...stuff I do and things I like...

Friday, February 27 2015

Mobile Security News Update February 2015 part 2

Conferences
    BruCon 5-7 October: Daan Raman - A distributed approach to mobile malware scanning, Markus Vervier - Stealing a Mobile Identity Using Wormholes


CFPs
My good friend Nick has started a campaign to support Android users in risk and will provide free iPhones to them

Nice captures of what happens with the cellular service when the President is around: 1 2.

Inside a StingRay. Matt Blaze would take your spare StingRay base unit.

The Gemalto hack by GSHQ/NSA makes a lot of sense and is pretty interesting. Stories by Wired and The Register.


Links

Wednesday, February 11 2015

Mobile Security News Update February 2015

Conferences
    TelcoSecDay @ Troopers Markus Vervier: Borrowing Mobile Network Identities - Just Because We Can, Tobias Engel: Securing the SS7 Interconnect, Ravishankar Borgaonkar - TelcoSecurity Mirage: 1G to 5G, Dieter Spaar - How to Assess M2M Communication from an Attacker's Perspective.

    CanSecWest Timur Yunusov & Kirill Nesterov - Bootkit via SMS: 4G access level security assesment. Team Pangu Userland Exploits of Pangu 8, the first untethered iOS8 jailbreak.

    Hack in the Box Amsterdam The Savage Curtain: Mobile SSL Failures; Eight Ou Two Mobile; Mobile Authentication Subspace Travel; Fuzzing Objects d'ART: Digging Into the New Android L Runtime Internals; Relay Attacks in EMV Contactless Cards with Android OTS Devices; Bootkit via SMS: 4G Access Level Security Assessment

TelcoSecDay @ Troopers looks pretty awesome. Too bad that I can't go because of the 100% overlap with CanSec. Sadly this seems to be a new trend that a number of top conferences overlap or are so close to each other that it is impossible to attend both.

Somebody is selling fake versions of the Android Hacker's Handbook on Amazon. Indicators are missing pictures or the white book backside (original one is black).

We recently presented BabelCrypt at Financial Crypto. I would love to see a usable implementation of this. Unfortunately I don't have the time to make this happen. I would pay money for this app.


Links

Tuesday, January 20 2015

Mobile Security News Update January 2015

Conferences
    SyScan Singapore, March. Dmitry Kurbatov: Attacks on telecom operators and mobile subscribers using SS7: from DoS to call interception. Peter Fillmore: Crash & Pay: Owning and Cloning NFC Payment cards. Stefan Esser: iOS 678 Security - A Study in Fail.

    Black Hat Asia Singapore, March. (IN)SECURITY OF MOBILE BANKING by Eric Filiol & Paul Irolla. ATTACKING SAP MOBILE by Vahagn Vardanyan & Dmitry Chastuhin. DABID: THE POWERFUL INTERACTIVE ANDROID DEBUGGER FOR ANDROID MALWARE ANALYSIS by Jin-hyuk Jung & Jieun Lee. HIDING BEHIND ANDROID RUNTIME (ART) by Paul Sabanal. RELAYING EMV CONTACTLESS TRANSACTIONS USING OFF-THE-SHELF ANDROID DEVICES by Jordi Van den Breekel. RESURRECTING THE READ_LOGS PERMISSION ON SAMSUNG DEVICES by Ryan Johnson & Angelos Stavrou. THE NIGHTMARE BEHIND THE CROSS PLATFORM MOBILE APPS DREAM by Marco Grassi & Sebastian Guerrero. WE CAN STILL CRACK YOU! GENERAL UNPACKING METHOD FOR ANDROID PACKER (NO ROOT) by Yeonung Park.


This year's SyScan unfortunatelly is the last one. Very sad to see this conference go away. SyScan was the first industry conference I spoke at!

There is a new mobile specific venu Black Hat Mobile Security Summit taking place in London in June.

The problem with unpatched bugs in Android continues: Google No Longer Provides Patches for WebView Jelly Bean and Prior. This is really one of the major issues of Android security in my opinion. In 2013 I was working on a system that helps to address this issue. Details can be found here: 1 2.

Links

Friday, January 02 2015

Mobile Security News Update New Year's 2015 Edition

Conferences
    ShmooCon January 2015. Knock Knock: A Survey of iOS Authentication Methods by David Schuetz; There's Waldo! Tracking Users via Mobile Apps by Colby Moore and Patrick Wardle; Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry by Kristen K. Greene, Joshua Franklin, and John Kelsey.

    Black Hat Asia March. DABID: THE POWERFUL INTERACTIVE ANDROID DEBUGGER FOR ANDROID MALWARE ANALYSIS by Jin-hyuk Jung & Jieun Lee; HIDING BEHIND ANDROID RUNTIME (ART) by Paul Sabanal; RELAYING EMV CONTACTLESS TRANSACTIONS USING OFF-THE-SHELF ANDROID DEVICES by Jordi Van den Breekel.

    Troopers March. Hacking FinSpy - a Case Study about how to Analyse and Defeat an Android Law-enforcement Spying App by Attila Marosi (not all speaker slots are filled)


31c3 Review

The Chaos Communication Congress was super fun again (no big surprise!). It was really good to see everybody again at the end of the year. As the congress is getting bigger and bigger every year it is hard to see people more once and I even missed a bunch of you guys! The talks were pretty good this year and I saw quite a few of them. Here a short overview of the mobile related talks that I actually saw live at the conference. Recordings are available: here Slides of most talks are linked in the schedule: here.

The SS7 talks were super interesting. I actually only saw 2 of the 3 talks on SS7 but I'll watch the third one once I get home. The summary of all the talks is: once you get access to SS7 you can easily track phones as often shown on TV shows. Commercial products exist to do this via SS7 (but depending on the manufacturer you cannot use it against every country). SS7-based tracking can be implemented in various ways as Karsten Nohl showed. Very interesting is the fact that IMSI Catchers can benefit from SS7 access as it can be used to access to encryption keys. This basically allows building 3G IMSI catchers. Karsten Nohl showed this live on stage (he intercepted a SMS). SS7 access can be used to steal SMS messages by redirecting the delivery path in the HLR. All in all you can conclude that organizations with SS7 access can do a lot of interesting/bad things. Luckily all the German operators already block many of the security critical SS7 messages from entering their network. SRLabs also released and Android application that analyzes the debug messages from Qualcomm-based phones to determine if your phone is in an unfriendly cellular environment. The tool is called SnoopSnitch.

Slides: 1 2

I also really enjoyed the talk from Sylvain Munaut about GMR-based Sat-Phones (specifically the technology used by Thuraya). He presented the progress of the Osmocom project's implementation of an open GMR stack. One interesting detail was that you can break the GMR crypto within 500msec using a known plain text attack against the control traffic.

Slides: 1

The talk about pagers based on the Iridium satellite network was similar interesting. The presenters build an SDR-based Iridium receiver and sniffed some paging traffic as the satellite beam covers a large region they were able to receive quite a lot of interesting messages. Yes, the traffic is not encrypted! Their code is available here.

Slides: 1

The guys from @scadasl totally rocked the 31c3 as they also gave a lighting talk on their 4G modem research. No slides unfortunately.

The talk Ich sehe, also bin ich ... Du about biometrics vs. cameras by Starbug also looked into smartphone screen reflections in your eye. He showed that you can partially determine what your screen shows and what area you touched with your finger.

The guys from the 31c3 GSM network where playing with the Alert system while I was visiting them in their NOC. One of the results is this:

Links

Wednesday, December 10 2014

Mobile Security News Update December 2014

Conferences
    Kiwicon (going down right now) Wellington, NZ. MitMing GSM with criminal intent by William "AmmonRa" Turner

    31C3 Hamburg, Germany. (In)Security of Mobile Banking by Paul Irolla and Eric Filiol; Mobile self-defense by Karsten Nohl; osmo-gmr: What's new? by tnt; SS7: Locate. Track. Manipulate. by Tobias Engel; SS7map : mapping vulnerability of the international mobile roaming infrastructure by Laurent Ghigonis and Alexandre De Oliveira; Unlocking the bootloader of the BlackBerry 9900 by Alex

    ShmooCon Washington D.C., Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry by Kristen K. Greene, Joshua Franklin, and John Kelsey (not all talks posted yet).

31C3 has an impressive number of good mobile security related talks, in addition to a lot of other good looking security talks. This will be good!

We recently finished a research project on end-to-end encryption for mobile messaging apps. The idea was to have a universal "plugin" that encrypts messages before they are handed over to the messaging app. This way you can use any messaging app with the add-on of end-to-end encryption (providing the other end has the same tool installed too). The result was BabelCrypt: The Universal Encryption Layer for Mobile Messaging Applications a joint project with my co-researchers and interns at NEU SecLab. The paper is going to be published in January 2015. A pre-print is available here: BabelCrypt.


News / Links

Word on the street is that all the cool kids are getting pagers again!

Sunday, November 23 2014

Mobile Security News Update November 2014

I'm still waiting for the 31C3 program to be released, but since I was reviewing the security submissions I can tell you that there will be a bunch of good mobile security related talks this year. As usual I will be in Hamburg to attend CCC.

So far there are no upcoming conferences that have released their program yet.

I've recently updated to Android 5.0. Overall I think it turned out quite nice. The changes related to notifications suck really badly. Apparently you cannot turn off audio and vibration but still get the visual notification (LED). I really liked the old way to set notifications: ring/vibrate/off. The extended battery time everybody is talking about I don't recognize (Nexus 5). The more tight integration with googles services sucks too. Why does it need to show my google account logo on the top right of my status bar? This is useful for what?

Links and Stories: Android bugs:

Thursday, October 23 2014

Mobile Security News Update October 2014

Time files, I've been super busy the last two month and will be busy until mid/end of November. I just relaized that I haven't posted anything in September at all.

Conferences
    Hack.Lu October 21-24: Stripping the controversial FinFisher application for Android phones by Attila Marosi; SherlockDroid, an Inspector for Android Marketplaces by Axelle Apvrille, Ludovic Apvrille

    PacSec Tokyo, Nov 12-13: An Infestation of Dragons: Exploring Vulnerabilities in the ARM TrustZone Architecture by Josh "m0nk" Thomas, Charles Holmes, Nathan Keltner; Hey, we catch you - dynamic analysis of Android applications by Wenjun Hu; Root via SMS: 4G access level security assessment by Sergey Gordeychik, Alexander Zaytsev; Blowing up the Celly - Building Your Own SMS/MMS Fuzzer by Brian Gorenc and Matt Molinyawe.

    DeepSec Vienna, Nov 18-21: Mobile SSL Failures by Tony Trummer & Tushar Dalvi; TextSecure and RedPhone-bring them to iOS by Christine Corbett; Creating a kewl and simple Cheating Platform on Android by Milan Gabor & Danijel Grah


There is again a new talk on SMS and MMS fuzzing. I really wonder what is going to be different from all the previous work?

Links