...stuff I do and things I like...

Tuesday, August 24 2010

Mobile Security News August 2010 Part 2

At T2 Nils talks about some WebOS and Android vulns; this should be quite interesting since he likely will cover the bugs he recently found. T2 is really one of the European cons I want to go to, very high priority! Especially since I can't go to SEC-T this year. Hacking the RKF ticket system and How to stay invisible (while still using cellphones) sound quite interesting.

The BruCON schedule looks quite interesting: 1) GSM Security: Fact and Fiction, 2) NFC Malicious Content sharing (the abstract sounds like something I've done some years ago - I wonder what kind of new stuff they found) and 3) The Monkey Steals the Berries: The State of Mobile Security. So BruCON actually looks quite good, another CON I need to go to at some point.

At SecTor there seems to be a single mobile talk: Black Berry Security FUD Free.

That's it for August as far as I can see.

Update: I totally forgot DeepSec. This year it seems like a mobile-only security conference. Talks are:
1) Pentesting Internet Handheld Devices
2) Debugging GSM
3) Targeted DOS Attack and various fun with GSM Um
4) Mobile VoIP Steganography: From Framework to Implementation
5) Mobile privacy: Tor on the iPhone and other unusual devices
6) OsmocomBB: A tool for GSM protocol level security analysis of GSM networks
7) Malicious applications for Smartphones
8) All your baseband are belong to us
9) Android: Reverse Engineering and Forensics
10) LTE Radio Interface structure and its security mechanism

Thursday, June 18 2009

Two NewOld Mobile Phone Advisories Posted

I've been waiting for quite some time to publish the full details of the iPhone Safari Phone-auto-Dial vulnerability. But since Apple included it again in the just-published security fixes for iPhone OS 3.0, I decided to finally go ahead and publish the details. The examples in the advisory show only the original bug. We also found some variations of it, but we didn't put any examples in the advisory.

iPhone Safari Phone Auto-dial Vulnerability; also see my iPhone page.

I'm also credited, together with many others, for reporting the issue that Mail loads remote images when displaying HTML emails. The problem is actually a little bit bigger since iframes are also loaded. I actually showed them a demo where I can start QuickTime from Mail without user interaction. Do I need to say more?

The second advisory is about the Nokia 6212 classic, a Near Field Communication mobile phone. I did a full disclosure of the bugs at 25C3 in late December 2008 but I never published an actual advisory. I do this now.

Nokia 6212 Classic URI Spoofing and DoS vulnerabilities; also see my NFC page.

Thursday, June 11 2009

Antennas in NFC Phones

Gerald Madlmayr's Forum Nokia Blog: NFC Phones - Open up! or Where to put the Antenna in an NFC Phone..

Yes, the antenna of the Nokia 6212 classic really sucks. It is almost impossible to read small RFID tags with this phone.

Nicely done, Gerald!

Wednesday, April 29 2009

Mobile Security News April 2009 part 2

Just a quickie: the slides from BlackHat Europe have been up for a few days. Here are the slides for Hijacking Mobile Data Connections and for Passports Reloaded Goes Mobile (clone an RFID passport using an NFC mobile phone). So far Charlie Miller and Vincenzo Iozzo only put up a whitepaper of their OS X and iPhone talk.

If you can understand German (spoken word) you might want to listen to Chaosradio Express episode 120 which is about OpenBSC and generally about building GSM networks or actually the software to run a network in your cellar/garage.

In the last week there was a short buzz about an old Nokia phone (Nokia 1100) that could be reprogrammed to sniff SMS messages. The story really sounds like a hoax since the whole subscriber ID stuff is handled through the SIM card rather than through the phone itself. There are not many details, just the story. F-Secure has something in their blog about this too.

Yesterday the new Android version cupcake was released for developer phones, get your cupcake while it's still warm :-) Get it from here.

Btw the Technology Review article citing me is only in the next issue (06.2009).

Wednesday, March 11 2009

Samsung SGH-X700N NFC phone

I had the chance to play with the Samsung SGH-X700N, one of Samsung's NFC mobile phones. The hardware is OK, not as crappy as the Motorola L7. The software part is rather sad since there is no NFC support in the basic phone applications; this seems to be something only Nokia manages to do. The only piece of NFC software I found was a simple demo application. Sadly the demo application could not read my NDEF-formatted Mifare tags. The demo app shows an access error so I guess they haven't implemented NDEF and therefore they don't know the NDEF Mifare-keys. I haven't bothered looking at their SDK.

I gladly borrow NFC phones from anybody (and any company who is not afraid of honest reviews).

Thursday, February 12 2009

Mobile Security News February 2009

This year's CanSecWest will have a good amount of smart phone security related talks besides the earlier announced mobile pwn2own contest. Talks seem to be focused on the iPhone and the Android platform. 1) Alfredo Ortega and Nico Economou - Multiplatform Iphone/Android Shellcode, and other smart phone insecurities 2) Jon Oberheide - A Look at a Modern Mobile Security Model: Google's Android and 3) Sergio 'shadown' Alvarez - The Smart-Phones Nightmare. I suppose Sergio Alvarez is also going to talk about the iPhone since Apple fixed multiple bugs that he submitted in the iPhone 2.2 update. I'm a bit sad that I can't attend CanSecWest.

At BlackHat Europe Jeroen van Beek will show his NFC-phone-based e-Passport cloning tools. Maybe there is even more mobile security stuff going on there since the speaker list is not yet complete.

Done with conferences for this post. The guys from the Mobile Security Lab just launched their poc site where people can test their phones using exploits developed by the mobile security lab. Nice idea!

Last weekend at ShmooCon Charlie Miller released details on a vulnerability in Android's audio player. Some links: 1 2

Related news: Palm has finally killed PalmOS. I really waited a long time for this to happen. PalmOS was just way past its time. This is a good and sad thing, but now it's over.

Did I miss anything?

Thursday, January 15 2009

NFC/NDEF Tool Update (from 25c3)

I've just uploaded the latest version of my NFC/NDEF tools. This is the version that I presented at my talk at 25C3. I mainly added some parsers for the new NDEF records supported by the Nokia 6212 Classic. Also included are some bug fixes and a small fix to talk to the BtNfcAdapter running on the Nokia 6212. I further included some more attack samples and an updated version of my ndef_mifare reader/writer tool.

At 25C3 I had the chance to take a look at Motorola's L7 NFC phone that is used by Deutsche Bahn Touch and Travel. The phone is not a real NFC phone; Motorola just replaced the battery lid with a lid that also contains the NFC hardware (or maybe only the antenna). The only NFC functionality the phone supports is the Touch and Travel application. What is really bad is that the user first needs to start the application and then hold the phone up to the Touch Point. WTF? How is this going to be a good user experience? The Nokia phones constantly scan for NFC tags and start the appropriate application as soon as one holds the phone up to a tag.

Finally I have noticed that RMV ConTags are starting to appear all over the place outside Frankfurt/Main. Also they only seem to be placed at big stations like the Darmstadt main station (Hauptbahnhof) but not inside the city. As always I like to know about interesting new NFC services around Europe and especially Germany.