...stuff I do and things I like...

Tuesday, September 19 2017

Mobile Security News Update September 2017

Conferences
    ekoparty Sep 27-29, Buenos Aires. Blue Pill for your phone by Oleksandr Bazhaniuk. Unbox Your Phone - Exploring and Breaking Samsung's TrustZone Sandboxes by Daniel Komaromy. Inside Android's SafetyNet Attestation: Attack and Defense by Collin Mulliner. How to cook Cisco: Exploit Development for Cisco IOS by George Nosenko. Bypass Android Hack by Marcelo Romero.

    Virus Bulletin 4-6 Oct, Madrid Span. Last-minute paper: Publishing our malware stats by Jason Woloz (Google) [This is about Android Malware]. Android reverse engineering tools: not the usual suspects by Axelle Apvrille.
Some comments on BlueBorne: I've been involved with Bluetooth security since like forever (not active in the last 10+ years). The early Bluetooth vulnerabilities were mostly logic bugs and issues such as missing authentication. Bluetooth devices could not be set to hidden and would always show up when scanning for devices. Stuff like that. BlueBorne is different as it is a remote exploitable memory corruption vulnerability in Linux, Android, and Windows. This is quite a novelty since we haven't seen a bug that is more ore less the same on two platforms. Even more interesting is that this bug is pre-authentication and gives you kernel privileges (code exec in the kernel).

In theory this set of vulnerabilities can be bad, bad. In practice the issue is much less of an issue. Exploit mitigations and built variances help mitigating the risk. Devices are not always visible therefore the attacker cannot easily find your device and attack it.

Also see: Hackers Could Silently Hack Your Cellphone And Computers Over Bluetooth.

FaceID: I think it is a really horrible idea! Do not put biometric systems in to consumer products ever! I will not buy products with mandatory biometrics so far iOS allows me to turn it off and use a passphrase - thats why I even consider buying iOS devices. I hate this change -- biometrics are bad.

Pics:


I agree ^^^



Links

Tuesday, August 22 2017

Mobile Security News Update August 2017

Conferences
    toorcon san diego Aug 28th - Sep 3rd. Dig Deep into FlexiSpy for Android by Kai Lu(@k3vinlusec).

    HITB Singapore August 21-25. The Original Elevat0r - History of a Private Jailbreak by Stefan Esser. The Nightmare of Fragmentation: A Case Study of 200+ Vulnerabilities in Android Phones by BAI GUANGDONG and ZHANG QING.

    Tencent Security Conference, August 30-31. Pointer Authentication by Robert James Turner. Finding iOS vulnerabilities in an easy way by Tiefel Wang and Hao Xu. Bare-metal program tracing on ARM by Ralf-Philipp Weinmann.

    44con 13-15 September London, UK. Inside Android's SafetyNet Attestation: What it can and can't do lessons learned from a large scale deployment by Collin Mulliner.

    BalCCon2k17 Novi Sad, Vojvodina, Serbia. September 15-17. Mobile phone surveillance with BladeRF by Nikola Rasovic.

    T2 October 26-27 Helsinki, Finland. Breaking Tizen by Amihai Neiderman.

    DeepSec Vienna 13-17 November. Normal permissions in Android: An Audiovisual Deception by Constantinos Patsakis. How secure are your VoLTE and VoWiFi calls? by Sreepriya Chalakkal.
Quick Conference Review
    It was good to see everybody in Vegas, even better meeting new people. Especially some folks I wanted to meet for a long time. I had a good time at WOOT, meeting old friends was especially good. Maybe it helped that it was in the CanSecWest hotel. I link a few relevant papers below.

Stefan Esser is running a kickstarter for an iOS Kernel Exploitation Training Course for Development of a freely available online iOS kernel exploitation training course based on iOS 9.3.5 on 32 bit devices. If you are into iOS security you should support Stefan's project!


Ralf is on point as usual:
Pictures of the month:



Links

Thursday, July 13 2017

Mobile Security News Update July 2017

Conferences
    Black Hat USA Las Vegas, July 26-27. ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson. NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park. SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois. FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven. GHOST TELEPHONIST LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng. HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich. DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen. BLUE PILL FOR YOUR PHONE by Oleksandr Bazhaniuk, Yuriy Bulygin. CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio.

    Defcon Las Vegas. Jailbreaking Apple Watch by Max Bazaliy. Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks by CINCVolFLT (Trey Forgety). macOS/iOS Kernel Debugging and Heap Feng Shui by Min(Spark) Zheng & Xiangyu Liu. Using GPS Spoofing to Control Time by David "Karit" Robinson. Phone System Testing and Other Fun Tricks by "Snide" Owen. Unboxing Android: Everything You Wanted To Know About Android Packers by Avi Bashan & Slava Makkaveev. Ghost in the Droid: Possessing Android Applications with ParaSpectre by chaosdata. Ghost Telephonist' Impersonates You Through LTE CSFB by Yuwei Zheng & Lin Huang. Bypassing Android Password Manager Apps Without Root by Stephan Huber & Siegfried Rasthofer. Man in the NFC by Haoqi Shan & Jian Yuan.

    USENIX Workshop on Offensive Technologies (WOOT) Vancouver Canada, 14-15 August. Shattered Trust: When Replacement Smartphone Components Attack by Omer Shwartz, Amir Cohen, Asaf Shabtai, and Yossi Oren. White-Stingray: Evaluating IMSI Catchers Detection Applications by Shinjo Park and Altaf Shaik, Ravishankar Borgaonkar, Andrew Marti, Jean-Pierre Seifert. fastboot oem vuln by Roee Hay.
Black Hat and Defcon have a really good number of mobile related talks this year.

It was a busy month and July will be even busier. I'll be at GSMA DSG, Black Hat and Defcon July and Usenix WOOT in mid August



Picture of month:


There is a lot happening in the Android boot loader world at the moment. I guess this is what happens when the devices get more and more locked down - people go after the root of trust.

Links:

Tuesday, June 06 2017

Mobile Security News Update June 2017

Conferences
    Black Hat USA July 26-27 Las Vegas. 'GHOST TELEPHONIST' LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng. ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson. BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS by Nitay Artenstein. CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio. DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen. FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven. HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich. NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park. SONIC GUN TO SMART DEVICES: YOUR DEVICES LOSE CONTROL UNDER ULTRASOUND/SOUND by Aimin Pan, Bo Yang, Shangyuan LI, Wang Kang, Zhengbo Wang. SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois. THE FUTURE OF APPLEPWN - HOW TO SAVE YOUR MONEY by Timur Yunusov.

    (Black Hat has a very strong mobile security line up this year.)

    Defcon July 27-30 Las Vegas. Man in the NFC by Haoqi Shan & Jian Yuan. (speaker selection not final)

    MOSEC June, Shanghai added a bunch of talks (all mobile security related, obviously).

    Recon June 16-18 Montreal, Canada. FreeCalypso: a fully liberated GSM baseband by Mychaela Falconia. Hacking Cell Phone Embedded Systems by Keegan Ryan.
This took a long time again. It gets harder and harder do to this since this stuff is not directly what I do on a day to day basis currently.

The Qualcomm Mobile Security summit was excellent again! Fantastic talks and again I met a bunch of people I mostly knew from email and/or twitter or haven't seen in quite some time. This conference still is unparalleled!

I had a minute to play with the BlackBerry KeyOne and it feels like a super solid device. The screen is bigger then I thought it would be and this makes the device almost too big for my taste - but this is hard to say from playing with it for just a minute.

So iOS will finally support NDEF tags.
This talk is really interesting for anybody interested in mobile application security. This is not about mobile app reverse engineering but about app, backend, phone infrastructure interaction. Pictures of the month:





Links

Tuesday, April 25 2017

Mobile Security News Update April 2017

Conferences
    Black Hat USA July 22-27 Las Vegas. BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS by Nitay Artenstein. (Program not complete)

    SyScan360 May 30-31 Seattle. Exploit iOS 9.x Userland with LLDB JIT by Wei Wang. The wounded android WIFI driver New attack surface in cfg80211 by Hao Chen.

    MOSEC June, Shanghai. Revisiting the Kernel Security Enhancements in iOS 10 AND Pwning Apple Watch. (Program still not complete)


Recordings for the first OsmoCon are available here. OsmoCon is, of course, a conference about the OsmoCom projects!

Android O news: will prompt for pin/passcode before enabling developer options, further Android O changes device identifiers and how to access them.

If you are interested in mobile backing Trojans you should follow Lukas Stefanko:

Somebody released the source code of FlexiSpy (mobile phone spyware) to the public. The release notes are here: readme.txt. The download is here: FlexiSpyOmni.zip, collection of all data is here: Source code and binaries of FlexiSpy from the Flexidie dump and a writeup of the dump is here: FlexSpy Application Analysis. I bet we will see more details in the coming weeks!

Does Blackberry give out review samples for the KEYone? I would really like one and give it a try (would post full review here of course!).


All Nokia phones ever made.

Yo Ralf where the slides at?


Links

Tuesday, March 28 2017

Mobile Security News Update March 2017 part2

Conferences
    Qualcomm Mobile Security Summit 2017 San Diego, May. All talks are on mobile security - super strong lineup!

    AppSec EU May 11-12, Belfast. How to steal mobile wallet? - Mobile contactless payments apps attack and defense. Fixing Mobile AppSec: The OWASP Mobile Project.

    MOSEC June Shanghai. Pwning Apple Watch. (program not complete yet!)


OffensiveCon is a new security conference in Berlin Germany focused on Offense. No details yet but they chose the right location for sure.

For everybody who didn't make it to the Android Security Symposium, they recorded the talks and the videos are available: here.

Google published a blog post and a detailed report on Android Security in 2016. The report covers everything from patching and update stats to high impact vulnerabilities. People posted a lot of summaries but you should really read it yourself if you work with Android.

Google pulls March security update for Nexus 6, after it breaks SafetyNet and Android Pay. This was pretty interesting, not the fact that they broke SafetyNet but that they broke it for their own devices (Nexus). This happened to some really small manufacturer before and if you have an idea of how SN works on the backend - it is clear what happened.



Links

Tuesday, March 07 2017

Mobile Security News Update March 2017

Conferences
    Black Hat ASIA Singapore March 28-31. FRIED APPLES: JAILBREAK DIY by Alex Hude, Max Bazaliy, Vlad Putin. ANTI-PLUGIN: DON'T LET YOUR APP PLAY AS AN ANDROID PLUGIN by Cong Zheng, Tongbo Luo, Xin Ouyang, Zhi Xu. REMOTELY COMPROMISING IOS VIA WI-FI AND ESCAPING THE SANDBOX by Marco Grassi. 3G/4G INTRANET SCANNING AND ITS APPLICATION ON THE WORMHOLE VULNERABILITY by Guangdong Bai, Zhang Qing. MOBILE-TELEPHONY THREATS IN ASIA by Lion Gu, Marco Balduzzi, Payas Gupta. MASHABLE: MOBILE APPLICATIONS OF SECRET HANDSHAKES OVER BLUETOOTH LE by Yan Michalevsky.

    CanSecWest Vancouver Canada, March 15-17. Qidan He : Pwning Nexus of Every Pixel: Chain of Bugs demystified. Logic Bug Hunting in Chrome on Android by Georgi Hershey & Robert Miller.

    Zer0Con Seoul, Korea April 13-14. Ian Beer : Through the mach portal.

    OsmoCon (Osmocom Conference) 2017 is the first technical conference for Osmocom users, operators and developers! April 21, Berlin. All about Osmocom!

    HITB Amsterdam April 13-14. FEMTOCELL HACKING: FROM ZERO TO ZERO DAY by JeongHoon Shin. CAN'T TOUCH THIS: CLONING ANY ANDROID HCE CONTACTLESS CARD by Slawomir Jasek. EXTRACTING ALL YOUR SECRETS: VULNERABILITIES IN ANDROID PASSWORD MANAGERS by Stephan Huber, Steven Artz, Siegfried Rasthofer. HUNTING FOR VULNERABILITIES IN SIGNAL by Markus Vervier.

    Opcde Dubai, UAE April 26-27. Practical attacks against Digital Wallet by Loic Falletta.


I took a way too long break again. So many things happen in the world of mobile security every week. I really wish I had more time for this. I also have a bunch of small things I need to put on this blog but I think they are too specific for the news and will likely get their own posts.

Some news from MWC (I didn't attend):
    First the BlackBerry KEYone a new Android-based phone with a physical keyboard. Other then the BB Priv the KEYone's keyboard is fix and doesn't slide. Movable parts are really not a good idea, they break way too fast. In my opinion this device looks super solid and likely will be supported longer than the average flagship phone from other manufacturers (data on this would be awesome).

    Nokia released 3 new Android phones the 3 (MTK), 5 (QCOM) and 6 (QCOM). The phones seem to run Android N without any modifications or vendor crap. Very low price (230Euro for the 6). The bottom of their website specifically says: You get an experience that's focused and clutter-free, and we'll make sure you keep getting regular updates, so you'll always stay on top of features and security. that is what you should expect in 2017.


The Android Devices Security Patch Status page is an awesome resource to determine if a specific device from a specific vendor has been patched and when the patch was released. From the page: This list is Prepared to Serve as a Quick reference to identify which Device is being actively maintained by the Vendor.. This is super useful, thanks!







MOSEC mobile security conference in June in Shanghai. This seems to be the 3rd year of the conference. There is no schedule yet.

The story of the day Vault 7: CIA Hacking Tools Revealed. Vault 7: CIA Hacking Tools Revealed : iOS Exploit list. Yes, the CIA uses n-day exploits! The Android exploits.

They talk about Android, Defcon, and backdooring your repo? ;-)


Pic of the month:

Links