No Apology Required
Deconstructing BB10
CanSecWest 2014
Introduction
• Presentation is exploratory
• Research is on-going
• Focused mostly on methodology, less on findings
• Feel free to chat after (since we may run out of time)
• Title is because stereotypical Canadians apologize for everything
Introduction
Ben Nell (bNull), Sr. Security Consultant, Accuvant Labs
Zach Lanier (quine), Sr. Security Researcher, Duo Security
Presentation foul:

<--- mixing memes --->
Why this matters
You’re an appsec consultant and your customer asks you if BlackBerry Balance solves BYOD
Agenda
• Previous Research
• Platform Overview
• Methodology
• Attack Surface
• Future Work
Previous Research
Our PlayBook stuff
• Targeted predecessor of BB10: TabletOS on BB PlayBook
• Discovered AuthZ token disclosure for Bridge/Balance (steal all the corporate data)
• RE’d firmware
• Mirrored all of AppWorld (steal all the premium apps)
• And more...
Our PlayBook stuff (cont’d)
• Discovered that native apps can exec*() / spawn*() and open AF_INET sockets unfettered (no perm’s req’d)
• Still true in BB10, but (even detached) child procs killed when app/parent ends
• “Headless Apps” allow for background services, but special perms required
• Granting of perms is contingent upon approval from RIM/BB signing service
Others
• Julio Cesar Fort’s QNX research
• SEC Consult BB10 paper
• RPW’s BB10 preso (BH USA ’13)
• Tim Brown’s various QNX/TabletOS/BB10 works
Platform Overview
Overview
• ARM-based SoCs (Z10, Q10, and Z30 all Snapdragon S4 SoC)
• BB10 (based on QNX Neutrino RTOS 8.0.0)
• Major components (as of 10.2.1.1925):
• WebKit (537.10 / 10.2.1.66)
• Adobe Flash (11.1.121.199)
• Adobe AIR (3.1.0.230)
• BlackBerry Balance (isolated, corporate PIM)
QNX
• Microkernel, only truly trusted component
• Userspace kernel and process manager - procnto
• Separation of network, I/O, HMI, etc. into separate components
• Messaging layer provides IPC (QNX message passing + POSIX IPC abstraction)
• Prev. public bugs disclosed by Ilja van Sprundel, Tim Brown, Julio Cesar Fort, cenobite, and others
Security Controls / Mitigations
• OpenBSD NetBSD pf
• POSIX (filesystem) ACLs
• Compiler & linker protections for native apps
• Usual suspects: XN, ASLR, ProPolice, PIE + full RELRO
QDE/Momentics default build options
Security Features
• BlackBerry Balance
• Encrypted, FACL’d “container”
• a.k.a. “perimeter”
• BES policy enforcements
• DISA STIGs guide these
authman & permissions
• authman service - maps app permissions to system resources
• Filesystem permissions + POSIX ACLs, PF rules
• Shell script and Python glue to bind it all together
authman & permissions
• /dev/authman: resource manager “dispatch” path (QNX IPC endpoint)
• /etc/authman: configs
• Pair of files (".res" & ".acl"), named for profile type
authman & permissions
• Controls access to app permissions (allow, prompt, deny)
• Sets FACLs on filesystem objects based on app permission requested
• Also sets process capabilities for certain permission types (e.g. “Headless apps”)
authman & pf
• authman handles setting up (app) GID:rule mapping
• Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2
Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera record_audio access_shared access_internet post_notification gain_oma_fl_group access_oma_fl_write_personal access_oma_fl_write_enterprise access_bbjma_data access_carrier_browser access_cclagent_service use_certmgr_server access_wifi_limited run_native permanent access_perimeter_personal'
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow execute
Dec 06 01:53:04 5 41 0 authman: Applying execute
Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
Dec 06 01:53:04 5 41 0 authman: req:Allow record_audio
Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared
Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
Dec 06 01:53:04 5 41 0 authman: req:Allow gain_oma_fl_group
Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_personal
Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_enterprise
Dec 06 01:53:04 5 41 0 authman: req:Allow access_bbjma_data
Dec 06 01:53:04 5 41 0 authman: req:Allow access_carrier_browser
Dec 06 01:53:04 5 41 0 authman: req:Allow access_cclagent_service
Dec 06 01:53:04 5 41 0 authman: req:Allow use_certmgr_server
Dec 06 01:53:04 5 41 0 authman: req:Allow access_wifi_limited
Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
Dec 06 01:53:04 5 41 0 authman: req:Allow permanent
Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_cdma_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
“Capabilities” based on permissions
ACLs based on permissions
pf rule(s)
output from sloginfo (tool to print system log)
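The log above shows how one permission turns into concrete ACL changes. The following is an added example (not from the slides, and not BlackBerry code) that parses authman lines in this format and reports which PPS objects each permission opens up for the app's GID. It assumes that `set_acl_group_perms` lines belong to the most recent `Applying` line and that `perms` is an octal mode whose group triad carries the grant.

```python
import re
from collections import defaultdict

# Lines copied from the sloginfo excerpt above (a subset, unwrapped).
SAMPLE = """\
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
"""

# Syslog-style prefix, then the authman message body.
LINE = re.compile(r"^\w{3} \d{2} [\d:.]+ +\d+ +\d+ +\d+ +authman: (?P<msg>.*)$")
REQ = re.compile(r"^req:(?P<decision>\w+) (?P<perm>\S+)$")
APPLY = re.compile(r"^Applying (?P<perm>\S+)$")
ACL = re.compile(
    r"^set_acl_group_perms: gid=(?P<gid>\d+), perms=(?P<mode>[0-7]+), (?P<path>\S+)$"
)


def group_rwx(mode_octal):
    """Render the group triad of an octal mode string, e.g. '060' -> 'rw-'.

    Assumption: authman's perms= value is an octal mode mask.
    """
    bits = (int(mode_octal, 8) >> 3) & 0o7
    return "".join(c if bits & m else "-" for c, m in (("r", 4), ("w", 2), ("x", 1)))


def parse_authman(log_text):
    """Return requested decisions, applied permissions and per-permission ACL grants."""
    requested = {}
    applied = []
    grants = defaultdict(list)
    current = None  # permission named by the last "Applying" line
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an authman line
        msg = m.group("msg").strip()
        if (r := REQ.match(msg)):
            requested[r["perm"]] = r["decision"]
        elif (a := APPLY.match(msg)):
            current = a["perm"]
            applied.append(current)
        elif (g := ACL.match(msg)) and current is not None:
            grants[current].append((int(g["gid"]), group_rwx(g["mode"]), g["path"]))
    return {"requested": requested, "applied": applied, "grants": dict(grants)}


def writable_paths(parsed):
    """(permission, path) pairs where the app's GID receives group write."""
    return sorted(
        (perm, path)
        for perm, entries in parsed["grants"].items()
        for _gid, rwx, path in entries
        if "w" in rwx
    )


def applied_without_acl(parsed):
    """Permissions that were applied but changed no ACL (capability- or pf-only)."""
    return [p for p in parsed["applied"] if p not in parsed["grants"]]


if __name__ == "__main__":
    result = parse_authman(SAMPLE)
    for perm, path in writable_paths(result):
        print(f"{perm}: group write on {path}")
    print("no ACL change:", applied_without_acl(result))
```

Run over a full log, the write-capable entries are the short list worth reviewing first, since they are the control objects an app can publish to once the permission is granted.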
PPS
• “Persistent Publish / Subscribe”
• Implemented by pps manager process
• Simple interface for sharing data, notifications/eventing via filesystem objects
IPC
• IPC is key in QNX
• “Message passing” & signals implemented in microkernel
• Other IPC (POSIX-compatible) mechanisms implemented by manager processes
[Figure: QNX IPC mechanisms (message passing, message copying, simple messages, channels, events (pulses, signals, unblocks), signals, shared memory, pipes, FIFOs, typed memory), each labelled as implemented in the kernel or by an external process/manager]
Application Model
• Native: C/C++
• WebWorks / Cordova: HTML/JS
• Adobe AIR: Flash/AS/HTML/JS
• Android: Java/DEX
20 app perms documented; 340 unique app & sys perms observed
Application Model
• App processes run with same UIDs, but separate GIDs (incl. supplemental GIDs)
• Apps have separate data stores/“sandboxes”
• With Balance/corporate separation, additional data stores
• Production apps are signed by BB/RIM signing server
Our Approach to the Platform
meth·od·ol·o·gy /ˌmeTHəˈdäləjē/
Testing Limitations
• General lack of enthusiasm for BB10 as a target
• General lack of public information about the system
• Effective security controls
• We’re left looking at a black box
OSINT
Just ask the internet!
OSINT
Existing previous work
• Our PlayBook work
• SEC Consult paper
• Works by RPW, Tim Brown, Julio Cesar Fort, etc.
• Not a ton of stuff out there
https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf
OSINT
QNX Foundry
• Man pages for QNXisms
• Downloads
• Forums
• Wiki
• Google dorks are golden…
OSINT
Speaking of Google dorks…
OSINT
Some random RIM employee’s file dump?
Upcoming product feature assessment
hardware
code names
Upcoming project effort estimations/ release dates
OSINT
Some random RIM employee’s file dump?
Internal bug tracker
internal URL
OSINT
Some random RIM employee’s file dump?
Pre-release BB10 developer image for Winchester/PlayBook
Dynamic Analysis
Watch it work and try to understand “why”
Dynamic Analysis
RIM wants to get your hacking^Wdevelopment projects up and running as quickly as possible!
Lots of SDK stuff, including a native SDK, giving us:
• libc, libcurl, OpenSSL, V8, and tons more
• Easy cross-compilation
Dynamic Analysis
Development Tools Sample code
Dynamic Analysis
Momentics target navigator
Proc/thread mem info
FS nav, etc.
Controller app
Controls NFC, Camera, geoloc, etc. for Simulator
Dynamic Analysis
• Momentics provides QNX-specific versions/builds of the typical toolchain
• gdb
• also objdump, nm, readelf, gcc, etc.
Dynamic Analysis
BlackBerry Simulator QNX Software Dev Platform (SDP)
• Gives us something similar to the real thing
• We can have root access*
• Access to tools relevant to the real thing
• MDS Simulator
• It’s like the non-official “platform” debug tool
• A fully accessible QNX environment
* - with a bit of work
Dynamic Analysis
Just another box on the network
• Testing harness
• Wireshark
• Proxy (Burp and friends)
• nmap
• Various fuzzers
• Custom stuff
Dynamic Analysis
There are lots of network services
BB10 network services
Dynamic Analysis
• Unsurprisingly, logs => info
• slogger (app event logger) and slogger2 (system event logger)
• Readable on simulator with sloginfo and slog2info
• slog* devices not readable on device :(
Dec 07 16:14:20.041 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 [ServiceManager] refreshing accounts list
Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts for service "contacts"
Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts
Dec 07 16:14:20.044 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 MNH(93): handleAccountUpdated accountId 4
Dec 07 16:14:20.045 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Calling AccountServicePrivate::account for AccountKey = 4
Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 GET 0x13
Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 URL Buffer: http://127.0.0.1:8888/accounts/4
Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 GET 0x1
Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 URL Buffer: http://127.0.0.1:8888/accounts
Dec 07 16:14:20.072 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Curl Easy perform
Dec 07 16:14:20.080 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Curl Easy perform
Dec 07 16:14:20.081 menu_service.2830447 menu_svc_logs 0 MS PIMCORE: command: GET method: /accounts URL:http://127.0.0.1:8888/accounts
Dec 07 16:14:20.082 phone.3567743 phone 0 [ I][18][PlatformContact:lookupByPhoneNu| 107] ContactService returns 0
Dynamic Analysis
Debugging is a breeze
Target
Host
Fuzzing…
Static Analysis
For the things that can’t be watched
Static Analysis
Installation bundles
• BAR format (hurr durr)
• De-facto standard for any non-factory packages
• META-INF directory
• Code signatures and app info
• “assets”
% zipinfo -l1 ./Gooby/arm/o.le-v7/Gooby-1_0_0_1.bar
META-INF/MANIFEST.MF
META-INF/AUTHOR.SF
META-INF/AUTHOR.EC
META-INF/RDK.SF
META-INF/RDK.EC
native/bar-descriptor.xml
native/icon.png
native/assets/main.qml
native/qm/Gooby.qm
native/Gooby.so
native/GoobyService
native/assets/.assets.index
Static Analysis
MANIFEST.MF: Package Meta Info
Static Analysis
MANIFEST.MF: Application Meta Info
Static Analysis
MANIFEST.MF: Entry Point Info
Static Analysis
MANIFEST.MF: Entry Point Info
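A BAR is a ZIP archive with a JAR-style manifest, so the package, application and entry-point details the slides refer to can be pulled out with a few lines of code. The following is an added example (not from the slides) that builds a small BAR in memory and inspects it; the manifest attribute names and the sample package are constructed assumptions about the BAR layout, since the slides do not show the manifest text.

```python
import io
import zipfile

# Signature files named in the zipinfo listing above.
SIGNATURE_FILES = ("META-INF/AUTHOR.SF", "META-INF/AUTHOR.EC",
                   "META-INF/RDK.SF", "META-INF/RDK.EC")

# Constructed manifest. Attribute names are assumptions (JAR-style
# "Key: value" sections, continuation lines start with one space).
SAMPLE_MANIFEST = (
    "Archive-Manifest-Version: 1.0\n"
    "Package-Name: com.example.Gooby\n"
    "Package-Version: 1.0.0.1\n"
    "Application-Name: Gooby\n"
    "Entry-Point: native/Gooby.so\n"
    "Entry-Point-User-Actions: access_internet,access_shared,run_when_backgr\n"
    " ounded\n"
    "\n"
    "Archive-Asset-Name: native/Gooby.so\n"
    "\n"
    "Archive-Asset-Name: native/icon.png\n"
)


def build_sample_bar():
    """Constructed BAR: author signature only, plus one file the manifest omits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as bar:
        bar.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
        bar.writestr("META-INF/AUTHOR.SF", "constructed")
        bar.writestr("META-INF/AUTHOR.EC", "constructed")
        bar.writestr("native/Gooby.so", b"\x7fELF constructed")
        bar.writestr("native/icon.png", b"constructed")
        bar.writestr("native/GoobyService", b"\x7fELF constructed")
    return buf.getvalue()


def parse_manifest(text):
    """Split a JAR-style manifest into (main section, list of later sections)."""
    sections, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a section
            if current:
                sections.append(current)
            current, last_key = {}, None
        elif line.startswith(" ") and last_key:   # continuation of previous value
            current[last_key] += line[1:]
        elif ":" in line:
            last_key, _, value = line.partition(":")
            current[last_key] = value.lstrip(" ")
    if current:
        sections.append(current)
    return (sections[0] if sections else {}), sections[1:]


def inspect_bar(bar_bytes):
    """Summarise manifest metadata and flag gaps worth a closer look."""
    with zipfile.ZipFile(io.BytesIO(bar_bytes)) as bar:
        names = bar.namelist()
        manifest = bar.read("META-INF/MANIFEST.MF").decode("utf-8")
    main, assets = parse_manifest(manifest)

    # Group main attributes under the three headings used on the slides.
    groups = {"Package": {}, "Application": {}, "Entry-Point": {}}
    for key, value in main.items():
        for prefix in groups:
            if key.startswith(prefix):
                groups[prefix][key] = value

    listed = {section.get("Archive-Asset-Name") for section in assets}
    payload = [n for n in names if not n.startswith("META-INF/")]
    requested = main.get("Entry-Point-User-Actions", "")
    return {
        "groups": groups,
        "permissions": [p for p in requested.split(",") if p],
        "missing_signature_files": [s for s in SIGNATURE_FILES if s not in names],
        "unlisted_entries": sorted(n for n in payload if n not in listed),
    }


if __name__ == "__main__":
    for key, value in inspect_bar(build_sample_bar()).items():
        print(key, "=", value)
```

For a real package, pass the bytes of the `.bar` file to `inspect_bar`; archive entries that no manifest section names are the first thing to examine.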
Static Analysis
Getting Firmware
• MITM the CDN downloads
• The “community” has built some good tools
http://forums.crackberry.com/bb10-leaked-beta-os-f395/sachesi-firmware-extractor-searcher-installer-825409/
Static Analysis
Getting Into the Firmware
• “pbtools”
• Mount the firmware in Simulator or SDP
• SCP the files back out
https://github.com/intrepidusgroup/pbtools
Static Analysis
Shell Scripts
• /base/scripts/
• Easy to read
• grep-fu for great success!
from “startup.sh”
Static Analysis
Python: For everything important on BB10 that isn’t written in bash
• Most of it is compiled Python (bytecode; *.pyc)
• unpyc3.py
https://code.google.com/p/unpyc3/
Static Analysis
ActionScript
• Decompile with Sothink / whatever
• Most ActionScript apps handle front-end stuff
qnx.AIRServices.ota.OtaUpdate
Static Analysis
Compiled binaries
• IDA cleanly disassembles
• ARM / x86
• Without a public root, disassembly might be your best/only bet for dorking with many network services
Attack Surface
http://www.harkavagrant.com/?id=250
Entry Points
Where the device accepts data
IPC
• Numerous IPC endpoints available
• QNX channels particularly caught our eye
• Wrote some horrible IPC scanners / fuzzers
• Problem: not always sure WTF is on the other end of a channel (or able to attach to channel but unable to send)
• Also DoS’d/froze device multiple times during mass channel scans
$ ./scanchan.py 643092
Could not find platform independent libraries <prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
[+] PID: 643092 - Connected to channel: 2
[-] PID: 643092 - Error for channel 6: [Errno 1] Operation not permitted
$ ./fchan1.py 1019928 16
[+] PID: 1019928 - Connected to channel: 16
(48, b"AAAAAAAAAAAAAAAA(coid, b'Hello!')n c
x01x00x00x00x00x00x00x00x03x00x00x00x02x0
0x00x00Ox00x00x00sx16x00x00x00|x01x00|
x00x00_x00x00|x02x00|x00x00_x01x00d
x00x00S(x01x00x00x00N(x02x00x00x00u
x04x00x00x00argsux06x00x00x00…
Network Services
• Samba!
• WWW!
• WebDAV!
• Proxies!
• SSH!
• Other stuff!
Network Services
Local-hosted CGI scripts are used for device management “stuff”
• Backup & restore
• Application installation
• Device reset
• Limited logging control
• Limited PIM management
• Enterprise registration
• Etc
WiFi
• Many device management functions happen over HTTP/SMB with the option of operating over WiFi
• Handset acts as an UPnP gateway
• There are some real problematic areas observable over WiFi
USB
• Mass storage? Nay, Ethernet!
• Similar to WiFi (WWW/SMB), with additional capabilities
Bluetooth
• Tether your handset to your tablet
• SapphireProxy (get it?)
• WebDAV
• HTTP proxy
• Protected by pf
BlackBerry “Bridge” / SapphireProxy
This service has had problems in the past… *
* Barely recognizable BattleStar reference
NFC
It works and there are no security problems?
• Haven’t really explored this ourselves.
• Biggest concern likely bad NDEF message parsing by 3rd party native apps
Local Application
• Malware / Client-side attacks
• Insufficient controls on sensitive local file and network resources
• Privilege escalations are like gold
Balance
• An attempt at solving BYOD
• “Perimeters” manage the separation between personal and enterprise applications, data, and network resources
• Enterprise perimeter security is controlled by BES and enforced locally
Balance
Concerned Consumer:
Sounds great. How does it work?
I am familiar with the iOS security model and might expect to see some sort of sandboxing technology to enforce this separation.
Balance
RIM:
I don’t want to say that it’s all based on file permissions…
…but it’s all based on file permissions
Future Work
TODO
• Further (re-)exploration of...
• authman
• system IPC endpoints
• Balance
• Android support
• Radio (NFC, Cell/BB, BT)
• HDMI, USB
Conclusion
Questions / Contact
• https://twitter.com/quine

zach@n0where.org

zach@duosecurity.com

• https://twitter.com/bnull

[NO_EMAIL_PROVIDED]
<--shameless plug

Más contenido relacionado

La actualidad más candente

HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox -  AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox -  AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?Aditya K Sood
 
RPS/APS vulnerability in snom/yealink and others - slides
RPS/APS vulnerability in snom/yealink and others - slidesRPS/APS vulnerability in snom/yealink and others - slides
RPS/APS vulnerability in snom/yealink and others - slidesCal Leeming
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityJakub Kałużny
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
ASERT's DDoS Malware Corral, Volume 2
ASERT's DDoS Malware Corral, Volume 2ASERT's DDoS Malware Corral, Volume 2
ASERT's DDoS Malware Corral, Volume 2dschwarz_arbor
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies:  Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies:  Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Funarbitrarycode
 
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Positive Hack Days
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
Troubleshooting K1000
Troubleshooting K1000Troubleshooting K1000
Troubleshooting K1000Dell World
 
Inventory Tips & Tricks
Inventory Tips & TricksInventory Tips & Tricks
Inventory Tips & TricksDell World
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopPriyanka Aash
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
 

La actualidad más candente (16)

HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox -  AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox -  AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
 
RPS/APS vulnerability in snom/yealink and others - slides
RPS/APS vulnerability in snom/yealink and others - slidesRPS/APS vulnerability in snom/yealink and others - slides
RPS/APS vulnerability in snom/yealink and others - slides
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
ASERT's DDoS Malware Corral, Volume 2
ASERT's DDoS Malware Corral, Volume 2ASERT's DDoS Malware Corral, Volume 2
ASERT's DDoS Malware Corral, Volume 2
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies:  Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies:  Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Fun
 
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Troubleshooting K1000
Troubleshooting K1000Troubleshooting K1000
Troubleshooting K1000
 
Inventory Tips & Tricks
Inventory Tips & TricksInventory Tips & Tricks
Inventory Tips & Tricks
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
 

Destacado

Combinar correspondencia
Combinar correspondenciaCombinar correspondencia
Combinar correspondenciaBsantiagoAC
 
Unternehmen & Social Media. Schluss mit lustig.
Unternehmen & Social Media. Schluss mit lustig.Unternehmen & Social Media. Schluss mit lustig.
Unternehmen & Social Media. Schluss mit lustig.Barbara Scholtysik
 
Hvvhed tuwt surgalt
Hvvhed tuwt surgaltHvvhed tuwt surgalt
Hvvhed tuwt surgaltShijir Com
 
Presentación empresa Junio 2007
Presentación empresa Junio 2007Presentación empresa Junio 2007
Presentación empresa Junio 2007cues7a
 
Koller Dekorative Graphik Auktion - Old Master Prints Auction
Koller Dekorative Graphik Auktion - Old Master Prints Auction Koller Dekorative Graphik Auktion - Old Master Prints Auction
Koller Dekorative Graphik Auktion - Old Master Prints Auction Koller Auctions
 
Whipepaper Open Educational Resources in Ausbildung und Weiterbildung
Whipepaper Open Educational Resources in Ausbildung und WeiterbildungWhipepaper Open Educational Resources in Ausbildung und Weiterbildung
Whipepaper Open Educational Resources in Ausbildung und WeiterbildungBertelsmann Stiftung
 
Anuncios y gas bolivia
Anuncios y  gas boliviaAnuncios y  gas bolivia
Anuncios y gas boliviamiq_77
 
Bank und Zukunft: Ergebnisse einer Studie
Bank und Zukunft: Ergebnisse einer StudieBank und Zukunft: Ergebnisse einer Studie
Bank und Zukunft: Ergebnisse einer StudieMartina Goehring
 
Ville Miettinen - Microtask - Finland - Stanford Engineering - Feb 13 2012
Ville Miettinen - Microtask - Finland - Stanford Engineering - Feb 13 2012Ville Miettinen - Microtask - Finland - Stanford Engineering - Feb 13 2012
Ville Miettinen - Microtask - Finland - Stanford Engineering - Feb 13 2012Burton Lee
 
Pastelería la flor
Pastelería la florPastelería la flor
Pastelería la florbrihuega12
 
Patma agropecuario de urubamba 2014
Patma agropecuario de urubamba 2014Patma agropecuario de urubamba 2014
Patma agropecuario de urubamba 20142hermelinda
 
Epigenetic and Environmental Influences on the Shellfish Immune Response
Epigenetic and Environmental Influences on the Shellfish Immune ResponseEpigenetic and Environmental Influences on the Shellfish Immune Response
Epigenetic and Environmental Influences on the Shellfish Immune Responsesr320
 
Comentario de la ménade de scopas
Comentario de la ménade de scopasComentario de la ménade de scopas
Comentario de la ménade de scopasjoseluisjuansanchezv
 
Salvador Diaz Miron y Jose Marti
Salvador Diaz Miron  y Jose MartiSalvador Diaz Miron  y Jose Marti
Salvador Diaz Miron y Jose MartiJeff Flores Ferrer
 
Personal Training Konzept
Personal Training KonzeptPersonal Training Konzept
Personal Training KonzeptChristin Just
 
Wie man aus langweiligen 
Logdateien Gold gewinnen kann
Wie man aus langweiligen 
Logdateien Gold gewinnen kannWie man aus langweiligen 
Logdateien Gold gewinnen kann
Wie man aus langweiligen 
Logdateien Gold gewinnen kannKlaus Bild
 
Dossier IMAT 2016
Dossier IMAT 2016Dossier IMAT 2016
Dossier IMAT 2016ESICImat
 

Destacado (20)

Afichesdecineecuatorianomc00
Afichesdecineecuatorianomc00Afichesdecineecuatorianomc00
Afichesdecineecuatorianomc00
 
Combinar correspondencia
Combinar correspondenciaCombinar correspondencia
Combinar correspondencia
 
Unternehmen & Social Media. Schluss mit lustig.
Unternehmen & Social Media. Schluss mit lustig.Unternehmen & Social Media. Schluss mit lustig.
Unternehmen & Social Media. Schluss mit lustig.
 
Hvvhed tuwt surgalt
Hvvhed tuwt surgaltHvvhed tuwt surgalt
Hvvhed tuwt surgalt
 
grupo6
grupo6grupo6
grupo6
 
Presentación empresa Junio 2007
Presentación empresa Junio 2007Presentación empresa Junio 2007
Presentación empresa Junio 2007
 
Koller Dekorative Graphik Auktion - Old Master Prints Auction
Koller Dekorative Graphik Auktion - Old Master Prints Auction Koller Dekorative Graphik Auktion - Old Master Prints Auction
Koller Dekorative Graphik Auktion - Old Master Prints Auction
 
Whipepaper Open Educational Resources in Ausbildung und Weiterbildung
Whipepaper Open Educational Resources in Ausbildung und WeiterbildungWhipepaper Open Educational Resources in Ausbildung und Weiterbildung
Whipepaper Open Educational Resources in Ausbildung und Weiterbildung
 
Anuncios y gas bolivia
Anuncios y  gas boliviaAnuncios y  gas bolivia
Anuncios y gas bolivia
 
Bank und Zukunft: Ergebnisse einer Studie
Bank und Zukunft: Ergebnisse einer StudieBank und Zukunft: Ergebnisse einer Studie
Bank und Zukunft: Ergebnisse einer Studie
 
Ville Miettinen - Microtask - Finland - Stanford Engineering - Feb 13 2012
Ville Miettinen - Microtask - Finland - Stanford Engineering - Feb 13 2012Ville Miettinen - Microtask - Finland - Stanford Engineering - Feb 13 2012
Ville Miettinen - Microtask - Finland - Stanford Engineering - Feb 13 2012
 
Pastelería la flor
Pastelería la florPastelería la flor
Pastelería la flor
 
Patma agropecuario de urubamba 2014
Patma agropecuario de urubamba 2014Patma agropecuario de urubamba 2014
Patma agropecuario de urubamba 2014
 
Epigenetic and Environmental Influences on the Shellfish Immune Response
Epigenetic and Environmental Influences on the Shellfish Immune ResponseEpigenetic and Environmental Influences on the Shellfish Immune Response
Epigenetic and Environmental Influences on the Shellfish Immune Response
 
Comentario de la ménade de scopas
Comentario de la ménade de scopasComentario de la ménade de scopas
Comentario de la ménade de scopas
 
Hiponatremia
HiponatremiaHiponatremia
Hiponatremia
 
Salvador Diaz Miron y Jose Marti
Salvador Diaz Miron  y Jose MartiSalvador Diaz Miron  y Jose Marti
Salvador Diaz Miron y Jose Marti
 
Personal Training Konzept
Personal Training KonzeptPersonal Training Konzept
Personal Training Konzept
 
Wie man aus langweiligen 
Logdateien Gold gewinnen kann
Wie man aus langweiligen 
Logdateien Gold gewinnen kannWie man aus langweiligen 
Logdateien Gold gewinnen kann
Wie man aus langweiligen 
Logdateien Gold gewinnen kann
 
Dossier IMAT 2016
Dossier IMAT 2016Dossier IMAT 2016
Dossier IMAT 2016
 

No Apology Required: Deconstructing BB10

  • 1. No Apology Required Deconstructing BB10 CanSecWest 2014
  • 2. Introduction • Presentation is exploratory • Research is on-going • Focused mostly on methodology, less on findings • Feel free to chat after (since we may run out of time) • Title is because stereotypical Canadians apologize for everything
  • 4. Introduction • Ben Nell (bNull), Sr. Security Consultant, Accuvant Labs • Zach Lanier (quine), Sr. Security Researcher, Duo Security • Presentation foul: <--- mixing memes --->
  • 7. Why this matters You’re an appsec consultant and your customer asks you if BlackBerry Balance solves BYOD
  • 8. Agenda • Previous Research • Platform Overview • Methodology • Attack Surface • Future Work
  • 10. Our PlayBook stuff • Targeted predecessor of BB10 — TabletOS on BB PlayBook • Discovered AuthZ token disclosure for Bridge/Balance (steal all the corporate data) • RE’d firmware • Mirrored all of AppWorld (steal all the premium apps) • And more...
  • 11. Our PlayBook stuff (cont’d) • Discovered that native apps can exec*() / spawn*() and open AF_INET sockets unfettered (no perm’s req’d) • Still true in BB10, but (even detached) child procs killed when app/parent ends • “Headless Apps” allow for background services, but special perms required • Granting of perms is contingent upon approval from RIM/BB signing service
  • 12. Others • Julio Cesar Fort’s QNX research • SEC Consult BB10 paper • RPW’s BB10 preso (BH USA ’13) • Tim Brown’s various QNX/TabletOS/BB10 works
  • 14. Overview • ARM-based SoCs (Z10, Q10, and Z30 all Snapdragon S4 SoC) • BB10 (based on QNX Neutrino RTOS 8.0.0) • Major components (as of 10.2.1.1925): • WebKit (537.10 / 10.2.1.66) • Adobe Flash (11.1.121.199) • Adobe AIR (3.1.0.230) • BlackBerry Balance (isolated, corporate PIM)
  • 15. QNX • Microkernel, only truly trusted component • Userspace kernel and process manager - procnto • Separation of network, I/O, HMI, etc. into separate components • Messaging layer provides IPC (QNX message passing + POSIX IPC abstraction) • Prev. public bugs disclosed by Ilja van Sprundel, Tim Brown, Julio Cesar Fort, cenobite, and others
  • 16. Security Controls / Mitigations • OpenBSD NetBSD pf • POSIX (filesystem) ACLs • Compiler & linker protections for native apps • Usual suspects: XN, ASLR, ProPolice, PIE + full RELRO
  • 18. Security Features • BlackBerry Balance • Encrypted, FACL’d “container” • a.k.a. “perimeter” • BES policy enforcements • DISA STIGs guide these
  • 19. authman & permissions • authman service - maps app permissions to system resources • Filesystem permissions + POSIX ACLs, PF rules • Shell script and Python glue to bind it all together
  • 20. authman & permissions • /dev/authman: resource manager “dispatch” path (QNX IPC endpoint) • /etc/authman: configs • Pair of files (".res" & ".acl"), named for profile type
  • 21. authman & permissions • Controls access to app permissions (allow, prompt, deny) • Sets FACLs on filesystem objects based on app permission requested • Also sets process capabilities for certain permission types (e.g. “Headless apps”)
  • 22. authman & pf • authman handles setting up (app) GID:rule mapping • Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2
  • 23. Output from sloginfo (tool to print system log):
    Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera record_audio access_shared access_internet post_notification gain_oma_fl_group access_oma_fl_write_personal access_oma_fl_write_enterprise access_bbjma_data access_carrier_browser access_cclagent_service use_certmgr_server access_wifi_limited run_native permanent access_perimeter_personal'
    Dec 06 01:53:04 5 41 0 authman: Requested caps:
    Dec 06 01:53:04 5 41 0 authman: req:Allow execute
    Dec 06 01:53:04 5 41 0 authman: Applying execute
    Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
    Dec 06 01:53:04 5 41 0 authman: Requested caps:
    Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
    Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
    Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
    Dec 06 01:53:04 5 41 0 authman: req:Allow record_audio
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
    Dec 06 01:53:04 5 41 0 authman: req:Allow gain_oma_fl_group
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_personal
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_enterprise
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_bbjma_data
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_carrier_browser
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_cclagent_service
    Dec 06 01:53:04 5 41 0 authman: req:Allow use_certmgr_server
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_wifi_limited
    Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
    Dec 06 01:53:04 5 41 0 authman: req:Allow permanent
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal
    Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
    Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
    Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_cdma_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
    Slide callouts: “Capabilities” based on permissions; ACLs based on permissions; pf rule(s)
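Added example (not from the talk and not BlackBerry code): a small parser that turns the authman lines from slide 23 into a per-permission list of the ACL changes they caused, which is the view an assessor wants when checking what a permission really opens up to an app's GID. It assumes that `set_acl_group_perms` lines belong to the most recent `Applying <permission>` line, and that `perms=` is an octal mode whose group digit carries the grant; the function names are hypothetical.

```python
import re

# Log prefix as shown on slide 23: "Dec 06 01:53:04 5 41 0 authman: <message>"
LINE_RE = re.compile(
    r"^\w{3} \d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\d+\s+\d+\s+authman:\s*(?P<msg>.*)$"
)
ACL_RE = re.compile(
    r"^set_acl_group_perms: gid=(?P<gid>\d+), perms=(?P<perms>[0-7]+), (?P<path>\S+)$"
)
UNATTRIBUTED = "(no preceding Applying line)"

# Sample input: abridged from the sloginfo output on slide 23.
SAMPLE_LOG = """\
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
"""


def parse_authman(log_text):
    """Return (requested, applied).

    requested: permission names from "req:Allow" lines, in log order.
    applied:   {permission: [(gid, mode, path), ...]} built from "Applying"
               lines and the set_acl_group_perms lines that follow them.
    """
    requested = []
    applied = {}
    current = None  # permission named by the last "Applying" line
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # not an authman record (or a wrapped fragment)
        msg = line.group("msg").strip()
        if msg.startswith("req:Allow "):
            requested.append(msg[len("req:Allow "):])
        elif msg.startswith("Applying "):
            current = msg[len("Applying "):]
            applied.setdefault(current, [])
        else:
            acl = ACL_RE.match(msg)
            if acl:
                entry = (int(acl.group("gid")), int(acl.group("perms"), 8),
                         acl.group("path"))
                applied.setdefault(current or UNATTRIBUTED, []).append(entry)
    return requested, applied


def group_bits(mode):
    """Render the group digit of an octal mode as an rwx string (assumed meaning)."""
    flags = (("r", 0o40), ("w", 0o20), ("x", 0o10))
    return "".join(ch if mode & bit else "-" for ch, bit in flags)


def write_grants(applied):
    """(permission, path) pairs where the app's GID received group write."""
    return [(perm, path)
            for perm, entries in applied.items()
            for _gid, mode, path in entries
            if mode & 0o20]


def not_applied(requested, applied):
    """Requested permissions with no "Applying" line in this capture."""
    return [perm for perm in requested if perm not in applied]


if __name__ == "__main__":
    req, app = parse_authman(SAMPLE_LOG)
    for perm, entries in app.items():
        print(perm)
        for gid, mode, path in entries:
            print(f"    gid={gid} {group_bits(mode)} {path}")
    print("write access:", write_grants(app))
    print("requested, not seen applied:", not_applied(req, app))
```

Permissions that show an `Applying` line but no ACL entry (here `run_when_backgrounded`) are the ones to check against the capability and pf side of authman instead.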
  • 24. PPS • “Persistent Publish / Subscribe” • Implemented by pps manager process • Simple interface for sharing data, notifications/eventing via filesystem objects
  • 25. IPC • IPC is key in QNX • “Message passing” & signals implemented in microkernel • Other IPC (POSIX-compatible) mechanisms implemented by manager processes Message passing Shared memory Pipes FIFOs Message copying Simple messages Channels Events (pulses, signals, unblocks) Typed memory Signals Kernel Kernel External process/manager
  • 26. Application Model • Native • WebWorks / Cordova • Adobe AIR • Android C/C++ Flash/AS/ HTML/JS HTML/JS Java/DEX 20 app perms documented 340 unique app & sys perms observed
  • 27. Application Model • App processes run with same UIDs, but separate GIDs (incl. supplemental GIDs) • Apps have separate data stores/“sandboxes” • With Balance/corporate separation, additional data stores • Production apps are signed by BB/RIM signing server
  • 28. Our Approach to the Platform meth·od·ol·o·gy /ˌmeTHəˈdäləjē/
  • 30. Testing Limitations • General lack of enthusiasm for BB10 as a target • General lack of public information about the system • Effective security controls • We’re left looking at a black box
  • 31. OSINT Just ask the internet!
  • 32. OSINT Existing previous work • Our PlayBook work • SEC Consult paper • Works by RPW, Tim Brown, Julio Cesar Fort, etc. • Not a ton of stuff out there https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf
  • 33. OSINT QNX Foundry • Man pages for QNXisms • Downloads • Forums • Wiki • Google dorks are golden…
  • 35. OSINT Some random RIM employee’s file dump? Upcoming product feature assessment hardware code names Upcoming project effort estimations/ release dates
  • 36. OSINT Some random RIM employee’s file dump? Internal bug tracker internal URL
  • 37. OSINT Some random RIM employee’s file dump? Pre-release BB10 developer image for Winchester/PlayBook
  • 38. Dynamic Analysis Watch it work and try to understand “why”
  • 39. Dynamic Analysis RIM wants to get your hacking^Wdevelopment projects up and running as quickly as possible! Lots of SDK stuff, including a native SDK, giving us: • libc, libcurl, OpenSSL, V8, and tons more • Easy cross-compilation
  • 41. Dynamic Analysis • Momentics target navigator: proc/thread mem info, FS nav, etc. • Controller app: controls NFC, camera, geoloc, etc. for Simulator
  • 42. Dynamic Analysis • Momentics provides QNX-specific versions/builds of the typical toolchain • gdb • also objdump, nm, readelf, gcc, etc.
  • 43. Dynamic Analysis Blackberry Simulator QNX Software Dev Platform (SDP) • Gives us something similar to the real thing • We can have root access* • Access to tools relevant to the real thing • MDS Simulator • It’s like the non-official “platform” debug tool • A fully accessible QNX environment * - with a bit of work
  • 44. Dynamic Analysis Just another box on the network • Testing harness • Wireshark • Proxy (Burp and friends) • nmap • Various fuzzers • Custom stuff
  • 45. Dynamic Analysis There are lots of network services BB10 network services
  • 47. Dynamic Analysis • Unsurprisingly, logs => info • slogger (app event logger) and slogger2 (system event logger) • Readable on simulator with sloginfo and slog2info • slog* devices not readable on device :(
      Dec 07 16:14:20.041 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 [ServiceManager] refreshing accounts list
      Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts for service "contacts"
      Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts
      Dec 07 16:14:20.044 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 MNH(93): handleAccountUpdated accountId 4
      Dec 07 16:14:20.045 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Calling AccountServicePrivate::account for AccountKey = 4
      Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 GET 0x13
      Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 URL Buffer: http://127.0.0.1:8888/accounts/4
      Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 GET 0x1
      Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 URL Buffer: http://127.0.0.1:8888/accounts
      Dec 07 16:14:20.072 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Curl Easy perform
      Dec 07 16:14:20.080 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Curl Easy perform
      Dec 07 16:14:20.081 menu_service.2830447 menu_svc_logs 0 MS PIMCORE: command: GET method: /accounts URL:http://127.0.0.1:8888/accounts
      Dec 07 16:14:20.082 phone.3567743 phone 0 [ I][18][PlatformContact:lookupByPhoneNu| 107] ContactService returns 0
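An added example (not from the slides): a parser for the log excerpt above that reports which logging sources mention loopback HTTP endpoints, which is the detail to look for when auditing what a system log discloses. The record layout is inferred from the sample output, the sample lines are copied from the slide with wrapped URLs rejoined, and all function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed record layout, inferred from the slide's sample output:
#   <Mon DD HH:MM:SS.mmm> <source>.<pid> <buffer> <code> <message>
RECORD = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<source>\S+)\.(?P<pid>\d+)\s+(?P<buffer>\S+)\s+(?P<code>\d+)\s+(?P<msg>.*)$"
)
URL = re.compile(r"https?://\S+")

# Lines copied from the slide (wrapped URLs rejoined).
SAMPLE = """\
Dec 07 16:14:20.041 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 [ServiceManager] refreshing accounts list
Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 URL Buffer: http://127.0.0.1:8888/accounts/4
Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 URL Buffer: http://127.0.0.1:8888/accounts
Dec 07 16:14:20.081 menu_service.2830447 menu_svc_logs 0 MS PIMCORE: command: GET method: /accounts URL:http://127.0.0.1:8888/accounts
Dec 07 16:14:20.082 phone.3567743 phone 0 [ I][18][PlatformContact:lookupByPhoneNu| 107] ContactService returns 0
""".splitlines()

def parse(line):
    """Split one record into its fields, or return None if it does not match."""
    m = RECORD.match(line.strip())
    return m.groupdict() if m else None

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # hostname rather than an IP literal
        return False

def loopback_endpoints(lines):
    """Map (host, port, path) -> set of logging sources that mention it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for raw in URL.findall(rec["msg"]):
            u = urlsplit(raw)
            if u.hostname and is_loopback(u.hostname):
                seen[(u.hostname, u.port, u.path)].add(rec["source"])
    return dict(seen)

if __name__ == "__main__":
    for key, sources in sorted(loopback_endpoints(SAMPLE).items(), key=str):
        print(key, sorted(sources))
```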
  • 51. Static Analysis For the things that can’t be watched
  • 52. Static Analysis Installation bundles • BAR format (hurr durr) • De-facto standard for any non-factory packages • META-INF directory • Code signatures and app info • “assets”
      % zipinfo -l1 ./Gooby/arm/o.le-v7/Gooby-1_0_0_1.bar
      META-INF/MANIFEST.MF
      META-INF/AUTHOR.SF
      META-INF/AUTHOR.EC
      META-INF/RDK.SF
      META-INF/RDK.EC
      native/bar-descriptor.xml
      native/icon.png
      native/assets/main.qml
      native/qm/Gooby.qm
      native/Gooby.so
      native/GoobyService
      native/assets/.assets.index
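An added example (not from the slides): a triage script that opens a BAR as the zip archive the listing shows it to be, pairs each META-INF/*.SF with its *.EC companion, and finds native binaries by ELF magic rather than file extension, so that an extensionless entry such as native/GoobyService is not missed. The archive is constructed in memory from the slide's entry names with placeholder contents, the .SF/.EC pairing rule is an assumption drawn from that listing, and all function names are hypothetical.

```python
import io
import struct
import zipfile

MACHINES = {3: "x86", 40: "ARM"}  # ELF e_machine values: EM_386, EM_ARM

def fake_elf(machine):
    """Constructed 20-byte little-endian ELF32 header stub (sample data only)."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)   # class=32-bit, data=LSB
    return ident + struct.pack("<HH", 3, machine)       # e_type=ET_DYN, e_machine

def build_sample_bar():
    """Constructed archive: entry names from the slide, contents are placeholders."""
    meta = ["META-INF/MANIFEST.MF", "META-INF/AUTHOR.SF", "META-INF/AUTHOR.EC",
            "META-INF/RDK.SF", "META-INF/RDK.EC", "native/bar-descriptor.xml"]
    entries = {name: b"placeholder" for name in meta}
    entries.update({"native/Gooby.so": fake_elf(40), "native/GoobyService": fake_elf(40)})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def elf_arch(head):
    """Return an architecture label if head starts an ELF file, else None."""
    if len(head) < 20 or head[:4] != b"\x7fELF":
        return None
    order = "<" if head[5] == 1 else ">"                # EI_DATA: 1=LSB, 2=MSB
    (machine,) = struct.unpack_from(order + "H", head, 18)
    return MACHINES.get(machine, f"e_machine={machine}")

def inventory(bar_bytes):
    """Split a BAR into signer sets (META-INF/*.SF + *.EC) and native ELF entries."""
    signers, binaries = {}, {}
    with zipfile.ZipFile(io.BytesIO(bar_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            if name.startswith("META-INF/") and name.endswith(".SF"):
                signers[name[9:-3]] = name[:-3] + ".EC" in names
            elif not name.startswith("META-INF/"):
                with z.open(name) as f:
                    arch = elf_arch(f.read(20))
                if arch:
                    binaries[name] = arch
    return {"signers": signers, "binaries": binaries}
```

Calling `inventory()` on the bytes of a real `.bar` file gives the list of entries worth loading into a disassembler, with ARM indicating a device build and x86 a simulator build.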
  • 57. Static Analysis Getting Firmware • MITM the CDN downloads • The “community” has built some good tools http://forums.crackberry.com/bb10-leaked-beta-os-f395/sachesi-firmware-extractor-searcher-installer-825409/
  • 58. Static Analysis Getting Into the Firmware • “pbtools” • Mount the firmware in Simulator or SDP • SCP the files back out https://github.com/intrepidusgroup/pbtools
  • 59. Static Analysis Shell Scripts • /base/scripts/ • Easy to read • grep-fu for great success! from “startup.sh”
  • 60. Static Analysis Python: For everything important on BB10 that isn’t written in bash • Most of it is compiled Python (bytecode; *.pyc) • unpyc3.py https://code.google.com/p/unpyc3/
  • 61. Static Analysis ActionScript • Decompile with Sothink / whatever • Most ActionScript apps handle front-end stuff qnx.AIRServices.ota.OtaUpdate
  • 62. Static Analysis Compiled binaries • IDA cleanly disassembles • ARM / x86 • Without a public root, disassembly might be your best/only bet for dorking with many network services
  • 64. Entry Points Where the device accepts data
  • 65. IPC • Numerous IPC endpoints available • QNX channels particularly caught our eye • Wrote some horrible IPC scanners / fuzzers • Problem: not always sure WTF is on the other end of a channel (or able to attach to channel but unable to send) • Also DoS’d/froze device multiple times during mass channel scans
      $ ./scanchan.py 643092
      Could not find platform independent libraries <prefix>
      Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
      [+] PID: 643092 - Connected to channel: 2
      [-] PID: 643092 - Error for channel 6: [Errno 1] Operation not permitted
      $ ./fchan1.py 1019928 16
      [+] PID: 1019928 - Connected to channel: 16
      (48, b"AAAAAAAAAAAAAAAA(coid, b'Hello!')n c x01x00x00x00x00x00x00x00x03x00x00x00x02x0 0x00x00Ox00x00x00sx16x00x00x00|x01x00| x00x00_x00x00|x02x00|x00x00_x01x00d x00x00S(x01x00x00x00N(x02x00x00x00u x04x00x00x00argsux06x00x00x00…
  • 66. Network Services • Samba! • WWW! • WebDAV! • Proxies! • SSH! • Other stuff!
  • 67. Network Services Local-hosted CGI scripts are used for device management “stuff” • Backup & restore • Application installation • Device reset • Limited logging control • Limited PIM management • Enterprise registration • Etc
  • 68. WiFi • Many device management functions happen over HTTP/ SMB with the option of operating over WiFi • Handset acts as an UPnP gateway • There are some real problematic areas observable over WiFi
  • 69. USB • Mass storage? Nay, Ethernet! • Similar to WiFi (WWW/SMB), with additional capabilities
  • 70. Bluetooth • Tether your handset to your tablet • SapphireProxy (get it?) • WebDAV • HTTP proxy • Protected by pf BlackBerry “Bridge” / SapphireProxy This service has had problems in the past… * * Barely recognizable BattleStar reference
  • 71. NFC It works and there are no security problems? • Haven’t really explored this ourselves. • Biggest concern likely bad NDEF message parsing by 3rd party native apps
  • 72. Local Application • Malware / Client-side attacks • Insufficient controls on sensitive local file and network resources • Privilege escalations are like gold
  • 73. Balance • An attempt at solving BYOD • “Perimeters” manage the separation between personal and enterprise applications, data, and network resources • Enterprise perimeter security is controlled by BES and enforced locally
  • 74. Balance Concerned Consumer: Sounds great. How does it work? I am familiar with the iOS security model and might expect to see some sort of sandboxing technology to enforce this separation.
  • 75. Balance RIM: I don’t want to say that it’s all based on file permissions… …but it’s all based on file permissions
  • 77. TODO • Further (re-)exploration of... • authman • system IPC endpoints • Balance • Android support • Radio (NFC, Cell/BB, BT) • HDMI, USB
  • 79. Questions / Contact • https://twitter.com/quine
 zach@n0where.org
 zach@duosecurity.com
 • https://twitter.com/bnull
 [NO_EMAIL_PROVIDED] <--shameless plug