It has been a while since I wrote anything on this blog (October 2017 to be specific) and it will be a bit until I start doing blog posts on a regular basis again. This has multiple reasons. First, I'm not doing the mobile security update anymore since I have kinda stopped working in mobile security space. Second, I'm working on super fun things at the moment and therefore don't have time or energy to work on side projects. Some in progress long term projects will be continued. Third, I will likely attend fewer conferences this year since I'm spending time on different aspects of security research.
I will likely blog about random things every now and then.
Collin
I wrote an article for the Parallax about the security of third party Android app stores.
ConferencesPacSec Nov 1-2, Tokyo, Japan. Grandma's old bag, how outdated libraries spoil Android app security by Marc Schoenefeld. When encryption is not enough: Attacking Wearable - Mobile communication over BLE by Kavya Racharla. The Art of Exploiting Unconventional Use- after-free Bugs in Android Kernel by Di Shen.
DeepSec Nov 14-17, Vienna, Austria. Normal Permissions In Android: An Audiovisual Deception by Constantinos Patsakis.
Black Hat Europe 2017 Dec 4-7, London, UK. ATTACKING NEXTGEN ROAMING NETWORKS by Daniel Mende, Hendrik Schmidt. ATTACKS AGAINST GSMA'S M2M REMOTE PROVISIONING by Maxime Meyer. BLUEBORNE - A NEW CLASS OF AIRBORNE ATTACKS THAT CAN REMOTELY COMPROMISE ANY LINUX/IOT DEVICE by Ben Seri, Gregory Vishnepolsky. DIFUZZING ANDROID KERNEL DRIVERS by Aravind Machiry, Chris Salls, Jake Corina, Shuang Hao, Yan Shoshitaishvili. HOW SAMSUNG SECURES YOUR WALLET AND HOW TO BREAK IT by HC MA. INSIDE ANDROID'S SAFETYNET ATTESTATION by Collin Mulliner, John Kozyrakis. JAILBREAKING APPLE WATCH by Max Bazaliy. RO(O)TTEN APPLES: VULNERABILITY HEAVEN IN THE IOS SANDBOX by Adam Donenfeld.
Quick conference review: both 44con and ekoparty were great. Ekoparty was especially awesome since I got to check the last continent off my list. Also the size of ekoparty was way beyond what I was expecting. They managed to have a really good conference that is professionally run while stilling maintaining the vibe of a hacker / underground con <3
Two weeks ago there was a post on Medium about two companies that provide a mobile identification service. That service basically can be used to convert your phone's IP address into real information about the owner of the phone (the contract owner). This is done via APIs that are provided by multiple Mobile Network Operators (such as AT&T). The medium article linked to demo pages of those two service providers (payfone and danal inc) that show not only your phone number but also your operator's name, your name and address.
I played with the two demo sites for a bit (while they were still online - offline now). I'm on Google Fi with a number proted from T-Mobile (pre-paid). Payfone only had my phonenumber and old carrier (T-Mobile) while Danal inc showed no data at all. I never provided any data to T-Mobile since it is not required for a pre-paid card. Google has all the data but likely does not share it with 3rd parties.
Overall this is a service that I really don't want to exist. I don't want an abritary company to be able to identify me while visiting their website from my mobile phone. I hope those companies don't just sell their services to anybody. Read the Medium article again: AT&T consumer choice opt-out doesn't affect this!
iOS 11 the tragedy continues: 11.0 had a bunch of flaws that were annyoing. Now 11.0.3 randomly frezzes my phone for minutes. Also I have some issues with voice call audio not working sometimes. Highly disaspointing!
Pictures of the month:Saw a throne of phones in Göteborg. pic.twitter.com/wE6M5e2WPa
— Mikko Hypponen (@mikko) October 17, 2017
Today marks the third time one of my iPhones has vibrated itself out of alignment with its wireless charging pad over night. pic.twitter.com/HFchysZ7L9
— Matthew Panzarino (@panzer) October 10, 2017
Have you ever seen two Android Banking Trojans beating each other for victim's credit card information? #Malware cc @malwrhunterteam pic.twitter.com/EY6yQifVqp
— Lukas Stefanko (@LukasStefanko) June 27, 2017
— jellphonic (@jellphonic) September 25, 2017
LinksIT TAKES JUST $1,000 TO TRACK SOMEONE'S LOCATION WITH MOBILE ADS
Oppo/Oneplus .ops Firmware decrypter
[WIP] Crappy iOS app analyzer
Magisk v14.3
Down the Rabbit Hole with a BLU Phone Infection
eSIM for Consumer Devices (PDF)
Android Crypto-Ransomware that misuses accessibility services + encrypts data + changes PIN.
iOS jailbreak detection toolkit now available from TraiOfBits
Administering Chromebooks For teams traveling to complex and hostile environments
HackingTeam back for your Androids, now extra insecure!
iOS 11 security updates
Researchers: Uber's iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen
How To Obtain Real-Time Data from iCloud and Forget About 2FA with Just an Old iTunes Backup. No Passwords Needed
Meet Danny, the Guy Authorities Say Is Selling Encrypted Phones to Organized Crime
Android Reverse Engineering tools Not the Usual Suspects (slides)
Understanding new APK Signature Scheme V2?
Google Play Security Reward Program
SAMSUNG TEEgris
source for suhide
Dieser Mann weiss, wie man in Smartphones einbricht (German)
NEW Rainbow Table added: GSM A5/1 table, 1.52 Terabytes in size. Torrent now available
Alarming number of DNS requests made by iOS devices
Bluetooth Hacking Tools Comparison
Unpatched Bugs Rampant on Mobile Devices in Financial Services Firms
Legitimacy: a Memory Research Platform for iOS
Samsung Android Security Bulletin Oct 2017 (a very long list!)
SELinux in Android Oreo or: How I Learned to Stop Worrying and Love Attributes (slides)
Android Security Bulletin - October 2017 (now calling out individual vendors)
Frida All The Things (slides)
Magisk Module to Allow Location Mocking, Screenshots in Any App, and Disabling System Signature Verification
notes on Hacking BLE - list of resources
Blue Pill for Your Phone (slides)
Bill Gates just switched to an Android phone (Windows Phones is dead!)
NFC - Contactless Cards: Brute Forcing Processing Options
Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices
XNU kernel 4570.1.46 sources
Linux Kernel Self Protection Project (slides)
CLKSCREW: Exposing the perils of security-oblivious energy management (paper)
(pdf)
In a first, Android apps abuse serious 'Dirty Cow' bug to backdoor phones
Label enums for Android JNI to aid in reversing
IDA jni helper
Google Play apps with as many as 2.6m downloads added devices to botnet
Samsung is gonna let you run any Linux distro on a Galaxy
Shim to grab keystore backed data
Android Security Reference (largely private notes of @doriancussen)
Google Play Billing Library 1.0 released
The Stony Path of Android Bug Bounty - Bypassing Certificate Pinning
Hardening the Kernel in Android Oreo
since I always rant about how I don't like biometrics in smartphones some people have asked me to formulate what I actually would like to see to happen in this area.
My dislike for biometrics is that you cannot change your password anymore because your password is your finger, eye (iris), or face. That means you basically show you password to everybody. A good example of this is here: Politician's fingerprint 'cloned from photos' by hacker.
The second part of the problem is that many biometric systems can be easily bypassed, some face recognition systems even with a picture shown on a smartphone screen.
My main issue is that biometric systems can be bypassed by forcing the owner of the device to unlock it. This can be done without leaving evidence, a funny example of this issue: 7-Year-Old Boy Uses Sleeping Dad's Finger To Unlock iPhone. Also see this interesting case: Court rules against man who was forced to fingerprint-unlock his phone.
The main argument I always hear is that people who wouldn't set a password (or use just a simple PIN) are using biometrics and therefore are more secure now with the help of biometrics. The kid from the previous story wasn't stopped by biometrics it was just as good as not having a password.
What would have stopped the kid from unlocking his dad's phone? A simple timeout! Basically what I want to see is a timeout for your biometrics. Once you entered your password you can unlock your phone using biometrics, after a specific amount of time you have to re-enter your password and cannot unlock the device using biometrics. With a timeout of say 30 minutes to one hour you can prevent simple attacks while still being able to use the convenience of biometrics. Apple recently introduced the SOS mode that will also disable biometric authentication until you enter your password. I wish this was taken one step further and let you set a timeout.
I personally see biometrics on a smartphone as a pure convenience feature and treat it as a weak security feature. I only use it for ApplePay.
I think it is pretty bad to get people used to biometric authentication, Apple may get it right but other companies wont. Normal users can't determine this easily. Also how much did the additional hardware components cost to implement fingerprint authentication or face recognition. FaceID doesn't use a normal camera so there are definitely additional costs that you as the user have to pay for this convenience feature.
Face recognition in consumer products also gets people to accept this as an normal everyday thing and thus helps the argument for face recognition being used in surveillance.
/rant
References:Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8 in May 2017
Chaos Computer Club breaks Apple TouchID iPhone 5s in 2013
Conferencesekoparty Sep 27-29, Buenos Aires. Blue Pill for your phone by Oleksandr Bazhaniuk. Unbox Your Phone - Exploring and Breaking Samsung's TrustZone Sandboxes by Daniel Komaromy. Inside Android's SafetyNet Attestation: Attack and Defense by Collin Mulliner. How to cook Cisco: Exploit Development for Cisco IOS by George Nosenko. Bypass Android Hack by Marcelo Romero.
Some comments on BlueBorne: I've been involved with Bluetooth security since like forever (not active in the last 10+ years). The early Bluetooth vulnerabilities were mostly logic bugs and issues such as missing authentication. Bluetooth devices could not be set to hidden and would always show up when scanning for devices. Stuff like that. BlueBorne is different as it is a remote exploitable memory corruption vulnerability in Linux, Android, and Windows. This is quite a novelty since we haven't seen a bug that is more ore less the same on two platforms. Even more interesting is that this bug is pre-authentication and gives you kernel privileges (code exec in the kernel).
Virus Bulletin 4-6 Oct, Madrid Span. Last-minute paper: Publishing our malware stats by Jason Woloz (Google) [This is about Android Malware]. Android reverse engineering tools: not the usual suspects by Axelle Apvrille.
In theory this set of vulnerabilities can be bad, bad. In practice the issue is much less of an issue. Exploit mitigations and built variances help mitigating the risk. Devices are not always visible therefore the attacker cannot easily find your device and attack it.
Also see: Hackers Could Silently Hack Your Cellphone And Computers Over Bluetooth.
FaceID: I think it is a really horrible idea! Do not put biometric systems in to consumer products ever! I will not buy products with mandatory biometrics so far iOS allows me to turn it off and use a passphrase - thats why I even consider buying iOS devices. I hate this change -- biometrics are bad.
Pics:
Huh, here I was looking to get a phone similar to Walmarts in-store model... And eBay just has their actual in-store model... Perfect! pic.twitter.com/sq4pUtCBe3
— Tim Strazzere (@timstrazz) September 17, 2017
https://t.co/zqdwIa27IR
— sp (@LambdaCube) August 28, 2017
"Certified devices are also required to ship without pre-installed malware"
A good requirement IMHO. 😛
I agree ^^^
Badass! @cmwdotme just demoed his new company's ARM hypervisor -- capable of running iOS instances on virtual iPhone6 hardware #TenSec pic.twitter.com/vb9ld8cjIE
— Ralf (RPW) (@esizkur) August 31, 2017
Android Oreo feature spotlight: Changes to Verified Boot won't allow you to start a downgraded OS https://t.co/9RZqASUyeb pic.twitter.com/Zz6OD4xliv
— Android Police (@AndroidPolice) September 5, 2017
LinksSELinux in Android Oreo or: How I Learned to Stop Worrying and Love Attributes (presentation)
Kernel Driver mmap Handler Exploitation (paper)
BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews (paper)
AndroidXRef now with Android O/8
Now the native-shim loader can create VM's for ART based Android devices by rednaga
Good thread about the Android Key Store API
IDA AArch64 processor extender extension: Adding support for ARMv8.1 opcodes
INJECTING MISSING METHODS AT RUNTIME
Oppo/Oneplus .ops Firmware decrypter
Android Hardware-backed Keystore (docs)
Samsung to Launch Mobile Security Rewards Program, Welcoming Security Research Community
Android 8.0 includes the following security-related changes
WHAT'S NEW IN KNOX 2.9?
ANDROID O AND DEX 38: DALVIK OPCODES FOR DYNAMIC INVOCATION
The public release of shadow v2 jemalloc exploitation tool with support for Android (both ARM32 and ARM64)
Making it safer to get apps on Android O
Dig Deep into FlexiSpy for Android
Tool for leaking and bypassing Android malware detection system
iOS 8.4.1 32 bit jailbreak
Conferencestoorcon san diego Aug 28th - Sep 3rd. Dig Deep into FlexiSpy for Android by Kai Lu(@k3vinlusec).
Quick Conference Review
HITB Singapore August 21-25. The Original Elevat0r - History of a Private Jailbreak by Stefan Esser. The Nightmare of Fragmentation: A Case Study of 200+ Vulnerabilities in Android Phones by BAI GUANGDONG and ZHANG QING.
Tencent Security Conference, August 30-31. Pointer Authentication by Robert James Turner. Finding iOS vulnerabilities in an easy way by Tiefel Wang and Hao Xu. Bare-metal program tracing on ARM by Ralf-Philipp Weinmann.
44con 13-15 September London, UK. Inside Android's SafetyNet Attestation: What it can and can't do lessons learned from a large scale deployment by Collin Mulliner.
BalCCon2k17 Novi Sad, Vojvodina, Serbia. September 15-17. Mobile phone surveillance with BladeRF by Nikola Rasovic.
T2 October 26-27 Helsinki, Finland. Breaking Tizen by Amihai Neiderman.
DeepSec Vienna 13-17 November. Normal permissions in Android: An Audiovisual Deception by Constantinos Patsakis. How secure are your VoLTE and VoWiFi calls? by Sreepriya Chalakkal.It was good to see everybody in Vegas, even better meeting new people. Especially some folks I wanted to meet for a long time. I had a good time at WOOT, meeting old friends was especially good. Maybe it helped that it was in the CanSecWest hotel. I link a few relevant papers below.
Stefan Esser is running a kickstarter for an iOS Kernel Exploitation Training Course for Development of a freely available online iOS kernel exploitation training course based on iOS 9.3.5 on 32 bit devices. If you are into iOS security you should support Stefan's project!
Ralf is on point as usual:
Pictures of the month:Exhibit A) Our communities are tribalized: https://t.co/e1uATFviYT (JTAG on iPhone 4S BB + exploitation of baseband vulns from SIM, in 2014)
— Ralf (RPW) (@esizkur) August 19, 2017
Burner kiddies at defcon be like: pic.twitter.com/3QyPTuJwFg
— the grugq (@thegrugq) July 22, 2017
Some Chinese USB adapters have a hidden SIM that will send a text message with GPS coordinates to track an unknowing victim… https://t.co/PK5bpkaBmv
— Dimitri Bouniol (@dimitribouniol) August 9, 2017中国のUSB充電アダプター型盗聴器が先進的すぎる。
— 若ちゃん (@wk_tyn) August 8, 2017
充電器の上のふたを開けると、なんとSIMスロットがある。
SIMカードを挿入した状態で、このSIMカードの電話番号宛にSMSを送ると、コールバックし、これに出ると盗聴できる仕様。
もちろんGPS機能付きである。 pic.twitter.com/aMEF8sBdiL😂 accident happens #htc #privacy #security #Android pic.twitter.com/AJRAJRO1xK
— nixCraft (@nixcraft) July 19, 2017
LinksBootStomp: On the Security of Bootloaders in Mobile Devices (paper)
Fixes in iOS 10.3.3
Reviewing the Security of ASoC Drivers in Android Kernel
Hacking Cell Phone Embedded Systems
Intercept, modify, repeat and attack Android's Binder transactions using Burp Suite
Seccomp filter in Android O
This source code was obtained by reversing a sample of SLocker. It's not the original source code
Trust Issues: Exploiting TrustZone TEEs
Universal Android SSL Pinning bypass with Frida
USING AN RTL-SDR AS A SIMPLE IMSI CATCHER
BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS
Surveillance: German police ready to hack WhatsApp messages
Google May Have Just Uncovered An Israeli Surveillance Start-Up Spying On Androids
Gas Pump Skimmer Sends Card Data Via Text
Defeating Samsung KNOX with zero privilege (slides)
Path of Least Resistance: Cellular Baseband to Application Processor Escalation on Mediatek Devices
Port(al) to the iOS Core
New Adventures in Spying 3G & 4G Users: Locate, Track, Monitor
Ghost Telephonist Link Hijack Exploitations in 4G
OnePlus 2 Lack of SBL1 Validation Broken Secure Boot
iOS 10.3.2 XPC Userland Jailbreak Exploit Tutorial - CVE-2017-7047 by Ian Beer (Video)
Samsung: Trustonic t-base TEE does not perform revocation of trustlets
A (hopefully) generic unpacker for packed Android apps
The original elevat0r jailbreak exploit explained
Tinker is a hot-fix solution library for Android, it supports dex, library and resources update without reinstall apk.
Shattered Trust: When Replacement Smartphone Components Attack (paper)
Patch iOS Apps, The Easy Way, Without Jailbreak
Android Banking Trojan misuses accessibility services
Get details and download apps from https://play.google.com by emulating an Android (Nexus 5X) device by default.
vTZ: Virtualizing ARM TrustZone (paper)
objection - runtime mobile exploration
Xposed for Nougat & abforce Submodule Explained, and Why It's Worth Waiting for rovo89's Full Release
A Linux kernel IPC firewall and logger for Android and Binder
White-Stingray: Evaluating IMSI Catchers Detection Applications (paper)
BootStomp: a bootloader vulnerability finder
iOS 11 has a 'cop button' to temporarily disable Touch ID
Simple tool to dynamically discover hidden fastboot OEM commands based on static knowledge
Blue Pill for your Phone
Android Instant Apps: Best practices for managing download size (who has played with instant apps yet?)
Decrypt the iOS SEP
How much does your phone know about you?
Identifying and Evading Android Protections
Breaking Mobile App Protection Mechanisms
Isolation of HALs in Android O
ANTIVIRUS FOR ANDROID HAS A LONG, LONG WAY TO GO
PoC CVE-2016-3935
PoC CVE-2016-6738
Fake Snapchat in Google Play Store
Next-generation Dex Compiler Now in Preview
Detecting Android Root Exploits by Learning from Root Providers (paper)
Downgrade Attack on TrustZone (paper)
Testing Biometric Authentication
shadow v2 public release
Android O security changes
Magisk Documentations
SonicSpy: Over a thousand spyware apps discovered, some in Google Play
SMS touch sends customer information and SMS messages over a cleartext network
ZIMPERIUM blog post that describes how the Zero Packet Inspection (ZPI) approach is trained
Using Hover to Compromise the Confidentiality of User Input on Android (paper)
Various Scripts for Mobile Pen-testing with Frida
circuit board (PCB) schematics for 30-pin iPod serial debugging
SS7 Attacker Heaven turns into Riot: How to make Nation-State and Intelligence Attackers' lives much harder on mobile networks (slides)
This blog post is to provide some more details about my idea that was mentioned on Risky Business #463 by Haroon Meer.
What are Canary Tokens (from Thinkst).You'll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests.
Imagine doing that, but for file reads, database queries, process executions, patterns in log files, Bitcoin transactions or even Linkedin Profile views. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.
...
Canary tokens are a free, quick, painless way to help defenders discover they've been breached (by having attackers announce themselves.)
The idea: Embed Canary Tokens into binaries (or application data) to help identify reverse engineering of your software.
Every reverse engineer looks for unique information (often just strings) in the target binary to help understand it. The strings are thrown into Google (or other search engines) with the hope to get additional information. The returned information can be extremely helpful to determine what the software is, what other code is linked in, what versions, etc. Everybody who reverse engineers stuff does this! I personally don't reverse engineer for a living so I asked around to confirm that professionals actually do this (I already knew the answer anyway!).
The plan:
- Embed unique looking strings into the binary
- Stand-up web page that contains the string, log access to that page (alert on access)
- Make Google crawl that page (various tools for that)
- Ship software
This is pretty straight forward, right? But do you care about somebody who just ran strings on your binary? Likely not! So what's next?
Many applications protect their code and other assets that come with it through different kinds of methods (called obfuscation techniques for this article - even not all of it will be actual obfuscation). The next step for the RE-canaries is to generate canaries and embed them into each obfuscation layer. If someone accesses a more obfuscated canary you know that a certain level of effort was put into reversing your app. This part is really where the creativity of the RE-canary deployment comes into play. This will be highly depended on the specific software, on the protection mechanisms used, the language and framework that app is written in and so on. Mobile apps (I'm a mobile app guy, yeah!) contain API endpoints and URLs and maybe some hardcoded credentials (tokens of course). The URLs have the advantage that you wouldn't need to put up a website. You just make them accessible and add logging and alerting.
The final part of this is automation. You want to automate canary creation and embedding into your built process, so that you can generate unique canaries with each built or major release or whatever fits your software.
In the end it will likely happen that advanced REs are going to use an anonymization service such as TOR when searching for strings or trying out URLs (specifically for URLs!). In this case at least you will know that someone is looking at your stuff and passed a certain skill/time/effort threshold, which I guess in most cases is enough information.
That's it! This idea was inspired heavily by Haroon Meer's Canarytokens a great free service that I use once in awhile!
Comments and feedback is welcome via the usual channels.