...stuff I do and things I like...

Tuesday, October 24 2017

Mobile Security News Update October 2017

Conferences
    PacSec Nov 1-2, Tokyo, Japan. Grandma's old bag, how outdated libraries spoil Android app security by Marc Schoenefeld. When encryption is not enough: Attacking Wearable - Mobile communication over BLE by Kavya Racharla. The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by Di Shen.

    DeepSec Nov 14-17, Vienna, Austria. Normal Permissions In Android: An Audiovisual Deception by Constantinos Patsakis.

    Black Hat Europe 2017 Dec 4-7, London, UK. ATTACKING NEXTGEN ROAMING NETWORKS by Daniel Mende, Hendrik Schmidt. ATTACKS AGAINST GSMA'S M2M REMOTE PROVISIONING by Maxime Meyer. BLUEBORNE - A NEW CLASS OF AIRBORNE ATTACKS THAT CAN REMOTELY COMPROMISE ANY LINUX/IOT DEVICE by Ben Seri, Gregory Vishnepolsky. DIFUZZING ANDROID KERNEL DRIVERS by Aravind Machiry, Chris Salls, Jake Corina, Shuang Hao, Yan Shoshitaishvili. HOW SAMSUNG SECURES YOUR WALLET AND HOW TO BREAK IT by HC MA. INSIDE ANDROID'S SAFETYNET ATTESTATION by Collin Mulliner, John Kozyrakis. JAILBREAKING APPLE WATCH by Max Bazaliy. RO(O)TTEN APPLES: VULNERABILITY HEAVEN IN THE IOS SANDBOX by Adam Donenfeld.


Quick conference review: both 44con and ekoparty were great. Ekoparty was especially awesome since I got to check the last continent off my list. Also the size of ekoparty was way beyond what I was expecting. They managed to have a really good conference that is professionally run while still maintaining the vibe of a hacker / underground con <3

Two weeks ago there was a post on Medium about two companies that provide a mobile identification service. That service basically can be used to convert your phone's IP address into real information about the owner of the phone (the contract owner). This is done via APIs that are provided by multiple Mobile Network Operators (such as AT&T). The Medium article linked to demo pages of those two service providers (payfone and danal inc) that show not only your phone number but also your operator's name, your name and address.

I played with the two demo sites for a bit (while they were still online - offline now). I'm on Google Fi with a number ported from T-Mobile (pre-paid). Payfone only had my phone number and old carrier (T-Mobile) while Danal inc showed no data at all. I never provided any data to T-Mobile since it is not required for a pre-paid card. Google has all the data but likely does not share it with 3rd parties.

Overall this is a service that I really don't want to exist. I don't want an arbitrary company to be able to identify me while visiting their website from my mobile phone. I hope those companies don't just sell their services to anybody. Read the Medium article again: AT&T consumer choice opt-out doesn't affect this!

iOS 11, the tragedy continues: 11.0 had a bunch of flaws that were annoying. Now 11.0.3 randomly freezes my phone for minutes. Also I have some issues with voice call audio not working sometimes. Highly disappointing!

Pictures of the month:
Links

Thursday, July 13 2017

Mobile Security News Update July 2017

Conferences
    Black Hat USA Las Vegas, July 26-27. ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson. NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park. SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois. FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven. GHOST TELEPHONIST LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng. HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich. DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen. BLUE PILL FOR YOUR PHONE by Oleksandr Bazhaniuk, Yuriy Bulygin. CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio.

    Defcon Las Vegas. Jailbreaking Apple Watch by Max Bazaliy. Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks by CINCVolFLT (Trey Forgety). macOS/iOS Kernel Debugging and Heap Feng Shui by Min(Spark) Zheng & Xiangyu Liu. Using GPS Spoofing to Control Time by David "Karit" Robinson. Phone System Testing and Other Fun Tricks by "Snide" Owen. Unboxing Android: Everything You Wanted To Know About Android Packers by Avi Bashan & Slava Makkaveev. Ghost in the Droid: Possessing Android Applications with ParaSpectre by chaosdata. 'Ghost Telephonist' Impersonates You Through LTE CSFB by Yuwei Zheng & Lin Huang. Bypassing Android Password Manager Apps Without Root by Stephan Huber & Siegfried Rasthofer. Man in the NFC by Haoqi Shan & Jian Yuan.

    USENIX Workshop on Offensive Technologies (WOOT) Vancouver, Canada, 14-15 August. Shattered Trust: When Replacement Smartphone Components Attack by Omer Shwartz, Amir Cohen, Asaf Shabtai, and Yossi Oren. White-Stingray: Evaluating IMSI Catchers Detection Applications by Shinjo Park, Altaf Shaik, Ravishankar Borgaonkar, Andrew Martin, Jean-Pierre Seifert. fastboot oem vuln by Roee Hay.

Black Hat and Defcon have a really good number of mobile related talks this year.

It was a busy month and July will be even busier. I'll be at GSMA DSG, Black Hat and Defcon in July, and at Usenix WOOT in mid-August.



Picture of the month:

There is a lot happening in the Android bootloader world at the moment. I guess this is what happens when devices get more and more locked down - people go after the root of trust.

Links:

Tuesday, June 06 2017

Mobile Security News Update June 2017

Conferences
    Black Hat USA July 26-27 Las Vegas. 'GHOST TELEPHONIST' LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng. ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson. BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS by Nitay Artenstein. CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio. DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen. FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven. HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich. NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park. SONIC GUN TO SMART DEVICES: YOUR DEVICES LOSE CONTROL UNDER ULTRASOUND/SOUND by Aimin Pan, Bo Yang, Shangyuan LI, Wang Kang, Zhengbo Wang. SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois. THE FUTURE OF APPLEPWN - HOW TO SAVE YOUR MONEY by Timur Yunusov.

    (Black Hat has a very strong mobile security line up this year.)

    Defcon July 27-30 Las Vegas. Man in the NFC by Haoqi Shan & Jian Yuan. (speaker selection not final)

    MOSEC June, Shanghai added a bunch of talks (all mobile security related, obviously).

    Recon June 16-18 Montreal, Canada. FreeCalypso: a fully liberated GSM baseband by Mychaela Falconia. Hacking Cell Phone Embedded Systems by Keegan Ryan.

This took a long time again. It gets harder and harder to do this since this stuff is not directly what I do on a day to day basis currently.

The Qualcomm Mobile Security summit was excellent again! Fantastic talks and again I met a bunch of people I mostly knew from email and/or twitter or haven't seen in quite some time. This conference still is unparalleled!

I had a minute to play with the BlackBerry KeyOne and it feels like a super solid device. The screen is bigger than I thought it would be and this makes the device almost too big for my taste - but this is hard to say from playing with it for just a minute.

So iOS will finally support NDEF tags.

This talk is really interesting for anybody interested in mobile application security. It is not about mobile app reverse engineering but about the interaction between the app, the backend and the phone infrastructure.

Pictures of the month:
Links

Tuesday, March 08 2016

Mobile Security News Update March 2016

Conferences
    CanSecWest Vancouver, Canada. Don't Trust Your Eye: Apple Graphics Is Compromised! - Liang Chen + Marco Grassi. Having fun with secure messengers and Android Wear - Artem Chaykin. Pwn a Nexus device with a single vulnerability - Guang Gong.

    Troopers Heidelberg, Germany. QNX: 99 Problems but a Microkernel ain't one! Georgi Geshev, Alex Plaskett.


Looks like I will go to very few conferences this year.

We finally published our paper on Android application analysis support using intelligent GUI stimulation. The work CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes uses / enhances Andrubis.

Excellent post on Apple vs FBI by Dan Guido: Apple can comply with the FBI court order


Links

Monday, January 18 2016

Mobile Security News Update January 2016

Conferences:
    Black Hat Asia March 29, Singapore. ANDROID COMMERCIAL SPYWARE DISEASE AND MEDICATION by Mustafa Saad. ENTERPRISE APPS: BYPASSING THE IOS GATEKEEPER by Avi Bashan & Ohad Bobrov. HEY YOUR PARCEL LOOKS BAD - FUZZING AND EXPLOITING PARCEL-IZATION VULNERABILITIES IN ANDROID by Qidan He. SU-A-CYDER: HOMEBREWING MALWARE FOR IOS LIKE A B0$$! by Chilik Tamir.


I guess it is still too early in the year for conference programs. ShmooCon just concluded, Infiltrate doesn't have any mobile talks, and SyScan didn't post accepted talks yet. This weekend I attended the first BSidesNYC. The conference was pretty good, some expected and some unexpected good talks. The conference venue was pretty nice and spacious. I will go again.

If you are into NFC research check out: ChameleonMini - A Versatile NFC Card Emulator, a new Kickstarter project. The guys who run it definitely know what they are doing.

Links:

Sunday, October 04 2015

Mobile Security News Update October 2015

Conferences
    Black Hat Europe November, Amsterdam NL. ALL YOUR ROOT CHECKS BELONG TO US: THE SAD STATE OF ROOT DETECTION by Azzedine Benameur & Nathan Evans & Yun Shen. ANDROBUGS FRAMEWORK: AN ANDROID APPLICATION SECURITY VULNERABILITY SCANNER by Yu-Cheng Lin. AUTHENTICATOR LEAKAGE THROUGH BACKUP CHANNELS ON ANDROID by Guangdong Bai. FAUX DISK ENCRYPTION: REALITIES OF SECURE STORAGE ON MOBILE DEVICES by Daniel Mayer & Drew Suarez. FUZZING ANDROID: A RECIPE FOR UNCOVERING VULNERABILITIES INSIDE SYSTEM COMPONENTS IN ANDROID by Alexandru Blanda. LTE & IMSI CATCHER MYTHS by Ravishankar Borgaonkar & Altaf Shaik & N. Asokan & Valtteri Niemi & Jean-Pierre Seifert. TRIAGING CRASHES WITH BACKWARD TAINT ANALYSIS FOR ARM ARCHITECTURE by Dongwoo Kim & Sangwho Kim.

    Secret Conference October 9th, NYC. Talks by Jon Callas and Dan Ford from Silent Circle / Blackphone.

    Ruxcon October 24-25 Melbourne, Aus. TEAM PANGU on DESIGN, IMPLEMENTATION AND BYPASS OF THE CHAIN-OF-TRUST MODEL OF IOS. MARK DOWD on MALWAIRDROP: COMPROMISING IDEVICES VIA AIRDROP. JOSHUA KERNELSMITH SMITH on HIGH-DEF FUZZING: EXPLORING VULNERABILITIES IN HDMI-CEC. BABIL GOLAM SARWAR on HACK NFC ACCESS CARDS & STEAL CREDIT CARD DATA WITH ANDROID FOR FUN & PROFIT. COLBY MOORE on SPREAD SPECTRUM SATCOM HACKING: ATTACKING THE GLOBALSTAR SDS.

    ToorCon San Diego October 24-25, San Diego, CA. The Phr3$h Pr1nc3 0f Bellk0r3 on Fuzzing GSM for fun and profit.

    SyScan360i October 21-22 Beijing China. Fuzzing Android System Service by Binder Call to Escalate Privilege by Guang Gong.

    PacSec November, Tokyo JP. BlueToot / BlueProx - when Bluetooth met NFC by Adam Laurie.

    ZeroNights 25-26 November, Russia. Extracting the painful (Blue)tooth by Matteo Beccaro and Matteo Collura.


HP / ZDI will not run Mobile Pwn2Own at PacSec (in Japan) due to export restrictions. Source: Dragos Ruiu. This is unfortunate.

Personal note: Since September I'm working for Square doing mobile security engineering. This blog will only be temporarily affected by the job switch; as I get settled I will return to more than one post per month.

Links

Tuesday, August 18 2015

Mobile Security News Update August 2015

Finally I have time to write a new blog post again. The last couple of weeks have been super busy for me. I had to finish a project, prepare a talk about it, and give a bunch of talks at various places in July and August.

Conferences
    T2 Helsinki, Finland. LTE (in)Security by Ravishankar Borgaonkar & Altaf Shaik.

    BalcCon Novi Sad, Vojvodina, Serbia. Private communications with mobile phones in the post-Snowden world, the _open_source_ way by Bojan Smiljanic.

    APPSEC USA San Francisco, CA. QARK: Android App Exploit and SCA Tool by Tushar Dalvi and Tony Trummer. SecureMe-Droid Android Security Application by Vishal Asthana and Abhineet Jayaraj. OWASP Reverse Engineering and Code Modification Prevention Project (Mobile) by Jonathan Carter. ShadowOS: Modifying the Android OS for Mobile Application Testing by Ray Kelly.

    GrrCon Grand Rapids, MI. Phones and Privacy for Consumers by Matthew and David.


Smartwatches
    I recently bought an Apple Watch. The primary reason was fun. Also, since I switched to Two-Factor Authentication (2FA) for all my private infrastructure and all my web accounts that support it, I thought it would make life easier. I use Duo 2FA for my own stuff and they have a Watch app which is pretty convenient. Before that I owned the first Pebble watch. I liked that a lot even though I had a lot of issues with the Bluetooth connection between the Pebble and my Nexus 5. Sometimes it worked great and sometimes it just didn't work at all. I also got an LG G Watch R (W110) (Android Wear) but I didn't really use it. It was much too big for my wrist. Also the round display was kinda strange. Some of the apps seem to not be designed for it and cut off parts of the information that should be displayed. I also found the interface to be confusing, but this might be due to my very very short trial run of the watch. Between the Pebble and the LG Watch I also had a Toq but the Toq had many issues besides its size so I never really used it. I tried to wear it like once.

    Anyway, the only reason I write about smartwatches is because I really like the Duo 2FA watch app. This makes 2FA much much easier and more user friendly. I know I'm not the first to write about smartwatches or wearables in the security context, but the user friendliness could really make a difference. Also a watch is harder to lose than a token (if you still use one of those).


Stagefright
    I guess I don't have to say much about the Stagefright series of Android security vulnerabilities. The vulnerabilities are present in Android's media format handling library (named stagefright). Several factors make these bugs interesting. First, every Android version since 2.2 was vulnerable, which at the time of discovery was around 95% of all devices. Second, the bug can be remotely triggered via MMS. Yes, MMS once again provides the ultimate attack vector against smartphones. Who would have known? ;-)

    The bug was patched relatively fast by Google since Joshua provided patches. Google started shipping OTA updates for their Nexus devices relatively fast. Still, most Android devices will not get patched or will receive their patches super late (and thus users will not be protected in a timely fashion). The reason for this is mostly the mobile ecosystem, which is largely not suited for fast patch deployment. I provided some comments about this issue on NPR in late July.

    While patches/updates were rolled out, Jordan from Exodus found that the patches are not complete and that more vulnerabilities remain in the exact code that was fixed in the update. His blog post describing the issue is here.

    The only way to protect yourself is to update your device to a firmware version that does not contain the vulnerability. If you are one of the many people who own phones that did not yet receive an update, your only chance is to disable MMS auto-download. This will not kill the bug since you can still be attacked using other vectors (e.g. downloading and playing a .mp4 file), but disabling MMS auto-download will at least remove the automatic remote exploitation problem. A step by step way to disable MMS auto-download for various MMS clients is provided by Lookout here.

    Stagefright links:

Links