Tuesday, February 02 2010
Saturday, September 01 2007
SecurStar did it again: in 2006 there was RexSpy, and in 2010 we have this mobile phone crypto comparison. But the knowledgeable community is big enough to
identify and point out this kind of advertising/scam fast enough.
Conferences: the only interesting talk I found is iPhone Privacy by Nicolas Seriot at Black Hat DC this week.
In other news, I still need a Nexus One. It is still not available to buy outside of the US. *ARG*
Updated (Feb 2nd):
Friday, March 16 2007
Marko Rogge finally published his article on RexSpy (see my comments on RexSpy).
Marko and I talked a lot about RexSpy in order to determine if a bug/attack like the one Hafner described is possible at all.
The article is available as a Blog Entry and as a PDF.
One actually funny part of the whole story is that after I published my comments on RexSpy I got tons of emails from various people, some of whom seemed to hope that I know
how it works. So folks tried to get more information from me (I didn't have any more information). One guy even had product ideas based on this technology.
Thursday, March 15 2007
Here are the slides on RexSpy. They say nothing at all; I just post the link for completeness.
Since I first heard about RexSpy in late February (I know it was
announced in October 2006), I have wanted to know how real it is and how it works.
RexSpy is supposed to be the ultimate mobile phone trojan that allows one to monitor (listen to) all calls of the
infected device. Also, Wilfrid Hafner (the author) claims that it works on every single mobile phone.
The German Focus (a mainstream, non-technical
magazine) interviewed Hafner and did a trial using a SymbianOS and a WinCE based phone. They claim that he could listen to
calls made with both phones. Other websites like Techworld.com quote him saying that this attack also works against a Siemens C45 (which is a very simple phone without a fancy smart phone OS).
I myself contacted Hafner to find out if he is willing to release real technical information to the public about his findings,
but he refused, saying that he sold the RexSpy technology and therefore could no longer publish any material. This is especially bad
because Hafner's company is selling a protection kit against mobile phone tapping. This makes you wonder if this
is just a marketing thing.
Since I'm not a student anymore I don't have too much spare time on my hands, so I only did some basic research. The basic
operation of RexSpy as claimed by Hafner is: the trojan is installed via an SMS (a Service-SMS to be precise). The trojan
itself creates a kind of back channel by calling home as soon as the infected phone has an incoming or outgoing call, so that
the attacker can listen to the call. But how does this work? My first idea was: a bug/feature in the GSM module or SIM card
(or SIM Toolkit). A bug is unlikely to be present on all platforms. A monitoring feature would have been documented
by someone, so this is also unlikely.
I searched a little more and found the recording of Hafner's talk at Systems. In his
talk he kind of gives it away (if you know what you have to look for). He says he only implemented it for Windows Mobile
(WinCE / PocketPC). That is very interesting, since he first claims that RexSpy is universal across all platforms. The thing
that keeps me thinking is the Service-SMS, which others (including myself) call binary-SMS; I used
binary-SMS for my MMS attack, where you basically tell the device where to download an MMS message from. But
as far as I remember there are other binary-SMS messages (or actually WAPPush messages that are sent via binary-SMS) that
tell a mobile phone to go and download a WAP/WEB page. The URL could of course also point to an application binary, which
could be downloaded and executed without user interaction.
So maybe Hafner just found a small back door in the WAPPush handler that allows silent application installation, and
writing a phone monitor tool for Windows Mobile and SymbianOS shouldn't be hard at all. For monitoring one could
use a simple feature like a conference call; this way the trojan application would be very simplistic and small.
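To make the binary-SMS / WAPPush part concrete from the receiving side, here is an added example (written for this page, not code from the original post or from SecurStar) that triages one SMS user-data field: it reads the User Data Header for the application port addressing element, checks for the WAP push port, decodes the WSP Push PDU's Content-Type, and tells Service Loading (SL), Service Indication (SI) and MMS notification pushes apart. It goes a little beyond the post by also covering SI, which the post does not mention. The port number, PDU type and well-known content-type codes are from the WDP/WSP specifications; the risk policy is an assumption (a reviewer's triage rule, not part of any standard), and the sample messages are constructed, with placeholder bodies that are never decoded.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

WAP_PUSH_PORT = 2948   # 0x0B84: WDP destination port for connectionless WAP push
WSP_PDU_PUSH = 0x06    # WSP PDU type "Push"
IEI_PORT16 = 0x05      # UDH information element: 16-bit application port addressing

# Well-known WSP content-type codes (WAP-230-WSP, Table 40). On the wire the
# short-integer form sets the high bit, e.g. code 0x30 is sent as 0xB0.
CONTENT_TYPES = {
    0x2E: "application/vnd.wap.sic",          # Service Indication, compiled (WBXML)
    0x30: "application/vnd.wap.slc",          # Service Loading, compiled (WBXML)
    0x3E: "application/vnd.wap.mms-message",  # MMS notification
}

# Assumed triage policy (not part of any standard): SL is the push type that
# asks the handset to fetch a URL, which is the silent-install path discussed above.
POLICY = {
    "application/vnd.wap.slc": ("high", "Service Loading tells the handset to fetch a URL; "
                                        "some implementations act on it without a prompt"),
    "application/vnd.wap.sic": ("medium", "Service Indication shows the user a link to fetch"),
    "application/vnd.wap.mms-message": ("medium", "MMS notification carries a download URL; "
                                                  "expected only from the operator's MMSC"),
}

@dataclass
class PushTriage:
    dest_port: Optional[int]
    content_type: str
    risk: str
    reason: str

def parse_udh(ud: bytes) -> Tuple[Dict[int, bytes], int]:
    """Split the SMS User Data Header (UDHL, then IEI/IEDL/data triples) into
    {IEI: data} and return the offset of the first payload byte after it."""
    udhl = ud[0]
    pos, ies = 1, {}
    while pos < 1 + udhl:
        iei, iedl = ud[pos], ud[pos + 1]
        ies[iei] = ud[pos + 2: pos + 2 + iedl]
        pos += 2 + iedl
    return ies, 1 + udhl

def read_uintvar(buf: bytes, pos: int) -> Tuple[int, int]:
    """WSP uintvar: 7 bits per byte, high bit set on every byte except the last."""
    value = 0
    while True:
        b = buf[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos

def read_content_type(buf: bytes, pos: int) -> str:
    """Decode a WSP Content-Type value: short-integer (well-known code),
    null-terminated text, or a value-length prefix followed by either of those."""
    first = buf[pos]
    if first < 32:                        # value-length form (parameters may follow)
        if first == 31:
            _, pos = read_uintvar(buf, pos + 1)
        else:
            pos += 1
        first = buf[pos]
    if first & 0x80:                      # short-integer: well-known code
        code = first & 0x7F
        return CONTENT_TYPES.get(code, f"well-known-0x{code:02x}")
    end = buf.index(0, pos)               # text form, null-terminated
    return buf[pos:end].decode("ascii", "replace")

def triage_push(user_data: bytes) -> PushTriage:
    """Classify one SMS user-data field (UDH present) that may carry a WAP push."""
    ies, body = parse_udh(user_data)
    port = None
    if IEI_PORT16 in ies and len(ies[IEI_PORT16]) == 4:
        port = int.from_bytes(ies[IEI_PORT16][:2], "big")   # destination port comes first
    if port != WAP_PUSH_PORT:
        return PushTriage(port, "n/a", "low", "not addressed to the WAP push port")
    wsp = user_data[body:]
    if len(wsp) < 3 or wsp[1] != WSP_PDU_PUSH:              # wsp[0] is the transaction id
        return PushTriage(port, "n/a", "medium", "WAP push port but not a WSP Push PDU")
    _headers_len, pos = read_uintvar(wsp, 2)
    ctype = read_content_type(wsp, pos)
    risk, reason = POLICY.get(ctype, ("medium", "unrecognised push content type"))
    return PushTriage(port, ctype, risk, reason)

# Constructed samples (not captured traffic). The bodies are placeholder bytes:
# the decision is made from the UDH port and the WSP Content-Type alone.
SAMPLE_SL = bytes([0x06, 0x05, 0x04, 0x0B, 0x84, 0x23, 0xF0,   # UDH: dest 2948, origin 9200
                   0x01, 0x06, 0x01, 0xB0]) + b"<sl body>"     # WSP Push, Content-Type slc
SAMPLE_MMS = bytes([0x06, 0x05, 0x04, 0x0B, 0x84, 0x23, 0xF0,
                    0x02, 0x06, 0x01, 0xBE]) + b"<mms body>"   # Content-Type mms-message
SAMPLE_OTHER = bytes([0x06, 0x05, 0x04, 0x00, 0x50, 0x00, 0x50]) + b"plain"  # port 80, not push

if __name__ == "__main__":
    for name, pdu in [("SL", SAMPLE_SL), ("MMS", SAMPLE_MMS), ("OTHER", SAMPLE_OTHER)]:
        print(name, triage_push(pdu))
```

The useful property for a defender is that the classification needs neither the WBXML body nor the URL it carries: the port addressing element and the first few WSP bytes are enough to separate an SL push from ordinary MMS notifications, so a handset or gateway-side filter can log or drop Service Loading pushes from unexpected origins without parsing the rest of the message.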
I'm still not 100% sure how it works (especially because he claims that it works with an old Siemens C45),
but analyzing the Windows Mobile RexSpy Killer provided by SecurStar
should bring me a step further (I haven't done this yet). I'll keep working on this and keep you updated.
I would really love to hear some comments on this.
Techworld (Hafner's talk at Systems, in German)