Tuesday, September 19 2017
Conferences
ekoparty Sep 27-29, Buenos Aires.
Blue Pill for your phone by Oleksandr Bazhaniuk.
Unbox Your Phone - Exploring and Breaking Samsung's TrustZone Sandboxes by Daniel Komaromy.
Inside Android's SafetyNet Attestation: Attack and Defense by Collin Mulliner.
How to cook Cisco: Exploit Development for Cisco IOS by George Nosenko.
Bypass Android Hack by Marcelo Romero.
Virus Bulletin 4-6 Oct, Madrid Span.
Last-minute paper: Publishing our malware stats by Jason Woloz (Google) [This is about Android Malware].
Android reverse engineering tools: not the usual suspects by Axelle Apvrille.
Some comments on BlueBorne: I've been involved with Bluetooth security
since like forever (not active in the last 10+ years). The early Bluetooth vulnerabilities were mostly logic
bugs and issues such as missing authentication. Bluetooth devices could not be set to hidden and would always show
up when scanning for devices. Stuff like that. BlueBorne is different as it is a remote exploitable memory
corruption vulnerability in Linux, Android, and Windows. This is quite a novelty since we haven't seen a bug
that is more ore less the same on two platforms. Even more interesting is that this bug is pre-authentication and
gives you kernel privileges (code exec in the kernel).
In theory this set of vulnerabilities can be bad, bad. In practice the issue is much less of an issue.
Exploit mitigations and built variances help mitigating the risk.
Devices are not always visible therefore the attacker cannot easily find your device and attack it.
Also see: Hackers Could Silently Hack Your Cellphone And Computers Over Bluetooth.
FaceID: I think it is a really horrible idea! Do not put biometric systems in to consumer products ever! I will not buy products with mandatory biometrics
so far iOS allows me to turn it off and use a passphrase - thats why I even consider buying iOS devices. I hate this change -- biometrics are bad.
Pics:
I agree ^^^
Links
Tuesday, August 22 2017
Conferences
toorcon san diego Aug 28th - Sep 3rd.
Dig Deep into FlexiSpy for Android by Kai Lu(@k3vinlusec).
HITB Singapore August 21-25.
The Original Elevat0r - History of a Private Jailbreak by Stefan Esser.
The Nightmare of Fragmentation: A Case Study of 200+ Vulnerabilities in Android Phones by BAI GUANGDONG and ZHANG QING.
Tencent Security Conference, August 30-31.
Pointer Authentication by Robert James Turner.
Finding iOS vulnerabilities in an easy way by Tiefel Wang and Hao Xu.
Bare-metal program tracing on ARM by Ralf-Philipp Weinmann.
44con 13-15 September London, UK.
Inside Android's SafetyNet Attestation: What it can and can't do lessons learned from a large scale deployment by Collin Mulliner.
BalCCon2k17 Novi Sad, Vojvodina, Serbia. September 15-17.
Mobile phone surveillance with BladeRF by Nikola Rasovic.
T2 October 26-27 Helsinki, Finland.
Breaking Tizen by Amihai Neiderman.
DeepSec Vienna 13-17 November.
Normal permissions in Android: An Audiovisual Deception by Constantinos Patsakis.
How secure are your VoLTE and VoWiFi calls? by Sreepriya Chalakkal.
Quick Conference Review
It was good to see everybody in Vegas, even better meeting new people. Especially some folks I wanted to meet
for a long time. I had a good time at WOOT, meeting old friends was especially good. Maybe it helped that it
was in the CanSecWest hotel. I link a few relevant papers below.
Stefan Esser is running a kickstarter for an iOS Kernel Exploitation Training Course for Development of a freely available online iOS kernel exploitation training course based on iOS 9.3.5 on 32 bit devices. If you are into iOS security you should support Stefan's project!
Ralf is on point as usual:
Pictures of the month:
Links
BootStomp: On the Security of Bootloaders in Mobile Devices (paper)
Fixes in iOS 10.3.3
Reviewing the Security of ASoC Drivers in Android Kernel
Hacking Cell Phone Embedded Systems
Intercept, modify, repeat and attack Android's Binder transactions using Burp Suite
Seccomp filter in Android O
This source code was obtained by reversing a sample of SLocker. It's not the original source code
Trust Issues: Exploiting TrustZone TEEs
Universal Android SSL Pinning bypass with Frida
USING AN RTL-SDR AS A SIMPLE IMSI CATCHER
BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS
Surveillance: German police ready to hack WhatsApp messages
Google May Have Just Uncovered An Israeli Surveillance Start-Up Spying On Androids
Gas Pump Skimmer Sends Card Data Via Text
Defeating Samsung KNOX with zero privilege (slides)
Path of Least Resistance: Cellular Baseband to Application Processor Escalation on Mediatek Devices
Port(al) to the iOS Core
New Adventures in Spying 3G & 4G Users: Locate, Track, Monitor
Ghost Telephonist Link Hijack Exploitations in 4G
OnePlus 2 Lack of SBL1 Validation Broken Secure Boot
iOS 10.3.2 XPC Userland Jailbreak Exploit Tutorial - CVE-2017-7047 by Ian Beer (Video)
Samsung: Trustonic t-base TEE does not perform revocation of trustlets
A (hopefully) generic unpacker for packed Android apps
The original elevat0r jailbreak exploit explained
Tinker is a hot-fix solution library for Android, it supports dex, library and resources update without reinstall apk.
Shattered Trust: When Replacement Smartphone Components Attack (paper)
Patch iOS Apps, The Easy Way, Without Jailbreak
Android Banking Trojan misuses accessibility services
Get details and download apps from https://play.google.com by emulating an Android (Nexus 5X) device by default.
vTZ: Virtualizing ARM TrustZone (paper)
objection - runtime mobile exploration
Xposed for Nougat & abforce Submodule Explained, and Why It's Worth Waiting for rovo89's Full Release
A Linux kernel IPC firewall and logger for Android and Binder
White-Stingray: Evaluating IMSI Catchers Detection Applications (paper)
BootStomp: a bootloader vulnerability finder
iOS 11 has a 'cop button' to temporarily disable Touch ID
Simple tool to dynamically discover hidden fastboot OEM commands based on static knowledge
Blue Pill for your Phone
Android Instant Apps: Best practices for managing download size (who has played with instant apps yet?)
Decrypt the iOS SEP
How much does your phone know about you?
Identifying and Evading Android Protections
Breaking Mobile App Protection Mechanisms
Isolation of HALs in Android O
ANTIVIRUS FOR ANDROID HAS A LONG, LONG WAY TO GO
PoC CVE-2016-3935
PoC CVE-2016-6738
Fake Snapchat in Google Play Store
Next-generation Dex Compiler Now in Preview
Detecting Android Root Exploits by Learning from Root Providers (paper)
Downgrade Attack on TrustZone (paper)
Testing Biometric Authentication
shadow v2 public release
Android O security changes
Magisk Documentations
SonicSpy: Over a thousand spyware apps discovered, some in Google Play
SMS touch sends customer information and SMS messages over a cleartext network
ZIMPERIUM blog post that describes how the Zero Packet Inspection (ZPI) approach is trained
Using Hover to Compromise the Confidentiality of User Input
on Android (paper)
Various Scripts for Mobile Pen-testing with Frida
circuit board (PCB) schematics for 30-pin iPod serial debugging
SS7 Attacker Heaven turns into Riot: How to make Nation-State and Intelligence Attackers' lives much harder on mobile networks (slides)
Saturday, August 05 2017
This blog post is to provide some more details about my idea that was mentioned on Risky Business #463 by Haroon Meer.
What are Canary Tokens (from Thinkst).
You'll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests.
Imagine doing that, but for file reads, database queries, process executions, patterns in log files, Bitcoin transactions or even Linkedin Profile views. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.
...
Canary tokens are a free, quick, painless way to help defenders discover they've been breached (by having attackers announce themselves.)
The idea: Embed Canary Tokens into binaries (or application data) to help identify reverse engineering of your software.
Every reverse engineer looks for unique information (often just strings) in the target binary to help understand it. The strings are thrown into Google (or other search engines) with the hope to get additional information. The returned information can be extremely helpful to determine what the software is, what other code is linked in, what versions, etc. Everybody who reverse engineers stuff does this! I personally don't reverse engineer for a living so I asked around to confirm that professionals actually do this (I already knew the answer anyway!).
The plan:
- Embed unique looking strings into the binary
- Stand-up web page that contains the string, log access to that page (alert on access)
- Make Google crawl that page (various tools for that)
- Ship software
This is pretty straight forward, right? But do you care about somebody who just ran strings on your binary?
Likely not! So what's next?
Many applications protect their code and other assets that come with it through different kinds of methods (called obfuscation techniques for this article - even not all of it will be actual obfuscation).
The next step for the RE-canaries is to generate canaries and embed them into each obfuscation layer.
If someone accesses a more obfuscated canary you know that a certain level of effort was put into reversing your app.
This part is really where the creativity of the RE-canary deployment comes into play. This will be highly depended on the
specific software, on the protection mechanisms used, the language and framework that app is written in and so on.
Mobile apps (I'm a mobile app guy, yeah!) contain API endpoints and URLs and maybe some hardcoded credentials (tokens of course). The URLs have the advantage that you wouldn't need to put up a website. You just make them accessible and add logging and alerting.
The final part of this is automation. You want to automate canary creation and embedding into your built process, so that you can generate unique canaries with each built or major release or whatever fits your software.
In the end it will likely happen that advanced REs are going to use an anonymization service such as TOR when searching for strings or trying out URLs (specifically for URLs!).
In this case at least you will know that someone is looking at your
stuff and passed a certain skill/time/effort threshold, which I guess in most cases is enough information.
That's it! This idea was inspired heavily by Haroon Meer's Canarytokens a great free service that I use once in awhile!
Comments and feedback is welcome via the usual channels.
Thursday, July 13 2017
Conferences
Black Hat USA Las Vegas, July 26-27.
ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson.
NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park.
SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois.
FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven.
GHOST TELEPHONIST LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng.
HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich.
DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen.
BLUE PILL FOR YOUR PHONE by Oleksandr Bazhaniuk, Yuriy Bulygin.
CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio.
Defcon Las Vegas.
Jailbreaking Apple Watch by Max Bazaliy.
Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks by CINCVolFLT (Trey Forgety).
macOS/iOS Kernel Debugging and Heap Feng Shui by Min(Spark) Zheng & Xiangyu Liu.
Using GPS Spoofing to Control Time by David "Karit" Robinson.
Phone System Testing and Other Fun Tricks by "Snide" Owen.
Unboxing Android: Everything You Wanted To Know About Android Packers by Avi Bashan & Slava Makkaveev.
Ghost in the Droid: Possessing Android Applications with ParaSpectre by chaosdata.
Ghost Telephonist' Impersonates You Through LTE CSFB by Yuwei Zheng & Lin Huang.
Bypassing Android Password Manager Apps Without Root by Stephan Huber & Siegfried Rasthofer.
Man in the NFC by Haoqi Shan & Jian Yuan.
USENIX Workshop on Offensive Technologies (WOOT) Vancouver Canada, 14-15 August.
Shattered Trust: When Replacement Smartphone Components Attack by Omer Shwartz, Amir Cohen, Asaf Shabtai, and Yossi Oren.
White-Stingray: Evaluating IMSI Catchers Detection Applications by Shinjo Park and Altaf Shaik, Ravishankar Borgaonkar, Andrew Marti, Jean-Pierre Seifert.
fastboot oem vuln by Roee Hay.
Black Hat and Defcon have a really good number of mobile related talks this year.
It was a busy month and July will be even busier. I'll be at GSMA DSG, Black Hat and Defcon July and Usenix WOOT in mid August
Picture of month:
There is a lot happening in the Android boot loader world at the moment. I guess this is what happens when the devices get more and more locked down - people go after the root of trust.
Links:
Tuesday, June 06 2017
Conferences
Black Hat USA July 26-27 Las Vegas.
'GHOST TELEPHONIST' LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng.
ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson.
BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS by Nitay Artenstein.
CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio.
DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen.
FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven.
HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich.
NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR
by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park.
SONIC GUN TO SMART DEVICES: YOUR DEVICES LOSE CONTROL UNDER ULTRASOUND/SOUND
by Aimin Pan, Bo Yang, Shangyuan LI, Wang Kang, Zhengbo Wang.
SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois.
THE FUTURE OF APPLEPWN - HOW TO SAVE YOUR MONEY by Timur Yunusov.
(Black Hat has a very strong mobile security line up this year.)
Defcon July 27-30 Las Vegas.
Man in the NFC by Haoqi Shan & Jian Yuan.
(speaker selection not final)
MOSEC June, Shanghai added a bunch of talks (all mobile security related, obviously).
Recon June 16-18 Montreal, Canada.
FreeCalypso: a fully liberated GSM baseband by Mychaela Falconia.
Hacking Cell Phone Embedded Systems by Keegan Ryan.
This took a long time again. It gets harder and harder do to this since this stuff is not directly what I do on
a day to day basis currently.
The Qualcomm Mobile Security summit was excellent again! Fantastic talks and again I met a bunch of people I mostly knew from email and/or twitter or haven't seen in quite some time. This conference still is unparalleled!
I had a minute to play with the BlackBerry KeyOne and it feels like a super solid device. The screen is bigger then I thought it would be and this makes the device almost too big for my taste - but this is hard to say from playing with it for just a minute.
So iOS will finally support NDEF tags.
This talk is really interesting for anybody interested in mobile application security. This is not about mobile app reverse engineering but about app, backend, phone infrastructure interaction.
Pictures of the month:
Links
Wednesday, May 10 2017
In November 2016 I wrote a post about the iOS WebView Auto Dialer bug
specifically in the iOS Twitter and the iOS LinkedIn apps. Last weekend I finally had the time to retest those apps to see if the bug was fixed. Retests in December and January showed the bug was still present (as far as I remember). Both apps are fixed now!
Playing around with this a bit more I discovered a new security warning on iOS. There now seems to be a detection for the case where a website
automatically tries to open a TEL URL. The dialog doesn't always appear but when it does you first have to click allow before being presented with the actual Call/Cancel dialog. Neat!
The conclusion seems to be that the bug was fixed and that they added a new detection and warning dialog. Good!
Tuesday, April 25 2017
Conferences
Black Hat USA July 22-27 Las Vegas.
BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS by Nitay Artenstein.
(Program not complete)
SyScan360 May 30-31 Seattle.
Exploit iOS 9.x Userland with LLDB JIT by Wei Wang.
The wounded android WIFI driver New attack surface in cfg80211 by Hao Chen.
MOSEC June, Shanghai. Revisiting the Kernel Security Enhancements in iOS 10 AND Pwning Apple Watch. (Program still not complete)
Recordings for the first OsmoCon are available here. OsmoCon is,
of course, a conference about the OsmoCom projects!
Android O news: will prompt for pin/passcode before enabling developer options, further
Android O changes device identifiers and how to access them.
If you are interested in mobile backing Trojans you should follow Lukas Stefanko:
Somebody released the source code of FlexiSpy (mobile phone spyware) to the public. The release notes are
here: readme.txt.
The download is here: FlexiSpyOmni.zip, collection of all data is here: Source code and binaries of FlexiSpy from the Flexidie dump and a writeup of the dump is here: FlexSpy Application Analysis. I bet we will see more details in the coming weeks!
Does Blackberry give out review samples for the KEYone? I would really like one and give it a try (would post full review here of course!).
All Nokia phones ever made.
Yo Ralf where the slides at?
Links