Mobile Phone Hacking: A lucrative, but largely hidden history (presentation)

Slide 1: Mobile Phone Hacking: A lucrative, but largely hidden history

DC4420
David Rogers
27th May 2014

Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.

http://www.mobilephonesecurity.org


Slide 2: Car Radio Hacking – 1990s / 2000s
PIN locks to deter and remove the value of theft
Hacking tools reset / calculate / remove security codes


Slide 3: Some Phone Terms: SIMlock & IMEI
SIMlock:
used to secure the device to a particular network during the period of the subsidy; can be unlocked with CK (control key) codes by calling the operator
Different variants of locks
Recent court case in the US over legality (and lots of other previous fights)
IMEI:
the International Mobile Equipment Identity number
unique to each device
can be blocked if the device is stolen
Other interesting information on the device that would be hacked
E.g. to change language packs, phone lock removal, text etc.
Big battle between the mobile industry and hacking groups from c.1999 to now – it has evolved into the jailbreak / root community


Slide 4: ‘Unlocking’ and IMEI changing
What is ‘unlocking’?
SIMlocks
Most hacking used to be aimed at the SIMlock area
The security area in the handset would protect all sensitive data – including the IMEI and the SIMlock
What is a dirty hack?
Hacks targeted against the security area would often corrupt data – including the IMEI.
Data such as RF calibration settings would often be wiped out
Hacking tools were usually dual-use (SIMlock and IMEI)
This causes problems in countries where IMEI changing is illegal – it is difficult and costly to get direct proof

Mobile Phone Security - David Rogers


Slide 5: Historic Criminal Structure (diagram)
Actors in the diagram: embedded hacker, hacking group, internet shop, shop or stall, repair centre, application hacker, organised crime, re-seller, end-user, thief, drug dealer, black market exporter (unlocking / IMEI changing), eBay.
Crimes in the diagram: mass theft, subscription fraud, street crime, counterfeiting, IP theft, ‘user’ crimes, murder, etc.


Slide 6: Historic Financial Structure (diagram)
Same actors as the slide 5 diagram (embedded hacker, hacking group, internet shop, shop or stall, repair centre, application hacker, organised crime, re-seller, end-user, thief, drug dealer), plus free software.
Value / payment method at each tier:
£10 - £30: cash, debit / credit card
£50 - £500: Western Union, PayPal, postal order
£500 - £5000: Western Union
£5000+: Western Union


Slide 7: Examples of Hacking Hardware
Standard service repair equipment
Fraudulent purchasing of manufacturer’s equipment
Mass-produced hardware by hacking groups:
Griffin Box
UFS-3 (Twister)
Blazer
Clips
Evolution
New equipment was constantly developed as new models were released
New technologies and hardware security to ensure revenue


Slide 8: Mass Manufacture of Hacking Hardware (photo slide)

Slide 9: Examples of Hacking Hardware (2)
Most hacks steal their solutions from already existing hacks
There may seem to be 22 hacks available – they are just old hacks re-packaged:
Different front-end to the software
Different hardware
The ‘golden’ part of the source code comes from 1 hack
Lots of ‘ghost’ hacks that are aimed at defrauding people
The same happened in 2012 with jailbreaking on iOS6


Slide 10: Hardware Hacking Methods
EEPROM cloning or ‘Chipping’
Old method
Copied the EEPROM with basic equipment
Main aim: to fit an EEPROM with no SIMlock
Result: the IMEI number was cloned
PICs (PIC, Peripheral Interface Controller, microcontrollers)
Execute small sequences of commands
Placed in-line to ‘snatch’ or modify data
Flash device hot-swapping (almost impossible now)
Exploitation of boundary scan (JTAG) ports
External clips and dongles
Note: less economical than software hacks


Slide 11: In-line PIC Between SIM and Device (photo slide)


Slide 12: Software Hacking Methods
Direct change
Breaking a programming algorithm
Finding the correct test interface protocol command
Still used(!): serial communications / USB monitoring equipment
Modifying binary files (software download files)
Inserting jump code
Hijacking other functions in the code to subvert security
Taking advantage of software design flaws
Abuse of boundary scan to monitor phone processes
‘Dumping’ data from secure areas to logs
Brute-force cracking of algorithms
Theft of information from design centres / factories / service centres
The “Voodoo Galaxy SIII SIM unlock” tool required the device to be rooted…


Slide 13: Typical (Old) Software Hack Methodology (flow diagram)
Timescale: 0 months (marketing launch at trade show, phone released to market) to 6 - 12 months (hacking solution).
Manufacturer: marketing launch at trade show, phone released to market, product security detection.
Hacker: research, theft of early model, network operator samples, open source info and hacking tools, hacking solution, distribute application, protect application, application protection tools.


Slide 14: Use of Hardware Clips – 5 Second Unlocking!
Simple to use, takes its power from the handset
Contains a PIC microcontroller
Bombards the handset with commands in a repetitive sequence
The handset eventually gives up and resets itself – unfortunately resetting the SIMlock!
This type of attack was used on many different makes of handset
Clips have now evolved and the term is usually used in reference to dongles


Slide 15: “Logs”
Used as a method of continually generating revenue for the real hackers and re-sellers at the top of the food chain – a historical issue for hackers
Original concept by 3 Nokia hackers and dealers from Serbia: George, Boban (Slobodan Andrics) and Dejan (Dejan Kaljevic)
How do logs work?
Encrypted by the hackers to avoid cracking by other hackers
An example:
Crack the master security locks -> generate an encrypted log of security area information -> close the security lock on the handset again!
‘Logs’ are only possible if the hacking solution is two-part:
‘Dumb’ client application to communicate with the handset
Data is sent to the hacker / re-seller
Corresponding data to unlock / change the IMEI is received back from the hacker / re-seller


Slide 16: CK Algorithm Breaches
Some manufacturers and ODMs used symmetric algorithms based on the IMEI number to generate CK codes
Broken, and every possible iteration for each IMEI became available
Later versions cracked the factory / service tools, because they had been leaked, rather than cracking the handset
Down to poor manufacturer security and breaking the principle of no stored, shared secrets!
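The two designs this slide contrasts, as an added example that is not part of the deck: a symmetric, IMEI-derived CK scheme in which one factory secret sits in every handset and every service tool, beside a per-device scheme with no stored shared secret. The HMAC construction, the secret, the 8-digit code length, the PBKDF2 stretching, the retry limit and the sample IMEIs are all assumptions made for illustration (the deck does not describe any vendor's real algorithm); only the IMEI Luhn check is the standard one.

```python
# Added example (not from the deck): toy model of the "CK algorithm breach".
# The scheme, secret, IMEIs and code lengths are all constructed for illustration.
import hashlib
import hmac
import secrets


def imei_luhn_valid(imei: str) -> bool:
    """Check the Luhn check digit of a 15-digit IMEI (a handset should
    reject a corrupted IMEI region before it ever computes a CK)."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(imei):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the left is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# --- The broken design: one shared secret in every handset and every tool ---
FACTORY_SECRET = b"constructed-secret-baked-into-firmware-and-service-tool"  # assumption


def weak_ck(imei: str, secret: bytes = FACTORY_SECRET) -> str:
    """Symmetric, IMEI-derived control key: 8 decimal digits taken from
    HMAC-SHA256(secret, IMEI). Anyone holding `secret` can compute the CK
    for *every* IMEI, which is what a leaked service tool gives away."""
    if not imei_luhn_valid(imei):
        raise ValueError("invalid IMEI")
    mac = hmac.new(secret, imei.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"


class WeakHandset:
    """Handset that recomputes the CK from the shared secret at unlock time."""

    def __init__(self, imei: str):
        self.imei = imei

    def unlock(self, ck: str) -> bool:
        return hmac.compare_digest(weak_ck(self.imei), ck)


# --- No stored shared secret: a random per-device CK, only its hash on the handset ---
class PerDeviceHandset:
    """Holds a salted, stretched hash of its own CK plus a retry counter.
    Dumping this device's security area reveals nothing about any other
    device, and nothing in the factory tools can derive the CK."""
    MAX_ATTEMPTS = 10         # assumption: lock out after this many wrong codes
    ITERATIONS = 50_000       # PBKDF2 cost; slows offline guessing of an 8-digit code

    def __init__(self, imei: str, ck: str):
        if not imei_luhn_valid(imei):
            raise ValueError("invalid IMEI")
        self.imei = imei
        self.salt = secrets.token_bytes(16)
        self.ck_hash = self._stretch(ck)
        self.attempts = 0

    def _stretch(self, ck: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", ck.encode(), self.salt, self.ITERATIONS)

    def unlock(self, ck: str) -> bool:
        if self.attempts >= self.MAX_ATTEMPTS:
            return False          # locked out; only the operator can reset it
        self.attempts += 1
        return hmac.compare_digest(self.ck_hash, self._stretch(ck))


def provision(imei: str) -> tuple:
    """Factory step: generate a random CK, burn its hash into the handset and
    hand the plaintext CK to the operator's database (keyed by IMEI)."""
    ck = f"{secrets.randbelow(10**8):08d}"
    return PerDeviceHandset(imei, ck), ck


def leaked_tool_attack(imei: str = "490154203237518") -> dict:
    """What an attacker holding the leaked FACTORY_SECRET gets against each design."""
    weak = WeakHandset(imei)
    hardened, operator_ck = provision(imei)
    guess = weak_ck(imei)            # the leaked tool's output for this IMEI
    return {
        "weak_unlocked": weak.unlock(guess),              # True: every IMEI falls
        "hardened_unlocked": hardened.unlock(guess),      # False: the secret is useless
        "operator_unlock": hardened.unlock(operator_ck),  # True: the legitimate path
    }


def lockout_demo(imei: str = "356938035643809") -> bool:
    """Burn the retry budget with wrong guesses, then try the real CK.
    Returns whether the real CK still works (it should not)."""
    handset, real_ck = provision(imei)
    wrong = "00000000" if real_ck != "00000000" else "00000001"  # constructed wrong guess
    for _ in range(PerDeviceHandset.MAX_ATTEMPTS):
        handset.unlock(wrong)
    return handset.unlock(real_ck)


if __name__ == "__main__":
    print(leaked_tool_attack(), "locked out:", not lockout_demo())
```

Running it shows the leaked secret unlocking the weak handset for any valid IMEI while doing nothing against the per-device handset. The remaining weakness of the second design is the 8-digit code space itself; the stretched hash and the attempt counter are what make that space expensive to search, at the price that a lost or mistyped CK needs an operator reset rather than a recomputation.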


Slide 17: De-capping and Focused Ion Beam Equipment (photo slide)


Slide 18: Newer Hardware and System Level Attacks
George Hotz – original iPhone jailbreak
Used a hardware flaw to XOR a data address and insert jump code into empty memory where he could execute his own bootloader
Allegedly assisted by European Infineon hacking teams
Rooting
Various methods, exploiting vulnerabilities
Usually used as a staging area for other attacks (e.g. malware)
Examples: RageAgainstTheCage, uboot, zergRush, gingerbreak
Other private exploits
Some manufacturers provide it as a service in order to prevent people hacking
Legal battles around this area (e.g. US Copyright Office 2010, 2012)
OK to remove SIMlocks and root devices


Slide 19: Newer Motivations
Main targets / motivations recently have been:
Rooting / jailbreaking the device – for piracy / other apps / custom OS / spyware
SIM unlocking – break out of the subsidy (cheap device) / fraud / export of stolen devices
IMEI changing – re-enable stolen handsets in the same country
Launchpad attacks – spyware / malware / anti-theft tools / in-app billing
Fixing issues – e.g. old SIMlocked device, can’t contact the operator


Slide 20: Handset Embedded Security Evolution (to 2012) (timeline diagram covering 2002 to 2012)
Timeline items: EICTA / GSMA 9 Principles; OMTP Trusted Environment: OMTP TR0; OMTP Advanced Trusted Environment: OMTP TR1; TCG MPWG Specification; GSMA Pay-Buy-Mobile; WAC; webinos; RIM / Nokia proprietary security features; Google / Apple proprietary hardware security features; banking / film industry requirements.
Summary label: Fragmented Security


Slide 21: Evad3rs, i0n1c, geohot, RedSn0w – iOS6 & iOS7
The iOS6 hack “used more zero-days than Stuxnet”*
Millions of downloads – huge market
The Evasi0n iOS7 jailbreak was rushed out due to competition (and the 7.1 release), packaged with a Chinese app store (Taig)
Rumoured to be worth $1 million
Rumours of dirty tricks / questionable sources for some holes
Strategic and tactical thinking, all ‘untethered’
Some holes allegedly held back by various teams for future cracks on iOS8
Teams still reverse and hack each other’s tools (like SIMlock)
George Hotz tried to sell to a Chinese team (via a broker) for $350,000
Audio clip released with the negotiation discussions

* Ref: http://www.forbes.com/sites/andygreenberg/2013/02/05/inside-evasi0n-the-most-elaborate-jailbreak-to-ever-hack-your-iphone/


Slide 22: May 2014 – Root Bounty for Verizon & AT&T (screenshot slide)

Slide 23: Kill Switch / Anti-Theft Mechanism Targeting?
Obvious this would happen

Slide 24: Car Radio Hacking - 2014 (photo slide)

Slide 25: Questions?

david.rogers {@} copperhorse.co.uk
@drogersuk

Mobile Systems Security course: http://www.cs.ox.ac.uk/softeng/subjects/MSS.html

Mobile Security: A Guide for Users: http://www.lulu.com/gb/en/shop/david-rogers/mobile-security-a-guide-for-users/paperback/product-21197551.html

http://www.mobilephonesecurity.org

