Thursday, January 31 2013
Conferences:
CanSecWest, coming up in March, has started posting talks: Doug DePerry @dugdep & Tom Ritter @TomRittervg - CDMA Femtocell Traffic Interception and Remote Mobile Phone Cloning, Rahul Sasi @fb1h2s - SMS to Meterpreter, Fuzzing USB Modems, Stefan Esser @i0n1c will be talking about iOS, Joshua J. Drake @jduck1337i - Tackling the Android Challenge. In addition to mobile security there is another super interesting talk about embedded system security: @beist will be talking about Samsung SmartTVs.
SyScan Singapore is coming up in April and also posted talks. There are not too many mobile talks but all talks sound pretty good. Stefan Esser ( @i0n1c ) - Mountain Lion / iOS Vulnerability Garage Sale. I will also show some stuff I've been working on in the past month during a lightning talk, all brand new!
SourceBoston also in April: Protecting sensitive information on iOS devices David Schuetz, Attacking NFC Mobile Wallets: Where Trust Breaks Down Max Sobell.
Infiltrate: Matias Soler - The Chameleon: A cellphone-based USB impersonator, Stephen Lawler & Stephen Ridley - Advanced Exploitation of Mobile/Embedded Devices: The ARM Microprocessor.
News:
Personal notes: I'm going to be in San Francisco during RSA, ping me if you want to chat. I'm also going to be at CanSecWest, just attending this year. Further I'm going to SyScan. I also plan to be around SourceBoston but unfortunately not attending (ticket prices vs. university etc, I'm not complaining).
Friday, November 30 2012
I finally managed to release v0.2 of my Android DBI framework, the version I announced at BreakPoint and RuxCon.
New in this version: actually working Thumb support, NFC card emulation code for fuzzing.
Slides
collin_android_dbi_v02.zip
Happy hacking! Feedback is welcome!
Tuesday, September 25 2012
First I want to talk about Ravi's awesome findings on USSD and TEL URIs (RFC 2806).
Ravi was working on USSD security in general and found that on Android phones you can inject USSD codes
into the phone dialer via the TEL URI handler without user interaction. Meaning you don't have to
press the call button (aka the green button) to activate the USSD code. Using this he showed how to
brick SIM cards and how to wipe Samsung-made Android phones. The beauty of TEL URIs is that
it is super easy to have them activated on a mobile phone. In 2010 I did a talk on this at
CanSecWest (Random tales from a mobile phone hacker; skip to the end of the talk for the TEL/SMS URI stuff). The basic technique used
for this kind of attack is iframes, but it could very well be any other kind of URI activation method (redirects, img tag, etc.).
A video of Ravi's demo from Ekoparty is here Demo Dirty use of USSD Codes in Cellular Network en Ekoparty 2012.
Further info:
This is a super fun bug class; it's also a little bit sad that stuff like this works at all.
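The root of the problem above is that the dialer treated whatever arrived in a tel: URI as something to execute. The following is an added example (my own illustration, not code from the post or from any Android component) of the classification step a URI handler can perform before it touches the dialer: decode the percent-encoding first, because "#" must be sent as %23 inside a URI, strip the visual separators RFC 3966 allows, and then only let plain subscriber numbers through without a prompt, while MMI/USSD strings ("*...#" / "#...#") are flagged so the user has to confirm them. The sample URIs at the bottom are constructed; "*#06#" is the well-known IMEI display code.

```python
"""Classify tel: URIs before a dialer or link handler acts on them.

Added defensive example for the USSD-via-TEL-URI issue: a handler should
never execute an MMI/USSD string received from a URI without confirmation.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Visual separators RFC 3966 allows inside a phone number.
_SEPARATORS = re.compile(r"[\s().-]")
# Plain subscriber number: optional leading "+", then digits only.
_PLAIN_NUMBER = re.compile(r"^\+?[0-9]+$")
# MMI / USSD string: starts with * or #, body of digits/*/#, ends with #.
_MMI = re.compile(r"^[*#][0-9*#]*#$")


def extract_dial_string(uri: str) -> Optional[str]:
    """Return the dial string carried by a tel: URI, or None for other schemes.

    Percent-encoding is decoded first: an injected link will carry '#' as
    %23 (and may encode '*' as %2A), so inspecting the raw text is useless.
    URI parameters such as ';phone-context=...' are not part of the number.
    """
    if uri[:4].lower() != "tel:":
        return None
    rest = uri[4:].split(";", 1)[0]
    return _SEPARATORS.sub("", unquote(rest))


def classify_tel_uri(uri: str) -> str:
    """'number' for ordinary dialable numbers, 'ussd' for MMI/USSD strings,
    'invalid' for anything else (including non-tel: URIs)."""
    dial = extract_dial_string(uri)
    if not dial:
        return "invalid"
    if _PLAIN_NUMBER.match(dial):
        return "number"
    if _MMI.match(dial):
        return "ussd"
    return "invalid"


def safe_to_prefill(uri: str) -> bool:
    """True only for plain numbers; those may be placed into the dialer
    without a prompt. USSD strings must be displayed and confirmed by the user."""
    return classify_tel_uri(uri) == "number"


# Constructed sample inputs (not taken from the original post).
SAMPLES = {
    "tel:+1-555-0100": "number",
    "tel:5550100;phone-context=example.com": "number",
    "tel:*%2306%23": "ussd",        # *#06# (IMEI display), '#' percent-encoded
    "tel:%23%23002%23": "ussd",     # ##002#, fully percent-encoded
    "tel:javascript:alert(1)": "invalid",
    "sms:+15550100": "invalid",
}

if __name__ == "__main__":
    for uri, expected in SAMPLES.items():
        got = classify_tel_uri(uri)
        print(f"{uri:40} -> {got:8} (expected {expected})")
```

The three-way split matters: treating every non-digit string as "invalid" would also block legitimate vertical service codes, so the handler flags USSD for confirmation rather than silently dropping it, which is the behaviour the fixed dialers adopted.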
Second, more cool NFC/RFID mobile hacking from the good guys at Intrepidus. They investigated
RFID-based transit passes and wrote an Android application that can reset the pass. While the
actual basic idea is not new, I really like the phone as the attack tool since you always carry
it around with you. Some guy could stand on the corner next to the subway entry and sell
you the service of resetting your transit pass. Check out their writeup: UltraReset - Bypassing NFC access control with your smartphone
On the topic of NFC and security: the guy(s) behind RadioWarCN released an Android toolkit for messing with RFID/NFC tags. Check it out here: Radiowar Release NFC-WAR Preview. I didn't have the time to try it myself.
Conferences:
ToorCon in mid October (damn, I can't go) so far has these mobile talks lined up: Mobile Device attack graphs for fun and profit - Jimmy Shah. {Malandroid} The Crux of Android Infections - Aditya K Sood. When Cell Towers Become Too Smart For Their Own Good - Drew "RedShift" Porter. Also my former co-worker Dmitry (hwsec.net) seems to be giving a talk, my bet is on hardware security.
That is it for now. I'm super busy working on a new Android security project. This will kick ass.
Monday, September 10 2012
Conferences:
Ekoparty in Buenos Aires September 19-21.
Alfredo Ortega & Sebastian "topo" Muniz - Satellite baseband mods: Taking control of the InmarSat GMR-2 phone terminal, Ravishankar Bhaskarrao Borgaonkar - Dirty use of USSD Codes in Cellular Network. Ravi's talk will be awesome - this will hurt a lot.
EuSecWest Dragos keeps adding mobile talks! Way to go!
SEC-T also added a few talks since my last blog entry.
Hashdays, end of October in Lucerne, Switzerland (the place to get a bank account ;): Ben April - NFC: I don't think it means what you think it means; Martin Rutishauser - Satellite Hacking: An Introduction; Ilja van Sprundel - The Security (or Insecurity) of 3rd Party iOS Applications.
Links:
Monday, August 20 2012
More conferences!
DeepSec taking place end of November in Vienna has published their
schedule. They have a number of mobile talks as usual but unfortunately they also have THE one talk
that every conference has this year :-( The talks are: Introducing the Smartphone Pentesting Framework
Georgia Weidman (Bulb Security LLC), Pentesting iOS Apps - Runtime Analysis and Manipulation
Andreas Kurtz (NESO Security Labs / University of Erlangen-Nuremberg), Hacking the NFC credit cards for fun and debit ;)
Renaud Lifchitz (BT (formerly known as British Telecom)), The Security (or Insecurity) of 3rd Party iOS Applications
Ilja van Sprundel (IOActive, Inc.).
EuSecWest happening in late September in Amsterdam. Dragos always had
this love for mobile security and this year he is showing this at EuSec. Basically EuSec is a mobile
security event this year, especially because of the mobile pwn2own! Talks so far: Mapping and Evolution of Android Permissions - Andrew Reiter & Zach Lanier, APK Infection on Android - Robert McArdle & Bob Pan, NFC For Free Rides and Rooms (on your phone) - Corey Benninger & Max Sobell, Using HTTP headers pollution for mobile networks attacks - Bogdan Alecu , iOS Application Auditing - Julien Bachmann.
Hack.LU in October also has a mobile talk. Benedikt Driessen -Satellite phone - an analysis of the GMR-1 and GMR-2 standards.
Hack in The Box Malaysia seems to have a bunch of mobile stuff. But their conference website is so ugly that it is hard to find details :-(
SEC-T takes place in September in Stockholm - one of my favorite cons! So far they have: Dead Addict - Mobile PKI UX: the state of shit, Torbjörn Lofterud - iPhone raw NAND recovery and forensics.
T2 does not seem to have any mobile stuff this year.
More upcoming CFPs should include ToorCon in San Diego but sadly it overlaps with BreakPoint. I would really like to
go to ToorCon once.
It looks like I will come to NYC in November to give a talk at an event at NY-Poly. It is also likely
that I will come to SF early in December.
News:
By now I arrived in Boston and started working at my new job at Northeastern University. So far I haven't done much in the city. I'm still looking for an apartment so if you have good pointers shoot me an email.
Wednesday, August 01 2012
Once again I attended Black Hat USA and Defcon.
This year I was actually speaking at Black Hat again. My talk
Probing Mobile Operator Networks was received well, as far as I
understood from the feedback. The slides can be downloaded from
my project web page. I'm
planning a follow-up project to extend my work for an academic research
paper.
Some personal comments.
Black Hat: 1. I really liked
the track idea, putting related talks into one room. I basically stayed
in my room "Mobile" for the whole day. 2. The new room layout of
Black Hat was good and bad. Moving the vendor area into the back was
a good move. But for some reason the new layout made it impossible
to meet people randomly (as confirmed by some people I actually met).
3. The "vendor talk" aka the iOS security talk: I didn't like the
talk since it only listed iOS security features. Also the speaker
didn't take questions. 4. All in all a good event.
Defcon: 1. too many people! 2. I saw three talks by accident; the one
I liked was Eddie's NFC Credit Card talk, nice work. 3. too many people!
Both events were so crowded with people I know and like that I didn't get
the chance to hang out with everyone. I even missed a few people entirely,
couldn't even say hi :-(
Best thing this year was playing at HackCup with the good guys
from the Intrepidus Group.
Finally, NinjaTel! How cool is this! See here
Tuesday, June 19 2012
I just uploaded my Android Dynamic Binary Instrumentation (DBI) framework. As I wrote before
the framework is very simple. It supports hooking function entry points only. The source
includes the shared library (.so) injector and the hooking/patching functionality. I also
included one simple example instrument to sniff the UART communication between
com.android.nfc and the NFC chip on a Galaxy Nexus.
I plan to further enhance this toolset and welcome everybody to submit patches. If there
is a lot of interest I will move the source to a public archive like github.
The first release is available here: collin_android_dbi_v01.zip
To use this tool you need a Linux ARM gcc compiler such as included in the Android NDK.