...stuff I do and things I like...

Together with my former colleagues Ravi, Patrick, Jean-Pierre from TU Berlin / SecT I have been working on an enhancement for mobile phones in order to protect SMS messages especially mTANs against trojans.

We investigated several ways to improve mTAN security and finally came to the conclusion that we just need to change the SMS routing on the mobile phone itself.

Basically we remove SMS messages that contain mTANs from the normal delivery queue and only deliver them to a special application. This way no other program (including trojans) can access the SMS message.

We implemented and tested our idea on Android. The paper SMS-based One-Time Passwords: Attacks and Defense will be presented at DIMVA 2013 in July in Berlin, Germany.

A demo video of the prototype is shown below:

Conferences

NoSuchCon finally released their agenda.They have an interesting lineup but no mobile talk.

SourceDublin Android application reverse engineering & defensesi by Patrick Schulz & Felix Matenaar.

SummerCon has posted it's schedule. I'll present some work I've done on Dynamic Dalvik Instrumentation.

REcon has stared to post talks. Reversing HLR, HSS and SPR: rooting the heart of the Network and Mobile cores from Huawei to Ericsson by Philippe Langlois. Reversing and Auditing Android's Proprietary Bits by Joshua J. Drake.

Shakacon Deviant Ollam - Android Phones Can Do That?!? Custom Tweaking for Power Security Users. Max Sobell - Android 4.0: Ice Cream "Sudo Make Me a" Sandwich. Andreas Kutz - Pentesting iOS Apps - Runtime Analysis & Manipulation.

Some interesting upcoming talks! I guess everybody else an their moms are waiting to hear back from the Black Hat USA CfP.


SyScan'13 review

SyScan was a totally awesome event. Really good talks and lots of them. My favorite talk was: Bochspwn: Exploiting Kernel Race Conditions Found via Memory Access Patterns by Mateusz Jurczyk and Gynvael Coldwind.

News

ACLU Files FTC Complaint Over Android Smartphone Security this story is a little older already but insecurity of old Android devices is a pressing issue.

Links

Changing the IMEI, Provider, Model, and Phone Number in the Android emulator

Finding Similarities and Differences at DEX Level

Securing Two-factor Authentication for Smartphones in a Usable Way by Adding a Connected Token Two-factor authentication for smartphones is easy to break and can be secured by using a smart watch which acts as a connected token. Matthias Lange (Technische Universität Berlin

Android Apps: What are they doing with your precious Internet? The majority of Android apps are not malicious, but use internet access in ways that are not compatible with the user's interests. Amy Tang (University of California Berkeley), Ashwin Rao (INRIA), Justine Sherry (University of California Berkeley), Dave Choffnes (University of Washington)

Conferences:

HackCon No.8 10-11 April in Oslo Norway. First time I hear about this conference. Mobile talks: Leveraging Mobile Devices on Penetration Tests and Want to control smart phones?

Call for Papers:

The 14th International Workshop on Information Security Applications (WISA2013) an academic workshop but they seek more practical papers comparable with Usenix WOOT.

News:

Unlocking the Motorola Bootloader (Android phones) by Dan Rosenberg. A real nice read. Most interesting part is that the unlock is via attacking a vulnerability in code running in TrustZone.

I have been super busy with work so I might missed a few things here and there. Right now I'm waiting to here back from SummerCon and Black Hat USA about talks I submitted. I'm still thinking about submitting to ReCON ;)

CanSecWest was pretty good this year. My favorite talks were (no order): Desktop Insecurity - Ilja van Sprundel & Shane "K2" Macaulay, Smart TV Security - SeungJin Lee, Godel's Gourd - Fuzzing for Logic Issues - Mike "dd" Eddington, and Reflecting on Reflection - Exploiting Reflection Vulnerabilities in Managed Languages - James Forshaw. I can't wait to get the slides.

Call for Papers:

Workshop on Offensive Technologies (WOOT) August, Washington D.C., academic but targeting people who would normally speak at Black Hat/CanSecWest/etc.

SummerCon in June, New York City

BeaCon local mini con in Boston

I totally missed Black Hat Europe, it had some interesting talks: The M2M Risk Assessment Guide, A Cyber Fast Track Project - Don A. Bailey, Practical Attacks Against MDM Solutions - Daniel Brodie + Michael Shaulov, Off Grid Communications With Android- Meshing The Mobile World - Josh Thomas + Jeff Robble, Next Generation Mobile Rootkits - Thomas Roth.

An interesting looking paper from TROOPERS13 UI Redressing Attacks on Android Devices (apparently it was released at Black Hat Abu Dhabi last year).

News

Andy Rubin steps down as head of Android ...interesting.

A few android security issues ... worth reading!

Under the Hood: Dalvik patch for Facebook for Android

Fun find by my former co-worker Matthias: Lost connection to Battery ... WTF!?!

Review RSA

Last week I attend the RSA Conference for the first timer ever. I always had the impression that it is not worth going but this year I went anyway. The plan was to just hang around at the various side events that take place during RSAC. Meeting with people etc. That part is totally worth it if you can spent the day doing actual work. I ended up going to the conference to speak on the Mobile Security Battle Royale panel (as a replacement for Jon Oberheide). So I got a conference pass and could checkout the actual conference and expo. The expo was pretty standard if you are used to attend events like CeBIT or maybe CES. Just smaller and security companies only. I didn't have the chance to attend other talks besides Big Brother's Greek Tragedy State-Deployed Malware & Trojans so I can't really make my mind up if it is worth the money or not.

SC Magazine wrote an article about the panel I spoke on. Here are some comments: Android certainly does support remote updates. But the problem really is that manufacturers and mobile carriers stop supporting devices after 12-18 month.

Conferences

Infiltrate posted a few more talks. The one I'm really interested in is: Josh "m0nk" Thomas - NAND-Xplore -> Bad Blocks = Well Hidden.

Troopers in Heidelberg Germany (March). They have a few interesting talks: UI Redressing Attacks on Android Devices by Marcus Niemietz, Malicious Pixels: QR-Codes as attack vectors by Peter Kieseberg, Corporate Espionage via Mobile Compromise: A Technical Deep Dive by David Weinstein and a few other non mobile talks that look really interesting.

Hack in the Box Amsterdam LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements, SMS To Meterpreter: Fuzzing USB Internet Modems. I really need to go to HITB some day.

New Conferences

NSC - NoSuchCon is a new conference held in May in Paris, France. The organizers seek strong (only) technical content.

News

HTC Settles Privacy Case Over Flaws in Phones Interesting read, quote: The Federal Trade Commission charged HTC with customizing the software on its Android- and Windows-based phones in ways that let third-party applications install software that could steal personal information, surreptitiously send text messages or enable the device's microphone to record the user's phone calls.

Personal note:

Wiley announced our book Android Hacker's Handbook

Conferences:

CanSecWest coming up in March has started posting talks: Doug DePerry @dugdep & Tom Ritter @TomRittervg - CDMA Femptocell Traffic Interception and Remote Mobile Phone Cloning, Rahul Sasi @fb1h2s - SMS to Meterpreter, Fuzzing USB Modems, Stephan Esser @i0n1c will be talking about iOS, Joshua J. Drake @jduck1337i - Tackling the Android Challenge. In addition to mobile security there is another super interesting talk about embedded system security: @beist will be talking about Samsung SmartTVs.

SyScan Singapore is coming up in April and also posted talks. There are not too many mobile talks but all talks sound pretty good. Stefan Esser ( @i0n1c ) - Mountain Lion / iOS Vulnerability Garage Sale. I will also show some stuff I've been working on in the past month during a lightning talk, all brand new!

SourceBoston also in April: Protecting sensitive information on iOS devices David Schuetz, Attacking NFC Mobile Wallets: Where Trust Breaks Down Max Sobell.

Infiltrate Matias Soler - The Chameleon: A cellphone-based USB impersonator, Stephen Lawler & Stephen Ridley - Advanced Exploitation of Mobile/Embedded Devices: The ARM Microprocessor.

News:

The end of the line for Symbian is kinda sad. Although I wasn't a big Symbian fan, Symbian was still pretty cool as a mobile OS. I had fun hacking it.

Android botnet abuses people's phones for SMS spam this is just too funny. I kinda hat that on my slides for a couple of years already.

Personal notes: I'm going to be in San Francisco during RSA, ping me if you want to chat. I'm also going to be at CanSecWest, just attending this year. Further I'm going to SyScan. I also plan to be around SourceBoston but unfortunately not attending (ticket prices vs. university etc, I'm not complaining).

Conferences:

Shmoocon 2013 has posted their schedule. Mobile talks are: Armor for your Android Apps by Roman Faynberg, Protecting Sensitive Information on iOS Devices by David Schuetz, Apple iOS Certificate Tomfoolery by Tim Medin.

All other upcoming conferences (SyScan, CanSecWest, SourceBoston, Infiltrate) haven't posted any talks yet.

My 29c3 conference review. The new location CCH in Hamburg is really nice. There is a lot of space and the space was used very well. Due to the space the conference was much more relaxed. This also counted for the talks. Most of the time everybody had a place to sit. One small downside of this years conference the schedule, sometimes three tech talks were running in parallel in different rooms. But all together I don't think anybody could complain about 29c3. For me personally one of the best congresses I ever attended. The recordings of the talks can be downloaded from here.

Happy New Year.

Conferences:

29c3 end of December in Hamburg, Germany. They have a few mobile talks: Small footprint inspection techniques for Android - Reverse engineering on Android platforms by Pierre Jaury, Setting mobile phones free by Mark van Cuijk. there should be more mobile talks, that are not announced yet.

News:

Top Mobile Vulnerabilities And Exploits Of 2012 by darkreading. I have mixed feelings about this top list. The SMS Spoofing should not be on this list.

Hacking Windows 8 Games (google-cache link) shows how badly the Windows 8 game and app payment stuff is protected.

Random stuff:

For a side project I'm looking for original ROMs of Android devices. So far I only have found one site that has a collection of some devices: Shipped-Roms.com. I know it is likely not legal to host stuff like this but I would be interested in getting roms for other devices.

Android SMS Spoofer is a PoC for a well known Android bug that enables malware to trick the user into believing an SMS has been received.

I finally managed to release v0.2 of my Android DBI framework. The version I announced at BreakPoint and RuxCon.

New in this version: actually working Thumb support, nfc card emulation code for fuzzing.

Slides
collin_android_dbi_v02.zip

Happy hacking! Feedback is welcome!

The last weeks were pretty crazy for me in terms of work, but stuff got done so I have some new stuff to show next year.

Last month I've travelled to Melbourne Australia to speak at BreakPoint and RuxCon. This was my first time travelling to Australia and I must say it was good fun. BreakPoint was a good conference with some good talks and many interesting people. RuxCon was great fun too, good talks, nice friendly people. The trip was just too short.

Conferences

Black Hat Abu Dhabi Advanced Exploitation of ARM-based Mobile and Embedded Devices by Stephen Ridley , Droid Exploitation Saga by Aditya Gupta and Subho Halder, Inspection of Windows Phone applications by Dmitriy Evdokimov and Andrey Chasovskikh, Over-the-Air Cross-platform Infection for Breaking mTAN-based Online Banking Authentication by Alexandra Dmitrienko and Ahmad Sadeghi and Christopher Liebchen and Lucas Davi, Practical Security Testing for LTE Networks by Martyn Ruks and Nils, UI Redressing Attacks on Android Devices by Marcus Niemietz

BayThreat in Sunnyvale has a mobile talk. Daniel Peck - "Dynamic Analysis and Exploration of Android Apps". Some of the other talks look good to.

29c3 Chaos Communication Congress didn't publish a schedule yet. But some talks should be very interesting, such as Nico's.

Other upcoming conferences are: ShmooCon in February, CanSecWest in March, Infiltrate in April, and Source Boston also in April.

As I said, crazy weeks behind me. So I didn't see much of what happened in the mobile security space.

I'm the Publicity Chair for the upcoming 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2013), thus I'm taking the liberty to announce the opening of our Call for Papers here. The conference is in July 2013 in Berlin, Germany. A good chance to travel to Berlin next summer.

DIMVA 2013 main site.
DIMVA 2013 CFP

First I want to talk about Ravi's awesome findings on USSD and TEL URIs (RFC 2806). Ravi was working on USSD security in general and found that on Android phones you can inject USSD codes into the phone dialer via the TEL URI handler without user interaction. Meaning you don't have to press the call button (aka the green button) to activate the USSD code. Using this he showed howto brick SIM cards and howto wipe Samsung made Android phones. The beauty about TEL URIs is that it is super easy to have them activated on a mobile phone. In 2010 I did a talk on this at CanSecWest (Random tales from a mobile phone hacker skip to the end of the talk for the TEL/SMS URI stuff). The basic technique used for this kind of attack are iframes but very well can be any other kind of URI activation method (redirects, img tag, etc.).

A video of Ravi's demo from Ekoparty is here Demo Dirty use of USSD Codes in Cellular Network en Ekoparty 2012.

Further infos:

RFC2806
the iPhone/iOS auto dialer bug I discovered a few years ago is based the TEL URI

This is a super fun bug class also a little bit sad that stuff like this works at all.

Second, more cool NFC/RFID mobile hacking from the good guys at Intrepidus. They investigated RFID based transit passed and wrote an Android application that can reset the pass. While the actual basic idea is not new I really like the phone as the attack tool since you always carry it around with you. Some guy could stand one the corner next to the subway entry and sell you the service of resetting your transit pass. Check out their writeup: UltraReset - Bypassing NFC access control with your smartphone

On the topic of NFC and security. The guy(s) behind RadioWarCN released an Android toolkit for messing with RFID/NFC tags. Check it out here: Radiowar Release NFC-WAR Preview. I didn't had the time to try it myself.

Conferences:

ToorCon in mid October (damn I can't go) so far has mobile talks lined up: Mobile Device attack graphs for fun and profit - Jimmy Shah. {Malandroid} The Crux of Android Infections - Aditya K Sood. When Cell Towers Become Too Smart For Their Own Good - Drew "RedShift" Porter. Also my former co-worker Dmitry (hwsec.net) seems to be giving a talk, my bet is one hardware security.

That is it for now. I'm super busy working one a new Android security project. This will kick ass.

Conferences:

Ekoparty in Buenos Aires September 19-21. Alfredo Ortega & Sebastian "topo" Muniz - Satellite baseband mods: Taking control of the InmarSat GMR-2 phone terminal, Ravishankar Bhaskarrao Borgaonkar - Dirty use of USSD Codes in Cellular Network. Ravi's talk will be awesome - this will hurt a lot.

EuSecWest Dragos keeps adding mobile talks! Way to go!

SEC-T also added a few talks since my last blog entry.

Hashdays end of October in Lucern Switzerland (the place to get a bank account ;) Ben April - NFC: I don't think it means what you think it means; Martin Rutishauser - Satellite Hacking: An Introduction. Ilja van Sprundel - The Security (or Insecurity) of 3rd Party iOS Applications.

Links:

State of Mobile Security 2012 by the good guys from Lookout

HushSMS got cracked again. Do I care? No! Should you? Yes! (read why) fun read about why you should not use cracked Android Apps that have SMS permissions ;-)

Multiple Samsung (Android) Application Vulnerabilities

More conferences!

DeepSec taking place end of November in Vienna has published their schedule. They have a number of mobile talks as usual but unfortunately they also have THE one talk that every conference has this year :-( The talks are: Introducing the Smartphone Pentesting Framework Georgia Weidman (Bulb Security LLC), Pentesting iOS Apps - Runtime Analysis and Manipulation Andreas Kurtz (NESO Security Labs / University of Erlangen-Nuremberg), Hacking the NFC credit cards for fun and debit ;) Renaud Lifchitz (BT (formerly known as British Telecom)), The Security (or Insecurity) of 3rd Party iOS Applications Ilja van Sprundel (IOActive, Inc.).

EuSecWest happening in late September in Amsterdam. Dragos always had this love for mobile security and this year he is showing this at EuSec. Basically EuSec is a mobile security event this year, especially because of the mobile pwn2own! Talks so far: Mapping and Evolution of Android Permissions - Andrew Reiter & Zach Lanier, APK Infection on Android - Robert McArdle & Bob Pan, NFC For Free Rides and Rooms (on your phone) - Corey Benninger & Max Sobell, Using HTTP headers pollution for mobile networks attacks - Bogdan Alecu , iOS Application Auditing - Julien Bachmann.

Hack.LU in October also has a mobile talk. Benedikt Driessen -Satellite phone - an analysis of the GMR-1 and GMR-2 standards.

Hack in The Box Malaysia seems to have a bunch of mobile stuff. But their conference website is so ugly that it is hard to find details :-(

SEC-T takes place in September in Stockholm - one of my favorit cons!. So far they have: Dead Addict - Mobile PKI UX: the state of shit, Torbjörn Lofterud - iPhone raw NAND recovery and forensics.

T2 does not seem to have any mobile stuff this year.

More upcoming CFPs should include ToorCon in San Diego but sadly it overlaps with BreakPoint. I would really like to go to ToorCon once.

It looks like I will come to NYC in November to give a talk at an event at NY-Poly. It is also likely that I will come to SF early in December.


News:

SMSZombie Malware Infecting Android Devices, Stealing Money more SMS-based trojans for Android. This stuff wont go away until something in Android changes.

By now I arrived in Boston and started working at my new job at Northeastern University. So far I haven't done much in the city. I'm still looking for an apartment so if you have good pointers shoot me an email.

This really is the first update since May, wow I have been really busy.

Conferences:

Toorcamp (takes place as you read) has a few interesting talks on Android. I originally planed to go but didn't have time, very said about it :-(

Nordic Security Conference is a new event that takes place end of August. Nordic Sec seems to be a very mixed conference but they have some mobile related talks.

BruCON at the end of September is one of those cons I always wanted to attend once, never made it. They also have just a few mobile related talks. Mobile talks seem to overlap with Nordic Sec :-(

BreakPoint is also a new event taking place in Melbourne, Australia. This event will have more then a few mobile talks due to the people who are scheduled to speak there. Including myself ;-)

Source Seattle has a mobile talk.

Open CFPs: 29c3 this year in Hamburg not Berlin, a real bummer. hashdays in Lucerne, Switzerland.

General News:

Zeus now supports Black Berry in addition to WinMo, Android, and Symbian.

This is really interesting. I was working on countermeasures against this threat with two of my co-workers at SecT in Berlin. Hopefully our paper gets accepted. I really hope we can help to defend against this threat.

Personal news: I will move to Boston, MA in August to work as a Postdoctoral researcher at Northeastern University. I will continue doing mostly mobile security related work. Please ping me if you are doing similar work and are in the area. It seems like I know a bunch of people but don't actually know where they live.

I hope from now one to continue my biweekly mobile security news update.

I just uploaded my Android Dynamic Binary Instrumentation (DBI) framework. As I wrote before the framework is very simple. It supports hooking function entry points only. The source includes the shared library (.so) injector and the hooking/patching functionality. I also included one simple example instrument to sniff the UART communication between com.android.nfc and the NFC chip on a Galaxy Nexus.

I plan to further enhance this toolset and welcome everybody to submit patches. If there is a lot of interest I will move the source to a public archive like github.

The first release is available here: collin_android_dbi_v01.zip

To use this tool you need a Linux ARM gcc compiler such as included in the Android NDK.

Last weekend I attended SummerCon in Brooklyn NYC and presented my take at doing binary instrumentation on Android. My way of doing instrumentation is very simple compared with other instrumentation frameworks but so far nobody build and released anything for Android / ARM so I had to build my own. Have said that I will for sure release my framework I just need a few days to do this! Please feel free to bug me about this!

So why did I start with binary instrumentation? Well I wanted to continue my NFC security research on Android. Since NFC involves extra hardware it also includes a bunch of native code and thus I started instrumenting that. The result so far was that I build an instrument that acts as an emulation layer inside com.android.nfc. This emulation layer allows me to inject payloads of RFID tags into the nfc process as if they where read from an actually tag. This is of course build for fuzzing ;-) I haven't done any real fuzzing using this so far because I just finished the tool before SummerCon. A demo video that shows tag read emulation can be seen here: nfcemuvideo.mp4

More updates on both subjects will follow soon!


SummerCon was totally awesome, many thanks to the organizers! The conference was small enough to speak to all presenters and to many of the attendees. I met like half of the US people I follow on twitter for the first time in person. How awesome is this!

Conferences:

Black Hat USA has more or less publish the speaker list. Very mixed but some mobile stuff as always.

Defcon started to publish some talks. So far one talk on mobile spyware.

Papers:

Off-Path TCP Sequence Number Inference Attack a interesting attack with a nice proof-of-concept for mobile operators.

Security week in Europe, we have: HITB in Amsterdam, Confidence in Krakow, BerlinSides in Berlin lets hope all the people who fly out for HITB and Confidence make it over to Berlin for the weekend.

Conferences:

Hack in The Box Amsterdam has a number mobile talks this year

SummerCon has some Android related talks by Jon, Charlie, and myself :)

Recon looks pretty good this year: GPUs for Mobile Malware, Mitigation and More Thinking outside-the-CPU by Jared Carlson. Baseband debugging by Ralf-Philipp Weinmann. The other talks also look quite interesting. Happy to attend this year!

Black Hat USA is starting to post talks: most interesting so far is the Windows Phone 7 talk by Tuskasa Oi

Nordic Security Conference seem to be a new conference out in Reykjavik Iceland. They also seem to have some mobile talks.

So I will be going to SummerCon this year after all! I'm staying in NYC for a few days even after SummerCon. Ping me if you want to meet.

Other news:

20 years of SMS I for sure had a lot of fun with SMS over the last years :)

Links:

R&D Into JTAG Process in Relation to Blackberry 8130 a whole blog about JTAGing smartphones.

Some fun:

Two really funny Dilbert comics of last week. Free Apps Stealing your personal info and A tazer that looks like a cellphone

EOF

It has been a while but I was travelling a lot for work and fun so I really didn't have time.

Conferences:

Hackito Ergo Sum in Paris just started today. This seems to be one of the cool new European Security Cons. I actually wanted to attend but after almost 7 weeks of travelling no chance. The program looks very mixed but they have a few mobile talks: Hacking the NFC credit cards for fun and debit by Renaud Lifchitz, TBD (Android Exploitation) by Georg Wicherski.

SyScan Singapore iOS Kernel Heap Armageddon by Stefan Esser, iOS Applications - Different Developers, Same Mistakes by Paul Craig, and Exploiting the Linux Kernel: Measures and Countermeasures (not a mobile talk but sounds interesting) by Jon Oberheide.

Upcoming in June without program yet: SummerCon in NYC (sadly I can't make it), Recon in Montreal (which I try to make).

On the academic front please consider submitting to WOOT one of my favorite workshops!

More conferences, and a lot of mobile stuff :-)

Source Boston in April. Reverse Engineering Mobile Applications, Adam Meyers, Security Researcher; Mobile Snitch - Devices telling the world about you, Luiz Eduardo, Director, SpiderLabs LAC, Trustwave (@effffn) & Rodrigo Montoro, Security Researcher, Trustwave's SpiderLabs, rmontoro@trustwave.com (@spookerlabs); Android Modding for the Security Practitioner, Dan Rosenberg, Senior Security Consultant, VSR (@djrbliss) ; Privacy at the Border: A Guide for Traveling with Devices, Marcia Hofmann, Senior Staff Attorney & Seth Schoen, Senior Staff Technologist, Electronic Frontier Foundation

So SourceBoston actually has some interesting stuff for us mobile people.

Black Hat Europe in Amsterdam. Axelle Apvrille - Guillaume Lovet An Attacker's Day into Virology: Human vs Computer; Don A. Bailey War Texting: Weaponizing Machine to Machine Systems; Tyrone Erasmus The Heavy Metal That Poisoned the Droid; Eric Fulton Workshop: Mobile Network Forensics Workshop ; Dan Guido - Mike Arpaia The Mobile Exploit Intelligence Project; Felix Lindner Apple vs. Google Client Platforms; Simon Roses Femerling Smartphones Apps Are Not That Smart: Insecure Development Practices;

Conferences:

CanSecWest: OS5 - An Exploitation Nightmare? - Stefan Esser; Probing Mobile Operator Networks - myself; Legal Issues in Mobile Security Research - Marcia Hofmann, EFF; Unveiling LTE Security - Dr. Galina D. Pildush, Juniper; Intro to Near Field Communication (NFC) Mobile Security - Corey Benninger and Max Sobell, Intrepidus Group; Root-Proof Smartphones, and Other Myths and Legends - Scott G. Kelly, Netflix

Interesting lineup for mobile stuff, and the rest looks pretty good too.

SyScan Singapore: iOS Kernel Heap Armageddon - Stefan Esser; iOS Applications - Different Developers, Same Mistakes - Paul Craig

Troopers (Germany): Welcome to Bluetooth Smart - Mike Ossmann

Links:

Database for Android Malware
Google Wallet PIN security cracked in seconds
Android.Bmaster: A Million-Dollar Mobile Botnet

An analysis of the GMR-1 and GMR-2 standards for satellite telephony. Really interesting work.

In other news. I'm done with my work in Berlin and looking to move to the US for a postdoc in the near future (location is not yet decided).

Conferences:

Infiltrate already passed. But they only had two mobile talk anyway. Secrets in Your Pocket: Analysis of [Your] Wireless Data by Mark Wuergler. Don't Hassle The Hoff: Breaking iOS Code Signing by Charlie Miller.

Shmoocon which I miss again, this is way to early in the year so every year so far I totally miss it. Talks: Building Measurement and Signature Intelligence (MASINT) Capabilities on a Hackers Budget: Tracking and Fingerprinting RF Devices for Fun and Profit by Brad Bowers. Intro to Near Field Communication (NFC) Mobile Security by Corey Benninger and Max Sobell. Android Mind Reading: Memory Acquisition and Analysis with DMD and Volatility by Joe Sylve. Whack-a-Mobile: Getting a Handle on Mobile Testing with MobiSec Live Environment by Tony DeLaGrange and Kevin Johnson. Credit Card Fraud: The Contactless Generation by Chris Paget.

CanSecWest is upcoming. So far no talks have been posted but I'm going speak on "Probing Mobile Operator Networks". This is a long ongoing side project of mine.

Links: Infographics: Mobile Security Android vs. iOS

The video recordings from 28c3 are online. Check out Harald's talk Cellular protocol stacks for Internet, Luca's and Karsten's talk Defending mobile phones, Sylvain's talk Introducing Osmo-GMR.

so 2011 is history, it was a fun year for us mobile people. Many things happened many things got hacked - just great.

In the last few days I have been reading some of those security predictions for 2012 (this year!). Most of them 1 2 3 4 5 are kinda boring since these are things that are already happening. Never the less these will very likely become reality.

In the mobile area these seem to be:

Android as the target for mobile malware attacks. This is already happening as Android became the major smartphone platform last year.

Mobile Markets such as the AppStore and Android Market as a key issue problem solver in the mobile field.

More Monetization as mobile malware evolves we will see more monetization of it. This is especially interesting for everything that involves spending money using a smartphone. Not only SMS, but advertisement, in-App payment, the phone as a credit card, etc..


Happy mobile security research 2012 to everybody!

There was an awesome SMS bug in Windows Phone 7. This is exactly the bug class I have been looking into in the last two years. Too bad that I didn't have the time to look into Windows Phone 7.

Corrections to a news article about my research. NFC mobile threats on the horizon: What happens when we wave our wallets to pay? The article says ...malicious code could be 'injected' into the device.... I want to say that I never claimed I can do code injection through NFC. They probably misunderstood me when I said that this could be possible in the future.

It is really great to see how NFC security research is taking of this year. If I remember back to early 2008 when I did my research everybody was kinda laughing.

In other news mobile (in)security is further on the rise. So we all never loose our jobs!

Android root exploit for 2.3.5 and older by the Jons levitator.c

I don't get this whole Carrier IQ thing 1 2.

The people from the Intrepidus Group seem to really get into RFID and NFC. They just posted an article about using a USRP for NFC. Hopefully they release their code after they are done with their research.

In other news: I wont attend the CCC / 28c3 this year due to multiple reasons. I will stick around for the other events outside the congress. So ping we if you want to chat and/or have beers.

Security Mobile and RFID by Nick von Dadelszen at KiwiCon. Interesting talk on RFID attacks using the Nexus S. This does not cover NFC but is a good read. Unfortunately not many details in the slides.

Axelle Apvrille did some nice work on how to utilize OpenBTS for mobile malware analysis. Both, paper and slides, make a nice read.

Ruxcon is already on, I found one possibly interesting talk Mobile and Contactless Payment Security by Peter Fillmore. But since the con is not done yet slides are not available at the time.

SyScan Taipei has a bunch of mobile stuff. Charlie Miller on iOS code signing. Stefan Esser on iOS kernel exploitation. I'm waiting for slides as the con is just over today.

New Academic Workshop MoST on Mobile Security Technologies at IEEE S&P in May 2012.

I'm finally back from my two weeks in the US of A where I attended Black Hat and Defcon (19) in Vegas. This was very exhausting as always, no surprise there. But I must say the talk quality was not that high and again too many parallel tracks at Black Hat. As I see it now I will probably skip Black Hat and Defcon in the near future. After Vegas I travelled to USENIX Security in San Francisco to finally present our paper on SMS insecurity on feature phones. USENIX was quite okay - but I didn't get to enjoy it in full due to the one week of Las Vegas before :-/ To compensate for the stressful travel I attended the last two days of the CCCamp outside of Berlin. Also I only attended the lasts days the CCCamp rocked! Still one of the best events ever!


News:

So Palm is finally dead now that HP killed their WebOS devices. Although I've read something about HP wanting to continue with developing WebOS as a platform but this is kinda useless if they don't intend to sell devices running WebOS. Sad sad thing.

Conferences:

DeepSec that takes place in Vienna in November has a bunch of mobile related talks. Intelligent Bluetooth fuzzing - Why bother? by Tommi Mäkilä (Codenomico; Windows Pwn 7 OEM - Owned Every Mobile? by Alex Plaskett (MWR InfoSecurity); SMS Fuzzing - SIM Toolkit Attack by Bogdan Alecu (Independent security researcher); Extending Scapy by a GSM Air Interface and Validating the Implementation Using Novel Attacks by Laurent 'kabel' Weber (Ruhr Uni Bochum); Attack vectors on mobile devices by Tam Hanna (Tamoggemon Limited); Defeating BlackBerry Malware & Forensic Analysis by Sheran A. Gunasekera (ZenConsult Pte. Ltd.)

T2 in October in Helsinki. Sofar they have only one talk on mobile security. Windows Pwn 7 OEM - Owned Every Mobile? by Alex Plaskett (MWR InfoSecurity).

Hack.lu in September in Luxenburg. They seem to have a few interesting talks. Project Ubertooth: Building a Better Bluetooth Adapter by Michael Ossmann. Extending Scapy by a GSM Air Interface and Validating the implementation Using Classical and Novel Attacks by Laurent Weber. Locating a GSM phone in a given area without user consent by Iosif Androulidakis.Weaponizing the Smartphone: Deploying the Perfect WMD by Kizz Myanthia.

Hack in the Box Malaysia in October. Some talks: Packets in the Dark - Pwning a 4G Device for the Lulz by biatch0 & RuFI0. Satellite Telephony Security: What is and What Will Never Be by Jim Geovedi. Femtocells: A Poisonous Needle in the Operator's Hay Stack by Kevin, Ravi, and Nico (SecT - TU Berlin). All Your Base Stations are Belong to Us: Extending Scapy with a GSM Air Interface - Laurent 'Kabel' Weber. Blackbox Android: Breaking "Enterprise Clas" Applications and Secure Containers by Marc Blanchou, Justine Osborne & Mathew Solnik (Security Consultants, iSEC Partners). Attacking The GPRS Roaming eXchange (GRX) by Philippe Langlois. Hacking Androids for Profit by Riley Hassell. iPhone Exploitation: One ROPe to Bind Them All? by Stefen Esser.

hashdays in October. Talks: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy.

Thats this for now. I guess I missed a bunch of things during the last three weeks (two weeks of travel and one week of recovery!). If something major had happened in the mobile sec world I guess I would have heard about it ;-)

Not much to tell in this update since I was kinda busy with non work stuff ;-)

Conferences:

Chaos Communication Camp has a few mobile related talks: Applied Research on security of TETRA radio by Harald Welte, GPRS Intercept by Karsten Nohl, iOS application security by Ilja van Sprundel, Machine-to-machine (M2M) security by hunz, Open-source 4G radio by Alexander Chemeris, The blackbox in your phone (about SIM cards) by hunz and some more closely related talks. The camp talks look really good this year.

Defcon Cellular Privacy: A Forensic Analysis of Android Network Traffic by Eric Fulton, Seven Ways to Hang Yourself with Google Android by Jacob West and Yekaterina Tsipenyuk ONeil.

BruCon iOS Data Protection Internals (Andrey Belenko), Smart Phones - The Weak Link in the Security Chain (Nick Walker - tel0seh)

Links:

Exploring Android Malware
L4Android
L4OpenBSD

ZIMTO (Zeus in the Mobile) hits Android. This was long overdue since Android now more or less is the strongest smartphone platform. See Axelle Apvrille blog post on Zimto for Android.

Android malware is really a rising trend (no secret there) but the malware gets more and more interesting. Mark Balanz discovered a malware that acts as an SMS relay. Such malware has interesting possibilities to say the least.

JailBreakMe 3.0 was released a couple of days ago, again a nice user-level jailbreak for all iOS devices ;-) There is a nice article from the people of the intrepidus group on how the jailbreak works. Reversing Jailbreakme.com 4.3.3.

Conferences are all covered as far as I know.

Not too much happened or I just missed it because I'm way to busy these days. I'll just update my mobile conference monitor.

Conference:

Black Hat USA has way more mobile talks then last year. Hacking Androids for Profit by Riley Hassell. ARM exploitation ROPmap by Long Le. War Texting: Identifying and Interacting with Devices on the Telephone Network by Done Bailey. Mobile Malware Madness, and How To Cap the Mad Hatters by Neil Daswani. The Law of Mobile Privacy and Security by Jennifer Granick.

Defcon is a little weak on mobile stuff this year. Only very few talks, one of the being: Mobile App Moolah: Profit taking with Mobile Malware by Jimmy Shah.

There seems to be a massive rise in Android malware. Mostly modified versions of legit applications. Again one piece of malware [1] contains a root exploit - the one already used by DroidDream. Many of the new trojans will try sending SMS messages to premium numbers. Other SMS trojans are just funny [2] as they send jokes to every entry in the phonebook.

Conferences:

BlackHat USA: Ravishankar Borgaonkar + Kevin Redon + Nico Golde: Femtocells: A poisonous needle in the operator's hay stack. Dino Dai Zovi: Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption. Stefan Esser: Exploiting the iOS Kernel. Anthony Lineberry: Don't Hate the Player, Hate the Game: Inside the Android Security Patch Lifecycle. Tyler Shields: Owning Your Phone at Every Layer - A Mobile Security Panel.

Don Bailey will do something on mobile infrastructure security.

Brucon: iOS Data Protection Internals by Andrey Belenko. Smart Phones - The Weak Link in the Security Chain, Hacking a network through an Android device by Nick Walker.

NinjaCon / BSides vienna: Hacking NFC and NDEF, why I go and look at it again (by myself). A Midsummer Droid's Dream (grab a drink, come around, let's reverse some malware) by Manuel Acanthephyra.

ToorCon Seattle: Scott Dunlop, Reverse Engineering Using the Android Emulator. Joshua Brashars, Owning the phone system (and why it still matters).

Defcon: This is REALLY not the droid you're looking for... Nicholas J. Percoco + Sean Schulte.

Every since Google announced Google wallet I'm getting hammered with requests regarding NFC security. Funny part about that I just was getting back working on NFC security because of the Nexus S. First bug reports already filed ;-). Due to the new rising interest in NFC and NFC security I'll decided to give a NFC security talk at NinjaCon / BSides Vienna on June 18th.

So Foursquare has started to use NFC: Foursquare NFC checkin. This sounds like fun :-) I guess you can't seriously do harm but pranks sound possible.

Moxie is really cracking out cool Android stuff lately. He just released WhisperMonitor a personal firewall for Android.

Slides for the Android Attacks talk from Infiltrate. Really really good and complete talk on Android security.

Academic papers:

Usenix Security 2011 has a few interesting looking papers: Forensic Triage for Mobile Phones with DEC0DE by Robert J. Walls, Erik Learned-Miller, and Brian Neil Levine, University of Massachusetts Amherst. Secure In-Band Wireless Pairing by Shyamnath Gollakota, Nabeel Ahmed, Nickolai Zeldovich, and Dina Katabi, MIT. A Study of Android Application Security by William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri, Pennsylvania State University. Permission Re-Delegation: Attacks and Defenses by Adrienne Porter Felt, University of California, Berkeley; Helen J. Wang and Alexander Moshchuk, Microsoft Research; Steve Hanna and Erika Chin, University of California, Berkeley. QUIRE: Lightweight Provenance for Smart Phone Operating Systems by Michael Dietz, Shashi Shekhar, Yuliy Pisetsky, Anhei Shu, and Dan S. Wallach, Rice University.

Conferences:

The Black Hat Vegas CFP is still running. So no talks posted yet.

I spotted two talks at Virus Bulletin: An OpenBTS GSM replication jail for mobile malware by Axelle Apvrille Fortinet and Android malware is on the rise by Timothy Armstrong and Denis Maslennikov.

That is it for May I guess. Since I'll be either traveling or writing papers ;)

A nice blog post by Frank Rieger on the iPhone location logging: Was the iPhone location logging put in by quiet law-enforcement / intelligence agency request?

The talk A Million Little Tracking Devices by Don Bailey is really worth reading if you are in to GSM and GSM equipped hardware.

Whisper Systems (Moxie) released their Android FDE image for the Nexus One. Try it out and go full disk crypto on your Android phone. Whispercore.

News:

Skype for Android Leaks your Private Data. This has been fixed by now.

Conferences:

Recon has one mobile talk so far: AndBug -- A Scriptable Debugger for Android's Dalvik Virtual Machine by Scott Dunlop of IOActive

In other news. I'll be in SF for Oakland 2011. I'll be there a few days before the conference so ping me if you want to meet up.

Conferences:

SyScan Singapore Mobile Money is not a Ringtonea by The Grugq COSEINC; Targeting the iOS Kernel by Stefan Esser SektionEins; I'm going hunting, I'm the Hunter by Don Bailey iSEC Partners;Telecom Signaling attacks on 3G and LTE networks from SS7 to all-IP, all open by Philippe Langlois P1 Security inc.;

Infiltrate Rock'm Sock'm Robots: Exploiting the Android Attack Surface by Bas Alberts and Massimiliano Oldani;

SourceBosten Secure Development Lifecycle in the Mobile World by Marc French and Iron Mountain; Secure Development for iOS by David Thiel iSEC Partners; Tinker, Tailor, Soldier, A-GPS: How Cost Turns Security Devices Into Weapons by Don Bailey iSEC Partners.

Hack in The Box Amsterdam Attacking 3G and 4G Telecommunication Networks by Enno Ray; I'm Going Hunting. I'm the Hunter. by Don Bailey; Popping Shell On A(ndroid)RM Devices by Itzhak Avrah; iPhone Data Protection in-Depth by Jean-Baptiste Bédrun; iNception Planting and Extracting Sensitive Data From Your iPhone's Subconscious by Laurent Oudot; Antid0te 2.0 - ASLR in iOS by Stefan Esser

Looks quite okay, I never attended any SourceConference but the speakers are the usual suspects :-) Infiltrate is new. I would be mostly interested to hear Don Bailey's talk but judging from the number of talks he does on the subject I guess I'll catch it at BlackHat or Defcon in summer.

The mTAN trojan problem finally spread over to Europe and Germany. This version is called SpyEye and comes as a developer signed Symbian application.

Nico and myself finally released our Tech Report on SMS filtering recommendations. It's available here: Countering SMS Attacks: Filter Recommendations. Feedback is welcome.

I guess I missed a bunch of stuff but right now I'm kinda busy with work ;-)

The BlackBerry pwnage seems to cause some trouble as RIM seems to not tell the truth (1 2) in their advisory. Lets see what happens here.

Finally the first Android mod with encrypted storage was released by Whisper Systems. This is really really cool. Now they just need to support more Android devices besides the Nexus S. But moxie told me they are adding support for more soon :-)

For those of you interested in NFC there are two interesting papers from this years NFC Conference 1) Security Vulnerabilities of the NDEF Signature Record Type 2) Practical Attacks on NFC Enabled Cell Phones.

March looks busy for mobile security people ;-)

Android Malware becomes serious: The Mother Of All Android Malware Has Arrived: Stolen Apps Released To The Market That Root Your Phone, Steal Your Data, And Open Backdoor. This malware contains a root exploit. Yea, after you install the APK it roots your device.

Interesting papers (from ACM Hotmobile 2011)

MockDroid: trading privacy for application functionality on smart phones It shows a really interesting Android modification where one can selectively fake/mock unavailability of resources such as GPS or network to individual apps.

Mobile Token-Based Authentication on a Budget this is about using a cheap token to authenticate to your smart phone (using the digital compass).

Very brief update, but I'm quite busy at the moment.

News:

Android Trojan found in alternative app markets

ZeuS in the Mobile is back (Man-in-the-Mobile now for Windows Mobile)

Conferences:

LEET'11 has two interesting papers on mobile malware: Why Mobile-to-Mobile Wireless Malware Won't Cause a Storm and Andbot: Towards Advanced Mobile Botnets. I'm looking forward to actually read them.

As I wrote in my last blog entry last week I attended the Mobile World Congress in Barcelona. Over all it was quite interesting, meeting old friends and people so far I knew only through email.

I also had a nice chat with Elinor Mills from CNET about Visa's NFC payment stuff at the Visa booth at MWC. Her article is here: Mobile phone e-wallets get closer to reality

In two weeks Nico and I am going to speak at CanSecWest about our feature phone SMS research. I'm really looking forward to Vancouver again.

Conferences:

BlackHat Europe (Barcelone): Nitesh Dhanjani talks about New Age Attacks Against Apple's iOS (and Countermeasures)

CanSecWest: iPhone and iPad Hacking by Ilja van Sprundel, IOActive, Project Ubertooth: Building a Better Bluetooth Adapter by Michael Ossmann, U.S. Department of Commerce and Great Scott Gadgets and Nico and myself on SMS-o-Death.

Here a collection of some ShmooCon 2011 video recordings.

Some comments on smartphone botnet C&C over SMS from Shmoocon 2011: this is basically a redo of my iBots paper. The only difference is the implementation for Android in place of our iPhone implementation.

Also from ShmooCon: Attacking 3G and 4G mobile telecommunications networks looks quite interesting.

Sadly I didn't find the slides for the other interesting talks, especially for TEAM JOCH and the mTan talk. Also what about the video streams from ShmooCon, were they recorded?

Interesting story: Would-Be Suicide Bomber Killed by Unexpected SMS From Mobile Carrier if this is true...

Funny story on stealing SIM cards from traffic lights, Schneier has a few nice pointers on the story: here.

Don't Sacrifice Security on Mobile Devices by Chris Palmer (@ EFF) makes a nice read. Spontaneous idea: what about something like hardened android?

A story on mobile phone forensics.

A Android trojan with botnet-like features?

Conferences:

The ShmooCon schedule. The BlackHat DC slides. A few notes to some slides. A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications this is what every serious GSM hacker/security research has in his lab - no rocket science - but nice roundup for noobs and beginners. Exploiting Smart-Phone USB Connectivity For Fun And Profit fun read, good job.

Upcoming events for myself: Mobile World Congress, I'll be there for all four days. Catch me at Hall: 2 Booth: H04 (City of Berlin -> Technische Universitaet Berlin and others)

Happy new year mobile phone security enthusiasts!

Conferences:

Black Hat DC Itzhak Avraham's talk: Popping Shell on A(ndroid)RM Devices; Rob Havelt, Bruno Goncalves de Oliveira: Hacking the Fast Lane: security issues with 802.11p, DSRC, and WAVE (not directly mobile phones); David Perez, Jose Pico talk about: A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications; Angelos Stavrou, Zhaohui Wang talk on: Exploiting Smart-Phone USB Connectivity For Fun And Profit; Ralf-Philipp Weinmann's talk on: The Baseband Apocalypse (exploiting baseband software)

Shmoocon as a number of talks but sadly no abstracts online. Also I wont be able to attend. Here are some talks that have interesting titles: Defeating mTANs for profit by Axelle Apvrille and Kyle Yang, something about smart phone botnets (the news part of the site gone now).

Bugs:

On Android SMS are intermittently sent to wrong and seemingly random contact. This could go bad. Not a real security bug - but a bad bad fuckup.

Finds:

ClamTXT a service for bombing mobile phones with hundreds of text messages. via Mikko Hypponen

Finally our (Nico and myself) talk SMS-o-Death is in the 27c3 schedule. The talk will be kick ass.

Stefan Esser of PHP Security fame released a tool called Antid0te to add ASLR to jailbroken iPhones.

This looks like really awesome work, very interesting slides.

I will give a talk at the 27th Chaos Communication Congress together with my student/colleague Nico Golde The title of our talk is SMS-o-Death: from analyzing to attacking mobile phones on a large scale. The talk is about attacking feature phones. This should be very interesting for everybody since we put quite some effort into this research and prepared a good talk. This will be on Day-1 in Saal 1. (We are still not listed yet).

I hope to see many of you guys at the congress!

TAC Database needed for research...

recently I (and a friend of me too) was looking for a open TAC database but we could not find one. Does anybody have a hint? If nothing exists what about a TAC database around the OpenBSC/osmocom projects?

Smartphone security paper by enisa

Smartphones: Information security risks, opportunities and recommendations for users . In my opinion not bad but not good either.

Past conferences:

POC2010 had two mobile related talks. 1) Stefan Esser, "iPhone Hacking and Security(Adding ASLR to Jailbroken iPhones)" and 2) Silverbug, "Android Application Hacking & Security Threat". Unfortunately no slides are available yet.

Fun:

BBC video clip: My Blackberry Is Not Working! too funny.

DeepSec was real good and a lot of fun this year. Especially putting faces to email/twitter accounts. The mobile talks were really good and there was a lot to learn and spark new project ideas ;)

Quickies:

Spoof your geolocation

Android Data Stealing Vulnerability thru the web browser.

Kinda happy about my iBots paper, since I got two non-academic reviews about it. 1 and 2.

Conferences: It is fixed that I will go to DeepSec in late November. It's kind of a must since they have a strong mobile security program this year.

Unfortunately I missed hashdays in Lucerne. This seems to be a nice event and I'll try to go next year. This reminds me once again that we have many cool Cons here in Europe.

Bugs: once again Safari on the iPhone starts voice calls without user interaction this time powered by Skype. See here. Very similar to the bug I found last year. Nice catch.

In the news: Hackers take control of 1 million mobile phones apparently some trojan (user installed) sent out a lot of SMS spam.

I got mentioned on the McAfee blog iBots? Mobile phone network 0wnage for my work on smartphone botnet C&C.

Ralf published is awesome work on mobile/smart phone baseband attacks. The slides to his talk All Your Baseband are Belong to Us are available here.

Travel / Cons:

In late November I plan to go to Vienna for DeepSec, who else is coming?

In December I will be speaking at Cisco Expo Germany (in Berlin). Hit me up if your coming.

So from now on I will include academic publications to my news updates. I screen the stuff anyway so why keep it only for me.

ACM CCS

(7) A Methodology for Empirical Analysis of the Permission-Based Security Models and its Application to Android David Barrera, H. Gunes Kayacik, Paul C. van Oorschot, Anil Somayaji
(8) Mobile Location Tracking in Metropolitan Areas: malnets and others Nathanial Husted, Steve Myers
(9) On Pairing Constrained Wireless Devices Based on Secrecy of Auxiliary Channels: The Case of Acoustic Eavesdropping Tzipora Halevi, Nitesh Saxena
(10) PinDr0p: Using Single-Ended Audio Features to Determine Call Provenance Vijay A. Balasubramaniyan, Aamir Poonawalla, Mustaque Ahamad, Michael T. Hunter, Patrick Traynor

A funny bug in the Nokia E72: Nokia E72 Keyboard Password bypass

Conferences: Upcoming is the 27C3 it's CFP runs until October 9th. I will try to also do a talk this year again.

Together with Daniel Bachfeld from heise I wrote the artikel Risiko Smartphone which will be published in the upcoming issue 20 of the c't magazin (German only). First time mass media publication :-)

Mobile phone HTTP header privacy issue in Spain [1] xuf got them to fix it [2].

In October I will present two papers. First, Privacy Leaks in Mobile Phone Internet Access which is about mobile phone HTTP header leakage. Second, Rise of the iBots: 0wning a telco network a paper on smartphone botnet C&C.

The Osmocom people have added a security section to their wiki. One really interesting part is the section on Will my Phone Show An Unencrypted Connection?

Conferences: ToorCon has a nice lineup sofar. Real Men Carry Pink Pagers. The Carmen San Diego Project. iPhone Rootkit? There's an App for That. The Hidden Nemesis: Backdooring Embedded Controllers. Smartphone Ownage: The State of Mobile Botnets and Rootkits. Moving Target: Location-Based Threats and Mitigations. Black Hat Abu Dhabi Mobile Phony: Why You Can't Trust Mobile Phone Networks For Critical Infrastructure.

Need some hints

I'm looking for a number of statistics. 1) How many people update their mobile phones (I don't care about smartphones such as iPhone or Android). 2) The most popular mobile phones around the world. There should be some sales stats on this, right? Any help will be very welcome. Email: collin[at]mulliner.org

The thing called a phone by Scott Adams. I almost never use it as a phone.

So since I have decided to use Flattr I also decided to put my own Thing for Mobile Security News on Flattr.

At T2 Nils talks about some WebOS and Android vulns this should be quite interesting since he likely will cover the bugs he recently found. T2 is really one of the European cons I want to go to, very high priority! Especially since I can't go to SEC-T this year. hacking the RKF ticket system and How to stay invisible (while still using cellphones) sounds quite interesting.

The BruCON schedule looks quite interesting. GSM Security: Fact and Fiction NFC Malicious Content sharing, the abstract sounds like something I've done some years ago - I wonder what kind of new stuff they found. The Monkey Steals the Berries: The State of Mobile Security So BruCON actually looks quite good, another CON I need to go to at some point.

At SecTor there seems to be a single mobile talk: Black Berry Security FUD Free.

Thats it for August as far as I can see.

Update: I totallty forgot DeepSec. This year it seems like a mobile only security conference. Talks are: Pentesting Internet Handheld Devices Debugging GSM Targeted DOS Attack and various fun with GSM Um Mobile VoIP Steganography: From Framework to Implementation Mobile privacy: Tor on the iPhone and other unusual devices OsmocomBB: A tool for GSM protocol level security analysis of GSM networks Malicious applications for Smartphones All your baseband are belong to us Android: Reverse Engineering and Forensics LTE Radio Interface structure and its security mechanism

So the PalmPre seems to have a small problem with vCards? Pwn20wn Nils found a nice little bug that seems to be exploitable. Nice find!

Then we got the first Android trojan that sends premium SMS messages. Jon did a nice decode of the trojan over here.

Since this is now on a public website I want to mention it once: Decrypting GSM phone calls by Karsten and other from the Security Research Labs (Berlin)

A short overview of the talk How to stay invisible (still using cellphones) from PlumberCon. No slides unfortunately.

Some Vulnerable setuid binaries on 4G and HTC Hero (Android phones).

Latest version of Hijacking Mobile Data Connections from the Mobile Security Lab guys this time with iPhone and Android. This was shown at HITB Amsterdam.

The final schedule for Defcon is out - with a few more talks that should be interesting for us mobile guys. Also I kind of forgot to post some stuff because of my feature phone rant.

Defcon talks: These Aren't the Permissions You're Looking For by some guys from Lookout. This is about Android security. App Attack: Surviving the Mobile Application Explosion by the CXO guys from Lookout.

Unrelated by cool: Advanced Format String Attacks by Paul Haas who was an undergrad student in the RSL at UCSB while I was there, nice!

Android vs. Jon Oberheide :)

Jon recently did a few cool things with Android. His slides from SummerCon 2010. Two interesting blog posts about Remote Kill and Install possibilities on Android and some insides on the GTalkService Connection that is always active between your Android phone and Google. Nice reads!

PS: I organized that I will be able to attend Black Hat :-) So I will get the full Vegas experience once again.

Most important thing: I will travel to Defcon this year. Really looking forward to meet some people again. Ping me if you want to meet up!

More and more Defcon talks show up: Exploitation on ARM - Technique and Bypassing Defense Mechanisms by Itzhak "Zuk" Avraham. This is a must see for me.And wow a new Bluetooth security talk, I've been waiting for this. Breaking Bluetooth By Being Bored by JP Dunning. Practical Cellphone Spying by Chris Paget also looks interesting. It looks like there are some more talks in the pipe that are interesting for us mobile guys.

A small rant on feature phones. So we are playing with feature phones, and many of those phones don't support a full hard reset were you can erase all data. WTF??!?! Some manufactures have a PC program to flash those phones in order to restore them. But then they check the software version and don't allow you to reflash the same version. WTF!??!?!

Vegas update: Carmen Sandiego is On the Run! by Don Bailey & Nick DePetrillo. They seem to have updated their talk for Black Hat. Very interesting for me but not related to mobile phones: How to Hack Millions of Routers by Craig Heffner. He is talking at both Black Hat and Defcon. So far only one mobile talk at Defcon: This is not the droid you're looking for... by Nicholas J. Percoco and Christian Papathanasiou.

SyScan Singapore has one talk on GSM security by the Grugq (the same one he will give in Vegas).

I'm still looking for a new Android device. The device closest to my needs is a Motorola Milestone (I want a keyboard). But I really don't want to buy a device with a closed bootloader. For sometime I considered a Nexus One even without a keyboard, but the price is a little to high in my opinion.

A paper on mobile phones as bugging devices: Roving Bugnet: Distributed Surveillance Threat and Mitigation.

Black Hat USA 2010 talks: Base Jumping: Attacking GSM Base Station Systems and mobile phone Base Bands by The Grugq. I'm really wondering about this talk. You will be billed $90,000 for this call by Mikko Hypponen. This talk sounds like fun. More Bugs In More Places: Secure Development On Moble Platforms by David Kane-Parry. Attacking phone privacy by Karsten Nohl.

Too bad that I decided to skip most cons this year. But PH-Neutral coming up this weekend. See u guys there!

EuSecWest moved to June and to Amsterdam but still looks promising. So far two talks look interesting: Immature Femtocels by Ravishankar Borgaonkar & Kevin Redon, Technical University of Berlin and BlackBerry Proof-of-Concept malicious applications by Mayank Aggarwal, SMobile Systems. I hope to see more mobile stuff at EuSec. I would really like to go but I have too many other stuff todo.

Somebody claims to have found a iPhone data protection vulnerability . I haven't checked it out myself.

Waiting to see some of you at Ph-Neutral. Only 2 weeks to go!

Confidence in Krakow has a few interesting talks. Especially the GSM/Cell Networks and telephony security by Don Bailey and Nick DePetrillo - this should be the stuff from SourceBoston. Android Reverse Engineering - Workshop by Jesse Burns. Mobile attacks and preventions - how security will change the mobile market by Tam Hanna. And The Four Horsemen - Malware for mobile by Axelle Apvrille.

I'm seriously considering going there.

while going through my morning RSS feeds I stumbled across this simple but cool SMS-based attacks against WebOS (Palm's PRE). The attacks are based on simple SMS text messages that contain iframes. The bugs where found in WebOS 1.3.5 and are fixed in the current version. Read the full details on the blog of /intrepidus group the researchers who found these bugs. I especially like the phone dialing stuff where they inject so-call GSM codes in order to switch of the GSM radio. Nice. Too bad I was a little behind with WebOS :-(

Conferences: SourceBoston 2010: Attacking WebOS by Chris Clark and Blackberry Mobile Spyware - The Monkey Steals the Berries (Part Deux) by Tyler Shields.

As usual I call for hints and tips on interesting papers/slides/website on mobile security.

Update:

There seems to be another mobile security related talk at SourceBoston. We Found Carmen San Diego by Don Bailey, iSec Partners & Nick DePetrillo. Reading the abstract this looks like Locating Mobile Phones using Signalling System #7 by Tobias Engel at 25C3 in 2008. He also didn't have direct access to SS7 but used a web-based interface to some parts of SS7.

Update 2:

I just got an email from Michael he discovered that WindowsMobile 6.5 is also vulnerable to SMS messages that contain HTML and JavaScript. He posted a small advisory yesterday after reading about the Palm Pre stuff. His advisory is here: XSS and Content Injection in HTC Windows Mobile SMS Preview PopUp.

CanSecWest is just over - it was a real nice conference and I'm looking forward to come here again.

The slides for my talk Random tales of a mobile phone hacker are available here. The most interesting part should be my mobile phone HTTP header logging and analysis. See also this story.

I've put up a test page where you can check if your operator leaks your private data such as your mobile phone number (MSISDN), IMSI (SIM card ID), or IMEI (phone hardware ID). The test page is here: www.mulliner.org/pc.cgi. I promise that I don't log any data when visiting this page.

Two stories I want to comment on:

FatSkunk software-based attestation as a solution to mobile malware. Article by the German Technology Review. They promise a lot. I don't think this will work as advertised (I haven't seen this at work - also I can't really find a paper about it).

Smartphone Weather App Builds A Mobile Botnet. So these guys created a classic trojan application (does something very simple and useful but has a malicious part too). Of course people will download the application from some trusted website - nothing to wonder about.

Just found another mobile security talk that will be held at CanSecWest: Stuff we don't want on our Phones: On mobile spyware and PUPs - Jimmy Shah, McAfee, Inc


Update March 9th:

I forgot the Hack-in-the-Box conference in April in Dubai. They have two mobile security related talks: Base Jumping: Attacking GSM Base Stations and Mobile Phone Basebands by the Grugq and Open Sesame: Examining Android Code with undx2 by Marc Schoenefeld.

Just links...

Gartner Says Worldwide Mobile Phone Sales to End Users Grew 8 Per Cent in Fourth Quarter 2009; Market Remained Flat in 2009 so you know what OS/platform you want to PWN this year :-)

NeoPwn = BackTrack Mobile NeoPwn Merges with BackTrack. Produces BT Mobile for #N900 it seems that WiFi driver for the nokia N900 (wl1251) was patched for RFMON and injection.

Android link collection mostly OS and security stuff

...thats it!

Yea I will be going to CanSecWest for the first time this year. I'll have a talk on my favorite subject: Mobile Phone Security (Random tales from a mobile phone hacker). I'm really looking forward to this!

Second, there will be a mobile phone PWN2OWN again this year. They increased the cash pool for mobile devices to $60K, this looks like a statement! The devices/platforms are: iPhone (of course), BlackBerry, S60 (Nokia), Android.

SecurStar did it again in 2006 there was RexSpy and in 2010 we have this mobile phone crypto comparison. But the knowledgeable community is big enough to identify and point out this kind of advertising/scam fast enough.

Conferences, the only interesting talk I found is: iPhone Privacy by Nicolas Seriot at Black Hat DC this week.

In other news, I still need a Nexus One. It is still not available to buy out side of the US. *ARG*

Updated (Feb 2nd):

Something from a few days ago: iPhone PKI handling flaws

I have been busy as hell from mid December to now, this was due to the Chaos Communication Congress (26C3), the fact that I turned 30, and some work stuff. I guess I have missed some interesting stuff in this time. So once again if you have interesting things on mobile security tell me!

Conferences, ShmooCon taks place in February (I always wanted to go - still haven't made it). The New World of Smartphone Security - What Your iPhone Disclosed About You by Trevor Hawthorn. Karsten is doing his GSM: srsly talk again. Bluetooth Keyboards: Who Owns Your Keystrokes? by Michael Ossmann, for some time I did a lot with Bluetooth keyboards so I would really like to see what they show here - especially since Michael Ossmann is one of the guys who really knows about Bluetooth. honeyM: A Framework For Virtual Mobile Device Honeyclients by whole bunch of Military guys (SCNR). Blackberry Mobile Spyware - The Monkey Steals the Berries by Tyler Shields. So it really looks like ShmooCon has some mobile security content this year.

Random news:

Android Phishing app in the Market

Study of BlackBerry Proof-of-Concept Malicious Applications

Fun find:

Abhoersichers Handy (Anti eavesdropping Mobile Phone) apparently this should cost 4800 Euros. The screen shots look interesting. If anyone has any details on this device please tell me.

very short update...

SRI published an analysis of Ikee.B here: www.csl.sri.com/users/porras/iPhone-Bot.

I wrote about this stuff about a year ago here ;-)

so I was quite busy with various projects therefore this update is really really late.

The most interesting thing that happened recently was the jailbroken iPhone SSH fuck up. See: 1 and 2. There are many other stories on this all over the net, also by now this is kind of old. The interesting thing actually is that I investigated this jailbroken iPhone SSH problem in August of this year. Including a nice statistic and some measurement. I'm planning to show this stuff together with some other work at some conference (academic and hacker) next year (talks/papers are submitted).

Conferences, I attended DeepSec in mid November, this was great fun. Including some good mobile phone security talks. At the upcoming 26C3 there will also be a bunch of talks on mobile phone security. Location tracking does scale up, GSM: SRSLY?, Playing with the GSM RF Interface, Using OpenBSC for fuzzing of GSM handsets, and SCCP hacking, attacking the SS7 & SIGTRAN applications one step further and mapping the phone system.

I actually planed to not attend 26C3 because last year kind of sucked, especially because there were way too many people. So this year I will go to some talks but not hangout at the conference. If you want to hangout during CCC give me a call or write me an email. Although my talk on SMS fuzzing was rejected I recently was asked if I would do it if they find a spot in the schedule. Of course, I would do it.

Recent papers: iPhonePrivacy.pdf shows some privacy issue with the iPhone platform. Nothing really surprising, but a good read.

I know I missed several things in this post but I kind of have info overkill in the last weeks. Please send me hints hints hints!!!

Conferences: PacSec 2009 Charlie Miller is giving a talk on iPhone SMS Fuzzing and Exploitation, Rich Cannings & Alex Stamos are giving titled The Android Security Story: Challenges and Solutions for Secure Open Systems, and Yves Younan is giving a talk on Filter Resistant Code Injection on ARM (this sounds interesting). So PacSec seems to be filled with some good mobile security related talks.


Btw. the CanSecWest CfP is open now. I have something to submit but it will be complicated because of some academic conference. Let's see what happens.

Bug watch:

Some more PalmPre: Floating Point thingy in the browser seems to make a nice DoS.

Links:

Dangers of Customized Android ROMS and Malware
Internet per UMTS: So fälschen deutsche Provider Webinhalte (German)

the guys from the Mobile Security Lab seem to have a lot of time recently a couple of days ago they released a short study on SSL on mobile phones: Tricks for Defeating SSL: effectiveness test on mobile phones.

Tomorrow (7th of October) Hack-in-the-Box 2009 takes place in Malaysia for some reason I always forget HITB. I can't remember ever reading a CFP or anything. They seem to have a few mobile security related talks. Here is the Agenda. Bugs and Kisses: Spying on BlackBerry Users for Fun by Sheran Gunasekera, Side Channel Analysis on Embedded Systems by Job De Haas.

Bug watch:
Palm Pre WebOS <=1.1 Remote File Access Vulnerability The short description is: The Palm Pre WebOS <=1.1 suffers from a JavaScript injection attack that allows a malicious attacker to access any file on the mobile device. Things get more and more interesting with web stuff on smartphones.


On October 9th the CFP ends for:
26C3: Here Be Dragons (26th Chaos Communication Congress)
December 27th to 30th, 2009 in Berlin, Germany

They always like mobile phone related talks, so go and submit something interesting.

Lets start with conferences again. I'll be speaking at the 5th Annual Mobile Device Management and Security Forum this is a more high level non-technical conference, haven't been to stuff like this so it should be interesting. Another speaking event will be at the TelekomForum - Mobilfunktrends 2010 in Bonn, lets see how this goes.

Michael Mueller of silentservices.de found some nice SMS/MMS/Wap Push bugs in various smart phones. The bugs allow to spoof/obfuscate the sender address/number of MMS messages. This could be used for spam or social engineering I guess. The advisories are here and here.

The guys from the Mobile Security Lab published a primer on Service Load (SL) attacks. I haven't had time to read it yet. You can find it: here

So stuff happens in the mobile security world.

SEC-T was a nice event, I had a good time. The location was nice, the talks were good and I talked to some interesting people.

Some highlights: a reverse engineering challenge, a Wifi antenna building contest, and a bar quiz (a nerdy one). The best part, the team I was on won the quiz *G*

Bonus. I had the chance to play with a Nokia N900 (the Nokia Linux smart phone). This is a sweet device.

Vorsicht - ansteckend! (in German) something about mobile phone malware, this was even printed *G*

Researchers discuss iPhone, SMS bug Interview done by NetworkWorld at Black Hat this year.

I rather should be doing slides but I don't want to right now.

Upcoming conferences:

#T2 in Helsinki October 29-30 will have a two talks first Forensics on GSM phones by David Batanero and second Spying via Bluetooth by Jamo Niemela. Especially the talk on phone forensics would be very interesting for me since lately the subject was brought to my attention by multiple people. David Batanero was also scheduled to talk at SEC-T in September but his talk was cancelled, too bad since I'm going to SEC-T but not #T2. As far as I can see my talk is the only mobile security talk at SEC-T this year.

DeepSec in Vienna on November 19-20 will have two mobile security talks. First Hijacking Mobile Data Connections 2.0: Automated and Improved by Roberto Piccirillo and Roberto Gassir (Mobile Security Lab) and second A practical DOS attack to the GSM network by Dieter Spaar.

Btw. I'll actually attend DeepSec this year. I'm looking forward to it since it will be my first time at DeepSec, and Vienna is a fun city.

Other interesting developments:

The various GSM cracking projects seem to be taking off this time around. The people behind AirProbe and Creating A5/1 Rainbow Tables seem to really want to build something that is easy usable. I really wait for the day this stuff is done and anybody with a old GSM phone has to be worried that someone with hardware for about 100 Euros can listen to his/her phone calls and can read his/her text messages (SMS).

I recently I had a fun idea for this idea I want/need a list of hardware that has a build-in mobile phone or GSM modem. If you know of such hardware please tell me (collin[AT]mulliner.org or comment on this post). Please don't tell me about laptop/netbook X with a build in modem but rather about your fridge or microwave that can call or text. So this is a call for hardware with embedded mobile phones!

this blog post is long overdue, but due to traveling and catching up on work this had to wait.

Black Hat USA had quite a few mobile security related talks, the slides are here: Exploratory Android Surgery by Jesse Burns (haven't read this yet), Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone by Vincenzo Iozzo and Charlie Miller. Attacking SMS by Zane Lackey and Luis Miras, Is Your Phone Pwned? Auditing, Attacking and Defending Mobile Devices (only the white paper - no slides so far) by Kevin Mahaffey and Anthony Lineberry and John Hering. The stuff for our talk Fuzzing the Phone in your Phone by Charlie Miller and myself is here.

It was nice to see that Zane and Luis took my MMS research and followed some ideas I had and made them work. Especially the part about running a your own MMSC (MMS Server). At the point in time where I tested this it did not work because the WAP-gateway that is configured in the MMS profile only connects to the MMSC of the mobile operator. I tested this with multiple US providers and some German providers in 2005/2006. I guess I have to do some testing here in Germany to see if anything changed for our local operators.

HAR2009 had a few interesting talks too. In no particular order: Cracking A5 GSM encryption by Karsten Nohl, Public transport SMS ticket hacking by Pavol Luptak, OpenBSC - running your own GSM network by Harald Welte (the slides are the same as the 25C3 slides), Airprobe - Monitoring GSM traffic with USRP by Harald Welte (could not find any slides, somebody took notes and put them here).

Did anything else happen in August? I think there was something but I can't remember. Hints welcome!

It looks like I'm going to speak at SEC-T in Stockholm (Sweden). I'll talk about the SMS Security Research I've done together with Charlie Miller.

I'm really looking forward to go to Stockholm since I love both Sweden and Stockholm!

currently I'm hanging out at USENIX Security in Montreal. Talks are quite good and Montreal is a nice city to visit.

I just found out that our paper Injecting SMS Messages into Smart Phones for Security Analysis is already available for download. I also uploaded my slides for the talk. It is available on my SMS Security Research page.

I just created the SMS security research page in order to publish the slides from our (Charlie and myself) talk at Black Hat USA 2009 titled: Fuzzing the Phone in your Phone.

The injection frameworks for the iPhone, for Android, and for Windows Mobile are available for download just now. Charlie provided his Sulley fuzzing test cases. The page is far from complete as we have more tools and scripts to share. But since I'm on vacation/business trip (depending on the actual day) I didn't find time to sort it all out.

I also updated my iPhone Security page with the link to Apple's security advisory for the vulnerability we reported. iPhone OS 3.0.1 fixes this vulnerability.

SexyView a Symbian Virus/Worm or bot(net)? I really don't care too much about viruses, so until this thing has a real control channel and can auto-update it is nothing. The one thing that I find interesting about it is the fact that it seems to be signed. This more or less proofs that signatures don't buy you any security. One can always somehow obtain a signature for a piece of malware. This is as good as having no signatures at all - well not exactly it still puts the bar a little higher.

The Windows Mobile HTC OBEX path traversal bug is interesting. Not because it is new but rather that this kind of bug made it once again into a device. So I guess no quality control at HTC. Alberto, the guy who found and reported the bug, told me that HTC was not really interested in communicating with him. This is sad since HTC will also be building their own Android devices soon. I just read that HTC seems to offer a hotfix for the issue.

On a personal note. As I wrote before I'll be going to Black Hat and Defcon in Vegas. Directly after Vegas I'll travel to the Valley (Los Altos and Mountain View). Before going to Montreal for USENIX I will spend some time around Santa Barbara. So if anybody is up for some mobile phone security stuff contact me.

Otherwise see you in VEGAS!

Bernhard Mueller from SEC Consult posted this fine work on Symbian security to the full disclosure list. His white paper Pwning Symbian looks interesting (I haven't actually read it completely yet).

I guess it is time again for a news update. I actually wanted to write one for June but I somehow forgot.

Let's start with the most recent stuff. Charlie Miller partially disclosed what we are going to talk about at Black Hat at the end of the month. Sadly some reporter over hyped his story. This sucked btw! Here are the original (over hyped) and the actual facts stories.

The HAR2009 program is out and there will be some mobile phone security related talks. Public transport SMS ticket hacking seems to talk about how to hack a SMS-based ticketing systems. cracking a5 gsm encryption will do a state of the art talk. There will also be a OpenBSC talk that will show how to build and run a GSM network based on opensource software an hardware everybody can buy. All in all HAR seems to be quite some fun. Sadly I wont be able to go due to time conflicts.

Fun find on BugTraq: Multiple Flaws in Huawei D100. The Huawei D100 is a small home 3G router (product page) that seems to be given out by some ISPs.

A personal side note: I now own/have-full-access-to a BS-11 Abis GSM base station and will soon start to play around with it. Happy happy fun fun.

I've been waiting for quite some time to publish the full details of the iPhone Safari Phone-auto-Dial vulnerability. But since Apple included it again in the just published security fixes for iPhone OS 3.0 I decided to finally go ahead and publish the details. The examples in the advisory show only the original bug also we found some variations of it, we didn't put any examples in the advisory.

iPhone Safari Phone Auto-dial Vulnerability also see my iPhone page.

I'm also credited, together with many others, for reporting the issue that Mail loads remote images when displaying HTML emails. The problem is actually a little bit bigger since also iframes are loaded. I actually showed them a demo where I can start QuickTime from Mail without user interaction. Do I need to say more?

The second advisory is about the Nokia 6212 classic an Near Field Communication mobile phone. I did a full disclosure of the bugs at 25C3 in late December 2008 but I never published an actual advisory. I do this now.

Nokia 6212 Classic URI Spoofing and DoS vulnerabilities also see my NFC page.

First of all conferences. EUSecWest is taking place the coming week in London. It will feature multiple mobile security related presentations. First Charlie Miller and Vincent Iozzo each have a iPhone related talk. Second Petr Matousek will speak about rootkits on Windows Mobile/Embedded and third Ralf-Philipp Weinmann will talk about DECT decryption. Looks like EUSecWest will be an interesting place to be this coming week.

Right after EUSecWest PH-Neutral is taking place in Berlin where I will be showing of a small side project on mobile phones and web usage. Many other interesting talks will be held as usual.

Black Hat USA started to announce the speaker lineup for this year and yes I'm one of the speakers. Together with Charlie Miller we will talk about SMS Fuzzing. So far Black Hat seems to become very strong on mobile phone security this year. Jesse Burns will talk about Android, Zane Lackey and Luis Miras will also have a talk on SMS but from the description they took a different angle than Charlie and myself. John Hering from Flexilis also seems to have gotten accepted with a mobile phone related talk that sounds very interesting Is your phone pwned? Auditing, attacking, and defending mobile devices. Last but not least Charlie Miller and Vincent Iozzo will do an iPhone talk. I actually hope for more mobile phone related talks, lets wait and see.

The Nokia 1100 story is getting more and more annoying. In this article it is reported that this company called Ultrascan replicated the SMS interception. No technical details of course. So now I'm looking for people who are interested in the topic and who would also like to understand this and possibly replicate it.

See you at PH-Neutral this weekend!

Update:

So it seems Google/HTC pushes Android security updates without publishing a change log. WTF?!? Any rumors about what this is about?

just a quickie, the slides from BlackHat Europe are up for a few days. Here are the slides for Hijacking Mobile Data Connections and for Passports Reloaded Goes Mobile (clone a RFID passport using an NFC mobile phone). So far Charlie Miller and Vincenzo Iozzo only put up a whitepaper of their OS X and iPhone talk.

If you can understand German (spoken word) you might want to listen to Chaosradio Express episode 120 which is about OpenBSC and generally about building GSM networks or actually the software to run a network in your cellar/garage.

In the last week there was a short buzz about a old Nokia phone (Nokia 1100) that could be reprogrammed to sniff SMS messages. The story really sounds like a hoax since the whole subscriber ID stuff is handled through the SIM card rather then through the phone itself. There are not many details just the story. F-Secure has something in their blog about this too.

Yesterday the new Android version cupcake was released for developer phones, get your cupcake while its still warm :-) Get it from here.

Btw the Technology Review article citing me is only in the next issue (06.2009).

BlackHat Europe brought some new stuff:

First the guys from the Mobile Security Lab showed us that the OMA provisioning functionality can be easily abused to reconfigure the Internet connection settings on many mobile phones. Although the attack requires some user interaction and therefore some social engineering the attack is quite cool. Technology Review has an article on their work. Nice Work guys!

The second mobile device related piece from BlackHat Europe is that Charlie Miller showed a workaround for the non-executable memory of the iPhone. I haven't see the slides of his talk but NetworkWorld has an article on Charlie's iPhone find.

I was interviewed by the German version of Technology Review on the subject of smart phone security and malware. As far as I know the article citing me should be in the current issue (05.2009).

Otherwise not much happened in the world of mobile device security.

few things happened besides Pwn2Own. One thing I missed about the mobile pwn2own is that Sergio Alvarez apparently tried to own a BlackBerry device but failed due to device/software mismatch. Hey at least he seems to have a exploitable bug for BlackBerry, nice!

Since today the slides for CanSecWest are online. The mobile security stuff is here: 1 2 3 4

At the upcoming BlackHat Europe some guys from the Mobile Security Lab will give a talk on Hijacking Mobile Data Connections . This sounds interesting too bad I can't go.

Feedback is welcome, any good sources to recommend? Any mailing lists?

so it looks like Pwn2Own mobile failed the first time it was around. This is a surprise for me.

Pwn2Own is over, all mobile devices remain unscathed. #cansecwest (via Twitter)

I would have guessed that the iPhone would be have been taken even it's Non-Exec-Memory since many more people try to break it in comparison with the other mobile platforms.

Symbian was the only mobile platform somebody tried to pwn?

#cansecwest we've got someone trying the Symbian phone now- stand bye (via Twitter)

This is a bigger surprise to me. Especially since Pwn2Own only offers a Nokia N95, a device that has Non-Exec memory. I tried to closely follow Pwn2Own mobile so when I first saw that Symbian was in the game I thought this will be uninteresting since they will take a brand new device with Non-Exec memory. When I read about the Nokia E61 in this announcement I was really happy since this device doesn't have Non-Exec memory. In the latest announcement the E61 seems to have been removed. Possible because the figured out that it was way to old, bummer.

I actually predicted that somebody will own the Windows Mobile device and the Android G1 but they all survived. Maybe all the bugs were already reported to the manufacturers before mobile pwn2own was announced so they could not be cashed (I at least know about one case). So I guess people will hold on to their (mobile) bugs until next year's CanSecWest/Pwn2Own. Especially now that some well known people called for their no more free bugs campaign. One last point that I found nice was that for mobile pwn2own the goal was not necessary code execution but 1) loss of information (user data) OR 2) incur financial cost. My iPhone phone call bug would probably have counted, so I guess I should also keep bugs for myself now.

SIMKO2 is the new super secure smart phone for German government officials. According to heise.de the device is based on HTC touch pro and runs a hardened version of Windows Mobile. The device and all it's communication with the outside is going to be encrypted using a micro-sd smartcard (see here). Also the SIMKO2 devices seem far from being deployed since they seem to have some performance issues with the encryption, see here, also heise.de reports that the SIMKO2 devices are faster then the original touch pro. If you can read german you should check out these three links: 1 2 3.

Sexy View is the first signed Symbian worm (makes it the first effective worm for S60 3rd edition). The worm spreads through simple social engineering, it sends a SMS to every contact in the contact list of an infected phone. The SMS simply contains a URL to the worm's SIS file on the internet. What I find interesting is the payload of the worm, since it doesn't seem to send any premium rate SMS or MMS but collects information about the phone (IMEI) and the SIM card (probably IMSI and MSISDN). This makes me wonder what these information are being used for or maybe used for in the future. Fortinet thinks that the worm could be the first step of a mobile botnet, also there is no proof yet that the worm contains any update or remote control mechanism. This could be a really interesting thing in the near future.

The mobile bug of the week is a XSS attack against a HSDPA router using SMS, see here. Like most routers the Huawei E960 is controlled via a web interface. The interesting feature of the E960 seems to be that it displays un-escaped SMS messages in the web interface and therefore can be exploited through SMS messages containing HTML and JavaScript. The attack is really funny, also I think it is quite impractical since the victim would need to load the router configuration page in his web browser in order to trigger the attack. Never the less this is a great attack!

This year's CanSecWest will have a good amount of smart phone security related talks besides the earlier announced mobile pwn2own contest. Talks seem to be focused on the iPhone and the Android platform. 1) Alfredo Ortega and Nico Economou - Multiplatform Iphone/Android Shellcode, and other smart phone insecurities 2) Jon Oberheide - A Look at a Modern Mobile Security Model: Google's Android and 3) Sergio 'shadown' Alvarez - The Smart-Phones Nightmare. I suppose Sergio Alvarez is also going to talk about the iPhone since Apple fixed multiple bugs that he submitted in the iPhone 2.2 update. I'm a bit sad that I can't attend CanSecWest.

At BlackHat Europe Jeroen van Beek will show his NFC-phone-based e-Passport cloning tools. Maybe there is even more mobile security stuff going on there since the speaker list is not yet complete.

Done with conferences for this post. The guys from the Mobile Security Lab just launched their poc site where people can test their phones using exploits developed by the mobile security lab. Nice idea!

Last weekend at ShmooCon Charlie Miller released details on a vulnerability in Android's audio player. Some links: 1 2

Related news: Palm has finally killed PalmOS. I really waited a long time for this to happen. PalmOS was just way past its time. This a good and sad thing but now its over.

Did I miss anything?

I just read that CanSecWest's Pwn2Own is going mobile this year. It looks like they are going to have an iPhone, a Android (should be a G1), a Symbian, and a Windows Mobile device too pwn and own. I wonder how the rules are going to be for these devices. via twitter

Second part. There seems to be the first mobile phone banking micro payment trojan out in the wild according to Kaspersky Labs. The trojan targets a micro payment service that allows transfer of money and minutes between users of the service using SMS. Another interesting part of the story is that the trojan is just a modified version of an existing premium SMS trojan. Stories: 1 2.

I've just uploaded the latest version of my NFC/NDEF tools. This is the version that I presented at my talk at 25C3. I mainly added some parsers for the new NDEF records supported by the Nokia 6212 Classic. Also included are some bug fixes and a small fix to talk to the BtNfcAdapter running on the Nokia 6212. I further included some more attack samples and an updated version of my ndef_mifare reader/writer tool.

At 25C3 I had the chance to take a look at Motorola's L7 NFC phone that is used by Deutsche Bahn Touch and Travel. The phone is not a real NFC phone, Motorola just replaced the battery lid with a lid that also contains the NFC hardware (or maybe only the antenna). The only NFC functionality the phone supports is the Touch and Travel application. What is really bad is that the user first needs to start the application and then hold the phone up to the Touch Point. WTF? How is this going to be a good user experience? The Nokia phones constantly scan for NFC tags and start the appropriate application as soon as one holds the phone up to a tag.

Finally I have noticed that RMV ConTags are starting to appear all over the place out side Frankfurt/Main. Also they only seem to be placed at big stations like the Darmstadt main station (Hauptbahnhof) but not inside the city. As always I like to know about interesting new NFC services around Europe and especially Germany.

here is another nice Windows Mobile (HTC) security bug that is related to WAP push. The vulnerability can be triggered by sending vCards to port 9204/UDP over either WiFi or GPRS/UMTS. The effect seems to be significant device slow down and/or device freezing that requires battery removal. This again reminds me of my good all MMS Notification DoS attack.

The bug was discovered by the Mobile Security Lab (who ever this is). I hope we will see more interesting discoveries from them, they just seem to have setup their site in October.

first, I known I'm not the first one to write/warn about this so don't flame me for it.

I recently jailbroken my iPhone so I could take a closer look at the iPhone and it's OS. As most people I just used the PwnageTool from the iPhone Dev-Team. It is easy, fast and just works. So what most people forget is that the jailbroken iPhone OS comes with an ssh server and that the root and mobile users have their password set to alpine (mobile password is dottie). This basically means that everybody can log into every jailbroken iPhone as user root. When I jailbroke my iPhone I didn't change my password right away since I was too busy playing with the new features and I strongly believe that many other people never changed the password of their jailbroken iPhone.

Again the danger lies in public Wifi hotspots or any other situation where you share Wifi with people you don't know. A good example is the upcoming Chaos Communication Congress which has one of the most hostile (wireless) networks I know.

So what can happen if you leave your iPhone's password unchanged? That is what I cooked up the last few nights.

The Basics:

• Anyone can log into your iPhone as user root and/or mobile
• Anyone can copy files to and from your iPhone using scp

In further detail this means all your private data is gone, just like this:

SSH_PARAMS="-q -o NumberOfPasswordPrompts=1 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
scp $SSH_PARAMS root@$IP:/var/mobile/Library/AddressBook/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/SMS/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/Notes/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/Calendar/* /tmp/yourdata/

The code shown above simply copies your Addressbook, SMS, Notes, and Calendar from your iPhone using scp (secure copy - part of ssh). I know there is much more to steal like: photos, email, or vpn configuration. This attack is so simple everybody can do it without any special knowledge or tools.

Getting your personal data stolen can happen to you anywhere but there is another threat that is more likely at events like the Chaos Communication Congress, defcon, and any other conference with a high number of jailbroken iPhones: a worm.

A worm that simply spreads using ssh/scp and the default root/mobile password can be written in bash (which is installed on all jailbroken iPhones) in about 4 hours. The worm just (tries to) copies itself (a bash script) to every host on the local wifi network in the background. Background tasks can be easily setup using launchd. Just add a new task that runs the worm shell script every couple of minutes. This is no big deal for anyone with just basic understanding of ssh,scp,bash, and launchd/launchctl. I was able to do this in an evening mainly using Google to get the appropriate launchd plist syntax.

Don't get me wrong, I don't want to encourage anyone to do all this. I just show you how damn easy this is. So please change your root/mobile password on your jailbroken iPhone - or somebody else will do it for you.

Btw. if you are looking for the images that the iPhone takes about anything you do some of these are located here: /var/mobile/Library/Caches/Snapshots (of course this is not new either see here).

today I submitted the camera ready version of my paper Vulnerability Analysis and Attacks on NFC-enabled Mobile Phones to the Workshop on Sensor Security at ARES 2009. Finally a academic publication again. Done this now I'm official on Christmas vacation until 25C3.

Today we published a small security bug present in the iPhone OS until version 2.1. The bug is small but has big impact in the way that it can be used to call arbitrary phone numbers from visiting a website.

More details including a video (but not full-disclosure) can be found here (German only): www.sit.fraunhofer.de/pressedownloads/pressemitteilungen/iPhoneHack.jsp

We will do a full-disclosure as soon as the update is out and people had time to install it. Details will be available here.

NIST just released their Guidelines on Cell Phone and PDA Security here are some comments from my side.

Overall I think the document is quite good covering the field well. My main point of critic is the way they present their references. The document cites many news sites instead of the original publisher's site/document. Therefore some of the references are more or less useless since they don't provide the path to more detailed information. I not only write this because they quote theregister on my MMS vulnerability but also because of quoting zdnet on various other vulnerabilities rather than the original advisories. To make it clear I don't think the articles by these news sites are bad or wrong, I just think people reading NIST publications expect a little more detail.

This post in the XDA-Developers forum shows that Windows Mobile 6 on HTC devices is vulnerable to malicious WAP Push SI (Service Indication) and SL (Service Load) messages. An attacker can send a message containing a URL to an executable, the executable will be automatically downloaded and executed WITHOUT any user interaction. The problem is that HTC disabled the security settings for these kinds of WAPPush messages, normally a device should only accept these kinds of messages from trusted originators (e.g. your service provider - don't know if I want this either).

The fix to this problem is very easy as it just requires modification of a few keys in the mobile phones registry (yes Windows Mobile has a registry). (The steps to do this modification is described in the original advisory.)

The bug is kind of similar to one of the MMS-based bugs I discovered 2 years ago where the Windows Mobile devices would accept WAPPush messages over UDP (WiFi).

This WAPPush auto execute configuration bug is really bad since it would allow anybody to write a very simple worm that only needs to send WAPPush messages (SMSs) to spread. The victim device than downloads and executes the worm binary from the Internet.

They even made a demo video, also you don't see too much.

Some open questions from my side:

• Is it really only HTC devices?
• Is it only Windows Mobile 6?
• Does this work via WiFi (like my notiflood tool)?

Slientservices.de Author's website
The Advisory

Here are my slides for my BlackHat Japan talk Exploiting Symbian. This work was done as part of my research at Fraunhofer SIT. If you have any questions please contact me through my website at Fraunhofer SIT.

I just setup pptpd for my iPhone. Since I don't really trust all the application developers to think about my passwords and my privacy.

I know PPTP is not the best VPN solution but it works and was easy to setup.

@Joe du auch wolle?

Alex recently got a Mifare (RFID) ID spoofing device. Last weekend at the MRMCD111b we got to play with it. I'm looking forward to try it against some real targets.

so looks like I'm going to BlackHat Japan in October to talk about my latest project SymbianOS Exploitation. I'm really looking forward to it since I never been to Japan and BlackHat before.

BlackHat Japan speakers page

I finally came to post the official advisory Nokia 6131 NFC URI Spoofing and DoS Advisory to the usual mailing lists in order for this thing to get into the vulnerability archives.

slides for for BlackHat and DefCon 2008 are already available online.

Get them here and here

here are my NFC security tools this time for your Nokia 6131 NFC. The tool set consists out of: BtNfcAdapter (a simple NDEF reader/writer that is controllable via Bluetooth - basically turns your 6131 NFC into a lightweight tag reader/writer), BtNfcAdapterRaw (Mifare Classic raw reading version of BtNfcAdapter), and MfStt (the Mifare Sector Trailer tool, a very basic tag security checker).

All the tools are for educational purposes only! They are not stable! Especially take care when using the writing features of MfStt).

Feedback is welcome as always. I also accept dumps of cool NFC tags (only including a picture of that very tag).

I just uploaded the first version of my Python NDEF library.The library supports all types standardized by the NFC-Forum until now. I also implemented support for Nokia's Bluetooth Imaging tag and added a parser for the RMV ConTag.

I also uploaded some tag samples (dumps of the tag data). The dumps also include the Mifare sector trailers (if this is of interest for you).

Feedback is very welcome!

here are the slides for my talk Attacking NFC Mobile Phones that I gave at EUSecWest2008. The tools, libraries, examples and data dumps will be uploaded soon.

looks like I've been selected to give a talk at EUSecWest this year. The subject will be the security of NFC (Near Field Communication) mobile phones.

My friend Alech also seems to have a talk there. This should be some fun.

another bug I found in the software of the NAS-4220-B is that you can use telnet to login to the NAS-4220-B as root without being ask for as password. This is possible right after boot of the device. The problem seems to originate from the fact that the software puts together the filesystem in ram during boot. The actual bug is that telnetd is started before /etc/passwd is populated with a root account that has a password set.

[1] raidsonic nas4220 disk crypt key leak

Found while playing with my NAS-4220-B last Sunday. RaidSonic didn't answer my emails so here you go.

--- BEGIN ADVISORY ---

Manufacturer: RaidSonic (www.raidsonic.de)
Device:       NAS-4220-B
Firmware:     2.6.0-n(2007-10-11)
Device Type:  end user grade NAS box
OS:           Linux 2.6.15
Architecture: ARM 
Designed by:  Storm Semiconductor Inc (www.storlinksemi.com)


Problem: 
 Hard disk encryption key stored in plain on unencrypted partition.


Time line:
 Found: 09. March 2008
 Reported: 09. March 2008
 Disclosed: 16. March 2008 


Summary:
 The NAS-4220-B offers disk encryption through it's web interface. The key
 used for encrypting the disk(s) is stored on a unencrypted partition.
 Therefore one can extract the encryption key by removing the disk from
 the NAS and reading the value from the unencrypted partition. The key
 itself is stored in a file in plain (base64 encoded). Therefore the 
 NAS-4220 crypt disk support can not be considered secure.


Details:
 The NAS-4220-B can hold two SATA disks. Disk are encrypted through a 
 loop back device using AES128. The problem came to my attention when
 I could access the NAS after reboot without suppling the hard disk key.
 
 The key is stored in /system/.crypt, "/system" is a small configuration 
 partition on the same disk that holds the encrypted partition. The system
 partition is created by the system software running on the NAS-4220. The
 configuration partition of the second hard disk is not mounted by default
 but also contains the .crypt file holding the key for the encrypted 
 partition on the same disk.


 Accessing the key (key value is the example I used):
  $ cat /system/.crypt
  MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
 
  key in plain           key in base64
  12345678901234567890   MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=


 Base64 decode:
  #!/usr/bin/python
  from base64 import *
  print b64decode("MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=")


Reported by:
 Collin Mulliner 

--- END ADVISORY ---

raidsonic_nas4220_crypt_disk_key_leak_09Mar2008.txt

Some guys from Princeton found a way to defeat disk encryption systems by extracting the key from the memory of a computer/laptop. While this is not really new (other people did that before), their way is quite cool. They remove the RAM module from the computer and read it in a other computer in order to do this without loosing the content of the RAM module they freeze the RAM module and with freeze they really mean freeze.

Check out the demo video.



Their paper explains it in all details. Read it if you use disk encryption and feel safe.

[1] Cold Boot Attacks on Encryption Keys (paper, video, faq, ...)

Somebody or some group seems to have found a exploitable buffer overflow in the iPhone's baseband processor. The baseband processor is the subsystem of the phone that talks to the GSM network. The overflow seems to be in the SIM Toolkit manager.

The exploit lets one upload code into the baseband, so one could insert some application into your iPhones baseband. The this application would be mostly undetectable since the memory can not be read from the application processor.

Lets see what happens with this little thing...

Source:

From: steve 
To: gsm@lists.segfault.net
Subject: [gsm] JerrySIM -> Executing shellcode on the iPhone baseband

Hi,

JerrySIM leaked yesterday. It was posted here:
http://code.google.com/p/iphone-elite/wiki/JerrySim

The exploit code has been removed shortly after but google cached it
already :/ It's out.

The program exploits a bug in the SIM Toolkit manager (which is running
on the baseband) and thus enables the execution of shellcode directly
on the baseband.

This is good work.

This has the potential to turn the iPhone into a listening device.
It still requires a lot of work and I do not know if any of the iPhone
hackers is working on it. 

regards,

steve

[1] code.google.com/p/iphone-elite/wiki/JerrySim
[2] Exploit code from Google cache

here is a patch for Dnsmasq (the very popular DHCP server and DNS forwarder and cache) that will prevent DNS rebinding attacks against private networks (192.168,10.,...). The patch basically adds a filter to the forward resolver of Dnsmasq. The filter will basically drop all private IP addresses contained in answers. Of course this will not prevent a rebinding attack against other IP ranges like if your local network uses some public IP range. But since Dnsmasq is mainly used for home Cable/DSL routers (like the OpenWRT-based routers) this patch should offer sufficient protection.

dnsmasq_stopdnsrebind.patch (for dnsmasq 2.40)

To activate the DNS rebinding protection add --stop-dns-rebinding to the dnsmasq command line. I made it a command line option since dnsmasq is also used as a DNS cache on clients (e.g. Nokia N800) and you still want to be able to resolve local IP addresses.


Feedback is welcome!

Links

DNS rebinding
DNS rebinding (wikipedia)
DNS rebinding talk (by Dan Kaminsky)
Dns-wall
Dnsmasq
OpenWRT.org
0sec

Last week I moved my last computer to full disk encryption (FDE if you need an acronym). The last computer was my desktop/laptop therefore I thought it will be slightly more work since I wanted to have suspend to disk (aka. hibernation) - it turned out to be quite easy after all (see 1).

Previously I had setup my rented root server and my home server using a small hand build system you can ssh to in order to open the root partition and continue to boot the real system (see 2).

In the recent days I did some research on possible attacks against fully crypted computer systems. Basically there is only one attack (if we rule out a brute force attack against the encryption key) this is keylogging. Keylogging basically is trying to capture all key strokes in order to obtain the passphrase for the crypted disk. Keylogging can be be done in either soft- or hard-ware both have advantages and disadvantages for both the attacker and the victim (the owner of the crypted disk).

Hardware keyloggers basically are small devices that are plugged in between the computer and the keyboard. The device then just logs all key strokes that it sees. The big advantage (for the attacker) is that this is totally OS independent. The big disadvantage for attacker of course is that he needs physical access to the victims computer twice (once to install once to retrieve the logged data). Further the victim can more or less easily find a hardware key logger if he cares to look for one. Also there are PCI-card based keyloggers (see [3]) that are probably harder to find (the computer would need to be opened). There are also keyboards with build in keyloggers (see [4]) but I doubt that these are any good since most people would recognize if their keyboard has suddenly changed. Of course you could also open up the victims keyboard and place the keylogger there, but there is always a chance that you break the keyboard while doing this. The biggest disadvantage of hardware keyloggers is that these can't monitor remote login sessions which can also be used to decrypt and boot a computer, this is where software keyloggers come into play.

Software keyloggers come in two variants, the general kernel/driver based keylogger that just monitors all keyboards and terminal devices (e.g. a remote session) and the application based keylogger where a specific application is modified so that it logs some specific or all input (e.g. the decrypt command could be modified to log the passphrase). So software keyloggers have the advantage that they can log more data (local + remote sessions) but have the big disadvantage that the attacker needs system level access to the plain not encrypted part of the computer (e.g. the boot partition) in order to place the modified kernel or binaries. If the hardware is probably secured (e.g. not booting from external disk or cdrom) the software manipulation will take really long since the hard disk would need to be removed (or at least the PC would need to be opened). Also this might not be possible at all if the victim always boots the computer from an USB stick that he carries around with him at all times. In this case there wouldn't be a plain boot partition on the PC and therefore nothing to modify. If the victim still needs to type-in the crypto password a hardware keylogger could catch him.

Laptops seem special while searching for keyloggers I only found that laptops are harder to attack since they are relatively small and therefore don't have much space to hide a hardware keylogger. The only thing I found was a Mini-PCI card based keylogger (see [5]) but since most laptops have Mini-PCI wireless cards this looks quite strange? Of course you could always disassemble the laptop to add a keylogger but this also takes a lot of time and there is always the chance to break it. The best time to do this would be if you send your laptop in for repair.

PDAs I like my Palm Tungsten T5 because it supports complete filesystem encryption. Of course this encryption is not verifiable since the source is not open but at least it is a secure algorithm (AES).

Backups don't forget to encrypt your backups. Having a fully crypted PC and plain text backup is just stupid. Good backup software should support this. Otherwise PGP/GPG your ZIPs/tarballs/whatever.

I would say that keylogging is only feasible under certain conditions: the attacker is extremely knowledgeable and the victim is some how unaware. All other cases would involve a huge portion of luck for the attacker.

[1] good starting point for crypto suspend: howto completly encrypted harddisk including suspend to encrypted disk with ubuntu
[2] small howto on: build a crypted root server
[3] PCI-based keylogger
[4] Keyboard with built in keylogger
[5] Mini-PCI keylogger
[6] USB keylogger

Marko Rogge finally published his article on RexSpy (see my comments on RexSpy). Marko and I talked a lot about RexSpy in order to determine if a bug/attack like Hafner described is possible at all.

The article is available as Blog Entry and PDF

One actually funny part of the whole story is that after I published my comments on RexSpy I got tones of emails from various people of which some seem to hope that I know how it works. So folks tried to get more information from me (I didn't have any more information). One guy even had product ideas based on this technology. Just hilarious!

some time ago I setup a new root server for a new project of a friend and myself, this time I wanted to go full crypto. In the beginning I thought this might be a lot of work but as it turned out it is quite simple if you do some thinking.

There are many ways to do this, this is how I did it.

The setup works like this: the server boots into a minimal system starting only the SSH daemon. The you login and enter/upload the passphrase to unlock the disk(s). Finally you tell the system that you are done, after which you are kicked out and the system completes the boot by mouting the real root partition and executing init from there. At this point everything is as usual.

There are two basic parts in this setup: first building a good minimal system so you don't waste too much space and second build the init script for the minimal system.

The minimal system needs to contain stuff like: sshd, filesystem tools such as mkfs, fsck, fdisk, etc., cryptsetup, networking tools like ifconfig, route, ip, etc., mdadm (if you run raid), and of course all the required libraries. The easiest way to do this is using the recovery tool your hoster provides. Just setup a minimal system on one partition and strip it down before moving it to the boot partition.

The init script is quite simple, it needs to do three things: first, configure the network (ip address and route); second, start sshd; and third, start the actual system after the root partition has been unlocked. My script works as follows: after sshd has been started the script waits for a file to be created in the tmp directory. As soon as the file is created all ssh processes are killed, and the real system is booted.


Files:

file list of my minimal system
init script for minimal system (touch /tmp/READY_TO_BOOT after you unlocked the root partition)

Some notes:

You need to encrypt your swap otherwise this is useless!
If you upload a key to your minimal system only upload to key to a ram drive, never write it to disk. Otherwise all the work is useless!
Remember your key! Remember your key! Remember your key!

Todo:

Filesystem integrity check for the minimal system. This is a very hard task and I don't have a solution so far.

I just benchmarked Aircrack-ptw on my Nokia N800 (ARMv6 320Mhz) and it finished in 19 seconds. Sadly enough the wireless packet injection doesn't work on the N800/770. 19 Seconds is quite impressive.

Erik Tews with the help of two others published a new attack on WEP called: Breaking 104 bit WEP in less then 60 Seconds.

Like the older attacks on WEP this attack uses sniffed IVs in order to break/compute/crack the WEP key. The nice thing about this attack is that it only needs between 40.000 and 85.000 unique IVs (older attacks needed between 250.000 and 1.000.000 in order to succeed). This already reduces the overall attack time since one needs to capture less packages. But the attack also uses a new/other attack on RC4 which further improves the speed. The paper gives an average of 3 seconds on 1.7Ghz Pentium-M. The attack even works with 5000 keys.

Paper
Info and tool

here are the slides on RexSpy. They say nothing at all, I just post the link for completeness.

since I first heard about RexSpy in late February (I know it was announced in October 2006) I wanted to know how real it is and how it works.

RexSpy is supposed to be the ultimate mobile phone trojan that allows one to monitor (listen to) all calls of the infected device. Also the Wilfrid Hafner (the author) claims that it works on every single mobile phone.

The German Focus (a mainstream non technical magazine) interviewed Hafner and did a trial using a SymbianOS and WinCE based phone. They claim that he could listen to calls made with both phones. Other websites like Techworld.com quote him saying that this attack also works against a Siemens C45 (which is a very simple phone with out a fancy smart phone OS).

I myself connected Hafner to find out if he is willing to release real technical information to the public about his findings, but he refused saying that he sold the RexSpy Technology and therefore no longer could publish any material. This is very bad especially because Hafner's company is selling a protection kit against mobile phone tapping. This makes you wonder if this is just a marketing thing.

Since I'm not a student anymore I don't have too much spare time on my hands so I only did some basic research. The basic operation of RexSpy as claimed by Hafner is: the trojan is install via a SMS (a Service-SMS to be precise). The trojan itself creates a kind of back channel by calling home as soon as the infected phone has an incoming or outgoing call, thereby the attacker can listen to the call. But how does this work? First idea was: a bug/feature in the GSM module or SIM card (or SIM Toolkit). A bug is kind of unlikely to be present on all platforms. A monitoring feature would be documented by someone, so this is also unlikely.

I searched a little more and found the recording of Hafner's talk at Systems, in his talk he kind of gives it away (if you know what you have too look for). He says he only implemented it for Windows Mobile (WinCE / PocketPC). That is very interesting since he first claims the RexSpy is universal across all platforms. The thing that keep me thinking is the Service-SMS which others (including myself) call binary-SMS, since I used binary-SMS for my MMS attack. Here you basically tell the device where to download a MMS message. But as far as I remember there are other binary-SMS messages (or actually WAPPush messages that are send via binary-SMS) that tell a mobile phone to go and download a WAP/WEB page. The URL could of course also point to a application binary, which could be downloaded and executed without user interaction. So maybe Hafner just found a small back door in the WAPPush handler that allows silent application installation, and writing a phone monitor tool for Windows Mobile and SymbianOS shouldn't be hard at all. For monitoring one could use the simple feature like a conference call, this way the trojan application would be very simplistic and small.

I'm still not 100% sure how it works (especially because he claims that it works with a old Siemens C45) but analyzing the Windows Mobile RexSpy Killer provided by SecurStar should bring me a step further (I haven't done this yet). I'll keep working on this and keep you updated.


I would really love to hear some comments on this.

Links:
Zone-H
Techworld (Hafner's talk at Systems in German language)
SecurStar

I just uploaded the web page I made for HID Attack. It explains how it all works. Enjoy.

Finally I released my HID attack kit I build over a year ago, get it here. Thanks to Thierry for including it in his talk!

Story on Heise.

Gary McGraw's Silver Bullet Podcast is a real nice podcast on computer security. If you are a security person check it out!

The Reliable Software Group (RSG) the lab I used to work for at UCSB finally put up the new website including all my Smart Phone Security research. I also put up my Master's Thesis titled Security of Smart Phones.

I also updated my Mobile Security Research website.

I'm going to do my 0wnd by an MMS talk at 23c3. The talk is more or less a redo from defcon-14, but I will try to fix it up a little. This will be my first talk at a Chaos Communication Congress and I'm already looking forward to it.

my second scientific paper, this time at ACSAC. The topic is MMS again - actually the paper was done before DEFCON. For more infos see details for Session 2. The paper is the last one in the session.

PS: I also applied to 23c3 with the same topic aka the DEFCON talk.

I'll be giving a talk at this years defcon (#14). My talk will be on Advanced Attacks Against PocketPC Phones and I will show some neat new stuff for/against PocketPC phones.

I've added greylisting to the list of spam countermeasures for our server project. It works surprisingly well and the amount of spam arriving at my inbox is reduced by a ratio of 20:1. While this is good there are of course downsides of greylisting such as an artificial delay for delivery of valid or good email. Also auto whitelisting should take care of regular contacts. Anyway I'm really interested in how many of our users will see the change in amount of spam vs. delivery delay, and if anyone of them will demand permanent whitelisting :-)

My (with others) first scientific paper: Using Labeling to Prevent Cross-Service Attacks Against Smart Phones

just put up my mobile security research page. It will basically be a annotated link collection, since my stuff will mostly be PocketPC Security and I have a separate section for this. Feel free to send me additions and/or corrections.

Pierre Betouin wrote this nice little L2CAP fuzzer based on my psm_scan (l2cap port scanner). He also already discovered bugs in several phones with it.

The tool can be found at: www.secuobs.com

nice work!

mh57 just pointed me to a Spiegel Online article about Bluetooth advertising or BlueSpam as I like to call it. Its about a German company which uses Bluetooth to beef up their billboards in Berlin. Apparently they just push images, videos, text ads and coupons to any Bluetooth device in range. This is annoying but you can of course just ignore/reject the transmission or turn of visibility. The actual security/privacy problem is that people maybe get used to accept connections from certain senders e.g. BlueSpam (of course you wouldn't name your system BlueSpam). So what keeps me from standing next to one of the billboards naming my laptop BlueSpam and instead of sending a coupon I send hello.jpg. And since some phones still don't show what the Bluetooth connection is for I just pull their phonebook etc., the user will just see Allow connection from BlueSpam? Sure I want that coupon.

This is not a good idea!

Btw. the company doing this stuff is: Wall AG

on Friday Dec. 09. another UCSB iCTF took place once again. As always I was just helping out (the main work is done by others Greg,Vika and Marco) writing services, placing backdoors and doing what ever is needed. Every time the event gets bigger and bigger, this time there were 22 teams with about 20 players each plus 2-5 admins for each team and about 10+ people at UCSB organizing - this is about 500 people!

In the last years teams from Italy dominated the CTF, but not this time! The winners are all German speaking #1 Aachen, #2 Vienna and #3 Darmstadt. The full scoreboard with all teams is here.

This was really fun, even for just watching the teams fighting each other :-)

I all ways wanted to go crypto for my data storage but until now I never owned any big storage device. Now I have an external 250 gig USB disk which I want to secure.

The thing with crypted disk all ways comes down to where can I read the disk? Only on my computer, only with one specific OS, etc. For me it's basically Linux and from time to time Windows. The two solutions I found where BestCrypt which is commercial (at least for Windows) and dm_crypt/FreeOTFE which is free and has much more features.

I ended up using dm_crypt/FreeOTFE.

dm_crypt is the Linux part of the crypto solution and is in part of Linux Kernel since 2.6.4. With cryptsetup its super simple to setup. You can setup a partition or a file based crypto device. The device then can be formated with whatever filesystem you want. Of course you need one which is readable by Windows (e.g. vfat/fat32).

FreeOTFE is the Windows counterpart of dm_crypt and can mount whatever you created with dm_crypt. I guess multi-disk volumes don't work but I haven't tryed it. When mounting a filesystem use mount Linux... otherwise it doesn't work :)

For the external USB disk I have two partitions, one small partition which is not encrypted - this holds the Windows drivers (FreeOTFE), the second partition is the crypto filesystem. With this you can also take your disk to a friend without downloading drivers and stuff from the net. All in all a nice solution.

MobileBugtraq is a new bugtracking maillinglist dedicated to mobile device technology. The list is super new, so not many posts by now. I actually only saw two sofar and I couldn't find an archieve.

Anyway everybody who is into mobile and security (like myself) should check it out.

while doing some web research on PDA/phone security I found this company Paraben which sells special seizure equipment for PDAs and phones. They really sell a lot of crazy stuff. I especially like the StrongHold Tent (the image on the left).

today (at/for 21C3) Martin and I released our Bluetooth fingerprinting tool BluePrint.

It is a really nice and simple Perl script and just reads the output of sdptool (BlueZ). Please also check the Bluetooth Device Security Database.

I just started learning how to write exploits utilizing buffer overflows. It is a real fun thing to do and the best part of all: it is a part of a homework for university :-) Now I know why many people write exploits it is a nice way to get around a rainy weekend day.