Archive for the ‘Android’ Category

DEFCON 31 notes.

Wednesday, August 9th, 2023

The Black Hat Briefings in Las Vegas started today.

DEFCON 31 starts tomorrow, though it seems like Friday is when things pick up.

Despite the recent, and much appreciated, shout-out from Borepatch, I’m feeling kind of ambivalent about trying to keep up with DEFCON this year.

My recent trip (write-up coming in the next few days, promise) blew a pretty big hole in my schedule. I haven’t had any time to do prep work for DEFCON/Black Hat. And I have a whole bunch of things I want to do, and so little time to do them in.

I also rely heavily on Twitter for links to presentations. And the current state of Twitter makes that almost impossible.

It also feels like DEFCON has moved past me. It used to feel like a gathering of one of my tribes. Now it feels like…something else. I note that DEFCON admission is now $460. And you don’t get free admission, or even a discount, if you go to Black Hat.

Still, tradition is tradition. So let’s see how badly I can do this.


Please refrain from tasting the KNOB.

Friday, August 16th, 2019

As a Bluetooth guy, and as someone who just posted a bunch of DEFCON 27 stuff, I feel compelled to say something about the Key Negotiation of Bluetooth Attack (aka KNOB) which has been getting a lot of attention the past few days.

Here’s the actual paper from the USENIX Security Symposium.

The attack allows a third party, without knowledge of any secret material (such as link and encryption keys), to make two (or more) victims agree on an encryption key with only 1 byte (8 bits) of entropy. Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages (in real-time). The attack is stealthy because the encryption key negotiation is transparent to the Bluetooth users. The attack is standard-compliant because all Bluetooth BR/EDR versions require to support encryption keys with entropy between 1 and 16 bytes and do not secure the key negotiation protocol. As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected. [Emphasis in the original – DB]

Here’s a higher level overview of how the attack works.
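To make the "1 byte of entropy" point concrete, here is an added toy model of the attack; it is not code from the KNOB paper. The LMP key-size negotiation is modelled abstractly (each side proposes a size in octets, the smaller wins, and nothing authenticates the exchange), the spec's g1/g2 polynomial key-shrinking is replaced by truncate-and-pad (same effect: only 2^(8L) possible keys), and the E0/AES-CCM link cipher is replaced by an HMAC-SHA256 keystream so the example runs offline. The 7-octet floor in `accept_key_size` is assumed here as the post-KNOB minimum a host should enforce.

```python
"""Toy KNOB model (added example, not the paper's code): an attacker who
cannot read the link key still forces a 1-octet encryption key and then
brute-forces it against a short known-plaintext prefix."""
import hashlib
import hmac
import os

MAX_KEY_OCTETS = 16
ASSUMED_MIN_OCTETS = 7  # assumed floor for the hardened host-side check


def negotiate(proposal_a: int, proposal_b: int) -> int:
    """Unauthenticated key-size negotiation: the smaller proposal wins."""
    for p in (proposal_a, proposal_b):
        if not 1 <= p <= MAX_KEY_OCTETS:
            raise ValueError("key size must be 1..16 octets")
    return min(proposal_a, proposal_b)


def mitm_negotiation(proposal_a: int, proposal_b: int) -> int:
    """Attacker in the middle rewrites both proposals to 1 octet. Neither
    victim can detect this: the LMP exchange is neither encrypted nor
    integrity-protected, and 1 octet is standard-compliant."""
    return negotiate(1, 1)


def reduce_entropy(link_key: bytes, octets: int) -> bytes:
    """Stand-in for the spec's g1/g2 shrinking: keep `octets` bytes of
    entropy, pad the rest. Only 256**octets distinct keys remain."""
    return link_key[:octets] + b"\x00" * (MAX_KEY_OCTETS - octets)


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream standing in for E0 (toy only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


def brute_force(ciphertext: bytes, nonce: bytes, known_prefix: bytes, octets: int):
    """Try every reduced key; a few bytes of known plaintext pin it down."""
    for i in range(256 ** octets):
        cand = i.to_bytes(octets, "big") + b"\x00" * (MAX_KEY_OCTETS - octets)
        if encrypt(cand, nonce, known_prefix) == ciphertext[: len(known_prefix)]:
            return cand
    return None


def accept_key_size(negotiated: int, floor: int = ASSUMED_MIN_OCTETS) -> bool:
    """Host-side mitigation: refuse the link if the size is below the floor."""
    return negotiated >= floor


def demo(attacker_present: bool = True):
    """Returns (negotiated_octets, attacker_recovered_key)."""
    link_key = os.urandom(16)  # shared secret the attacker never learns
    nonce = os.urandom(8)
    negotiated = mitm_negotiation(16, 16) if attacker_present else negotiate(16, 16)
    kc = reduce_entropy(link_key, negotiated)
    plaintext = b"GET /wallet HTTP/1.1\r\n"  # constructed traffic
    ct = encrypt(kc, nonce, plaintext)
    recovered = brute_force(ct, nonce, b"GET /", negotiated) if negotiated <= 2 else None
    return negotiated, recovered == kc


if __name__ == "__main__":
    print("with MitM:", demo(True))      # (1, True): 256 guesses recover the key
    print("without MitM:", demo(False))  # (16, False): 2**128 is out of reach
```

Note what the model does and does not show: the victims' link key is never exposed, the attacker wins purely because the protocol lets them negotiate the entropy down, and the brute force costs 256 trial decryptions. A host that rejects small negotiated sizes (the `accept_key_size` check) closes the downgrade even though the LMP exchange itself stays unauthenticated.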

Also of interest, also from USENIX, also getting some media attention: “Please Pay Inside: Evaluating Bluetooth-based Detection of Gas Pump Skimmers”. What’s cool about this is that the authors have developed Bluetana, an Android app that scans for Bluetooth devices in the area (every five seconds), displays a list of devices it found, and highlights ones that show characteristics similar to those of Bluetooth skimmers.

First, the app checks the device’s class. All skimmers studied within this work, whether discovered by Bluetana or not, had a device class of Uncategorized. If the device class is not uncategorized, the data is saved for later analysis. The device’s MAC prefix is then compared against a “hitlist” of prefixes used in skimming devices recovered by law enforcement. If the device has a MAC that is not on this hitlist, it is unlikely to be a skimmer, and the app highlights the record yellow. Next, if the device name matches a common product using the same MAC prefix, the record highlights in orange. If all three fields (MAC prefix, Class-of-Device, and Device Name) indicate the device is likely to be a skimmer, Bluetana highlights the record in red. The highlighting procedure is the result of a year of refinements based on our experience finding skimmers in the field, and Bluetana includes a remote update procedure to account for these incremental changes.
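The highlighting procedure above is a three-field heuristic (Class-of-Device, MAC prefix, device name), and it is easier to reason about as code. The following is an added re-implementation that follows the tiers exactly as the quoted passage describes them; it is not Bluetana's code, and the hitlist prefixes, product names and scan records are constructed placeholders rather than the real law-enforcement list. The only real-world constant is the Class-of-Device encoding: the major device class lives in bits 12..8, and the value 0x1F is "Uncategorized".

```python
"""Bluetana-style skimmer triage (added example, not the app's own code).
Hitlist, product names and scan records below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

UNCATEGORIZED_MAJOR_CLASS = 0x1F  # Bluetooth CoD major class 11111 = Uncategorized

# Constructed stand-ins for the paper's law-enforcement "hitlist".
HITLIST_PREFIXES = {"00:1A:7D", "20:15:03"}
# Constructed: legitimate product names commonly seen with a hitlist prefix.
KNOWN_PRODUCTS = {"00:1A:7D": {"HC-05", "HC-06"}}


@dataclass
class ScanRecord:
    mac: str
    cod: int            # 24-bit Class-of-Device as reported in the inquiry response
    name: Optional[str]  # None if the device never answered a name request


def major_class(cod: int) -> int:
    return (cod >> 8) & 0x1F


def oui(mac: str) -> str:
    """First three octets of the address, normalised for hitlist lookup."""
    return mac.upper()[:8]


def highlight(rec: ScanRecord) -> Optional[str]:
    """Return the highlight colour, or None if the record is only saved."""
    # 1. Every skimmer in the study reported an Uncategorized class.
    if major_class(rec.cod) != UNCATEGORIZED_MAJOR_CLASS:
        return None
    prefix = oui(rec.mac)
    # 2. Uncategorized but not on the prefix hitlist: weak signal.
    if prefix not in HITLIST_PREFIXES:
        return "yellow"
    # 3. On the hitlist, but the name matches a known legitimate product
    #    that ships with the same prefix: medium signal.
    if rec.name and rec.name in KNOWN_PRODUCTS.get(prefix, set()):
        return "orange"
    # 4. Class, prefix and name all point at a skimmer.
    return "red"


def triage(records: List[ScanRecord]) -> Dict[str, Optional[str]]:
    """One scan pass: map each address to its colour (None = saved only)."""
    return {rec.mac: highlight(rec) for rec in records}


if __name__ == "__main__":
    scan = [  # constructed results of one inquiry scan
        ScanRecord("AA:BB:CC:11:22:33", 0x240404, "Car Audio"),   # audio/video class
        ScanRecord("11:22:33:44:55:66", 0x1F00, "OBD-II"),        # uncategorized, off-list
        ScanRecord("00:1A:7D:44:55:66", 0x1F00, "HC-05"),         # on-list, known product
        ScanRecord("00:1A:7D:DE:AD:BE", 0x1F00, None),            # on-list, no name
    ]
    for mac, colour in triage(scan).items():
        print(mac, colour)
```

The thing to notice is how cheap the signal is: a skimmer built on a commodity serial module can only evade the red tier by changing its class, its address prefix, or its advertised name, which is why the paper describes the rules as the product of a year of field refinement and why the app ships with a remote rule-update path.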

I’m fascinated by both of these papers, just based on a preliminary skimming. I’m hoping to do a detailed reading at that mythical point in the future when I have more free time…

Quote of the day.

Tuesday, August 21st, 2018

(This whole thread is gold, Jerry, comedy gold.)

Here in my car…

Thursday, July 5th, 2018

I bought a new to me car last Saturday. It’s a 2006 Honda Accord EX-L that had 82,000 miles on it (not bad, in my opinion, for a 12 year old car) and has quite a few features I like: leather interior, sun roof, cabin air filter, power seats, and even seat heaters for that one month a year when those are actually useful in Texas. (Also ABS. I’m not clear on whether it has traction control or not. I checked the Honda-Tech VIN decoder and while it is useful, it doesn’t talk about traction control.)

Now that I have the car, I splurged on a couple of things. I got a dashcam for it: the Papago GoSafe 535, which is what the Wirecutter currently recommends. That one has gone up by about $13 in the couple of days since I ordered it, and it really wasn’t my first choice. I wanted the Spy Tec G1W-C, which was a previous Wirecutter choice that I bought for my mother’s car and have been happy with. But by the time I was ready to order, Amazon had sold out of the Spy Tec.

My other splurge item was a LELink Bluetooth Low Energy BLE OBD-II car diagnostic tool. Why? Several reasons:


Is safe! Is not safe!

Monday, December 11th, 2017

Another thing I haven’t had a chance to blog before now:

Vaultek makes gun safes. Among their models is the VT20i, which has a fingerprint reader and Bluetooth. You can use Bluetooth and an app to unlock the safe.

And, yes, you already know where this is going, don’t you?

In this case, the responsible party is Two Six Labs. This is a pretty fascinating takedown.

High points:

  • “The manufacturer’s Android application allows for unlimited pairing attempts with the safe. The pairing pin code is the same as the unlocking pin code. This allows for an attacker to identify the shared pincode by repeated brute force pairing attempts to the safe.”
  • “There is no encryption between the Android phone app and the safe. The application transmits the safe’s pin code in clear text after successfully pairing.”
  • “An attacker can remotely unlock any safe in this product line through specially formatted Bluetooth messages, even with no knowledge of the pin code…the safe does not verify the pin code, so an attacker can obtain authorization and unlock the safe using any arbitrary value as the pin code.”
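Those three bullets are three separate failure classes: no limit on pairing attempts, the secret sent in the clear, and a verifier that never actually checks the secret. As an added illustration (not Vaultek's firmware and not Two Six Labs' code; the message format, PIN and timings are constructed), here is a toy authorizer that reproduces the "any PIN unlocks" behaviour beside a hardened version that answers a one-shot challenge, compares in constant time, and locks out after a bounded number of failures.

```python
"""Vaultek-style failure classes, toy form (added example, not vendor code).
The PIN, message format and lockout parameters are constructed."""
import hashlib
import hmac
import os
import time

PIN = "4821"  # constructed


def vulnerable_unlock(msg: dict) -> bool:
    """Bullet 3 as code: any well-formed UNLOCK message is authorized.
    The 'pin' field is present but never compared to anything."""
    return msg.get("cmd") == "UNLOCK" and "pin" in msg


class HardenedSafe:
    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 60

    def __init__(self, pin: str, clock=time.monotonic):
        # Derive a fixed-length key so the compare never leaks PIN length.
        self._pin_key = hashlib.sha256(pin.encode()).digest()
        self._failures = 0
        self._locked_until = 0.0
        self._clock = clock
        self._nonce = None

    def challenge(self) -> bytes:
        """Fresh nonce per attempt; the PIN itself never goes over the air."""
        self._nonce = os.urandom(16)
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        now = self._clock()
        if now < self._locked_until or self._nonce is None:
            return False
        expected = hmac.new(self._pin_key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # one-shot: a sniffed response cannot be replayed
        if hmac.compare_digest(expected, response):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._failures = 0
            self._locked_until = now + self.LOCKOUT_SECONDS
        return False


def client_response(pin: str, nonce: bytes) -> bytes:
    """What the phone app would send instead of the cleartext PIN."""
    return hmac.new(hashlib.sha256(pin.encode()).digest(), nonce, hashlib.sha256).digest()


def scenario():
    """Walk the hardened safe through replay, brute force and lockout expiry.
    Returns (correct_pin, replay, any_guess_succeeded, during_lockout, after_lockout)."""
    t = [0.0]
    safe = HardenedSafe(PIN, clock=lambda: t[0])
    n = safe.challenge()
    correct = safe.unlock(client_response(PIN, n))
    replay = safe.unlock(client_response(PIN, n))
    guesses = [safe.unlock(client_response("0000", safe.challenge()))
               for _ in range(HardenedSafe.MAX_FAILURES)]
    during_lockout = safe.unlock(client_response(PIN, safe.challenge()))
    t[0] = HardenedSafe.LOCKOUT_SECONDS + 1
    after_lockout = safe.unlock(client_response(PIN, safe.challenge()))
    return correct, replay, any(guesses), during_lockout, after_lockout


if __name__ == "__main__":
    print("vulnerable:", vulnerable_unlock({"cmd": "UNLOCK", "pin": "0000"}))
    print("hardened:", scenario())  # (True, False, False, False, True)
```

One caveat a practitioner should keep in mind: a four-digit PIN has under 14 bits of entropy, so an eavesdropper who captures one challenge/response pair can still guess it offline in milliseconds. The lockout and the challenge/response buy you something only against online guessing; against a passive Ubertooth the real fix is a proper pairing that yields a strong per-device key, which is exactly what the product as described did not have.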

Even if you aren’t into guns, or safes, or gun safes, I think this is a pretty good “how do I go about banging on a Bluetooth device” primer.

Somewhat to their credit, Vaultek says they are offering a patch, though it looks like you’ll have to send your safe back to get it. (Vaultek says they’ll cover shipping both ways, which can’t be cheap.)

Edited to add: something from Vaultek’s site on this issue:

Either of these methods are not easily captured and require several factors to execute including time, the right equipment, and close proximity to the safe.

They also refer to the attack as requiring “special equipment”. The “special equipment” is an Ubertooth, which you can get here and here, among other places.

As for proximity, that’s a good question that Two Six Labs didn’t address: with the right antenna and Bluetooth adapter, how far away can you be to make a successful attack? Does anyone remember the “Picking Bluetooth Low Energy Locks from a Quarter Mile Away” talk from DEFCON 24?

(Yes, door locks have to be accessible from the outside, while your gun safe is almost certainly inside. Modern construction almost certainly attenuates the signal some. But how much? Could I drive through the neighborhood with a Sena UD100 or something very much like it, just sniffing for Vaultek safes? And then come back later to attack them?)

DEFCON 25/Black Hat updates: July 28, 2017.

Friday, July 28th, 2017

Round 2:

  • The white paper for “Free-Fall: Hacking Tesla from Wireless to CAN Bus” (Ling Liu, Sen Nie, Yuefeng Du) is here. Slides here.
  • Slides for “Exploiting Network Printers” (Jens Müller, Vladislav Mladenov, Juraj Somorovsky, Jörg Schwenk) are here.
  • Found slides for “Breaking Electronic Door Locks Like You’re on CSI: Cyber” here. (I called this one wrong: no Bluetooth. Not a complaint, just an observation.)
  • This is one that I saw, overlooked, and now am intrigued by: “All Your SMS & Contacts Belong to ADUPS & Others”. “Our research has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers in China – without disclosure or the users’ consent.” Slides. White paper.
  • Slides for Vlad Gostomelsky’s “Hunting GPS Jammers”. I think this is one that really needs video, too.
  • “Intercepting iCloud Keychain” (Alex Radocea) slides.
  • And “The Future of ApplePwn – How to Save Your Money” (Timur Yunusov) slides.
  • And (hattip to Mr. Yunusov) “Jailbreaking Apple Watch” (Max Bazaliy). I haven’t compared these slides to the ones on the presentations server, just FYI.

Okay, lunch time is almost over, and I feel like I’ve done enough damage to the security community today. I’ll try to have more updates later today or tonight.

Actually, they can read your poker face.

Wednesday, October 26th, 2016

Or at least your cards.

This is a presentation that I overlooked from DEFCON 24, but the authors have now been blogging.

For somewhere between $1,300 and $5,000, you can buy a device that helps you cheat at poker.

The technology is quite interesting. It isn’t just “disguised” as a phone: the device is actually a fully functional Android phone, with a custom ROM and app that controls the cheating portion.

Ironically, there is a hardcoded backdoor password in the app, which makes this security measure pointless if you know the backdoor password.

How does it work? Hidden camera, concealed infrared LEDs, and…

What makes the whole thing work is the use of a special deck in which the four edges of each card are marked with IR-absorbing ink. As a result, when this marked deck is illuminated by the IR LEDs, the spots of ink absorb the IR, creating a sequence of black spots…
The sequence of black spots created by the IR illumination, illustrated in the photo above, is read remotely by the cheating device to infer a card’s suit and value. You can think of those markings as invisible barcodes.

So yes, you do need to slip in a marked deck. But the people who will sell you the phone will also sell you pre-marked decks, which are designed to look like they haven’t been messed with. And apparently the phone will pair with Bluetooth based audio and haptic feedback devices, so you don’t even have to be looking at the display.

And yes, because it is based on marked cards, it will work with card games other than poker, too. (High-end bridge cheating? Chris Christie, call your office, please. Sorry, little joke there.)

The post that’s up now is just the first one in a promised series: I’ll try to link to the other ones as they go up.

DEFCON 24: 0-day notes.

Wednesday, August 3rd, 2016

Another year observing DEFCON remotely. Maybe next year, if I get lucky, or the year after that.

The schedule is here. If I were going, what would I go to? What gets me excited? What do I think you should look for if you are lucky enough to go?

(As a side note, one of my cow-orkers was lucky enough to get a company paid trip to Black Hat this year. I’m hoping he’ll let me make archival copies of the handouts.)


Random thought.

Friday, September 11th, 2015

Sensors included on the iPad Air 2 and iPad Pro:

  • Touch ID
  • Three-axis gyro
  • Accelerometer
  • Barometer
  • Ambient light sensor

Not included: GPS, unless you purchase one of the cellular models. It looks like “assisted GPS and GLONASS” are built into the cellular chipset or something?

I keep thinking about getting an iPad or some other sort of tablet to supplement my first generation Kindle Fire. But it always comes back to this: I want GPS, and can’t get it. Okay, I could if I bought a cellular model, but:

  1. The cellular iPad 2 is $130 more than the Wi-Fi equivalents in every memory configuration. Same with the iPad Pro. Except the Pro only has one cellular/Wi-fi memory config, and that’s over $1,000.
  2. I don’t want cellular data. I don’t have the $60 to $85 a month it would take to add a device to my plan. $60 to $85 a month is at least one good Smith and Wesson a year. I’d be perfectly happy with a device that just does Wi-fi, as long as it has GPS. If I desperately needed data in non-Wi-fi areas, I’d enable the hotspot feature on my phone – at least that’s only $30 a month, I think.

It isn’t just Apple, though. I’ve looked at Android tablets too. I’ve heard that Android gives you lower-level access to GPS data than iOS, but I haven’t been all that impressed by the Android tablets I’ve seen. The price/memory ratio just seems out of whack to me.

Best Buy, for example, is selling a Nexus 9 with 32GB of memory (which to me is a hard minimum; I’d prefer 64GB) for $432. I can get a Mini 2 for $319 from Apple, or a Mini 4 with 64GB for $499. Decisions, decisions. Do I want an Apple device that doesn’t have GPS, but that I can trust to be updated regularly and work for a while? (I’m still using a MacBook I bought in 2007 as my main computer.) Or do I want to buy another shoddy piece of crap Android thing that’s going to stop getting updates in 18 months, but does have GPS?

Or does it? The specs on Google’s site show the Nexus 9 does, but they also show it has a cellular chipset. Does the Wi-Fi only version do GPS? Can I buy a cellular tablet and use GPS on it without a carrier? Who knows? I can’t find that on Google’s site, the specs on Best Buy’s site don’t mention GPS, and asking a Best Buy employee seems like a good way to invoke the customer appreciation bat.

Am I making this too hard? Am I asking too much? All I want is a reasonably priced tablet that does GPS and doesn’t require a cellular data plan. Why is this so hard?

DEFCON 23 notes: August 7, 2015.

Friday, August 7th, 2015

I kind of skipped over yesterday, because Thursday is traditionally slow. And it is a little early for stuff to be up today, plus many of the good presentations are scheduled for tomorrow.

But! BlackHat 2015! Not everything from BlackHat gets duplicated at DEFCON, and vice versa, but there’s always some overlap. Some things that are already up:

There are a couple of other overlaps I’ve found (specifically the Josh Drake presentation on Stagefright and the Valasek/Miller car exploit) but those don’t have any slides or other material attached yet.

More links and stuff as and when I find it and am able to post.

Edited to add: Just noticed this on the DEFCON 23 site. Download the conference CD optical disc here. Woo hoo woo hoo hoo. (The .rar file is 419 MB. Good thing I work for a networking company.)

DEFCON 23: -2 day notes

Tuesday, August 4th, 2015

DEFCON 23 starts Thursday. Black Hat USA 2015 starts tomorrow.

Once again, it doesn’t look like I’m going to make it out to Vegas. Once again, I’m going to try to cover things from 1,500 miles away. It isn’t completely clear to me that anyone other than me is getting any benefit from this, but I’ve been doing this for long enough that I have a hard time stopping now.

Here’s the schedule. There are several presentations that are already getting media attention:

So what would I go see if I was there? What sounds interesting to me?


Changing the face of dining.

Friday, January 31st, 2014

We have a noodle truck at the office on Thursdays.

The Forbidden. Beef stewed for four hours in an Indonesian-style red curry. DFG Noodles, Austin, Texas.

And it is pretty damn good.

And they take credit/debit cards. You’ve seen it before, haven’t you? iPad with a credit card swiper, pick your tip, sign, have your receipt emailed to you?

This observation isn’t original to me, and I’m not sure it is terribly profound, but: services like Square have revolutionized credit card processing. I remember the old days, when setting up a merchant account was hard to do, and you needed a phone line, and you needed bulky equipment, and the credit card processors charged enormous fees. Now? I’m kind of far from retail, so I’m not sure if Square has resulted in downward pressure on fees (though I suspect it has).

Someone I know who is in retail and takes credit cards reviewed an early draft of this post and provided this information: they pay 2.61% for credit card processing, but each month’s statement also contains a laundry list of “cryptic inexplicable fees” that they have to pay as well. Square claims to charge a flat 2.75% for swiped transactions (Visa, MC, AmEx, Discover) with no additional fees. (I say “claims” because I have not used Square and can’t verify that for myself.)

Square also claims to deliver your money in one to two business days, no matter what type of card it is. The retail person I know says that AmEx fees depend on how long you let AmEx keep your money: they let AmEx hold their money for 15 days, and pay between 2% and 3%.

But fees aside, anyone who has a bank account can take credit cards these days, and all you need is an iPhone or iPad (or a supported Android device, though frankly that looks a little painful). Little to no bulk, no landline, and the money goes into your linked bank account.

The big thing, as I see it, isn’t the merchant charges: it is the portability. Your credit card machine is your phone or tablet, and it fits in a trailer. Or in a pocket. And you don’t need anything else – you don’t even need a printer, you can just email receipts to your customers. (Okay, you might want a charging cable, depending on how good battery life is on your device. But other than that, nothing.)
