Thursday, April 17 2014
Update 2:
I scanned Tor starting Friday April 11th and ended Sunday April 13th. I stopped cause I got enough evidence on leaked plain text.
I wasn't sure what to do with the data so I was sitting on it for a couple of days but than decided to just blog about it.
Update:
Tor doesn't have too many exitnodes, the nodes I was testing are Tor nodes in general not only exitnodes. Never the less I found
a number of vulnerable exitnodes that leak plain text data.
The Tor Project has started to black list vulnerable nodes.
Tuesday April 7th I started my own investigations of the Heartbleed issue. In this blog post I want
to talk about one of the things I've been looking into that is the effect heartbleed has on TOR.
TOR heavily uses SSL to encrypt traffic between the various TOR nodes. TOR was obviously vulnerable as reported by the TOR project.
For my investigation I pulled a list of about 5000 TOR nodes using dan.me.uk. Using one of the many proof-of-concept
exploits I scanned the TOR nodes to determine if they are vulnerable. I found 1045 of the 5000 nodes to be vulnerable to the heartbleed bug, that is about 20%.
I briefly checked the leaked memory to determine if plain text is leaked that is related to TOR user traffic. Yes, TOR exitnodes that are vulnerable to heartbleed
leak plain text user traffic. You can find anything ranging from hostnames, downloaded web content, to session IDs, etc.
The majority of the vulnerable TOR nodes are located in Germany, Russia, France, Netherlands, United Kingdom, and Japan. The TOR network has more than
5000 nodes so this is not a complete picture but it provides a good overview of the possible number of vulnerable exitnodes.
The heartbleed bug basically allows any one to obtain traffic coming in and out of TOR exitnodes (given that the actual connection that is run over TOR is
not encrypted itself). Of course a malicious party could run a TOR exitnode and inspect all the traffic that passes thru it, but this requires
running a TOR node in the first place. Using the heartbleed bug anyone can query vulnerable exitnodes to obtain TOR exit traffic.
There are a number of possible solutions for this problem. 1) update vulnerable TOR nodes (hopefully in progress), 2) create a blacklist of vulnerable TOR nodes and
avoid them, 3) stop using TOR until all nodes are updated.
Further Steps:
Scan all TOR exitnodes to create a black list of vulnerable nodes so users can avoid them.
Notes:
One interesting thing I found is the large number of requests that seem to be originating from malware due to the domain names looking like the output of a DGA.
Links:
Wednesday, March 26 2014
A few weeks ago I upgraded from a Galaxy Nexus to a Nexus 5. I therefore took the chance
and investigated lightweight and practical device hardening tools.
I didn't have anything specific in mind I just wanted to improve my overall situation.
Here is what I came up with.
Basics:
File system encryption, of course, using the build-in functionality of Android.
To improve the security and usability I use Cyrptfs Password to
have a separate passphrase for the file system encryption and the screen lock. This tool requires root.
Encrypted SMS and messaging using TextSecure. The application
is very user friendly and a nice replacement for Google Hangout.
Network:
I started using SSHTunnel and ProxyDroid
to secure network traffic while traveling. In combination both tools provide the ability to tunnel all network traffic of your device through any box you have a SSH access on.
Both apps require root.
I'm trying out Pry-fi a Wifi privacy tool.
App Security:
This category is a little hard to describe. I was looking for an app to vet APK, but without using any AV software. I found Checksum,
this app calculates a checksum for each APK and compares it with a global repository that is feed with checksums from other users.
I further using my own tool TelStop to inspect TEL Uri to determine if the contain MMI codes.
If I was using an older Android device I would also install: ReKey to patch Master Key and X-Ray to
scan for vulnerabilities.
Rooting:
Many of the hardening apps I use require root access. Rooting is a tricky business and you should only do it if you know what you are getting into.
If you want to encrypt and root, first root then encrypt. Rooting a Nexus device is straightforward, unlock the bootloader, install su + superSU.
One thing todo is install a recovery image that can handle encrypted file systems like TWRP. A decent guide is posted here.
You should also consider re-locking your bootloader after rooting, see What's the security implication of having an unlocked boot loader?.
This is a lot of work and pretty painful when installing firmware patches, but you likely don't want to run around with a unlocked bootloader.
All together I'm pretty happy with this limited set of security applications. If you think I'm missing something important please let me know.
Monday, March 03 2014
Conferences
InfoSecSouthWest April 4-6 Austin Texas. jduck: Android Security Research and Testing at Scale. Thomas Wang: Breaking through the bottleneck: Mobile malware is outbreak spreading like wildfire.
CFPs
TextSecure: secure and easy to use text (SMS) for Android (and soon iOS)
I'm not really into advertising for stuff here but the recent update of
TextSecure made a gigantic impression on me. The application works well, is uber user friendly, and looks just great.
They further added IM like functionality (using IP rather then SMS), see here: The New TextSecure: Privacy Beyond SMS. Further there is the possibility to run your own
server for TextSecure IP backend, see here.
I switched to TextSecure for a number of reasons: transparent encrypted SMS, super usable application (I can finally stop using the Hangout app - worst thing so far on my Nexus 5), TextSecure source code is available, and did I mention that the UI looks really great? All in all this is good quality security software that even looks better then the less secure competitors, YES!
WebViews and Security on Android
The security (insecurity) of WebView lately got a lot of attention.
There has been some early academic work such as A View to A Kill: WebView Exploitation by Matthias Neugschwandtner et al. Then there was Dave Hartley's blog post on ad-network security. Most recently Joshua 'jduck' Drake wrote a very detailed blog post about the WebView addJavaScriptInterface Saga. All in all the WebView story is not over for sure as WebViews are a widely used framework feature of Android. I'll keep following this issue for sure.
Links
Saturday, January 25 2014
This is an early update for February. Two reasons, I have stuff to write
about right now, second I'm going to be super busy in February.
This year I attended ShmooCon for the first time. I liked it a lot and plan
to go again. I didn't know ShmooCon was running for 10 years already. They
seem to have a good grip on the conference and don't let it explode in size.
Conferences
CanSecWest one of my favorite cons (maybe my #1). Talks: No Apology Required: Deconstructing Blackberry10 - Zach Lanier, Ben Nei ; Duo Security & Accuvant. Outsmarting Bluetooth Smart - Mike Ryan ; iSEC Partners. The Real Deal of Android Device Security: the Third Party - Colin Mulliner, Jon Oberheide ; Northwestern University, Duo Security.
Troopers (Heidelberg, Germany). There is one mobile talk in the main conference but there in addition they have TelSecDay (invite only) that focuses on Telecommunication security. The main conference talk is: Modern smartphone forensics: Apple iOS: from logical and physical acquisition to iCloud backups, document storage and keychain; encrypted BlackBerry backups (BB 10 and Olympia Service)
by Vladimir Katalov.
nullcon (Goa, India) has a mobile talk this year: Modern smartphone forensics: Apple iCloud, encrypted BlackBerry backups, Windows Phone 8 cloud backup - by Vladimir Katalov.
SyScan 2014 looks super awesome this year. Josh "Monk" Thomas : "How to train your Snapdragon: Exploring Power Regulation Frameworks on Android". Dr Thaddeus (The) Grugq : "Click and Dragger: Denial and Deception on Android Smartphones". Alex Plaskett & Nick Walker "Navigating a sea of Pwn? : Windows Phone 8 AppSec".
Black Hat Asia THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES by Simon Roses Femerling.
HITB Amsterdam Shellcodes for ARM: Your Pills Don't Work on Me, x86 by SVETLANA GAIVORONSKI and IVAN PETROV.
RootedCON (Spain) talks: Raul Siles - iOS: Regreso al futuro, Pau Oliva - Bypassing wifi pay-walls with Android. Some talks look like they are mobile talks too :) (my Spanish is kinda bad)
Links
There are a lot of interesting talks in the next month. I'm working on (and finished) some interesting projects that I can hopefully talk about soon.
Our Android book is finalized and thus should be available in April.
The Defcon CFP is already open so make sure you submit your talks early. Also checkout Area 41 a fine security conference in Switzerland, the CFP is still open.
This year I'm co-chairing ARES an academic security conference. Please consider submitting your papers.
If you are interested in NFC (Near Field Communication) check out the current draft of the Web NFC API. The standard defines how a "web page" can interact with NFC devices.
Sunday, January 05 2014
30C3 was
awesome. A lot of good talks, many friendly people, and an awesome location.
The recordings of all talks can be found here.
The slides and source for my talk Android DDI are available here: slides and source.
I was super busy so I guess I missed a lot that was going on in the 2nd half of December. I will start posting stuff again later this month.
I'm going to ShmooCon in mid January and to Troopers in March.
Advertisement: If you are a computer science student and are interested in security and want to spent some time in the US, please contact me. I'm always looking for motivated people to do research with.
Thursday, November 21 2013
Conferences
30c3 did not announce the program yet but I know a bunch of people who got their talks accepted. It is going to be a good conference. I will talk about my Dynamic Dalvik Instrumentation framework for Android (more about this soon).
ShmooCon has announced a number of talks. Armor For Your Android Apps by Roman Faynberg, Apple iOS Certificate Tomfoolery by Tim Medin, How Smart Is Bluetooth Smart? by Mike Ryan, Protecting Sensitive Information on iOS Devices by David Schuetz
News and Links
I bet I missed a lot of stuff that happened in the last weeks.
I'm going to be at 30c3 in Hamburg, Germany between Christmas an New Years.
Friday, October 11 2013
September was a busy month, but the monthly update is back!
Conferences
HACK.LU Debugging and Reversing the HTC Android Bootloader by Cedric Halbronn and Nicolas Hureau, Grand Theft Android: Phishing with permission by Joany Boutet and Tom Leclerc, Abusing Dalvik Beyond Recognition by Jurriaan Bremer, Playing Hide and Seek with Dalvik executables by Axelle Apvrille. So Hack.Lu has a lot of Android talks this year, but most of the other talks look super interesting too. I would love to go, but can't.
PacSec Tokyo, November 2013. "Android games + free Wi-Fi = Privacy leak" Takayuki Sugiura & Yosuke Hasegawa, NetAgent, @hasegawayosuke, "Defeating the protection mechanism on Android platform"
Tim Xia, Baidu, "Mobile Phone Baseband Exploitation in 2013: Hexagon challenges"
Dr. Ralf-Philipp Weinmann, Affiliation, @esizkur, "Deeper than ever before: Exploring, Subverting, Breaking and Pivoting with NAND Flash Memory"
Josh m0nk Thomas. The PacSec program kicks ass!
Missed conferences: ekopart 2013 they had a bunch of mobile (mostly Android) talks.
Links