SlideShare una empresa de Scribd logo

DefCon 2012 - Gaining Access to User Android Data

Michael Smith
Michael Smith
Tecnología
1 de 32
Descargar para leer sin conexión
Into The Droid Gaining Access to Android User Data DEF CON 20
Introduction • Why this talk is useful • Defend access / gain access • Device seizure, loss, border crossing, stop and search, espionage... • The company • viaForensics - Mobile security and digital forensics, strong R&D team, government agencies and corporations • The speaker • Thomas Cannon - Director of Breaking Things
Challenges • ADB off by default • Screen lock • Code signing for updates and boot images • Encryption • Variety of device hardware, software and configuration
Bootloader Essentials • How we use the bootloader • Accessing bootloader mode • Bootloader protocols • Bootloader protection
Defeat The Bootloader • S-ON vs S-OFF • @secuflag controlled in radio firmware • Gold Card - specially formatted MicroSD card can bypass carrier ID check when flashing ROMs • White Card - special SIM card used as an authentication token to control access to diagnostic mode HTC Example
Defeat The Bootloader • Emulate White Card with hardware, combine with Gold Card to enter diagnostics and clear S-ON HTC Example
Defeat The Bootloader • White Card not needed for CDMA phones • Once S-OFF, can RAM load a custom boot image • This technique wipes most devices! But not all. • Successfully used this technique to gain access to some locked stock HTC devices such as HTC Desire • Try it yourself with an XTC Clip HTC Example
Forensic Boot Image • Start early in the boot chain before the system loads • Provide ADB root shell over USB which can be used to image the device • Do not mount anything, including cache, to prevent any writes to partitions • Devices with raw NAND flash and wear levelling implemented in software (YAFFS2) can be prevented from overwriting deleted data
Build Boot Image $ abootimg -x stock-recovery.img $ abootimg-unpack-initrd $ cd ramdisk (edit ramdisk contents) $ cd .. $ abootimg-pack-initrd -f $ abootimg -u stock-recovery.img -r initrd.img
RAM Disk Contents /dev /proc /sbin adbd busybox (+ symlinks) nanddump (to dump partitions) /sys init default.prop (enable root shell, ro.secure=0) init.rc (do not mount partitions, just start adbd) ueventd.rc
Flash and RAM Load • Samsung • Dump partitions with ODIN <= 1.52 or Heimdall. Maybe. • Flashing with ODIN or Heimdall • heimdall flash --recovery recovery.bin (Epic 4G) • heimdall flash --kernel zImage (Galaxy S) • HTC • fastboot boot recovery.img (RAM Loading) • fastboot flash recovery recovery.img (flash partition) • Motorola • sbf_flash image name.sbf (make sure it only contains recovery)
JTAG Primer • How it works • Flasher Box • ORT • RiffBox • Medusa Box
Serial Debug Cable • Some devices have debug access via serial cables which can be used to gain access to data • On Samsung Galaxy SII / Galaxy Note this is activated by grounding ID pin of USB with a 523K ohm resistor • TTL serial access provided on D+ and D- pins of USB connector • Use a Bus Pirate and MicroUSB breakout board to connect Galaxy SII
Crack PIN or Password • Salt • /data/data/com.android.providers.settings/databases/ settings.db • SELECT * FROM secure WHERE name = 'lockscreen.password_salt' • PIN / password • /data/system/password.key • Salted SHA1 of password concatenated with salted MD5
Crack PIN or Password • Calculate the value of the salt in lowercase hex with no padding $ python -c "print '%x' % 720624377925219614" a002c0dbeb8351e • Copy the last 32 bytes of password.key (MD5 hash in hex), add a colon and then add the salt 5D8EC41CB1812AC0BD9CB6C4F2CD0122:a002c0dbeb8351e • Crack with software such as oclHashcat-lite 
HID Brute Force? Video
HID Brute Force • AVR ATMEGA32U4 emulates USB keyboard typing PINs • USB OTG cable for USB host • Devices usually rate limit attempts and wipe after too many incorrect passcodes
Android Encryption
Android Encryption • Supported since Android 3.0 • Based on dm-crypt • AES 128 CBC • Implementations may vary, e.g. Samsung has their own key management module
Android Encryption keylen=32 PBKDF2 Password/PIN Key+IV (32 bytes) x2000 Key (128 bit) IV (128 bit) /dev/urandom Salt (128 bit) AES 128 Master Key (128 bit) CBC Encrypted Master Key (128 bit)
Android Encryption IV (ESSIV:SHA256) dm-crypt Master Key (128 bit) Encrypted userdata partition AES 128 CBC userdata partition
Cracking Encryption • Encrypted Master Key + Salt stored in footer • Footer stored at end of partition or in a footer file on another partition or as a partition itself • Image device and locate footer + encrypted userdata partition
Cracking Encryption • Parse footer • Locate Salt and Encrypted Master Key • Run a password guess through PBKDF2 with salt, use resulting key and IV to decrypt master key, use resulting master key to decrypt first sector of encrypted image. • If password is correct, plain text will be revealed
• Cracking PINs takes seconds. Passwords are usually short or follow patterns due to being the same as the lock screen password
Evil Maid Attack • Load app onto system partition, wait for user to boot phone, get remote access to decrypted user data • Rootkits - easy to compile for Android • Evil USB charger
Reverse Shell • App with no permissions can create a reverse shell, giving remote access to attacker
Desperate Techniques • Hard reset - some devices prior to 3.0 did not wipe data properly. Wipe, boot, root and recover • Chip-off - de-solder NAND chips • Screen smudges
More Techniques! • Custom update.zip - can you get one signed? • Race condition on updates via SD cards - fixed • Own a CA? Who doesn't these days? MITM connection, push app, update or exploit • Entry via Google Play, if credentials cached on desktop
Santoku Linux • Free and open bootable Linux distribution full of tools • Project is a collaboration with other mobile security pros • Mobile Forensics • Mobile App Security Testing • Mobile Malware Analysis Check out the Alpha release at https://santoku-linux.com
k yo u! Th an Thomas Cannon @thomas_cannon github.com/thomascannon tcannon@viaforensics.com For the latest versions of our presentations visit: https://viaforensics.com/resources/presentations

Recomendados

Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption SystemsPeter Teufl
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption SystemsPeter Teufl
 
iOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectioniOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectionAndrey Belenko
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
iPhone Data Protection in Depth
iPhone Data Protection in Depth iPhone Data Protection in Depth
iPhone Data Protection in DepthSeguridad Apple
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyClubHack
 
Hacking and Securing iOS Applications
Hacking and Securing iOS ApplicationsHacking and Securing iOS Applications
Hacking and Securing iOS Applicationsn|u - The Open Security Community
 
Android Mobile forensics with custom recoveries
Android Mobile forensics with custom recoveriesAndroid Mobile forensics with custom recoveries
Android Mobile forensics with custom recoveriesIbrahim Mosaad
 

Recomendados

Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption SystemsPeter Teufl
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption SystemsPeter Teufl
 
iOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectioniOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectionAndrey Belenko
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
iPhone Data Protection in Depth
iPhone Data Protection in Depth iPhone Data Protection in Depth
iPhone Data Protection in DepthSeguridad Apple
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyClubHack
 
Hacking and Securing iOS Applications
Hacking and Securing iOS ApplicationsHacking and Securing iOS Applications
Hacking and Securing iOS Applicationsn|u - The Open Security Community
 
Android Mobile forensics with custom recoveries
Android Mobile forensics with custom recoveriesAndroid Mobile forensics with custom recoveries
Android Mobile forensics with custom recoveriesIbrahim Mosaad
 
IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaAndy Shutka
 
Diskashur Desktop Hard Disk Drive Datasheet
Diskashur Desktop Hard Disk Drive DatasheetDiskashur Desktop Hard Disk Drive Datasheet
Diskashur Desktop Hard Disk Drive DatasheetKingfin Enterprises Limited
 
Android Hacking
Android HackingAndroid Hacking
Android Hackingantitree
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOSKai Aras
 
Android and ios cracking, hackintosh included !
Android and ios cracking, hackintosh included !Android and ios cracking, hackintosh included !
Android and ios cracking, hackintosh included !Veduruparthy Bharat
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
NWSLTR_Volume12_Issue1
NWSLTR_Volume12_Issue1NWSLTR_Volume12_Issue1
NWSLTR_Volume12_Issue1Charles Klondike
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
Rivetz Corp. - Building the hardware protected wallet
Rivetz Corp. - Building the hardware protected walletRivetz Corp. - Building the hardware protected wallet
Rivetz Corp. - Building the hardware protected walletSteven Sprague
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSSeguridad Apple
 
iOS jailbreaking
iOS jailbreakingiOS jailbreaking
iOS jailbreakingVarun Luthra
 
Gregynog2011 swis lite - gareth ayres (1)
Gregynog2011 swis lite - gareth ayres (1)Gregynog2011 swis lite - gareth ayres (1)
Gregynog2011 swis lite - gareth ayres (1)gregynog
 
Ios file management
Ios file managementIos file management
Ios file managementRajeev Venkata
 
4SO customer presentation
4SO customer presentation4SO customer presentation
4SO customer presentationDedi Ben-Natan
 
Windows IoT
Windows IoTWindows IoT
Windows IoTSameer Sapra
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Sessionveerababu penugonda(Mr-IoT)
 
Firmware analysis 101
Firmware analysis 101Firmware analysis 101
Firmware analysis 101veerababu penugonda(Mr-IoT)
 
Comparative study of security mechanism differentiation between windows 2000...
Comparative study of security mechanism differentiation between windows 2000... Comparative study of security mechanism differentiation between windows 2000...
Comparative study of security mechanism differentiation between windows 2000...Alexander Decker
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakesJustin Black
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devicesYashin Mehaboobe
 
Starting Raspberry Pi
Starting Raspberry PiStarting Raspberry Pi
Starting Raspberry PiLloydMoore
 

Más contenido relacionado

La actualidad más candente

IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaAndy Shutka
 
Android Hacking
Android HackingAndroid Hacking
Android Hackingantitree
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOSKai Aras
 
Android and ios cracking, hackintosh included !
Android and ios cracking, hackintosh included !Android and ios cracking, hackintosh included !
Android and ios cracking, hackintosh included !Veduruparthy Bharat
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
Rivetz Corp. - Building the hardware protected wallet
Rivetz Corp. - Building the hardware protected walletRivetz Corp. - Building the hardware protected wallet
Rivetz Corp. - Building the hardware protected walletSteven Sprague
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSSeguridad Apple
 
Gregynog2011 swis lite - gareth ayres (1)
Gregynog2011 swis lite - gareth ayres (1)Gregynog2011 swis lite - gareth ayres (1)
Gregynog2011 swis lite - gareth ayres (1)gregynog
 
4SO customer presentation
4SO customer presentation4SO customer presentation
4SO customer presentationDedi Ben-Natan
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Sessionveerababu penugonda(Mr-IoT)
 
Comparative study of security mechanism differentiation between windows 2000...
Comparative study of security mechanism differentiation between windows 2000... Comparative study of security mechanism differentiation between windows 2000...
Comparative study of security mechanism differentiation between windows 2000...Alexander Decker
 

La actualidad más candente (19)

IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfua
 
Diskashur Desktop Hard Disk Drive Datasheet
Diskashur Desktop Hard Disk Drive DatasheetDiskashur Desktop Hard Disk Drive Datasheet
Diskashur Desktop Hard Disk Drive Datasheet
 
Android Hacking
Android HackingAndroid Hacking
Android Hacking
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOS
 
Android and ios cracking, hackintosh included !
Android and ios cracking, hackintosh included !Android and ios cracking, hackintosh included !
Android and ios cracking, hackintosh included !
 
Mobile security
Mobile securityMobile security
Mobile security
 
NWSLTR_Volume12_Issue1
NWSLTR_Volume12_Issue1NWSLTR_Volume12_Issue1
NWSLTR_Volume12_Issue1
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
 
Rivetz Corp. - Building the hardware protected wallet
Rivetz Corp. - Building the hardware protected walletRivetz Corp. - Building the hardware protected wallet
Rivetz Corp. - Building the hardware protected wallet
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOS
 
iOS jailbreaking
iOS jailbreakingiOS jailbreaking
iOS jailbreaking
 
Gregynog2011 swis lite - gareth ayres (1)
Gregynog2011 swis lite - gareth ayres (1)Gregynog2011 swis lite - gareth ayres (1)
Gregynog2011 swis lite - gareth ayres (1)
 
Ios file management
Ios file managementIos file management
Ios file management
 
4SO customer presentation
4SO customer presentation4SO customer presentation
4SO customer presentation
 
Windows IoT
Windows IoTWindows IoT
Windows IoT
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
 
Firmware analysis 101
Firmware analysis 101Firmware analysis 101
Firmware analysis 101
 
Comparative study of security mechanism differentiation between windows 2000...
Comparative study of security mechanism differentiation between windows 2000... Comparative study of security mechanism differentiation between windows 2000...
Comparative study of security mechanism differentiation between windows 2000...
 

Similar a DefCon 2012 - Gaining Access to User Android Data

Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakesJustin Black
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devicesYashin Mehaboobe
 
Starting Raspberry Pi
Starting Raspberry PiStarting Raspberry Pi
Starting Raspberry PiLloydMoore
 
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015CSO_Presentations
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
 
BSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode EnabledBSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode Enabledpricemcdonald
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesPriyanka Aash
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik
 
HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key Linaro
 
“Secure Password Managers” and “Military-Grade Encryption” on Smartphones:...
“Secure Password Managers” and “Military-Grade Encryption” on Smartphones:...“Secure Password Managers” and “Military-Grade Encryption” on Smartphones:...
“Secure Password Managers” and “Military-Grade Encryption” on Smartphones:...Positive Hack Days
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...nooralmousa
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Device inspection to remote root
Device inspection to remote rootDevice inspection to remote root
Device inspection to remote rootTim N
 
6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone software6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone softwareIevgenii Katsan
 

Similar a DefCon 2012 - Gaining Access to User Android Data (20)

Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakes
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
 
Starting Raspberry Pi
Starting Raspberry PiStarting Raspberry Pi
Starting Raspberry Pi
 
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
 
BSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode EnabledBSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode Enabled
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key
 
“Secure Password Managers” and “Military-Grade Encryption” on Smartphones:...
“Secure Password Managers” and “Military-Grade Encryption” on Smartphones:...“Secure Password Managers” and “Military-Grade Encryption” on Smartphones:...
“Secure Password Managers” and “Military-Grade Encryption” on Smartphones:...
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trash
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Device inspection to remote root
Device inspection to remote rootDevice inspection to remote root
Device inspection to remote root
 
6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone software6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone software
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 

Más de Michael Smith

DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsDHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsMichael Smith
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)Michael Smith
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)Michael Smith
 
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...Michael Smith
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)Michael Smith
 
DefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityDefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityMichael Smith
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerDefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerMichael Smith
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeDefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeMichael Smith
 
DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)Michael Smith
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
 
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKDefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKMichael Smith
 
DefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersDefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersMichael Smith
 
Defcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesDefcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesMichael Smith
 
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsDefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsMichael Smith
 
DefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksDefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksMichael Smith
 
DefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYDefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYMichael Smith
 
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingDefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingMichael Smith
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersMichael Smith
 
DefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesDefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesMichael Smith
 
DefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingDefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingMichael Smith
 

Más de Michael Smith (20)

DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsDHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
 
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)
 
DefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityDefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency Security
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerDefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeDefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - Lee
 
DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)
 
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKDefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
 
DefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersDefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water Meters
 
Defcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesDefcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over Powerlines
 
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsDefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
 
DefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksDefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM Attacks
 
DefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYDefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPY
 
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingDefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO Routers
 
DefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesDefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware Vulnerabilities
 
DefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingDefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter Hacking
 

Último

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Último (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

DefCon 2012 - Gaining Access to User Android Data

  • 1. Into The Droid Gaining Access to Android User Data DEF CON 20
  • 2. Introduction • Why this talk is useful • Defend access / gain access • Device seizure, loss, border crossing, stop and search, espionage... • The company • viaForensics - Mobile security and digital forensics, strong R&D team, government agencies and corporations • The speaker • Thomas Cannon - Director of Breaking Things
  • 3. Challenges • ADB off by default • Screen lock • Code signing for updates and boot images • Encryption • Variety of device hardware, software and configuration
  • 4. Bootloader Essentials • How we use the bootloader • Accessing bootloader mode • Bootloader protocols • Bootloader protection
  • 5. Defeat The Bootloader • S-ON vs S-OFF • @secuflag controlled in radio firmware • Gold Card - specially formatted MicroSD card can bypass carrier ID check when flashing ROMs • White Card - special SIM card used as an authentication token to control access to diagnostic mode HTC Example
  • 6. Defeat The Bootloader • Emulate White Card with hardware, combine with Gold Card to enter diagnostics and clear S-ON HTC Example
  • 7. Defeat The Bootloader • White Card not needed for CDMA phones • Once S-OFF, can RAM load a custom boot image • This technique wipes most devices! But not all. • Successfully used this technique to gain access to some locked stock HTC devices such as HTC Desire • Try it yourself with an XTC Clip HTC Example
  • 8. Forensic Boot Image • Start early in the boot chain before the system loads • Provide ADB root shell over USB which can be used to image the device • Do not mount anything, including cache, to prevent any writes to partitions • Devices with raw NAND flash and wear levelling implemented in software (YAFFS2) can be prevented from overwriting deleted data
  • 9. Build Boot Image $ abootimg -x stock-recovery.img $ abootimg-unpack-initrd $ cd ramdisk (edit ramdisk contents) $ cd .. $ abootimg-pack-initrd -f $ abootimg -u stock-recovery.img -r initrd.img
  • 10. RAM Disk Contents /dev /proc /sbin adbd busybox (+ symlinks) nanddump (to dump partitions) /sys init default.prop (enable root shell, ro.secure=0) init.rc (do not mount partitions, just start adbd) ueventd.rc
  • 11. Flash and RAM Load • Samsung • Dump partitions with ODIN <= 1.52 or Heimdall. Maybe. • Flashing with ODIN or Heimdall • heimdall flash --recovery recovery.bin (Epic 4G) • heimdall flash --kernel zImage (Galaxy S) • HTC • fastboot boot recovery.img (RAM Loading) • fastboot flash recovery recovery.img (flash partition) • Motorola • sbf_flash image name.sbf (make sure it only contains recovery)
  • 12. JTAG Primer • How it works • Flasher Box • ORT • RiffBox • Medusa Box
  • 13. Serial Debug Cable • Some devices have debug access via serial cables which can be used to gain access to data • On Samsung Galaxy SII / Galaxy Note this is activated by grounding ID pin of USB with a 523K ohm resistor • TTL serial access provided on D+ and D- pins of USB connector • Use a Bus Pirate and MicroUSB breakout board to connect Galaxy SII
  • 14. Crack PIN or Password • Salt • /data/data/com.android.providers.settings/databases/ settings.db • SELECT * FROM secure WHERE name = 'lockscreen.password_salt' • PIN / password • /data/system/password.key • Salted SHA1 of password concatenated with salted MD5
  • 15. Crack PIN or Password • Calculate the value of the salt in lowercase hex with no padding $ python -c "print '%x' % 720624377925219614" a002c0dbeb8351e • Copy the last 32 bytes of password.key (MD5 hash in hex), add a colon and then add the salt 5D8EC41CB1812AC0BD9CB6C4F2CD0122:a002c0dbeb8351e • Crack with software such as oclHashcat-lite 
  • 16.
  • 17.
  • 19. HID Brute Force • AVR ATMEGA32U4 emulates USB keyboard typing PINs • USB OTG cable for USB host • Devices usually rate limit attempts and wipe after too many incorrect passcodes
  • 21. Android Encryption • Supported since Android 3.0 • Based on dm-crypt • AES 128 CBC • Implementations may vary, e.g. Samsung has their own key management module
  • 22. Android Encryption keylen=32 PBKDF2 Password/PIN Key+IV (32 bytes) x2000 Key (128 bit) IV (128 bit) /dev/urandom Salt (128 bit) AES 128 Master Key (128 bit) CBC Encrypted Master Key (128 bit)
  • 23. Android Encryption IV (ESSIV:SHA256) dm-crypt Master Key (128 bit) Encrypted userdata partition AES 128 CBC userdata partition
  • 24. Cracking Encryption • Encrypted Master Key + Salt stored in footer • Footer stored at end of partition or in a footer file on another partition or as a partition itself • Image device and locate footer + encrypted userdata partition
  • 25. Cracking Encryption • Parse footer • Locate Salt and Encrypted Master Key • Run a password guess through PBKDF2 with salt, use resulting key and IV to decrypt master key, use resulting master key to decrypt first sector of encrypted image. • If password is correct, plain text will be revealed
  • 26. • Cracking PINs takes seconds. Passwords are usually short or follow patterns due to being the same as the lock screen password
  • 27. Evil Maid Attack • Load app onto system partition, wait for user to boot phone, get remote access to decrypted user data • Rootkits - easy to compile for Android • Evil USB charger
  • 28. Reverse Shell • App with no permissions can create a reverse shell, giving remote access to attacker
  • 29. Desperate Techniques • Hard reset - some devices prior to 3.0 did not wipe data properly. Wipe, boot, root and recover • Chip-off - de-solder NAND chips • Screen smudges
  • 30. More Techniques! • Custom update.zip - can you get one signed? • Race condition on updates via SD cards - fixed • Own a CA? Who doesn't these days? MITM connection, push app, update or exploit • Entry via Google Play, if credentials cached on desktop
  • 31. Santoku Linux • Free and open bootable Linux distribution full of tools • Project is a collaboration with other mobile security pros • Mobile Forensics • Mobile App Security Testing • Mobile Malware Analysis Check out the Alpha release at https://santoku-linux.com
  • 32. k yo u! Th an Thomas Cannon @thomas_cannon github.com/thomascannon tcannon@viaforensics.com For the latest versions of our presentations visit: https://viaforensics.com/resources/presentations