Finally I have time to write a new blog post again. The last couple of weeks have been super busy for me. I had to finish a project, prepare a talk about it, and give a bunch of talks at various places in July and August.
T2 Helsinki, Finland. LTE (in) Security Ravishankar Borgaonkar & Altaf Shaik.
BalcCon Novi Sad, Vojvodina, Serbia. Private communications with mobile phones in the post-Snowden world, the _open_source_ way by Bojan Smiljanic.
APPSEC USA San Francisco, CA. QARK: Android App Exploit and SCA Tool by Tushar Dalvi and Tony Trummer. SecureMe - Droid' Android Security Application by Vishal Asthana and Abhineet Jayaraj. OWASP Reverse Engineering and Code Modification Prevention Project (Mobile) by Jonathan Carter. ShadowOS: Modifying the Android OS for Mobile Application Testing by Ray Kelly.
GrrCon Grand Rapids, MI. Phones and Privacy for Consumers by Matthew and David
I recently bought an Apple Watch. The primary reason was fun. Also since I switched to Two-Factor Authentication (2FA) for all my private infrastructure and all my web accounts that support it I though it would make life easier. I use Duo 2FA for my own stuff and they have a Watch app which is pretty convenient. Before I owned the first pebble watch. I liked that a lot even tho I had a lot of issues with the Bluetooth connection between the pebble and my Nexus 5. Sometimes it worked great and sometimes it just didn't work at all. I also got a LG G Watch R (W110) (Android Wear) but I didn't really use it. It was much too big for my wrist. Also the round display was kinda strange. Some of the apps seem to not be designed for it and cut off parts of the information that should be displayed. I also found the interface to be confusing, but this might be due to my very very short trial run of the watch. Between the pebble and the LG Watch I also had a Toq but the Toq had many issues besides its size so I never really used it. I tried to wear it like once.
Anyway the only reason I write about smartwatches is because I really like the Duo 2FA watch app. This makes 2FA much much easier and user friendly. I known I'm not the first to write about smartwatches or wearables in the security context but the user friendliness could really make a difference. Also a watch is harder to loose then a token (if you still use one of those).
I guess I don't have to say much about the Stagefright series of Android security vulnerabilities. The vulnerabilities are present in Android's media format handling library (named stagefright). Several factors make this bugs interesting. First, every Android version after 2.2 was vulnerable (at the time of discovery) that was around 95% of all devices. Second, the bug can be remotely triggered via MMS. Yes MMS once again provides the ultimate attack vector against smartphones. Who would have known? ;-)Links
The bug was patched relatively fast by Google since Joshua provided patches. Google started shipping OTA updates for their Nexus devices relatively fast. Still most Android devices will not get patched or will receive their patches super late (and thus users will not be protected in a timely fashion). The reason for this is mostly the mobile ecosystem which is largely not suited for fast patch deployment. I provided some comments about this issue on NPR in late July.
While patches/updates were rolled out Jordan from Exodus found that the patches are not complete and contain more vulnerabilities in the exact code that was fixed in the update. His blog post describing the issue is here.
The only way to protect yourself is to update your device to firmware version that does not contain the vulnerability. If you are one of the many people who own phones that did not yet receive an update your only chance is to disable MMS auto-download. This will not kill the bug since you can still be attacked using other vectors (e.g. download and play a .mp4 file) but disabling MMS auto-download will at at least remove the automatic remote exploitation problem. A step by step way to disable MMS auto-download for various MMS clients is provided by Lookout here.
Demo video is: here.
Joshua's Black Hat slides are: here
Android detector app is: here
There is even a wikipedia page for Stagefright_(bug)
StageFright, Telegram Stage-Left & WhatsApp Stage-Right
disarm - Quick & (very) dirty command line instruction lookup for ARM64
JEB Plugin for decrypt DexGuard encrypted Strings.
Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)
Fuzzing utility which enables sending arbitrary SCMs to TrustZone
Full TrustZone exploit for MSM8974
Android Security Toolkit
First public Android Security Bulletin
Locker: an Android ransomware full of surprises
Remote Exploitation of an Unaltered Passenger Vehicle (white paper) I link this because the cars were sitting on cellular networks with OPEN ports that allowed to issue D-Bus commands to activate the wipers or change volume on the radio. CRAZINESS
Exploring Qualcomm's TrustZone implementation
HTC "zerodays" from our Defcon workshop
Qualcomm LPE vuln from our #defcon workshop
Black Hat slides are online now
New acquisition method based on firmware update protocols for Android smartphones
Boxify: Full-fledged App Sandboxing for Stock Android
Android Market Downloaders
ONE CLASS TO RULE THEM ALL 0-DAY DESERIALIZATION VULNERABILITIES IN ANDROID (paper)
Universal Android rooting (slides Black Hat USA 2015)
Faux Disk Encryption - Realities of Secure Storage on Mobile Devices slides (Black Hat 2015)
Koodous collaborative platform for Android malware analysts
Windows Phone PIN cracking
Hardening Android's Bionic libc
How to use old GSM protocols/encodings to know if a user is Online on the GSM Network AKA PingSMS 2.0
imgtool quick tool to unpack Android images
Android M: A Security Research Perspective (Part 1)
SnooperStopper: Automatically prompts you to change FDE password if lockscreen PIN/password is changed (needs root) Android App
HackingTeam's Android Exploit < nice review by Tencent Sec Response Center.
PGP on Android using GPG applet on Yubikey, via NFC. Useful to PGP while mobile without storing priv key on dev.
Android Vulnerability that Can Lead to Exposure of Device Memory Content
dexposed enable 'god' mode for single android application (fork of exposed)
Xposed for lollipop (5.0) now allows hooking native methods, also arm64 and x86
A Program Analysis Toolkit for Android
Could it be true that Android 5.1.1_r5 enables both dm-verity *and* HW accelerated FDE? Great success if so.
Password storage in Android M
lecture: Advanced interconnect attacks Chasing GRX and SS7 vulns