wireless rogue AP attacks by Dominic White; On Her Majesty's Secret Service: GRX and a Spy Agencyby Stephen Kho; Darshak: how to turn your phone into a low cost IMSI catcher device by Ravishankar Borgaonkar & Swapnil Udar

    SEC-T September 18-19 Stockholm, Sweden: Attacking Mobile Broadband Modems Like A Criminal by Andreas Lind

    T2 October 23-24, Helsinki, Finland: Style over Substance - how OEMs are breaking Android security by Robert Miller; Reversing iOS Apps - a Practical Approach by Patrick Wardle; Darshak: how to turn your phone into a low cost IMSI catcher device by Ravishankar Borgaonkar and Swapnil Udar

    BruCON September 25-26 in Ghent, Belgium: Stealing a Mobile Identity Using Wormholes by Markus Vervier.

August so far was my busiest month of the year, so I guess I missed a lot of what was going on.

Wednesday, July 30 2014

Mobile Security News Update July 2014

Not much to say about conferences in this post since in early August everybody will be in Las Vegas. I'll post an update after the show is over.

The one thing I over read was the round tables that are going down at Black Hat. Specifically: EMBEDDED DEVICES ROUNDTABLE: EMBEDDING THE MODERN WORLD, WHERE DO WE GO FROM HERE? hosted by Don Bailey & Zach Lanier, MOBILE SECURITY ROUNDTABLE: WHAT DOES MOBILE SECURITY LOOK LIKE TODAY? WHAT WILL IT LOOK LIKE TOMORROW? hosted by Vincenzo Iozzo & Peiter Zatko and RESPONSIBLE DISCLOSURE ROUNDTABLE: YOU MAD BRO? hosted by Trey Ford look interesting.

There was a lot of fuzz about iOS backdoors. I didn't have time to go into all details but the basic facts seem to be that iOS has capabilities to exfiltrate data to paired computers. The danger seems to lie in that fact that you can steal/copy the paring from a computer. The initial slide deck from Jonathan Zdziarski are available here. There was a huge follow up discussion on twitter. Roundup from the Jonathan: 1 counter side from Violet Blue: 2 also see Dino Dai Zovi's post: 3


Tuesday, June 24 2014

Mobile Security News Update June 2014

    SyScan 360 Play With an Unpublished Kernel Vulnerability for iOS 7.0.x by windknown and dm557; Be cautious, there is an attack window in your android app by pLL; Click and Dagger: Denial and Deception on Android Smartphones by The Grugq; Advanced Bootkit Techniques on Android by Chen Zhangqi and Shen Di; Mobile Browsers Security: iOS by Lukasz Pilor and Pawel Wylecial

    Defcon Detecting Bluetooth Surveillance Systems by Grant Bugher; Android Hacker Protection Level 0 by Tim Strazzere and Jon Sawyer; Shellcodes for ARM: Your Pills Don't Work on Me, x86 by Svetlana Gaivoronski and Ivan Petrov; Blowing up the Celly - Building Your Own SMS/MMS Fuzzer by Brian Gorenc and Matt Molinyawe; Burner Phone DDOS 2 dollars a day : 70 Calls a Minute by Weston Hecker; NSA Playset : GSM Sniffing by Pierce and Loki

So people are still building SMS and MMS fuzzers in 2014. I'm really interested to see what new techniques the ZDI guys came up with.