<?xml version="1.0"?>
<!-- name="generator" content="blosxom/2.0" -->
<!DOCTYPE rss PUBLIC "-//Netscape Communications//DTD RSS 0.91//EN" "http://my.netscape.com/publish/formats/rss-0.91.dtd">

<rss version="0.91">
  <channel>
    <title>Collin R. Mulliner   </title>
    <link>http://www.mulliner.org/blog/blosxom.cgi</link>
    <description>...stuff I do and things I like... </description>
    <language>en</language>

  <item>
 <title>Countering SMS/mTAN Trojans</title>
 <pubDate>Wed, 08 May 2013 20:58:00 GMT</pubDate>
 <link>http://www.mulliner.org/blog/blosxom.cgi/2013/05/08#smsotppaper</link>
 <description>
Together with my former colleagues Ravi, Patrick, Jean-Pierre from
TU Berlin / &lt;a href=&quot;http://sec.t-labs.tu-berlin.de&quot;&gt;SecT&lt;/a&gt; I have
been working on an enhancement for mobile phones in order
to protect SMS messages, especially &lt;a href=&quot;http://en.wikipedia.org/wiki/Transaction_authentication_number#Mobile_TAN_.28mTAN.29&quot;&gt;mTANs&lt;/a&gt;, against trojans.
&lt;br&gt;&lt;br&gt;
We investigated several ways to improve mTAN security and finally
came to the conclusion that we just need to change the SMS routing
on the mobile phone itself.&lt;br&gt;&lt;br&gt; &lt;b&gt;Basically we remove SMS messages
that contain mTANs from the normal delivery queue and only deliver them
to a special application. This way no other program (including trojans) 
can access the SMS message.&lt;/b&gt;
&lt;br&gt;&lt;br&gt;
We implemented and tested our idea on Android. The paper &lt;a href=&quot;https://www.mulliner.org/collin/academic/publications/mulliner_dimva2013.pdf&quot;&gt;SMS-based One-Time Passwords: Attacks and Defense&lt;/a&gt; will be presented at &lt;a href=&quot;http://dimva.sec.t-labs.tu-berlin.de/&quot;&gt;DIMVA 2013&lt;/a&gt; in July in Berlin, Germany.
&lt;br&gt;&lt;br&gt;
A demo video of the prototype is shown below:&lt;br&gt;
&lt;iframe width=&quot;560&quot; height=&quot;315&quot; src=&quot;http://www.youtube.com/embed/SF2HoK0D3_4&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;</description>
 </item>
  <item>
 <title>Mobile Security News Update May 2013</title>
 <pubDate>Tue, 07 May 2013 19:11:00 GMT</pubDate>
 <link>http://www.mulliner.org/blog/blosxom.cgi/2013/05/07#mobile_security_update_may2013</link>
 <description>
Conferences
&lt;ul&gt;
&lt;a href=&quot;http://www.nosuchcon.org/&quot;&gt;NoSuchCon&lt;/a&gt; finally released their agenda. They have an interesting lineup but no mobile talk.&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://www.sourceconference.com/dublin/speakers_2013.html&quot;&gt;SourceDublin&lt;/a&gt; Android application reverse engineering &amp; defenses by Patrick Schulz &amp; Felix Matenaar.&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://www.summercon.org/schedule.html&quot;&gt;SummerCon&lt;/a&gt; has posted its schedule. I'll present some work I've done on Dynamic Dalvik Instrumentation.&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://www.recon.cx/&quot;&gt;REcon&lt;/a&gt; has started to post talks. Reversing HLR, HSS and SPR: rooting the heart of the Network and Mobile cores from Huawei to Ericsson by Philippe Langlois. Reversing and Auditing Android's Proprietary Bits by Joshua J. Drake.
&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://shakacon.org/&quot;&gt;Shakacon&lt;/a&gt; Deviant Ollam - Android Phones Can Do That?!? Custom Tweaking for Power Security Users. Max Sobell - Android 4.0: Ice Cream &quot;Sudo Make Me a&quot; Sandwich. Andreas Kutz - Pentesting iOS Apps - Runtime Analysis &amp; Manipulation. 
&lt;/ul&gt;
&lt;br&gt;
Some interesting upcoming talks! I guess everybody else and their moms are waiting to hear back from the Black Hat USA CfP.&lt;br&gt;
&lt;br&gt;
&lt;br&gt;
&lt;a href=&quot;http://syscan.org/index.php/sg/&quot;&gt;SyScan'13&lt;/a&gt; review
&lt;ul&gt;
SyScan was a totally awesome event. Really good talks and lots of them.
My favorite talk was: Bochspwn: Exploiting Kernel Race Conditions Found via Memory Access Patterns by Mateusz Jurczyk and Gynvael Coldwind. 
&lt;/ul&gt;
&lt;br&gt;
&lt;br&gt;
News
&lt;ul&gt;
&lt;a href=&quot;http://www.aclu.org/blog/technology-and-liberty/aclu-files-ftc-complaint-over-android-smartphone-security&quot;&gt;ACLU Files FTC Complaint Over Android Smartphone Security&lt;/a&gt; this story is a little older already but insecurity of old Android devices is a pressing issue.
&lt;/ul&gt;
&lt;br&gt;&lt;br&gt;
Links
&lt;ul&gt;
&lt;a href=&quot;http://vrt-blog.snort.org/2013/04/changing-imei-provider-model-and-phone.html&quot;&gt;Changing the IMEI, Provider, Model, and Phone Number in the Android emulator&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;A href=&quot;https://blog.fortinet.com/Finding-Similarities-and-Differences-at-DEX-Level/&quot;&gt;Finding Similarities and Differences at DEX Level&lt;/a&gt;
&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://tinytocs.org/vol2/papers/tinytocs2-lange.pdf&quot;&gt;Securing Two-factor Authentication for Smartphones in a Usable Way by Adding a Connected Token&lt;/a&gt;
Two-factor authentication for smartphones is easy to break and can be secured by using a smart watch which acts as a connected token.
Matthias Lange (Technische Universität Berlin)&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://tinytocs.org/vol2/papers/tinytocs2-tang.pdf&quot;&gt;Android Apps: What are they doing with your precious Internet?&lt;/a&gt;
The majority of Android apps are not malicious, but use internet access in ways that are not compatible with the user's interests.
Amy Tang (University of California Berkeley), Ashwin Rao (INRIA), Justine Sherry (University of California Berkeley), Dave Choffnes (University of Washington)
&lt;/ul&gt;
</description>
 </item>
  <item>
 <title>Mobile Security News Update April 2013</title>
 <pubDate>Thu, 11 Apr 2013 23:50:00 GMT</pubDate>
 <link>http://www.mulliner.org/blog/blosxom.cgi/2013/04/11#mobile_security_update_april2013</link>
 <description>
Conferences:
&lt;ul&gt;
&lt;a href=&quot;http://www.hackcon.org/&quot;&gt;HackCon&lt;/a&gt; No.8 10-11 April in Oslo Norway. First time I hear about this conference. Mobile talks: Leveraging Mobile Devices on Penetration Tests and Want to control smart phones?&lt;br&gt;&lt;br&gt;
&lt;/ul&gt;

Call for Papers:
&lt;ul&gt;
&lt;A href=&quot;http://www.wisa.or.kr/&quot;&gt;The 14th International Workshop on Information Security Applications (WISA2013)&lt;/a&gt; an academic workshop but they seek more practical papers comparable with Usenix WOOT.&lt;br&gt;&lt;br&gt;
&lt;/ul&gt;

News:
&lt;ul&gt;
&lt;a href=&quot;http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html&quot;&gt;Unlocking the Motorola Bootloader&lt;/a&gt; (Android phones) by Dan Rosenberg. A real nice read. Most interesting part is that
the unlock is via attacking a vulnerability in code running in TrustZone.
&lt;br&gt;&lt;br&gt;
&lt;/ul&gt;
&lt;br&gt;&lt;br&gt;

I have been super busy with work so I might have missed a few things here and there. Right now I'm waiting
to hear back from SummerCon and Black Hat USA about talks I submitted. I'm still thinking about submitting to ReCON ;)</description>
 </item>
  <item>
 <title>Mobile Security News Update March 2013 part 2</title>
 <pubDate>Thu, 14 Mar 2013 22:40:00 GMT</pubDate>
 <link>http://www.mulliner.org/blog/blosxom.cgi/2013/03/14#mobile_security_update_March_13_2</link>
 <description>
CanSecWest was pretty good this year. My favorite talks were (no order):
Desktop Insecurity - Ilja van Sprundel &amp; Shane &quot;K2&quot; Macaulay, Smart TV Security - SeungJin Lee, Godel's Gourd - Fuzzing for Logic Issues - Mike &quot;dd&quot; Eddington, and Reflecting on Reflection - Exploiting Reflection Vulnerabilities in
Managed Languages - James Forshaw. I can't wait to get the slides.
&lt;br&gt;&lt;br&gt;

Call for Papers:
&lt;ul&gt;
&lt;A href=&quot;https://www.usenix.org/conference/woot13/call-for-papers&quot;&gt;Workshop on Offensive Technologies (WOOT)&lt;/a&gt; August, Washington D.C., academic but targeting people who would normally speak at Black Hat/CanSecWest/etc.
&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://www.summercon.org/cfp.html&quot;&gt;SummerCon&lt;/a&gt; in June, New York City
&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://masshackers.pbworks.com/w/page/61663884/BeaCon&quot;&gt;BeaCon&lt;/a&gt; local mini con in Boston
&lt;/ul&gt;
&lt;br&gt;

I totally missed Black Hat Europe, it had some interesting talks: The M2M Risk Assessment Guide, A Cyber Fast Track Project - Don A. Bailey, Practical Attacks Against MDM Solutions - Daniel Brodie + Michael Shaulov, Off Grid Communications With Android- Meshing The Mobile World - Josh Thomas + Jeff Robble, Next Generation Mobile Rootkits - Thomas Roth. &lt;br&gt;
&lt;br&gt;

An interesting looking paper from TROOPERS13 &lt;a href=&quot;https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf&quot;&gt;UI Redressing Attacks on Android Devices&lt;/a&gt; (apparently it was released at Black Hat Abu Dhabi last year).
&lt;br&gt;&lt;br&gt;
News
&lt;ul&gt;
&lt;a href=&quot;http://www.theverge.com/2013/3/13/4099450/andy-rubin-steps-down-as-head-of-android&quot;&gt;Andy Rubin steps down as head of Android&lt;/a&gt; ...interesting.
&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://permalink.gmane.org/gmane.comp.security.full-disclosure/88743&quot;&gt;A few android security issues&lt;/a&gt; ... worth reading!
&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;https://www.facebook.com/notes/facebook-engineering/under-the-hood-dalvik-patch-for-facebook-for-android/10151345597798920&quot;&gt;Under the Hood: Dalvik patch for Facebook for Android&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;/ul&gt;

Fun find by my former co-worker Matthias: &lt;a href=&quot;https://twitter.com/budvisor/status/310278100598534144&quot;&gt;Lost connection to Battery&lt;/a&gt; ... WTF!?!</description>
 </item>
  <item>
 <title>Mobile Security Update March 2013</title>
 <pubDate>Mon, 04 Mar 2013 17:14:00 GMT</pubDate>
 <link>http://www.mulliner.org/blog/blosxom.cgi/2013/03/04#mobile_security_update_March2013</link>
 <description>
Review RSA
&lt;ul&gt;
Last week I attended the RSA Conference for the first time ever. I always
had the impression that it is not worth going but this year I went anyway.
The plan was to just hang around at the various side events that take place
during RSAC. Meeting with people etc. That part is totally worth it
if you can spend the day doing actual work. I ended up going to the conference
to speak on the &lt;a href=&quot;https://ae.rsaconference.com/US13/connect/sessionDetail.ww?SESSION_ID=1982&quot;&gt;Mobile Security Battle Royale&lt;/a&gt; panel (as a replacement for Jon Oberheide). So I got a conference pass and could check out the actual
conference and expo. The expo was pretty standard if you are used to attending
events like CeBIT or maybe CES. Just smaller and security companies only. 
I didn't have the chance to attend other talks besides &lt;i&gt;Big Brother's Greek Tragedy State-Deployed Malware &amp; Trojans&lt;/i&gt; so I can't really make my mind up 
if it is worth the money or not.
&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://www.scmagazine.com/rsa-2013-ios-safer-than-android-due-to-open-app-model-patching-delays/article/282697/&quot;&gt;SC Magazine&lt;/a&gt; wrote an article
about the panel I spoke on. Here are some comments: &lt;i&gt;Android certainly does
support remote updates. But the problem really is that manufacturers and
mobile carriers stop supporting devices after 12-18 months.&lt;/i&gt;
&lt;/ul&gt;
&lt;br&gt;

Conferences
&lt;ul&gt;
&lt;a href=&quot;http://www.immunityinc.com/infiltrate/speakers.html&quot;&gt;Infiltrate&lt;/a&gt; posted a few more talks. The one I'm really interested in is: Josh &quot;m0nk&quot; Thomas - 
NAND-Xplore -&gt; Bad Blocks = Well Hidden.
&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;https://www.troopers.de/agenda13/index.html&quot;&gt;Troopers&lt;/a&gt; in Heidelberg Germany (March). They have a few interesting talks: UI Redressing Attacks on Android Devices by Marcus Niemietz, Malicious Pixels: QR-Codes as attack vectors by Peter Kieseberg, Corporate Espionage via Mobile Compromise: A Technical Deep Dive by David Weinstein and a few other non mobile talks that look really interesting.
&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://conference.hitb.org/hitbsecconf2013ams/&quot;&gt;Hack in the Box Amsterdam&lt;/a&gt; LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements, SMS To Meterpreter: Fuzzing USB Internet Modems. I really need to go to HITB some day.
&lt;/ul&gt;
&lt;br&gt;

New Conferences
&lt;ul&gt;
&lt;a href=&quot;http://www.nosuchcon.org/&quot;&gt;NSC - NoSuchCon&lt;/a&gt; is a new conference
held in May in Paris, France. The organizers seek strong (only) technical 
content.
&lt;/ul&gt;
&lt;br&gt;

News
&lt;ul&gt;
&lt;a href=&quot;http://www.nytimes.com/2013/02/23/business/htc-settles-ftc-charges-over-security-flaws-in-devices.html&quot;&gt;HTC Settles Privacy Case Over Flaws in Phones&lt;/a&gt; Interesting read, quote: &lt;i&gt;The Federal Trade Commission charged HTC with customizing the software on its Android- and Windows-based phones in ways that let third-party applications install software that could steal personal information, surreptitiously send text messages or enable the device's microphone to record the user's phone calls.&lt;/i&gt;
&lt;/ul&gt;
&lt;br&gt;
Personal note:
&lt;ul&gt;
Wiley announced our book &lt;a href=&quot;http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html&quot;&gt;Android Hacker's Handbook&lt;/a&gt;
&lt;/ul&gt;</description>
 </item>
  <item>
 <title>Mobile Security News Update February 2013</title>
 <pubDate>Thu, 31 Jan 2013 17:46:00 GMT</pubDate>
 <link>http://www.mulliner.org/blog/blosxom.cgi/2013/01/31#mobile_security_update_Feb2013</link>
 <description>
Conferences:
&lt;ul&gt;
&lt;a href=&quot;http://cansecwest.com/&quot;&gt;CanSecWest&lt;/a&gt; coming up in March has started posting talks: Doug DePerry @dugdep &amp; Tom Ritter @TomRittervg - CDMA Femtocell Traffic Interception and Remote Mobile Phone Cloning, Rahul Sasi @fb1h2s - SMS to Meterpreter, Fuzzing USB Modems, Stefan Esser @i0n1c will be talking about iOS, Joshua J. Drake @jduck1337i - Tackling the Android Challenge. In addition to mobile security there is another super interesting talk about embedded system security: @beist will be talking about Samsung SmartTVs.&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://syscan.org/index.php/sg/speakerlist&quot;&gt;SyScan&lt;/a&gt; Singapore is coming up in April and also posted talks. There are not too many mobile talks but all talks sound pretty good. Stefan Esser ( @i0n1c ) - Mountain Lion / iOS Vulnerability Garage Sale. I will also show some stuff I've been working on in the past month during a lightning talk, all brand new!
&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://www.sourceconference.com/boston/speakers_2013.html&quot;&gt;SourceBoston&lt;/a&gt; also in April: Protecting sensitive information on iOS devices David Schuetz, Attacking NFC Mobile Wallets: Where Trust Breaks Down Max Sobell. 
&lt;br&gt;&lt;bR&gt;
&lt;a href=&quot;http://infiltratecon.com/speakers.html&quot;&gt;Infiltrate&lt;/a&gt; Matias Soler - 
The Chameleon: A cellphone-based USB impersonator, Stephen Lawler &amp; Stephen Ridley - Advanced Exploitation of Mobile/Embedded Devices: The ARM Microprocessor.
&lt;/ul&gt;
&lt;br&gt;
News:
&lt;ul&gt;
&lt;a href=&quot;http://www.osnews.com/story/26734/The_end_of_the_line_for_Symbian&quot;&gt;The end of the line for Symbian&lt;/a&gt; is kinda sad. Although I wasn't a big Symbian fan, Symbian was still pretty cool as a mobile OS. I had fun hacking it.
&lt;br&gt;&lt;br&gt;
&lt;a href=&quot;http://www.infoworld.com/d/security/android-botnet-abuses-peoples-phones-sms-spam-209415&quot;&gt;Android botnet abuses people's phones for SMS spam&lt;/a&gt; this is just too funny. I kinda had that on my slides for a couple of years already.
&lt;/ul&gt;
&lt;br&gt;&lt;br&gt;
Personal notes: I'm going to be in San Francisco during RSA, ping me if you want to chat. I'm also going to be at CanSecWest, just attending this year. Further I'm going to SyScan. I also plan to be around SourceBoston but unfortunately not attending (ticket prices vs. university etc, I'm not complaining). 
</description>
 </item>
  <item>
 <title>Mobile Security News Update January 2013</title>
 <pubDate>Fri, 04 Jan 2013 15:45:00 GMT</pubDate>
 <link>http://www.mulliner.org/blog/blosxom.cgi/2013/01/04#mobile_security_update_Jan_2013</link>
 <description>
Conferences:
&lt;ul&gt;
&lt;a href=&quot;http://www.shmoocon.org/schedule&quot;&gt;Shmoocon 2013&lt;/a&gt; has posted their schedule. Mobile talks are: Armor for your Android Apps by Roman Faynberg, Protecting Sensitive Information on iOS Devices by David Schuetz, Apple iOS Certificate Tomfoolery by Tim Medin.
&lt;/ul&gt;

All other upcoming conferences (SyScan, CanSecWest, SourceBoston, Infiltrate) haven't posted any talks yet.
&lt;br&gt;&lt;br&gt;

My 29c3 conference review. The new location CCH in Hamburg is really nice. There is a lot of space and the space was used very well. Due to the space the conference was much more relaxed. This also counted for the talks. Most of the time everybody had a place to sit. One small downside of this year's conference was the schedule; sometimes three tech talks were running in parallel in different rooms. But all together I don't think anybody could complain about 29c3. For me personally one of the best congresses I ever attended. The recordings of the talks can be downloaded from &lt;a href=&quot;http://events.ccc.de/congress/2012/wiki/Documentation#Official_mirrors&quot;&gt;here&lt;/a&gt;.
&lt;br&gt;&lt;br&gt;
Happy New Year.</description>
 </item>
  </channel>
</rss>