Tag Archives: hacking

A new iOS 6.1 hack

As seen on The Hacker News, there is currently a way to bypass the lock screen of an iPhone (iPad with SIM too?) running iOS 6.1.x.

I had to change the steps listed in “The Hacker News” slightly for it to work:
- Go to emergency call, push down the power button and tap cancel.
- Dial 112 and tap green and immediately red.
- Go to lock screen, by pressing the power button.
- Go to passcode screen, by pressing the home button.
- Keep pushing down the power button …1…2…3…seconds and before showing the slider “turn off”…tap the emergency call button and …voilà!
- Then without releasing the power button press the home button and let go…

From there you gain full access to the phone application and can change/add/delete contacts, as well as use the phone to make phone calls, but you cannot stop a call you started with that technique.


SANS 575: Mobile Device Ethical Hacking Review

In the last two years I have been to a few SANS training courses:

508: Advanced Forensic
617: Wireless Ethical Hacking
660: Advanced PenTest

Last week I attended the SANS 575: Mobile Ethical Hacking course. It is a nice complement to the 617 Wireless course and although there are some overlaps, especially around WIFI vector attacks, most of the content is different; and when it is not, you get another perspective on those attacks.

The course gave an overview of the different architectures surrounding the Android, iOS, Blackberry and Windows Mobile phones, how system and app updates are handled, how certificates are managed, and attack techniques against mobile app communications as well as against the app code itself by leveraging jailbreaking.
As with most SANS courses your day is not limited to a 9 to 5 schedule and if you want to make the most of it you will end up attending after class presentations or the Netwars hacking contest during the last 2 evenings. Although this means you are most likely to finish your day at around 10pm, you also end up learning a lot more than what is just taught in your course.
Finally, on the last day there is a Capture The Flag event in your class where you compete against your fellow students in teams of 3 or 4. It is a great way to apply all that you learnt during the week. It is very similar to Netwars but tailored to the topics you have just been studying.

Below are my key takeaways from that course:
1. History keeps repeating itself.
I will go into more detail in a future post, but all the security issues we had when the Internet first appeared in the corporate world, and then with WIFI networks, are just repeating themselves with the use of mobile devices. Examples?
Mobile devices are more and more like computers, yet we tend to use only simple and short passwords to protect access to them, and there are no antivirus or firewalls on most platforms.
What drives mobile devices’ roadmaps is the user experience rather than its security.

2. Jailbreaking as a security tool
Jailbreaking a phone can be very useful, and sometimes the only way, to really understand what data an application is accessing and sending.

3. MDM alone is not enough
MDM is just one component of what a mobile device strategy should be. Reviewing the security of apps being developed internally, as well as the most commonly used 3rd party ones, should be core to that strategy. Failing to do so equates to having an open desktop policy where users can install any applications they want, with no firewall/anti-virus.

4. Apps manipulation through HTTP intercept
The majority of mobile device applications use HTTP as their communication transport protocol.
It often compromises the security model implemented with their counterpart desktop/web portal solutions.
Users often wrongly assume that an application is secure, because there are no visible signs as to how secure its communication is.
An example studied in class showed how easy it is to manipulate stock option prices from the built-in iOS Stocks app.

5. A 4-digit PIN on iOS is bad, very bad.
I was amazed at how little time it takes to crack an iPhone (up to iPhone 4) or iPad (up to iPad 2) protected by a 4-digit PIN.
In class we looked at how one needs just 15 minutes to take a locked iOS device, jailbreak it in memory, crack the PIN, dump all data and reboot the iDevice, and the owner would never know you have just stolen all their data.
Although this is not currently possible on iPhone 4s+ and iPad 3+, this could change if new jailbreaking methods are found.
You would also be amazed at how much potentially sensitive information is available in clear text, from WIFI to email passwords.

6. Certificate (mis) management
HTTPS certificates are currently very poorly managed on mobile devices, and if a user is subjected to an HTTPS Man in the Middle attack, the warning signs (if any!) could be at best confusing and at worst misleading! (i.e.: Hackers can pretend their certificate is from a valid and known CA).

7. Device Emulators, Developer Programs and Mobile lab
Device emulators, although not as good as the real handsets, are very useful for security assessments.
Being part of the major vendors' developer programs does not cost much money and gives you access to exclusive tools and upcoming beta versions.
Lastly, having some kind of mobile device lab is useful for your security assessments, and combining real handsets with emulators should be relatively cheap to set up whilst still giving you enough handset coverage.

What this course has highlighted is how immature the security around Mobile Devices is, and that securing mobile devices in a corporate environment does not stop with MDM.

A very good course I would recommend to anyone involved with Mobile Device security, this will be an eye opener!

An interesting timeline representation of the CloudFlare’s hack

CloudFlare is an interesting young company, a few years old, as introduced in this Bloomberg article. Although it is tempting to just describe it as being similar to Akamai because it provides web acceleration and DoS protection through the use of a Content Delivery Network (CDN), it is also different. As explained by its founder, Matthew Prince, it can understand, analyse and protect all requests to a website, not just a subset. It also has a different pricing model, starting with a free offering and generally being much less expensive than the competition even with its pro/business/enterprise options.

In a nutshell, CloudFlare appears to be a service that can help optimise and protect any website for little or no money.

What actually prompted me to look into that company is a recent hacking incident they were the victim of, one that saw its founder’s Gmail account compromised through a Google password recovery bypass, using a flawed AT&T voicemail redirection. This was used to leverage a flaw in the two-factor authentication of Gmail Enterprise accounts, which resulted in the compromise of one of CloudFlare's customer accounts. Although the hacker had a bit of luck, as the attack needed the phone call that resets the Google Mail account password to go to Matthew’s voicemail, it was a fairly sophisticated attack.

But what impressed me the most, and the reason why I see CloudFlare in a very positive light even after this successful hack, is how this company responded and how it disclosed the details of the attack. I really think the timeline as shown below (taken from the CloudFlare website) is a very effective way of representing an attack, its reasons of success and the countermeasures taken. You can read more details about this attack on the company’s blog.


Smile, you are being recorded!

The BBC has recently run an article about a hacker who has published details on how to hack a certain type of webcam. This story is interesting for several reasons.

First, it further highlights how fragile our privacy has become now that we live in a digital world with details of our lives being kept on the internet: personal blogs, Twitter feeds, Facebook or Government/Health records, etc. All this data is available online if you have the right access to the system it is held on. But it is not just still photos or lines of text, it can also be live pictures through personal webcams or state surveillance cameras. Again, that data is available if you have the right credentials.

In this case, hundreds of Trendnet webcam users thought (or still think) their live video feed was protected through the use of a userid and password, but a bug in its firmware allows anyone to access it by adding a simple “/anony/mjpg.cgi” at the end of the webcam IP address. If you think about the number of devices around you that have a built-in camera, from computer screens to mobile phones, it is a scary thought if they were to be compromised in such a manner. A quick google around will report many different ways to remotely access those cameras, and although they require user intervention, meaning the outcome is what is intended or the “victim” is a willing participant, couldn’t a worm be created to exploit those video streams and invade many people’s privacy?

Secondly, it shows how long it can take before such a story makes the headlines. It took a month from the vulnerability being exposed for most security websites to write about it. It means many Trendnet users had their privacy exposed for a long period of time!

Finally, Shodan. It is a website referenced in the original hacking article as a way to quickly identify vulnerable webcams out there (and many other things). I must admit I overlooked that website when I first heard of it on the Register over a year ago. It seems like a great resource but I am not sure if it serves Good or Evil.

It is maybe time to put that sticky tape on your built-in webcam when not using it :)

Koobface, The dangerous game of naming and shaming

There has been wide coverage of the naming and shaming of the supposed perpetrators behind the Koobface botnet that has affected Facebook and other social sites for a few years.

The gang leader was first named on Dancho Danchev’s blog, then Facebook’s security team threatened to, and did, reveal the gang’s real identity, the New York Times even ran an article on it, and finally Sophos published another in-depth look at how they also discovered their identity. In between, many other sites jumped in to share that information.

I am slightly uncomfortable with this approach.

It appears to have worked in this instance, as the botnet's Command & Control centre has been turned off, and it also appears they named the right persons; but what if all those blogs/researchers had made a mistake!? It would have been nothing more than a smear campaign that could have affected the lives of some innocent internet users.

This tactic is used by the police in some countries, so they can catch “real” criminals on the run. They name and shame, appealing for help from the public and thus making it more difficult for them to carry on with their illegal activities.
By “real” I mean criminals in the traditional sense of the term, who have broken the law physically as opposed to virtually. But as our lives become more and more entangled with the virtual world, criminal activities “there” can and do have an impact “here”.

Where I think there is a difference is that the police conduct a thorough investigation before naming and shaming; more importantly, they follow an established, documented and legally sound process to conduct such an investigation. Although those security researchers are experts in their own right (pun intended), it is a dangerous game to become a vigilante…

To conclude, I am not fundamentally against this practice but I am concerned it could spiral out of control. It also highlights how difficult it is to get hackers to stop their activities, as this is some kind of last-resort solution.

My take on SANS 660, The HexFactor and Netwars

I have just attended the SANS 660 course in London. It is one of the most advanced courses SANS has to offer and it did not disappoint!

Its bootcamp format means you will start your day at 9am and finish it at 7pm! The last two hours are called a “bootcamp”: basically 2 hours of exercises linked to the content of the day that really help in understanding the different techniques that were discussed.

Speaking about content, although they state that previous programming experience is “recommended”, it is not, it is mandatory!

And for the last 2 days you really need some understanding of x86 assembly to get a chance to follow the fast pace. I have to admit that the last day I was lost after lunch!

But what do you get if you buckle up and go on the ride? You get an incredible amount of information, as it goes into a great level of detail on how to identify and write your own exploits. But it also allows you to get a better appreciation of what to look for when reviewing the security of a network, an application, a website or a system. This is not just a “hacking” course, and the “ethical” at the end of the full course name is there for a reason.

The lecturer, Stephen Sims, is quite inspiring. Of all the lecturers I have met in the different courses I have taken those last 15 years, he is probably the one who knew his subject the most! It is also great that he is always willing to help his students understand what they are doing wrong during exercises. And it is apparently not just computer hacking that he is good at, being a core member of a signed music band going by the name of a modern hard-disk.

The highlights of the course for me were:

  • The different techniques to attack a network with the consequences of badly, or shall I say commonly, configured routers;
  • Ways to get out of a locked down desktop;
  • What to do with a buffer overflow, how to locate/change/utilise those different address pointers and defeat canaries and use gadgets.

Although at the end it will feel like you need a larger brain and many more weeks to assimilate this new information, you will also get a sense that you have only barely touched the surface of all those techniques…

Then of course, after each of those hard days working you can relax at the next door pub… and if you didn’t have enough, this is where you can take part in a hacking challenge, the Hex Factor challenge. It is basically a “capture the flag” contest where you set up a team, or go at it solo, and are faced with a number of different challenges:

  • 2 quizzes
  • 3 hacking challenges (i.e.: breaking into a network, a server, etc)
  • 3 reverse engineering challenges (i.e.: bypassing a password in an executable)
  • 3 forensic challenges (i.e.: recovering data hidden somewhere)

This is really a great environment, not only to meet like-minded people (although some may say it is a bad thing! ;), but also to actually practise your newly acquired skills. It is also good that each of those challenges has different levels, allowing anyone to participate, from the manager to the engineer! This event takes place in a number of conferences and is organised by volunteers. So I’d like to congratulate everyone who was involved in making it such an entertaining event!

Finally, this year there was the Netwars challenge. It has a similar format to the HexFactor one and ran for 2 days (after the HexFactor was finished). It is an individual hacking contest with increasingly difficult challenges. The fact you see the top 10 scores on a big screen live, the buzz of having a large room full of people hacking away, the organisers making sure everything is going smoothly and that everyone feels comfortable really made those 2 nights special.

To conclude I will say that, again, SANS did not disappoint. It was a top quality course part of a great conference with huge opportunities to network and practice your skills. So I can happily recommend for anyone to attend the 660 class, and also, if you really want to make the most of it you have to stay in a close by hotel, be ready not to sleep too much and embrace the geekiness around you :)

SANS, Stephen, Thank you very much!

Carrier IQ, an interesting story of deception or what we could call the Facebook syndrome

It all started with some findings published by Trevor Eckhart on his website a few weeks ago.

He found that a California-based company called Carrier IQ (CIQ) had developed software that was acting as a *key logger* and was installed by default on many different mobile devices: Android, Blackberry, Nokia Phones, iPhones (iOS 3.x to 5.x), and also tablets.

The important point here is that this software is intentionally installed/provided by the device manufacturers or network carriers. It is quite amazing how widespread the use of that spying software is (the BBC reported 140 Million devices). This is not limited to only one type of device or provider. What they collect might be different (apparently much less on iOS than Android), but it shows a systemic desire from companies who make and sell those devices to gather usage and user information.

This is what I would call, the Facebook syndrome!

The official stance from CIQ was that their software was only used for improving the “network experience” by providing some information back to carrier and phone manufacturer such as signal strength, network information, etc.
They explicitly stated that they “do not and cannot look at the contents of messages, photos, videos, etc., using this tool”.

This is not what you would expect from software that logs every key pressed on your device…

Again, it is important to note that by default their software is not hidden (there is a visible check-mark in the status bar) but this can be modified by 3rd parties. And it is being modified!

One example given by Trevor is Verizon in the US: although you can opt out, by default the phones they sell will record and transmit (?) the following personal user information: any URL accessed, including potential search queries, and the location of the device. This could be considered a significant invasion of personal privacy.

So how did CIQ react to Trevor’s post?
By sending him a Cease and Desist letter on the 16th of November!

They claimed Trevor was in copyright infringement (because of some of their publicly available training material having been referenced) and making false allegations.

As reported on The Register on the 24th of November, they eventually withdrew their legal threats thanks to the legal help of the EFF, who nicely summarize the case on their website, and also to a new post showing exactly what Trevor meant by calling CIQ software a “root kit” (I called it a “key logger” earlier, but root kit is more accurate and also has wider security implications).

Trevor’s second CIQ article goes into detail as to why CIQ software is indeed a root-kit, with a video showing the different steps required to reproduce his tests. It also describes how the data is collected even if you are off the network and, at least on an HTC phone, the data is not really anonymised.

Since then, another mobile phone hacker has published some findings about CIQ, this time confirming that Apple has included CIQ software in all its iOS versions from iOS3 to the latest iOS5. However, it seems that the information logged on Apple devices is much less than what is logged on Android devices: no URL nor SMS, and the location is only sent if you have allowed it to be. Furthermore, that information is not transmitted by default but only if the user manually chooses to send diagnostic information to Apple.

All this has generated an increasing level of noise and attention:

As pointed out in a ViaForensics article, it is not clear when and if the data CIQ logs on the phone is always transmitted or just remains on it. And if transmitted, to where? But if it is being transmitted, I have a little story for you…

A few years ago I went on holiday and decided to take an international data plan, I had an iPhone 3G at the time, and I did monitor my data consumption every day with the built-in iOS bandwidth statistics. I stopped using data on my phone when I reached 90% of my allowed and pre paid consumption.

I was therefore very surprised when I was charged for going over my data allowance by a good margin! How could I have miscalculated my data consumption by so much!? After complaining to my provider they eventually claimed that the built-in iOS bandwidth statistics were only showing average figures and were not accurate. I also read in some forum at the time, that Apple claimed their figures should be taken as an estimate only. With that in mind, I decided not to pursue further, accepted to pay the extra fee and promised myself never to use data roaming again.

Now, it would be interesting to know if all the network data generated by CIQ is counted in those mobile OS network bandwidth statistics or if, like the information it gathers, they are also hidden from view.
After all, if the provider goes to great lengths to hide the data they collect from you, they probably don’t want you to see that sealed fat envelope leaving your phone!

If that’s the case, how legal is this?! Not only is spying/gathering user information questionable, but doing so could be at the expense of the user! Couldn’t it be considered a hidden cost of their service? Could it explain the unexplainable extra fee I had to pay?

So I have three final comments to make:

  1. Mobile device companies are like any others, they want users’ personal information, but unlike others, they have full control of the device you discuss your life on.
  2. Opting in to usage statistics should be just that, an optional choice! And it should be made clear that it could result in extra cost, especially when roaming!
  3. If CIQ data consumption is also hidden from mobile OS(es) statistics then this is an extra hidden cost to the user.

Now, where have I kept my 10-year-old beloved Nokia 8210?

UPDATE, 12th of December 2011: CarrierIQ has responded to the issues discovered by Trevor through a 19-page document. Not sure I find it very convincing.

I used to have one password…

I used to have one password. It was the password to my Unix student account and it was in the mid nineties!

Since then, I must have accumulated dozens of passwords for work/home computers, websites, files, etc. Having a truly different password each time is almost impossible unless you use some kind of password safe application. Or you could use some kind of clever formula. I do emphasise the “clever”, because if your formula is to generate the same password with a simple variant at the end of it, a hacker who has access to more than one of your passwords could find out what that formula is quite easily.
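A self-audit for the weak kind of formula described above, as an added example (not the author's code): it finds the longest string shared by all of your passwords and reports how much of each one that shared part covers. The sample passwords are constructed, and the function names and the 50% threshold are assumptions.

```python
def shared_core(passwords):
    """Return the longest substring present in every password ('' if none)."""
    if len(passwords) < 2 or any(not p for p in passwords):
        raise ValueError("need at least two non-empty passwords")
    shortest = min(passwords, key=len)
    # Try the longest candidates first so the first hit is the answer.
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in p for p in passwords):
                return candidate
    return ""


def formula_report(passwords, max_shared_ratio=0.5):
    """Return (core, rows); each row is (unique_part, shared_ratio, flagged).

    unique_part is what is left once the shared core is removed, i.e. the
    only part someone holding one of the other passwords still has to guess.
    max_shared_ratio is an assumed threshold, not a standard.
    """
    core = shared_core(passwords)
    rows = []
    for p in passwords:
        unique_part = p.replace(core, "", 1) if core else p
        ratio = len(core) / len(p)
        rows.append((unique_part, round(ratio, 2), ratio > max_shared_ratio))
    return core, rows


# Constructed sample data: a "base + site suffix" formula ...
FORMULA_SET = ["Tr0ub4dor!fb", "Tr0ub4dor!gm", "Tr0ub4dor!bank"]
# ... and three unrelated passwords for comparison.
INDEPENDENT_SET = ["correct-horse-7", "Vq9#mLx2pT", "blue.Kettle.41"]

if __name__ == "__main__":
    for name, pw_set in (("formula", FORMULA_SET), ("independent", INDEPENDENT_SET)):
        core, rows = formula_report(pw_set)
        print(f"{name}: shared core has {len(core)} characters")
        for unique_part, ratio, flagged in rows:
            status = "WEAK" if flagged else "ok"
            print(f"  unique part: {len(unique_part)} chars, shared: {ratio:.0%} -> {status}")
```

Run it locally against your own list only; the printed report shows lengths rather than the passwords themselves.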

Another issue is the username. Most security warnings are related to users having the same password. Although that is indeed true, there is also an issue with using the same username everywhere. I would argue it is more important to start with a known username than a known password.

The recent attack against Sony shows that credentials stolen from other companies/websites can be re-used to mount generic brute force attacks. This is echoed in another recent article about the increasing danger of consoles and their online credentials that can sometimes be the same as those used for corporate use, especially with Windows live ID. I would again argue that it isn’t just an issue with consoles as many people when registering to new websites re-use the username they use the most, their work or home username.

There is however the need for a tradeoff between the highest level of security, having a random username and password for each of your logins, and something you can use without having to think about it or look it up every 5 minutes.

I would start with a different password for every login… and change them from time to time.

Attack on Quantum Cryptography

There is a recent BBC article on a new attack against a key component of Quantum Cryptography: Key Transportation.

There are 3 main components to a cryptographic system:
– The strength of the algorithms used (closed/open, random generator, collision, etc)
– The integrity of the system (implementation, key storage, devices security, etc)
– The transportation of keys (no full or partial interception of the keys, etc)

Quantum Cryptography has for some been seen as the future for ensuring the integrity and detection of any interception attempts during key transportation.

I am not a quantum physics expert, but what I understand is that key transportation is done through light, where photons of light are sent to the receiver, who will inspect the states of those photons to reconstruct the key. It is similar to sending a stream of bits which make up the key, apart from the fact that in quantum physics a photon has not just a binary state (0/1 or -/+) but multiple values at the same time.
One of the key quantum properties useful for cryptography is that once a stream of photons is inspected, it is “destroyed” or changed. Therefore if someone was trying to eavesdrop, the receiver would know.
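The detection property described above can be simulated classically. The following is an added example, not taken from the BBC article or the research paper: it assumes the BB84 protocol (the page does not name one), an eavesdropper who measures and resends every photon, and ideal detectors at both ends. The function names and the 11% alarm threshold are assumptions of this example.

```python
import random

BASES = "+x"  # rectilinear and diagonal polarisation bases


def measure(bit, prepared_basis, measuring_basis, rng):
    """Measure one photon. In the basis it was prepared in, the encoded bit
    comes back; in the other basis the result is a coin flip and the
    original state is lost."""
    if prepared_basis == measuring_basis:
        return bit
    return rng.randint(0, 1)


def bb84_run(n_photons, eavesdrop, seed):
    """Simulate one key exchange; return (sifted_key_length, error_rate)."""
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_photons):
        # Sender picks a random bit and a random basis to encode it in.
        alice_bit = rng.randint(0, 1)
        alice_basis = rng.choice(BASES)
        bit, basis = alice_bit, alice_basis
        if eavesdrop:
            # Eve has to guess a basis; what she resends is in *her* basis.
            eve_basis = rng.choice(BASES)
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis
        # Receiver also guesses a basis and measures what arrives.
        bob_basis = rng.choice(BASES)
        bob_bit = measure(bit, basis, bob_basis, rng)
        # Sifting: only positions where sender and receiver bases match are kept.
        if bob_basis == alice_basis:
            sifted += 1
            errors += bob_bit != alice_bit
    return sifted, (errors / sifted if sifted else 0.0)


def eavesdropper_suspected(error_rate, threshold=0.11):
    """Abort the exchange when the sifted-key error rate exceeds the threshold
    (assumed value; real systems also budget for channel noise)."""
    return error_rate > threshold


if __name__ == "__main__":
    for eve in (False, True):
        kept, qber = bb84_run(4000, eavesdrop=eve, seed=1)
        print(f"eavesdropper={eve}: kept {kept} bits, error rate {qber:.1%}, "
              f"alarm={eavesdropper_suspected(qber)}")
```

With no eavesdropper the sifted key has no errors; with one, about a quarter of the sifted bits disagree, because she picks the wrong basis half the time and the receiver's result is then random.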

As a side comment, there are a few things that still puzzle me about how this can only be a good thing. What about repeaters? Wouldn't you need those to exchange keys over very long distances? So even if you can guarantee the key hasn’t been intercepted, you cannot apply the same “quantum” guarantees to the repeaters (ref Integrity of the System). Furthermore, this could lead to a Denial of Service attack: I don’t see how a quantum key exchange infrastructure could be as resilient as today’s internet. You would need specific “light tunnels”; if one gets damaged, or if someone tries to intercept the key exchange even with the sole goal of disrupting the exchange process, then keys cannot be exchanged and the communication cannot take place…

Anyway, I would hope they must have thought about all this and have an answer. But what a team of scientists has just done, is to prove they could intercept the key and “blind” both ends into believing the exchange had been successful.

However some scientists have replied it was just a “configuration” problem with the system implementation and that it was possible to detect that attack after all.

Nonetheless, this adds weight to those who believe Quantum Cryptography is not the Holy Grail some claim it is, and that implementation issues similar to those found today in “standard” cryptography also exist in “Quantum” Cryptography.

The BBC Article (Summary)
The Norwegian University Article where the paper came from (Original Article)
The Quantum Hacking Group responsible for the discovery (More info)

Below is a great video from the Quantum Hacking Group Website explaining the attack:


GPU Password Cracking

Brute force password cracking has been around for a while, but in the last few years a new way to use your brand new graphics card has emerged which makes high performance attacks against passwords much cheaper and easier.

This is because the “brain” of those graphics cards, the Graphics Processing Unit or GPU, is designed to handle mathematical and repetitive tasks very efficiently.

There is a very good article about this topic on the ERRATA SECURITY blog with some interesting facts:

– Although GPUs are now found in most electronic devices (i.e.: phones), dedicated PC cards are obviously better

– Radeon is better than GeForce

– Although you can use more than one GPU, the benefits are not exponential and most people only need 1 or 2 GPUs.

– This is because past 8 characters, a password becomes near impossible to brute force. It would take too long, regardless of the number of GPUs you use!

– Some people actually slow the speed of the computer memory to reduce voltage and thus heat. All that matters is the GPU!

– What you would use a GPU against:

  • Bitcoin hashes match calculation (Bitcoin is a digital currency)
  • WPA Passwords: as you cannot really use Rainbow tables, brute force can be useful! In fact this is true for any “salted” passwords.
  • Protected documents: ZIP, Office, etc

Some of the software you need if you want to experiment yourself can be found on the Golubev website.

Update 28/06:
It looks like you can now even have powerful external GPU cards for your notebook, and it is a Radeon!