...stuff I do and things I like...

Wednesday, August 07 2019

FwAnalyzer

today we release FwAnalyzer open source, FwAnalyzer is tool for security analysis of firmware images - specifically for firmware images of Linux-based devices. For more details see the blog post I wrote for the company's blog at: Automating Firmware Security with FwAnalyzer.

Later today I will present on how we do Continuous Automated Firmware Security Analysis at Cruise.

Saturday, January 05 2019

Getting 'rid' of pre-installed Malware on my YellYouth Android Tablet

In November I bought a cheap Android Tablet for a wall-mounted display (see this blog post: Android InfoPanel). After a couple of days (or weeks?) suddenly some overlay ads and warnings from Google Play about malicious apps appeared. I didn't have time to investigate so I just tried to close the apps and ads. This got more complicated since all of it was in Chinese. I ended up navigating the menu of what looked like a 3rd-party app store to uninstall an app named Retipuj that was flag by Google Play for ad-fraud. All of this using Google Translate on my phone.



This solution worked for a couple of days. Returning back from my Holiday trip I was greeted by overlay ads once again. Luckily I had some time on my hands to investigate. Here a short write-up.

Part 1, observations and hoping for an easy way out:
    I found one app that I didn't install (com.hero.filter), I uninstalled it via adb uninstall com.hero.filter. I tried Googling the package name but without success.

    Removing the app didn't seem to do anything. Judging by the task bar there still seem to be a number of apps running but checking via Settings/Apps and on the filesystem (/data/apps) no apps are installed. Every now and then a pop-up appears that looks like a 3rd party market trying to download and install apps. Installation is blocked by Google Play (verified apps I assume).

Part 2, looking at processes:
    I found two interesting looking processes net.atlas.utopia and android.hb.uys.pbuild looking at the SeLinux context they seem to be platform apps (u:r:platform_app:s0). These could be candidates (spoiler - they are). Using pm list packages -f I determined that net.atlas.utopia is install in /system/priv-app/Kyz2203 with the data in /data/data/net.atlas.utopia.

    pm list packages -f (only showing some interesting packages):
      package:/data/app/com.hero.filter-1/base.apk=com.hero.filter
      package:/system/app/AutoDialer/AutoDialer.apk=com.example
      package:/system/priv-app/Kyz2203/Kyz2203.apk=net.atlas.utopia
      package:/system/priv-app/reanimation/reanimation.apk=android.hb.uys.pbuild
      

Part 3, a quick peak into net.atlas.utopia:
    Permissions: this app has like every permission you can think off including install and delete packages, send SMS, read and write any setting and file. Further it has a number of app permissions that correspond to lenovo, oppo, huawei, and htc devices.

    The app registers intent filters for a number of events: boot up, time zone change, packages install/remove, outgoing calls, etc. It basically monitors everything that is going on on the device. Pretty shitty.

    The data directory also contained a dex file with the name whatsappui1.dex. A quick Google search on whatsappui1 has one hit on team cymru's hash list: whatsappui1 with not much details but identify the file as being associated with ad-based malware.

    The most interesting thing I found in this app is the use of a 3rd party library called DroidPlugin. DroidPlugin is a plugin framework for Android that allows to run any third-party apk without installation, modification or repackage. Seems like the perfect tool for malware distribution.

Part 4, a quick peak into android.hb.uys.pbuild:
    Permissions are very similar to the net.atlas.utopia including the permissions corresponding to specific device manufacturers.

    The manifest contains traces of ad related things. The library directory contains libiohook.so. The library contains symbols from Cydia Substrate. The library name appears in various search results that indicate ad related malware.

    The asset directory contains a certificate ky_dsa_public.crt with no interesting issuer. jar file that contains a dex file and two .png files that contain ascii/text.

Part 5, getting rid of it all:
    How do we get rid of pre-installed software? The system partition is read-only so we can't uninstall it! The best idea, that does not involve rooting and flashing new firmware, is disabling the package using the package manager (pm disable net.atlas.utopia) this however requires system privileges. You don't have system privileges without rooting. You can disable apps via Settings but you can only disable them if they are in the list. The ones we want to disable are not in the list.

    How do we get system? The tablet still runs a 3.10.72 kernel so it might be vulnerable to dirtycow. I checked using the tools from timwr and yes it is vulnerable to dirtycow. Using my modified version of run-as as shown in my SafetyNet Talk we can become the system user and disable any package we want by running: pm disable PACKAGE.

    Here the list of packages I disabled, so far no APKs are getting installed and I haven't seen any more ads.

    pm list packages -d
      package:com.mediatek.schpwronoff
      package:android.hb.uys.pbuild
      package:com.mediatek.ygps
      package:com.android.htmlviewer
      package:com.android.browser
      package:com.hero.filter
      package:com.example
      package:com.svox.pico
      package:com.opera.max.global
      package:com.android.dreams.phototable
      package:net.atlas.utopia
      package:com.mediatek.weather
      package:com.opera.max.loader
      package:com.qihoo.appstore
      package:com.fw.upgrade.sysoper
      package:com.android.vpndialogs
      

Part 7, Dirtycow trickery:
    As described on my slides you can modify run-as.c from timwr to become any UID with almost any SELinux context (depending on the device's SeLinux policy!). For our purpose we can become any UID and context that we require. Below some notes on how this works.

    Dirtycow lets you overwrite any file that is how you replace /system/bin/run-as with your own binary. The binary cannot be bigger then the one you are overwriting. This might be a problem when you have a very very small run-as (9k in my case).
    1|shell@KT107:/data/local/tmp $ ls -al /system/bin/run-as                      
    -rwsr-s--- root     shell        9444 2018-09-27 03:44 run-as
    
    The workaround I took was not using ndk-build to build run-as.c and instead manually running arm gcc. This will reduce the binary size due to discarding complier flags used by the ndk. Another solution would be to just load a shared library from run-as to keep the binary size small.

    Once you have my version of run-as you can become (almost) any user.
    shell@KT107:/data/local/tmp $ run-as 1000 u:r:platform_app:s0
    shell@KT107:/data/local/tmp $ id
    uid=1000(system) gid=1000(system) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:platform_app:s0
    
    System (UID 1000) allows you to poke around /data/app/* and /data/data. If you want to explore /data/data/APP you need to assume the UID and context of that app.
    shell@KT107:/data/data $ ls -al
    drwxr-x--x u0_a13   u0_a13            u:object_r:app_data_file:s0 net.atlas.utopia
    run-as 10013 u:r:platform_app:s0
    shell@KT107:/data/data $ id
    uid=10013(u0_a13) gid=10013(u0_a13) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:platform_app:s0
    shell@KT107:/data/data/net.atlas.utopia $ ls -al
    drwx------ u0_a13   u0_a13            2017-12-31 19:00 Plugin
    drwxrwx--x u0_a13   u0_a13            2017-12-31 19:00 app_dex
    drwxrwx--x u0_a13   u0_a13            2017-12-31 19:00 cache
    drwxrwx--x u0_a13   u0_a13            2017-12-31 19:00 databases
    drwx------ u0_a13   u0_a13            2017-12-31 19:00 fankingbox
    lrwxrwxrwx install  install           2015-12-31 19:00 lib -> /data/app-lib/net.atlas.utopia
    drwxrwx--x u0_a13   u0_a13            2019-01-03 15:56 shared_prefs
    -rw------- u0_a13   u0_a13       9572 2019-01-03 15:54 whatsappui1.dex
    

    Below is my patch for run-as.c. My version sets the UID from the first argument and the SELinux context from the second argument.
    --- run-as-crm.c	2019-01-03 17:54:41.153471054 -0500
    +++ run-as.c	2019-01-03 17:58:39.378353437 -0500
    @@ -28,6 +28,8 @@
     {
     	LOGV("uid %s %d", argv[0], getuid());
     
    +	int duid = atoi(argv[1]);
    +
     	if (setresgid(0, 0, 0) || setresuid(0, 0, 0)) {
     		LOGV("setresgid/setresuid failed");
     	}
    @@ -56,7 +58,7 @@
     				LOGV("dlsym setcon error %s", error);
     			} else {
     				setcon_t * setcon_p = (setcon_t*)setcon;
    -				ret = (*setcon_p)("u:r:shell:s0");
    +				ret = (*setcon_p)(argv[2]);
     				ret = (*getcon_p)(&secontext);
     				LOGV("context %d %s", ret, secontext);
     			}
    @@ -66,6 +68,12 @@
     		LOGV("no selinux?");
     	}
     
    +	if (setresgid(duid, duid, duid) || setresuid(duid, duid, duid)) {
    +		LOGV("setresgid/setresuid failed");
    +	}
    +	LOGV("uid %d", getuid());
    +
     	system("/system/bin/sh -i");
     
    -}
    \ No newline at end of file
    +}
    +
    

Conclusions:
    Overall I would have preferred to not get pre-installed malware on my Android Tablet as I would rather have spent my time on my InfoPanel app or on other projects. However it was impossible for me to ignore this issue and simply buy a different tablet. Tracking down the malware still was kinda fun. It was the first time I experienced the issue of pre-installed malware first hand. I' also fairly happy that I didn't have to modify the firmware since this would have cost way more time. The most interesting thing I found was definitely the DroidPlugin project that allows running APKs without installing them. I wish I had more time to reverse engineer all the different apps and how they work together. I uploaded a zip file containing most components I talked about in this blog post here: yellyouth.zip.

    I hope I finally disabled all of the components and have an ad free device.

Friday, January 26 2018

Third Party Android App Stores

I wrote an article for the Parallax about the security of third party Android app stores.

Tuesday, October 24 2017

Mobile Security News Update October 2017

Conferences
    PacSec Nov 1-2, Tokyo, Japan. Grandma's old bag, how outdated libraries spoil Android app security by Marc Schoenefeld. When encryption is not enough: Attacking Wearable - Mobile communication over BLE by Kavya Racharla. The Art of Exploiting Unconventional Use- after-free Bugs in Android Kernel by Di Shen.

    DeepSec Nov 14-17, Vienna, Austria. Normal Permissions In Android: An Audiovisual Deception by Constantinos Patsakis.

    Black Hat Europe 2017 Dec 4-7, London, UK. ATTACKING NEXTGEN ROAMING NETWORKS by Daniel Mende, Hendrik Schmidt. ATTACKS AGAINST GSMA'S M2M REMOTE PROVISIONING by Maxime Meyer. BLUEBORNE - A NEW CLASS OF AIRBORNE ATTACKS THAT CAN REMOTELY COMPROMISE ANY LINUX/IOT DEVICE by Ben Seri, Gregory Vishnepolsky. DIFUZZING ANDROID KERNEL DRIVERS by Aravind Machiry, Chris Salls, Jake Corina, Shuang Hao, Yan Shoshitaishvili. HOW SAMSUNG SECURES YOUR WALLET AND HOW TO BREAK IT by HC MA. INSIDE ANDROID'S SAFETYNET ATTESTATION by Collin Mulliner, John Kozyrakis. JAILBREAKING APPLE WATCH by Max Bazaliy. RO(O)TTEN APPLES: VULNERABILITY HEAVEN IN THE IOS SANDBOX by Adam Donenfeld.


Quick conference review: both 44con and ekoparty were great. Ekoparty was especially awesome since I got to check the last continent off my list. Also the size of ekoparty was way beyond what I was expecting. They managed to have a really good conference that is professionally run while stilling maintaining the vibe of a hacker / underground con <3

Two weeks ago there was a post on Medium about two companies that provide a mobile identification service. That service basically can be used to convert your phone's IP address into real information about the owner of the phone (the contract owner). This is done via APIs that are provided by multiple Mobile Network Operators (such as AT&T). The medium article linked to demo pages of those two service providers (payfone and danal inc) that show not only your phone number but also your operator's name, your name and address.

I played with the two demo sites for a bit (while they were still online - offline now). I'm on Google Fi with a number proted from T-Mobile (pre-paid). Payfone only had my phonenumber and old carrier (T-Mobile) while Danal inc showed no data at all. I never provided any data to T-Mobile since it is not required for a pre-paid card. Google has all the data but likely does not share it with 3rd parties.

Overall this is a service that I really don't want to exist. I don't want an abritary company to be able to identify me while visiting their website from my mobile phone. I hope those companies don't just sell their services to anybody. Read the Medium article again: AT&T consumer choice opt-out doesn't affect this!

iOS 11 the tragedy continues: 11.0 had a bunch of flaws that were annyoing. Now 11.0.3 randomly frezzes my phone for minutes. Also I have some issues with voice call audio not working sometimes. Highly disaspointing!

Pictures of the month:






Links

Monday, September 25 2017

Biometrics and Smartphones

since I always rant about how I don't like biometrics in smartphones some people have asked me to formulate what I actually would like to see to happen in this area.

My dislike for biometrics is that you cannot change your password anymore because your password is your finger, eye (iris), or face. That means you basically show you password to everybody. A good example of this is here: Politician's fingerprint 'cloned from photos' by hacker.

The second part of the problem is that many biometric systems can be easily bypassed, some face recognition systems even with a picture shown on a smartphone screen.

My main issue is that biometric systems can be bypassed by forcing the owner of the device to unlock it. This can be done without leaving evidence, a funny example of this issue: 7-Year-Old Boy Uses Sleeping Dad's Finger To Unlock iPhone. Also see this interesting case: Court rules against man who was forced to fingerprint-unlock his phone.

The main argument I always hear is that people who wouldn't set a password (or use just a simple PIN) are using biometrics and therefore are more secure now with the help of biometrics. The kid from the previous story wasn't stopped by biometrics it was just as good as not having a password.

What would have stopped the kid from unlocking his dad's phone? A simple timeout! Basically what I want to see is a timeout for your biometrics. Once you entered your password you can unlock your phone using biometrics, after a specific amount of time you have to re-enter your password and cannot unlock the device using biometrics. With a timeout of say 30 minutes to one hour you can prevent simple attacks while still being able to use the convenience of biometrics. Apple recently introduced the SOS mode that will also disable biometric authentication until you enter your password. I wish this was taken one step further and let you set a timeout.

I personally see biometrics on a smartphone as a pure convenience feature and treat it as a weak security feature. I only use it for ApplePay.

I think it is pretty bad to get people used to biometric authentication, Apple may get it right but other companies wont. Normal users can't determine this easily. Also how much did the additional hardware components cost to implement fingerprint authentication or face recognition. FaceID doesn't use a normal camera so there are definitely additional costs that you as the user have to pay for this convenience feature.

Face recognition in consumer products also gets people to accept this as an normal everyday thing and thus helps the argument for face recognition being used in surveillance.

/rant

References:

Tuesday, September 19 2017

Mobile Security News Update September 2017

Conferences
    ekoparty Sep 27-29, Buenos Aires. Blue Pill for your phone by Oleksandr Bazhaniuk. Unbox Your Phone - Exploring and Breaking Samsung's TrustZone Sandboxes by Daniel Komaromy. Inside Android's SafetyNet Attestation: Attack and Defense by Collin Mulliner. How to cook Cisco: Exploit Development for Cisco IOS by George Nosenko. Bypass Android Hack by Marcelo Romero.

    Virus Bulletin 4-6 Oct, Madrid Span. Last-minute paper: Publishing our malware stats by Jason Woloz (Google) [This is about Android Malware]. Android reverse engineering tools: not the usual suspects by Axelle Apvrille.
Some comments on BlueBorne: I've been involved with Bluetooth security since like forever (not active in the last 10+ years). The early Bluetooth vulnerabilities were mostly logic bugs and issues such as missing authentication. Bluetooth devices could not be set to hidden and would always show up when scanning for devices. Stuff like that. BlueBorne is different as it is a remote exploitable memory corruption vulnerability in Linux, Android, and Windows. This is quite a novelty since we haven't seen a bug that is more ore less the same on two platforms. Even more interesting is that this bug is pre-authentication and gives you kernel privileges (code exec in the kernel).

In theory this set of vulnerabilities can be bad, bad. In practice the issue is much less of an issue. Exploit mitigations and built variances help mitigating the risk. Devices are not always visible therefore the attacker cannot easily find your device and attack it.

Also see: Hackers Could Silently Hack Your Cellphone And Computers Over Bluetooth.

FaceID: I think it is a really horrible idea! Do not put biometric systems in to consumer products ever! I will not buy products with mandatory biometrics so far iOS allows me to turn it off and use a passphrase - thats why I even consider buying iOS devices. I hate this change -- biometrics are bad.

Pics:


I agree ^^^



Links

Tuesday, August 22 2017

Mobile Security News Update August 2017

Conferences
    toorcon san diego Aug 28th - Sep 3rd. Dig Deep into FlexiSpy for Android by Kai Lu(@k3vinlusec).

    HITB Singapore August 21-25. The Original Elevat0r - History of a Private Jailbreak by Stefan Esser. The Nightmare of Fragmentation: A Case Study of 200+ Vulnerabilities in Android Phones by BAI GUANGDONG and ZHANG QING.

    Tencent Security Conference, August 30-31. Pointer Authentication by Robert James Turner. Finding iOS vulnerabilities in an easy way by Tiefel Wang and Hao Xu. Bare-metal program tracing on ARM by Ralf-Philipp Weinmann.

    44con 13-15 September London, UK. Inside Android's SafetyNet Attestation: What it can and can't do lessons learned from a large scale deployment by Collin Mulliner.

    BalCCon2k17 Novi Sad, Vojvodina, Serbia. September 15-17. Mobile phone surveillance with BladeRF by Nikola Rasovic.

    T2 October 26-27 Helsinki, Finland. Breaking Tizen by Amihai Neiderman.

    DeepSec Vienna 13-17 November. Normal permissions in Android: An Audiovisual Deception by Constantinos Patsakis. How secure are your VoLTE and VoWiFi calls? by Sreepriya Chalakkal.
Quick Conference Review
    It was good to see everybody in Vegas, even better meeting new people. Especially some folks I wanted to meet for a long time. I had a good time at WOOT, meeting old friends was especially good. Maybe it helped that it was in the CanSecWest hotel. I link a few relevant papers below.

Stefan Esser is running a kickstarter for an iOS Kernel Exploitation Training Course for Development of a freely available online iOS kernel exploitation training course based on iOS 9.3.5 on 32 bit devices. If you are into iOS security you should support Stefan's project!


Ralf is on point as usual:
Pictures of the month:



Links

Saturday, August 05 2017

RE-Canary: Detecting Reverse Engineering with Canary Tokens

This blog post is to provide some more details about my idea that was mentioned on Risky Business #463 by Haroon Meer.

What are Canary Tokens (from Thinkst).
    You'll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests.

    Imagine doing that, but for file reads, database queries, process executions, patterns in log files, Bitcoin transactions or even Linkedin Profile views. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.
    ...
    Canary tokens are a free, quick, painless way to help defenders discover they've been breached (by having attackers announce themselves.)


The idea: Embed Canary Tokens into binaries (or application data) to help identify reverse engineering of your software.

Every reverse engineer looks for unique information (often just strings) in the target binary to help understand it. The strings are thrown into Google (or other search engines) with the hope to get additional information. The returned information can be extremely helpful to determine what the software is, what other code is linked in, what versions, etc. Everybody who reverse engineers stuff does this! I personally don't reverse engineer for a living so I asked around to confirm that professionals actually do this (I already knew the answer anyway!).

The plan:
  • Embed unique looking strings into the binary
  • Stand-up web page that contains the string, log access to that page (alert on access)
  • Make Google crawl that page (various tools for that)
  • Ship software

This is pretty straight forward, right? But do you care about somebody who just ran strings on your binary? Likely not! So what's next?

Many applications protect their code and other assets that come with it through different kinds of methods (called obfuscation techniques for this article - even not all of it will be actual obfuscation). The next step for the RE-canaries is to generate canaries and embed them into each obfuscation layer. If someone accesses a more obfuscated canary you know that a certain level of effort was put into reversing your app. This part is really where the creativity of the RE-canary deployment comes into play. This will be highly depended on the specific software, on the protection mechanisms used, the language and framework that app is written in and so on. Mobile apps (I'm a mobile app guy, yeah!) contain API endpoints and URLs and maybe some hardcoded credentials (tokens of course). The URLs have the advantage that you wouldn't need to put up a website. You just make them accessible and add logging and alerting.

The final part of this is automation. You want to automate canary creation and embedding into your built process, so that you can generate unique canaries with each built or major release or whatever fits your software.

In the end it will likely happen that advanced REs are going to use an anonymization service such as TOR when searching for strings or trying out URLs (specifically for URLs!). In this case at least you will know that someone is looking at your stuff and passed a certain skill/time/effort threshold, which I guess in most cases is enough information.

That's it! This idea was inspired heavily by Haroon Meer's Canarytokens a great free service that I use once in awhile!

Comments and feedback is welcome via the usual channels.

Thursday, July 13 2017

Mobile Security News Update July 2017

Conferences
    Black Hat USA Las Vegas, July 26-27. ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson. NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park. SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois. FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven. GHOST TELEPHONIST LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng. HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich. DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen. BLUE PILL FOR YOUR PHONE by Oleksandr Bazhaniuk, Yuriy Bulygin. CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio.

    Defcon Las Vegas. Jailbreaking Apple Watch by Max Bazaliy. Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks by CINCVolFLT (Trey Forgety). macOS/iOS Kernel Debugging and Heap Feng Shui by Min(Spark) Zheng & Xiangyu Liu. Using GPS Spoofing to Control Time by David "Karit" Robinson. Phone System Testing and Other Fun Tricks by "Snide" Owen. Unboxing Android: Everything You Wanted To Know About Android Packers by Avi Bashan & Slava Makkaveev. Ghost in the Droid: Possessing Android Applications with ParaSpectre by chaosdata. Ghost Telephonist' Impersonates You Through LTE CSFB by Yuwei Zheng & Lin Huang. Bypassing Android Password Manager Apps Without Root by Stephan Huber & Siegfried Rasthofer. Man in the NFC by Haoqi Shan & Jian Yuan.

    USENIX Workshop on Offensive Technologies (WOOT) Vancouver Canada, 14-15 August. Shattered Trust: When Replacement Smartphone Components Attack by Omer Shwartz, Amir Cohen, Asaf Shabtai, and Yossi Oren. White-Stingray: Evaluating IMSI Catchers Detection Applications by Shinjo Park and Altaf Shaik, Ravishankar Borgaonkar, Andrew Marti, Jean-Pierre Seifert. fastboot oem vuln by Roee Hay.
Black Hat and Defcon have a really good number of mobile related talks this year.

It was a busy month and July will be even busier. I'll be at GSMA DSG, Black Hat and Defcon July and Usenix WOOT in mid August



Picture of month:


There is a lot happening in the Android boot loader world at the moment. I guess this is what happens when the devices get more and more locked down - people go after the root of trust.

Links:

Tuesday, June 06 2017

Mobile Security News Update June 2017

Conferences
    Black Hat USA July 26-27 Las Vegas. 'GHOST TELEPHONIST' LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng. ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson. BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS by Nitay Artenstein. CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio. DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen. FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven. HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich. NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park. SONIC GUN TO SMART DEVICES: YOUR DEVICES LOSE CONTROL UNDER ULTRASOUND/SOUND by Aimin Pan, Bo Yang, Shangyuan LI, Wang Kang, Zhengbo Wang. SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois. THE FUTURE OF APPLEPWN - HOW TO SAVE YOUR MONEY by Timur Yunusov.

    (Black Hat has a very strong mobile security line up this year.)

    Defcon July 27-30 Las Vegas. Man in the NFC by Haoqi Shan & Jian Yuan. (speaker selection not final)

    MOSEC June, Shanghai added a bunch of talks (all mobile security related, obviously).

    Recon June 16-18 Montreal, Canada. FreeCalypso: a fully liberated GSM baseband by Mychaela Falconia. Hacking Cell Phone Embedded Systems by Keegan Ryan.
This took a long time again. It gets harder and harder do to this since this stuff is not directly what I do on a day to day basis currently.

The Qualcomm Mobile Security summit was excellent again! Fantastic talks and again I met a bunch of people I mostly knew from email and/or twitter or haven't seen in quite some time. This conference still is unparalleled!

I had a minute to play with the BlackBerry KeyOne and it feels like a super solid device. The screen is bigger then I thought it would be and this makes the device almost too big for my taste - but this is hard to say from playing with it for just a minute.

So iOS will finally support NDEF tags.
This talk is really interesting for anybody interested in mobile application security. This is not about mobile app reverse engineering but about app, backend, phone infrastructure interaction. Pictures of the month:





Links

Wednesday, May 10 2017

iOS WebView Dialer Fixed

In November 2016 I wrote a post about the iOS WebView Auto Dialer bug specifically in the iOS Twitter and the iOS LinkedIn apps. Last weekend I finally had the time to retest those apps to see if the bug was fixed. Retests in December and January showed the bug was still present (as far as I remember). Both apps are fixed now!

Playing around with this a bit more I discovered a new security warning on iOS. There now seems to be a detection for the case where a website automatically tries to open a TEL URL. The dialog doesn't always appear but when it does you first have to click allow before being presented with the actual Call/Cancel dialog. Neat!



The conclusion seems to be that the bug was fixed and that they added a new detection and warning dialog. Good!

Tuesday, April 25 2017

Mobile Security News Update April 2017

Conferences
    Black Hat USA July 22-27 Las Vegas. BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS by Nitay Artenstein. (Program not complete)

    SyScan360 May 30-31 Seattle. Exploit iOS 9.x Userland with LLDB JIT by Wei Wang. The wounded android WIFI driver New attack surface in cfg80211 by Hao Chen.

    MOSEC June, Shanghai. Revisiting the Kernel Security Enhancements in iOS 10 AND Pwning Apple Watch. (Program still not complete)


Recordings for the first OsmoCon are available here. OsmoCon is, of course, a conference about the OsmoCom projects!

Android O news: will prompt for pin/passcode before enabling developer options, further Android O changes device identifiers and how to access them.

If you are interested in mobile backing Trojans you should follow Lukas Stefanko:

Somebody released the source code of FlexiSpy (mobile phone spyware) to the public. The release notes are here: readme.txt. The download is here: FlexiSpyOmni.zip, collection of all data is here: Source code and binaries of FlexiSpy from the Flexidie dump and a writeup of the dump is here: FlexSpy Application Analysis. I bet we will see more details in the coming weeks!

Does Blackberry give out review samples for the KEYone? I would really like one and give it a try (would post full review here of course!).


All Nokia phones ever made.

Yo Ralf where the slides at?


Links

Tuesday, March 28 2017

Mobile Security News Update March 2017 part2

Conferences
    Qualcomm Mobile Security Summit 2017 San Diego, May. All talks are on mobile security - super strong lineup!

    AppSec EU May 11-12, Belfast. How to steal mobile wallet? - Mobile contactless payments apps attack and defense. Fixing Mobile AppSec: The OWASP Mobile Project.

    MOSEC June Shanghai. Pwning Apple Watch. (program not complete yet!)


OffensiveCon is a new security conference in Berlin Germany focused on Offense. No details yet but they chose the right location for sure.

For everybody who didn't make it to the Android Security Symposium, they recorded the talks and the videos are available: here.

Google published a blog post and a detailed report on Android Security in 2016. The report covers everything from patching and update stats to high impact vulnerabilities. People posted a lot of summaries but you should really read it yourself if you work with Android.

Google pulls March security update for Nexus 6, after it breaks SafetyNet and Android Pay. This was pretty interesting, not the fact that they broke SafetyNet but that they broke it for their own devices (Nexus). This happened to some really small manufacturer before and if you have an idea of how SN works on the backend - it is clear what happened.



Links

Tuesday, March 07 2017

Mobile Security News Update March 2017

Conferences
    Black Hat ASIA Singapore March 28-31. FRIED APPLES: JAILBREAK DIY by Alex Hude, Max Bazaliy, Vlad Putin. ANTI-PLUGIN: DON'T LET YOUR APP PLAY AS AN ANDROID PLUGIN by Cong Zheng, Tongbo Luo, Xin Ouyang, Zhi Xu. REMOTELY COMPROMISING IOS VIA WI-FI AND ESCAPING THE SANDBOX by Marco Grassi. 3G/4G INTRANET SCANNING AND ITS APPLICATION ON THE WORMHOLE VULNERABILITY by Guangdong Bai, Zhang Qing. MOBILE-TELEPHONY THREATS IN ASIA by Lion Gu, Marco Balduzzi, Payas Gupta. MASHABLE: MOBILE APPLICATIONS OF SECRET HANDSHAKES OVER BLUETOOTH LE by Yan Michalevsky.

    CanSecWest Vancouver Canada, March 15-17. Qidan He : Pwning Nexus of Every Pixel: Chain of Bugs demystified. Logic Bug Hunting in Chrome on Android by Georgi Hershey & Robert Miller.

    Zer0Con Seoul, Korea April 13-14. Ian Beer : Through the mach portal.

    OsmoCon (Osmocom Conference) 2017 is the first technical conference for Osmocom users, operators and developers! April 21, Berlin. All about Osmocom!

    HITB Amsterdam April 13-14. FEMTOCELL HACKING: FROM ZERO TO ZERO DAY by JeongHoon Shin. CAN'T TOUCH THIS: CLONING ANY ANDROID HCE CONTACTLESS CARD by Slawomir Jasek. EXTRACTING ALL YOUR SECRETS: VULNERABILITIES IN ANDROID PASSWORD MANAGERS by Stephan Huber, Steven Artz, Siegfried Rasthofer. HUNTING FOR VULNERABILITIES IN SIGNAL by Markus Vervier.

    Opcde Dubai, UAE April 26-27. Practical attacks against Digital Wallet by Loic Falletta.


I took a way too long break again. So many things happen in the world of mobile security every week. I really wish I had more time for this. I also have a bunch of small things I need to put on this blog but I think they are too specific for the news and will likely get their own posts.

Some news from MWC (I didn't attend):
    First the BlackBerry KEYone a new Android-based phone with a physical keyboard. Other then the BB Priv the KEYone's keyboard is fix and doesn't slide. Movable parts are really not a good idea, they break way too fast. In my opinion this device looks super solid and likely will be supported longer than the average flagship phone from other manufacturers (data on this would be awesome).

    Nokia released 3 new Android phones the 3 (MTK), 5 (QCOM) and 6 (QCOM). The phones seem to run Android N without any modifications or vendor crap. Very low price (230Euro for the 6). The bottom of their website specifically says: You get an experience that's focused and clutter-free, and we'll make sure you keep getting regular updates, so you'll always stay on top of features and security. that is what you should expect in 2017.


The Android Devices Security Patch Status page is an awesome resource to determine if a specific device from a specific vendor has been patched and when the patch was released. From the page: This list is Prepared to Serve as a Quick reference to identify which Device is being actively maintained by the Vendor.. This is super useful, thanks!







MOSEC mobile security conference in June in Shanghai. This seems to be the 3rd year of the conference. There is no schedule yet.

The story of the day Vault 7: CIA Hacking Tools Revealed. Vault 7: CIA Hacking Tools Revealed : iOS Exploit list. Yes, the CIA uses n-day exploits! The Android exploits.

They talk about Android, Defcon, and backdooring your repo? ;-)


Pic of the month:

Links

Sunday, February 19 2017

ENISA Smartphone Development Guidelines

The European Union Agency for Network and Information Security (ENISA) asked Ioannis Stais, Vincenzo Iozzo, and myself to update their guidelines for secure smartphone app development. The result is not much of an update but an entire rewrite of the guidelines. It was a fun project to do and I think all parties involved in the project are proud of the final result.

The Smartphone Development Guidelines website provides a brief overview of the effort. The actual document can be downloaded here Smartphone_development_Guidelines.pdf

I would like to thank everybody again who helped on the project the project coordinators at ENISA and everybody who reviewed the document and provided feedback!

Tuesday, January 24 2017

Mobile Security News Update January 2017

Conferences
    Recon Brussels Brussels, 27-29 January. Analyzing iOS apps: road from AppStore to security analysis report by Lenar Safin, Yaroslav Alexandrov, Egor Fominykh, Alexander Chernov.

    31CON Auckland NZ, 23-24 February. RAVISHANKAR BORGAONKAR (UK): PRIVACY ISSUES IN 4G. PHILIPPE LANGLOIS (FRANCE): something about mobile networks.

    Android Security Symposium 2017 Vienna Austria, March. Many interesting talks.

    Troopers Heidelberg, Germany. March. Hunting For Vulnerabilities in Signal by Jean-Philippe Aumasson, Markus Vervier. Samsung Pay: Tokenized Numbers, Flaws and Issues by Salvador Mendoza.

    TelcoSecDay @ Troopers It's no use crying over spilled 2G,3G,4G - what we need to fix in 5G. Outlook on 5G security from 3GPP perspective. Automated large-scale detection of rogue base stations: A field report. Exploring fraud in telephony networks, an illustration with Over-The-Top Bypass.

    Infiltrate Miami, FL. March. Jean-Philippe Aumasson, Markus Vervier: Hunting For Vulnerabilities in Signal. Georgi Geshev, Robert Miller: Logic Bug Hunting in Chrome on Android. Marco Grassi, Liang Chen: Remotely Compromising a Modern iOS Device. Vasilis Tsaousoglou, Patroklos Argyroudis: The Shadow over Android: Heap exploitation assistance for Android's libc allocator. Ralf-Phillip Weinmann: Did I hear a shell popping in your baseband?.


CFPs I'm not a fan or a user of WhatsApp but this backdoor story is just bad and will drive users away from a secure messaging app (maybe even the biggest install based of all of them). Zeynep Tufekci wrote an open letter to the Guardian to have them update the story. Moxie also wrote a blog post about these claims. The Guardian should have asked people with the technical expertise for advice before publishing the story.

AT&T 2G network shutdown happened on Dec 31 2016

AndroidXRef is looking for sponsors!

The mobile talks from 33c3 are all totally worth watching (no particular order): Pics of the month:



Links

Tuesday, December 13 2016

Mobile Security News Update December 2016

Conferences
    33c3 Hamburg, Germany 27-30 December. Downgrading iOS: From past to present by tihmstar. A look into the Mobile Messaging Black Box by Roland Schilling and Frieder Steinmetz. Dissecting modern (3G/4G) cellular modems by LaForge and holger. Geoloation methods in mobile networks by Erik.

    Shmoocon Washington D.C. January. A Context-Aware Kernel IPC Firewall for Android - David Wu, Sergey Bratus.

    Black Hat ASIA March 2017. FRIED APPLES: JAILBREAK DIY by Alex Hude and Max Bazaliy. MASHABLE: MOBILE APPLICATIONS OF SECRET HANDSHAKES OVER BLUETOOTH LE by Yan Michalevsky. REMOTELY COMPROMISING IOS VIA WI-FI AND ESCAPING THE SANDBOX by Marco Grassi.

I had to skip the November update due to a long overdue vacation. Playing with iOS webviews also did cost some time. Writing this blog becomes more and more time consuming since for some parts I would rather spent time on research than writing about other peoples research. Will see next year if I continue doing this or not. I'm doing this since January 2009 so it has been a few years.

New Conference: Samsung confirms it will render the US Note 7 useless with next update since the owners don't seem to care to return the phones to Samsung even tho they would get a replacement device. This is kind of hilarious.



Browser based iOS 9.3.x jailbreak (64bit only) it has been a while.

Chinese company installed secret backdoor on hundreds of thousands of phones


Recently the topic of SMS 2FA came up again. While I agree that SMS is not the most secure version of 2FA it is far far better then not providing any 2FA mechanism for your service.


Links

Saturday, December 10 2016

Kiwicon X

I finally made it to Kiwicon this year (special thanks to vt for dragging us out!). I even managed to get a talk in (con bucket list--) making the trip even sweeter.

The conference was absolutely awesome. Well organized, friendly people (staff and attendees!), and a perfect venue. The conference had about 2500 attendees which seemed like a good fit for the venue. I liked the overall program, the intermissions and speaker introductions were absolutely fantastic. In my opinion Kiwicon is at the sweet spot on the issues of size and target audience. It is big enough to be attract different kinds of folks and it is small enough to find people and hangout. I also really love single track conferences!

Sadly it was announced that this was the last Kiwicon, I'm happy to have made it to the last one! Thanks!

Below a few photos and videos from Kiwicon, the official Kiwicon photos are here.

KiwiCon intro #kiwicon #latergram

A video posted by Collin (@collin_rm) on

KiwiConX

A video posted by Collin (@collin_rm) on

KiwiCon sheep

A photo posted by Collin (@collin_rm) on

IR Fire detector #kiwicon

A video posted by Collin (@collin_rm) on

KiwiCon beer

A photo posted by Collin (@collin_rm) on


Tuesday, November 08 2016

iOS WebView auto dialer bug

TL;DR: iOS WebViews can be used to automatically call an attacker controlled phone number. The attack can block the phone's UI for a short amount of time and therefore prevent the victim from canceling the call. The bug is an application bug that likely is due to bad OS/framework defaults. One major issue with this vulnerability is that it is really easy to exploit. App developers have to fix their code as soon as possible. The Twitter and LinkedIn iOS apps are vulnerable (other apps might be vulnerable too). Demo videos here: Twitter and LinkedIn (embedded videos are below on this page).

About a week ago (on a Friday) I read an news post [1,2] about a guy who got arrested for accidentally DoSing 911 by creating a web page that automatically dialed 911 when visited it from an iPhone. This was most likely due to a bug with the handling of TEL URI [4,5]. I immediately thought about a bug I reported to Apple in late October 2008 [3]. I couldn't believe this bug has resurfaced so I investigated. The article said something about posting links on Twitter.
    If you think automatically dialing a phone number after clicking a link in an app is not a big issue think again. DoSing 911 is pretty terrible but there are other examples such as expensive 900 numbers where the attacker can actually make money. A stalker can make his victim dial his phone number so he gets his victim's number. Altogether things you don't want to happen.
Anyway ... I went and looked at the iOS Twitter app. I got a very simple auto phone dialer working in a very short time. I was happy and also devastated that it was that easy. I first thought I reproduced the exact bug but later after re-reading the articles [1,2] more carefully I determined that it is likely a different bug or at least a different trigger. The article reported heavy use of JavaScript and pop-ups being shown and such. My original trigger was one line of HTML (a meta-refresh tag that points to a TEL URL) due to this I decided to report the bug to Twitter via their Bug Bounty program on HackerOne. I never reported to a bug bounty program before so I was happy to gain some experience (I normally report via security@), but it is 2016 and companies pay for bugs so here we go. Twitter acknowledged that it looks like a problem within a few days.
    On Nov. 6th I updated the bug report to Twitter to add the UI blocking issue (continue reading) and uploaded a video. Today Twitter simply closes the bug as a duplicate without any comment. While this might be a simple duplicate they should have an interest in playing nice and being thankful to those who report bugs they find in their spare time. Because of this action I decided to post the full details of the issue today.

During the weekend I took some time to further investigate the issue. I determined that this might be a general issue with iOS apps the use WebViews to display content. I tested a few popular apps I had installed. Vulnerable apps need a way for users to post web links that will be opened in a WebView inside the app itself. Apps that open links in mobile Safari or Chrome would not be vulnerable (I tested this). One app I tested fairly early was the LinkedIn app since LinkedIn basically is social media for the business context. People can send messages and post updates. Updates usually are text and link. I posted a link and clicked it and yes it dialed my other phone (demo video below).

I wanted to submit the bug to LinkedIn and found that they have a bug bounty program. Unfortunately it was a private bounty and you would only be added if you previously submitted bugs. I tried to get around it but it didn't work. After some thinking I decided to not report it to LinkedIn privately but openly (parallel to this blog post). It is 2016 after all and if they don't want to add me to their program that is their choice. In general I will likely not report bugs outside of a bug bounty program if a private bug bounty program exists.

Another weekend comes I have some time and started playing with the bug again. Actually I started looking at my PoC from 2008 while trying to figure out if I report the bug to LinkedIn or not. After playing around for a bit I more or less get my old PoC working with the Twitter and LinkedIn apps. WOW!

Taking one step backwards. The original bug I reported to Twitter was triggering a phone call by visiting a website that redirect to a TEL URL. One could do this with various techniques such as: http-meta refresh, iframe, setting document.location, window.location, or an HTTP redirect (Location header). This would simply dial a number. The victim would see the dialer and the target number on the screen and of course could just cancel the call by pressing the big red button. Just causing the call is already bad since an unobservant person will be baffled (why is my phone dialing some number).

The beauty of my 2008 bug was that I could block the phone's UI for a few seconds and therefore prevent the user from canceling the call. I managed to abuse exactly the same trick to block the UI that I used in 2008. The trick is to cause the OS to open a second application while the phone is dialing the given number. Opening applications is pretty straight forward, you open a URL that causes the OS to spawn another application. This can be anything from the messages app (via the SMS: URL) or iTunes (via the itms-apps: URL). You can pretty much get any application to launch that has a URI binding. In 2008 I used a SMS URL with a really really long phone number to block the UI thread. My best guess on how this works is that the IPC subsystem actually has difficulties to move several kilobytes of URL data through the various layers into the app and the target app might also not be super happy about really large URLs. I ended-up with the code below. The code uses the combination of meta-refresh tag and window.location to execute the attack. The codes delays setting the window.location by 1.3 seconds to guarantee that the dialer is executed first. The delay cannot be too long otherwise the WebView will not execute the URL handler for launching the messages app. Basically you have to get the timing just right.


The PoC to trigger this bug.

Below two video demonstrations of this attack. You can clearly see that the UI is not responsive for a short amount of time. The time is long enough to make somebody pickup on the other side (especially service hot lines automatically pickup).






Normal good app behavior:
Apps should normally check the URL schema before executing it and show the user a pop-up dialog before executing an app on the device. Some examples are shown below:


Mobile Safari asking before calling the Apple Support number. This is how good apps should behave!


Dropbox showing a warning but not showing the target number. Ok but could be better.


The Yelp app normally behaves like Safari but if you hit it with an HTTP redirect it does not show the target number. I just included this for the fun of it.

App developers should review their use of WebViews to determine if they are vulnerable to this attack. Vulnerable apps need to be fixed. Service providers like Twitter and LinkedIn can inspect links posted to their sites for containing malicious code and prevent those links from being posted to their service.

Apple should change the default behavior of WebViews to exclude execution of TEL URIs and make it an explicit feature to avoid this kind of issues in the future. I reported this issue to Apple.

References:

Tuesday, October 18 2016

Mobile Security News Update October 2016

Conferences
    PacSec October, Tokyo. Demystifying the Secure Enclave Processor by Mathew Solnik. Finding Vulnerabilities in Firefox for iOS by Muneaki Nishimura.

    ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM) October, Vienna Austria. All talks are related to mobile security.

    O'Reilly Security Conference October, NYC. Securing 85% of the world's smartphones by Adrian Ludwig. How Plantronics honed its headsets to create secure wearables by Erik Perotti.

    SyScan360 November, Shanghai. Browser Bug Hunting and Mobile by Francisco Alonso and Jaime Penalba. Demystifying the Secure Enclave Processor by Mathew Solnik. Running Code in the TrustZone Land by Edgar Barbosa. Analysis of iOS 9.3.3 Jailbreak & Security Enhancements of iOS 10 by Team Pangu. Security Vulnerabilities on Online Payment: Summary and Detection by Zhang Qing and Bai Guangdong.

    KiwiCon November Wellington, NZ. Let's do the Timewarp Again by Karit.


I'm going to be at the O'Reilly Security Conference on Monday the 31st (maybe also the other days). I super excited to speak at KiwiCon this year!

I'm interested in Google's Project Fi does anybody have insights into using it with non Android phones? I've found several posts on this topic but nothing convincing yet. Posts also seem conflicting.


Best of mobile security in pictures:

source ThreatPost

I've seen this warning a lot in the last couple of weeks while traveling:
This is the real reason for the Galaxy Note 7 recall

While searching for the link to the recall:


Links

Tuesday, September 20 2016

Mobile Security News Update September 2016

Conferences
    Black Hat EU November, London UK. ARMAGEDDON: HOW YOUR SMARTPHONE CPU BREAKS SOFTWARE-LEVEL SECURITY AND PRIVACY Speaker: Clementine Maurice, Moritz Lipp. DETACH ME NOT - DOS ATTACKS AGAINST 4G CELLULAR USERS WORLDWIDE FROM YOUR DESK Speaker: Bhanu Kotte, Dr. Silke Holtmanns, Siddharth Rao. MOBILE ESPIONAGE IN THE WILD: PEGASUS AND NATION-STATE LEVEL ATTACKS Speaker: Max Bazaliy, Seth Hardy. POCKET-SIZED BADNESS: WHY RANSOMWARE COMES AS A PLOT TWIST IN THE CAT-MOUSE GAME Speaker: Federico Maggi, Stefano Zanero. ROOTING EVERY ANDROID: FROM EXTENSION TO EXPLOITATION Speaker: Di Shen, Jiahong (James) Fang. SIGNING INTO ONE BILLION MOBILE APP ACCOUNTS EFFORTLESSLY WITH OAUTH2.0 Speaker: Ronghai Yang, Wing Cheong Lau. STUMPING THE MOBILE CHIPSET Speaker: Adam Donenfeld. WIFI-BASED IMSI CATCHER Speaker: Piers O'Hanlon, Ravishankar Borgaonkar.

    PacSec Tokyo Japan, October. Demystifying the Secure Enclave Processor by Mathew Solnik.
The most interesting read this week was The bumpy road towards iPhone 5c NAND mirroring a paper by Sergei Skorobogatov. In this paper he shows how to implement a NAND mirroring attack against an iPhone 5C. The basic idea behind this attack is erase the PIN failure counter between each set of tries to avoid the artificial brute force delay and to avoid data deletion after N failed PINs. The paper goes into great detail on various problems he encountered while implementing the attack. I highly recommend reading this paper. The picture below is taken from this paper.

Google's Project Zero now has an Android "Prize" for achieving RCE on a Nexus device with only knowing it's email address or phone number. Apparently you can't use a BTS (via @jduck) for this attack. Overall this looks interesting, I wonder if anybody is going to claim the money soon. Announcement: Project Zero Prize.

Links

Tuesday, August 30 2016

Mobile Security News Update August 2016

Conferences
    Black Hat EU November: ARMAGEDDON: HOW YOUR SMARTPHONE CPU BREAKS SOFTWARE-LEVEL SECURITY AND PRIVACY by Clementine Maurice and Moritz Lipp. DETACH ME NOT - DOS ATTACKS AGAINST 4G CELLULAR USERS WORLDWIDE FROM YOUR DESK by Bhanu Kotte, Siddharth Rao and Silke Dr Holtmanns. POCKET-SIZED BADNESS: WHY RANSOMWARE COMES AS A PLOT TWIST IN THE CAT-MOUSE GAME by Federico Maggi and Stefano Zanero. STUMPING THE MOBILE CHIPSET by Adam Donenfeld.

    DerbyCon September: Beyond The ?Cript: Practical iOS Reverse Engineering by Michael Allen. AWSh*t. Pay-as-you-go Mobile Penetration Testing by Nathan Clark. Breaking Android Apps for Fun and Profit by Bill Sempf.

    AppSec USA November: QARK: Android App Exploit and SCA Tool by Tushar Dalvi and Tony Trummer. SecureMe - Droid: Android Security Application by Vishal Asthana and Abhineet Jayaraj. OWASP Reverse Engineering and Code Modification Prevention Project (Mobile) by Dave Bott and Jonathan Carter. ShadowOS: Modifying the Android OS for Mobile Application Testing by Ray Kelly.

Apple now has a bug bounty program. Details were presented at Black Hat in Ivan Krstic's talk BEHIND THE SCENES OF IOS SECURITY. Also see Starting this fall, Apple will pay up to $200,000 for iOS and iCloud bugs (via Ars).

Motorola confirms that it will not commit to monthly security patches. This is pretty bad since I actually liked their Pure Edition devices (devices that basically are just AOSP).

Protecting Android with more Linux kernel defenses. They added some features from Grsecurity. This makes me happy.

Google's Android has gotten so out of control that $55 billion Salesforce had to take drastic measures, basically Salesforce in the close future will only support specific Samsung Galaxy and Nexus devices. This is an interesting way to deal with the very diverse Android ecosystem.

Pegasus Spyware / Trident for iOS was based on 3 vulnerabilities unsurprisingly a WebKit memory corruption, a Kernel info leak, and a kernel memory corruption. The spyware was capable of accessing text messages, iMessages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, Facetime, Calendar, Line, Mail.Ru, WeChat, Surespot, Tango, Telegram, and others. (Source: Lookout Technical Report).

Oversec.io seems to implement our idea of mobile OTR on top of any messenger app. Oversec still looks very beta and I haven't tried it out. If anybody has tried it I would like to hear about it.

Pictures of the month:
(source: @raviborgaonkari)

(source: @marcwrogers)

Links

Tuesday, July 12 2016

Mobile Security News Update July 2016

Conferences
    SummerCon July, Brooklyn, NY. THE FIREWALL ANDROID DESERVES: A CONTEXT-AWARE KERNEL MESSAGE FILTER AND MODIFIER by DAVID WU.

    Defcon August, Las Vegas. SITCH - Inexpensive, Coordinated GSM Anomaly Detection by ashmastaflash. A Journey Through Exploit Mitigation Techniques in iOS by Max Bazaliy. Stumping the Mobile Chipset by Adam Donenfeld. How to Do it Wrong: Smartphone Antivirus and Security Applications Under Fire by Stephan Huber and Siegfried Rasthofer. Discovering and Triangulating Rogue Cell Towers by JusticeBeaver (Eric Escobar). Samsung Pay: Tokenized Numbers, Flaws and Issues and Salvador Mendoza. Attacking BaseStations - an Odyssey through a Telco's Network by Henrik Schmidt and Brian Butterly. Forcing a Targeted LTE Cellphone into an Unsafe Network by Haoqi Shan and Wanqiao Zhang.

Another month has passed and I'm super late again on this blog post.

HushCon EAST badges were super awesome (picture below) did some hacking on them with Trammell Hudson: Hushcon 2016 pagers.


The wait is over, here is the final blog post including source code on Qualcomm's TrustZone: Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption Source extractKeyMaster

The Android Security Bulletin July 2016 fixes a really large number of bugs, including a Remote code execution vulnerability in Bluetooth and Remote code execution vulnerability in OpenSSL & BoringSSL. It is really good to see stuff being fixed and talked about in the open.

Summary on Pokemon GO's permission to your Google Account by the guys from Trail of Bits.

Funny picture of the month:


Links

Monday, June 06 2016

Mobile Security News Update June 2016

Conferences
    Black Hat USA August, Las Vegas. 1000 WAYS TO DIE IN MOBILE OAUTH by Eric Chen, Patrick Tague, Robert Kotcher, Shuo Chen, Yuan Tian, Yutong Pei. ADAPTIVE KERNEL LIVE PATCHING: AN OPEN COLLABORATIVE EFFORT TO AMELIORATE ANDROID N-DAY ROOT EXPLOITS by Tao Wei, Yulong Zhang. ATTACKING BLUETOOTH SMART DEVICES - INTRODUCING A NEW BLE PROXY TOOL by Slawomir Jasek. PANGU 9 INTERNALS by Hao Xu, Tielei Wang, Xiaobo Chen. SAMSUNG PAY: TOKENIZED NUMBERS, FLAWS AND ISSUES by Salvador Mendoza. CAN YOU TRUST ME NOW? AN EXPLORATION INTO THE MOBILE THREAT LANDSCAPE by Josh Thomas. DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR by Mathew Solnik, Tarjei Mandt. BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS by Vincent Tan THE ART OF DEFENSE - HOW VULNERABILITIES HELP SHAPE SECURITY FEATURES AND MITIGATIONS IN ANDROID by Nick Kralevich.

    Shakacon July 13-14, Honolulu, HI. FRUIT VS ZOMBIE: DEFEAT NON-JAILBROKEN IOS MALWARE BY CLAUD XIAO. Bluetooth Low Energy...by SUMANTH NAROPANTH, CHANDRA PRAKASH GOPALAIAH & KAVYA RACHARLA
Defcon still doesn't have the agenda or accepted talks up.

The Qualcomm Mobile Security Summit was super awesome once again. Good talks, interesting hallway conversations and always good to see friends.


SektionEins (Stefan Esser) release a jailbreak and anomaly detection app for iOS and eventually got band from the AppStore by Apple. The speculation is that Apple wants to hide the fact that certain sandbox and security features don't work as advertised and thus his App got band. The app likely wasn't band just because it can detect a jailbreak since like every app does exactly this, including apps like WhatsApp. There are also several process list viewers for iOS.


I finally could checkout a Blackberry PRIV. The actual hardware looks pretty sweet. I got a quick demo of the security and privacy features added by RIM, specially DTEK. I really liked the device security/privacy status overview, every phone should have that.

Qualcomm KeyMaster keys etracted from TrustZone waiting for the writeup. The previous blog posts where super good already, but this one should be really interesting.

Links

Friday, May 06 2016

Mobile Security News Update May 2016

Conferences
    Black Hat USA Las Vegas. DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR by Tarjei Mandt and Mathew Solnik. ADAPTIVE KERNEL LIVE PATCHING: AN OPEN COLLABORATIVE EFFORT TO AMELIORATE ANDROID N-DAY ROOT EXPLOITS by Tao Wei and Yulong Zhang. CAN YOU TRUST ME NOW? AN EXPLORATION INTO THE MOBILE THREAT LANDSCAPE by Josh Thomas. SAMSUNG PAY: TOKENIZED NUMBERS, FLAWS AND ISSUES by Salvador Mendoza.

    AppSec EU Rome. Don't Touch Me That Way. by David Lindner and Jack Mannino. Automated Mobile Application Security Assessment with MobSF by Ajin Abraham. Why Hackers Are Winning The Mobile Malware Battle - Bypassing Malware Analysis Techniques by Yair Amit.

    Hack in The Box Amsterdam, NL. SANDJACKING: PROFITING FROM IOS MALWARE by Chilik Tamir. FORCING A TARGETED LTE CELLPHONE INTO AN EAVESDROPPING NETWORK by Lin Huang. ADAPTIVE ANDROID KERNEL LIVE PATCHING by Tim Xia and Yulong Zhang. COMMSEC TRACK: INSPECKAGE - ANDROID PACKAGE INSPECTOR by Antonio Martins.

    Area41 When providing a native mobile application ruins the security of your existing Web solution by Jeremy Matos. IMSecure - Attacking VoLTE and other Stuff by Hendrik Schmidt & Brian Butterly. Reversing Internet of Things from Mobile Applications by Axelle Apvrille.

    Recon Montreal, CA. Breaking Band by Nico Golde and Daniel Komaromy. Hardware-Assisted Rootkits and Instrumentation: ARM Edition by Matt Spisak

This was a long break, I was covered in work and had other things to do. But I'm not giving up this blog. Sadly I missed a bunch of conferences earlier this year. Especially CanSecWest and Troopers/TelSecDay. TelSecDay looked really awesome this year! Sad to have missed it.

Work with me and other awesome people at Square we are looking for a bunch of different mobile security related people. Android and iOS!

For those who are interested in TrustZone or TrustZone implementations check out: War of the Worlds - Hijacking the Linux Kernel from QSEE This blog has a lot of awesome research on TrustZone and Qualcomm's implementation.

60 Minutes: shows how easily your phone can be hacked. As I said earlier on Twitter, this is as good as it gets on TV. All of the people on the show are pros (know all of them personally!). Of course if you are an expert yourself you will complain about anything shown on TV ;-)

Dilbert gets it:


Related to the iPhone will be bricked if the clock is set back too far.



Links

Tuesday, March 08 2016

Mobile Security News Update March 2016

Conferences
    CanSecWest Vancouver, Canada. Don't Trust Your Eye: Apple Graphics Is Compromised! - Liang Chen + Marco Grassi. Having fun with secure messengers and Android Wear - Artem Chaykin. Pwn a Nexus device with a single vulnerability - Guang Gong.

    Troopers Heidelberg, Germany. QNX: 99 Problems but a Microkernel ain't one! Georgi Geshev, Alex Plaskett.


Looks like I will go to very few conferences this year.

We finally published our paper on Android application analysis support using intelligent GUI stimulation. The work CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes uses / enhances Andrubis.

Excellent post on Apple vs FBI by Dan Guido: Apple can comply with the FBI court order


Links

Tuesday, February 09 2016

Mobile Security News Update February 2016

Conferences:
    SyScan360 March, Singapore. Browsers Bug Hunting and Mobile device exploitation by Francisco Alonso.

    Black Hat Asia March, Singapore. ANDROID COMMERCIAL SPYWARE DISEASE AND MEDICATION by Mustafa Saad. ENTERPRISE APPS: BYPASSING THE IOS GATEKEEPER by Avi Bashan & Ohad Bobrov. HEY YOUR PARCEL LOOKS BAD - FUZZING AND EXPLOITING PARCEL-IZATION VULNERABILITIES IN ANDROID by Qidan He. SU-A-CYDER: HOMEBREWING MALWARE FOR IOS LIKE A B0$$! by Chilik Tamir.


Mobile Pwn0rama the SyScan version of mobile pwn2own. Very cool!

CopperheadOS beta released for Nexus 5, 9, and 5X. I need to buy a new phone to try this out. For those who don't know about CopperheadOS, it is a hardened Android. I was waiting for something like this for a long time. Not as a user more like somebody should really do this. Anyway, looks pretty cool.

Last weekend I published a write-up on CVE-2016-0728 vs Android. The TL;DR is that this vulnerability was totally over hyped for Android. There is no practical impact for the Android platform.

Links:

Saturday, February 06 2016

CVE-2016-0728 vs Android

CVE-2016-0728 has made some headlines in the security world since it is a relatively easy to exploit Linux local privilege escalation vulnerability. Perception Point (the company who found the vulnerability) claimed that approximately 66% of all Android devices are vulnerable to this issue, if this is true that would have quite some impact on Android users. Perception Point did not evaluate if the vulnerability is actually present and exploitable on the Android platform. A lot of people, including myself, were very curious about the impact of this bug on Android. Here is a write-up of my investigation of the impact of CVE-2016-0728 on the Android world. TL;DR impact almost none! (please continue reading).

When I first heard about this vulnerability I modified the PoC and tried to validate the presence of the vulnerability using various Android devices. I could not find any device that contained the vulnerability. I had access to several Nexus devices and number of Samsung devices. After failing blindly I started investigating the details. I also asked friends who do a lot of Android work to see if they had tried and/or made it work. Nobody was able to find a device that was actual vulnerable. I only found one person who claimed to gotten the exploit working on LG device. According to his post it takes more than 6 hours to trigger the vulnerability and only one out of three tries he got it working. This alone gives you a good indication on the impact on this vulnerability. The battery of most phones will run out in less than 6 hours due to running an application that constantly hits the kernel.

Here a technical rundown of why this vulnerability is not an issue for the vast majority of Android devices.

Mitigating Factors

Kernel Version

The vulnerability supposingly was introduced with Kernel version 3.8 and later. A lot of Android 5.0 devices run a 3.4 Kernel.

Kernel Configuration

CONFIG_KEYS:
The code containing the vulnerability is part of the key retention service of the Linux kernel. The service is only present if the kernel was built with CONFIG_KEYS enabled. Looking at the default AOSP kernel config you can see that CONFIG_KEYS is not enabled. Android devices that are based on the AOSP kernel config do not contain the vulnerable code, as a result they are not affected by this vulnerability. Further, not all versions of the key retention service contained the vulnerable code, this again reduces the number of affected devices. When looking at the overall device population the presence of the key retention service provides an upper bound for the number of affected devices.

We can also use the Android Census to identify which devices and firmware versions use kernels with CONFIG_KEYS enabled. If CONFIG_KEYS is enabled, the /proc/keys directory will be present. Based on this data, only 125 out of the 480 unique Android installations examined have /proc/keys and therefore, CONFIG_KEYS enabled in their kernels.

KALLSYMS:
A portable and automated exploit (based on the PoC) would require access to /proc/kallsyms to acquire memory addresses of kernel code. Recent Android versions zero out the actual memory addresses when kallsyms is read by a non uid=0 process.

SELinux

Android 4.4 (KitKat) and later include SELinux, but Android 5.0 (Lollipop) notably requires SELinux to be in enforcing mode instead of permissive as was the case in Android 4.4. SELinux on Android reduces the attack surface of the Linux kernel by restricting the use of a number of kernel services to trusted applications. In this case, the SELinux policy in the Android Open Source Project (AOSP) and on Nexus devices restricts access to kernel keyring objects from the untrusted_app domain and this prevents apps from the Play Store or other sources from triggering or exploiting the vulnerability. For example, when an app tries to execute the keyctl system call to create or access a keyring object, the system call is denied and an SELinux kernel error is logged to the system log:
[ 3683.432511] type=1400 audit(1453676165.345:15): avc: denied 
{ search } for pid=7848 comm="PoCtest" 
scontext=u:r:untrusted_app:s0:c512,c768 
tcontext=u:r:untrusted_app:s0:c512,c768 tclass=key permissive=0
The public PoC exploit uses SysV IPC (msgget) to allocate the memory chunk that is passed to the vulnerable code. The SELinux policy on Android 5.0 and upwards blocks SysV IPC and thus blocks the method of obtaining a usable memory chunk that is used by the PoC exploit. Below is the output of SELinux blocking the call to msgget taken from the Linux kernel ring buffer on a Android 5.0 device. I tested the this on a Nexus 5x running Android 6 and on a Nexus 7 running Android 5.0running the PoC from an adb shell, system log output below:
<4>[59201.392059] type=1400 audit(1453400116.210:13): avc: 
denied { create } for pid=21470 comm="PoCtest" 
scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=msgq
The PoC can be adapted to use a different method for allocating memory rather than SysV IPC msgget, but historically Android malware only uses of-the-shelf exploits, if they use any vulnerability at all.

The Android device ecosystem, however, is much more varied and diverse than the stock AOSP tree and Nexus devices that follow it very closely. In particular, SEAndroid policies in the wild often add more types, domains, type transitions, and rules to the AOSP SELinux policies. Using the Android Census we find 160 sepolicies have key rules from untrusted_app.

Results

There are several limiting factors that make this vulnerability a non issue for Android:
  • SELinux policies from Android 5.0 and later block access to the vulnerable kernel code
  • Kernel versions used by various Android devices are either too old or don't use CONFIG_KEYS
  • The exploit requires 30 minutes to run on a 3.0 Ghz Intel i7 and according to XDA developers it took several tries and a runtime of 6 hours to get this working on an Android device


The conclusion I draw is that this vulnerability will not pose a serious risk to the Android ecosystem due to the mitigating factors described above. Maybe individual devices do contain the vulnerability but the worst case scenario is that the owner of the device will use the bug to root his own device. Given he is very patient and can live without using his device for 6 hours or more. One thing that is certain is that the percentage given by Perception Point is absolutely not true and should not haven been repeated by everyone who reported on this.

Acknowledgments:
    This blog post is based on discussions I had with various people, most notably Dino Dai Zovi and Janek Klawe. Vlad Tsyrklevich deserves massive credit for his Android Census database, a super valuable source for this kind of research.

Links:

Monday, January 18 2016

Mobile Security News Update January 2016

Conferences:
    Black Hat Asia March 29, Singapore. ANDROID COMMERCIAL SPYWARE DISEASE AND MEDICATION by Mustafa Saad. ENTERPRISE APPS: BYPASSING THE IOS GATEKEEPER by Avi Bashan & Ohad Bobrov. HEY YOUR PARCEL LOOKS BAD - FUZZING AND EXPLOITING PARCEL-IZATION VULNERABILITIES IN ANDROID by Qidan He. SU-A-CYDER: HOMEBREWING MALWARE FOR IOS LIKE A B0$$! by Chilik Tamir.


I guess it is still too early in the year for conference programs. ShmooCon just concluded, Infiltrate doesn't have any mobile talks, and SyScan didn't post accepted talks yet. This weekend I attended the first BSidesNYC. The conference was pretty good, some expected and some unexpected good talks. The conference venue was pretty nice and spacious. I will go again.

If you are into NFC research checkout: ChameleonMini - A Versatile NFC Card Emulator a new kickstarter project. The guys who run it definitely know what they are doing.

Links:

Thursday, December 24 2015

Mobile Security News Update December 2015

I've gotten a little lazy with this blog but I promise I will post more often in 2016.

Conferences
    32c3 27-30 December, Hamburg, Germany. Iridium Update: more than just pagers by Schneider and Sec. Running your own 3G/3.5G network: OpenBSC reloaded by LaForge. (Un)Sicherheit von App-basierten TAN-Verfahren im Onlinebanking (in German) by Vincent Haupert.

    ShmooCon January 15 - 17, Washington D.C. Hiding from the Investigator: Understanding OS X and iOS Code Signing to Hide Data by Joshua Pitts. LTE Security and Protocol Exploits by Roger Piqueras Jover.

    BSides NYC January 16, NYC. 99 Problems but a Microkernel ain't one! by Alex Plaskett. Mobile implants in the age of cyber-espionage by Dmitry Bestuzhev.

    Black Hat ASIA March 31 - April 1, Singapore. HEY YOUR PARCEL LOOKS BAD - FUZZING AND EXPLOITING PARCEL-IZATION VULNERABILITIES IN ANDROID by Qidan He.

    NDSS 2016 February 21 - 24, San Diego. Has a good number of Android related papers. Some titles look quite interesting.

As I said before, I'm neither attending 32c3 nor Shmoocon. I'll be attending BSides NYC tho.

Google suspended Android-vts the only up to date Android device vulnerability scanner. No idea if Google would allow it back after fixing the issues. On the other side I rather have a tool that can find a large number vulnerabilities rather than having a crippled version in the Play Store.

Jobs

Links

Thursday, November 19 2015

Mobile Security News Update November 2015

Conferences
    upcoming: 32C3 (December), ShmooCon (January)

CFPs
$10 Android Phone Walmart has a $10 Android phone. It is an LG device with Android 4.4 specs. I agree with Patrick McCanna on Smartphones @ featurephone prices will be a significant milestone towards monetizing mobile hacking. These prices really mean everybody is going to have a smartphone. Like everybody. I ordered two of those to play with.

Mobile pwn2own: two interesting results. (1) baseband of a Samsung S6 Edge, the payload was able to redirect incoming calls. This was done by my buddies Nico Golde and Daniel Komaromy. Here a picture of their setup. Story by various sites: 1, 2 (German), 3. (2) drive by APK install on Nexus 6 without user interaction by Guang Gong. tweets: 1 2 (with picture).

LTE Security: pretty interesting talk and paper about LTE design and implementation vulnerabilities. slides white paper. Blogpost by the same people: Practical attacks against 4G (LTE) access network protocols. One thing I didn't notice is how cheap LTE research is already. Their setup is just over $1000, which seems rather cheap for LTE.


Jobs

Links

Friday, October 23 2015

Mobile Security News Update October 2015 part II

Conferences
    ekoparty October 21-23, Buenos Aires. ARM disassembling with a twist by Agustin Gianni and Pablo Sole. Exploiting GSM and RF to Pwn you Phone by Manuel Moreno and Francisco Cortes. Faux Disk Encryption: Realities of Secure Storage on Mobile Devices by Drew Suarez and Daniel Mayer. New Age Phreacking: Tacticas y trucos para fraudes en Wholesale by David Batanero.

    Hackito Ergo Sum October 29-30, Paris, France. Malicious AVPs: Exploits to the LTE Core by Laurent Ghigonis & Philippe Langlois. Android malware that won't make you fall asleep by By Lukasz Siewierski.

The RIM BlackBerry PRIV looks like a real interesting device. The PRIV seems to focus on security. The website claims a hardend linux kernel, and indeed they seem to run a grsec kernel as you can see in this picture (lower left corner) posted on the Crackberry forum. Some comments about this in this series of tweets.



There is a new security news outlet with focus on the consumer angle it is called The Parallax. It is super new and does not have many articles yet. But I think the consumer focus could be interesting.


Job Section (just because I know about a bunch of stuff)
Links

Sunday, October 04 2015

Mobile Security News Update October 2015

Conferences
    Black Hat Europe November, Amsterdam NL. ALL YOUR ROOT CHECKS BELONG TO US: THE SAD STATE OF ROOT DETECTION by Azzedine Benameur & Nathan Evans & Yun Shen. ANDROBUGS FRAMEWORK: AN ANDROID APPLICATION SECURITY VULNERABILITY SCANNER by Yu-Cheng Lin. AUTHENTICATOR LEAKAGE THROUGH BACKUP CHANNELS ON ANDROID by Guangdong Bai. FAUX DISK ENCRYPTION: REALITIES OF SECURE STORAGE ON MOBILE DEVICES by Daniel Mayer & Drew Suarez. FUZZING ANDROID: A RECIPE FOR UNCOVERING VULNERABILITIES INSIDE SYSTEM COMPONENTS IN ANDROID by Alexandru Blanda. LTE & IMSI CATCHER MYTHS by Ravishankar Borgaonkar & Altaf Shaik & N. Asokan & Valtteri Niemi & Jean-Pierre Seifert. TRIAGING CRASHES WITH BACKWARD TAINT ANALYSIS FOR ARM ARCHITECTURE by Dongwoo Kim & Sangwho Kim.

    Secret Conference October 9th, NYC. Talks by Jon Callas and Dan Ford from Silent Circle / Blackphone.

    Ruxcon October 24-25 Melbourne, Aus. TEAM PANGU on DESIGN, IMPLEMENTATION AND BYPASS OF THE CHAIN-OF-TRUST MODEL OF IOS. MARK DOWD on MALWAIRDROP: COMPROMISING IDEVICES VIA AIRDROP. JOSHUA KERNELSMITH SMITH on HIGH-DEF FUZZING: EXPLORING VULNERABILITIES IN HDMI-CEC. BABIL GOLAM SARWAR on HACK NFC ACCESS CARDS & STEAL CREDIT CARD DATA WITH ANDROID FOR FUN &PROFIT. COLBY MOORE on SPREAD SPECTRUM SATCOM HACKING: ATTACKING THE GLOBALSTAR SDS.

    ToorCon San Diego October 24-25, San Diego, CA. The Phr3$h Pr1nc3 0f Bellk0r3 on Fuzzing GSM for fun and profit.

    SyScan360i October 21-22 Beijing China. Fuzzing Android System Service by Binder Call to Escalate Privilege by Guang Gong.

    PacSec November, Tokyo JP. BlueToot / BlueProx - when Bluetooth met NFC by Adam Laurie.

    ZeroNights 25-26 November, Russia. Extracting the painful (Blue)tooth by Matteo Beccaro and Matteo Collura.


HP / ZDI will not run Mobile Pwn2Own at PacSec (in Japan) due to export restrictions. Source Dragos Ruiu. This is unfortunate.

Personal note: Since September I'm working for Square doing mobile security engineering. This blog will only be temporarily affected by the job switch as I get settled I will return to more then one post per month.

Links

Tuesday, September 01 2015

Mobile Security News Update September 2015

Conferences
    Black Hat Europe Nov 12-13 Amsterdam. (IN-)SECURITY OF BACKEND-AS-A-SERVICE by Siegfried Rasthofer & Steven Arzt. ALL YOUR ROOT CHECKS BELONG TO US: THE SAD STATE OF ROOT DETECTION by Azzedine Benameur & Nathan Evans & Yun Shen. AUTHENTICATOR LEAKAGE THROUGH BACKUP CHANNELS ON ANDROID by Guangdong Bai. LTE & IMSI CATCHER MYTHS by Ravishankar Borgaonkar & Altaf Shaik.

    Ruxcon Oct 25. Melbourne Australia. HIGH-DEF FUZZING: EXPLORING VULNERABILITIES IN HDMI-CEC by JOSHUA 'KERNELSMITH' SMITH. DESIGN, IMPLEMENTATION AND BYPASS OF THE CHAIN-OF-TRUST MODEL OF IOS by Team Pangu.

    Hacker Halted September 17th, Atlanta GA. One SMS to hack a company by Dmitry Chastuhin. Why You'll Care More About Mobile Security in 2020 by Tom Bain.

    Virus Bulletin September 29th, Prague. Mobile banking fraud via SMS in North America: who's doing it and how by Cathal Mc Daid. Will Android trojan, worm or rootkit survive in SEAndroid and containerization? by William Lee and Rowland Yu. Dare 'DEVIL': beyond your senses with Dex Visualizer by Jun Yong Park and Seolwoo Joo. Android ransomware: turning CryptoLocker into CryptoUnlocker (live demo) by Alexander Adamov.

CFPs Unfortunately I had to cancel my talk at Android Security Symposium in Vienna due to a scheduling conflict. It is a real bummer but I can't do anything about it. The replacement talk is done by my friend and research buddy Matthias he is doing a talk on one of our previous mitigation projects.

The iOS KeyRaider malware looks rather interesting. It combines a lot of different functionality. Such as steeling AppStore credentials and a ransomware module. This malware again only targets jailbroken iOS devices, users specifically had to download apps from third-party Cydia repositories. So this is not a general threat but a threat to people who jailbreak their device. If you jailbreak you likely have a very specific need and you hopefully know what you are doing. If not, just don't jailbreak your device (no matter what OS is runs).

I just found this recently published paper titled: Header Enrichment or ISP Enrichment? Emerging Privacy Threats in Mobile Networks. The paper studies HTTP header modifications and injection that is done by mobile network operators. The paper more or less is a direct follow up to my paper on the same subject titled: Privacy Leaks in Mobile Phone Internet Access. Their paper looks at what happens to smart phones that actually use HTTP (my work was mostly focused on phones that used the WAP technology - even though WAP was translated to HTTP to access regular web pages). Anyway their paper provides a good insight in what is happening. If you run a website that get a lot of mobile traffic you should look if you see some of the HTTP headers that are injected by the mobile carriers.

Links
A rather short updates this time. Until next time!

Tuesday, August 18 2015

Mobile Security News Update August 2015

Finally I have time to write a new blog post again. The last couple of weeks have been super busy for me. I had to finish a project, prepare a talk about it, and give a bunch of talks at various places in July and August.

Conferences
    T2 Helsinki, Finland. LTE (in) Security Ravishankar Borgaonkar & Altaf Shaik.

    BalcCon Novi Sad, Vojvodina, Serbia. Private communications with mobile phones in the post-Snowden world, the _open_source_ way by Bojan Smiljanic.

    APPSEC USA San Francisco, CA. QARK: Android App Exploit and SCA Tool by Tushar Dalvi and Tony Trummer. SecureMe - Droid' Android Security Application by Vishal Asthana and Abhineet Jayaraj. OWASP Reverse Engineering and Code Modification Prevention Project (Mobile) by Jonathan Carter. ShadowOS: Modifying the Android OS for Mobile Application Testing by Ray Kelly.

    GrrCon Grand Rapids, MI. Phones and Privacy for Consumers by Matthew and David


Smartwatches
    I recently bought an Apple Watch. The primary reason was fun. Also since I switched to Two-Factor Authentication (2FA) for all my private infrastructure and all my web accounts that support it I though it would make life easier. I use Duo 2FA for my own stuff and they have a Watch app which is pretty convenient. Before I owned the first pebble watch. I liked that a lot even tho I had a lot of issues with the Bluetooth connection between the pebble and my Nexus 5. Sometimes it worked great and sometimes it just didn't work at all. I also got a LG G Watch R (W110) (Android Wear) but I didn't really use it. It was much too big for my wrist. Also the round display was kinda strange. Some of the apps seem to not be designed for it and cut off parts of the information that should be displayed. I also found the interface to be confusing, but this might be due to my very very short trial run of the watch. Between the pebble and the LG Watch I also had a Toq but the Toq had many issues besides its size so I never really used it. I tried to wear it like once.

    Anyway the only reason I write about smartwatches is because I really like the Duo 2FA watch app. This makes 2FA much much easier and user friendly. I known I'm not the first to write about smartwatches or wearables in the security context but the user friendliness could really make a difference. Also a watch is harder to loose then a token (if you still use one of those).


Stagefright
    I guess I don't have to say much about the Stagefright series of Android security vulnerabilities. The vulnerabilities are present in Android's media format handling library (named stagefright). Several factors make this bugs interesting. First, every Android version after 2.2 was vulnerable (at the time of discovery) that was around 95% of all devices. Second, the bug can be remotely triggered via MMS. Yes MMS once again provides the ultimate attack vector against smartphones. Who would have known? ;-)

    The bug was patched relatively fast by Google since Joshua provided patches. Google started shipping OTA updates for their Nexus devices relatively fast. Still most Android devices will not get patched or will receive their patches super late (and thus users will not be protected in a timely fashion). The reason for this is mostly the mobile ecosystem which is largely not suited for fast patch deployment. I provided some comments about this issue on NPR in late July.

    While patches/updates were rolled out Jordan from Exodus found that the patches are not complete and contain more vulnerabilities in the exact code that was fixed in the update. His blog post describing the issue is here.

    The only way to protect yourself is to update your device to firmware version that does not contain the vulnerability. If you are one of the many people who own phones that did not yet receive an update your only chance is to disable MMS auto-download. This will not kill the bug since you can still be attacked using other vectors (e.g. download and play a .mp4 file) but disabling MMS auto-download will at at least remove the automatic remote exploitation problem. A step by step way to disable MMS auto-download for various MMS clients is provided by Lookout here.

    Stagefright links:

Links

Tuesday, July 21 2015

Hacking Team took a bunch of my Stuff :-(

Everybody heard that Hacking Team got hacked 1, 2, 3, 4 While I think this is pretty great since they are kinda known to be scumbags since they sell to repressive governments I found out about not so great things around this hack. Actually I didn't find out myself put was pointed to it by other people on Twitter (1) , via email, and personal (thanks Michael Weissbacher!).

Basically I was told that Hacking Team used a bunch of my Android tools to build their monitoring software for Android.

What got me really upset is this email:
    I was analysing recent leak of hacking team from italy, and saw you supply the core android audiocapture for hijack voice calls on android. Have you updated it to new devices like lollypop?
This person thinks that I wrote the Android voice call interception for Hacking Team. This is obviously not the case! Hacking Team took my ADBI framework and tools to build their software around it. The software this specific email is talking about is hackedteam/core-android-audiocapture (the link goes to the hackedteam GitHub repository). You can see that they kept even the original filenames (e.g. libt.c) that was part of my original ADBI release.

click for large image
The reason why someone might think I wrote those tools for Hacking Team are pretty obvious once you take a look at the leaked code. Take, for example, the libt.c file from the HackedTeam repository. Hacking Team left all the copyright information (my name, website, and email address) in those files.

In addition to my ADBI framework Hacking Team also used my SMS fuzzer injector that I wrote in 2009 while working on the SMS fuzzing project together with Charlie Miller. Their Android fuzzer also made use of my ADBI framework.

Conclusions:
    I'm pretty angry and sad to see my open source tools being used by Hacking Team to make products to spy on activists. Even worse is the fact that due to the lazy way they managed their source repository less informed people might get the idea that I developed parts of their tools for them. Just to make this very clear: I did not write any of those tools for Hacking Team.

    For the future I will use a license for all my software that excludes use for this kind of purpose. I have no clue yet how this license would look like so if anybody has a hint about pre existing open source licenses that exclude this kind of usage please drop me an email.

    Obviously Hacking Team also used other open source software such as Cuckoo Sandbox. I hope everybody is going to think about future license to prevent this kind of usage. I'm not a lawyer but I would be interested in what legal action one could take if their software license excluded the use case of Hacking Team.


Below some links to the Hackedteam GitHub repository and the link to my ADBI repository. You can clearly see that it is based on my software.

Links:
Comments welcome via email to: collin AT mulliner.org

Tuesday, June 23 2015

Mobile Security News Update June 2015 (part 2)

Conferences
    Defcon QARK: Android App Exploit and SCA Tool Tony Trummer and Tushar Dalvi (this is the only talk that was added after my last post)

    Breakpoint 22-23 October, Melbourne, Australia. TEAM PANGU: DESIGN, IMPLEMENTATION AND BYPASS OF THE CHAIN-OF-TRUST MODEL OF IOS; JORDI VAN DEN BREEKEL: RELAYING EMV CONTACTLESS TRANSACTIONS WITH OFF-THE-SHELF ANDROID DEVICES; DMITRY KURBATOV: ATTACKS ON TELECOM OPERATORS AND MOBILE SUBSCRIBERS USING SS7.
All other conferences still have their CFPs open and didn't post any talks yet. The BreakPoint schedule is also not final yet.

I wanted to point to something that apparently not many people know about: Pangu jailbreak installs unlicensed code on millions of devices. Pangu has their own statement about this. The Wikipedia page about Pangu Team states that they didn't have to sign an NDA for the training and therefore can use the vulnerability. Stefan's point is not about the vulnerability but about his code. All in all I can't verify all claims but I would say I know Stefan well enough to say that he would not make this up simple because he doesn't need to. He is very well known anyway so this is not a publicity issue for him. I 100% agree with Stefan's point of view about denying people from speaking at conferences if they are known to take credit or sell code they don't own or have a license for. I encourage everybody to read up on this and to read statements made by BOTH sides. Please share your opinion with people who run conferences.

Android now has a bug bounty program, or as the call it Android Security Rewards Program. Pretty cool, I wonder if they get more submissions because of this.

Apple tries to kill plain-text connections "If you're developing a new app, you should use HTTPS exclusively.". This feature is called App Transport Security (ATS) and in the current iOS 9 version it can still be disabled. See: Configuring App Transport Security Exceptions in iOS 9 and OSX 10.11.

Android has had a similar feature for some time. Android M introduces a new Manifest option to declare if an app uses clear text traffic or not. Deepening on this option the framework can deny clear text traffic from the app. A decent writeup on this topic is here: Android M and the war on clear text traffic.

Links

Monday, June 08 2015

Mobile Security News Update June 2015

Conferences
    Black Hat USA AH! UNIVERSAL ANDROID ROOTING IS BACK by Wen Xu; ANDROID SECURITY STATE OF THE UNION by Adrian Ludwig; ATTACKING YOUR TRUSTED CORE: EXPLOITING TRUSTZONE ON ANDROID by Di Shen; CERTIFI-GATE: FRONT-DOOR ACCESS TO PWNING MILLIONS OF ANDROIDS by Ohad Bobrov & Avi Bashan; CLONING 3G/4G SIM CARDS WITH A PC AND AN OSCILLOSCOPE: LESSONS LEARNED IN PHYSICAL SECURITY by Yu Yu; COMMERCIAL MOBILE SPYWARE - DETECTING THE UNDETECTABLE by Joshua Dalman & Valerie Hantke; CRASH & PAY: HOW TO OWN AND CLONE CONTACTLESS PAYMENT DEVICES by Peter Fillmore; FAUX DISK ENCRYPTION: REALITIES OF SECURE STORAGE ON MOBILE DEVICES by Daniel Mayer & Drew Suarez; FINGERPRINTS ON MOBILE DEVICES: ABUSING AND LEAKING by Yulong Zhang & Tao Wei; FUZZING ANDROID SYSTEM SERVICES BY BINDER CALL TO ESCALATE PRIVILEGE by Guang Gong; MOBILE POINT OF SCAM: ATTACKING THE SQUARE READER by Alexandrea Mellen & John Moore & Artem Losev; REVIEW AND EXPLOIT NEGLECTED ATTACK SURFACES IN IOS 8 by Tielei Wang & HAO XU & Xiaobo Chen; STAGEFRIGHT: SCARY CODE IN THE HEART OF ANDROID by Joshua Drake; THIS IS DEEPERENT: TRACKING APP BEHAVIORS WITH (NOTHING CHANGED) PHONE FOR EVASIVE ANDROID MALWARE by Yeongung Park & Jun Young Choi; TRUSTKIT: CODE INJECTION ON IOS 8 FOR THE GREATER GOOD by Alban Diquet & Eric Castro & Angela Chow

    Defcon RFIDiggity: Pentester Guide to Hacking HF/NFC and UHF RFID by Francis Brown and Shubham Shah; How to Shot Web: Web and mobile hacking in 2015 by Jason Haddix; LTE Recon and Tracking with RTLSDR by Ian Kline; Extracting the Painful (blue)tooth by Matteo Beccaro and Matteo Collura; Stagefright: Scary Code in the Heart of Android by Joshua J Drake; Build a free cellular traffic capture tool with a vxworks based femoto by Yuwei Zheng and Haoqi Shan

This year Black Hat US really has a large number of mobile related talks!

There is not too much to talk about otherwise. I still have to read all the stuff about Android M, some stuff is covered in the links section below. Make sure to checkout some of the HITB Amsterdam 2015 slides. Some good stuff in there for us mobile sec people.

I was really amazed how much publicity the iOS messaging crash got. Yes, it was easy to trigger. But yes, this kind of stuff happened before.

Links

Monday, May 18 2015

Mobile Security News Update May 2015 part 2

Conferences
    SourceBoston Mat 2015: A Swift Teardown by Jared Carlson; iOS App Analytics VS Privacy: An analysis of the use of analytics by Guillaume Ross. (they still have TBD slots)

    ReCon Montreal, Canada (June): Building a Better Bluetooth Attack Framework by Chris Weedon

    Black Hat USA ADVENTURES IN FEMTOLAND: 350 YUAN FOR INVALUABLE FUN by Alexey Osipov & Alexander Zaitsev; ATTACKING YOUR TRUSTED CORE: EXPLOITING TRUSTZONE ON ANDROID by Di Shen; CERTIFI-GATE: FRONT-DOOR ACCESS TO PWNING MILLIONS OF ANDROIDS by Ohad Bobrov & Avi Bashan; FAUX DISK ENCRYPTION: REALITIES OF SECURE STORAGE ON MOBILE DEVICES by Daniel Mayer & Drew Suarez; HACKING INTO SMARTPHONES AND CARS WITH A SIM CARD by Matt Spisak; STAGEFRIGHT: SCARY CODE IN THE HEART OF ANDROID by Joshua Drake; TRUSTKIT: CODE INJECTION ON IOS 8 FOR THE GREATER GOOD by Alban Diquet & Eric Castro

    CONFidence Krakow: iOS Hacking: Advanced Pentest & Forensic Techniques by Omer S. Coskun; Abusing apns for profit by Karol Wiesek

    Defcon Extracting the Painful (blue)tooth by Matteo Beccaro and Matteo Collura; Build a free cellular traffic capture tool with a vxworks based femoto by Yuwei Zheng and Haoqi Shan

    Android Security Symposium Vienna, Austria, from 9-11 September 2015. Only Android security talks!
Some of the upcoming conferences I covered in earlier month (e.g. HITB Amsterdam).

CFPs
    Breakpoint Melbourne, Australia, October 22th-23th

    SEC-T Stockholm 17-18:th of September 2015

    44con

    The Chaos Communication Camp cfp just closed yesterday.


iPhone: I bought an iPhone 5c (as a tryout device) like two weeks ago. I used to have a iPhone 3G back in 2009. I'm pretty happy with it, usability is great and the radio/antenna seems way better then the one in the Nexus 5. One thing I noticed is that most major apps are much better on the iPhone. There are exceptions like Dropbox. The Dropbox client is missing features compared with the android version. I'm missing the text editor! Also inter-app communication is really a weakness of iOS and a strength of Android. Other annoying stuff: I can't set Chrome to be the default browser. I can't have Signal as the default SMS app. One of the most annoying things are notifications. Many apps don't support privacy friendly notifications on the lock screen. I want to see if there are new emails in an account but I don't want the sender, subject, or content to be shown. The same is true with a lot of apps. It is either no notification or notification with content. Not happy with this! But I'm a big fan of handover.

I total I'm still happy with my tryout iPhone 5c. Let's see how long.

Mobile Killswitch: The mobile killswitch now has it's first possibility for abuse: So this killswitch tech in mobile phones now, kinda scary, especially when I can lock you out from your phone from an app w/ no root by @jcase.


Links

Wednesday, May 06 2015

Mobile Security News Update May 2015

This is actually a delayed April update!

Conferences
    CircleCityCon Indianapolis. ZitMo NoM - Clientless Android Malware Control by David Schwartzberg. Making Android's Bootable Recovery Work For You by Drew Suarez. Hacking the Jolla: An Intro to Assessing A Mobile Device by Vitaly McLain and Drew Suarez.

    ShakaCon Hawaii. Making Android's Bootable Recovery Work for You by Drew Suarez.

    PhDays Moscow. Fighting Payment Fraud Within Mobile NetworksTech by Denis Gorchakov and Nikolai Goncharov. GSM Signal Interception ProtectionFast Track by Sergey Kharkov and Artyom Poltorzhitsky. RFID/NFC for the MassesHands-on Labs by Nahuel Grisolia. iOS Application Exploitation by Prateek Gianchandani.


In the last weeks I went to RSA Conference to hangout with a few people. I met the good guys from NowSecure and Zimperium as well as the fellows of DuoSecurity.

The week after I attended Qualcomm Mobile Security Summit 2015. Again this was a super interesting mobile security focused event, most likely the best one of the year. Good talks and good people. There is no general posting of slides but some presenters published their slide deck. Tim and jcase posted their slides here: Android APP Protection. It was good to meet some guys from @K33nTeam. Their presentation was pretty good too.

If you are interested in learning about Android security take Jduck's and Zach's training at DerbyCon. They know what they are talking about.

This picture is sadly very true. I really dislike the trend going towards big smartphones or phablets.


Nexus 5 issue after a long and painful struggle including factory resetting my Nexus 5 and downgrading it to Android 5.0.1 I gave up and determined that it must be a hardware fault. Most likely the power button. I also found out (via @mweissbacher) that the warranty of our Nexus 5 devices ran out in January :-(

I determined that the only decent device to buy right now is a Moto X in the Pure Edition. The pure edition is basically AOSP like shipped with the Nexus devices. So if you are looking for a normal sized smartphone that runs stock Android this might be a device for you. Motorola even states on their site that the pure edition receives more regular updates then carrier branded devices. Most likely also more frequent updates then devices that run a heavily modified Android version (shipped by most other manufacturers).

News and Links

Tuesday, March 31 2015

Mobile Security News Update March 2015

Back from CanSec! Here the mobile update for March (barely made it!).

Conferences
    RSA Conference has a mobile track (link points to track) but I'm not going to list each talk here.

    Black Hat Mobile Security Summit London, UK. Believe it or not it's all mobile talks! Mostly Android, one iOS and one Windows Phone talk and like 2 generic talks.


CFPs

Android 5.1 / Nexus 5 issues: I recently updated to Android 5.1 (so did my friend Michael). Now we both have massive stability issues with our phones. Michael actually doesn't have stability issues his phone refuses to boot up. It boots until the first colored dots appear and then reboots again. The reason for this bootloop are unknown. Some people say this is due to issues with the phones power button. Michael indeed had some power button issues before the bootloop happened. My phone just started to randomly reboot. The issue seems known (search for Android 5.1 random reboot and you will find many reports).

Official Chinese translation of The Android Hacker's Handbook available on April 10th.

Dimple is a small NFC sticker with four or two buttons for Android devices. You are the one who chooses the button functionality. It makes doing everyday tasks quicker and saves your precious time. <-- from their website. This is basically a set of actual buttons (as in hardware) that you can stick on your Android. The buttons likely just activate a RFID tag that is picked up by your phone that then will perform some action. Very simple technology. Should be farely easy to hack (without physically pressing the button). Let's see, maybe I will order a sample just for fun. I have a pending Android NFC blog post anyway (but not time).

Links

Friday, February 27 2015

Mobile Security News Update February 2015 part 2

Conferences
    BruCon 5-7 October: Daan Raman - A distributed approach to mobile malware scanning, Markus Vervier - Stealing a Mobile Identity Using Wormholes


CFPs
My good friend Nick has started a campaign to support Android users in risk and will provide free iPhones to them

Nice captures of what happens with the cellular service when the President is around: 1 2.

Inside a StingRay. Matt Blaze would take your spare StingRay base unit.

The Gemalto hack by GSHQ/NSA makes a lot of sense and is pretty interesting. Stories by Wired and The Register.


Links

Wednesday, February 11 2015

Mobile Security News Update February 2015

Conferences
    TelcoSecDay @ Troopers Markus Vervier: Borrowing Mobile Network Identities - Just Because We Can, Tobias Engel: Securing the SS7 Interconnect, Ravishankar Borgaonkar - TelcoSecurity Mirage: 1G to 5G, Dieter Spaar - How to Assess M2M Communication from an Attacker's Perspective.

    CanSecWest Timur Yunusov & Kirill Nesterov - Bootkit via SMS: 4G access level security assesment. Team Pangu Userland Exploits of Pangu 8, the first untethered iOS8 jailbreak.

    Hack in the Box Amsterdam The Savage Curtain: Mobile SSL Failures; Eight Ou Two Mobile; Mobile Authentication Subspace Travel; Fuzzing Objects d'ART: Digging Into the New Android L Runtime Internals; Relay Attacks in EMV Contactless Cards with Android OTS Devices; Bootkit via SMS: 4G Access Level Security Assessment

TelcoSecDay @ Troopers looks pretty awesome. Too bad that I can't go because of the 100% overlap with CanSec. Sadly this seems to be a new trend that a number of top conferences overlap or are so close to each other that it is impossible to attend both.

Somebody is selling fake versions of the Android Hacker's Handbook on Amazon. Indicators are missing pictures or the white book backside (original one is black).

We recently presented BabelCrypt at Financial Crypto. I would love to see a usable implementation of this. Unfortunately I don't have the time to make this happen. I would pay money for this app.


Links

Tuesday, January 20 2015

Mobile Security News Update January 2015

Conferences
    SyScan Singapore, March. Dmitry Kurbatov: Attacks on telecom operators and mobile subscribers using SS7: from DoS to call interception. Peter Fillmore: Crash & Pay: Owning and Cloning NFC Payment cards. Stefan Esser: iOS 678 Security - A Study in Fail.

    Black Hat Asia Singapore, March. (IN)SECURITY OF MOBILE BANKING by Eric Filiol & Paul Irolla. ATTACKING SAP MOBILE by Vahagn Vardanyan & Dmitry Chastuhin. DABID: THE POWERFUL INTERACTIVE ANDROID DEBUGGER FOR ANDROID MALWARE ANALYSIS by Jin-hyuk Jung & Jieun Lee. HIDING BEHIND ANDROID RUNTIME (ART) by Paul Sabanal. RELAYING EMV CONTACTLESS TRANSACTIONS USING OFF-THE-SHELF ANDROID DEVICES by Jordi Van den Breekel. RESURRECTING THE READ_LOGS PERMISSION ON SAMSUNG DEVICES by Ryan Johnson & Angelos Stavrou. THE NIGHTMARE BEHIND THE CROSS PLATFORM MOBILE APPS DREAM by Marco Grassi & Sebastian Guerrero. WE CAN STILL CRACK YOU! GENERAL UNPACKING METHOD FOR ANDROID PACKER (NO ROOT) by Yeonung Park.


This year's SyScan unfortunatelly is the last one. Very sad to see this conference go away. SyScan was the first industry conference I spoke at!

There is a new mobile specific venu Black Hat Mobile Security Summit taking place in London in June.

The problem with unpatched bugs in Android continues: Google No Longer Provides Patches for WebView Jelly Bean and Prior. This is really one of the major issues of Android security in my opinion. In 2013 I was working on a system that helps to address this issue. Details can be found here: 1 2.

Links

Friday, January 02 2015

Mobile Security News Update New Year's 2015 Edition

Conferences
    ShmooCon January 2015. Knock Knock: A Survey of iOS Authentication Methods by David Schuetz; There's Waldo! Tracking Users via Mobile Apps by Colby Moore and Patrick Wardle; Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry by Kristen K. Greene, Joshua Franklin, and John Kelsey.

    Black Hat Asia March. DABID: THE POWERFUL INTERACTIVE ANDROID DEBUGGER FOR ANDROID MALWARE ANALYSIS by Jin-hyuk Jung & Jieun Lee; HIDING BEHIND ANDROID RUNTIME (ART) by Paul Sabanal; RELAYING EMV CONTACTLESS TRANSACTIONS USING OFF-THE-SHELF ANDROID DEVICES by Jordi Van den Breekel.

    Troopers March. Hacking FinSpy - a Case Study about how to Analyse and Defeat an Android Law-enforcement Spying App by Attila Marosi (not all speaker slots are filled)


31c3 Review

The Chaos Communication Congress was super fun again (no big surprise!). It was really good to see everybody again at the end of the year. As the congress is getting bigger and bigger every year it is hard to see people more once and I even missed a bunch of you guys! The talks were pretty good this year and I saw quite a few of them. Here a short overview of the mobile related talks that I actually saw live at the conference. Recordings are available: here Slides of most talks are linked in the schedule: here.

The SS7 talks were super interesting. I actually only saw 2 of the 3 talks on SS7 but I'll watch the third one once I get home. The summary of all the talks is: once you get access to SS7 you can easily track phones as often shown on TV shows. Commercial products exist to do this via SS7 (but depending on the manufacturer you cannot use it against every country). SS7-based tracking can be implemented in various ways as Karsten Nohl showed. Very interesting is the fact that IMSI Catchers can benefit from SS7 access as it can be used to access to encryption keys. This basically allows building 3G IMSI catchers. Karsten Nohl showed this live on stage (he intercepted a SMS). SS7 access can be used to steal SMS messages by redirecting the delivery path in the HLR. All in all you can conclude that organizations with SS7 access can do a lot of interesting/bad things. Luckily all the German operators already block many of the security critical SS7 messages from entering their network. SRLabs also released and Android application that analyzes the debug messages from Qualcomm-based phones to determine if your phone is in an unfriendly cellular environment. The tool is called SnoopSnitch.

Slides: 1 2

I also really enjoyed the talk from Sylvain Munaut about GMR-based Sat-Phones (specifically the technology used by Thuraya). He presented the progress of the Osmocom project's implementation of an open GMR stack. One interesting detail was that you can break the GMR crypto within 500msec using a known plain text attack against the control traffic.

Slides: 1

The talk about pagers based on the Iridium satellite network was similar interesting. The presenters build an SDR-based Iridium receiver and sniffed some paging traffic as the satellite beam covers a large region they were able to receive quite a lot of interesting messages. Yes, the traffic is not encrypted! Their code is available here.

Slides: 1

The guys from @scadasl totally rocked the 31c3 as they also gave a lighting talk on their 4G modem research. No slides unfortunately.

The talk Ich sehe, also bin ich ... Du about biometrics vs. cameras by Starbug also looked into smartphone screen reflections in your eye. He showed that you can partially determine what your screen shows and what area you touched with your finger.

The guys from the 31c3 GSM network where playing with the Alert system while I was visiting them in their NOC. One of the results is this:

Links

Wednesday, December 10 2014

Mobile Security News Update December 2014

Conferences
    Kiwicon (going down right now) Wellington, NZ. MitMing GSM with criminal intent by William "AmmonRa" Turner

    31C3 Hamburg, Germany. (In)Security of Mobile Banking by Paul Irolla and Eric Filiol; Mobile self-defense by Karsten Nohl; osmo-gmr: What's new? by tnt; SS7: Locate. Track. Manipulate. by Tobias Engel; SS7map : mapping vulnerability of the international mobile roaming infrastructure by Laurent Ghigonis and Alexandre De Oliveira; Unlocking the bootloader of the BlackBerry 9900 by Alex

    ShmooCon Washington D.C., Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry by Kristen K. Greene, Joshua Franklin, and John Kelsey (not all talks posted yet).

31C3 has an impressive number of good mobile security related talks, in addition to a lot of other good looking security talks. This will be good!

We recently finished a research project on end-to-end encryption for mobile messaging apps. The idea was to have a universal "plugin" that encrypts messages before they are handed over to the messaging app. This way you can use any messaging app with the add-on of end-to-end encryption (providing the other end has the same tool installed too). The result was BabelCrypt: The Universal Encryption Layer for Mobile Messaging Applications a joint project with my co-researchers and interns at NEU SecLab. The paper is going to be published in January 2015. A pre-print is available here: BabelCrypt.


News / Links

Word on the street is that all the cool kids are getting pagers again!

Sunday, November 23 2014

Mobile Security News Update November 2014

I'm still waiting for the 31C3 program to be released, but since I was reviewing the security submissions I can tell you that there will be a bunch of good mobile security related talks this year. As usual I will be in Hamburg to attend CCC.

So far there are no upcoming conferences that have released their program yet.

I've recently updated to Android 5.0. Overall I think it turned out quite nice. The changes related to notifications suck really badly. Apparently you cannot turn off audio and vibration but still get the visual notification (LED). I really liked the old way to set notifications: ring/vibrate/off. The extended battery time everybody is talking about I don't recognize (Nexus 5). The more tight integration with googles services sucks too. Why does it need to show my google account logo on the top right of my status bar? This is useful for what?

Links and Stories: Android bugs:

Thursday, October 23 2014

Mobile Security News Update October 2014

Time files, I've been super busy the last two month and will be busy until mid/end of November. I just relaized that I haven't posted anything in September at all.

Conferences
    Hack.Lu October 21-24: Stripping the controversial FinFisher application for Android phones by Attila Marosi; SherlockDroid, an Inspector for Android Marketplaces by Axelle Apvrille, Ludovic Apvrille

    PacSec Tokyo, Nov 12-13: An Infestation of Dragons: Exploring Vulnerabilities in the ARM TrustZone Architecture by Josh "m0nk" Thomas, Charles Holmes, Nathan Keltner; Hey, we catch you - dynamic analysis of Android applications by Wenjun Hu; Root via SMS: 4G access level security assessment by Sergey Gordeychik, Alexander Zaytsev; Blowing up the Celly - Building Your Own SMS/MMS Fuzzer by Brian Gorenc and Matt Molinyawe.

    DeepSec Vienna, Nov 18-21: Mobile SSL Failures by Tony Trummer & Tushar Dalvi; TextSecure and RedPhone-bring them to iOS by Christine Corbett; Creating a kewl and simple Cheating Platform on Android by Milan Gabor & Danijel Grah


There is again a new talk on SMS and MMS fuzzing. I really wonder what is going to be different from all the previous work?

Links

Saturday, August 30 2014

Mobile Security News Update August 2014

The Vegas week was as great as it can be as anybody knows who has this ongoing love hate relationship with the yearly pilgrimage.

The Blackphone kinda got rooted, ars on Blackphone root I had to laugh so hard when I saw Jon running around in his new t-shirt.

The SecurityCookies project was a lot of fun. I think people really liked it, likely Guillaume and I had the most fun. We will likely do this again at some point.

The iPhone is finally getting NFC iPhone 6 will reportedly feature NFC and Apple's own mobile payments platform. This should be a lot of fun cause everybody will scramble to actually build and deploy NFC now. I'm not really worried about NFC-payment insecurity but about all the other fun stuff that will be possible. Maybe I have to buy an iPhone 6 and continue my NFC work.

If I actually do get an iPhone I should also get the FLIR ONE an thermal camera case for iPhones. There are various articles about what you could do with this and I think this could be super interesting to play with.

My friend Ravi released darshak an Android app that notifies you if your phone receives silent SMS that are used for tracking your phone. It further displays current network security settings. This can be an indicator about your phone being connected to an IMSI-catcher. So far you need to have a Samsung Galaxy S3 to use this tool, but the S3 is fairly popular. I would like to see vendors providing information about phone network security parameters to the user.

Conferences
    44con September 10-11 London, UK: GreedyBTS: Hacking Adventures in GSM by Hacker Fantastic; Researching Android Device Security with the Help of a Droid Army by Joshua J. Drake (jduck); Manna from Heaven; Improving the state of wireless rogue AP attacks by Dominic White; On Her Majesty's Secret Service: GRX and a Spy Agencyby Stephen Kho; Darshak: how to turn your phone into a low cost IMSI catcher device by Ravishankar Borgaonkar & Swapnil Udar

    SEC-T September 18-19 Stockholm, Sweden: Attacking Mobile Broadband Modems Like A Criminal by Andreas Lind

    T2 October 23-24, Helsinki, Finland: Style over Substance - how OEMs are breaking Android security by Robert Miller; Reversing iOS Apps - a Practical Approach by Patrick Wardle; Darshak: how to turn your phone into a low cost IMSI catcher device by Ravishankar Borgaonkar and Swapnil Udar

    BruCON September 25-26 in Ghent, Belgium: Stealing a Mobile Identity Using Wormholes by Markus Vervier.
Links

August so far was my busiest month of the year, so I guess I missed a lot of what was going on.

Wednesday, July 30 2014

Mobile Security News Update July 2014

Not much to say about conferences in this post since in early August everybody will be in Las Vegas. I'll post an update after the show is over.

The one thing I over read was the round tables that are going down at Black Hat. Specifically: EMBEDDED DEVICES ROUNDTABLE: EMBEDDING THE MODERN WORLD, WHERE DO WE GO FROM HERE? hosted by Don Bailey & Zach Lanier, MOBILE SECURITY ROUNDTABLE: WHAT DOES MOBILE SECURITY LOOK LIKE TODAY? WHAT WILL IT LOOK LIKE TOMORROW? hosted by Vincenzo Iozzo & Peiter Zatko and RESPONSIBLE DISCLOSURE ROUNDTABLE: YOU MAD BRO? hosted by Trey Ford look interesting.

There was a lot of fuzz about iOS backdoors. I didn't have time to go into all details but the basic facts seem to be that iOS has capabilities to exfiltrate data to paired computers. The danger seems to lie in that fact that you can steal/copy the paring from a computer. The initial slide deck from Jonathan Zdziarski are available here. There was a huge follow up discussion on twitter. Roundup from the Jonathan: 1 counter side from Violet Blue: 2 also see Dino Dai Zovi's post: 3

Links

Tuesday, June 24 2014

Mobile Security News Update June 2014

Conferences
    SyScan 360 Play With an Unpublished Kernel Vulnerability for iOS 7.0.x by windknown and dm557; Be cautious, there is an attack window in your android app by pLL; Click and Dagger: Denial and Deception on Android Smartphones by The Grugq; Advanced Bootkit Techniques on Android by Chen Zhangqi and Shen Di; Mobile Browsers Security: iOS by Lukasz Pilor and Pawel Wylecial

    Defcon Detecting Bluetooth Surveillance Systems by Grant Bugher; Android Hacker Protection Level 0 by Tim Strazzere and Jon Sawyer; Shellcodes for ARM: Your Pills Don't Work on Me, x86 by Svetlana Gaivoronski and Ivan Petrov; Blowing up the Celly - Building Your Own SMS/MMS Fuzzer by Brian Gorenc and Matt Molinyawe; Burner Phone DDOS 2 dollars a day : 70 Calls a Minute by Weston Hecker; NSA Playset : GSM Sniffing by Pierce and Loki


So people are still building SMS and MMS fuzzers in 2014. I'm really interested to see what new techniques the ZDI guys came up with.

Links

Thursday, May 29 2014

Mobile Security News Update May 2014

Conferences
    Recon A Bedtime Tale for Sleepless Nights: Josh "m0nk" Thomas and Nathan Keltner; The Making of the Kosher Phone: Assaf Nativ

    ShakaconResearching Android Device Security with the Help of a Droid Army: Joshua Drake - Accuvant; Practical OpSec for Android Devices: The Grugq

    ToorCamp Collin Mulliner: Hacking Android Apps with Dynamic Instrumentation

    Black Hat ABUSING PERFORMANCE OPTIMIZATION WEAKNESSES TO BYPASS ASLR: Byoungyoung Lee & Yeongjin Jang & Tielei Wang; ANDROID FAKEID VULNERABILITY WALKTHROUGH: Jeff Forristal; ATTACKING MOBILE BROADBAND MODEMS LIKE A CRIMINAL WOULD: Andreas Lindh; CELLULAR EXPLOITATION ON A GLOBAL SCALE: THE RISE AND FALL OF THE CONTROL PROTOCOL: Mathew Solnik & Marc Blanchou; IT JUST (NET)WORKS: THE TRUTH ABOUT IOS 7'S MULTIPEER CONNECTIVITY FRAMEWORK: Alban Diquet; MOBILE DEVICE MISMANAGEMENT: Stephen Breen; REFLECTIONS ON TRUSTING TRUSTZONE: Dan Rosenberg; RESEARCHING ANDROID DEVICE SECURITY WITH THE HELP OF A DROID ARMY: Joshua Drake; SIDEWINDER TARGETED ATTACK AGAINST ANDROID IN THE GOLDEN AGE OF AD LIBS: Tao Wei & Yulong Zhang; STATIC DETECTION AND AUTOMATIC EXPLOITATION OF INTENT MESSAGE VULNERABILITIES IN ANDROID APPLICATIONS: Daniele Gallingani; UNDERSTANDING IMSI PRIVACY: Ravishankar Borgaonkar & Swapnil Udar; UNWRAPPING THE TRUTH: ANALYSIS OF MOBILE APPLICATION WRAPPING SOLUTIONS: Ron Gutierrez & Stephen Komal

    Defcon NSA Playset - GSM Sniffing: Pierce and Loki; more upcoming but they are not listed yet.


I'm really happy to see two talks accepted at Black Hat that investigate Mobile Device Management (MDM) systems and app wrapping security solutions. This should be quite interesting since this is more or less the state of the art when it comes to third-party mobile security applications.

Links

I've been super busy in the last weeks mostly work and travel and more traveling coming up in a few days. Summer will be pretty awesome again. My talk on GUI security was accepted at Black Hat so did the talks of many of my friends. This should be a pretty epic year. Also I'm finally making it out to ToorCamp. More updates after I return from ASIA CCS.

Tuesday, April 22 2014

Mobile Security News Update April 2014

Conferences
    Infiltrate has Joshua J. Drake: Researching Android Device Security with the Help of a Droid Army

    IEEE Security and Privacy (academic) has a number of papers: Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating; The Peril of Fragmentation: Security Hazards in Android Device Driver Customizations; From Zygote to Morula: Fortifying Weakened ASLR on Android

    ReCon has The Making of the Kosher Phone by Assaf Nativ (CFP not complete yet)

    Hack in the Box Amsterdam has Shellcodes for ARM: Your Pills Don't Work on Me, x86; Exploring and Exploiting iOS Web Browsers; State of the ART: Exploring the New Android KitKat Runtime; On Her Majesty's Secret Service: GRX and a Spy Agency (HITB folks fix your website, finding talks and speakers is sooo hard I almost do not bother to do it - worst conference website I know!!)

    ASIA CCS (academic) has a number of papers: Timothy Vidas, Nicolas Christin: Evading Android Runtime Analysis via Sandbox Detection; Collin Mulliner, William Robertson, Engin Kirda: VirtualSwindle: An Automated Attack Against In-App Billing on Android; Min Zheng, Mingshen Sun, John C.S. Lui: DroidRay: A Security Evaluation System for Customized Android Firmwares; Wenbo Yang, Juanru Li, Yuanyuan Zhang, Yong Li, Junliang Shu, Dawu Gu: APKLancet: Tumor Payload Diagnosis and Purification for Android Applications



Heartbleed and Mobile
    Heartbleed and Android [1] I couldn't find any detailed discussion of Android itself or Android apps being vulnerable to the heartbleed attack. Sure some apps are linked against vulnerable versions of OpenSSL but I couldn't find any attack description. If you know anything specific please email me!

    Checkout reverseheartbleed.com a heartbleed testing service for clients software (e.g., web browsers).


    SMS bulk operators vulnerable to heartbleed, leak 2FA tokens see heise.de (in German)


Links
Personal notes
    I'll be speaking at Duo Tech Talks in Ann Abor, MI (this will be a IoT related talk).

    I'm on a panel about Internet of Things security at The Security of Things Forum in Cambridge, MA.

    Mid-End of May I'll spent some time in the Bay Area for IEEE S&P, with plenty of time afterward to hangout.

    I'm also planning to go to ToorCamp, who else is going?

Thursday, April 17 2014

TOR Bleed

Update 2:
    I scanned Tor starting Friday April 11th and ended Sunday April 13th. I stopped cause I got enough evidence on leaked plain text. I wasn't sure what to do with the data so I was sitting on it for a couple of days but than decided to just blog about it.


Update:
    Tor doesn't have too many exitnodes, the nodes I was testing are Tor nodes in general not only exitnodes. Never the less I found a number of vulnerable exitnodes that leak plain text data.

    The Tor Project has started to black list vulnerable nodes.


Tuesday April 7th I started my own investigations of the Heartbleed issue. In this blog post I want to talk about one of the things I've been looking into that is the effect heartbleed has on TOR. TOR heavily uses SSL to encrypt traffic between the various TOR nodes. TOR was obviously vulnerable as reported by the TOR project.

For my investigation I pulled a list of about 5000 TOR nodes using dan.me.uk. Using one of the many proof-of-concept exploits I scanned the TOR nodes to determine if they are vulnerable. I found 1045 of the 5000 nodes to be vulnerable to the heartbleed bug, that is about 20%.

I briefly checked the leaked memory to determine if plain text is leaked that is related to TOR user traffic. Yes, TOR exitnodes that are vulnerable to heartbleed leak plain text user traffic. You can find anything ranging from hostnames, downloaded web content, to session IDs, etc.

The majority of the vulnerable TOR nodes are located in Germany, Russia, France, Netherlands, United Kingdom, and Japan. The TOR network has more than 5000 nodes so this is not a complete picture but it provides a good overview of the possible number of vulnerable exitnodes.

The heartbleed bug basically allows any one to obtain traffic coming in and out of TOR exitnodes (given that the actual connection that is run over TOR is not encrypted itself). Of course a malicious party could run a TOR exitnode and inspect all the traffic that passes thru it, but this requires running a TOR node in the first place. Using the heartbleed bug anyone can query vulnerable exitnodes to obtain TOR exit traffic.

There are a number of possible solutions for this problem. 1) update vulnerable TOR nodes (hopefully in progress), 2) create a blacklist of vulnerable TOR nodes and avoid them, 3) stop using TOR until all nodes are updated.

Further Steps:
    Scan all TOR exitnodes to create a black list of vulnerable nodes so users can avoid them.


Notes:
    One interesting thing I found is the large number of requests that seem to be originating from malware due to the domain names looking like the output of a DGA.


Links:

Wednesday, March 26 2014

Android Hardening Tools

A few weeks ago I upgraded from a Galaxy Nexus to a Nexus 5. I therefore took the chance and investigated lightweight and practical device hardening tools. I didn't have anything specific in mind I just wanted to improve my overall situation. Here is what I came up with.

Basics:
    File system encryption, of course, using the build-in functionality of Android. To improve the security and usability I use Cyrptfs Password to have a separate passphrase for the file system encryption and the screen lock. This tool requires root.

    Encrypted SMS and messaging using TextSecure. The application is very user friendly and a nice replacement for Google Hangout.

Network:
    I started using SSHTunnel and ProxyDroid to secure network traffic while traveling. In combination both tools provide the ability to tunnel all network traffic of your device through any box you have a SSH access on. Both apps require root.

    I'm trying out Pry-fi a Wifi privacy tool.

App Security:
    This category is a little hard to describe. I was looking for an app to vet APK, but without using any AV software. I found Checksum, this app calculates a checksum for each APK and compares it with a global repository that is feed with checksums from other users.

    I further using my own tool TelStop to inspect TEL Uri to determine if the contain MMI codes.

    If I was using an older Android device I would also install: ReKey to patch Master Key and X-Ray to scan for vulnerabilities.

Rooting:
    Many of the hardening apps I use require root access. Rooting is a tricky business and you should only do it if you know what you are getting into. If you want to encrypt and root, first root then encrypt. Rooting a Nexus device is straightforward, unlock the bootloader, install su + superSU. One thing todo is install a recovery image that can handle encrypted file systems like TWRP. A decent guide is posted here.

    You should also consider re-locking your bootloader after rooting, see What's the security implication of having an unlocked boot loader?. This is a lot of work and pretty painful when installing firmware patches, but you likely don't want to run around with a unlocked bootloader.


All together I'm pretty happy with this limited set of security applications. If you think I'm missing something important please let me know.

Monday, March 03 2014

Mobile Security News Update March 2014

Conferences
    InfoSecSouthWest April 4-6 Austin Texas. jduck: Android Security Research and Testing at Scale. Thomas Wang: Breaking through the bottleneck: Mobile malware is outbreak spreading like wildfire.


CFPs
TextSecure: secure and easy to use text (SMS) for Android (and soon iOS)
    I'm not really into advertising for stuff here but the recent update of TextSecure made a gigantic impression on me. The application works well, is uber user friendly, and looks just great. They further added IM like functionality (using IP rather then SMS), see here: The New TextSecure: Privacy Beyond SMS. Further there is the possibility to run your own server for TextSecure IP backend, see here.

    I switched to TextSecure for a number of reasons: transparent encrypted SMS, super usable application (I can finally stop using the Hangout app - worst thing so far on my Nexus 5), TextSecure source code is available, and did I mention that the UI looks really great? All in all this is good quality security software that even looks better then the less secure competitors, YES!


WebViews and Security on Android
    The security (insecurity) of WebView lately got a lot of attention. There has been some early academic work such as A View to A Kill: WebView Exploitation by Matthias Neugschwandtner et al. Then there was Dave Hartley's blog post on ad-network security. Most recently Joshua 'jduck' Drake wrote a very detailed blog post about the WebView addJavaScriptInterface Saga. All in all the WebView story is not over for sure as WebViews are a widely used framework feature of Android. I'll keep following this issue for sure.

Links

Saturday, January 25 2014

Mobile Security News Update for February 2014

This is an early update for February. Two reasons, I have stuff to write about right now, second I'm going to be super busy in February.

This year I attended ShmooCon for the first time. I liked it a lot and plan to go again. I didn't know ShmooCon was running for 10 years already. They seem to have a good grip on the conference and don't let it explode in size.

Conferences
    CanSecWest one of my favorite cons (maybe my #1). Talks: No Apology Required: Deconstructing Blackberry10 - Zach Lanier, Ben Nei ; Duo Security & Accuvant. Outsmarting Bluetooth Smart - Mike Ryan ; iSEC Partners. The Real Deal of Android Device Security: the Third Party - Colin Mulliner, Jon Oberheide ; Northwestern University, Duo Security.

    Troopers (Heidelberg, Germany). There is one mobile talk in the main conference but there in addition they have TelSecDay (invite only) that focuses on Telecommunication security. The main conference talk is: Modern smartphone forensics: Apple iOS: from logical and physical acquisition to iCloud backups, document storage and keychain; encrypted BlackBerry backups (BB 10 and Olympia Service) by Vladimir Katalov.

    nullcon (Goa, India) has a mobile talk this year: Modern smartphone forensics: Apple iCloud, encrypted BlackBerry backups, Windows Phone 8 cloud backup - by Vladimir Katalov.

    SyScan 2014 looks super awesome this year. Josh "Monk" Thomas : "How to train your Snapdragon: Exploring Power Regulation Frameworks on Android". Dr Thaddeus (The) Grugq : "Click and Dragger: Denial and Deception on Android Smartphones". Alex Plaskett & Nick Walker "Navigating a sea of Pwn? : Windows Phone 8 AppSec".

    Black Hat Asia THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES by Simon Roses Femerling.

    HITB Amsterdam Shellcodes for ARM: Your Pills Don't Work on Me, x86 by SVETLANA GAIVORONSKI and IVAN PETROV.

    RootedCON (Spain) talks: Raul Siles - iOS: Regreso al futuro, Pau Oliva - Bypassing wifi pay-walls with Android. Some talks look like they are mobile talks too :) (my Spanish is kinda bad)


Links

There are a lot of interesting talks in the next month. I'm working on (and finished) some interesting projects that I can hopefully talk about soon.

Our Android book is finalized and thus should be available in April.

The Defcon CFP is already open so make sure you submit your talks early. Also checkout Area 41 a fine security conference in Switzerland, the CFP is still open.

This year I'm co-chairing ARES an academic security conference. Please consider submitting your papers.

If you are interested in NFC (Near Field Communication) check out the current draft of the Web NFC API. The standard defines how a "web page" can interact with NFC devices.

Sunday, January 05 2014

Mobile Security News Update January 2014

30C3 was awesome. A lot of good talks, many friendly people, and an awesome location. The recordings of all talks can be found here.

The slides and source for my talk Android DDI are available here: slides and source.

I was super busy so I guess I missed a lot that was going on in the 2nd half of December. I will start posting stuff again later this month.

I'm going to ShmooCon in mid January and to Troopers in March.


Advertisement: If you are a computer science student and are interested in security and want to spent some time in the US, please contact me. I'm always looking for motivated people to do research with.

Thursday, November 21 2013

Mobile Security News Update November 2013

Conferences
    30c3 did not announce the program yet but I know a bunch of people who got their talks accepted. It is going to be a good conference. I will talk about my Dynamic Dalvik Instrumentation framework for Android (more about this soon).

    ShmooCon has announced a number of talks. Armor For Your Android Apps by Roman Faynberg, Apple iOS Certificate Tomfoolery by Tim Medin, How Smart Is Bluetooth Smart? by Mike Ryan, Protecting Sensitive Information on iOS Devices by David Schuetz


News and Links
I bet I missed a lot of stuff that happened in the last weeks.

I'm going to be at 30c3 in Hamburg, Germany between Christmas an New Years.

Friday, October 11 2013

Mobile Security News Update October 2013

September was a busy month, but the monthly update is back!

Conferences
    HACK.LU Debugging and Reversing the HTC Android Bootloader by Cedric Halbronn and Nicolas Hureau, Grand Theft Android: Phishing with permission by Joany Boutet and Tom Leclerc, Abusing Dalvik Beyond Recognition by Jurriaan Bremer, Playing Hide and Seek with Dalvik executables by Axelle Apvrille. So Hack.Lu has a lot of Android talks this year, but most of the other talks look super interesting too. I would love to go, but can't.

    PacSec Tokyo, November 2013. "Android games + free Wi-Fi = Privacy leak" Takayuki Sugiura & Yosuke Hasegawa, NetAgent, @hasegawayosuke, "Defeating the protection mechanism on Android platform" Tim Xia, Baidu, "Mobile Phone Baseband Exploitation in 2013: Hexagon challenges" Dr. Ralf-Philipp Weinmann, Affiliation, @esizkur, "Deeper than ever before: Exploring, Subverting, Breaking and Pivoting with NAND Flash Memory" Josh m0nk Thomas. The PacSec program kicks ass!


Missed conferences: ekopart 2013 they had a bunch of mobile (mostly Android) talks.

Links

Friday, August 30 2013

Mobile Security News Update September 2013

Conferences:
    DeepSec Cracking And Analyzing Apple iCloud Protocols: iCloud Backups, Find My iPhone, Document Storage: Vladimir Katalov (ElcomSoft Co. Ltd.), Bypassing Security Controls with Mobile Devices: Georgia Weidman (Bulb Security LLC), Using memory, filesystems, and runtime to app pen iOS and Android: Andre Gironda, Mobile Fail: Cracking Open "Secure" Android Containers: Chris John Riley (c22.cc), Building the first Android IDS on Network Level: Jaime Sánche

    Hack in the Box - Kuala Lumpur Tales from iOS 6 Exploitation and iOS 7 Security Changes: Stefan Esser, Cracking and Analyzing Apple's iCloud Protocols: Vladimir Katalov, Android DDI: Dynamic Dalvik Instrumentation of Android Applications and Framework: Collin Mulliner

    BreackPoint Ruxcon A TALE OF TWO ANDROIDS: Jon Oberheide, ADVANCED IOS KERNEL DEBUGGING FOR EXPLOIT DEVELOPERS: Stefan Esser

    BruCON Jake Valletta - CobraDroid, David Perez/Jose Pico - Geolocation of GSM mobile devices, even if they do not want to be found., Stephan Chenette - Building Custom Android Malware for Penetration Testing

    Hackers2Hackers Android: Game of Obfuscation: Bremer & Chiossi, At ARMs length yet so far away: Brad Spengler

Links:
Android PRNG Stuff:
    So I guess everybody knows about the Android PRNG issue. See Some SecureRandom Thoughts Google confirms critical Android crypto flaw used in $5,700 Bitcoin heist OpenSSL PRNG Is Not Really Fork-safe Upcoming paper at CCS'13: Soo Hyeon Kim (The Attached Institute of ETRI and KOREA Unisversity), Daewan Han (The Attached Institute of ETRI), Dong Hoon Lee (KOREA University) Predictability of Android OpenSSL's Pseudo Random Number Generator (those guys also got credited with reporting some issues about Android's OpenSSL PRNG usage). So they know about this for some time since the submission deadline for CCS was early in May. I wonder if the bitcoin heist could have been avoided if they notified the devs of the Android bitcoin wallet apps instead of Google.

Monday, August 12 2013

Mobile Security News Update August 2013

Conferences:
    SyScan 360 Tales from iOS 6 Exploitation and iOS 7 Security Changes by Stefan Esser; Mr. Big-dumb or Mr. Big-data: How smart is your mobile security intelligent system by Wayne Yan; Android Forensic Analysis Deep Dive by Bradley Schatz; Detecting Advanced Android Malware by Data Flow Analysis Engine by pLL and Zu Hao

    HITB does not have a program yet.
I'm going to speak at HITB in Kuala Lumpur in October. My talk will be about Dynamic Dalvik Instrumentation. I will release all my code after the talk.

CfP
    30c3 in Hamburg Germany (awesome location!)


Black Hat USA slides are available here.

News

Make sure to check out the first release of POC||GTFO

Tuesday, July 16 2013

ReKey

today we finally release ReKey our hotpatching service for fixing Android's Master Key bug. We have a press release here.

ReKey was joint work of: Collin Mulliner, Jon Oberheide, William Robertson, and Engin Kirda.

more soon!

Tuesday, June 25 2013

Mobile Security News Update June 2013 part 2

Conferences
    Defcon has more talks: Do-It-Yourself Cellular IDS
CfP
Here my REcon review. I must say REcon became my favorite conference together with CanSecWest. There were to bunch of really cool talks. I always enjoy REcon talks out side of my main work area. One such talk was about old video game cabinet security: Just keep trying ! Unorthodox ways to hack an old-school hardware. I didn't find the link to the slides anymore. But pretty much 90% of the talks were good. REcon also had mobile talks. jduck's talk on Reversing and Auditing Android's Proprietary Bits was pretty good. I especially liked Wardriving from your pocket: Reversing the Broadcom chipset with Wireshark the talk was about reversing the Broadcom Wifi firmware to enable monitor mode. Their website is here: bcmon.blogspot.com. Super interesting as well was Hiding @ Depth Exploring & Subverting NAND Flash memory and Reversing HLR, HSS and SPR: rooting the heart of the Network and Mobile cores from Huawei to Ericsson. Altogether if you missed REcon you missed out!

Links

I actually decided to go to Defcon after all.

Wednesday, June 12 2013

Mobile Security News Update June 2013

Conferences
    Black Hat USA has the following talks: A PRACTICAL ATTACK AGAINST MDM SOLUTIONS, ANDROID: ONE ROOT TO OWN THEM ALL, BLACKBERRYOS 10 FROM A SECURITY PERSPECTIVE, HIDING @ DEPTH - EXPLORING: SUBVERTING AND BREAKING NAND FLASH MEMORY, HOW TO BUILD A SPYPHONE, I CAN HEAR YOU NOW: TRAFFIC INTERCEPTION AND REMOTE MOBILE PHONE CLONING WITH A COMPROMISED CDMA FEMTOCELL, MACTANS: INJECTING MALWARE INTO IOS DEVICES VIA MALICIOUS CHARGERS, MOBILE ROOTKITS: EXPLOITING AND ROOTKITTING ARM TRUSTZONE, ROOTING SIM CARDS, ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS, and LTE BOOMS WITH VULNERABILITIES.

    Defcon has: I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell, Defeating SEAndroid, and Inside The Strange World Of Java Cards SIM Card Apps And Over-The-Air Updates

    BreakPoint has: A TALE OF TWO ANDROIDS

    BruCON has: CobraDroid, Geolocation of GSM mobile devices, even if they do not want to be found


Stuff

Wednesday, May 08 2013

Countering SMS/mTAN Trojans

Together with my former colleagues Ravi, Patrick, Jean-Pierre from TU Berlin / SecT I have been working on an enhancement for mobile phones in order to protect SMS messages especially mTANs against trojans.

We investigated several ways to improve mTAN security and finally came to the conclusion that we just need to change the SMS routing on the mobile phone itself.

Basically we remove SMS messages that contain mTANs from the normal delivery queue and only deliver them to a special application. This way no other program (including trojans) can access the SMS message.

We implemented and tested our idea on Android. The paper SMS-based One-Time Passwords: Attacks and Defense will be presented at DIMVA 2013 in July in Berlin, Germany.

A demo video of the prototype is shown below:

Tuesday, May 07 2013

Mobile Security News Update May 2013

Conferences
    NoSuchCon finally released their agenda.They have an interesting lineup but no mobile talk.

    SourceDublin Android application reverse engineering & defensesi by Patrick Schulz & Felix Matenaar.

    SummerCon has posted it's schedule. I'll present some work I've done on Dynamic Dalvik Instrumentation.

    REcon has stared to post talks. Reversing HLR, HSS and SPR: rooting the heart of the Network and Mobile cores from Huawei to Ericsson by Philippe Langlois. Reversing and Auditing Android's Proprietary Bits by Joshua J. Drake.

    Shakacon Deviant Ollam - Android Phones Can Do That?!? Custom Tweaking for Power Security Users. Max Sobell - Android 4.0: Ice Cream "Sudo Make Me a" Sandwich. Andreas Kutz - Pentesting iOS Apps - Runtime Analysis & Manipulation.

Some interesting upcoming talks! I guess everybody else an their moms are waiting to hear back from the Black Hat USA CfP.


SyScan'13 review
    SyScan was a totally awesome event. Really good talks and lots of them. My favorite talk was: Bochspwn: Exploiting Kernel Race Conditions Found via Memory Access Patterns by Mateusz Jurczyk and Gynvael Coldwind.


News

Links

Thursday, April 11 2013

Mobile Security News Update April 2013

Conferences:
    HackCon No.8 10-11 April in Oslo Norway. First time I hear about this conference. Mobile talks: Leveraging Mobile Devices on Penetration Tests and Want to control smart phones?

Call for Papers: News:
    Unlocking the Motorola Bootloader (Android phones) by Dan Rosenberg. A real nice read. Most interesting part is that the unlock is via attacking a vulnerability in code running in TrustZone.



I have been super busy with work so I might missed a few things here and there. Right now I'm waiting to here back from SummerCon and Black Hat USA about talks I submitted. I'm still thinking about submitting to ReCON ;)

Thursday, March 14 2013

Mobile Security News Update March 2013 part 2

CanSecWest was pretty good this year. My favorite talks were (no order): Desktop Insecurity - Ilja van Sprundel & Shane "K2" Macaulay, Smart TV Security - SeungJin Lee, Godel's Gourd - Fuzzing for Logic Issues - Mike "dd" Eddington, and Reflecting on Reflection - Exploiting Reflection Vulnerabilities in Managed Languages - James Forshaw. I can't wait to get the slides.

Call for Papers:
I totally missed Black Hat Europe, it had some interesting talks: The M2M Risk Assessment Guide, A Cyber Fast Track Project - Don A. Bailey, Practical Attacks Against MDM Solutions - Daniel Brodie + Michael Shaulov, Off Grid Communications With Android- Meshing The Mobile World - Josh Thomas + Jeff Robble, Next Generation Mobile Rootkits - Thomas Roth.

An interesting looking paper from TROOPERS13 UI Redressing Attacks on Android Devices (apparently it was released at Black Hat Abu Dhabi last year).

News Fun find by my former co-worker Matthias: Lost connection to Battery ... WTF!?!

Monday, March 04 2013

Mobile Security Update March 2013

Review RSA
    Last week I attend the RSA Conference for the first timer ever. I always had the impression that it is not worth going but this year I went anyway. The plan was to just hang around at the various side events that take place during RSAC. Meeting with people etc. That part is totally worth it if you can spent the day doing actual work. I ended up going to the conference to speak on the Mobile Security Battle Royale panel (as a replacement for Jon Oberheide). So I got a conference pass and could checkout the actual conference and expo. The expo was pretty standard if you are used to attend events like CeBIT or maybe CES. Just smaller and security companies only. I didn't have the chance to attend other talks besides Big Brother's Greek Tragedy State-Deployed Malware & Trojans so I can't really make my mind up if it is worth the money or not.

    SC Magazine wrote an article about the panel I spoke on. Here are some comments: Android certainly does support remote updates. But the problem really is that manufacturers and mobile carriers stop supporting devices after 12-18 month.

Conferences
    Infiltrate posted a few more talks. The one I'm really interested in is: Josh "m0nk" Thomas - NAND-Xplore -> Bad Blocks = Well Hidden.

    Troopers in Heidelberg Germany (March). They have a few interesting talks: UI Redressing Attacks on Android Devices by Marcus Niemietz, Malicious Pixels: QR-Codes as attack vectors by Peter Kieseberg, Corporate Espionage via Mobile Compromise: A Technical Deep Dive by David Weinstein and a few other non mobile talks that look really interesting.

    Hack in the Box Amsterdam LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements, SMS To Meterpreter: Fuzzing USB Internet Modems. I really need to go to HITB some day.

New Conferences
    NSC - NoSuchCon is a new conference held in May in Paris, France. The organizers seek strong (only) technical content.

News
    HTC Settles Privacy Case Over Flaws in Phones Interesting read, quote: The Federal Trade Commission charged HTC with customizing the software on its Android- and Windows-based phones in ways that let third-party applications install software that could steal personal information, surreptitiously send text messages or enable the device's microphone to record the user's phone calls.

Personal note:

Thursday, January 31 2013

Mobile Security News Update February 2013

Conferences:
    CanSecWest coming up in March has started posting talks: Doug DePerry @dugdep & Tom Ritter @TomRittervg - CDMA Femptocell Traffic Interception and Remote Mobile Phone Cloning, Rahul Sasi @fb1h2s - SMS to Meterpreter, Fuzzing USB Modems, Stephan Esser @i0n1c will be talking about iOS, Joshua J. Drake @jduck1337i - Tackling the Android Challenge. In addition to mobile security there is another super interesting talk about embedded system security: @beist will be talking about Samsung SmartTVs.

    SyScan Singapore is coming up in April and also posted talks. There are not too many mobile talks but all talks sound pretty good. Stefan Esser ( @i0n1c ) - Mountain Lion / iOS Vulnerability Garage Sale. I will also show some stuff I've been working on in the past month during a lightning talk, all brand new!

    SourceBoston also in April: Protecting sensitive information on iOS devices David Schuetz, Attacking NFC Mobile Wallets: Where Trust Breaks Down Max Sobell.

    Infiltrate Matias Soler - The Chameleon: A cellphone-based USB impersonator, Stephen Lawler & Stephen Ridley - Advanced Exploitation of Mobile/Embedded Devices: The ARM Microprocessor.

News:

Personal notes: I'm going to be in San Francisco during RSA, ping me if you want to chat. I'm also going to be at CanSecWest, just attending this year. Further I'm going to SyScan. I also plan to be around SourceBoston but unfortunately not attending (ticket prices vs. university etc, I'm not complaining).

Friday, January 04 2013

Mobile Security News Update January 2013

Conferences:
    Shmoocon 2013 has posted their schedule. Mobile talks are: Armor for your Android Apps by Roman Faynberg, Protecting Sensitive Information on iOS Devices by David Schuetz, Apple iOS Certificate Tomfoolery by Tim Medin.
All other upcoming conferences (SyScan, CanSecWest, SourceBoston, Infiltrate) haven't posted any talks yet.

My 29c3 conference review. The new location CCH in Hamburg is really nice. There is a lot of space and the space was used very well. Due to the space the conference was much more relaxed. This also counted for the talks. Most of the time everybody had a place to sit. One small downside of this years conference the schedule, sometimes three tech talks were running in parallel in different rooms. But all together I don't think anybody could complain about 29c3. For me personally one of the best congresses I ever attended. The recordings of the talks can be downloaded from here.

Happy New Year.

Wednesday, December 12 2012

Mobile Security News Update December 2012

Conferences:
    29c3 end of December in Hamburg, Germany. They have a few mobile talks: Small footprint inspection techniques for Android - Reverse engineering on Android platforms by Pierre Jaury, Setting mobile phones free by Mark van Cuijk. there should be more mobile talks, that are not announced yet.

News:
Random stuff:
    For a side project I'm looking for original ROMs of Android devices. So far I only have found one site that has a collection of some devices: Shipped-Roms.com. I know it is likely not legal to host stuff like this but I would be interested in getting roms for other devices.

    Android SMS Spoofer is a PoC for a well known Android bug that enables malware to trick the user into believing an SMS has been received.

Friday, November 30 2012

Android DBI v0.2 (BreakPoint version)

I finally managed to release v0.2 of my Android DBI framework. The version I announced at BreakPoint and RuxCon.

New in this version: actually working Thumb support, nfc card emulation code for fuzzing.

Slides
collin_android_dbi_v02.zip

Happy hacking! Feedback is welcome!

Wednesday, November 21 2012

Mobile Security News Update November 2012

The last weeks were pretty crazy for me in terms of work, but stuff got done so I have some new stuff to show next year.

Last month I've travelled to Melbourne Australia to speak at BreakPoint and RuxCon. This was my first time travelling to Australia and I must say it was good fun. BreakPoint was a good conference with some good talks and many interesting people. RuxCon was great fun too, good talks, nice friendly people. The trip was just too short.

Conferences
    Black Hat Abu Dhabi Advanced Exploitation of ARM-based Mobile and Embedded Devices by Stephen Ridley , Droid Exploitation Saga by Aditya Gupta and Subho Halder, Inspection of Windows Phone applications by Dmitriy Evdokimov and Andrey Chasovskikh, Over-the-Air Cross-platform Infection for Breaking mTAN-based Online Banking Authentication by Alexandra Dmitrienko and Ahmad Sadeghi and Christopher Liebchen and Lucas Davi, Practical Security Testing for LTE Networks by Martyn Ruks and Nils, UI Redressing Attacks on Android Devices by Marcus Niemietz

    BayThreat in Sunnyvale has a mobile talk. Daniel Peck - "Dynamic Analysis and Exploration of Android Apps". Some of the other talks look good to.

    29c3 Chaos Communication Congress didn't publish a schedule yet. But some talks should be very interesting, such as Nico's.

Other upcoming conferences are: ShmooCon in February, CanSecWest in March, Infiltrate in April, and Source Boston also in April.

As I said, crazy weeks behind me. So I didn't see much of what happened in the mobile security space.

Monday, October 29 2012

DIMVA 2013

I'm the Publicity Chair for the upcoming 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2013), thus I'm taking the liberty to announce the opening of our Call for Papers here. The conference is in July 2013 in Berlin, Germany. A good chance to travel to Berlin next summer.

DIMVA 2013 main site.
DIMVA 2013 CFP

Tuesday, September 25 2012

Mobile Security News Update September 2012 part 2

First I want to talk about Ravi's awesome findings on USSD and TEL URIs (RFC 2806). Ravi was working on USSD security in general and found that on Android phones you can inject USSD codes into the phone dialer via the TEL URI handler without user interaction. Meaning you don't have to press the call button (aka the green button) to activate the USSD code. Using this he showed howto brick SIM cards and howto wipe Samsung made Android phones. The beauty about TEL URIs is that it is super easy to have them activated on a mobile phone. In 2010 I did a talk on this at CanSecWest (Random tales from a mobile phone hacker skip to the end of the talk for the TEL/SMS URI stuff). The basic technique used for this kind of attack are iframes but very well can be any other kind of URI activation method (redirects, img tag, etc.).

A video of Ravi's demo from Ekoparty is here Demo Dirty use of USSD Codes in Cellular Network en Ekoparty 2012.

Further infos: This is a super fun bug class also a little bit sad that stuff like this works at all.

Second, more cool NFC/RFID mobile hacking from the good guys at Intrepidus. They investigated RFID based transit passed and wrote an Android application that can reset the pass. While the actual basic idea is not new I really like the phone as the attack tool since you always carry it around with you. Some guy could stand one the corner next to the subway entry and sell you the service of resetting your transit pass. Check out their writeup: UltraReset - Bypassing NFC access control with your smartphone

On the topic of NFC and security. The guy(s) behind RadioWarCN released an Android toolkit for messing with RFID/NFC tags. Check it out here: Radiowar Release NFC-WAR Preview. I didn't had the time to try it myself.

Conferences:
    ToorCon in mid October (damn I can't go) so far has mobile talks lined up: Mobile Device attack graphs for fun and profit - Jimmy Shah. {Malandroid} The Crux of Android Infections - Aditya K Sood. When Cell Towers Become Too Smart For Their Own Good - Drew "RedShift" Porter. Also my former co-worker Dmitry (hwsec.net) seems to be giving a talk, my bet is one hardware security.

That is it for now. I'm super busy working one a new Android security project. This will kick ass.

Monday, September 10 2012

Mobile Security News Update September 2012

Conferences:
    Ekoparty in Buenos Aires September 19-21. Alfredo Ortega & Sebastian "topo" Muniz - Satellite baseband mods: Taking control of the InmarSat GMR-2 phone terminal, Ravishankar Bhaskarrao Borgaonkar - Dirty use of USSD Codes in Cellular Network. Ravi's talk will be awesome - this will hurt a lot.

    EuSecWest Dragos keeps adding mobile talks! Way to go!

    SEC-T also added a few talks since my last blog entry.

    Hashdays end of October in Lucern Switzerland (the place to get a bank account ;) Ben April - NFC: I don't think it means what you think it means; Martin Rutishauser - Satellite Hacking: An Introduction. Ilja van Sprundel - The Security (or Insecurity) of 3rd Party iOS Applications.
Links:

Monday, August 20 2012

Mobile Security News Update August 2012 part

More conferences!
    DeepSec taking place end of November in Vienna has published their schedule. They have a number of mobile talks as usual but unfortunately they also have THE one talk that every conference has this year :-( The talks are: Introducing the Smartphone Pentesting Framework Georgia Weidman (Bulb Security LLC), Pentesting iOS Apps - Runtime Analysis and Manipulation Andreas Kurtz (NESO Security Labs / University of Erlangen-Nuremberg), Hacking the NFC credit cards for fun and debit ;) Renaud Lifchitz (BT (formerly known as British Telecom)), The Security (or Insecurity) of 3rd Party iOS Applications Ilja van Sprundel (IOActive, Inc.).

    EuSecWest happening in late September in Amsterdam. Dragos always had this love for mobile security and this year he is showing this at EuSec. Basically EuSec is a mobile security event this year, especially because of the mobile pwn2own! Talks so far: Mapping and Evolution of Android Permissions - Andrew Reiter & Zach Lanier, APK Infection on Android - Robert McArdle & Bob Pan, NFC For Free Rides and Rooms (on your phone) - Corey Benninger & Max Sobell, Using HTTP headers pollution for mobile networks attacks - Bogdan Alecu , iOS Application Auditing - Julien Bachmann.

    Hack.LU in October also has a mobile talk. Benedikt Driessen -Satellite phone - an analysis of the GMR-1 and GMR-2 standards.

    Hack in The Box Malaysia seems to have a bunch of mobile stuff. But their conference website is so ugly that it is hard to find details :-(

    SEC-T takes place in September in Stockholm - one of my favorit cons!. So far they have: Dead Addict - Mobile PKI UX: the state of shit, Torbjörn Lofterud - iPhone raw NAND recovery and forensics.

T2 does not seem to have any mobile stuff this year.

More upcoming CFPs should include ToorCon in San Diego but sadly it overlaps with BreakPoint. I would really like to go to ToorCon once.

It looks like I will come to NYC in November to give a talk at an event at NY-Poly. It is also likely that I will come to SF early in December.


News:
By now I arrived in Boston and started working at my new job at Northeastern University. So far I haven't done much in the city. I'm still looking for an apartment so if you have good pointers shoot me an email.

Tuesday, August 07 2012

Mobile Security News Update August 2012

This really is the first update since May, wow I have been really busy.

Conferences:
    Toorcamp (takes place as you read) has a few interesting talks on Android. I originally planed to go but didn't have time, very said about it :-(

    Nordic Security Conference is a new event that takes place end of August. Nordic Sec seems to be a very mixed conference but they have some mobile related talks.

    BruCON at the end of September is one of those cons I always wanted to attend once, never made it. They also have just a few mobile related talks. Mobile talks seem to overlap with Nordic Sec :-(

    BreakPoint is also a new event taking place in Melbourne, Australia. This event will have more then a few mobile talks due to the people who are scheduled to speak there. Including myself ;-)

    Source Seattle has a mobile talk.


Open CFPs: 29c3 this year in Hamburg not Berlin, a real bummer. hashdays in Lucerne, Switzerland.

General News:
    Zeus now supports Black Berry in addition to WinMo, Android, and Symbian.

    This is really interesting. I was working on countermeasures against this threat with two of my co-workers at SecT in Berlin. Hopefully our paper gets accepted. I really hope we can help to defend against this threat.


Personal news: I will move to Boston, MA in August to work as a Postdoctoral researcher at Northeastern University. I will continue doing mostly mobile security related work. Please ping me if you are doing similar work and are in the area. It seems like I know a bunch of people but don't actually know where they live.

I hope from now one to continue my biweekly mobile security news update.

Tuesday, June 19 2012

Android DBI Framework Source!

I just uploaded my Android Dynamic Binary Instrumentation (DBI) framework. As I wrote before the framework is very simple. It supports hooking function entry points only. The source includes the shared library (.so) injector and the hooking/patching functionality. I also included one simple example instrument to sniff the UART communication between com.android.nfc and the NFC chip on a Galaxy Nexus.

I plan to further enhance this toolset and welcome everybody to submit patches. If there is a lot of interest I will move the source to a public archive like github.

The first release is available here: collin_android_dbi_v01.zip

To use this tool you need a Linux ARM gcc compiler such as included in the Android NDK.

Monday, June 11 2012

Binary Instrumentation on Android

Last weekend I attended SummerCon in Brooklyn NYC and presented my take at doing binary instrumentation on Android. My way of doing instrumentation is very simple compared with other instrumentation frameworks but so far nobody build and released anything for Android / ARM so I had to build my own. Have said that I will for sure release my framework I just need a few days to do this! Please feel free to bug me about this!

So why did I start with binary instrumentation? Well I wanted to continue my NFC security research on Android. Since NFC involves extra hardware it also includes a bunch of native code and thus I started instrumenting that. The result so far was that I build an instrument that acts as an emulation layer inside com.android.nfc. This emulation layer allows me to inject payloads of RFID tags into the nfc process as if they where read from an actually tag. This is of course build for fuzzing ;-) I haven't done any real fuzzing using this so far because I just finished the tool before SummerCon. A demo video that shows tag read emulation can be seen here: nfcemuvideo.mp4

More updates on both subjects will follow soon!


SummerCon was totally awesome, many thanks to the organizers! The conference was small enough to speak to all presenters and to many of the attendees. I met like half of the US people I follow on twitter for the first time in person. How awesome is this!

Wednesday, May 23 2012

Mobile Security News Update May 2012 part 2

Conferences:
    Black Hat USA has more or less publish the speaker list. Very mixed but some mobile stuff as always.

    Defcon started to publish some talks. So far one talk on mobile spyware.
Papers: Security week in Europe, we have: HITB in Amsterdam, Confidence in Krakow, BerlinSides in Berlin lets hope all the people who fly out for HITB and Confidence make it over to Berlin for the weekend.

Wednesday, May 09 2012

Mobile Security News Update May 2012

Conferences:
    Hack in The Box Amsterdam has a number mobile talks this year

    SummerCon has some Android related talks by Jon, Charlie, and myself :)

    Recon looks pretty good this year: GPUs for Mobile Malware, Mitigation and More Thinking outside-the-CPU by Jared Carlson. Baseband debugging by Ralf-Philipp Weinmann. The other talks also look quite interesting. Happy to attend this year!

    Black Hat USA is starting to post talks: most interesting so far is the Windows Phone 7 talk by Tuskasa Oi

    Nordic Security Conference seem to be a new conference out in Reykjavik Iceland. They also seem to have some mobile talks.

So I will be going to SummerCon this year after all! I'm staying in NYC for a few days even after SummerCon. Ping me if you want to meet.

Other news:
    20 years of SMS I for sure had a lot of fun with SMS over the last years :)

Links:
Some fun:
EOF

Thursday, April 12 2012

Mobile Security News Update April 2012

It has been a while but I was travelling a lot for work and fun so I really didn't have time.

Conferences:
    Hackito Ergo Sum in Paris just started today. This seems to be one of the cool new European Security Cons. I actually wanted to attend but after almost 7 weeks of travelling no chance. The program looks very mixed but they have a few mobile talks: Hacking the NFC credit cards for fun and debit by Renaud Lifchitz, TBD (Android Exploitation) by Georg Wicherski.

    SyScan Singapore iOS Kernel Heap Armageddon by Stefan Esser, iOS Applications - Different Developers, Same Mistakes by Paul Craig, and Exploiting the Linux Kernel: Measures and Countermeasures (not a mobile talk but sounds interesting) by Jon Oberheide.
Upcoming in June without program yet: SummerCon in NYC (sadly I can't make it), Recon in Montreal (which I try to make).

On the academic front please consider submitting to WOOT one of my favorite workshops!

Friday, February 10 2012

Mobile Security News Update February 2012 update

More conferences, and a lot of mobile stuff :-)
    Source Boston in April. Reverse Engineering Mobile Applications, Adam Meyers, Security Researcher; Mobile Snitch - Devices telling the world about you, Luiz Eduardo, Director, SpiderLabs LAC, Trustwave (@effffn) & Rodrigo Montoro, Security Researcher, Trustwave's SpiderLabs, rmontoro@trustwave.com (@spookerlabs); Android Modding for the Security Practitioner, Dan Rosenberg, Senior Security Consultant, VSR (@djrbliss) ; Privacy at the Border: A Guide for Traveling with Devices, Marcia Hofmann, Senior Staff Attorney & Seth Schoen, Senior Staff Technologist, Electronic Frontier Foundation

    So SourceBoston actually has some interesting stuff for us mobile people.

    Black Hat Europe in Amsterdam. Axelle Apvrille - Guillaume Lovet An Attacker's Day into Virology: Human vs Computer; Don A. Bailey War Texting: Weaponizing Machine to Machine Systems; Tyrone Erasmus The Heavy Metal That Poisoned the Droid; Eric Fulton Workshop: Mobile Network Forensics Workshop ; Dan Guido - Mike Arpaia The Mobile Exploit Intelligence Project; Felix Lindner Apple vs. Google Client Platforms; Simon Roses Femerling Smartphones Apps Are Not That Smart: Insecure Development Practices;

Thursday, February 09 2012

Mobile Security News Update February 2012

Conferences:
    CanSecWest: OS5 - An Exploitation Nightmare? - Stefan Esser; Probing Mobile Operator Networks - myself; Legal Issues in Mobile Security Research - Marcia Hofmann, EFF; Unveiling LTE Security - Dr. Galina D. Pildush, Juniper; Intro to Near Field Communication (NFC) Mobile Security - Corey Benninger and Max Sobell, Intrepidus Group; Root-Proof Smartphones, and Other Myths and Legends - Scott G. Kelly, Netflix

    Interesting lineup for mobile stuff, and the rest looks pretty good too.

    SyScan Singapore: iOS Kernel Heap Armageddon - Stefan Esser; iOS Applications - Different Developers, Same Mistakes - Paul Craig

    Troopers (Germany): Welcome to Bluetooth Smart - Mike Ossmann


Links:

An analysis of the GMR-1 and GMR-2 standards for satellite telephony. Really interesting work.

In other news. I'm done with my work in Berlin and looking to move to the US for a postdoc in the near future (location is not yet decided).

Monday, January 16 2012

Mobile Security News Update January 2012 part 2

Conferences:
    Infiltrate already passed. But they only had two mobile talk anyway. Secrets in Your Pocket: Analysis of [Your] Wireless Data by Mark Wuergler. Don't Hassle The Hoff: Breaking iOS Code Signing by Charlie Miller.

    Shmoocon which I miss again, this is way to early in the year so every year so far I totally miss it. Talks: Building Measurement and Signature Intelligence (MASINT) Capabilities on a Hackers Budget: Tracking and Fingerprinting RF Devices for Fun and Profit by Brad Bowers. Intro to Near Field Communication (NFC) Mobile Security by Corey Benninger and Max Sobell. Android Mind Reading: Memory Acquisition and Analysis with DMD and Volatility by Joe Sylve. Whack-a-Mobile: Getting a Handle on Mobile Testing with MobiSec Live Environment by Tony DeLaGrange and Kevin Johnson. Credit Card Fraud: The Contactless Generation by Chris Paget.

    CanSecWest is upcoming. So far no talks have been posted but I'm going speak on "Probing Mobile Operator Networks". This is a long ongoing side project of mine.


Links: Infographics: Mobile Security Android vs. iOS

The video recordings from 28c3 are online. Check out Harald's talk Cellular protocol stacks for Internet, Luca's and Karsten's talk Defending mobile phones, Sylvain's talk Introducing Osmo-GMR.

Monday, January 02 2012

Mobile Security News Update January 2012

so 2011 is history, it was a fun year for us mobile people. Many things happened many things got hacked - just great.

In the last few days I have been reading some of those security predictions for 2012 (this year!). Most of them 1 2 3 4 5 are kinda boring since these are things that are already happening. Never the less these will very likely become reality.

In the mobile area these seem to be:

Android as the target for mobile malware attacks. This is already happening as Android became the major smartphone platform last year.

Mobile Markets such as the AppStore and Android Market as a key issue problem solver in the mobile field.

More Monetization as mobile malware evolves we will see more monetization of it. This is especially interesting for everything that involves spending money using a smartphone. Not only SMS, but advertisement, in-App payment, the phone as a credit card, etc..


Happy mobile security research 2012 to everybody!

Tuesday, December 20 2011

Mobile Security News Update December 2011 part 2

There was an awesome SMS bug in Windows Phone 7. This is exactly the bug class I have been looking into in the last two years. Too bad that I didn't have the time to look into Windows Phone 7.

Corrections to a news article about my research. NFC mobile threats on the horizon: What happens when we wave our wallets to pay? The article says ...malicious code could be 'injected' into the device.... I want to say that I never claimed I can do code injection through NFC. They probably misunderstood me when I said that this could be possible in the future.

It is really great to see how NFC security research is taking of this year. If I remember back to early 2008 when I did my research everybody was kinda laughing.

In other news mobile (in)security is further on the rise. So we all never loose our jobs!

Thursday, December 01 2011

Mobile Security News Update December 2011

Android root exploit for 2.3.5 and older by the Jons levitator.c

I don't get this whole Carrier IQ thing 1 2.

The people from the Intrepidus Group seem to really get into RFID and NFC. They just posted an article about using a USRP for NFC. Hopefully they release their code after they are done with their research.

In other news: I wont attend the CCC / 28c3 this year due to multiple reasons. I will stick around for the other events outside the congress. So ping we if you want to chat and/or have beers.

Friday, November 18 2011

Mobile Security News Update November 2011

Security Mobile and RFID by Nick von Dadelszen at KiwiCon. Interesting talk on RFID attacks using the Nexus S. This does not cover NFC but is a good read. Unfortunately not many details in the slides.

Axelle Apvrille did some nice work on how to utilize OpenBTS for mobile malware analysis. Both, paper and slides, make a nice read.

Ruxcon is already on, I found one possibly interesting talk Mobile and Contactless Payment Security by Peter Fillmore. But since the con is not done yet slides are not available at the time.

SyScan Taipei has a bunch of mobile stuff. Charlie Miller on iOS code signing. Stefan Esser on iOS kernel exploitation. I'm waiting for slides as the con is just over today.

New Academic Workshop MoST on Mobile Security Technologies at IEEE S&P in May 2012.

Saturday, August 20 2011

Mobile Security News Update August 2011

I'm finally back from my two weeks in the US of A where I attended Black Hat and Defcon (19) in Vegas. This was very exhausting as always, no surprise there. But I must say the talk quality was not that high and again too many parallel tracks at Black Hat. As I see it now I will probably skip Black Hat and Defcon in the near future. After Vegas I travelled to USENIX Security in San Francisco to finally present our paper on SMS insecurity on feature phones. USENIX was quite okay - but I didn't get to enjoy it in full due to the one week of Las Vegas before :-/ To compensate for the stressful travel I attended the last two days of the CCCamp outside of Berlin. Also I only attended the lasts days the CCCamp rocked! Still one of the best events ever!


News:
    So Palm is finally dead now that HP killed their WebOS devices. Although I've read something about HP wanting to continue with developing WebOS as a platform but this is kinda useless if they don't intend to sell devices running WebOS. Sad sad thing.
Conferences:
    DeepSec that takes place in Vienna in November has a bunch of mobile related talks. Intelligent Bluetooth fuzzing - Why bother? by Tommi Mäkilä (Codenomico; Windows Pwn 7 OEM - Owned Every Mobile? by Alex Plaskett (MWR InfoSecurity); SMS Fuzzing - SIM Toolkit Attack by Bogdan Alecu (Independent security researcher); Extending Scapy by a GSM Air Interface and Validating the Implementation Using Novel Attacks by Laurent 'kabel' Weber (Ruhr Uni Bochum); Attack vectors on mobile devices by Tam Hanna (Tamoggemon Limited); Defeating BlackBerry Malware & Forensic Analysis by Sheran A. Gunasekera (ZenConsult Pte. Ltd.)

    T2 in October in Helsinki. Sofar they have only one talk on mobile security. Windows Pwn 7 OEM - Owned Every Mobile? by Alex Plaskett (MWR InfoSecurity).

    Hack.lu in September in Luxenburg. They seem to have a few interesting talks. Project Ubertooth: Building a Better Bluetooth Adapter by Michael Ossmann. Extending Scapy by a GSM Air Interface and Validating the implementation Using Classical and Novel Attacks by Laurent Weber. Locating a GSM phone in a given area without user consent by Iosif Androulidakis.Weaponizing the Smartphone: Deploying the Perfect WMD by Kizz Myanthia.

    Hack in the Box Malaysia in October. Some talks: Packets in the Dark - Pwning a 4G Device for the Lulz by biatch0 & RuFI0. Satellite Telephony Security: What is and What Will Never Be by Jim Geovedi. Femtocells: A Poisonous Needle in the Operator's Hay Stack by Kevin, Ravi, and Nico (SecT - TU Berlin). All Your Base Stations are Belong to Us: Extending Scapy with a GSM Air Interface - Laurent 'Kabel' Weber. Blackbox Android: Breaking "Enterprise Clas" Applications and Secure Containers by Marc Blanchou, Justine Osborne & Mathew Solnik (Security Consultants, iSEC Partners). Attacking The GPRS Roaming eXchange (GRX) by Philippe Langlois. Hacking Androids for Profit by Riley Hassell. iPhone Exploitation: One ROPe to Bind Them All? by Stefen Esser.

    hashdays in October. Talks: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy.


Thats this for now. I guess I missed a bunch of things during the last three weeks (two weeks of travel and one week of recovery!). If something major had happened in the mobile sec world I guess I would have heard about it ;-)

Monday, July 18 2011

Mobile Security News Update July 2011 part 2

Not much to tell in this update since I was kinda busy with non work stuff ;-)

Conferences:
    Chaos Communication Camp has a few mobile related talks: Applied Research on security of TETRA radio by Harald Welte, GPRS Intercept by Karsten Nohl, iOS application security by Ilja van Sprundel, Machine-to-machine (M2M) security by hunz, Open-source 4G radio by Alexander Chemeris, The blackbox in your phone (about SIM cards) by hunz and some more closely related talks. The camp talks look really good this year.

    Defcon Cellular Privacy: A Forensic Analysis of Android Network Traffic by Eric Fulton, Seven Ways to Hang Yourself with Google Android by Jacob West and Yekaterina Tsipenyuk ONeil.

    BruCon iOS Data Protection Internals (Andrey Belenko), Smart Phones - The Weak Link in the Security Chain (Nick Walker - tel0seh)

Links:

Monday, July 11 2011

Mobile Security News Update July 2011

ZIMTO (Zeus in the Mobile) hits Android. This was long overdue since Android now more or less is the strongest smartphone platform. See Axelle Apvrille blog post on Zimto for Android.

Android malware is really a rising trend (no secret there) but the malware gets more and more interesting. Mark Balanz discovered a malware that acts as an SMS relay. Such malware has interesting possibilities to say the least.

JailBreakMe 3.0 was released a couple of days ago, again a nice user-level jailbreak for all iOS devices ;-) There is a nice article from the people of the intrepidus group on how the jailbreak works. Reversing Jailbreakme.com 4.3.3.

Conferences are all covered as far as I know.

Monday, June 20 2011

Mobile Security News Update June 2011 part 2

Not too much happened or I just missed it because I'm way to busy these days. I'll just update my mobile conference monitor.

Conference:
    Black Hat USA has way more mobile talks then last year. Hacking Androids for Profit by Riley Hassell. ARM exploitation ROPmap by Long Le. War Texting: Identifying and Interacting with Devices on the Telephone Network by Done Bailey. Mobile Malware Madness, and How To Cap the Mad Hatters by Neil Daswani. The Law of Mobile Privacy and Security by Jennifer Granick.

    Defcon is a little weak on mobile stuff this year. Only very few talks, one of the being: Mobile App Moolah: Profit taking with Mobile Malware by Jimmy Shah.

Wednesday, June 08 2011

Mobile Security News Update June 2011

There seems to be a massive rise in Android malware. Mostly modified versions of legit applications. Again one piece of malware [1] contains a root exploit - the one already used by DroidDream. Many of the new trojans will try sending SMS messages to premium numbers. Other SMS trojans are just funny [2] as they send jokes to every entry in the phonebook.

Conferences:
    BlackHat USA: Ravishankar Borgaonkar + Kevin Redon + Nico Golde: Femtocells: A poisonous needle in the operator's hay stack. Dino Dai Zovi: Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption. Stefan Esser: Exploiting the iOS Kernel. Anthony Lineberry: Don't Hate the Player, Hate the Game: Inside the Android Security Patch Lifecycle. Tyler Shields: Owning Your Phone at Every Layer - A Mobile Security Panel.

    Don Bailey will do something on mobile infrastructure security.

    Brucon: iOS Data Protection Internals by Andrey Belenko. Smart Phones - The Weak Link in the Security Chain, Hacking a network through an Android device by Nick Walker.

    NinjaCon / BSides vienna: Hacking NFC and NDEF, why I go and look at it again (by myself). A Midsummer Droid's Dream (grab a drink, come around, let's reverse some malware) by Manuel Acanthephyra.

    ToorCon Seattle: Scott Dunlop, Reverse Engineering Using the Android Emulator. Joshua Brashars, Owning the phone system (and why it still matters).

    Defcon: This is REALLY not the droid you're looking for... Nicholas J. Percoco + Sean Schulte.


Every since Google announced Google wallet I'm getting hammered with requests regarding NFC security. Funny part about that I just was getting back working on NFC security because of the Nexus S. First bug reports already filed ;-). Due to the new rising interest in NFC and NFC security I'll decided to give a NFC security talk at NinjaCon / BSides Vienna on June 18th.

Tuesday, May 10 2011

Mobile Security News Update May 2011

So Foursquare has started to use NFC: Foursquare NFC checkin. This sounds like fun :-) I guess you can't seriously do harm but pranks sound possible.

Moxie is really cracking out cool Android stuff lately. He just released WhisperMonitor a personal firewall for Android.

Slides for the Android Attacks talk from Infiltrate. Really really good and complete talk on Android security.

Academic papers:
    Usenix Security 2011 has a few interesting looking papers: Forensic Triage for Mobile Phones with DEC0DE by Robert J. Walls, Erik Learned-Miller, and Brian Neil Levine, University of Massachusetts Amherst. Secure In-Band Wireless Pairing by Shyamnath Gollakota, Nabeel Ahmed, Nickolai Zeldovich, and Dina Katabi, MIT. A Study of Android Application Security by William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri, Pennsylvania State University. Permission Re-Delegation: Attacks and Defenses by Adrienne Porter Felt, University of California, Berkeley; Helen J. Wang and Alexander Moshchuk, Microsoft Research; Steve Hanna and Erika Chin, University of California, Berkeley. QUIRE: Lightweight Provenance for Smart Phone Operating Systems by Michael Dietz, Shashi Shekhar, Yuliy Pisetsky, Anhei Shu, and Dan S. Wallach, Rice University.

Conferences:
That is it for May I guess. Since I'll be either traveling or writing papers ;)


Tuesday, April 26 2011

Mobile Security News Update April 2011 (part 2)

A nice blog post by Frank Rieger on the iPhone location logging: Was the iPhone location logging put in by quiet law-enforcement / intelligence agency request?

The talk A Million Little Tracking Devices by Don Bailey is really worth reading if you are in to GSM and GSM equipped hardware.

Whisper Systems (Moxie) released their Android FDE image for the Nexus One. Try it out and go full disk crypto on your Android phone. Whispercore.

News:
Conferences:
    Recon has one mobile talk so far: AndBug -- A Scriptable Debugger for Android's Dalvik Virtual Machine by Scott Dunlop of IOActive


In other news. I'll be in SF for Oakland 2011. I'll be there a few days before the conference so ping me if you want to meet up.

Thursday, April 14 2011

Mobile Security News Update April 2011

Conferences:
    SyScan Singapore Mobile Money is not a Ringtonea by The Grugq COSEINC; Targeting the iOS Kernel by Stefan Esser SektionEins; I'm going hunting, I'm the Hunter by Don Bailey iSEC Partners;Telecom Signaling attacks on 3G and LTE networks from SS7 to all-IP, all open by Philippe Langlois P1 Security inc.;

    Infiltrate Rock'm Sock'm Robots: Exploiting the Android Attack Surface by Bas Alberts and Massimiliano Oldani;

    SourceBosten Secure Development Lifecycle in the Mobile World by Marc French and Iron Mountain; Secure Development for iOS by David Thiel iSEC Partners; Tinker, Tailor, Soldier, A-GPS: How Cost Turns Security Devices Into Weapons by Don Bailey iSEC Partners.

    Hack in The Box Amsterdam Attacking 3G and 4G Telecommunication Networks by Enno Ray; I'm Going Hunting. I'm the Hunter. by Don Bailey; Popping Shell On A(ndroid)RM Devices by Itzhak Avrah; iPhone Data Protection in-Depth by Jean-Baptiste Bédrun; iNception Planting and Extracting Sensitive Data From Your iPhone's Subconscious by Laurent Oudot; Antid0te 2.0 - ASLR in iOS by Stefan Esser

    Looks quite okay, I never attended any SourceConference but the speakers are the usual suspects :-) Infiltrate is new. I would be mostly interested to hear Don Bailey's talk but judging from the number of talks he does on the subject I guess I'll catch it at BlackHat or Defcon in summer.


The mTAN trojan problem finally spread over to Europe and Germany. This version is called SpyEye and comes as a developer signed Symbian application.

Nico and myself finally released our Tech Report on SMS filtering recommendations. It's available here: Countering SMS Attacks: Filter Recommendations. Feedback is welcome.

I guess I missed a bunch of stuff but right now I'm kinda busy with work ;-)

Thursday, March 17 2011

Mobile Security News Update March 2011 part 2

The BlackBerry pwnage seems to cause some trouble as RIM seems to not tell the truth (1 2) in their advisory. Lets see what happens here.

Finally the first Android mod with encrypted storage was released by Whisper Systems. This is really really cool. Now they just need to support more Android devices besides the Nexus S. But moxie told me they are adding support for more soon :-)

For those of you interested in NFC there are two interesting papers from this years NFC Conference 1) Security Vulnerabilities of the NDEF Signature Record Type 2) Practical Attacks on NFC Enabled Cell Phones.

Wednesday, March 02 2011

Mobile Security News Update March 2011 (part 1 continued)

March looks busy for mobile security people ;-)

Android Malware becomes serious: The Mother Of All Android Malware Has Arrived: Stolen Apps Released To The Market That Root Your Phone, Steal Your Data, And Open Backdoor. This malware contains a root exploit. Yea, after you install the APK it roots your device.

Interesting papers (from ACM Hotmobile 2011)

Tuesday, March 01 2011

Mobile Security News Update March 2011

Very brief update, but I'm quite busy at the moment.

News:
Conferences:
    LEET'11 has two interesting papers on mobile malware: Why Mobile-to-Mobile Wireless Malware Won't Cause a Storm and Andbot: Towards Advanced Mobile Botnets. I'm looking forward to actually read them.

Monday, February 21 2011

Mobile Security News Update February 2011 part 2

As I wrote in my last blog entry last week I attended the Mobile World Congress in Barcelona. Over all it was quite interesting, meeting old friends and people so far I knew only through email.

I also had a nice chat with Elinor Mills from CNET about Visa's NFC payment stuff at the Visa booth at MWC. Her article is here: Mobile phone e-wallets get closer to reality

In two weeks Nico and I am going to speak at CanSecWest about our feature phone SMS research. I'm really looking forward to Vancouver again.

Conferences:
    BlackHat Europe (Barcelone): Nitesh Dhanjani talks about New Age Attacks Against Apple's iOS (and Countermeasures)

    CanSecWest: iPhone and iPad Hacking by Ilja van Sprundel, IOActive, Project Ubertooth: Building a Better Bluetooth Adapter by Michael Ossmann, U.S. Department of Commerce and Great Scott Gadgets and Nico and myself on SMS-o-Death.

Here a collection of some ShmooCon 2011 video recordings.

Wednesday, February 02 2011

Mobile Security News Update February 2011

Some comments on smartphone botnet C&C over SMS from Shmoocon 2011: this is basically a redo of my iBots paper. The only difference is the implementation for Android in place of our iPhone implementation.

Also from ShmooCon: Attacking 3G and 4G mobile telecommunications networks looks quite interesting.

Sadly I didn't find the slides for the other interesting talks, especially for TEAM JOCH and the mTan talk. Also what about the video streams from ShmooCon, were they recorded?

Interesting story: Would-Be Suicide Bomber Killed by Unexpected SMS From Mobile Carrier if this is true...
Flattr this

Monday, January 24 2011

Mobile Security News Update January 2011 Part 2

Funny story on stealing SIM cards from traffic lights, Schneier has a few nice pointers on the story: here.

Don't Sacrifice Security on Mobile Devices by Chris Palmer (@ EFF) makes a nice read. Spontaneous idea: what about something like hardened android?

A story on mobile phone forensics.

A Android trojan with botnet-like features?

Conferences:
    The ShmooCon schedule. The BlackHat DC slides. A few notes to some slides. A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications this is what every serious GSM hacker/security research has in his lab - no rocket science - but nice roundup for noobs and beginners. Exploiting Smart-Phone USB Connectivity For Fun And Profit fun read, good job.

Upcoming events for myself: Mobile World Congress, I'll be there for all four days. Catch me at Hall: 2 Booth: H04 (City of Berlin -> Technische Universitaet Berlin and others)

Monday, January 10 2011

Mobile Security News Update January 2011

Happy new year mobile phone security enthusiasts!

Conferences:
    Black Hat DC Itzhak Avraham's talk: Popping Shell on A(ndroid)RM Devices; Rob Havelt, Bruno Goncalves de Oliveira: Hacking the Fast Lane: security issues with 802.11p, DSRC, and WAVE (not directly mobile phones); David Perez, Jose Pico talk about: A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications; Angelos Stavrou, Zhaohui Wang talk on: Exploiting Smart-Phone USB Connectivity For Fun And Profit; Ralf-Philipp Weinmann's talk on: The Baseband Apocalypse (exploiting baseband software)

    Shmoocon as a number of talks but sadly no abstracts online. Also I wont be able to attend. Here are some talks that have interesting titles: Defeating mTANs for profit by Axelle Apvrille and Kyle Yang, something about smart phone botnets (the news part of the site gone now).
Bugs: Finds:

Friday, December 24 2010

SMS-o-Death @ 27c3

Finally our (Nico and myself) talk SMS-o-Death is in the 27c3 schedule. The talk will be kick ass.

Wednesday, December 22 2010

Antid0te - ASLR for the iPhone

Stefan Esser of PHP Security fame released a tool called Antid0te to add ASLR to jailbroken iPhones.

This looks like really awesome work, very interesting slides.

Mobile Security News Update December 2010

I will give a talk at the 27th Chaos Communication Congress together with my student/colleague Nico Golde The title of our talk is SMS-o-Death: from analyzing to attacking mobile phones on a large scale. The talk is about attacking feature phones. This should be very interesting for everybody since we put quite some effort into this research and prepared a good talk. This will be on Day-1 in Saal 1. (We are still not listed yet).

I hope to see many of you guys at the congress!

TAC Database needed for research...
    recently I (and a friend of me too) was looking for a open TAC database but we could not find one. Does anybody have a hint? If nothing exists what about a TAC database around the OpenBSC/osmocom projects?
Smartphone security paper by enisa Past conferences:
    POC2010 had two mobile related talks. 1) Stefan Esser, "iPhone Hacking and Security(Adding ASLR to Jailbroken iPhones)" and 2) Silverbug, "Android Application Hacking & Security Threat". Unfortunately no slides are available yet.
Fun:

Thursday, December 02 2010

Mobile Security News Update November 2010 part 2

DeepSec was real good and a lot of fun this year. Especially putting faces to email/twitter accounts. The mobile talks were really good and there was a lot to learn and spark new project ideas ;)

Quickies:

Spoof your geolocation

Android Data Stealing Vulnerability thru the web browser.

Tuesday, November 09 2010

Mobile Security News Update November 2010

Kinda happy about my iBots paper, since I got two non-academic reviews about it. 1 and 2.

Conferences: It is fixed that I will go to DeepSec in late November. It's kind of a must since they have a strong mobile security program this year.

Unfortunately I missed hashdays in Lucerne. This seems to be a nice event and I'll try to go next year. This reminds me once again that we have many cool Cons here in Europe.

Bugs: once again Safari on the iPhone starts voice calls without user interaction this time powered by Skype. See here. Very similar to the bug I found last year. Nice catch.

In the news: Hackers take control of 1 million mobile phones apparently some trojan (user installed) sent out a lot of SMS spam.

Flattr this

Sunday, October 31 2010

Mobile Security News Update October 2010

I got mentioned on the McAfee blog iBots? Mobile phone network 0wnage for my work on smartphone botnet C&C.

Ralf published is awesome work on mobile/smart phone baseband attacks. The slides to his talk All Your Baseband are Belong to Us are available here.

Travel / Cons:

In late November I plan to go to Vienna for DeepSec, who else is coming?

In December I will be speaking at Cisco Expo Germany (in Berlin). Hit me up if your coming.

Friday, September 24 2010

Mobile Security News Update September 2010 part 2

So from now on I will include academic publications to my news updates. I screen the stuff anyway so why keep it only for me.

ACM CCS
    (7) A Methodology for Empirical Analysis of the Permission-Based Security Models and its Application to Android David Barrera, H. Gunes Kayacik, Paul C. van Oorschot, Anil Somayaji
    (8) Mobile Location Tracking in Metropolitan Areas: malnets and others Nathanial Husted, Steve Myers
    (9) On Pairing Constrained Wireless Devices Based on Secrecy of Auxiliary Channels: The Case of Acoustic Eavesdropping Tzipora Halevi, Nitesh Saxena
    (10) PinDr0p: Using Single-Ended Audio Features to Determine Call Provenance Vijay A. Balasubramaniyan, Aamir Poonawalla, Mustaque Ahamad, Michael T. Hunter, Patrick Traynor


A funny bug in the Nokia E72: Nokia E72 Keyboard Password bypass

Conferences: Upcoming is the 27C3 it's CFP runs until October 9th. I will try to also do a talk this year again.

Flattr this

Saturday, September 11 2010

c't 2010/20 Risiko Smartphone

Together with Daniel Bachfeld from heise I wrote the artikel Risiko Smartphone which will be published in the upcoming issue 20 of the c't magazin (German only). First time mass media publication :-)

Friday, September 10 2010

Mobile Security News September 2010

Mobile phone HTTP header privacy issue in Spain [1] xuf got them to fix it [2].

In October I will present two papers. First, Privacy Leaks in Mobile Phone Internet Access which is about mobile phone HTTP header leakage. Second, Rise of the iBots: 0wning a telco network a paper on smartphone botnet C&C.

The Osmocom people have added a security section to their wiki. One really interesting part is the section on Will my Phone Show An Unencrypted Connection?

Conferences: ToorCon has a nice lineup sofar. Real Men Carry Pink Pagers. The Carmen San Diego Project. iPhone Rootkit? There's an App for That. The Hidden Nemesis: Backdooring Embedded Controllers. Smartphone Ownage: The State of Mobile Botnets and Rootkits. Moving Target: Location-Based Threats and Mitigations. Black Hat Abu Dhabi Mobile Phony: Why You Can't Trust Mobile Phone Networks For Critical Infrastructure.

Need some hints
    I'm looking for a number of statistics. 1) How many people update their mobile phones (I don't care about smartphones such as iPhone or Android). 2) The most popular mobile phones around the world. There should be some sales stats on this, right? Any help will be very welcome. Email: collin[at]mulliner.org


The thing called a phone by Scott Adams. I almost never use it as a phone.


Wednesday, August 25 2010

Mobile Security News August Part 3

So since I have decided to use Flattr I also decided to put my own Thing for Mobile Security News on Flattr.

Flattr this

Tuesday, August 24 2010

Mobile Security News August 2010 Part 2

At T2 Nils talks about some WebOS and Android vulns this should be quite interesting since he likely will cover the bugs he recently found. T2 is really one of the European cons I want to go to, very high priority! Especially since I can't go to SEC-T this year. hacking the RKF ticket system and How to stay invisible (while still using cellphones) sounds quite interesting.

The BruCON schedule looks quite interesting. GSM Security: Fact and Fiction NFC Malicious Content sharing, the abstract sounds like something I've done some years ago - I wonder what kind of new stuff they found. The Monkey Steals the Berries: The State of Mobile Security So BruCON actually looks quite good, another CON I need to go to at some point.

At SecTor there seems to be a single mobile talk: Black Berry Security FUD Free.

Thats it for August as far as I can see.

Update: I totallty forgot DeepSec. This year it seems like a mobile only security conference. Talks are: Pentesting Internet Handheld Devices Debugging GSM Targeted DOS Attack and various fun with GSM Um Mobile VoIP Steganography: From Framework to Implementation Mobile privacy: Tor on the iPhone and other unusual devices OsmocomBB: A tool for GSM protocol level security analysis of GSM networks Malicious applications for Smartphones All your baseband are belong to us Android: Reverse Engineering and Forensics LTE Radio Interface structure and its security mechanism

Friday, August 13 2010

Mobile Security News August 2010

So the PalmPre seems to have a small problem with vCards? Pwn20wn Nils found a nice little bug that seems to be exploitable. Nice find!

Then we got the first Android trojan that sends premium SMS messages. Jon did a nice decode of the trojan over here.

Since this is now on a public website I want to mention it once: Decrypting GSM phone calls by Karsten and other from the Security Research Labs (Berlin)

Monday, July 12 2010

More Mobile Security News (in July 2010)

A short overview of the talk How to stay invisible (still using cellphones) from PlumberCon. No slides unfortunately.

Some Vulnerable setuid binaries on 4G and HTC Hero (Android phones).

Latest version of Hijacking Mobile Data Connections from the Mobile Security Lab guys this time with iPhone and Android. This was shown at HITB Amsterdam.

Tuesday, July 06 2010

Mobile Security News Update July 2010 Part 2

The final schedule for Defcon is out - with a few more talks that should be interesting for us mobile guys. Also I kind of forgot to post some stuff because of my feature phone rant.

Defcon talks: These Aren't the Permissions You're Looking For by some guys from Lookout. This is about Android security. App Attack: Surviving the Mobile Application Explosion by the CXO guys from Lookout.

Unrelated by cool: Advanced Format String Attacks by Paul Haas who was an undergrad student in the RSL at UCSB while I was there, nice!

Android vs. Jon Oberheide :)

Jon recently did a few cool things with Android. His slides from SummerCon 2010. Two interesting blog posts about Remote Kill and Install possibilities on Android and some insides on the GTalkService Connection that is always active between your Android phone and Google. Nice reads!

PS: I organized that I will be able to attend Black Hat :-) So I will get the full Vegas experience once again.

Tuesday, June 29 2010

Mobile Security News Update July 2010

Most important thing: I will travel to Defcon this year. Really looking forward to meet some people again. Ping me if you want to meet up!

More and more Defcon talks show up: Exploitation on ARM - Technique and Bypassing Defense Mechanisms by Itzhak "Zuk" Avraham. This is a must see for me.And wow a new Bluetooth security talk, I've been waiting for this. Breaking Bluetooth By Being Bored by JP Dunning. Practical Cellphone Spying by Chris Paget also looks interesting. It looks like there are some more talks in the pipe that are interesting for us mobile guys.

A small rant on feature phones. So we are playing with feature phones, and many of those phones don't support a full hard reset were you can erase all data. WTF??!?! Some manufactures have a PC program to flash those phones in order to restore them. But then they check the software version and don't allow you to reflash the same version. WTF!??!?!

Wednesday, June 09 2010

Mobile Security News Update June 2010

Vegas update: Carmen Sandiego is On the Run! by Don Bailey & Nick DePetrillo. They seem to have updated their talk for Black Hat. Very interesting for me but not related to mobile phones: How to Hack Millions of Routers by Craig Heffner. He is talking at both Black Hat and Defcon. So far only one mobile talk at Defcon: This is not the droid you're looking for... by Nicholas J. Percoco and Christian Papathanasiou.

SyScan Singapore has one talk on GSM security by the Grugq (the same one he will give in Vegas).

I'm still looking for a new Android device. The device closest to my needs is a Motorola Milestone (I want a keyboard). But I really don't want to buy a device with a closed bootloader. For sometime I considered a Nexus One even without a keyboard, but the price is a little to high in my opinion.

Tuesday, May 25 2010

Mobile Security News May 2010 Part 2

A paper on mobile phones as bugging devices: Roving Bugnet: Distributed Surveillance Threat and Mitigation.

Black Hat USA 2010 talks: Base Jumping: Attacking GSM Base Station Systems and mobile phone Base Bands by The Grugq. I'm really wondering about this talk. You will be billed $90,000 for this call by Mikko Hypponen. This talk sounds like fun. More Bugs In More Places: Secure Development On Moble Platforms by David Kane-Parry. Attacking phone privacy by Karsten Nohl.

Too bad that I decided to skip most cons this year. But PH-Neutral coming up this weekend. See u guys there!

Tuesday, May 18 2010

Mobile Security News Update May 2010

EuSecWest moved to June and to Amsterdam but still looks promising. So far two talks look interesting: Immature Femtocels by Ravishankar Borgaonkar & Kevin Redon, Technical University of Berlin and BlackBerry Proof-of-Concept malicious applications by Mayank Aggarwal, SMobile Systems. I hope to see more mobile stuff at EuSec. I would really like to go but I have too many other stuff todo.

Somebody claims to have found a iPhone data protection vulnerability . I haven't checked it out myself.

Waiting to see some of you at Ph-Neutral. Only 2 weeks to go!

Wednesday, April 28 2010

Mobile Security News April 2010 Part 2

Confidence in Krakow has a few interesting talks. Especially the GSM/Cell Networks and telephony security by Don Bailey and Nick DePetrillo - this should be the stuff from SourceBoston. Android Reverse Engineering - Workshop by Jesse Burns. Mobile attacks and preventions - how security will change the mobile market by Tam Hanna. And The Four Horsemen - Malware for mobile by Axelle Apvrille.

I'm seriously considering going there.

Friday, April 23 2010

Mobile Security News April 2010

while going through my morning RSS feeds I stumbled across this simple but cool SMS-based attacks against WebOS (Palm's PRE). The attacks are based on simple SMS text messages that contain iframes. The bugs where found in WebOS 1.3.5 and are fixed in the current version. Read the full details on the blog of /intrepidus group the researchers who found these bugs. I especially like the phone dialing stuff where they inject so-call GSM codes in order to switch of the GSM radio. Nice. Too bad I was a little behind with WebOS :-(

Conferences: SourceBoston 2010: Attacking WebOS by Chris Clark and Blackberry Mobile Spyware - The Monkey Steals the Berries (Part Deux) by Tyler Shields.

As usual I call for hints and tips on interesting papers/slides/website on mobile security.

Update:

There seems to be another mobile security related talk at SourceBoston. We Found Carmen San Diego by Don Bailey, iSec Partners & Nick DePetrillo. Reading the abstract this looks like Locating Mobile Phones using Signalling System #7 by Tobias Engel at 25C3 in 2008. He also didn't have direct access to SS7 but used a web-based interface to some parts of SS7.

Update 2:

I just got an email from Michael he discovered that WindowsMobile 6.5 is also vulnerable to SMS messages that contain HTML and JavaScript. He posted a small advisory yesterday after reading about the Palm Pre stuff. His advisory is here: XSS and Content Injection in HTC Windows Mobile SMS Preview PopUp.

Saturday, March 27 2010

Random Tales of a Mobile Phone Hacker

CanSecWest is just over - it was a real nice conference and I'm looking forward to come here again.

The slides for my talk Random tales of a mobile phone hacker are available here. The most interesting part should be my mobile phone HTTP header logging and analysis. See also this story.

I've put up a test page where you can check if your operator leaks your private data such as your mobile phone number (MSISDN), IMSI (SIM card ID), or IMEI (phone hardware ID). The test page is here: www.mulliner.org/pc.cgi. I promise that I don't log any data when visiting this page.

Tuesday, March 09 2010

Mobile Security News March 2010

Two stories I want to comment on:

FatSkunk software-based attestation as a solution to mobile malware. Article by the German Technology Review. They promise a lot. I don't think this will work as advertised (I haven't seen this at work - also I can't really find a paper about it).

Smartphone Weather App Builds A Mobile Botnet. So these guys created a classic trojan application (does something very simple and useful but has a malicious part too). Of course people will download the application from some trusted website - nothing to wonder about.

Just found another mobile security talk that will be held at CanSecWest: Stuff we don't want on our Phones: On mobile spyware and PUPs - Jimmy Shah, McAfee, Inc


Update March 9th:

Tuesday, February 23 2010

Mobile Security News February 2010 Part 2

Just links...

Gartner Says Worldwide Mobile Phone Sales to End Users Grew 8 Per Cent in Fourth Quarter 2009; Market Remained Flat in 2009 so you know what OS/platform you want to PWN this year :-)

NeoPwn = BackTrack Mobile NeoPwn Merges with BackTrack. Produces BT Mobile for #N900 it seems that WiFi driver for the nokia N900 (wl1251) was patched for RFMON and injection.

Android link collection mostly OS and security stuff

...thats it!

Wednesday, February 17 2010

CanSecWest 2010

Yea I will be going to CanSecWest for the first time this year. I'll have a talk on my favorite subject: Mobile Phone Security (Random tales from a mobile phone hacker). I'm really looking forward to this!

Second, there will be a mobile phone PWN2OWN again this year. They increased the cash pool for mobile devices to $60K, this looks like a statement! The devices/platforms are: iPhone (of course), BlackBerry, S60 (Nokia), Android.

Tuesday, February 02 2010

Mobile Security News February 2010

SecurStar did it again in 2006 there was RexSpy and in 2010 we have this mobile phone crypto comparison. But the knowledgeable community is big enough to identify and point out this kind of advertising/scam fast enough.

Conferences, the only interesting talk I found is: iPhone Privacy by Nicolas Seriot at Black Hat DC this week.

In other news, I still need a Nexus One. It is still not available to buy out side of the US. *ARG*

Updated (Feb 2nd):

Friday, January 15 2010

Mobile Security News January 2010

I have been busy as hell from mid December to now, this was due to the Chaos Communication Congress (26C3), the fact that I turned 30, and some work stuff. I guess I have missed some interesting stuff in this time. So once again if you have interesting things on mobile security tell me!

Conferences, ShmooCon taks place in February (I always wanted to go - still haven't made it). The New World of Smartphone Security - What Your iPhone Disclosed About You by Trevor Hawthorn. Karsten is doing his GSM: srsly talk again. Bluetooth Keyboards: Who Owns Your Keystrokes? by Michael Ossmann, for some time I did a lot with Bluetooth keyboards so I would really like to see what they show here - especially since Michael Ossmann is one of the guys who really knows about Bluetooth. honeyM: A Framework For Virtual Mobile Device Honeyclients by whole bunch of Military guys (SCNR). Blackberry Mobile Spyware - The Monkey Steals the Berries by Tyler Shields. So it really looks like ShmooCon has some mobile security content this year.

Random news:
Fun find:
    Abhoersichers Handy (Anti eavesdropping Mobile Phone) apparently this should cost 4800 Euros. The screen shots look interesting. If anyone has any details on this device please tell me.

Friday, December 18 2009

Mobile Security News December 2009

very short update...

SRI published an analysis of Ikee.B here: www.csl.sri.com/users/porras/iPhone-Bot.

I wrote about this stuff about a year ago here ;-)

Monday, December 07 2009

Mobile Security News November 2009

so I was quite busy with various projects therefore this update is really really late.

The most interesting thing that happened recently was the jailbroken iPhone SSH fuck up. See: 1 and 2. There are many other stories on this all over the net, also by now this is kind of old. The interesting thing actually is that I investigated this jailbroken iPhone SSH problem in August of this year. Including a nice statistic and some measurement. I'm planning to show this stuff together with some other work at some conference (academic and hacker) next year (talks/papers are submitted).

Conferences, I attended DeepSec in mid November, this was great fun. Including some good mobile phone security talks. At the upcoming 26C3 there will also be a bunch of talks on mobile phone security. Location tracking does scale up, GSM: SRSLY?, Playing with the GSM RF Interface, Using OpenBSC for fuzzing of GSM handsets, and SCCP hacking, attacking the SS7 & SIGTRAN applications one step further and mapping the phone system.

I actually planed to not attend 26C3 because last year kind of sucked, especially because there were way too many people. So this year I will go to some talks but not hangout at the conference. If you want to hangout during CCC give me a call or write me an email. Although my talk on SMS fuzzing was rejected I recently was asked if I would do it if they find a spot in the schedule. Of course, I would do it.

Recent papers: iPhonePrivacy.pdf shows some privacy issue with the iPhone platform. Nothing really surprising, but a good read.

I know I missed several things in this post but I kind of have info overkill in the last weeks. Please send me hints hints hints!!!

Monday, October 19 2009

Mobile Security News Update October 2009 part 2

Conferences: PacSec 2009 Charlie Miller is giving a talk on iPhone SMS Fuzzing and Exploitation, Rich Cannings & Alex Stamos are giving titled The Android Security Story: Challenges and Solutions for Secure Open Systems, and Yves Younan is giving a talk on Filter Resistant Code Injection on ARM (this sounds interesting). So PacSec seems to be filled with some good mobile security related talks.


Btw. the CanSecWest CfP is open now. I have something to submit but it will be complicated because of some academic conference. Let's see what happens.

Bug watch: Links:

Tuesday, October 06 2009

Mobile Security News October 2009

the guys from the Mobile Security Lab seem to have a lot of time recently a couple of days ago they released a short study on SSL on mobile phones: Tricks for Defeating SSL: effectiveness test on mobile phones.

Tomorrow (7th of October) Hack-in-the-Box 2009 takes place in Malaysia for some reason I always forget HITB. I can't remember ever reading a CFP or anything. They seem to have a few mobile security related talks. Here is the Agenda. Bugs and Kisses: Spying on BlackBerry Users for Fun by Sheran Gunasekera, Side Channel Analysis on Embedded Systems by Job De Haas.

Bug watch:
Palm Pre WebOS <=1.1 Remote File Access Vulnerability The short description is: The Palm Pre WebOS <=1.1 suffers from a JavaScript injection attack that allows a malicious attacker to access any file on the mobile device. Things get more and more interesting with web stuff on smartphones.


On October 9th the CFP ends for:
26C3: Here Be Dragons (26th Chaos Communication Congress)
December 27th to 30th, 2009 in Berlin, Germany

They always like mobile phone related talks, so go and submit something interesting.

Thursday, September 17 2009

Mobile Security News September 2009 p2

Lets start with conferences again. I'll be speaking at the 5th Annual Mobile Device Management and Security Forum this is a more high level non-technical conference, haven't been to stuff like this so it should be interesting. Another speaking event will be at the TelekomForum - Mobilfunktrends 2010 in Bonn, lets see how this goes.

Michael Mueller of silentservices.de found some nice SMS/MMS/Wap Push bugs in various smart phones. The bugs allow to spoof/obfuscate the sender address/number of MMS messages. This could be used for spam or social engineering I guess. The advisories are here and here.

The guys from the Mobile Security Lab published a primer on Service Load (SL) attacks. I haven't had time to read it yet. You can find it: here

So stuff happens in the mobile security world.

Sunday, September 13 2009

SEC-T was real good!

SEC-T was a nice event, I had a good time. The location was nice, the talks were good and I talked to some interesting people.

Some highlights: a reverse engineering challenge, a Wifi antenna building contest, and a bar quiz (a nerdy one). The best part, the team I was on won the quiz *G*

Bonus. I had the chance to play with a Nokia N900 (the Nokia Linux smart phone). This is a sweet device.

Monday, September 07 2009

The latest shit from me :-)

Vorsicht - ansteckend! (in German) something about mobile phone malware, this was even printed *G*

Researchers discuss iPhone, SMS bug Interview done by NetworkWorld at Black Hat this year.

I rather should be doing slides but I don't want to right now.

Wednesday, September 02 2009

Mobile Security News September 2009

Upcoming conferences:

#T2 in Helsinki October 29-30 will have a two talks first Forensics on GSM phones by David Batanero and second Spying via Bluetooth by Jamo Niemela. Especially the talk on phone forensics would be very interesting for me since lately the subject was brought to my attention by multiple people. David Batanero was also scheduled to talk at SEC-T in September but his talk was cancelled, too bad since I'm going to SEC-T but not #T2. As far as I can see my talk is the only mobile security talk at SEC-T this year.

DeepSec in Vienna on November 19-20 will have two mobile security talks. First Hijacking Mobile Data Connections 2.0: Automated and Improved by Roberto Piccirillo and Roberto Gassir (Mobile Security Lab) and second A practical DOS attack to the GSM network by Dieter Spaar.

Btw. I'll actually attend DeepSec this year. I'm looking forward to it since it will be my first time at DeepSec, and Vienna is a fun city.

Other interesting developments:

The various GSM cracking projects seem to be taking off this time around. The people behind AirProbe and Creating A5/1 Rainbow Tables seem to really want to build something that is easy usable. I really wait for the day this stuff is done and anybody with a old GSM phone has to be worried that someone with hardware for about 100 Euros can listen to his/her phone calls and can read his/her text messages (SMS).

I recently I had a fun idea for this idea I want/need a list of hardware that has a build-in mobile phone or GSM modem. If you know of such hardware please tell me (collin[AT]mulliner.org or comment on this post). Please don't tell me about laptop/netbook X with a build in modem but rather about your fridge or microwave that can call or text. So this is a call for hardware with embedded mobile phones!

Thursday, August 27 2009

Mobile Security News August 2009

this blog post is long overdue, but due to traveling and catching up on work this had to wait.

Black Hat USA had quite a few mobile security related talks, the slides are here: Exploratory Android Surgery by Jesse Burns (haven't read this yet), Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone by Vincenzo Iozzo and Charlie Miller. Attacking SMS by Zane Lackey and Luis Miras, Is Your Phone Pwned? Auditing, Attacking and Defending Mobile Devices (only the white paper - no slides so far) by Kevin Mahaffey and Anthony Lineberry and John Hering. The stuff for our talk Fuzzing the Phone in your Phone by Charlie Miller and myself is here.

It was nice to see that Zane and Luis took my MMS research and followed some ideas I had and made them work. Especially the part about running a your own MMSC (MMS Server). At the point in time where I tested this it did not work because the WAP-gateway that is configured in the MMS profile only connects to the MMSC of the mobile operator. I tested this with multiple US providers and some German providers in 2005/2006. I guess I have to do some testing here in Germany to see if anything changed for our local operators.

HAR2009 had a few interesting talks too. In no particular order: Cracking A5 GSM encryption by Karsten Nohl, Public transport SMS ticket hacking by Pavol Luptak, OpenBSC - running your own GSM network by Harald Welte (the slides are the same as the 25C3 slides), Airprobe - Monitoring GSM traffic with USRP by Harald Welte (could not find any slides, somebody took notes and put them here).

Did anything else happen in August? I think there was something but I can't remember. Hints welcome!

Thursday, August 20 2009

Speaking at SEC-T

It looks like I'm going to speak at SEC-T in Stockholm (Sweden). I'll talk about the SMS Security Research I've done together with Charlie Miller.

I'm really looking forward to go to Stockholm since I love both Sweden and Stockholm!

Thursday, August 13 2009

USENIX Security 2009

currently I'm hanging out at USENIX Security in Montreal. Talks are quite good and Montreal is a nice city to visit.

I just found out that our paper Injecting SMS Messages into Smart Phones for Security Analysis is already available for download. I also uploaded my slides for the talk. It is available on my SMS Security Research page.

Friday, August 07 2009

SMS Security Research

I just created the SMS security research page in order to publish the slides from our (Charlie and myself) talk at Black Hat USA 2009 titled: Fuzzing the Phone in your Phone.

The injection frameworks for the iPhone, for Android, and for Windows Mobile are available for download just now. Charlie provided his Sulley fuzzing test cases. The page is far from complete as we have more tools and scripts to share. But since I'm on vacation/business trip (depending on the actual day) I didn't find time to sort it all out.

I also updated my iPhone Security page with the link to Apple's security advisory for the vulnerability we reported. iPhone OS 3.0.1 fixes this vulnerability.

Sunday, July 19 2009

Mobile Security News July 2009

SexyView a Symbian Virus/Worm or bot(net)? I really don't care too much about viruses, so until this thing has a real control channel and can auto-update it is nothing. The one thing that I find interesting about it is the fact that it seems to be signed. This more or less proofs that signatures don't buy you any security. One can always somehow obtain a signature for a piece of malware. This is as good as having no signatures at all - well not exactly it still puts the bar a little higher.

The Windows Mobile HTC OBEX path traversal bug is interesting. Not because it is new but rather that this kind of bug made it once again into a device. So I guess no quality control at HTC. Alberto, the guy who found and reported the bug, told me that HTC was not really interested in communicating with him. This is sad since HTC will also be building their own Android devices soon. I just read that HTC seems to offer a hotfix for the issue.

On a personal note. As I wrote before I'll be going to Black Hat and Defcon in Vegas. Directly after Vegas I'll travel to the Valley (Los Altos and Mountain View). Before going to Montreal for USENIX I will spend some time around Santa Barbara. So if anybody is up for some mobile phone security stuff contact me.

Otherwise see you in VEGAS!

Monday, July 06 2009

Pwning Nokia phones (and other Symbian based smartphones)

Bernhard Mueller from SEC Consult posted this fine work on Symbian security to the full disclosure list. His white paper Pwning Symbian looks interesting (I haven't actually read it completely yet).

Friday, July 03 2009

Mobile Security News June/July 2009

I guess it is time again for a news update. I actually wanted to write one for June but I somehow forgot.

Let's start with the most recent stuff. Charlie Miller partially disclosed what we are going to talk about at Black Hat at the end of the month. Sadly some reporter over hyped his story. This sucked btw! Here are the original (over hyped) and the actual facts stories.

The HAR2009 program is out and there will be some mobile phone security related talks. Public transport SMS ticket hacking seems to talk about how to hack a SMS-based ticketing systems. cracking a5 gsm encryption will do a state of the art talk. There will also be a OpenBSC talk that will show how to build and run a GSM network based on opensource software an hardware everybody can buy. All in all HAR seems to be quite some fun. Sadly I wont be able to go due to time conflicts.

Fun find on BugTraq: Multiple Flaws in Huawei D100. The Huawei D100 is a small home 3G router (product page) that seems to be given out by some ISPs.

A personal side note: I now own/have-full-access-to a BS-11 Abis GSM base station and will soon start to play around with it. Happy happy fun fun.

Thursday, June 18 2009

Two NewOld Mobile Phone Advisories Posted

I've been waiting for quite some time to publish the full details of the iPhone Safari Phone-auto-Dial vulnerability. But since Apple included it again in the just published security fixes for iPhone OS 3.0 I decided to finally go ahead and publish the details. The examples in the advisory show only the original bug also we found some variations of it, we didn't put any examples in the advisory.

iPhone Safari Phone Auto-dial Vulnerability also see my iPhone page.

I'm also credited, together with many others, for reporting the issue that Mail loads remote images when displaying HTML emails. The problem is actually a little bit bigger since also iframes are loaded. I actually showed them a demo where I can start QuickTime from Mail without user interaction. Do I need to say more?

The second advisory is about the Nokia 6212 classic an Near Field Communication mobile phone. I did a full disclosure of the bugs at 25C3 in late December 2008 but I never published an actual advisory. I do this now.

Nokia 6212 Classic URI Spoofing and DoS vulnerabilities also see my NFC page.

Sunday, May 24 2009

Mobile Security News May 2009

First of all conferences. EUSecWest is taking place the coming week in London. It will feature multiple mobile security related presentations. First Charlie Miller and Vincent Iozzo each have a iPhone related talk. Second Petr Matousek will speak about rootkits on Windows Mobile/Embedded and third Ralf-Philipp Weinmann will talk about DECT decryption. Looks like EUSecWest will be an interesting place to be this coming week.

Right after EUSecWest PH-Neutral is taking place in Berlin where I will be showing of a small side project on mobile phones and web usage. Many other interesting talks will be held as usual.

Black Hat USA started to announce the speaker lineup for this year and yes I'm one of the speakers. Together with Charlie Miller we will talk about SMS Fuzzing. So far Black Hat seems to become very strong on mobile phone security this year. Jesse Burns will talk about Android, Zane Lackey and Luis Miras will also have a talk on SMS but from the description they took a different angle than Charlie and myself. John Hering from Flexilis also seems to have gotten accepted with a mobile phone related talk that sounds very interesting Is your phone pwned? Auditing, attacking, and defending mobile devices. Last but not least Charlie Miller and Vincent Iozzo will do an iPhone talk. I actually hope for more mobile phone related talks, lets wait and see.

The Nokia 1100 story is getting more and more annoying. In this article it is reported that this company called Ultrascan replicated the SMS interception. No technical details of course. So now I'm looking for people who are interested in the topic and who would also like to understand this and possibly replicate it.

See you at PH-Neutral this weekend!

Update:
    So it seems Google/HTC pushes Android security updates without publishing a change log. WTF?!? Any rumors about what this is about?

Tuesday, April 28 2009

Mobile Security News April 2009 part 2

just a quickie, the slides from BlackHat Europe are up for a few days. Here are the slides for Hijacking Mobile Data Connections and for Passports Reloaded Goes Mobile (clone a RFID passport using an NFC mobile phone). So far Charlie Miller and Vincenzo Iozzo only put up a whitepaper of their OS X and iPhone talk.

If you can understand German (spoken word) you might want to listen to Chaosradio Express episode 120 which is about OpenBSC and generally about building GSM networks or actually the software to run a network in your cellar/garage.

In the last week there was a short buzz about a old Nokia phone (Nokia 1100) that could be reprogrammed to sniff SMS messages. The story really sounds like a hoax since the whole subscriber ID stuff is handled through the SIM card rather then through the phone itself. There are not many details just the story. F-Secure has something in their blog about this too.

Yesterday the new Android version cupcake was released for developer phones, get your cupcake while its still warm :-) Get it from here.

Btw the Technology Review article citing me is only in the next issue (06.2009).

Saturday, April 18 2009

Mobile Security News April 2009

BlackHat Europe brought some new stuff:

First the guys from the Mobile Security Lab showed us that the OMA provisioning functionality can be easily abused to reconfigure the Internet connection settings on many mobile phones. Although the attack requires some user interaction and therefore some social engineering the attack is quite cool. Technology Review has an article on their work. Nice Work guys!

The second mobile device related piece from BlackHat Europe is that Charlie Miller showed a workaround for the non-executable memory of the iPhone. I haven't see the slides of his talk but NetworkWorld has an article on Charlie's iPhone find.

I was interviewed by the German version of Technology Review on the subject of smart phone security and malware. As far as I know the article citing me should be in the current issue (05.2009).

Otherwise not much happened in the world of mobile device security.

Thursday, March 26 2009

Mobile Security News March 2009

few things happened besides Pwn2Own. One thing I missed about the mobile pwn2own is that Sergio Alvarez apparently tried to own a BlackBerry device but failed due to device/software mismatch. Hey at least he seems to have a exploitable bug for BlackBerry, nice!

Since today the slides for CanSecWest are online. The mobile security stuff is here: 1 2 3 4

At the upcoming BlackHat Europe some guys from the Mobile Security Lab will give a talk on Hijacking Mobile Data Connections . This sounds interesting too bad I can't go.

Feedback is welcome, any good sources to recommend? Any mailing lists?

Saturday, March 21 2009

Some notes on Pwn2Own Mobile

so it looks like Pwn2Own mobile failed the first time it was around. This is a surprise for me. I would have guessed that the iPhone would be have been taken even it's Non-Exec-Memory since many more people try to break it in comparison with the other mobile platforms.

Symbian was the only mobile platform somebody tried to pwn? This is a bigger surprise to me. Especially since Pwn2Own only offers a Nokia N95, a device that has Non-Exec memory. I tried to closely follow Pwn2Own mobile so when I first saw that Symbian was in the game I thought this will be uninteresting since they will take a brand new device with Non-Exec memory. When I read about the Nokia E61 in this announcement I was really happy since this device doesn't have Non-Exec memory. In the latest announcement the E61 seems to have been removed. Possible because the figured out that it was way to old, bummer.

I actually predicted that somebody will own the Windows Mobile device and the Android G1 but they all survived. Maybe all the bugs were already reported to the manufacturers before mobile pwn2own was announced so they could not be cashed (I at least know about one case). So I guess people will hold on to their (mobile) bugs until next year's CanSecWest/Pwn2Own. Especially now that some well known people called for their no more free bugs campaign. One last point that I found nice was that for mobile pwn2own the goal was not necessary code execution but 1) loss of information (user data) OR 2) incur financial cost. My iPhone phone call bug would probably have counted, so I guess I should also keep bugs for myself now.

Tuesday, February 24 2009

Mobile Security News February 2009 Part 2

SIMKO2 is the new super secure smart phone for German government officials. According to heise.de the device is based on HTC touch pro and runs a hardened version of Windows Mobile. The device and all it's communication with the outside is going to be encrypted using a micro-sd smartcard (see here). Also the SIMKO2 devices seem far from being deployed since they seem to have some performance issues with the encryption, see here, also heise.de reports that the SIMKO2 devices are faster then the original touch pro. If you can read german you should check out these three links: 1 2 3.

Sexy View is the first signed Symbian worm (makes it the first effective worm for S60 3rd edition). The worm spreads through simple social engineering, it sends a SMS to every contact in the contact list of an infected phone. The SMS simply contains a URL to the worm's SIS file on the internet. What I find interesting is the payload of the worm, since it doesn't seem to send any premium rate SMS or MMS but collects information about the phone (IMEI) and the SIM card (probably IMSI and MSISDN). This makes me wonder what these information are being used for or maybe used for in the future. Fortinet thinks that the worm could be the first step of a mobile botnet, also there is no proof yet that the worm contains any update or remote control mechanism. This could be a really interesting thing in the near future.

The mobile bug of the week is a XSS attack against a HSDPA router using SMS, see here. Like most routers the Huawei E960 is controlled via a web interface. The interesting feature of the E960 seems to be that it displays un-escaped SMS messages in the web interface and therefore can be exploited through SMS messages containing HTML and JavaScript. The attack is really funny, also I think it is quite impractical since the victim would need to load the router configuration page in his web browser in order to trigger the attack. Never the less this is a great attack!

Thursday, February 12 2009

Mobile Security News February 2009

This year's CanSecWest will have a good amount of smart phone security related talks besides the earlier announced mobile pwn2own contest. Talks seem to be focused on the iPhone and the Android platform. 1) Alfredo Ortega and Nico Economou - Multiplatform Iphone/Android Shellcode, and other smart phone insecurities 2) Jon Oberheide - A Look at a Modern Mobile Security Model: Google's Android and 3) Sergio 'shadown' Alvarez - The Smart-Phones Nightmare. I suppose Sergio Alvarez is also going to talk about the iPhone since Apple fixed multiple bugs that he submitted in the iPhone 2.2 update. I'm a bit sad that I can't attend CanSecWest.

At BlackHat Europe Jeroen van Beek will show his NFC-phone-based e-Passport cloning tools. Maybe there is even more mobile security stuff going on there since the speaker list is not yet complete.

Done with conferences for this post. The guys from the Mobile Security Lab just launched their poc site where people can test their phones using exploits developed by the mobile security lab. Nice idea!

Last weekend at ShmooCon Charlie Miller released details on a vulnerability in Android's audio player. Some links: 1 2

Related news: Palm has finally killed PalmOS. I really waited a long time for this to happen. PalmOS was just way past its time. This a good and sad thing but now its over.

Did I miss anything?

Saturday, January 24 2009

Mobile Security News January 2009

I just read that CanSecWest's Pwn2Own is going mobile this year. It looks like they are going to have an iPhone, a Android (should be a G1), a Symbian, and a Windows Mobile device too pwn and own. I wonder how the rules are going to be for these devices. via twitter

Second part. There seems to be the first mobile phone banking micro payment trojan out in the wild according to Kaspersky Labs. The trojan targets a micro payment service that allows transfer of money and minutes between users of the service using SMS. Another interesting part of the story is that the trojan is just a modified version of an existing premium SMS trojan. Stories: 1 2.

Thursday, January 15 2009

NFC/NDEF Tool Update (from 25c3)

I've just uploaded the latest version of my NFC/NDEF tools. This is the version that I presented at my talk at 25C3. I mainly added some parsers for the new NDEF records supported by the Nokia 6212 Classic. Also included are some bug fixes and a small fix to talk to the BtNfcAdapter running on the Nokia 6212. I further included some more attack samples and an updated version of my ndef_mifare reader/writer tool.

At 25C3 I had the chance to take a look at Motorola's L7 NFC phone that is used by Deutsche Bahn Touch and Travel. The phone is not a real NFC phone, Motorola just replaced the battery lid with a lid that also contains the NFC hardware (or maybe only the antenna). The only NFC functionality the phone supports is the Touch and Travel application. What is really bad is that the user first needs to start the application and then hold the phone up to the Touch Point. WTF? How is this going to be a good user experience? The Nokia phones constantly scan for NFC tags and start the appropriate application as soon as one holds the phone up to a tag.

Finally I have noticed that RMV ConTags are starting to appear all over the place out side Frankfurt/Main. Also they only seem to be placed at big stations like the Darmstadt main station (Hauptbahnhof) but not inside the city. As always I like to know about interesting new NFC services around Europe and especially Germany.

Friday, December 19 2008

HTC Touch vCard over IP Denial of Service

here is another nice Windows Mobile (HTC) security bug that is related to WAP push. The vulnerability can be triggered by sending vCards to port 9204/UDP over either WiFi or GPRS/UMTS. The effect seems to be significant device slow down and/or device freezing that requires battery removal. This again reminds me of my good all MMS Notification DoS attack.

The bug was discovered by the Mobile Security Lab (who ever this is). I hope we will see more interesting discoveries from them, they just seem to have setup their site in October.

The Danger of Jailbroken iPhones (not really news)

first, I known I'm not the first one to write/warn about this so don't flame me for it.

I recently jailbroken my iPhone so I could take a closer look at the iPhone and it's OS. As most people I just used the PwnageTool from the iPhone Dev-Team. It is easy, fast and just works. So what most people forget is that the jailbroken iPhone OS comes with an ssh server and that the root and mobile users have their password set to alpine (mobile password is dottie). This basically means that everybody can log into every jailbroken iPhone as user root. When I jailbroke my iPhone I didn't change my password right away since I was too busy playing with the new features and I strongly believe that many other people never changed the password of their jailbroken iPhone.

Again the danger lies in public Wifi hotspots or any other situation where you share Wifi with people you don't know. A good example is the upcoming Chaos Communication Congress which has one of the most hostile (wireless) networks I know.

So what can happen if you leave your iPhone's password unchanged? That is what I cooked up the last few nights.

The Basics:
  • Anyone can log into your iPhone as user root and/or mobile
  • Anyone can copy files to and from your iPhone using scp
In further detail this means all your private data is gone, just like this:
SSH_PARAMS="-q -o NumberOfPasswordPrompts=1 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
scp $SSH_PARAMS root@$IP:/var/mobile/Library/AddressBook/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/SMS/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/Notes/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/Calendar/* /tmp/yourdata/
The code shown above simply copies your Addressbook, SMS, Notes, and Calendar from your iPhone using scp (secure copy - part of ssh). I know there is much more to steal like: photos, email, or vpn configuration. This attack is so simple everybody can do it without any special knowledge or tools.

Getting your personal data stolen can happen to you anywhere but there is another threat that is more likely at events like the Chaos Communication Congress, defcon, and any other conference with a high number of jailbroken iPhones: a worm.

A worm that simply spreads using ssh/scp and the default root/mobile password can be written in bash (which is installed on all jailbroken iPhones) in about 4 hours. The worm just (tries to) copies itself (a bash script) to every host on the local wifi network in the background. Background tasks can be easily setup using launchd. Just add a new task that runs the worm shell script every couple of minutes. This is no big deal for anyone with just basic understanding of ssh,scp,bash, and launchd/launchctl. I was able to do this in an evening mainly using Google to get the appropriate launchd plist syntax.

Don't get me wrong, I don't want to encourage anyone to do all this. I just show you how damn easy this is. So please change your root/mobile password on your jailbroken iPhone - or somebody else will do it for you.

Btw. if you are looking for the images that the iPhone takes about anything you do some of these are located here: /var/mobile/Library/Caches/Snapshots (of course this is not new either see here).

Friday, December 12 2008

NFC Paper @ ARES 2009

today I submitted the camera ready version of my paper Vulnerability Analysis and Attacks on NFC-enabled Mobile Phones to the Workshop on Sensor Security at ARES 2009. Finally a academic publication again. Done this now I'm official on Christmas vacation until 25C3.

Thursday, November 20 2008

iPhone Safari Phone Call Bug

Today we published a small security bug present in the iPhone OS until version 2.1. The bug is small but has big impact in the way that it can be used to call arbitrary phone numbers from visiting a website.

More details including a video (but not full-disclosure) can be found here (German only): www.sit.fraunhofer.de/pressedownloads/pressemitteilungen/iPhoneHack.jsp

We will do a full-disclosure as soon as the update is out and people had time to install it. Details will be available here.

Tuesday, November 04 2008

NIST Guidelines on Cell Phone and PDA Security

NIST just released their Guidelines on Cell Phone and PDA Security here are some comments from my side.

Overall I think the document is quite good covering the field well. My main point of critic is the way they present their references. The document cites many news sites instead of the original publisher's site/document. Therefore some of the references are more or less useless since they don't provide the path to more detailed information. I not only write this because they quote theregister on my MMS vulnerability but also because of quoting zdnet on various other vulnerabilities rather than the original advisories. To make it clear I don't think the articles by these news sites are bad or wrong, I just think people reading NIST publications expect a little more detail.

Tuesday, October 21 2008

WindowsMobile Vulnerable to WAPPush Attacks

This post in the XDA-Developers forum shows that Windows Mobile 6 on HTC devices is vulnerable to malicious WAP Push SI (Service Indication) and SL (Service Load) messages. An attacker can send a message containing a URL to an executable, the executable will be automatically downloaded and executed WITHOUT any user interaction. The problem is that HTC disabled the security settings for these kinds of WAPPush messages, normally a device should only accept these kinds of messages from trusted originators (e.g. your service provider - don't know if I want this either).

The fix to this problem is very easy as it just requires modification of a few keys in the mobile phones registry (yes Windows Mobile has a registry). (The steps to do this modification is described in the original advisory.)

The bug is kind of similar to one of the MMS-based bugs I discovered 2 years ago where the Windows Mobile devices would accept WAPPush messages over UDP (WiFi).

This WAPPush auto execute configuration bug is really bad since it would allow anybody to write a very simple worm that only needs to send WAPPush messages (SMSs) to spread. The victim device than downloads and executes the worm binary from the Internet.

They even made a demo video, also you don't see too much.

Some open questions from my side:
  • Is it really only HTC devices?
  • Is it only Windows Mobile 6?
  • Does this work via WiFi (like my notiflood tool)?


Slientservices.de Author's website
The Advisory

Monday, October 13 2008

Slides for Exploiting Symbian

Here are my slides for my BlackHat Japan talk Exploiting Symbian. This work was done as part of my research at Fraunhofer SIT. If you have any questions please contact me through my website at Fraunhofer SIT.

Wednesday, September 10 2008

PPTP VPN for my iPhone

I just setup pptpd for my iPhone. Since I don't really trust all the application developers to think about my passwords and my privacy.

I know PPTP is not the best VPN solution but it works and was easy to setup.

@Joe du auch wolle?

Tuesday, September 09 2008

Mifare ID Spoofer

Alex recently got a Mifare (RFID) ID spoofing device. Last weekend at the MRMCD111b we got to play with it. I'm looking forward to try it against some real targets.

Saturday, September 06 2008

Exploiting Symbian Talk @ BlackHat Japan

so looks like I'm going to BlackHat Japan in October to talk about my latest project SymbianOS Exploitation. I'm really looking forward to it since I never been to Japan and BlackHat before.

BlackHat Japan speakers page

Saturday, August 16 2008

Nokia 6131 NFC URI Spoofing and DoS Advisory

I finally came to post the official advisory Nokia 6131 NFC URI Spoofing and DoS Advisory to the usual mailing lists in order for this thing to get into the vulnerability archives.

Friday, August 08 2008

Slides for BlackHat/DefCon 2008

slides for for BlackHat and DefCon 2008 are already available online.

Get them here and here

Monday, May 26 2008

NFC Phone Tools

here are my NFC security tools this time for your Nokia 6131 NFC. The tool set consists out of: BtNfcAdapter (a simple NDEF reader/writer that is controllable via Bluetooth - basically turns your 6131 NFC into a lightweight tag reader/writer), BtNfcAdapterRaw (Mifare Classic raw reading version of BtNfcAdapter), and MfStt (the Mifare Sector Trailer tool, a very basic tag security checker).

All the tools are for educational purposes only! They are not stable! Especially take care when using the writing features of MfStt).

Feedback is welcome as always. I also accept dumps of cool NFC tags (only including a picture of that very tag).

Saturday, May 24 2008

Python NDEF Library

I just uploaded the first version of my Python NDEF library.The library supports all types standardized by the NFC-Forum until now. I also implemented support for Nokia's Bluetooth Imaging tag and added a parser for the RMV ConTag.

I also uploaded some tag samples (dumps of the tag data). The dumps also include the Mifare sector trailers (if this is of interest for you).

Feedback is very welcome!

Friday, May 23 2008

Slides for Attacking NFC Mobile Phones

here are the slides for my talk Attacking NFC Mobile Phones that I gave at EUSecWest2008. The tools, libraries, examples and data dumps will be uploaded soon.

Wednesday, April 23 2008

Attacking NFC Mobile Phones @EUSecWest08

looks like I've been selected to give a talk at EUSecWest this year. The subject will be the security of NFC (Near Field Communication) mobile phones.

My friend Alech also seems to have a talk there. This should be some fun.

Tuesday, March 18 2008

RaidSonic NAS-4220 telnet root login without password

another bug I found in the software of the NAS-4220-B is that you can use telnet to login to the NAS-4220-B as root without being ask for as password. This is possible right after boot of the device. The problem seems to originate from the fact that the software puts together the filesystem in ram during boot. The actual bug is that telnetd is started before /etc/passwd is populated with a root account that has a password set.

[1] raidsonic nas4220 disk crypt key leak

Sunday, March 16 2008

RaidSonic NAS-4220-B Disk Crypt Key Leaking...

Found while playing with my NAS-4220-B last Sunday. RaidSonic didn't answer my emails so here you go.

--- BEGIN ADVISORY ---

Manufacturer: RaidSonic (www.raidsonic.de)
Device:       NAS-4220-B
Firmware:     2.6.0-n(2007-10-11)
Device Type:  end user grade NAS box
OS:           Linux 2.6.15
Architecture: ARM 
Designed by:  Storm Semiconductor Inc (www.storlinksemi.com)


Problem: 
 Hard disk encryption key stored in plain on unencrypted partition.


Time line:
 Found: 09. March 2008
 Reported: 09. March 2008
 Disclosed: 16. March 2008 


Summary:
 The NAS-4220-B offers disk encryption through it's web interface. The key
 used for encrypting the disk(s) is stored on a unencrypted partition.
 Therefore one can extract the encryption key by removing the disk from
 the NAS and reading the value from the unencrypted partition. The key
 itself is stored in a file in plain (base64 encoded). Therefore the 
 NAS-4220 crypt disk support can not be considered secure.


Details:
 The NAS-4220-B can hold two SATA disks. Disk are encrypted through a 
 loop back device using AES128. The problem came to my attention when
 I could access the NAS after reboot without suppling the hard disk key.
 
 The key is stored in /system/.crypt, "/system" is a small configuration 
 partition on the same disk that holds the encrypted partition. The system
 partition is created by the system software running on the NAS-4220. The
 configuration partition of the second hard disk is not mounted by default
 but also contains the .crypt file holding the key for the encrypted 
 partition on the same disk.


 Accessing the key (key value is the example I used):
  $ cat /system/.crypt
  MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
 
  key in plain           key in base64
  12345678901234567890   MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=


 Base64 decode:
  #!/usr/bin/python
  from base64 import *
  print b64decode("MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=")


Reported by:
 Collin Mulliner 

--- END ADVISORY ---



raidsonic_nas4220_crypt_disk_key_leak_09Mar2008.txt

Thursday, February 21 2008

Breaking Disk Encryption

Some guys from Princeton found a way to defeat disk encryption systems by extracting the key from the memory of a computer/laptop. While this is not really new (other people did that before), their way is quite cool. They remove the RAM module from the computer and read it in a other computer in order to do this without loosing the content of the RAM module they freeze the RAM module and with freeze they really mean freeze.

Check out the demo video.



Their paper explains it in all details. Read it if you use disk encryption and feel safe.

[1] Cold Boot Attacks on Encryption Keys (paper, video, faq, ...)

Saturday, February 09 2008

iPhone Baseband Exploit!

Somebody or some group seems to have found a exploitable buffer overflow in the iPhone's baseband processor. The baseband processor is the subsystem of the phone that talks to the GSM network. The overflow seems to be in the SIM Toolkit manager.

The exploit lets one upload code into the baseband, so one could insert some application into your iPhones baseband. The this application would be mostly undetectable since the memory can not be read from the application processor.

Lets see what happens with this little thing...

Source:
From: steve 
To: gsm@lists.segfault.net
Subject: [gsm] JerrySIM -> Executing shellcode on the iPhone baseband

Hi,

JerrySIM leaked yesterday. It was posted here:
http://code.google.com/p/iphone-elite/wiki/JerrySim

The exploit code has been removed shortly after but google cached it
already :/ It's out.

The program exploits a bug in the SIM Toolkit manager (which is running
on the baseband) and thus enables the execution of shellcode directly
on the baseband.

This is good work.

This has the potential to turn the iPhone into a listening device.
It still requires a lot of work and I do not know if any of the iPhone
hackers is working on it. 

regards,

steve
[1] code.google.com/p/iphone-elite/wiki/JerrySim
[2] Exploit code from Google cache

Sunday, October 21 2007

Anti DNS Rebinding patch for Dnsmasq from 0sec

here is a patch for Dnsmasq (the very popular DHCP server and DNS forwarder and cache) that will prevent DNS rebinding attacks against private networks (192.168,10.,...). The patch basically adds a filter to the forward resolver of Dnsmasq. The filter will basically drop all private IP addresses contained in answers. Of course this will not prevent a rebinding attack against other IP ranges like if your local network uses some public IP range. But since Dnsmasq is mainly used for home Cable/DSL routers (like the OpenWRT-based routers) this patch should offer sufficient protection.

dnsmasq_stopdnsrebind.patch (for dnsmasq 2.40)

To activate the DNS rebinding protection add --stop-dns-rebinding to the dnsmasq command line. I made it a command line option since dnsmasq is also used as a DNS cache on clients (e.g. Nokia N800) and you still want to be able to resolve local IP addresses.


Feedback is welcome!

Links

Wednesday, September 12 2007

Crypt Everything!

Last week I moved my last computer to full disk encryption (FDE if you need an acronym). The last computer was my desktop/laptop therefore I thought it will be slightly more work since I wanted to have suspend to disk (aka. hibernation) - it turned out to be quite easy after all (see 1).

Previously I had setup my rented root server and my home server using a small hand build system you can ssh to in order to open the root partition and continue to boot the real system (see 2).

In the recent days I did some research on possible attacks against fully crypted computer systems. Basically there is only one attack (if we rule out a brute force attack against the encryption key) this is keylogging. Keylogging basically is trying to capture all key strokes in order to obtain the passphrase for the crypted disk. Keylogging can be be done in either soft- or hard-ware both have advantages and disadvantages for both the attacker and the victim (the owner of the crypted disk).

Hardware keyloggers basically are small devices that are plugged in between the computer and the keyboard. The device then just logs all key strokes that it sees. The big advantage (for the attacker) is that this is totally OS independent. The big disadvantage for attacker of course is that he needs physical access to the victims computer twice (once to install once to retrieve the logged data). Further the victim can more or less easily find a hardware key logger if he cares to look for one. Also there are PCI-card based keyloggers (see [3]) that are probably harder to find (the computer would need to be opened). There are also keyboards with build in keyloggers (see [4]) but I doubt that these are any good since most people would recognize if their keyboard has suddenly changed. Of course you could also open up the victims keyboard and place the keylogger there, but there is always a chance that you break the keyboard while doing this. The biggest disadvantage of hardware keyloggers is that these can't monitor remote login sessions which can also be used to decrypt and boot a computer, this is where software keyloggers come into play.

Software keyloggers come in two variants, the general kernel/driver based keylogger that just monitors all keyboards and terminal devices (e.g. a remote session) and the application based keylogger where a specific application is modified so that it logs some specific or all input (e.g. the decrypt command could be modified to log the passphrase). So software keyloggers have the advantage that they can log more data (local + remote sessions) but have the big disadvantage that the attacker needs system level access to the plain not encrypted part of the computer (e.g. the boot partition) in order to place the modified kernel or binaries. If the hardware is probably secured (e.g. not booting from external disk or cdrom) the software manipulation will take really long since the hard disk would need to be removed (or at least the PC would need to be opened). Also this might not be possible at all if the victim always boots the computer from an USB stick that he carries around with him at all times. In this case there wouldn't be a plain boot partition on the PC and therefore nothing to modify. If the victim still needs to type-in the crypto password a hardware keylogger could catch him.

Laptops seem special while searching for keyloggers I only found that laptops are harder to attack since they are relatively small and therefore don't have much space to hide a hardware keylogger. The only thing I found was a Mini-PCI card based keylogger (see [5]) but since most laptops have Mini-PCI wireless cards this looks quite strange? Of course you could always disassemble the laptop to add a keylogger but this also takes a lot of time and there is always the chance to break it. The best time to do this would be if you send your laptop in for repair.

PDAs I like my Palm Tungsten T5 because it supports complete filesystem encryption. Of course this encryption is not verifiable since the source is not open but at least it is a secure algorithm (AES).

Backups don't forget to encrypt your backups. Having a fully crypted PC and plain text backup is just stupid. Good backup software should support this. Otherwise PGP/GPG your ZIPs/tarballs/whatever.

I would say that keylogging is only feasible under certain conditions: the attacker is extremely knowledgeable and the victim is some how unaware. All other cases would involve a huge portion of luck for the attacker.

[1] good starting point for crypto suspend: howto completly encrypted harddisk including suspend to encrypted disk with ubuntu
[2] small howto on: build a crypted root server
[3] PCI-based keylogger
[4] Keyboard with built in keylogger
[5] Mini-PCI keylogger
[6] USB keylogger

Saturday, September 01 2007

Marko's RexSpy Article

Marko Rogge finally published his article on RexSpy (see my comments on RexSpy). Marko and I talked a lot about RexSpy in order to determine if a bug/attack like Hafner described is possible at all.

The article is available as Blog Entry and PDF

One actually funny part of the whole story is that after I published my comments on RexSpy I got tones of emails from various people of which some seem to hope that I know how it works. So folks tried to get more information from me (I didn't have any more information). One guy even had product ideas based on this technology. Just hilarious!

Wednesday, May 02 2007

Crypted Root Server

some time ago I setup a new root server for a new project of a friend and myself, this time I wanted to go full crypto. In the beginning I thought this might be a lot of work but as it turned out it is quite simple if you do some thinking.

There are many ways to do this, this is how I did it.

The setup works like this: the server boots into a minimal system starting only the SSH daemon. The you login and enter/upload the passphrase to unlock the disk(s). Finally you tell the system that you are done, after which you are kicked out and the system completes the boot by mouting the real root partition and executing init from there. At this point everything is as usual.

There are two basic parts in this setup: first building a good minimal system so you don't waste too much space and second build the init script for the minimal system.

The minimal system needs to contain stuff like: sshd, filesystem tools such as mkfs, fsck, fdisk, etc., cryptsetup, networking tools like ifconfig, route, ip, etc., mdadm (if you run raid), and of course all the required libraries. The easiest way to do this is using the recovery tool your hoster provides. Just setup a minimal system on one partition and strip it down before moving it to the boot partition.

The init script is quite simple, it needs to do three things: first, configure the network (ip address and route); second, start sshd; and third, start the actual system after the root partition has been unlocked. My script works as follows: after sshd has been started the script waits for a file to be created in the tmp directory. As soon as the file is created all ssh processes are killed, and the real system is booted.


Files:
    file list of my minimal system
    init script for minimal system (touch /tmp/READY_TO_BOOT after you unlocked the root partition)


Some notes:
    You need to encrypt your swap otherwise this is useless!
    If you upload a key to your minimal system only upload to key to a ram drive, never write it to disk. Otherwise all the work is useless!
    Remember your key! Remember your key! Remember your key!


Todo:
    Filesystem integrity check for the minimal system. This is a very hard task and I don't have a solution so far.

Tuesday, April 03 2007

Aircrack-ptw cracks WEP in 19 Seconds on my N800

I just benchmarked Aircrack-ptw on my Nokia N800 (ARMv6 320Mhz) and it finished in 19 seconds. Sadly enough the wireless packet injection doesn't work on the N800/770. 19 Seconds is quite impressive.

Breaking 104 bit WEP in less then 60 Seconds

Erik Tews with the help of two others published a new attack on WEP called: Breaking 104 bit WEP in less then 60 Seconds.

Like the older attacks on WEP this attack uses sniffed IVs in order to break/compute/crack the WEP key. The nice thing about this attack is that it only needs between 40.000 and 85.000 unique IVs (older attacks needed between 250.000 and 1.000.000 in order to succeed). This already reduces the overall attack time since one needs to capture less packages. But the attack also uses a new/other attack on RC4 which further improves the speed. The paper gives an average of 3 seconds on 1.7Ghz Pentium-M. The attack even works with 5000 keys.

Paper
Info and tool

Friday, March 16 2007

RexSpy Slides

here are the slides on RexSpy. They say nothing at all, I just post the link for completeness.

Thursday, March 15 2007

The RexSpy Phone Trojan

since I first heard about RexSpy in late February (I know it was announced in October 2006) I wanted to know how real it is and how it works.

    RexSpy is supposed to be the ultimate mobile phone trojan that allows one to monitor (listen to) all calls of the infected device. Also the Wilfrid Hafner (the author) claims that it works on every single mobile phone.

The German Focus (a mainstream non technical magazine) interviewed Hafner and did a trial using a SymbianOS and WinCE based phone. They claim that he could listen to calls made with both phones. Other websites like Techworld.com quote him saying that this attack also works against a Siemens C45 (which is a very simple phone with out a fancy smart phone OS).

I myself connected Hafner to find out if he is willing to release real technical information to the public about his findings, but he refused saying that he sold the RexSpy Technology and therefore no longer could publish any material. This is very bad especially because Hafner's company is selling a protection kit against mobile phone tapping. This makes you wonder if this is just a marketing thing.

Since I'm not a student anymore I don't have too much spare time on my hands so I only did some basic research. The basic operation of RexSpy as claimed by Hafner is: the trojan is install via a SMS (a Service-SMS to be precise). The trojan itself creates a kind of back channel by calling home as soon as the infected phone has an incoming or outgoing call, thereby the attacker can listen to the call. But how does this work? First idea was: a bug/feature in the GSM module or SIM card (or SIM Toolkit). A bug is kind of unlikely to be present on all platforms. A monitoring feature would be documented by someone, so this is also unlikely.

I searched a little more and found the recording of Hafner's talk at Systems, in his talk he kind of gives it away (if you know what you have too look for). He says he only implemented it for Windows Mobile (WinCE / PocketPC). That is very interesting since he first claims the RexSpy is universal across all platforms. The thing that keep me thinking is the Service-SMS which others (including myself) call binary-SMS, since I used binary-SMS for my MMS attack. Here you basically tell the device where to download a MMS message. But as far as I remember there are other binary-SMS messages (or actually WAPPush messages that are send via binary-SMS) that tell a mobile phone to go and download a WAP/WEB page. The URL could of course also point to a application binary, which could be downloaded and executed without user interaction. So maybe Hafner just found a small back door in the WAPPush handler that allows silent application installation, and writing a phone monitor tool for Windows Mobile and SymbianOS shouldn't be hard at all. For monitoring one could use the simple feature like a conference call, this way the trojan application would be very simplistic and small.

I'm still not 100% sure how it works (especially because he claims that it works with a old Siemens C45) but analyzing the Windows Mobile RexSpy Killer provided by SecurStar should bring me a step further (I haven't done this yet). I'll keep working on this and keep you updated.


I would really love to hear some comments on this.

Links:
Zone-H
Techworld (Hafner's talk at Systems in German language)
SecurStar

Sunday, December 31 2006

HID Attack Page

I just uploaded the web page I made for HID Attack. It explains how it all works. Enjoy.

Friday, December 29 2006

HID Attack - Attack Bluetooth Keyboards

Finally I released my HID attack kit I build over a year ago, get it here. Thanks to Thierry for including it in his talk!

Story on Heise.

Sunday, December 17 2006

The Silver Bullet Security Podcast

Gary McGraw's Silver Bullet Podcast is a real nice podcast on computer security. If you are a security person check it out!

Sunday, October 29 2006

New RSG Website

The Reliable Software Group (RSG) the lab I used to work for at UCSB finally put up the new website including all my Smart Phone Security research. I also put up my Master's Thesis titled Security of Smart Phones.

I also updated my Mobile Security Research website.

Monday, October 16 2006

Advanced Attacks Against PocketPC Phones @ 23c3

I'm going to do my 0wnd by an MMS talk at 23c3. The talk is more or less a redo from defcon-14, but I will try to fix it up a little. This will be my first talk at a Chaos Communication Congress and I'm already looking forward to it.

Thursday, September 28 2006

ACSAC paper: Vulnerability Analysis of MMS User Agents

my second scientific paper, this time at ACSAC. The topic is MMS again - actually the paper was done before DEFCON. For more infos see details for Session 2. The paper is the last one in the session.

PS: I also applied to 23c3 with the same topic aka the DEFCON talk.

Saturday, June 17 2006

Talk at Defcon 14

I'll be giving a talk at this years defcon (#14). My talk will be on Advanced Attacks Against PocketPC Phones and I will show some neat new stuff for/against PocketPC phones.
DC14

Thursday, May 25 2006

Trying greylisting

I've added greylisting to the list of spam countermeasures for our server project. It works surprisingly well and the amount of spam arriving at my inbox is reduced by a ratio of 20:1. While this is good there are of course downsides of greylisting such as an artificial delay for delivery of valid or good email. Also auto whitelisting should take care of regular contacts. Anyway I'm really interested in how many of our users will see the change in amount of spam vs. delivery delay, and if anyone of them will demand permanent whitelisting :-)

Wednesday, May 03 2006

Paper @ DIMVA2006

My (with others) first scientific paper: Using Labeling to Prevent Cross-Service Attacks Against Smart Phones


Tuesday, March 07 2006

MobileSecurity @ MUlliNER.ORG

just put up my mobile security research page. It will basically be a annotated link collection, since my stuff will mostly be PocketPC Security and I have a separate section for this. Feel free to send me additions and/or corrections.

Tuesday, February 07 2006

BSS - Bluetooth Stack Smasher (a L2CAP fuzzer)

Pierre Betouin wrote this nice little L2CAP fuzzer based on my psm_scan (l2cap port scanner). He also already discovered bugs in several phones with it.

The tool can be found at: www.secuobs.com

nice work!

Thursday, January 05 2006

Bluetooth Spam in Berlin

mh57 just pointed me to a Spiegel Online article about Bluetooth advertising or BlueSpam as I like to call it. Its about a German company which uses Bluetooth to beef up their billboards in Berlin. Apparently they just push images, videos, text ads and coupons to any Bluetooth device in range. This is annoying but you can of course just ignore/reject the transmission or turn of visibility. The actual security/privacy problem is that people maybe get used to accept connections from certain senders e.g. BlueSpam (of course you wouldn't name your system BlueSpam). So what keeps me from standing next to one of the billboards naming my laptop BlueSpam and instead of sending a coupon I send hello.jpg. And since some phones still don't show what the Bluetooth connection is for I just pull their phonebook etc., the user will just see Allow connection from BlueSpam? Sure I want that coupon.

This is not a good idea!

Btw. the company doing this stuff is: Wall AG

Monday, December 12 2005

UCSB iCTF '05

on Friday Dec. 09. another UCSB iCTF took place once again. As always I was just helping out (the main work is done by others Greg,Vika and Marco) writing services, placing backdoors and doing what ever is needed. Every time the event gets bigger and bigger, this time there were 22 teams with about 20 players each plus 2-5 admins for each team and about 10+ people at UCSB organizing - this is about 500 people!

In the last years teams from Italy dominated the CTF, but not this time! The winners are all German speaking #1 Aachen, #2 Vienna and #3 Darmstadt. The full scoreboard with all teams is here.

This was really fun, even for just watching the teams fighting each other :-)

Tuesday, August 30 2005

Crypto USB disk with dm_crypt and FreeOTFE

I all ways wanted to go crypto for my data storage but until now I never owned any big storage device. Now I have an external 250 gig USB disk which I want to secure.

The thing with crypted disk all ways comes down to where can I read the disk? Only on my computer, only with one specific OS, etc. For me it's basically Linux and from time to time Windows. The two solutions I found where BestCrypt which is commercial (at least for Windows) and dm_crypt/FreeOTFE which is free and has much more features.

I ended up using dm_crypt/FreeOTFE.

dm_crypt is the Linux part of the crypto solution and is in part of Linux Kernel since 2.6.4. With cryptsetup its super simple to setup. You can setup a partition or a file based crypto device. The device then can be formated with whatever filesystem you want. Of course you need one which is readable by Windows (e.g. vfat/fat32).

FreeOTFE is the Windows counterpart of dm_crypt and can mount whatever you created with dm_crypt. I guess multi-disk volumes don't work but I haven't tryed it. When mounting a filesystem use mount Linux... otherwise it doesn't work :)

For the external USB disk I have two partitions, one small partition which is not encrypted - this holds the Windows drivers (FreeOTFE), the second partition is the crypto filesystem. With this you can also take your disk to a friend without downloading drivers and stuff from the net. All in all a nice solution.

Wednesday, April 13 2005

MobileBugtraq

MobileBugtraq is a new bugtracking maillinglist dedicated to mobile device technology. The list is super new, so not many posts by now. I actually only saw two sofar and I couldn't find an archieve.

Anyway everybody who is into mobile and security (like myself) should check it out.

Monday, April 04 2005

Seizure tools

while doing some web research on PDA/phone security I found this company Paraben which sells special seizure equipment for PDAs and phones. They really sell a lot of crazy stuff. I especially like the StrongHold Tent (the image on the left).









Monday, December 27 2004

BluePrinting

today (at/for 21C3) Martin and I released our Bluetooth fingerprinting tool BluePrint.

It is a really nice and simple Perl script and just reads the output of sdptool (BlueZ). Please also check the Bluetooth Device Security Database.

Sunday, November 28 2004

Buffer Overflow

I just started learning how to write exploits utilizing buffer overflows. It is a real fun thing to do and the best part of all: it is a part of a homework for university :-) Now I know why many people write exploits it is a nice way to get around a rainy weekend day.