Collin R. Mulliner

Back from SyScan

Mon, 09 Jul 2007 06:17:00 GMT

I'm back from SyScan (and Singapore). It was a lot of fun I and I met many interesting people. It was a really good time.

The slides for my talk are available here.

PocketPC MMS talk at SyScan07

Tue, 22 May 2007 12:00:00 GMT

In early July I am giving my PocketPC MMS talk at SyScan in Singapore. Looking at the speakers list you will find another trifinite member and many guys from Germany :-)

This will be my first time to Asia and I'm really looking forward to it!

F-Secure has a Signature for my MMS PocketPC Exploit

Wed, 10 Jan 2007 12:42:00 GMT

see the story in the F-Secure Labs blog here.

Very cool to have your own VirusScanner signature (without writing a virus) ;-)

Anti NotiFlood

Sat, 06 Jan 2007 18:19:00 GMT

here is a quick and easy way to protect yourself against NotiFlood (my MMS notification attack against PocketPC-based mobile phones, see my PocketPC Security Research).

As I explained, the PushRouter is the application that listens on port 2948 it basically gets all WAP push messages and routes them the destination application. If the PushRouter doesn't know which destination application to use it discards the WAP push message. So in order to protect us against a NotiFlood attack we simply need to remove the MMS mime type from the PushRouter configuration, after this the PushRouter will not be able to forward any WAP push messages to tmail.exe (the MMS application).

The PushRouter configuration for MMS is stored in the WinCE registry at:

\HKEY_LOCAL_MACHINE\Security\PushRouter\Registrations\ ByCTAndAppId\application/vnd.wap.mms-message;

The only value in this registry key is DEFAULT for me it is set to 80FBE375B731C701.

Now we have a couple of options: delete the complete key, delete the value, and modify the value. I for my part just modified the value (so I can easily switch MMS back on). I basically just added a underline (_) to the key value. Now since the value of the key is wrong the PushRouter can no longer forward the MMS message to tmail.exe.

Note, also these settings are from my IPAQ PocketPC 4.2 they should be the same on all 4.2x devices.

WARNING:

This modification disables receiving MMS all together! Don't do it if you still want to receive MMS messages.
Since there is no regedit on PocketPC you need to get a third party application. I used PHM RegEdit.

That is it! You're secure now ;-)

Video of NotiFlood crashing a WinCE 5 Device

Thu, 04 Jan 2007 08:58:00 GMT

Lutz made a small video where he uses NotiFlood to crash his WinCE 5.x smart phone. It is quite fun to watch.

notiflood_wm5_dos.avi (80MB)

Advanced Attacks Against PocketPC Phones 23c3 edition

Fri, 29 Dec 2006 22:53:00 GMT

...get the proof-of-concept exploit here. I also updated the slides but just cosmetics.

Have fun and be responsible!

Screenshots from the MMS Exploit

Tue, 15 Aug 2006 02:36:00 GMT

I posted some action shots of the PocketPC MMS / SMIL exploit on my PocketPC Security Research page. The screen shots are somewhat older (I think this might even be from the first day I got this to work). Anyway I just didn't want to keep these from you guys. Btw. as far as I remember I took the pictures with the camera of the i-mate PDA2k my only other test device next to the iPAQ h6315.

MMS DoS Attack, have you tested your device?

Wed, 09 Aug 2006 23:37:00 GMT

So I'm really wondering if all PocketPC-based phones are affected by the vulnerabilities I found and presented at defcon. Since I released a proof-of-concept tool for the M-Notification.ind/WapPush/UDP denial-of-service attack I would like to get some feedback from people who tested their device. I would especially like people to test WinCE5.0 devices.

So if you have tested any device besides the iPAQ h6315 or the i-mate PDA2k please send me an email at: collin[at]trifinite.org

All the info is here: My PocketPC Security Research site

PocketPC Podcasting

Fri, 18 Nov 2005 09:26:00 GMT

so I finally got around to look for some decent podcasting software for PocketPC (for my h6315). Until now I just downloaded the stuff by hand and transfered it to a SD or MMC card, this was pretty annoying. Even if you have an automated download this sucks. The software I use now is smartfeed (free!). Its pretty simple, just select the feeds you want - choose the download directory (e.g. /Storage Card/ to use the SD card) and you're done. It nicely downloads the feeds and you can use what ever player you want.

I really like it this way, I just need to have a wireless connection and I'm good to go. I guess I will listen to more stuff then before, since its so easy now. Any show suggestions?

Exploiting PocketPC slides online

Sat, 30 Jul 2005 13:15:00 GMT

The slides from my talk on PocketPC exploits at What The Hack! can be downloaded from my PocketPC section.

The h6315 update

Wed, 06 Apr 2005 06:22:00 GMT

...it really helps. I have much better reception (more bars) and the battery seems to live longer (could be due to the fact that the device is not constantly trying to connect to a cell tower). Now a general OS upgrade would be nice, I know it's unlikely to become true.

Also the Linux port seems to make some progress, this would be the better solution anyway.

Finally a h6315 update!

Fri, 01 Apr 2005 22:24:00 GMT

Just got an SMS from T-Mobile which told me to get my update.
Get it TMO_SP29764_1_10_08.exe

I hope it's not a very bad April joke :-)

Changing the Bluetooth device class of the h6315

Wed, 15 Dec 2004 09:59:00 GMT

I just played with my h6315's registry (using PHM Registry Editor) and found this MinorClass key (in \HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BtConfig\General) which lets you (only!) change the MinorDeviceClass of your iPAQ. Now I have to find out how to change the MajorClass and the ServiceClass to build something like BtClass. I tried to add several keys like MajorClass or ServiceClass but non did work.

I will keep on working on this.