Conferences
toorcon san diego Aug 28th - Sep 3rd. Dig Deep into FlexiSpy for Android by Kai Lu (@k3vinlusec).
HITB Singapore August 21-25. The Original Elevat0r - History of a Private Jailbreak by Stefan Esser. The Nightmare of Fragmentation: A Case Study of 200+ Vulnerabilities in Android Phones by BAI GUANGDONG and ZHANG QING.
Tencent Security Conference, August 30-31. Pointer Authentication by Robert James Turner. Finding iOS vulnerabilities in an easy way by Tiefel Wang and Hao Xu. Bare-metal program tracing on ARM by Ralf-Philipp Weinmann.
44con 13-15 September London, UK. Inside Android's SafetyNet Attestation: What it can and can't do, lessons learned from a large scale deployment by Collin Mulliner.
BalCCon2k17 Novi Sad, Vojvodina, Serbia. September 15-17. Mobile phone surveillance with BladeRF by Nikola Rasovic.
T2 October 26-27 Helsinki, Finland. Breaking Tizen by Amihai Neiderman.
DeepSec Vienna 13-17 November. Normal permissions in Android: An Audiovisual Deception by Constantinos Patsakis. How secure are your VoLTE and VoWiFi calls? by Sreepriya Chalakkal.
Quick Conference Review
It was good to see everybody in Vegas, and even better to meet new people, especially some folks I had wanted to meet for a long time. I had a good time at WOOT; meeting old friends was especially good. Maybe it helped that it was in the CanSecWest hotel. I link a few relevant papers below.
Stefan Esser is running a Kickstarter for an iOS Kernel Exploitation Training Course. The goal is to develop a freely available online iOS kernel exploitation training course based on iOS 9.3.5 on 32-bit devices. If you are into iOS security you should support Stefan's project!
Ralf is on point as usual:
Exhibit A) Our communities are tribalized: https://t.co/e1uATFviYT (JTAG on iPhone 4S BB + exploitation of baseband vulns from SIM, in 2014)
— Ralf (RPW) (@esizkur) August 19, 2017
Pictures of the month:
Burner kiddies at defcon be like: pic.twitter.com/3QyPTuJwFg
— the grugq (@thegrugq) July 22, 2017
Some Chinese USB adapters have a hidden SIM that will send a text message with GPS coordinates to track an unknowing victim… https://t.co/PK5bpkaBmv
— Dimitri Bouniol (@dimitribouniol) August 9, 2017
This Chinese bugging device disguised as a USB charging adapter is far too advanced.
Open the lid on top of the charger and, surprisingly, there is a SIM slot.
With a SIM card inserted, send an SMS to that SIM card's phone number and the device calls back; answer the call and you can listen in.
Of course it also has GPS. pic.twitter.com/aMEF8sBdiL
— 若ちゃん (@wk_tyn) August 8, 2017
😂 accident happens #htc #privacy #security #Android pic.twitter.com/AJRAJRO1xK
— nixCraft (@nixcraft) July 19, 2017
Links
BootStomp: On the Security of Bootloaders in Mobile Devices (paper)
Fixes in iOS 10.3.3
Reviewing the Security of ASoC Drivers in Android Kernel
Hacking Cell Phone Embedded Systems
Intercept, modify, repeat and attack Android's Binder transactions using Burp Suite
Seccomp filter in Android O
This source code was obtained by reversing a sample of SLocker. It's not the original source code.
Trust Issues: Exploiting TrustZone TEEs
Universal Android SSL Pinning bypass with Frida
USING AN RTL-SDR AS A SIMPLE IMSI CATCHER
BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS
Surveillance: German police ready to hack WhatsApp messages
Google May Have Just Uncovered An Israeli Surveillance Start-Up Spying On Androids
Gas Pump Skimmer Sends Card Data Via Text
Defeating Samsung KNOX with zero privilege (slides)
Path of Least Resistance: Cellular Baseband to Application Processor Escalation on Mediatek Devices
Port(al) to the iOS Core
New Adventures in Spying 3G & 4G Users: Locate, Track, Monitor
Ghost Telephonist Link Hijack Exploitations in 4G
OnePlus 2 Lack of SBL1 Validation Broken Secure Boot
iOS 10.3.2 XPC Userland Jailbreak Exploit Tutorial - CVE-2017-7047 by Ian Beer (Video)
Samsung: Trustonic t-base TEE does not perform revocation of trustlets
A (hopefully) generic unpacker for packed Android apps
The original elevat0r jailbreak exploit explained
Tinker is a hot-fix solution library for Android; it supports dex, library and resource updates without reinstalling the apk.
Shattered Trust: When Replacement Smartphone Components Attack (paper)
Patch iOS Apps, The Easy Way, Without Jailbreak
Android Banking Trojan misuses accessibility services
Get details and download apps from https://play.google.com by emulating an Android (Nexus 5X) device by default.
vTZ: Virtualizing ARM TrustZone (paper)
objection - runtime mobile exploration
Xposed for Nougat & abforce Submodule Explained, and Why It's Worth Waiting for rovo89's Full Release
A Linux kernel IPC firewall and logger for Android and Binder
White-Stingray: Evaluating IMSI Catchers Detection Applications (paper)
BootStomp: a bootloader vulnerability finder
iOS 11 has a 'cop button' to temporarily disable Touch ID
Simple tool to dynamically discover hidden fastboot OEM commands based on static knowledge
Blue Pill for your Phone
Android Instant Apps: Best practices for managing download size (who has played with instant apps yet?)
Decrypt the iOS SEP
How much does your phone know about you?
Identifying and Evading Android Protections
Breaking Mobile App Protection Mechanisms
Isolation of HALs in Android O
ANTIVIRUS FOR ANDROID HAS A LONG, LONG WAY TO GO
PoC CVE-2016-3935
PoC CVE-2016-6738
Fake Snapchat in Google Play Store
Next-generation Dex Compiler Now in Preview
Detecting Android Root Exploits by Learning from Root Providers (paper)
Downgrade Attack on TrustZone (paper)
Testing Biometric Authentication
shadow v2 public release
Android O security changes
Magisk Documentations
SonicSpy: Over a thousand spyware apps discovered, some in Google Play
SMS touch sends customer information and SMS messages over a cleartext network
ZIMPERIUM blog post that describes how the Zero Packet Inspection (ZPI) approach is trained
Using Hover to Compromise the Confidentiality of User Input on Android (paper)
Various Scripts for Mobile Pen-testing with Frida
circuit board (PCB) schematics for 30-pin iPod serial debugging
SS7 Attacker Heaven turns into Riot: How to make Nation-State and Intelligence Attackers' lives much harder on mobile networks (slides)