...stuff I do and things I like...

Tuesday, June 06 2017

Mobile Security News Update June 2017

Conferences
    Black Hat USA July 26-27 Las Vegas. 'GHOST TELEPHONIST' LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng. ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson. BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS by Nitay Artenstein. CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio. DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen. FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven. HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich. NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park. SONIC GUN TO SMART DEVICES: YOUR DEVICES LOSE CONTROL UNDER ULTRASOUND/SOUND by Aimin Pan, Bo Yang, Shangyuan LI, Wang Kang, Zhengbo Wang. SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois. THE FUTURE OF APPLEPWN - HOW TO SAVE YOUR MONEY by Timur Yunusov.

    (Black Hat has a very strong mobile security line up this year.)

    Defcon July 27-30 Las Vegas. Man in the NFC by Haoqi Shan & Jian Yuan. (speaker selection not final)

    MOSEC June, Shanghai added a bunch of talks (all mobile security related, obviously).

    Recon June 16-18 Montreal, Canada. FreeCalypso: a fully liberated GSM baseband by Mychaela Falconia. Hacking Cell Phone Embedded Systems by Keegan Ryan.
This took a long time again. It gets harder and harder do to this since this stuff is not directly what I do on a day to day basis currently.

The Qualcomm Mobile Security summit was excellent again! Fantastic talks and again I met a bunch of people I mostly knew from email and/or twitter or haven't seen in quite some time. This conference still is unparalleled!

I had a minute to play with the BlackBerry KeyOne and it feels like a super solid device. The screen is bigger then I thought it would be and this makes the device almost too big for my taste - but this is hard to say from playing with it for just a minute.

So iOS will finally support NDEF tags.
This talk is really interesting for anybody interested in mobile application security. This is not about mobile app reverse engineering but about app, backend, phone infrastructure interaction. Pictures of the month:





Links

Tuesday, April 25 2017

Mobile Security News Update April 2017

Conferences
    Black Hat USA July 22-27 Las Vegas. BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS by Nitay Artenstein. (Program not complete)

    SyScan360 May 30-31 Seattle. Exploit iOS 9.x Userland with LLDB JIT by Wei Wang. The wounded android WIFI driver New attack surface in cfg80211 by Hao Chen.

    MOSEC June, Shanghai. Revisiting the Kernel Security Enhancements in iOS 10 AND Pwning Apple Watch. (Program still not complete)


Recordings for the first OsmoCon are available here. OsmoCon is, of course, a conference about the OsmoCom projects!

Android O news: will prompt for pin/passcode before enabling developer options, further Android O changes device identifiers and how to access them.

If you are interested in mobile backing Trojans you should follow Lukas Stefanko:

Somebody released the source code of FlexiSpy (mobile phone spyware) to the public. The release notes are here: readme.txt. The download is here: FlexiSpyOmni.zip, collection of all data is here: Source code and binaries of FlexiSpy from the Flexidie dump and a writeup of the dump is here: FlexSpy Application Analysis. I bet we will see more details in the coming weeks!

Does Blackberry give out review samples for the KEYone? I would really like one and give it a try (would post full review here of course!).


All Nokia phones ever made.

Yo Ralf where the slides at?


Links

Tuesday, March 28 2017

Mobile Security News Update March 2017 part2

Conferences
    Qualcomm Mobile Security Summit 2017 San Diego, May. All talks are on mobile security - super strong lineup!

    AppSec EU May 11-12, Belfast. How to steal mobile wallet? - Mobile contactless payments apps attack and defense. Fixing Mobile AppSec: The OWASP Mobile Project.

    MOSEC June Shanghai. Pwning Apple Watch. (program not complete yet!)


OffensiveCon is a new security conference in Berlin Germany focused on Offense. No details yet but they chose the right location for sure.

For everybody who didn't make it to the Android Security Symposium, they recorded the talks and the videos are available: here.

Google published a blog post and a detailed report on Android Security in 2016. The report covers everything from patching and update stats to high impact vulnerabilities. People posted a lot of summaries but you should really read it yourself if you work with Android.

Google pulls March security update for Nexus 6, after it breaks SafetyNet and Android Pay. This was pretty interesting, not the fact that they broke SafetyNet but that they broke it for their own devices (Nexus). This happened to some really small manufacturer before and if you have an idea of how SN works on the backend - it is clear what happened.



Links

Tuesday, March 07 2017

Mobile Security News Update March 2017

Conferences
    Black Hat ASIA Singapore March 28-31. FRIED APPLES: JAILBREAK DIY by Alex Hude, Max Bazaliy, Vlad Putin. ANTI-PLUGIN: DON'T LET YOUR APP PLAY AS AN ANDROID PLUGIN by Cong Zheng, Tongbo Luo, Xin Ouyang, Zhi Xu. REMOTELY COMPROMISING IOS VIA WI-FI AND ESCAPING THE SANDBOX by Marco Grassi. 3G/4G INTRANET SCANNING AND ITS APPLICATION ON THE WORMHOLE VULNERABILITY by Guangdong Bai, Zhang Qing. MOBILE-TELEPHONY THREATS IN ASIA by Lion Gu, Marco Balduzzi, Payas Gupta. MASHABLE: MOBILE APPLICATIONS OF SECRET HANDSHAKES OVER BLUETOOTH LE by Yan Michalevsky.

    CanSecWest Vancouver Canada, March 15-17. Qidan He : Pwning Nexus of Every Pixel: Chain of Bugs demystified. Logic Bug Hunting in Chrome on Android by Georgi Hershey & Robert Miller.

    Zer0Con Seoul, Korea April 13-14. Ian Beer : Through the mach portal.

    OsmoCon (Osmocom Conference) 2017 is the first technical conference for Osmocom users, operators and developers! April 21, Berlin. All about Osmocom!

    HITB Amsterdam April 13-14. FEMTOCELL HACKING: FROM ZERO TO ZERO DAY by JeongHoon Shin. CAN'T TOUCH THIS: CLONING ANY ANDROID HCE CONTACTLESS CARD by Slawomir Jasek. EXTRACTING ALL YOUR SECRETS: VULNERABILITIES IN ANDROID PASSWORD MANAGERS by Stephan Huber, Steven Artz, Siegfried Rasthofer. HUNTING FOR VULNERABILITIES IN SIGNAL by Markus Vervier.

    Opcde Dubai, UAE April 26-27. Practical attacks against Digital Wallet by Loic Falletta.


I took a way too long break again. So many things happen in the world of mobile security every week. I really wish I had more time for this. I also have a bunch of small things I need to put on this blog but I think they are too specific for the news and will likely get their own posts.

Some news from MWC (I didn't attend):
    First the BlackBerry KEYone a new Android-based phone with a physical keyboard. Other then the BB Priv the KEYone's keyboard is fix and doesn't slide. Movable parts are really not a good idea, they break way too fast. In my opinion this device looks super solid and likely will be supported longer than the average flagship phone from other manufacturers (data on this would be awesome).

    Nokia released 3 new Android phones the 3 (MTK), 5 (QCOM) and 6 (QCOM). The phones seem to run Android N without any modifications or vendor crap. Very low price (230Euro for the 6). The bottom of their website specifically says: You get an experience that's focused and clutter-free, and we'll make sure you keep getting regular updates, so you'll always stay on top of features and security. that is what you should expect in 2017.


The Android Devices Security Patch Status page is an awesome resource to determine if a specific device from a specific vendor has been patched and when the patch was released. From the page: This list is Prepared to Serve as a Quick reference to identify which Device is being actively maintained by the Vendor.. This is super useful, thanks!







MOSEC mobile security conference in June in Shanghai. This seems to be the 3rd year of the conference. There is no schedule yet.

The story of the day Vault 7: CIA Hacking Tools Revealed. Vault 7: CIA Hacking Tools Revealed : iOS Exploit list. Yes, the CIA uses n-day exploits! The Android exploits.

They talk about Android, Defcon, and backdooring your repo? ;-)


Pic of the month:

Links

Tuesday, January 24 2017

Mobile Security News Update January 2017

Conferences
    Recon Brussels Brussels, 27-29 January. Analyzing iOS apps: road from AppStore to security analysis report by Lenar Safin, Yaroslav Alexandrov, Egor Fominykh, Alexander Chernov.

    31CON Auckland NZ, 23-24 February. RAVISHANKAR BORGAONKAR (UK): PRIVACY ISSUES IN 4G. PHILIPPE LANGLOIS (FRANCE): something about mobile networks.

    Android Security Symposium 2017 Vienna Austria, March. Many interesting talks.

    Troopers Heidelberg, Germany. March. Hunting For Vulnerabilities in Signal by Jean-Philippe Aumasson, Markus Vervier. Samsung Pay: Tokenized Numbers, Flaws and Issues by Salvador Mendoza.

    TelcoSecDay @ Troopers It's no use crying over spilled 2G,3G,4G - what we need to fix in 5G. Outlook on 5G security from 3GPP perspective. Automated large-scale detection of rogue base stations: A field report. Exploring fraud in telephony networks, an illustration with Over-The-Top Bypass.

    Infiltrate Miami, FL. March. Jean-Philippe Aumasson, Markus Vervier: Hunting For Vulnerabilities in Signal. Georgi Geshev, Robert Miller: Logic Bug Hunting in Chrome on Android. Marco Grassi, Liang Chen: Remotely Compromising a Modern iOS Device. Vasilis Tsaousoglou, Patroklos Argyroudis: The Shadow over Android: Heap exploitation assistance for Android's libc allocator. Ralf-Phillip Weinmann: Did I hear a shell popping in your baseband?.


CFPs I'm not a fan or a user of WhatsApp but this backdoor story is just bad and will drive users away from a secure messaging app (maybe even the biggest install based of all of them). Zeynep Tufekci wrote an open letter to the Guardian to have them update the story. Moxie also wrote a blog post about these claims. The Guardian should have asked people with the technical expertise for advice before publishing the story.

AT&T 2G network shutdown happened on Dec 31 2016

AndroidXRef is looking for sponsors!

The mobile talks from 33c3 are all totally worth watching (no particular order): Pics of the month:



Links

Tuesday, December 13 2016

Mobile Security News Update December 2016

Conferences
    33c3 Hamburg, Germany 27-30 December. Downgrading iOS: From past to present by tihmstar. A look into the Mobile Messaging Black Box by Roland Schilling and Frieder Steinmetz. Dissecting modern (3G/4G) cellular modems by LaForge and holger. Geoloation methods in mobile networks by Erik.

    Shmoocon Washington D.C. January. A Context-Aware Kernel IPC Firewall for Android - David Wu, Sergey Bratus.

    Black Hat ASIA March 2017. FRIED APPLES: JAILBREAK DIY by Alex Hude and Max Bazaliy. MASHABLE: MOBILE APPLICATIONS OF SECRET HANDSHAKES OVER BLUETOOTH LE by Yan Michalevsky. REMOTELY COMPROMISING IOS VIA WI-FI AND ESCAPING THE SANDBOX by Marco Grassi.

I had to skip the November update due to a long overdue vacation. Playing with iOS webviews also did cost some time. Writing this blog becomes more and more time consuming since for some parts I would rather spent time on research than writing about other peoples research. Will see next year if I continue doing this or not. I'm doing this since January 2009 so it has been a few years.

New Conference: Samsung confirms it will render the US Note 7 useless with next update since the owners don't seem to care to return the phones to Samsung even tho they would get a replacement device. This is kind of hilarious.



Browser based iOS 9.3.x jailbreak (64bit only) it has been a while.

Chinese company installed secret backdoor on hundreds of thousands of phones


Recently the topic of SMS 2FA came up again. While I agree that SMS is not the most secure version of 2FA it is far far better then not providing any 2FA mechanism for your service.


Links

Friday, November 04 2016

Using Google Fi on an iPhone

TL;DR: Google Fi on an iPhone is iMessage plus Google Wifi calling with awesome international coverage.

Google Project Fi is super interesting as it provides an actual low cost alternative to other carriers especially if you travel. The free data-only SIM is also a nice add-on.

Project Fi is exclusively targeting users of Google Nexus Android devices and you actually need one of the supported phones to activate the SIM which can be ordered on the Fi website.

I currently use an iPhone SE (mainly due to the device's tech specs and form-factor - I can't stand phablets!) so I was curious if I can just buy a Google Fi SIM and use it in an iPhone or any other phone actually. Of course I'm not the first person to think about this, but the only decent article on this topic is this one. Sadly most articles that are returned for a search on iPhone Google Fi are just totally useless. Even this article is not good.

I decided to just order Google Fi and a data-only SIM and give it a try. I used a Nexus 5x that I have access to for activating the SIM card. The activation process is really simple. Basically you need to put the SIM card into a compatible phone and install the Google Fi app. Done.

The activated SIM card can be put into any other phone, I tried an iPhone 5c and it just works. You automatically get the APN settings (the mobile data settings) pushed to your phone. Cellular data immediately works! Voice calls work too.

Wifi calling also works, although it (obviously) only works via the Hangout app but it does work. I put my phone into airplane mode and called the number from another phone and yea it rings.

The only service that is a bit unsatisfying is SMS (text messaging). The default option for Google Fi is to send and receive SMS via Google Hangout. Google Hangout exists for iOS and if you login with your Google Account that is associated with your Google Fi service you just install Hangouts and everything just works! If you actually want to use the iOS Messages app you can deactivate SMS via Hangout in the Hangout app on your phone. This will allow you to send and receive SMS via Messages. The only issue here is that incoming SMS messages get some Google specific data attached, as shown below. This is a little annoying but is only on incoming messages (you don't look like an idiot when sending messages to other people). Most of my contacts are on iMessage anyway these days so this is a non issue. Also I'm ok with using Hangouts for SMS since yea iMessage and other messaging apps.


The switch to change between native SMS and Hangout SMS the switch above it does the same for voice calls (to enable Wifi calling).


The broken* incoming SMS, the ~Dgr... is added by Google Fi, this does not show up in Hangouts. Other people have reported that this just went away after short time.

Things that don't work? switching between T-Mobile, Sprint, and US Cellular since this is done via the Google Fi app on Android devices (I actually don't have any idea about this yet).

Preliminary Conclusions
    Altogether Google Fi looks pretty cool and works with an iPhone (besides the hick-up with SMS). iMessage works (it is just an Internet service after all). Wifi calling via Hangouts is nice.

    If you are a hardcore iOS/Mac user Google Fi is too much Google for you. I'm a Linux user with an iPhone so Google Fi makes a lot of sense. Desktop calls and SMS via Hangouts is a nice thing to have in addition to iMessage.


Google Fi on an oooold phone (Android 4.0). Hangouts seem to work fine too.

*The data is a BASE64 encoded blob, no obvious data after looking at a bunch of them of an hour or less.