Mobile related presentations at Blackhat and DEFCON 2013

Next week I’ll be heading over to Las Vegas for the world’s biggest security and hacking conferences; Blackhat and DEFCON. Here’s a short run-down of some presentations and briefings that are related to mobile. Obviously there are many others that may also be relevant to mobile (e.g. SSL attacks or HTML5). As you can see, mobile interest is again steadily going up, as well as in other embedded platforms such as automotive and in-home systems. It looks like it is going to be a pretty interesting, if slightly scary week!

Blackhat
DEFCON

Cyberbullying: Victims to unmask public perpetrators, but what about bullying in private?

I invited Matt Williams to write a guest post on cyber bullying. Thanks for a great article Matt!

Cyberbullying is a topic of discussion that is becoming increasingly mentioned in today’s electronic world. In a time where the Internet is a staple part of our everyday lives, the ability to communicate one’s feelings by the click of a button is often taken for granted. This is particularly the case when referring to the mobile arena, as thoughts and ideas can translate to an SMS, Tweet or Facebook post almost instantly. Whilst many welcome the advancement with open arms, such steps forward naturally arrive with significant disadvantages. Cyberbullying is one of the most profound, and after a recent case of the practice came to light in the media, the UK Government is now being put under pressure to increase its efforts in a bid to address the matter.

Unmasking trolls and cyberbullies

The consistent rise in pressure began to escalate last week, when a British woman successfully won a court order allowing the identities of the individuals harassing her online to be revealed. Nicola Brookes had suffered a barrage of abuse from other users of the popular social media website, Facebook. Having achieved the court order, the users who posted defamatory comments against Mrs Brookes will now have a select amount of their personal details made known. This includes the IP addresses of the devices used by the cyberbullies. It is hoped that the added threat of having parts of a person’s personal profile revealed will help in the fight to combat the ever-growing threat of cyberbullying.

However, some organisations have expressed great concern about having the ability to reveal the proposed information. Privacy International states its position on the matter, claiming that on an international scale, certain operators may become too lax on the ability given to them. They fear that such organisations are at risk of exposing personal details, even in the event that only an allegation has been made. Therefore, the appearance of this ability in the social media market comes with new considerations, in many other aspects and on a much wider scale. But how would this tie in to mobile devices?

Image by Adam Clarke

Well, the clear advantage of mobile phones, their portability, poses a threat in itself, as it presents one of the best methods of allowing cyberbullying to take place. These days, it is difficult to find a person in the UK without some form of mobile device. For many, the simplicity of being able to communicate with another individual has never been greater, thanks to the mobile phone. It is for this reason that mobile devices can more easily act as a catalyst to such an act as cyberbullying.

Cyberbullying in Private via Mobile

Another reason why cyberbullies prefer to use mobile to carry out their attacks is because phones often come with a lack of parental interference. Considering that the issue is most common within the teenage demographic, parents of younger phone users tend to distance themselves from their child’s mobile communications and online lives. Likewise, it is common for adolescents to find a means of preventing their parents from accessing their messages. It is this separation that can pave the way for cyberbullying to take place on a more private scale. In many aspects, this is more significant than a public example of online harassment, as the issue can steadily manifest itself and worsen with time.

But it is important to remember that cyberbullying isn’t only exclusive to text communications. Photos, videos and audio recordings that demonstrate offensive behaviour also contribute to the problem. In many situations offensive material of any form is deleted soon after having been sent, especially on mobiles. This is often the case for both the architect of such material and the victim themselves. As a result, a record of the exchange becomes difficult for parents, teachers and the Police to trace, as the evidence is no longer present on the front end.

Government pressure on cyberbullying should continue

However, this recent development enabling victims to unmask cyberbullies can ultimately be considered to be a significant step forward, when attempting to tackle online perpetrators. Consequently, it is a move by the Government that will be well received. But it is important to remember that the private side of cyberbullying will continue to take place, and the Government must maintain its interest in combating the matter in the long run.

Last night’s Channel 4 News in the UK carried a piece on cyberbullying and guidance on what to do if you are being bullied: http://www.channel4.com/news/cyberbullying-what-should-i-do 

About Matt Williams

Matt Williams has just completed his second year as a student at the University of Derby, pursuing an undergraduate degree in Computer Forensics and Security. He has a keen interest in up-and-coming mobile technologies, particularly in reference to mobile security.

Mobile Security dinner in Barcelona

As we head towards the annual descent to Barcelona for Mobile World Congress, I thought I’d tell you about my mobile security dinner. This event is open for people interested in any aspect of mobile or network security, to share ideas and hopefully solve all the world’s problems. It’ll be held on the Sunday night (the 26th) from 9pm onwards at a secret location in Barcelona…

This is not the dinner you’re looking for…

Use the contact form above to get in touch if you’re interested in coming along. An important point to note – we split the bill at the end, so this is not a free meal 🙂

Dark Clouds and Rainy Days, the Bad Side of Cloud Computing

I’ve been meaning to upload these slides for a little bit. The tipping point was today, when I saw the Daily Telegraph had tweeted a story about a Councillor in Ireland who thought cloud computing depended on rainy weather. It turns out this story was a hoax (taking in the Telegraph, apparently).

To get to the point, I gave a presentation at the Informa Cloud Mobility event in Amsterdam in September entitled “Dark Clouds and Rainy Days, the Bad Side of Cloud Computing”, which I’ve uploaded to slideshare for people to have a look at and comment on. I should say that, as with a lot of things in the technology world, things move quickly and events have superseded a couple of things in the slides. It’s a pretty negative slideset, interspersed with some lolcatz, but the idea of the presentation was to give an alternative view to the conference and to get people thinking. The attendees and presenters struggled even to define “cloud”; a marketing term, which is part of the problem of this topic.

For those of you who really need proper cloud security, you can buy a cloud security umbrella from my shop. 🙂

Mobile Security Week

This week is Carphone Warehouse’s Mobile Security Week. I worked with the guys there to create some advice on security for users which you can find on their site. An extended version is on this page. As part of their research, Carphone Warehouse conducted a survey of over 2000 people which highlighted a lack of awareness amongst users about the importance of protecting personal data. It is interesting that only about 54% of those surveyed think that data on their phone is secure. That is lower than I expected and shows that people are at least concerned about mobile phone security, but maybe aren’t sure what to do. The National Mobile Phone Crime Unit (NMPCU) have done some great work in the past few years behind the scenes to help prevent mobile phone theft, and one of those initiatives is a database of property which you, the user, can use by registering at the link in the first tip. If your phone turns up, the Police can then easily identify it as yours. A lot of my readers are tech people, but most mobile users aren’t and they don’t necessarily want to be. Probably one of the most important messages I’d like to get across is for people to use their handset PIN lock – if you don’t want people getting access to your personal data, this is a simple way of preventing that.

It’s great to be able to get the message out this week to people to think about mobile security, so have a look at the tips and see if you and your family are safe and secure.

David’s Mobile Security Tips

As phones become more and more sophisticated, mobile security becomes increasingly important for users. Here are some tips on how to keep yourself safe and secure when using a mobile phone.

Record your phone’s identity number in case it is stolen

The International Mobile Equipment Identity (IMEI) is what identifies your phone to the network and is located on the back of your phone underneath the battery. Another way to get your IMEI number is to type *#06# into your phone keypad to display it. When you get your new phone, it should also be on the side of the box. Keep the box label in a drawer just in case you need it. If your phone is lost, report the IMEI number to your service provider and they can block your phone so it can’t be used to make calls. If it is stolen, you should also give the IMEI number to the Police.

You can also register your phone’s details and IMEI number on the UK National Property Register at: http://www.immobilise.com/. This helps the Police to return lost or stolen property to its correct owner.
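A 15-digit IMEI ends in a check digit computed with the Luhn algorithm, so a number you have copied from the box label or the *#06# display can be checked for a mistyped or transposed digit before you file it or report it. The following is an added example, not code from the original post or from Carphone Warehouse; the sample IMEI in it is an illustrative value, not any real handset’s number, and the TAC/serial split follows the standard 8+6+1 layout.

```python
# Added example (not from the original post): validating a recorded IMEI.
# A 15-digit IMEI ends in a Luhn check digit, so a number copied from the
# box label or the *#06# display can be checked for typos before you file it.
import re


def normalise_imei(raw: str) -> str:
    """Strip the spaces, hyphens and dots that box labels and phones insert."""
    return re.sub(r"[\s.\-]", "", raw)


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a digit string that does not yet include one.

    Walking from the right, every other digit is doubled (the digit nearest
    the check digit first) and doubled values over 9 have 9 subtracted; the
    check digit is whatever brings the sum to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(raw: str) -> bool:
    """True if the input is 15 digits and the last digit is the correct Luhn check."""
    digits = normalise_imei(raw)
    if not re.fullmatch(r"\d{15}", digits):
        return False
    return luhn_check_digit(digits[:14]) == int(digits[14])


def imei_parts(raw: str) -> dict:
    """Split a valid IMEI into its 8-digit TAC, 6-digit serial and check digit."""
    digits = normalise_imei(raw)
    if not is_valid_imei(digits):
        raise ValueError("not a valid IMEI: wrong length or check digit")
    return {"tac": digits[:8], "serial": digits[8:14], "check": digits[14]}


if __name__ == "__main__":
    # Sample value for illustration only; it is not any real handset's number.
    sample = "49 015420 323751 8"
    print(sample, "valid" if is_valid_imei(sample) else "INVALID", imei_parts(sample))
    # The same digits with two adjacent ones swapped: the check digit no longer matches.
    print("490154203237158", "valid" if is_valid_imei("490154203237158") else "INVALID")
```

The check catches any single wrong digit and almost every swap of two neighbouring digits, which are the mistakes most likely when copying a number from a label; it says nothing about whether the IMEI belongs to a real phone.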

Secure access to your device and voicemail

PINs and passwords can be a pain as they put a barrier in the way of things you do repeatedly. These days it can be difficult to remember all your different PINs and passwords, and it can be very tempting to use the same password for everything. Firstly, voicemail. The recent phone hacking scandal in the UK showed how important it is to have a PIN on your voicemail to prevent people listening in to your private messages. Ring your operator and make sure you have one set up, or alternatively have the service switched off entirely. Don’t choose obvious PINs, e.g. 1111, 1234, dates of birth etc.

Make use of the handset locks to protect your data and messages. With touch-screen phones, these are often gesture based, meaning that a convenient swipe is all that is needed to unlock your phone, whilst still keeping your phone safe.

Learn how to manage your passwords without having to remember lots of complex details. You can do this by using password safes which can store lots and lots of different passwords and generate random ones for you. Make sure these are also backed up in a safe place.
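The advice above about obvious PINs can be turned into a check that a handset, voicemail system or password safe could run when a PIN is chosen. This is an added example, not code from the original post; it flags the patterns the tips name (identical digits, 1234-style runs, dates of birth) plus two closely related ones, repeated short blocks such as 1212 and straight lines on a phone keypad such as 2580. The sample PINs at the bottom are constructed for illustration.

```python
# Added example (not from the original post): a small check for the kinds of
# PIN the tips above warn against. It flags repeated digits, straight runs,
# repeated short patterns, straight lines on a phone keypad and date-like
# values (DDMM, MMDD, a birth year, DDMMYY). It does not judge anything else.
from datetime import date

# Straight lines on the standard phone keypad (rows, columns, diagonals and
# the 2-5-8-0 centre column). Reversed runs are checked as well.
KEYPAD_LINES = ("123", "456", "789", "147", "2580", "369", "159", "357")


def _is_run(pin: str) -> bool:
    """1234, 4321 and the like: every step is +1 or every step is -1."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def _is_repeated_pattern(pin: str) -> bool:
    """1212, 123123: the PIN is a short block repeated to fill the length."""
    for k in range(2, len(pin) // 2 + 1):
        if len(pin) % k == 0 and pin == pin[:k] * (len(pin) // k):
            return True
    return False


def _is_keypad_line(pin: str) -> bool:
    return any(pin in line or pin[::-1] in line for line in KEYPAD_LINES)


def _looks_like_date(pin: str) -> bool:
    """DDMM or MMDD, a plausible year, or DDMMYY / MMDDYY for six digits."""
    def day_month(d: int, m: int) -> bool:
        return 1 <= d <= 31 and 1 <= m <= 12

    if len(pin) == 4:
        a, b = int(pin[:2]), int(pin[2:])
        return day_month(a, b) or day_month(b, a) or 1900 <= int(pin) <= date.today().year
    if len(pin) == 6:
        a, b = int(pin[:2]), int(pin[2:4])
        return day_month(a, b) or day_month(b, a)
    return False


def weak_pin_reasons(pin: str) -> list:
    """Return the reasons a PIN is guessable; an empty list means none were found."""
    if not pin.isdigit() or len(pin) < 4:
        return ["must be at least four digits"]
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("all digits identical")
    if _is_run(pin):
        reasons.append("ascending or descending run")
    if _is_repeated_pattern(pin):
        reasons.append("repeated short pattern")
    if _is_keypad_line(pin):
        reasons.append("straight line on the keypad")
    if _looks_like_date(pin):
        reasons.append("looks like a date or year")
    return reasons


if __name__ == "__main__":
    # Constructed sample PINs, not real ones.
    for candidate in ("1111", "1234", "2580", "1987", "150689", "7392"):
        print(candidate, weak_pin_reasons(candidate) or ["no obvious weakness"])
```

A PIN that passes these checks is not necessarily strong, only free of the most common guessable shapes; the point of returning a list of reasons rather than a yes/no is that the user can be told what to avoid next time.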

Learn how to remotely lock and wipe your phone if you lose it

Losing your phone or having it stolen does happen and when it does, what do you do to prevent someone getting access to your work or personal data? This is where lock and wipe services come in. Many handsets are now capable of running applications with which you can stop someone getting access to your data and, if you’re sure you can’t recover the phone, delete your data. It is a service that can give you invaluable peace of mind if the worst happens. Some services can even help you locate your lost phone by using the GPS function of the device to work out where it is.

Be very wary of WiFi hotspots

However tempting it may be to connect to free WiFi when you’re out and about, take a moment to consider who is providing that service and why. If they’re charging, who are you giving your credit card details to?

By connecting to an untrusted network, you could potentially allow an attacker to get into your accounts for social networking sites, your email and banking details. In general if you are connected to a public WiFi network, don’t do anything sensitive such as internet banking or making purchases.

Know what you are giving applications permission to do

Always think about what an application is supposed to be doing, where it came from and who made it. Simple internet searches can often verify the validity of an application if you suspect all is not well. Inspect the permissions that an application requests. Does this application really need access to your phonebook? Does it really need to send SMSs? If not, just don’t install it. It should be said that some phone permissions aren’t very well done and can be difficult to understand, so even a legitimate application can give a misleading impression of what it actually does. There are some tools available to help you manage your permissions, for example only giving one application the permission to get to your location.

A common practice amongst hackers is to create a fake copy of a genuine application. This might be free, to entice people to download it. Sadly, the free version is a “Trojan horse” and will do nasty things. Mobile malware is still at a very low level in comparison with the PC world, but is definitely on the rise in 2011 and you should be extremely careful with applications you download. Many hackers see mobiles as an increasingly juicy target because your whole life is stored on there. You are putting yourself at increased risk if you ‘jailbreak’ your device or if you install untrusted applications. Anti-virus applications are now available for those people who want an added level of protection.

Be careful when clicking on web links and scanning 2D barcodes

Don’t be lured into clicking on an unknown link to a web page. A phone’s screen is much smaller and it is often more difficult to see a full link to a website and verify that it is what it says it is. Not only this, but links are often shortened so you can’t actually read the proper website it goes to. If you get messages or posts on Facebook and Twitter with links, stop and think. Do you know the sender? If you do, is this something that they would send you? If you do click, it is often too late once you realise that there is a problem. Don’t react to or reply to spam messages you may get over SMS or Bluetooth.

New technology allows barcode scanner applications to read 2D or Quick Response (QR) codes (kind of like square barcodes). These are often put in newspapers and on advertising boards. Be very careful – do you know and trust the source? Could the poster have been tampered with or be fake? The problem here is that you often can’t verify whether the link is genuine, because you can’t decipher the barcodes with your own eyes. It could be linking to some very nasty stuff.

Always backup your data

This is something that is always on the to-do list but never quite gets done. Take a little time to think about what would happen if you lost your phone and phone numbers and how it would affect you. Then think about what you can do to mitigate that. There are lots of services and tools out there to help you do this on a regular basis without thinking about it. Choose one you trust, or if you decide to backup your data yourself, make sure you do it regularly and store it in more than one place just in case your backup fails.

Be careful when charging your phone on someone else’s computer or at a charge point

Be extra careful if you desperately need to charge your phone while out and about. A lot of phones combine a data connection with the charger, so you could end up having your data stolen without realising it. Who is providing the service? Do you have to hand over your phone to have it charged? Do you really need to connect to your friend’s laptop? At a recent hacking conference, a fake battery charging booth was set up offering free phone charging but then stole the data of the phones connected.

Protect your children whilst surfing

Kids often know more than their parents when it comes to new technology. Whilst a phone can give you peace of mind that your child is safe when out and about, it also has access to lots of functionality and content that you might not want to allow your child access to at home. There are some applications available that can be installed on mobiles to help you manage what your child can access or download. You can get a shop to set these up for you and set a password so that your settings can only be changed by you. There is some great information on protecting your children online in The Carphone Warehouse’s Guide to Mobile Web Safety at: http://www.carphonewarehouse.com/mobilewebsafety and also on CEOP’s website: http://www.thinkuknow.co.uk/

Be aware of your surroundings when using your phone

Phones are an attractive target to thieves and whilst they’re with us all the time, they can be snatched or stolen easily. Think about your surroundings when you’re about to use your phone. Do you really want to turn your phone on, just as you walk out of the tube, or can you do it further down the street? If you’re sat in a café or bar, don’t leave your phone on the table. It is a prime target for snatching or a distraction theft. Of course, make sure that any handbags or rucksacks are secured too; trapping a chair leg around a handle is a good way to prevent a bag being stolen.

Are you walking along browsing, without having noticed whether someone is near you? You are particularly vulnerable when you’re tied up doing something else. Rather than walking home at night on the phone to a loved one, put the phone away so that you’re aware of everything going on around you.

QR code security tips for both consumers and advertisers

There’s a lot of interest around creating malicious QR codes for one simple reason – the user cannot easily see what the encoded link is. Here’s some basic advice for both consumers using QR codes and also for those companies creating them as part of marketing campaigns etc. For more detail on QR code security, see my earlier blog.

Tips for users of QR codes:

  • Get a good QR reader – one that allows you to review a link after you’ve scanned it and doesn’t randomly execute malicious stuff (I use Zebra Crossing’s ZXing Barcode Scanner for Android)
  • Be extremely careful, alert and wary when scanning a QR code, don’t just scan anything assuming it’ll be ok.
  • Don’t allow a QR code to dial a number or send an SMS unless you are absolutely sure that the number is legitimate. Otherwise you may end up with a very large phone bill!
  • If it looks too good to be true, it often is. If you’re handed a flyer or competition with a QR code promising some fantastic offer, think about whether it is legitimate or not – is it just trying to get your personal data or, worse, trying to lure you into a security trap? A simple Google search is often enough to reveal scams.
  • Don’t give away information needlessly – if a site asks you to connect to Facebook or your bank, does it really need this? (extremely unlikely!) Remember you can always close the site and walk away. You do not have to enter your details and I wouldn’t recommend that you do.
  • Check to see if the QR code is physically the original if scanning a poster. Someone may have placed a sticker over the top of the original QR code to try and get you to download some malware or give away your details.
  • Always check the URI (the link) to be sure it is going where you expected it to. Check the address bar at the top of the page. Is the website unusual? Have you been redirected to another site? If your scanner software on your phone has shown you the URI for the website, is it the same?

Tips for companies planning on using QR codes:

  • Avoid link shortening services; these further confuse users as to who is providing the website. You probably don’t need URI shortening anyway – you are using a QR code!
  • Always display the URI you are linking to in plain text near to the QR code in order that the user can see what website it is supposed to be going to, or at least choose to manually enter it if they don’t want to use the QR code.
  • Don’t use QR codes for anything that requires a user to divulge sensitive information such as credit card details. It’s irresponsible and customers won’t thank you for it.
  • For shops, if possible, display your QR code behind a window or counter rather than ‘outside’ so that tampering is difficult, or at least obvious.
  • Be conscious of defacement by people who may be opposed to your product or service. Remember, it only takes one code to be hijacked and reported in the press and your marketing campaign is wrecked. Think carefully about poster campaigns and where you place QR codes.
  • For newspapers and magazines, consider triaging adverts using QR codes to check they’re ok in advance.

For more marketing tips, have a look at this blog from Stephen D Poe

QR codes and security – my take

This blog details some of the risks and security issues of QR codes. If you’re a user looking for advice on how to protect yourself from bad stuff or a company looking to use a QR code in a consumer campaign, check out my tips here.

Some background

QR codes, 2D barcodes, they’ve been around for a while. Essentially a barcode of old was just a string of numbers and letters, equating to ‘something’ (in the case of EAN and ISBN codes amongst others). I used to write software for some mobile phone stuff that used both EAN-13 and Code 128 but that’s an entirely different story. Anyway, there are lots of barcode standards around (if you’re interested have a look at the Wikipedia article). 2D barcodes have been around for a while but the QR (Quick Response) version has become the most popular, mainly because there aren’t major patent issues around using it – Denso Wave do not ‘exercise’ their right to it. As a result, it’s very popular and in the first few months of 2011 has become extremely popular in the marketing world. It’s mainly being used for quickly communicating web links (or URIs as they’re properly called) to people so they can get on and buy / see / do stuff, usually from their mobile phones.


Usage

A big supporter in the mobile world is my friend Terence Eden. He runs QRpedia which facilitates the reading of articles in multiple languages, for example in museums and tourist sites. His blog contains some great stories about QR codes and I fully recommend reading it.

QR codes have only become really popular in 2011 because of the rise in the number of smartphone users and the increasing popularity and usability of the mobile web. A raft of applications are available to read QR codes and in some handsets I understand this functionality is pre-installed.

One example of a company using it is the train company First Great Western, which has recently started publishing train timetables as QR codes.

Another example, this time for voucher / marketing purposes, is Bulmers for their cider (see picture), although they’ve not quite got the user experience right – it takes you to a full (non-mobile) website and then, once they’ve got all your details, gives you a printable voucher on your phone. If anyone can point me in the direction of a phone with a printer, I’ll let Bulmers off the hook.

The next picture shows estate agent Hamptons – which in theory looks like a good example – situated in the window of the estate agents (behind the glass so it is protected from tampering) and hopefully displaying the URI it takes the user to (at the bottom left).

Of course a well-designed site could then also take you to its mobile app if it has one (try the TripAdvisor site on your mobile for a good example of this).

Security

Where do I stand on QR codes? Well, generally I think they’re quite a good timesaver – they allow me to quickly input a website into a mobile browser, save a link for later perusal or even (as in the case of QRpedia) give me access to much more information on something than I would be able (or bothered) to get normally. I can even see the argument on the SMS and dial features. All good stuff, yet I’m concerned that we technologists are running ahead of the public with the technology (as usual).

It’s the old marketing v security problem. Of course marketing departments want to make use of this great (sort of new) technology, but they’re not paid to think about the security stuff and often they’re not required to do any consultation with a security department, even if it exists. Besides, what security can you actually add to a QR code?

So what’s the risk?

This is not such a good example (as shown on Terence’s blog). The Verrus paybyphone service takes you straight to a mobile site which asks you to enter your credit card details. This is so astonishingly easy to spoof that it is scary. There is no description whatsoever near the QR code about what it is supposed to do. I could therefore also quite easily perform a whole host of attacks (as described below).

There are a number of threats to the consumer from the misuse of QR codes. These aren’t usually because of a big security mistake by the company advertising its product or whatever with the QR code; however, it could turn out to be quite a nasty PR experience for the company involved if they’re not careful about the way in which they do it.

  • QRjacking (not a good term – it is actually a form of pharming) – This is the practice of putting stickers over existing QR codes which link to wherever the attacker wants them to go. Dan Wilkerson published this blog back in May 2011 which has some nice pictures.
  • Scanjacking (as opposed to clickjacking) – Here’s a paper I like by App Sec Labs which assesses some QR readers and how a payload can be inserted into a QR code if JavaScript is allowed to be randomly executed on the device. This post the other day talks about using QR codes to point to an evil server running Metasploit to “attag” a target (I don’t like that term either).
  • Man-in-the-middle attack – This is where, again, a sticker is placed over the legitimate QR code, or a fake one is advertised in a newspaper or magazine. The user has their credentials captured or bank details taken, then they are redirected back to the correct website with an error such as ‘you didn’t type your details correctly’. It is unlikely that the average user would pick up on what was going on. Colin Mulliner mentioned this kind of attack when he did some great work around NFC (Near Field Communication) a few years back. In fact many of the attacks he describes mirror in some ways the attacks possible on QR.
  • Phishing – Randomly posting QR codes that entice people to scan them but actually go to something malicious is highly tempting for attackers. You could probably even get people to attach to your fake WiFi network. You could imagine lots of places that could be targeted e.g. bars, bus stops etc. This could of course happen via email, asking you to scan and download an application to your phone. The QR code below was sent to me the other week by a friend. It isn’t malicious and I’m not sure it even works on mobiles, but I liked the potential!
  • Spear Phishing – Extending the Phishing method described above, but targeting a particular individual or a small group (imagine dropping a fake competition flyer around an extremely upscale bar).
  • Premium rate SMS fraud – One of the things that is supported with QR codes is the ability to make calls and send SMSs. I’m not going to explain exactly how here, but the information is pretty widely available. It would seem pretty trivial to do a premium rate fraud using fliers for a competition at a concert or sporting event. Less so for call fraud because of the time and hassle involved for the user, but depending on the social engineering aspects of the attack, it could be done.
  • Pre-registration fraud – Terence Eden found an incident where Nokia had failed to register a bit.ly link on a QR code, which could quickly have been hijacked by an opportunist. This would probably be technically classed as a pre-registration fraud, although it is very rare.
  • False Advertising – This is a sophisticated attack on a company, perhaps by an activist group, by putting fake QR codes in advertisements. It is obviously incumbent on magazines and newspapers to check adverts and their sources anyway, but I’m not sure how well this is done. Even if some form of checking did take place, it could be side-stepped by only putting the malicious content live once the target publication is in the shops.

Generally, all the attacks on QR codes have to be very well crafted and prepared to be successful. For the savvy attacker, it is a social engineering exercise. It all comes down to what logical next steps a user could be expected to take. In general though, it is quite difficult to launch a traditional distributed attack without high cost. The chances of detection and therefore prosecution are higher than for other types of attack. For example, an attack that needs the user to pick up their phone, scan a QR code displayed on their computer, download an application and thereby give the attacker access to their information is so complicated and difficult that it is almost not worth doing. There’s too much other low hanging fruit out there in terms of attack success.

Is there anything that can be improved in terms of security? Well, a lot comes down to the reader software applications themselves and how they present the data to the user once it has been scanned. This helps the user make a reasonably informed, intelligent decision. From a technical point of view though, it is difficult to defend QR URIs even by using blacklisting services such as stopbadware.org. Premium rate attacks also seem difficult to defend against, as the numbers could be (and are) changed easily. The time window between a successful attack and the blacklisting is still attractive to an attacker. Some forms of URL redirection could potentially be ‘triaged’ by the barcode reader application with some helpful warnings to the user, but given the propensity for companies to use URI shortening services, it may have limited success as an effective security measure. Given all the other security scenarios that could happen (e.g. what if the QR code is situated in a hostile environment with a compromised WiFi router?), it does seem futile at the moment to introduce other measures which may actually just confuse the user further.
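To make the reader-side triage idea concrete, and to show what “always check the URI” from the tips post looks like when the scanner does the checking rather than the user, here is an added example that is not code from the original posts or from any real scanner application. It classifies a decoded QR payload (web link, tel/sms/smsto/wifi action, or plain text) and returns the warnings a reader could display before acting: embedded credentials before an “@”, a bare IP address instead of a named site, a known URL shortener (the shortener list is constructed for the example), plain HTTP, look-alike non-ASCII characters, and any payload that would dial, message or join a network. The sample payloads are constructed.

```python
# Added example (not from the original posts): the kind of triage a QR reader
# could perform on the decoded text before acting on it, turning "always check
# the URI" into warnings the user actually sees. The shortener list and the
# sample payloads are constructed for this example.
import ipaddress
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}
# Non-web schemes that make the phone do something other than open a page.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "geo", "wifi", "market"}


def triage(payload: str) -> dict:
    """Classify a decoded QR payload and list the reasons to pause before acting."""
    text = payload.strip()
    result = {"kind": "text", "target": text, "warnings": []}
    warn = result["warnings"].append

    scheme, sep, rest = text.partition(":")
    scheme = scheme.lower()
    if not sep or not scheme.isalpha():
        return result  # plain text (a timetable, a serial number): nothing to act on

    if scheme in ("http", "https"):
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
        # Show the user the host the browser will really contact, not the raw string.
        result.update(kind="url", target=f"{scheme}://{host}{parts.path}")
        if parts.username is not None:
            warn("text before '@' is a username; the real site is " + host)
        try:
            ipaddress.ip_address(host)
            warn("link goes to a bare IP address rather than a named site")
        except ValueError:
            pass
        if host in SHORTENERS:
            warn("shortened link: the final destination is hidden")
        if scheme == "http":
            warn("plain HTTP: nothing entered on this page is protected in transit")
        if any(ord(c) > 127 for c in text):
            warn("non-ASCII characters in the link: check for look-alike domains")
    elif scheme in ACTION_SCHEMES:
        result.update(kind=scheme, target=rest)
        if scheme in ("tel", "sms", "smsto"):
            number = rest.split(":")[0]
            warn("would dial or message " + number + ": confirm you recognise the number")
        elif scheme == "wifi":
            warn("would join a Wi-Fi network: treat it as untrusted")
    else:
        warn(f"unfamiliar scheme '{scheme}': unknown what the phone would do with it")
    return result


if __name__ == "__main__":
    SAMPLES = (  # constructed payloads for illustration
        "https://www.example.com/timetable",
        "http://bit.ly/abc123",
        "http://user@192.0.2.10/login",
        "SMSTO:89123:WIN",
        "WIFI:S:FreeCafe;T:WPA;P:secret;;",
        "Platform 3: 09:15 departure",
    )
    for sample in SAMPLES:
        verdict = triage(sample)
        print(verdict["kind"], verdict["target"], verdict["warnings"] or ["no warnings"])
```

Nothing here proves a link is safe: a perfectly clean HTTPS link to a named domain can still be a phishing page, which is why the function returns the resolved target for the user to read alongside the warnings rather than a single allow/deny answer.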

I do have some further ideas on this topic, but I’d welcome your comments and ideas, just add a comment to this blog.

Obviously what applies to QR codes applies to anything else, barcode or otherwise that you can’t decipher, such as ‘NFC’ tags which you ‘touch’ with your phone. I’ll be writing about this closely related and upcoming technology soon.

UMA – Unsafe Mobile Access?

I’ve been following Mobile Monday’s London chapter for a few years now and I know a few of the guys there, but I’ve never been able to get down to one of their events. I finally made it down to the April 2010 demo night and was suitably impressed by the number of attendees and the quality of the short 3 minute lightning presentations. I thought that I’d put a security spin on what I witnessed but ended up writing this blog on one particular presentation about ‘Smart Wi-Fi’.

Mark Powell from kineto.com talked about offloading data to wifi from the mobile. Increases in data traffic have caused some big headaches for operators, so this is clearly an attractive proposition for them. It is pre-loaded on some devices, partly because there are some custom APIs involved. It uses 3GPP GAN (Generic Access Network) as the underlying technology to get access to the mobile network and is also known as UMA (Unlicensed Mobile Access). Kind of like a ‘soft’ femtocell (I might even go as far as to say a potential femtocell killer). This is being marketed by T-Mobile as ‘Wi-Fi calling’ and Orange as ‘signal boost’. You’re going to get charged for your normal call on top of your broadband fee, but in general the benefit of having a better signal in the house is probably going to be quite attractive to people and may become a standard offering in the future. Kineto also explained that it helps avoid international roaming because once you are on Wi-Fi it will be just as if you’re in your home country.

As a paranoid security person, I always get a bit concerned when operators rush to a new technology to solve their problems (in this case network load). Converged technologies bring completely new threat scenarios and can re-enable old attacks through new vectors. From a security point of view, there are some pretty obvious initial questions that spring to mind:

  • What if you’re connected to a rogue router? Is any of your data going to be compromised?
  • Is a man-in-the-middle (MITM) attack possible at the access point?
  • Can fraud take place?

I searched around and found an interesting whitepaper from Motorola, produced back in 2006, which describes some high-level threat scenarios: UMA Security – Beyond Technology. I also found Martin Eriksson’s thesis Security in Unlicensed Mobile Access. This states that the IMSI (International Mobile Subscriber Identity) is not secured well enough, exposing the identity of the subscriber attached to the router and therefore their physical location. Note that the thesis was written in 2005 and very much plays this issue down; in 2011 most readers would take a different view of this privacy breach. Weaknesses in authentication, and the potential for a MITM attack via the router allowing (fraudulent) free calls for other users of the access point, also seem to be areas of concern, as traffic through the router would be open to sniffing (particularly if it is a rogue access point in the first place). The underlying problem is that the user is connecting through a less-trusted component than the normal mobile network, leaving them open to all sorts of potential attacks and manipulation.

Tamper-resistant hardware security in consumer routers is not something I’ve seen, and a router is difficult to protect for the same reason mobile devices are: you are putting the equipment in the hands of your attacker to tamper and play with. There is already a healthy community for router hacking and modification, too, such as DD-WRT.

UMA applications on phones need to use shared secrets which are stored on the UICC (in GAN the SIM credentials are used, via EAP-SIM or EAP-AKA, to set up the IPsec tunnel to the operator’s security gateway). It would be interesting to analyse how well protected this data is on the device, whether it would be possible to snatch that data, or even whether other attacks could be mounted on the UICC.

Although some of the issues here may have been addressed by the mobile industry, it seems that UMA could be a bit of a risk for users (I’d welcome any comments or updates, by the way, from those in the know). The technology is probably safe at the moment as it is in its infancy and hasn’t crossed the radar of most of the hacking community. However, I for one will be steering clear for now.

Confused Users and Insecure Platforms – the Perfect Storm Approaches

(picture from: http://commons.wikimedia.org/wiki/File:Storm_Approaching_Anna_Bay.JPG)

The evolution of hacking against mobile devices has been as rapid as the evolution of the device technology itself. Traditionally, mobile phone hacking centred on the ‘embedded’ part of the phone, that is the electronic hardware. The software and firmware within a device were proprietary to that manufacturer, so hackers and hacking groups specialised in a particular area. The knowledge and expertise needed to crack devices was very high and technically complex. As a result it was poorly understood and, even though there was a large grey and black market in SIM-lock removal and IMEI changing, the media never reported it. Large amounts of money were made, with much of it going straight up the chain to the tool authors. As the hacking techniques developed, protection mechanisms were built into the tools to ensure that the revenue always flowed back to the originator of the tool. The ordinary user just knew that they could take their handset to a market stall and get it unlocked, so the perception was that hacking a phone was easy.

The first real mainstream attention that embedded hacking got was around the iPhone. Existing hardware hacking groups were involved in assisting George Hotz, a 17-year-old at the time, to create a hardware crack which would remove the SIM lock and ‘jailbreak’ the device, allowing non-Apple-approved applications to be installed.

The public perception of hacking is extremely confused. The recent “phone hacking” scandal in the UK was really unauthorised access to voicemails held on the mobile operators’ servers, not to the handsets themselves. Users don’t really understand where they stand with regard to their own phone security or what they need to do. The anti-virus vendors in particular are responsible for sabre-rattling about the threat to mobile devices: they have repeatedly declared “20xx” (choose a year) “the year of the mobile virus”. This is simply false and shows a lack of understanding of the technologies involved. Indeed, in 2004 one anti-virus product completely filled the application memory of a phone such that no other application could be installed. Perfect protection, then! There has been no mass malware outbreak to date. The only ‘major’ incident was the various variants of Commwarrior, a Symbian worm which propagated by MMS to the contacts in users’ phonebooks (and over Bluetooth). The anti-virus vendors have now been so discredited in the mobile space that they have used up their chances of convincing users that they need to purchase protection. Ironically, the year is upon us where anti-virus would provide real value to users.

The perfect storm is approaching. The unification of devices under common platforms such as Google’s Android, easy application and widget development on an insecure platform (the web) and weak application policy mechanisms (such as deferring key decisions on permissions to the user) are all leading users down a dangerous path. There are mitigating factors, though. The inherited knowledge from the days of PC viruses has allowed the development of some good defence technologies and processes. Apple, at one end of the scale, has a very rigorous application inspection process, both automated and manual, whereas Android’s market is much more open and therefore more exposed to malware authors. Sideloading of applications that are not digitally signed is also generally restricted, although on Android a self-signed certificate suffices, so the signature only identifies the author if you already know which certificate the genuine author uses.

In early March 2011, DroidDream was identified in around 50 applications supplied by three developers to the Android Market. These applications were originally legitimate but had been cracked, trojanised and re-uploaded as versions of the originals. They were only spotted because someone noticed that the author was different from the original. Google took immediate action to remove the apps and ban the developers, but the malware is still out in the field at the time of writing; an estimate of between 50,000 and 200,000 downloads for one of the applications makes this quite a severe incident. Other incidents over the past couple of years include suspected phishing applications on Android, attempts at creating mobile botnets in China, malicious multi-part SMS messages which crash phones, and rogue ‘Hello Kitty’ wallpaper applications which harvest user data and upload it to IP addresses in China.

It is clear that hacking against mobile devices is a developing discipline. The fight seems to be being won in the hardware space, but much more work needs to be done to protect users in the application space, and it needs to happen now. And the bottom line for consumers? They just want to be secure, without any hassle.

The problem with facebook one-time passwords

I popped onto Facebook this morning to see a former colleague @basexperience post the following:

#Facebook facerapers! Grab your friends’ phone and text “otp” to 32665 to get a password for their Facebook account for 20 mins!

Clearly, I was interested. I hadn’t really given much thought to the announcement made by Facebook, but I assumed, given the recent pressure on Facebook, that they would have thought about it a bit more.

Let’s set aside for a second the obvious issue that most people will already be logged into Facebook because their password has been ‘remembered’ (in both mobile and desktop browsers), and let’s not forget that if you’ve got the Facebook app on your phone you’re probably logged in there too.

So what Facebook have basically done is create a mechanism for anyone to get into a Facebook account with, in authentication terms, just “something you have” (the phone). That’s all: one-factor authentication. If they required a PIN, “something you know”, in the SMS you send to the short code to get the one-time password, that would at least stop random people getting into your account if you leave your phone on your desk. I won’t go into some of the other issues about exactly how they’re identifying you, presumably by your MSISDN (your phone number)…
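An added illustration (not Facebook’s implementation, and not code from the original post) of what that difference looks like in practice: a toy SMS one-time-password service with a switch for the missing “something you know”. The 20-minute window comes from the post; the eight-digit code, the lockout after five bad PINs, the rule that a code is burned on its first use attempt, and the phone number are all assumptions of mine:

```python
"""Added example: toy model of an SMS one-time-password (OTP) issuer.
Not Facebook's code. Everything except the 20-minute lifetime is assumed."""
import hashlib
import hmac
import os
import re
import secrets
import time

OTP_LIFETIME = 20 * 60          # the 20-minute window quoted in the post
OTP_DIGITS = 8                  # assumption: code length
MAX_PIN_FAILURES = 5            # assumption: lockout threshold


class OtpService:
    def __init__(self, require_pin, clock=time.time):
        self.require_pin = require_pin   # False = "something you have" only
        self.clock = clock               # injectable so expiry can be tested
        self.accounts = {}               # msisdn -> account record

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def link_phone(self, msisdn, username, pin=None):
        """Mirror the 'enable mobile access' step: bind an MSISDN to an account."""
        salt = os.urandom(16)
        self.accounts[msisdn] = {
            "user": username,
            "pin_salt": salt,
            "pin_hash": self._hash_pin(pin, salt) if pin else None,
            "failures": 0,
            "otp": None,                 # (code, expiry) once issued
        }

    def handle_inbound_sms(self, msisdn, text):
        """Process a text sent to the short code; returns the reply SMS body.

        Weak mode accepts 'otp' from any linked phone, so whoever holds the
        handset gets a code. Hardened mode needs 'otp <PIN>' as well."""
        acct = self.accounts.get(msisdn)
        if acct is None:
            return "This number is not linked to an account."
        parts = text.strip().split()
        if not parts or parts[0].lower() != "otp":
            return "Unrecognised command."
        if self.require_pin:
            if acct["failures"] >= MAX_PIN_FAILURES:
                return "Too many failed attempts: OTP by SMS is disabled for this number."
            supplied = parts[1] if len(parts) == 2 else ""
            ok = acct["pin_hash"] is not None and hmac.compare_digest(
                self._hash_pin(supplied, acct["pin_salt"]), acct["pin_hash"])
            if not ok:
                acct["failures"] += 1
                return "PIN required: text 'otp <PIN>' to get a one-time password."
            acct["failures"] = 0
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        acct["otp"] = (code, self.clock() + OTP_LIFETIME)
        return f"Your one-time password is {code}. It expires in 20 minutes."

    def login(self, username, code):
        """Time-limited, single-use check. The stored code is discarded on the
        first attempt whether or not it matches, so an 8-digit code cannot be
        guessed online within the 20-minute window."""
        for acct in self.accounts.values():
            if acct["user"] != username or acct["otp"] is None:
                continue
            stored, expiry = acct["otp"]
            acct["otp"] = None
            return self.clock() <= expiry and hmac.compare_digest(stored, code)
        return False


def extract_code(reply):
    """Pull the OTP out of a reply SMS, or None if the service refused."""
    m = re.search(rf"\b\d{{{OTP_DIGITS}}}\b", reply)
    return m.group() if m else None


def phone_on_desk_attack(require_pin):
    """Someone picks up Alice's phone and texts 'otp' to the short code.
    Returns True if that alone gets them into her account."""
    svc = OtpService(require_pin=require_pin)
    svc.link_phone("+447700900123", "alice", pin="4711")   # constructed number and PIN
    code = extract_code(svc.handle_inbound_sms("+447700900123", "otp"))
    return code is not None and svc.login("alice", code)


if __name__ == "__main__":
    print("weak (phone only):      account opened =", phone_on_desk_attack(False))
    print("hardened (phone + PIN): account opened =", phone_on_desk_attack(True))
```

The PIN is hashed rather than stored, the comparison is constant-time, and repeated bad PINs lock the SMS channel, because once a PIN is the only thing standing between a borrowed phone and the account it becomes the thing an attacker will guess at. None of this helps if the phone is already logged in, which is the separate problem set aside above.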

The more annoying thing for me about this is that it has happened before. In America. To a celebrity. To Paris Hilton no less (Register readers delight):

http://www.theregister.co.uk/2005/02/21/paris_hacked/. In that case, access was gained via a password reminder, which opened up the photos, numbers etc. backed up on the Sidekick servers.

Coming back briefly to the ‘remembered’ passwords: this helped me launch my attack today, because when you first use the feature you have to enable mobile access for that device by linking the MSISDN to the Facebook account.

Thanks to my mate @basexperience for the post.