Thursday, March 26 2009

Mobile Security News March 2009

A few things happened besides Pwn2Own. One thing I missed about the mobile Pwn2Own is that Sergio Alvarez apparently tried to own a BlackBerry device but failed due to a device/software mismatch. Hey, at least he seems to have an exploitable bug for BlackBerry, nice!

As of today, the slides for CanSecWest are online. The mobile security stuff is here: 1 2 3 4

At the upcoming BlackHat Europe, some guys from the Mobile Security Lab will give a talk on Hijacking Mobile Data Connections. This sounds interesting; too bad I can't go.

Saturday, March 21 2009

Some notes on Pwn2Own Mobile

So it looks like Pwn2Own mobile failed the first time it was around. This is a surprise for me. I would have guessed that the iPhone would have been taken, even with its Non-Exec memory, since many more people try to break it in comparison with the other mobile platforms.

Symbian was the only mobile platform somebody tried to pwn? This is a bigger surprise to me, especially since Pwn2Own only offers a Nokia N95, a device that has Non-Exec memory. I tried to closely follow Pwn2Own mobile, so when I first saw that Symbian was in the game I thought this would be uninteresting since they would take a brand new device with Non-Exec memory. When I read about the Nokia E61 in this announcement I was really happy, since this device doesn't have Non-Exec memory. In the latest announcement the E61 seems to have been removed. Possibly because they figured out that it was way too old, bummer.

I actually predicted that somebody would own the Windows Mobile device and the Android G1, but they all survived. Maybe all the bugs were already reported to the manufacturers before mobile Pwn2Own was announced, so they could not be cashed in (I know about at least one case). So I guess people will hold on to their (mobile) bugs until next year's CanSecWest/Pwn2Own, especially now that some well-known people have called for their "no more free bugs" campaign. One last point that I found nice was that for mobile Pwn2Own the goal was not necessarily code execution but 1) loss of information (user data) OR 2) incurring financial cost. My iPhone phone call bug would probably have counted, so I guess I should also keep bugs to myself now.

Wednesday, March 11 2009

Samsung SGH-X700N NFC phone

I had the chance to play with the Samsung SGH-X700N, one of Samsung's NFC mobile phones. The hardware is OK, not as crappy as the Motorola L7. The software part is rather sad since there is no NFC support in the basic phone applications; this seems to be something only Nokia manages to do. The only piece of NFC software I found was a simple demo application. Sadly, the demo application could not read my NDEF-formatted Mifare tags. The demo app shows an access error, so I guess they haven't implemented NDEF and therefore they don't know the NDEF Mifare keys. I haven't bothered looking at their SDK.

I gladly borrow NFC phones from anybody (and any company that is not afraid of honest reviews).

HTC Touch 3G

Yesterday I got an HTC Touch 3G that I bought to play with a recent version of Windows Mobile (Windows Mobile 6.1 and WinCE Kernel 5.x). The Touch is my first encounter with TouchFLO, the HTC-specific user interface for Windows Mobile. TouchFLO is a nice idea, but the device is way too slow to make it usable; otherwise this could really be something. Behind TouchFLO everything else is still the old WinMobile, where you need to use a pen to be able to hit the small buttons.