Monday, July 09 2007
I'm back from SyScan (and Singapore). It was a lot of fun and I met many interesting
people. It was a really good time.
The slides for my talk are available here.
Tuesday, May 22 2007
In early July I am giving my PocketPC MMS talk at
SyScan in Singapore. Looking at the speakers list you will find another trifinite member and many guys from Germany :-)
This will be my first time to Asia and I'm really looking forward to it!
Wednesday, January 10 2007
See the story in the F-Secure Labs blog here.
Very cool to have your own VirusScanner signature (without writing a virus) ;-)
Saturday, January 06 2007
Here is a quick and easy way to protect yourself against NotiFlood (my MMS notification attack against PocketPC-based mobile phones, see my PocketPC Security Research).
As I explained, the PushRouter
is the application that listens on port 2948; it basically gets all WAP push messages and routes them to the destination application.
If the PushRouter doesn't know which destination application to use, it discards the WAP push message. So in order to
protect ourselves against a NotiFlood attack we simply need to remove the MMS mime type from the PushRouter configuration. After this,
the PushRouter will not be able to forward any WAP push messages to tmail.exe (the MMS application).
The PushRouter configuration for MMS is stored in the WinCE registry at:
\HKEY_LOCAL_MACHINE\Security\PushRouter\Registrations\ByCTAndAppId\application/vnd.wap.mms-message;
The only value in this registry key is DEFAULT; for me it is set to 80FBE375B731C701.
Now we have a couple of options: delete the complete key, delete the value, or modify the value. I for my part
just modified the value (so I can easily switch MMS back on). I basically just added an underline (_) to the key value.
Now, since the value of the key is wrong, the PushRouter can no longer forward the MMS message to tmail.exe.
Note also that these settings are from my iPAQ PocketPC 4.2; they should be the same on all 4.2x devices.
WARNING:
This modification disables receiving MMS altogether! Don't do it if you still want to receive MMS messages.
Since there is no regedit on PocketPC you need to get a third party application. I used PHM RegEdit.
That is it! You're secure now ;-)
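The routing decision described above, as an added example (a simplified Python model, not PushRouter code and not part of the original post). It assumes the connectionless WSP Push layout and the well-known content-type code 0x3E for MMS from the WAP specifications, and models the registry registrations as a plain dictionary; the sample datagrams are constructed.

```python
# Added example: simplified model of content-type routing, not PushRouter code.
MMS_CT = "application/vnd.wap.mms-message"
WELL_KNOWN_CT = {0x3E: MMS_CT}  # WSP well-known content-type code (WAP spec)
WSP_PUSH = 0x06                 # WSP PDU type "Push"

def read_uintvar(buf, pos):
    """Decode a WSP uintvar (7 bits per octet, high bit means 'continue')."""
    value = 0
    for _ in range(5):
        octet = buf[pos]
        pos += 1
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            return value, pos
    raise ValueError("uintvar too long")

def push_content_type(datagram):
    """Return the content type of a WSP Push datagram, or None if unparsable."""
    try:
        if datagram[1] != WSP_PUSH:            # datagram[0] is the transaction id
            return None
        hdr_len, pos = read_uintvar(datagram, 2)
        headers = datagram[pos:pos + hdr_len]
        if hdr_len == 0 or len(headers) != hdr_len:
            return None                        # truncated or empty header block
        first = headers[0]
        if first & 0x80:                       # short-integer form: well-known code
            return WELL_KNOWN_CT.get(first & 0x7F, "code-0x%02x" % (first & 0x7F))
        if first >= 0x20:                      # text form, NUL-terminated string
            return headers[:headers.index(0)].decode("ascii").lower()
        return None                            # general form: not handled here
    except (IndexError, ValueError):
        return None

def route(datagram, registrations):
    """Return the registered destination, or None when the push is discarded."""
    ctype = push_content_type(datagram)
    return registrations.get(ctype) if ctype else None

# Constructed samples; 0x8c 0x82 is an MMS body start (type m-notification-ind).
MMS_BINARY = bytes([0x01, WSP_PUSH, 0x01, 0xBE]) + b"\x8c\x82"
MMS_TEXT = bytes([0x02, WSP_PUSH, len(MMS_CT) + 1]) + MMS_CT.encode() + b"\x00\x8c\x82"
OTHER = bytes([0x03, WSP_PUSH, 0x01, 0xAE])    # some other well-known type

BEFORE = {MMS_CT: "tmail.exe"}  # MMS mime type registered
AFTER = {}                      # MMS mime type removed from the configuration

if __name__ == "__main__":
    for name, reg in (("before", BEFORE), ("after", AFTER)):
        print(name, [route(d, reg) for d in (MMS_BINARY, MMS_TEXT, OTHER)])
```

With the registration present both MMS datagrams resolve to tmail.exe; with it removed every datagram is discarded, which is the effect the registry change relies on.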
Thursday, January 04 2007
Friday, December 29 2006
...get the proof-of-concept exploit here.
I also updated the slides but just cosmetics.
Have fun and be responsible!
Tuesday, August 15 2006
I posted some action shots of the PocketPC MMS / SMIL exploit on
my PocketPC Security Research page. The screen
shots are somewhat older (I think this might even be from the first day
I got this to work). Anyway I just didn't want to keep these from you
guys. Btw. as far as I remember I took the pictures with the camera of
the i-mate PDA2k, my only other test device next to the iPAQ h6315.
Wednesday, August 09 2006
So I'm really wondering if all PocketPC-based phones are affected by the
vulnerabilities I found and presented at defcon. Since I released
a proof-of-concept tool for the M-Notification.ind/WapPush/UDP denial-of-service
attack I would like to get some feedback from people who tested their device.
I would especially like people to test WinCE5.0 devices.
So if you have tested any device besides the iPAQ h6315 or the i-mate PDA2k
please send me an email at: collin[at]trifinite.org
All the info is here: My PocketPC Security Research site
Friday, November 18 2005
So I finally got around to looking for some decent podcasting software
for PocketPC (for my h6315). Until now I just downloaded the stuff by hand
and transferred it to an SD or MMC card; this was pretty annoying. Even
if you have an automated download this sucks. The software I use now is
smartfeed (free!).
It's pretty simple: just select the feeds you want, choose the download
directory (e.g. /Storage Card/ to use the SD card) and you're done.
It nicely downloads the feeds and you can use whatever player you want.
I really like it this way, I just need to have a wireless connection
and I'm good to go. I guess I will listen to more stuff than before,
since it's so easy now. Any show suggestions?
Saturday, July 30 2005
The slides from my talk on PocketPC exploits at What The Hack! can be
downloaded from my PocketPC section.
Wednesday, April 06 2005
...it really helps. I have much better reception (more bars) and the battery seems to live longer (could be due to the
fact that the device is not constantly trying to connect to a cell tower). Now a general OS upgrade would be nice,
I know it's unlikely to become true.
Also the Linux port seems to make some progress, this would be the better solution anyway.
Friday, April 01 2005
Just got an SMS from T-Mobile which told me to get my update.
Get it TMO_SP29764_1_10_08.exe
I hope it's not a very bad April joke :-)
Wednesday, December 15 2004
I just played with my h6315's
registry (using PHM Registry Editor) and found this
MinorClass key (in \HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BtConfig\General) which lets you (only!) change the MinorDeviceClass of your
iPAQ. Now I have to find out how to change the MajorClass and the ServiceClass to build something like
BtClass. I tried to add several keys like MajorClass or ServiceClass but none worked.
I will keep on working on this.