Tuesday, January 20 2015
Conferences
SyScan Singapore, March. Dmitry Kurbatov: Attacks on telecom operators and mobile subscribers using SS7: from DoS to call interception. Peter Fillmore: Crash & Pay: Owning and Cloning NFC Payment cards. Stefan Esser: iOS 678 Security - A Study in Fail.
Black Hat Asia Singapore, March. (IN)SECURITY OF MOBILE BANKING by Eric Filiol & Paul Irolla. ATTACKING SAP MOBILE by Vahagn Vardanyan & Dmitry Chastuhin. DABID: THE POWERFUL INTERACTIVE ANDROID DEBUGGER FOR ANDROID MALWARE ANALYSIS by Jin-hyuk Jung & Jieun Lee. HIDING BEHIND ANDROID RUNTIME (ART) by Paul Sabanal. RELAYING EMV CONTACTLESS TRANSACTIONS USING OFF-THE-SHELF ANDROID DEVICES by Jordi Van den Breekel. RESURRECTING THE READ_LOGS PERMISSION ON SAMSUNG DEVICES by Ryan Johnson & Angelos Stavrou. THE NIGHTMARE BEHIND THE CROSS PLATFORM MOBILE APPS DREAM by Marco Grassi & Sebastian Guerrero. WE CAN STILL CRACK YOU! GENERAL UNPACKING METHOD FOR ANDROID PACKER (NO ROOT) by Yeonung Park.
This year's SyScan unfortunatelly is the last one. Very sad to see this conference go away. SyScan was the first industry conference I spoke at!
There is a new mobile specific venu Black Hat Mobile Security Summit taking place in London in June.
The problem with unpatched bugs in Android continues: Google No Longer Provides Patches for WebView Jelly Bean and Prior. This is really one of the major issues of Android security in my opinion. In 2013 I was working on a system that helps to address this issue. Details can be found here: 1 2.
Links
Friday, January 02 2015
Conferences
ShmooCon January 2015. Knock Knock: A Survey of iOS Authentication Methods by David Schuetz; There's Waldo! Tracking Users via Mobile Apps by Colby Moore and Patrick Wardle; Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry by Kristen K. Greene, Joshua Franklin, and John Kelsey.
Black Hat Asia March. DABID: THE POWERFUL INTERACTIVE ANDROID DEBUGGER FOR ANDROID MALWARE ANALYSIS by Jin-hyuk Jung & Jieun Lee; HIDING BEHIND ANDROID RUNTIME (ART) by Paul Sabanal; RELAYING EMV CONTACTLESS TRANSACTIONS USING OFF-THE-SHELF ANDROID DEVICES by Jordi Van den Breekel.
Troopers March. Hacking FinSpy - a Case Study about how to Analyse and Defeat an Android Law-enforcement Spying App by Attila Marosi (not all speaker slots are filled)
31c3 Review
The Chaos Communication Congress was super fun again (no big surprise!). It was really good to see everybody again at the end of the year. As the congress is getting bigger and bigger every year it is hard to see people more once and I even missed a bunch of you guys! The talks were pretty good this year and I saw quite a few of them. Here a short overview of the mobile related talks that I actually saw live at the conference. Recordings are available: here Slides of most talks are linked in the schedule: here.
The SS7 talks were super interesting. I actually only saw 2 of the 3 talks on SS7 but I'll watch the third one once I get home. The summary of all the talks is: once you get access to SS7 you can easily track phones as often shown on TV shows. Commercial products exist to do this via SS7 (but depending on the manufacturer you cannot use it against every country).
SS7-based tracking can be implemented in various ways as Karsten Nohl showed. Very interesting is the fact that IMSI Catchers can benefit from SS7 access as it can be used to access to encryption keys. This basically allows building 3G IMSI catchers. Karsten Nohl showed this live on stage (he intercepted a SMS). SS7 access can be used to steal SMS messages by redirecting the delivery path in the HLR. All in all you can conclude that organizations with SS7 access can do a lot of interesting/bad things. Luckily all the German operators already block many of the security critical SS7 messages from entering their network. SRLabs also released and Android application that analyzes the debug messages from Qualcomm-based phones to determine if your phone is in an unfriendly cellular environment. The tool is called SnoopSnitch.
Slides: 1
2
I also really enjoyed the talk from Sylvain Munaut about GMR-based Sat-Phones (specifically the technology used by Thuraya). He presented the progress of the Osmocom project's implementation of an open GMR stack. One interesting detail was that you can break the GMR crypto within 500msec using a known plain text attack against the control traffic.
Slides: 1
The talk about pagers based on the Iridium satellite network was similar interesting. The presenters build an SDR-based Iridium receiver and sniffed some paging traffic as the satellite beam covers a large region they were able to receive quite a lot of interesting messages. Yes, the traffic is not encrypted! Their code is available here.
Slides: 1
The guys from @scadasl totally rocked the 31c3 as they also gave a lighting talk on their 4G modem research. No slides unfortunately.
The talk Ich sehe, also bin ich ... Du about biometrics vs. cameras by Starbug also looked into smartphone screen reflections in your eye. He showed that you can partially determine what your screen shows and what area you touched with your finger.
The guys from the 31c3 GSM network where playing with the Alert system while I was visiting them in their NOC. One of the results is this:
Links
Wednesday, December 10 2014
Conferences
Kiwicon (going down right now) Wellington, NZ. MitMing GSM with criminal intent by William "AmmonRa" Turner
31C3 Hamburg, Germany. (In)Security of Mobile Banking by Paul Irolla and Eric Filiol; Mobile self-defense by Karsten Nohl; osmo-gmr: What's new? by tnt; SS7: Locate. Track. Manipulate. by Tobias Engel; SS7map : mapping vulnerability of the international mobile roaming infrastructure by Laurent Ghigonis and Alexandre De Oliveira; Unlocking the bootloader of the BlackBerry 9900 by Alex
ShmooCon Washington D.C., Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry by Kristen K. Greene, Joshua Franklin, and John Kelsey (not all talks posted yet).
31C3 has an impressive number of good mobile security related talks, in addition to a lot of other good looking security talks. This will be good!
We recently finished a research project on end-to-end encryption for mobile messaging apps. The idea was to have a universal "plugin" that encrypts messages before they are handed over to the messaging app. This way you can use any messaging app with the add-on of end-to-end encryption (providing the other end has the same tool installed too). The result was BabelCrypt: The Universal Encryption Layer for Mobile Messaging Applications a joint project with my co-researchers and interns at NEU SecLab. The paper is going to be published in January 2015. A pre-print is available here: BabelCrypt.
News / Links
Word on the street is that all the cool kids are getting pagers again!
Sunday, November 23 2014
I'm still waiting for the 31C3 program to be released, but since I was reviewing the security submissions I can tell you that there will be a bunch of good mobile security related talks this year. As usual I will be in Hamburg to attend CCC.
So far there are no upcoming conferences that have released their program yet.
I've recently updated to Android 5.0. Overall I think it turned out quite nice. The changes related to notifications suck really badly. Apparently you cannot turn off audio and vibration but still get the visual notification (LED). I really liked the old way to set notifications: ring/vibrate/off.
The extended battery time everybody is talking about I don't recognize (Nexus 5). The more tight integration with googles services sucks too. Why does it need to show my google account logo on the top right of my status bar? This is useful for what?
Links and Stories:
Android bugs:
Thursday, October 23 2014
Time files, I've been super busy the last two month and will be busy until mid/end of November. I just relaized that
I haven't posted anything in September at all.
Conferences
Hack.Lu October 21-24: Stripping the controversial FinFisher application for Android phones by Attila Marosi; SherlockDroid, an Inspector for Android Marketplaces by Axelle Apvrille, Ludovic Apvrille
PacSec Tokyo, Nov 12-13: An Infestation of Dragons: Exploring Vulnerabilities in the ARM TrustZone Architecture by Josh "m0nk" Thomas, Charles Holmes, Nathan Keltner; Hey, we catch you - dynamic analysis of Android applications by
Wenjun Hu; Root via SMS: 4G access level security assessment by Sergey Gordeychik, Alexander Zaytsev; Blowing up the Celly - Building Your Own SMS/MMS Fuzzer by Brian Gorenc and Matt Molinyawe.
DeepSec Vienna, Nov 18-21: Mobile SSL Failures by Tony Trummer & Tushar Dalvi; TextSecure and RedPhone-bring them to iOS by Christine Corbett; Creating a kewl and simple Cheating Platform on Android by Milan Gabor & Danijel Grah
There is again a new talk on SMS and MMS fuzzing. I really wonder what is going to be different from all the previous work?
Links
Tuesday, October 07 2014
I just moved all my domains to a new box. Hope everything is working ;-)
Saturday, August 30 2014
The Vegas week was as great as it can be as anybody knows who has this ongoing love hate relationship with the yearly pilgrimage.
The Blackphone kinda got rooted, ars on Blackphone root I had to laugh so hard when I saw Jon running around in his new t-shirt.
The SecurityCookies project was a lot of fun. I think people really liked it, likely Guillaume and I had the most fun. We will likely do this again at some point.
The iPhone is finally getting NFC iPhone 6 will reportedly feature NFC and Apple's own mobile payments platform. This should be a lot of fun cause everybody will scramble to actually build and deploy NFC now. I'm not really worried about NFC-payment insecurity but about all the other fun stuff that will be possible. Maybe I have to buy an iPhone 6 and continue my NFC work.
If I actually do get an iPhone I should also get the FLIR ONE an thermal camera case for iPhones. There are various articles about what you could do with this and I think this could be super interesting to play with.
My friend Ravi released darshak an Android app that notifies you if your phone receives silent SMS that are used for tracking your phone. It further displays current network security settings. This can be an indicator about your phone being connected to an IMSI-catcher. So far you need to have a Samsung Galaxy S3 to use this tool, but the S3 is fairly popular. I would like to see vendors providing information about phone network security parameters to the user.
Conferences
44con September 10-11 London, UK: GreedyBTS: Hacking Adventures in GSM by Hacker Fantastic; Researching Android Device Security with the Help of a Droid Army by Joshua J. Drake (jduck); Manna from Heaven; Improving the state of wireless rogue AP attacks by Dominic White; On Her Majesty's Secret Service: GRX and a Spy Agencyby Stephen Kho; Darshak: how to turn your phone into a low cost IMSI catcher device by Ravishankar Borgaonkar & Swapnil Udar
SEC-T September 18-19 Stockholm, Sweden: Attacking Mobile Broadband Modems Like A Criminal by Andreas Lind
T2 October 23-24, Helsinki, Finland: Style over Substance - how OEMs are breaking Android security by Robert Miller; Reversing iOS Apps - a Practical Approach by Patrick Wardle; Darshak: how to turn your phone into a low cost IMSI catcher device by Ravishankar Borgaonkar and Swapnil Udar
BruCON September 25-26 in Ghent, Belgium: Stealing a Mobile Identity Using Wormholes by Markus Vervier.
Links
August so far was my busiest month of the year, so I guess I missed a lot of what was going on.
