Thursday, November 19 2015
Friday, October 23 2015
Sunday, October 04 2015
ekoparty October 21-23, Buenos Aires.
ARM disassembling with a twist by Agustin Gianni and Pablo Sole.
Exploiting GSM and RF to Pwn you Phone by Manuel Moreno and Francisco Cortes.
Faux Disk Encryption: Realities of Secure Storage on Mobile Devices by Drew Suarez and Daniel Mayer.
New Age Phreacking: Tacticas y trucos para fraudes en Wholesale by David Batanero.
Hackito Ergo Sum October 29-30, Paris, France.
Malicious AVPs: Exploits to the LTE Core by Laurent Ghigonis & Philippe Langlois.
Android malware that won't make you fall asleep by Lukasz Siewierski.
The RIM BlackBerry PRIV looks like a really interesting device. The PRIV seems to focus on security. The website claims a hardened Linux kernel, and indeed they seem to run a grsec kernel, as you can see in this picture (lower left corner) posted on the Crackberry forum. Some comments about this in this series of tweets.
There is a new security news outlet with a focus on the consumer angle; it is called The Parallax. It is super new and does not have many articles yet, but I think the consumer focus could be interesting.
Job Section (just because I know about a bunch of stuff)
Tuesday, September 01 2015
Black Hat Europe November, Amsterdam NL. ALL YOUR ROOT CHECKS BELONG TO US: THE SAD STATE OF ROOT DETECTION by Azzedine Benameur & Nathan Evans & Yun Shen.
ANDROBUGS FRAMEWORK: AN ANDROID APPLICATION SECURITY VULNERABILITY SCANNER by Yu-Cheng Lin.
AUTHENTICATOR LEAKAGE THROUGH BACKUP CHANNELS ON ANDROID by Guangdong Bai.
FAUX DISK ENCRYPTION: REALITIES OF SECURE STORAGE ON MOBILE DEVICES by Daniel Mayer & Drew Suarez.
FUZZING ANDROID: A RECIPE FOR UNCOVERING VULNERABILITIES INSIDE SYSTEM COMPONENTS IN ANDROID by Alexandru Blanda.
LTE & IMSI CATCHER MYTHS by Ravishankar Borgaonkar & Altaf Shaik & N. Asokan & Valtteri Niemi & Jean-Pierre Seifert.
TRIAGING CRASHES WITH BACKWARD TAINT ANALYSIS FOR ARM ARCHITECTURE by Dongwoo Kim & Sangwho Kim.
Secret Conference October 9th, NYC. Talks by Jon Callas and Dan Ford from Silent Circle / Blackphone.
Ruxcon October 24-25 Melbourne, Aus. TEAM PANGU on DESIGN, IMPLEMENTATION AND BYPASS OF THE CHAIN-OF-TRUST MODEL OF IOS.
MARK DOWD on MALWAIRDROP: COMPROMISING IDEVICES VIA AIRDROP.
JOSHUA KERNELSMITH SMITH on HIGH-DEF FUZZING: EXPLORING VULNERABILITIES IN HDMI-CEC.
BABIL GOLAM SARWAR on HACK NFC ACCESS CARDS & STEAL CREDIT CARD DATA WITH ANDROID FOR FUN & PROFIT.
COLBY MOORE on SPREAD SPECTRUM SATCOM HACKING: ATTACKING THE GLOBALSTAR SDS.
ToorCon San Diego October 24-25, San Diego, CA.
The Phr3$h Pr1nc3 0f Bellk0r3 on Fuzzing GSM for fun and profit.
SyScan360i October 21-22 Beijing China.
Fuzzing Android System Service by Binder Call to Escalate Privilege by Guang Gong.
PacSec November, Tokyo JP.
BlueToot / BlueProx - when Bluetooth met NFC by Adam Laurie.
ZeroNights 25-26 November, Russia.
Extracting the painful (Blue)tooth by Matteo Beccaro and Matteo Collura.
HP / ZDI will not run Mobile Pwn2Own at PacSec (in Japan) due to export restrictions.
Source Dragos Ruiu.
This is unfortunate.
Personal note: Since September I'm working for Square doing mobile security engineering. This blog will only be temporarily affected by the job switch; as I get settled I will return to more than one post per month.
Tuesday, August 18 2015
Black Hat Europe Nov 12-13 Amsterdam. (IN-)SECURITY OF BACKEND-AS-A-SERVICE by Siegfried Rasthofer & Steven Arzt. ALL YOUR ROOT CHECKS BELONG TO US: THE SAD STATE OF ROOT DETECTION by Azzedine Benameur & Nathan Evans & Yun Shen. AUTHENTICATOR LEAKAGE THROUGH BACKUP CHANNELS ON ANDROID by Guangdong Bai. LTE & IMSI CATCHER MYTHS by Ravishankar Borgaonkar & Altaf Shaik.
Ruxcon Oct 25. Melbourne Australia. HIGH-DEF FUZZING: EXPLORING VULNERABILITIES IN HDMI-CEC by JOSHUA 'KERNELSMITH' SMITH. DESIGN, IMPLEMENTATION AND BYPASS OF THE CHAIN-OF-TRUST MODEL OF IOS by Team Pangu.
Hacker Halted September 17th, Atlanta GA. One SMS to hack a company by Dmitry Chastuhin. Why You'll Care More About Mobile Security in 2020 by Tom Bain.
Virus Bulletin September 29th, Prague. Mobile banking fraud via SMS in North America: who's doing it and how by Cathal Mc Daid. Will Android trojan, worm or rootkit survive in SEAndroid and containerization? by William Lee and Rowland Yu. Dare 'DEVIL': beyond your senses with Dex Visualizer by Jun Yong Park and Seolwoo Joo. Android ransomware: turning CryptoLocker into CryptoUnlocker (live demo) by Alexander Adamov.
Unfortunately I had to cancel my talk at Android Security Symposium in Vienna due to a scheduling conflict. It is a real bummer but I can't do anything about it. The replacement talk is done by my friend and research buddy Matthias; he is doing a talk on one of our previous mitigation projects.
The iOS KeyRaider malware looks rather interesting. It combines a lot of different functionality, such as stealing AppStore credentials and a ransomware module. This malware again only targets jailbroken iOS devices; users specifically had to download apps from third-party Cydia repositories. So this is not a general threat but a threat to people who jailbreak their device. If you jailbreak you likely have a very specific need and you hopefully know what you are doing. If not, just don't jailbreak your device (no matter what OS it runs).
I just found this recently published paper titled: Header Enrichment or ISP Enrichment? Emerging Privacy Threats in Mobile Networks. The paper studies HTTP header modification and injection done by mobile network operators. The paper is more or less a direct follow-up to my paper on the same subject titled: Privacy Leaks in Mobile Phone Internet Access. Their paper looks at what happens to smartphones that actually use HTTP (my work was mostly focused on phones that used the WAP technology - even though WAP was translated to HTTP to access regular web pages). Anyway, their paper provides good insight into what is happening. If you run a website that gets a lot of mobile traffic you should check whether you see some of the HTTP headers that are injected by the mobile carriers.
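A sketch of the check suggested above, as an added example that is not from the original post or from either paper: it scans raw HTTP requests for carrier-style identifier headers and redacts the values it reports. The names in `KNOWN_INJECTED` are publicly documented carrier headers chosen here as assumptions (the post lists none), `X-Carrier-IMSI-Hash` is a made-up name, and the sample requests are constructed.

```python
import re

# Header names publicly documented as carrier-injected subscriber identifiers.
# Assumption: illustrative list, not taken from the post; extend it as needed.
KNOWN_INJECTED = {
    "x-uidh", "x-acr", "x-msisdn", "x-nokia-msisdn",
    "x-up-calling-line-id", "x-up-subno", "x-imsi", "x-imei",
}
# Heuristic for unlisted names that embed a subscriber-identifier keyword.
SUSPICIOUS_NAME = re.compile(r"(msisdn|imsi|imei|subno|calling-line)", re.I)


def parse_headers(raw_request):
    """Return [(name, value)] from a raw HTTP/1.x request head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def redact(value):
    """Keep a 4-character prefix so reports never store the full identifier."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def find_injected(raw_request):
    """Return [(header, redacted value, reason)] for carrier-style headers."""
    findings = []
    for name, value in parse_headers(raw_request):
        lname = name.lower()
        if lname in KNOWN_INJECTED:
            findings.append((name, redact(value), "known"))
        elif SUSPICIOUS_NAME.search(lname):
            findings.append((name, redact(value), "heuristic"))
    return findings


# Constructed sample requests (not real traffic; identifiers are made up).
SAMPLE_MOBILE = (
    "GET /index.html HTTP/1.1\r\nHost: example.org\r\n"
    "User-Agent: ExampleBrowser/1.0\r\nX-MSISDN: 15550100123\r\n"
    "X-Carrier-IMSI-Hash: abcdef0123456789\r\n\r\n"
)
SAMPLE_CLEAN = "GET / HTTP/1.1\r\nHost: example.org\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    print(find_injected(SAMPLE_MOBILE))
```

Injected headers only survive on plain HTTP, so run this where requests are first received, before a proxy or load balancer strips unknown headers.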
A rather short update this time. Until next time!
Tuesday, July 21 2015
Finally I have time to write a new blog post again.
The last couple of weeks have been super busy for me.
I had to finish a project, prepare a talk about it, and give a bunch of talks at various places in July and August.
T2 Helsinki, Finland. LTE (in) Security Ravishankar Borgaonkar & Altaf Shaik.
BalCCon Novi Sad, Vojvodina, Serbia. Private communications with mobile phones in the post-Snowden world, the _open_source_ way by Bojan Smiljanic.
APPSEC USA San Francisco, CA. QARK: Android App Exploit and SCA Tool by Tushar Dalvi and Tony Trummer. SecureMe - Droid' Android Security Application by Vishal Asthana and Abhineet Jayaraj. OWASP Reverse Engineering and Code Modification Prevention Project (Mobile) by Jonathan Carter. ShadowOS: Modifying the Android OS for Mobile Application Testing by Ray Kelly.
GrrCon Grand Rapids, MI. Phones and Privacy for Consumers by Matthew and David
I recently bought an Apple Watch. The primary reason was fun. Also, since I switched to Two-Factor Authentication (2FA) for all my private infrastructure and all my web accounts that support it, I thought it would make life easier. I use Duo 2FA for my own stuff and they have a Watch app which is pretty convenient.
Before that I owned the first Pebble watch. I liked that a lot even though I had a lot of issues with the Bluetooth connection between the Pebble and my Nexus 5. Sometimes it worked great and sometimes it just didn't work at all.
I also got a LG G Watch R (W110) (Android Wear) but I didn't really use it. It was much too big for my wrist. Also the round display was kinda strange. Some of the apps seem to not be designed for it and cut off parts of the information that should be displayed. I also found the interface to be confusing, but this might be due to my very very short trial run of the watch.
Between the Pebble and the LG Watch I also had a Toq, but the Toq had many issues besides its size so I never really used it. I tried to wear it like once.
Anyway, the only reason I write about smartwatches is because I really like the Duo 2FA watch app. This makes 2FA much much easier and user friendly. I know I'm not the first to write about smartwatches or wearables in the security context but the user friendliness could really make a difference. Also a watch is harder to lose than a token (if you still use one of those).
I guess I don't have to say much about the Stagefright series of Android security vulnerabilities. The vulnerabilities are present in Android's media format handling library (named stagefright). Several factors make these bugs interesting. First, every Android version after 2.2 was vulnerable (at the time of discovery); that was around 95% of all devices. Second, the bug can be remotely triggered via MMS. Yes MMS once again provides the ultimate attack vector against smartphones. Who would have known? ;-)
The bug was patched relatively fast by Google since Joshua provided patches. Google started shipping OTA updates for their Nexus devices relatively fast. Still, most Android devices will not get patched or will receive their patches super late (and thus users will not be protected in a timely fashion). The reason for this is mostly the mobile ecosystem, which is largely not suited for fast patch deployment. I provided some comments about this issue on NPR in late July.
While patches/updates were rolled out, Jordan from Exodus found that the patches are not complete and contain more vulnerabilities in the exact code that was fixed in the update. His blog post describing the issue is here.
The only way to protect yourself is to update your device to a firmware version that does not contain the vulnerability. If you are one of the many people who own phones that did not yet receive an update, your only chance is to disable MMS auto-download. This will not kill the bug since you can still be attacked using other vectors (e.g. download and play a .mp4 file), but disabling MMS auto-download will at least remove the automatic remote exploitation problem. A step by step way to disable MMS auto-download for various MMS clients is provided by Lookout here.
Tuesday, June 23 2015
Everybody heard that Hacking Team got hacked.
While I think this is pretty great, since they are kinda known to be scumbags since they sell to repressive governments, I found out about not so great things around this hack. Actually I didn't find out myself but was pointed to it by other people on Twitter, via email, and in person (thanks Michael Weissbacher!).
Basically I was told that Hacking Team used a bunch of my Android tools to build their monitoring
software for Android.
What got me really upset is this email:
"I was analysing recent leak of hacking team from italy, and saw you supply the core android audiocapture for hijack voice calls on android. Have you updated it to new devices like lollypop?"
This person thinks that I wrote the Android voice call interception for Hacking Team. This is obviously not the case! Hacking Team took my ADBI framework and tools to build their software around it. The software this specific email is talking about is hackedteam/core-android-audiocapture (the link goes to the hackedteam GitHub repository). You can see that they even kept the original filenames (e.g. libt.c) that were part of my original ADBI release.
The reason why someone might think I wrote those tools for Hacking Team is pretty obvious once you take a look at the leaked code. Take, for example, the libt.c file from the HackedTeam repository. Hacking Team left all the copyright information (my name, website, and email address) in those files.
In addition to my ADBI framework Hacking Team also used my SMS fuzzer injector that I wrote in 2009
while working on the SMS fuzzing project together with Charlie Miller. Their Android fuzzer also made use of my ADBI framework.
I'm pretty angry and sad to see my open source tools being used by Hacking Team to make products
to spy on activists. Even worse is the fact that due to the lazy way they managed their source
repository less informed people might get the idea that I developed parts of their tools for them.
Just to make this very clear: I did not write any of those tools for Hacking Team.
For the future I will use a license for all my software that excludes use for this kind of purpose. I have no clue yet what this license would look like, so if anybody has a hint about pre-existing open source licenses that exclude this kind of usage please drop me an email.
Obviously Hacking Team also used other open source software such as Cuckoo Sandbox. I hope everybody is going to think about future licenses to prevent this kind of usage.
I'm not a lawyer but I would be interested in what legal action one could take if their software
license excluded the use case of Hacking Team.
Below are some links to the Hackedteam GitHub repository and the link to my ADBI repository. You can clearly see that it is based on my software.
Comments welcome via email to: collin AT mulliner.org
Defcon QARK: Android App Exploit and SCA Tool by Tony Trummer and Tushar Dalvi (this is the only talk that was added after my last post).
All other conferences still have their CFPs open and didn't post any talks yet. The BreakPoint schedule is also not final yet.
Breakpoint 22-23 October, Melbourne, Australia. TEAM PANGU: DESIGN, IMPLEMENTATION AND BYPASS OF THE CHAIN-OF-TRUST MODEL OF IOS; JORDI VAN DEN BREEKEL: RELAYING EMV CONTACTLESS TRANSACTIONS WITH OFF-THE-SHELF ANDROID DEVICES; DMITRY KURBATOV: ATTACKS ON TELECOM OPERATORS AND MOBILE SUBSCRIBERS USING SS7.
I wanted to point to something that apparently not many people know about: Pangu jailbreak installs unlicensed code on millions of devices. Pangu has their own statement about this.
The Wikipedia page about Pangu Team states that they didn't have to sign an NDA for the training and therefore can use the vulnerability. Stefan's point is not about the vulnerability but about his code. All in all I can't verify all claims but I would say I know Stefan well enough to say that he would not make this up simply because he doesn't need to. He is very well known anyway so this is not a publicity issue for him. I 100% agree with Stefan's point of view about denying people from speaking at conferences if they are known to take credit or sell code they don't own or have a license for.
I encourage everybody to read up on this and to read statements made by BOTH sides. Please share your opinion with people who run conferences.
Android now has a bug bounty program, or as they call it, Android Security Rewards Program.
Pretty cool, I wonder if they get more submissions because of this.
Apple tries to kill plain-text connections: "If you're developing a new app, you should use HTTPS exclusively." This feature is called App Transport Security (ATS) and in the current iOS 9 version it can still be disabled. See: Configuring App Transport Security Exceptions in iOS 9 and OSX 10.11.
Android has had a similar feature for some time. Android M introduces a new Manifest option to declare if an app uses clear text traffic or not. Depending on this option the framework can deny clear text traffic from the app. A decent writeup on this topic is here: Android M and the war on clear text traffic.
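To see what these two switches look like in an app's configuration, here is an added example (not from the original post or the linked writeups) that audits an Android manifest and an iOS Info.plist for settings that permit plain HTTP. The attribute `android:usesCleartextTraffic` and the `NSAppTransportSecurity` keys are taken from the platform documentation rather than from this post, and the sample configs are constructed.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def audit_android_manifest(manifest_xml):
    """Report how <application> declares android:usesCleartextTraffic."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return "no <application> element"
    value = app.get(ANDROID_NS + "usesCleartextTraffic")
    if value is None:
        return "not declared: cleartext policy left at the platform default"
    return "cleartext denied" if value == "false" else "cleartext allowed"


def audit_ats(info_plist_bytes):
    """List ATS exceptions in an Info.plist that re-enable plain HTTP."""
    ats = plistlib.loads(info_plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled globally (NSAllowsArbitraryLoads)")
    for domain, rules in sorted(ats.get("NSExceptionDomains", {}).items()):
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append("plain HTTP allowed for " + domain)
    return findings


# Constructed sample configs: a weak setting beside the corrected one.
WEAK_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.app">'
    '<application android:usesCleartextTraffic="true"/></manifest>'
)
STRICT_MANIFEST = WEAK_MANIFEST.replace('"true"', '"false"')
WEAK_PLIST = plistlib.dumps({
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True},
        },
    },
})
STRICT_PLIST = plistlib.dumps({"CFBundleName": "Example"})  # no ATS exceptions

if __name__ == "__main__":
    print(audit_android_manifest(WEAK_MANIFEST), audit_ats(WEAK_PLIST))
    print(audit_android_manifest(STRICT_MANIFEST), audit_ats(STRICT_PLIST))
```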