Mobile, IoT, Clouds…
It’s time to hire a Risk Manager!
YURY CHEMERKIN
MULTI-SKILLED SECURITY EXPERT
CJSC ADVANCED MONITORING
YURY CHEMERKIN
I have ten+ years of experience in information security. I'm a multi-skilled security expert in security & compliance, mainly focused on privacy and leakage showdown. Key activity fields are EMM, Mobile & Cloud Computing, IAM, Forensics & Compliance.
I have published many papers on mobile and cloud security and regularly appear at conferences such as CyberCrimeForum, HackerHalted, DefCamp, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence-Sec, InfoSec NetSysAdmins, etc.
LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
TWITTER: @YURYCHEMERKIN
EMAIL: YURY.S@CHEMERKIN.COM
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable Tech
3. Healthcare
4. Connected Home
5. Security & Tips
6. Risk Management
UNDERSTANDING THINGS
IoT TAXONOMY & FRAGMENTATION
Source: https://www.cbinsights.com/research/internet-of-things-periodic-table/
IoT TAXONOMY
• Wearable Tech
• Connected Home
• Building Blocks & Platforms
• Industrial Internet
• Healthcare
• In-store Retail
• Connected Car
• Venture Capital Firms
• Corporate Investors
• Angel Investors
• Crowdfunding
• Accelerators/Incubators
• IoT Acquirers
• Notable acquisitions
NARROW THINGS
Wearable Tech
Connected Home
Healthcare
WATCHES
WEARABLE TECH
SMARTWATCHES – APPLE WATCH
MITM
Jailbreak
Backup
APPLE WATCH
MITM
The Apple Watch communicates with the owner's iPhone via Bluetooth. If the iPhone is not reachable over Bluetooth, Wi-Fi is used to synchronize with Apple servers and the iPhone.
Online communication (over Wi-Fi)
• iPhone apps <-> iCloud: MITM prevented by SSL pinning
• Apple Watch <-> iCloud: MITM prevented by SSL pinning
• No way to install an SSL certificate on the Apple Watch
APPLE WATCH
BREAKING THE LOCKSCREEN
Remove the passcode using your iPhone
1. Go to "Settings -> General -> Reset"
2. "Erase Apple Watch Content & Settings"
3. "Keep Plan" if the iWatch has a cellular plan; otherwise just "Erase All Content & Settings"
4. Pair it again
APPLE WATCH
BREAKING THE LOCKSCREEN
Removing your passcode without an iPhone
1. Power menu: press & hold the side button
2. Instead of sliding "Power Off", press on it
3. Tap "Erase all content and settings"
4. Tap the green checkmark to confirm
5. Pair it again
APPLE WATCH
BREAKING THE LOCKSCREEN
Unpair the iWatch via the Apple Watch app & Apple password
1. Keep your Apple Watch and iPhone close together
2. Open the Apple Watch app on the iPhone
3. Tap the "My Watch" tab, the iWatch name, then "Unpair Apple Watch"
4. Press "Keep Plan" for cellular iWatches
5. Enter your Apple ID password and tap confirm
APPLE WATCH
JAILBREAKS
Jailbreaks over USB
• Apple Watch Series 1-4 & watchOS 5: no jailbreak
• watchOS 4.0 - 4.1: v0rtex jailbreak, for developers only
  https://github.com/tihmstar/jelbrekTime
• Apple Watch Series 1-2 & watchOS 3.0 - 3.2.3: OverCl0ck jailbreak, still in development
  https://github.com/PsychoTea/OverCl0ck
Jailbreak & Bluetooth connection over SSH
• https://speakerdeck.com/mbazaliy/jailbreaking-apple-watch
APPLE WATCH - BACKUP
• /mobile/Library/DeviceRegistry.state/properties.bin
  • Binary plist file containing the paired Apple Watch specifics, incl. watch name, make, model, OS, GUID
  • Synced data path with GUID, date, local
  • Serial number, UDID, Wi-Fi MAC, SEID (Secure Element ID), Bluetooth MAC
APPLE WATCH - BACKUP
• Plists containing the apps installed on the Apple Watch (2 places)
  • /mobile/Library/DeviceRegistry/<GUID>/NanoPreferencesSync/NanoDomains/com.apple.Carousel
  • /mobile/Library/DeviceRegistry/<GUID>
• Example: /mobile/Library/DeviceRegistry/<GUID>/AddressBook/
APPLE WATCH
BACKUP
• Email - /mobile/Library/DeviceRegistry/<GUID>/NanoMail/registry.sqlite
• Voicemails - /mobile/Library/DeviceRegistry/<GUID>/PreferencesSync/NanoDomains/com.apple.mobilephone
  • Records containing phone numbers and paths to synced voicemail files
APPLE WATCH
BACKUP - PASSBOOK
/mobile/Library/DeviceRegistry/<GUID>/NanoPasses/nanopasses.sqlite3
Pass table:
• Unique_ID
• Type_ID (boarding pass, loyalty pass)
• Encoded pass (value/data)
APPLE WATCH – BACKUP
APPLE HEALTH
• Encrypted (.hfd) and present in password-protected / encrypted backups only
• No data in a non-encrypted backup
• Export in raw/plaintext
• But give it a moment; we will come back to the Health app soon
APPLE WATCH
ACCESS ATTACK LOGIC
APPLE WATCH
SUMMARY
The Apple Watch communicates via Bluetooth, or via Wi-Fi if BT is not available
Online communication (over Wi-Fi)
• iPhone apps <-> iCloud: MITM prevented by SSL pinning
• Apple Watch <-> iCloud: MITM prevented by SSL pinning
• No way to install an SSL certificate on the Apple Watch
Local data
• Not many, but jailbreaks are available
• Backup still works to access the data
• Wallet contains booking, card and other info
• Apple Health app
  • Contains a lot of medical user data
  • Encrypted if the backup is password-protected; absent from the backup otherwise
  • Contains non-encrypted basic medical user data and a list of app sources
WEARABLE TECH
SMARTWATCHES – ANDROID WATCH
Forensics: Physical, Logical, Network Acquisition
Screen Lock Bypassing Techniques
Root opportunities
Android wear app
ANDROID WATCH
FORENSICS OF WEARABLE TECH
Physical Acquisition
Logical Acquisition
Network Acquisition (omitted here)
ANDROID WATCH
IMAGING A SMARTWATCH DEVICE
• The ADB tool should be used to image and explore the Android smartwatch.
• The dd command, dd if=/dev/block/mmcblk0p12 of=/sdcard/tmp.image, can be used to copy the entire device (here partition 12) to an inserted SD card.
• If time is a factor, investigators can copy specific partitions with the following commands (partition numbers are device-specific; check the by-name directory under /dev/block/platform/ for the mapping):
dd if=/dev/block/mmcblk0p12 of=/storage/extSdCard/data.dd    # data partition
dd if=/dev/block/mmcblk0p8 of=/storage/extSdCard/cache.dd    # cache partition
dd if=/dev/block/mmcblk0p3 of=/storage/extSdCard/efs.dd      # efs partition
dd if=/dev/block/mmcblk0p9 of=/storage/extSdCard/system.dd   # system partition
ANDROID WATCH
BREACHING A LOCK SCREEN
• If the Google account credentials are known: remote unlock of connected watches via Google's Android Device Manager
• Deleting / altering the gesture.key & settings.db files, to remove the lock screen entirely
  adb.exe shell; cd /data/system; rm gesture.key
  • The settings.db file contains system settings and can cause system-wide changes if modified
    update system set value=0
• Flashing a modified ROM / a reboot in safe mode, to leverage a third-party lock screen
• Utilize the adbkey and adbkey.pub files from other computers that have previously synchronized with the examined device to create a trust relationship with a new device
  • /.android/<ADB keys>: those files are an RSA key pair (like an SSH key pair) that allow me to mark my computer as "trusted" to my phone.
  • Copies of the ADB keys are stored on synchronized computers in the users/<user name>/.android folders
ANDROID WATCHES
ROOT
Root:
• 5.1.1 - SuperSU-5.1.1.zip https://supersu.apk.gold/android-5.1.1
• 6.0.1 - SuperSU-6.0.1.zip https://supersu.apk.gold/android-6.0.1
• Wear 2.0 - SuperSU-Wear
• Wear-SuperSU 2.4 - https://androidfilehost.com/?fid=24269982086990060
Recovery:
• TWRP - https://eu.dl.twrp.me/bass/
  • 5.1.1: twrp-3.1.0-0.img
  • 6.0.1 and Wear 2.0: twrp-3.0.0-0.img
ANDROID WATCH
WEAR OS
• Tizen OS - Samsung
• Android Wear OS - Asus Zenwatch, Huawei Watch, LG Watch and many others
• Many root tools & images for Android Wear up to 2.0
• Lack of tools for 2.1 and beyond
• Wear app to access data

Android Wear version   Android base version   Release date
4.4W1                  4.4                    June 2014
4.4W2                  4.4                    October 2014
1.0                    5.0.1                  December 2014
1.1                    5.1.1                  May 2015
1.3                    5.1.1                  August 2015
1.4                    6.0.1                  February 2016
1.5                    6.0.1                  June 2016
2.0                    7.1.1                  Feb 2017
2.6                    7.1.1                  Nov 2017
2.6                    7.1.1/8.0.0            Dec 2017
2.7                    7.1.1/8.0.0            Dec 2017
2.8                    7.1.1/8.0.0            Jan 2018
2.9                    7.1.1/8.0.0            Feb 2018

Wear OS version        Android base version   Release date
1.0                    7.1.1/8.0.0            Mar 2018
1.1                    7.1.1/8.0.0            April 2018
1.2                    7.1.1/8.0.0            May 2018
1.3                    7.1.1/8.0.0            June 2018
1.4                    7.1.1/8.0.0            July 2018
1.5                    7.1.1/8.0.0            August 2018
1.6                    7.1.1/8.0.0            September 2018
1.7                    7.1.1/8.0.0            October 2018
2.0                    7.1.1/8.0.0            August 2018
2.1                    7.1.1/9.0.0            September 2018
ANDROID WATCHES
SAMSUNG GEAR – ALL OF THEM (TIZEN)
Tizen OS, Bluetooth, USB, no Wi-Fi, optional password protection
#1 Gain root:
• turn on SDB ('Smart Development Bridge'),
• find a ROM, use Odin,
• reboot to 'download' mode: hold down the main button through the turn-off prompt
• sdb shell, sdb root
ANDROID WATCHES
SAMSUNG GEAR – ALL OF THEM
#2 Get data as an image:
• Requires root (see step #1)
• Use anything to image the watch, like Toybox http://landley.net/toybox/ (on Tizen the Smart Development Bridge, sdb, takes the role of adb in the commands below)
# push a static toybox binary to the watch and make it executable
adb push toybox /sdcard/download
adb shell
su
mv /sdcard/download/toybox /dev/
cd /dev; chown root:root toybox; chmod 755 toybox
# find the partition to image
cd /dev/block/platform/msm_sdcc; ls -al by-name
# image the partition with dd and pipe it to netcat; -L puts netcat in listening mode
dd if=/dev/block/mmcblk0p21 | /dev/toybox nc -L
# the watch prints the port it listens on (44867 in this example); forward that port from the host
adb forward tcp:44867 tcp:44867
# on the host: connect to the forwarded port and write the stream to an image file
nc 127.0.0.1 44867 > Samsung.IMG
Here is the user partition
ANDROID WATCHES
SAMSUNG GEAR – ALL OF THEM
#3 Results:
• Messages - apps.com.samsung.message.data.dbspace/msg-consumer-server.db
• Health/fitness data - apps.com.samsung.shealth/shealth.db
• Email - apps.com.samsung.wemail.data.dbspace/wemail.db
• Contacts/address book - dbspace/contacts-svc.db
ANDROID WATCHES
LG WATCH – ALL OF THEM
Android Wear, USB, Bluetooth, no Wi-Fi
#1 Gain root: turn on ADB, use the LG G Watch Restore Tools, reboot to the bootloader & unlock it, and push the image
adb reboot-bootloader
fastboot oem unlock
fastboot reboot                      # back to Android so adb is available again
adb push <SuperSU>.zip /sdcard/download
adb reboot-bootloader
fastboot boot <twrp>.img             # boot TWRP without flashing it
Install <SuperSU>.zip from TWRP, wait for reboot
ANDROID WATCHES
LG WATCH – ALL OF THEM
#2 Get data as an image:
• Requires root (see step #1)
• Use anything to image the watch, like Toybox http://landley.net/toybox/
# push a static toybox binary to the watch and make it executable
adb push toybox /sdcard/download
adb shell
su
mv /sdcard/download/toybox /dev/
cd /dev; chown root:root toybox; chmod 755 toybox
# find the partition to image
cd /dev/block/platform/msm_sdcc; ls -al by-name
# image the partition with dd and pipe it to netcat; -L puts netcat in listening mode
dd if=/dev/block/mmcblk0p21 | /dev/toybox nc -L
# the watch prints the port it listens on (44867 in this example); forward that port from the host
adb forward tcp:44867 tcp:44867
# on the host: connect to the forwarded port and write the stream to an image file
nc 127.0.0.1 44867 > LG.img
Here is the user partition
ANDROID WATCHES
LG WATCH – ALL OF THEM
Results:
• Events/notifications - data.com.android.providers.calendar.databases/calendar.db
• Contacts/address book - data.com.android.providers.contacts.databases/contacts2.db
• Health/fitness data - data.com.google.android.apps.fitness.databases/pedometer.db
ANDROID WATCHES
ANDROID WEAR
The mobile device paired with the watches records all of them in these apps:
• /com.samsung.android.app.watchmanager
  • /auto_update.xml - a timestamp of the day the Samsung Gear was last updated
• /com.samsung.android.app.watchmanagerstub/shared preferences/hmonlinehelppref.xml
• /data/com.google.android.wearable.app/databases/devices.db - list of devices using Android Wear, which listed the LG G Watch
ANDROID SMARTWATCHES
ACCESS ATTACK LOGIC
ANDROID WATCH
SUMMARY
• Forensics
  • No forensic tools (such as Elcomsoft or Cellebrite) are available for these devices
  • Forensic techniques are still available for the devices
  • Forensics of wear apps works too, but yields little useful data
  • Known techniques for breaking the Android screen lock work
• OS
  • Tizen OS - Samsung
  • Android Wear OS - Asus Zenwatch, Huawei Watch, LG Watch and many others
• Root & Recovery
  • Many root tools & images for Android Wear up to 2.0
  • Lack of tools for 2.1 and beyond
  • SDB, ADB, Fastboot, OEM unlock
• Data
  • Contacts, fitness, health, email – on the device
HUAWEI WEAR & HONOR BAND 3-9C7
• Photos of the band and the app (links to the stores)
• Insert pictures for the lists in round shapes??
FITNESS TRACKERS
HUAWEI WEAR. HONOR BAND 3-9C7
• Device MAC address & crash log: DevInfo, debug info - /Documents/hms/oclog/<crash>,<log>
• Last wear values: sleep (many params), wakeup (many params), distance (steps, ride, climb, …), heart rate, calories
• Firmware: path to locally stored firmware, URL to download firmware (HTTP !!!), change log, options
• Geo: speed, timestamp, longitude, latitude, distance, course, duration, altitude
• User info: picture, name, birthday, height, weight, gender, age
• Account details: UDID, security token, UserID, SessionID
• Bluetooth keys
CRASH LOG: DEVINFO, DEBUG INFO -
/DOCUMENTS/HMS/OCLOG/CRASH
CRASH: *** -[__NSArrayM replaceObjectAtIndex:withObject:]: index 9223372036854775815 beyond bounds [0 .. 6]
Stack Trace: (15 frames through CoreFoundation, libobjc, HuaweiWear, libdispatch, GraphicsServices, UIKit and libdyld omitted)
iPhone:iPhone8,4 ClientVersion:21.0.12 OSVersion:11.2.6
HUAWEI WEAR – LAST VALUES
/DOCUMENTS/<*.ARCHIVER> FILES
<string>{
  "sleepTotalData": {"shallowSleepTime": 0, "totalSleepTime": 0, "deepSleepTime": 0, "wakeupTimes": 0, "wakeupDuration": 0, "type": 0, "sleepStartTime": 0},
  "distance": 3940, "lastHeartRate": 0, "steps": 4623, "lastHRTimeStamp": 0,
  "calories": 216, "date": 1537867958.8875299, "totalClimb": 0, "daySportInfo": []
}</string>
HUAWEI WEAR: FIRMWARE
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"fireWareMd5": "33E44F1B02292C8B9D00A5DEB91B72AB",
 "firmwareDownloadFilePath": "Nyx_1.5.35.bin.apk",
 "identify": "38:37:8B:B8:C9:C7",
 "firmWareSize": 1410023,
 "deviceType": 13,
 "workMode": 2,
 "forceUpdateFlag": false,
 "netFirwareVersion": "1.5.35",
 "firmwareLocalPath": "/var/mobile/Containers/Data/Application/9B666199-342F-4897-9577-59B68F5CF40F/Documents/DownloadData/dfu_image_OTA.dfu_Nyx",
 "changeLogContent": "[Optimizations]\nOptimizes calorie counting accuracy while swimming.\nFixes an issue where exercise sessions would suddenly exit due to accidental touches.\nFixes an issue where fitness data would be occasionally cleared.\nOptimizes the TrusleepTM data syncing speed on IOS.\n[Notes]\n1. New features require that Huawei Health APP is updated to version 8.0.1.302 or later for IOS, and 8.0.2.327 or later for Android.\n2. Before updating, make sure the band is charged to at least 20%.\n",
 "status": 1,
 "baseURL": "http://update.hicloud.com:8180/TDS/data/files/p7/s131/G3533/g3039/v155123/f1/"}
</string>
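As an added check written for this deck (not code from the slides or from the Huawei app), the script below reads a firmware record of the shape shown above, flags the plaintext-HTTP baseURL and the MD5-only integrity field, and verifies a downloaded image against fireWareMd5 and firmWareSize. The manifest and image bytes are constructed samples and the host name is a placeholder.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed sample in the shape of the *.archiver firmware record above.
# The MD5 deliberately does NOT match SAMPLE_IMAGE, so verification must fail.
SAMPLE_MANIFEST = json.dumps({
    "fireWareMd5": "00000000000000000000000000000000",
    "firmwareDownloadFilePath": "Nyx_1.5.35.bin.apk",
    "netFirwareVersion": "1.5.35",
    "firmWareSize": 16,
    "forceUpdateFlag": False,
    "baseURL": "http://update.example.invalid:8180/TDS/data/files/",  # placeholder host
})
SAMPLE_IMAGE = b"constructed-blob"  # 16 bytes, stands in for the downloaded .bin


def parse_manifest(text):
    """Decode the JSON string stored inside the <string> element."""
    manifest = json.loads(text)
    for key in ("fireWareMd5", "firmWareSize", "baseURL", "firmwareDownloadFilePath"):
        if key not in manifest:
            raise ValueError(f"manifest lacks {key}")
    return manifest


def download_url(manifest):
    """Full URL the app would fetch: baseURL joined with firmwareDownloadFilePath."""
    return manifest["baseURL"].rstrip("/") + "/" + manifest["firmwareDownloadFilePath"]


def audit_manifest(manifest):
    """Return a list of findings about how the update channel is protected."""
    findings = []
    url = urlparse(manifest["baseURL"])
    if url.scheme != "https":
        # A plaintext download URL lets anyone on the path substitute the image.
        findings.append(f"firmware served over {url.scheme}://{url.netloc} (not HTTPS)")
    if not any(k.lower().endswith(("signature", "sig")) for k in manifest):
        # MD5 only detects corruption; it does not prove who produced the image.
        findings.append("integrity limited to MD5; no signature field in manifest")
    if manifest.get("forceUpdateFlag"):
        findings.append("forceUpdateFlag set: update applied without user consent")
    return findings


def image_digest(data):
    """Hex MD5 of an image, in the form the manifest uses (case-insensitive)."""
    return hashlib.md5(data).hexdigest()


def verify_image(manifest, data):
    """Check a downloaded image against the size and MD5 the manifest advertises."""
    if len(data) != int(manifest["firmWareSize"]):
        return False
    return image_digest(data).lower() == manifest["fireWareMd5"].lower()


if __name__ == "__main__":
    m = parse_manifest(SAMPLE_MANIFEST)
    print("would download:", download_url(m))
    for finding in audit_manifest(m):
        print("FINDING:", finding)
    print("image verified:", verify_image(m, SAMPLE_IMAGE))
```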
HUAWEI WEAR: GEO, SPEED
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"speed": 0.63999998569488525, "timestamp": "2018-06-09T05:12:19+0300",
 "longitude": 41.512356810310401, "latitude": 52.571571199272356,
 "totalDistance": 0, "verticalAccuracy": 4,
 "course": 10.546875, "duration": 0, "distance": 0,
 "altitude": 147.71790409088135, "distanceFilter": 0, "horizontalAccuracy": 5}
</string>
HUAWEI WEAR: USER INFO
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"headImgLocal": "/var/mobile/Containers/Data/Application/9B666199-342F-4897-9577-59B68F5CF40F/Documents/temp_user/temp_user.jpg",
 "age": 29, "unitType": 0, "nameIsNil": false, "isDefault": true,
 "weight": 78, "userName": "Yury Chemerkin", "walkStepLen": 77.28,
 "birthday": 19880605, "height": 184, "modifyTime": 0, "runStepLen": 92.736, "gender": 0}
</string>
HUAWEI WEAR:
/DOCUMENTS/<*.ARCHIVER> FILES
Account
• Account details are stored in a protected way
Device MAC address
<string>deviceMacAddress</string>
<string>38:37:8B:B8:C9:C7</string>
Bluetooth keys
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User goals, device details, user measures:
• m_7_DataSourceTable_temp_user
• m_7_FitnessMergedDataTable_temp_user
• m_14_FineSleepDayMergeTable_temp_user
• m_7_MotionGoalTable_temp_user
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User measures:
• m_14_HeartRateByDay_temp_user
• m_14_SportDataByDay_temp_user
• m_133_MotionPathDetail_temp_user
• m_7_MotionGoalTable_temp_user
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User measures:
• m_133_SingleMovementStatistic_temp_user
• m_133_SingleMovement_temp_user
HUAWEI HONOR
SUMMARY
Local data
• Credentials are protected
• Personal and medical info – plaintext / as is
Communication
• Local – encrypted
• Online – SSL pinning for all possible connections: registration, login and synchronization
XIAOMI MI BAND 2 & MI FIT
Online communication
• AWS storage in Ireland (EU) mainly, secondary US
• TLS 1.2, no SSL pinning
Local data
• Action log with details incl. URLs
  • https://api-mifit.huawei.com/v1/user/manualData.json?r=f8a9d00c3433&t=1512648130831
  • https://api-mifit.huawei.com/users/70000054661/heartRate?r=f8a9d00c3433&t=1512648130848
  • https://api-mifit.huawei.com/v1/data/band_data.json?r=f8a9d00c3433&t=1512648130805
FITNESS APPS
ROAD BIKE, MOUNTAIN BIKE, …
• GPS data: longitude, latitude, altitude, accuracy, distanceInMeter, upward/downward (meters), timestamp local, timestamp GPS
• Session data: timestamp (start, end), distance, duration, avg & max speed, upward/downward, heartZone values (needs a special device)
• Speed data: timestamp, speed, duration, distance
• User data: email, password, weight, height, gender, name, birthday
FITNESS APPS
DOCUMENTS/DATABASE.SQLITE3
Where to find the data:
• GPS & location
• Heart rate (requires special devices)
• Session data
• Speed
• User data
FITNESS APPS
LOCATION, MAPS AND USER INFO
• Location and geo snapshots - Documents/MapOpenCycleMap.sqlite
• User info - Documents/database.sqlite3
FITNESS TRACKERS
SUMMARY AMONG TRACKERS & APPS
Local data
• Credentials are usually protected
• Personal and medical info – plaintext / as is
Communication
• Local – encrypted
• Online – SSL pinning for all possible connections
APPLE HEALTH (insert device pictures here)
HEALTHCARE
APPLE HEALTH
Valuable data is encrypted and no public crack is known
A small amount of data is not encrypted in the backup
List of app sources (look there for the non-encrypted original data)
However, a secure built-in app aggregator does not mean other apps are secure in the same way; of course not
APPLE HEALTH
WHERE TO FIND DATA?
HealthDomain/MedicalID/MedicalIDData.archive
HealthDomain/Health/healthdb.sqlite
HealthDomain/Health/healthdb_secure.sqlite
HealthDomain/Health/healthdb_secure.hfd
Exported raw data – any place chosen by the user
APPLE HEALTH
DATA IN DETAILS
• Name, user pic, height (in cm), and mass (in kg)
• Geo tracking (mainland/city), iOS version
• Device info: UDID, name, last connection time
• Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
• Medical implants
APPLE HEALTH
HEALTHDOMAIN/MEDICALID/MEDICALIDDATA.ARCHIVE
• Name
• Height
• Weight
• Medical implants
APPLE HEALTH
HEALTHDOMAIN/HEALTH/HEALTHDB.SQLITE
• bundle_id, app_name
• Device name, device model, vendor, hardware and software, timestamp
APPLE HEALTH
HEALTHDOMAIN/HEALTH/HEALTHDB_SECURE.SQLITE
APPLE HEALTH
RAW EXPORT
Recorded by any Apple device & accessed through the Health app
Detailed activity log with timestamps
Data can be exported in .xml file format without encryption (!) and even without encrypting the zip file
Extracted data can be stored anywhere
APPLE HEALTH - RAW EXPORT
PERSONAL, FITNESS, MEDICAL INFO
Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
Heart rate data (in count/min) or beats-per-minute (BPM)
Steps, distance covered (in km), active energy burned (in kJ), and exercise time (in mins)
Blood Pressure Diastolic, Systolic
The exact activity log time (creationDate), and activity start and end times (startDate, endDate)
XML Parser (Free): https://github.com/tdda/applehealthdata
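The export.xml the slides describe can be read with standard-library Python; the parser below is an added example (not the tdda tool and not from the deck) that pulls the Me characteristics, the list of app sources and per-type statistics out of a constructed export, which is exactly the personal data that leaves the device unencrypted. Element and attribute names follow Apple's export layout; the values are made up.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed export.xml in the layout Apple Health writes (values are made up).
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<HealthData locale="en_US">
 <ExportDate value="2018-09-25 12:00:00 +0300"/>
 <Me HKCharacteristicTypeIdentifierDateOfBirth="1988-06-05"
     HKCharacteristicTypeIdentifierBiologicalSex="HKBiologicalSexMale"
     HKCharacteristicTypeIdentifierBloodType="HKBloodTypeAPositive"
     HKCharacteristicTypeIdentifierFitzpatrickSkinType="HKFitzpatrickSkinTypeII"/>
 <Record type="HKQuantityTypeIdentifierHeartRate" sourceName="Apple Watch" unit="count/min"
         creationDate="2018-09-25 08:00:05 +0300" startDate="2018-09-25 08:00:00 +0300"
         endDate="2018-09-25 08:00:00 +0300" value="72"/>
 <Record type="HKQuantityTypeIdentifierHeartRate" sourceName="Apple Watch" unit="count/min"
         creationDate="2018-09-25 09:10:05 +0300" startDate="2018-09-25 09:10:00 +0300"
         endDate="2018-09-25 09:10:00 +0300" value="95"/>
 <Record type="HKQuantityTypeIdentifierStepCount" sourceName="iPhone" unit="count"
         creationDate="2018-09-25 10:00:00 +0300" startDate="2018-09-25 09:00:00 +0300"
         endDate="2018-09-25 10:00:00 +0300" value="4623"/>
 <Record type="HKQuantityTypeIdentifierBloodPressureSystolic" sourceName="BP App" unit="mmHg"
         creationDate="2018-09-25 11:00:00 +0300" startDate="2018-09-25 11:00:00 +0300"
         endDate="2018-09-25 11:00:00 +0300" value="120"/>
</HealthData>
"""


def short_name(identifier):
    """'HKQuantityTypeIdentifierHeartRate' -> 'HeartRate'; unknown names pass through."""
    marker = "TypeIdentifier"
    return identifier.split(marker, 1)[1] if marker in identifier else identifier


def parse_export(xml_text):
    """Return the Me characteristics, the sorted list of data sources and per-type stats."""
    root = ET.fromstring(xml_text)
    me_el = root.find("Me")
    me = {short_name(k): v for k, v in me_el.attrib.items()} if me_el is not None else {}
    sources = set()
    stats = defaultdict(lambda: {"count": 0, "min": None, "max": None, "unit": None,
                                 "first": None, "last": None})
    for rec in root.iter("Record"):
        sources.add(rec.get("sourceName", ""))
        s = stats[short_name(rec.get("type", ""))]
        s["count"] += 1
        s["unit"] = rec.get("unit")
        try:
            value = float(rec.get("value"))
        except (TypeError, ValueError):
            continue  # category records (e.g. sleep analysis) carry non-numeric values
        s["min"] = value if s["min"] is None else min(s["min"], value)
        s["max"] = value if s["max"] is None else max(s["max"], value)
        start = rec.get("startDate")
        # Dates share one fixed-width format, so string comparison orders them correctly.
        s["first"] = start if s["first"] is None else min(s["first"], start)
        s["last"] = start if s["last"] is None else max(s["last"], start)
    return {"me": me, "sources": sorted(sources), "stats": dict(stats)}


if __name__ == "__main__":
    result = parse_export(SAMPLE_EXPORT)
    print("characteristics:", result["me"])
    print("sources:", result["sources"])
    for name, s in result["stats"].items():
        print(f"{name}: {s['count']} records, {s['min']}..{s['max']} {s['unit']}, {s['first']} .. {s['last']}")
```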
APPLE HEALTH - RAW EXPORT
IN EXAMPLES & DETAILS
HEALTHCARE
SUMMARY
The Apple Health app is well protected
Basic info - date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
Exported data is not protected at all
The list of app sources & these apps' data are not well protected
PICOOC MINI (BT) –
BODY COMPOSITION SMART SCALE
• Fat indexes: visceral fat index, body fat
• Mass: body weight, bone mass, muscle, skeletal muscle
• Productivity: BMR, body water, protein, metabolic age
• Delta: tracking changes, charts, reports
PICOOC MINI (BT) –
BODY COMPOSITION SMART SCALE
• BT logs: peripheral info of nearby devices, and the MAC of the scale itself (PICOOC scale)
• Body scale values: body, muscles, productivity, date & time, device MAC
• Dev info: MAC, model name, user ID, device picture
• Friends info: name, account_id, user_id, phone_id, sex (they have to be PICOOC users)
• User info: nickname, userID, height, age, sex, race, type
• Sensor values: time, age, OS, race, type, screen size, mobile device info (model), environment, language
• Preferences: local password, unlocking method, last active day
PICOOC BT LOGS
PICOOC/DOCUMENTS/BLUETOOTHLOG.TEXT
• Discover indirectly what devices your neighbours have
• 扫描到设备 means "device scanned"
• 04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ---- .
• 04-14 13:31:36:453 .扫描到设备 name:Peripheral Info:Name: honor band A1 RSSI: -84 UUID: 626E22D2-AE05-4695-A0D3-0099CF82DF96 ---- .
• 04-14 13:31:37:408 .扫描到设备 name:Peripheral Info:Name: PICOOC-CQ RSSI: -66 UUID: 8C8E3EDA-7B8C-189F-3865-0A3B9B2C5744 ---- .
• info.macAddress = D0:49:00:1D:87:8A
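An added example (not from the deck or the PICOOC app) of what a reviewer can reconstruct from this log once the app container has been backed up: it parses the scan lines into a per-device inventory and pulls out the scale's own MAC, which is the reason such a log should never be persisted in plaintext. The log text is constructed from the three lines quoted above plus one repeat sighting; the regular expression assumes the line layout shown on the slide.

```python
import re

# Constructed log in the layout of picooc/Documents/bluetoothlog.text: the three
# scan lines from the slide, one extra sighting of the scale, and the scale's own
# MAC in the "info.macAddress" form shown on the slide.
SAMPLE_LOG = """\
04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ---- .
04-14 13:31:36:453 .扫描到设备 name:Peripheral Info:Name: honor band A1 RSSI: -84 UUID: 626E22D2-AE05-4695-A0D3-0099CF82DF96 ---- .
04-14 13:31:37:408 .扫描到设备 name:Peripheral Info:Name: PICOOC-CQ RSSI: -66 UUID: 8C8E3EDA-7B8C-189F-3865-0A3B9B2C5744 ---- .
04-14 13:31:39:120 .扫描到设备 name:Peripheral Info:Name: PICOOC-CQ RSSI: -71 UUID: 8C8E3EDA-7B8C-189F-3865-0A3B9B2C5744 ---- .
info.macAddress = D0:49:00:1D:87:8A
"""

# 扫描到设备 = "device scanned"; the rest of the line is CoreBluetooth peripheral info.
SCAN_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d:\d{3}) \.扫描到设备 name:Peripheral Info:Name: "
    r"(?P<name>.*?) RSSI: (?P<rssi>-?\d+) UUID: (?P<uuid>[0-9A-F-]{36})"
)
MAC_RE = re.compile(r"info\.macAddress = (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})")


def parse_scan_log(text):
    """Aggregate scan lines per peripheral UUID and pull out the scale's own MAC."""
    peripherals = {}
    own_mac = None
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            uuid, rssi = m["uuid"], int(m["rssi"])
            entry = peripherals.setdefault(uuid, {
                "name": m["name"], "first_seen": m["ts"], "last_seen": m["ts"],
                "best_rssi": rssi, "sightings": 0})
            entry["sightings"] += 1
            entry["last_seen"] = m["ts"]
            entry["best_rssi"] = max(entry["best_rssi"], rssi)  # closer = higher RSSI
            continue
        m = MAC_RE.search(line)
        if m:
            own_mac = m["mac"]
    return {"own_mac": own_mac, "peripherals": peripherals}


def third_party_devices(parsed):
    """Names of devices that are not the scale itself: the neighbours' gear the log leaks."""
    return sorted(p["name"] for p in parsed["peripherals"].values()
                  if not p["name"].upper().startswith("PICOOC"))


if __name__ == "__main__":
    result = parse_scan_log(SAMPLE_LOG)
    print("scale MAC:", result["own_mac"])
    for uuid, p in result["peripherals"].items():
        print(f"{p['name']!r}: {p['sightings']} sightings, best RSSI {p['best_rssi']}, "
              f"{p['first_seen']} .. {p['last_seen']} ({uuid})")
    print("third-party devices:", third_party_devices(result))
```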
PICOOC BT LOGS
PICOOC/DOCUMENTS/BLUETOOTHLOG.TEXT
04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ----
Connect a Galaxy S7 to your Samsung TV with Bluetooth to have fun and spread your content
• TV with Bluetooth enabled & a Samsung Galaxy S7
• Open the notification pane on your handset
• Select Quick Connect and then Scan for nearby devices
• Select Register TV, tap the new icon with a TV and an arrow
• Tap the Share button and then Smart View to play any media you play on your phone on the TV
BODY VALUES
PICOOC/DOCUMENTS/PICOOC.SQLITE
CREATE TABLE `body_indexs` (
  `id`, `weight`, `body_fat`, `visceral_fat_level`, `muscle_race`, `body_age`,
  `bone_mass`, `basic_metabolism`, `bmi`, `local_time`, `water_race`, `abnormal`,
  `day_intValue`, `time_period`, `electric_resistance`, `mac`,
  `body_fat_reference_value`, `skeletal_muscle`
);
PICOOC
DEVICE AND PREFERENCES
Dev info - picooc/Documents/picooc.sqlite
Preferences - picooc/Library/Preferences/com.picooc.international.plist
  <key>PasswordLockType</key>
  <integer>2</integer>
  <key>PasswordNumherLockContnet</key>
  <string>7124</string>
  <key>currendDay</key>
  <string>20180922</string>
  <key>kStartupUserIdKey</key>
  <integer>4611483</integer>
USER BASIC INFO – MAIN USER
PICOOC/DOCUMENTS/PLISTFILEUSERINFO.PLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>nickName</key>
<string>Yury Chemerkin</string>
</dict>
</plist>
USER EXTENDED INFO – LAST ADDED USER ONLY
PICOOC/LIBRARY/SENSORSANALYTICS-SUPER_PROPERTIES.PLIST
Key                          Value            Translation
current_age_characteristic   3                as is
current_role_is_athlete      false            as is
current_role_height          178              as is
current_language             英语             English
current_role_age             58               as is
current_role_sex             男               Man
app_type                     PICOOC国际版     PICOOC Worldwide Version
time_zone                    Europe/Moscow    as is
current_role_race            白               White
current_role_type            使用者           User
PICOOC SENSOR VALUES
PICOOC/LIBRARY/SENSORSANALYTICS-MESSAGE-V2.PLIST.DB
• {"time":1537632555035,"_track_id":2682421375,"event":"$AppStart","distinct_id":"9144339",
  "properties":{"current_role_age":30,"$os":"iOS","current_role_race":"白","current_role_type":"主角色",
  "current_role_is_athlete":false,"$screen_width":320,"event_type":"1","$app_version":"3.6.1",
  "current_age_characteristic":3,"$is_first_day":false,"$model":"iPhone8,4",
  "$device_id":"EC640161-EC87-4A90-AD99-5B29A3F86700","$network_type":"WIFI","$carrier":"Mobile TeleSystems",
  "$resume_from_background":true,"$wifi":true,"current_role_height":184,"current_language":"英语",
  "$screen_height":568,"app_type":"PICOOC国际版","time_zone":"Europe/Moscow","$lib_version":"1.9.3",
  "$os_version":"12.0","$is_first_time":false,"$lib":"iOS","$manufacturer":"Apple","current_role_sex":"男",
  "current_role_id":"9144339"},"type":"track",
  "lib":{"$lib_version":"1.9.3","$lib":"iOS","$app_version":"3.6.1","$lib_method":"code"}}
PICOOC
MITM - NOT SSL-PINNED
• Profile URL (publicly accessible)
  https://cdn2.picooc.com/head/201810/03/20181003_181034000_50589.png
• Request URL - https://api2.picooc-int.com/v1/api/role/updateRole?sign=3DCE33B1B07E4639394F555F1D95C623&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538579449&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_role&
• Same image (publicly accessible) https://picoocheadportrait.oss-cn-beijing.aliyuncs.com/head%2F201810%2F03%2F20181003_181034000_50589.png
• Request URL - https://picoocheadportrait.oss-cn-beijing.aliyuncs.com
PICOOC
MITM - NOT SSL-PINNED
https://api2.picooc-int.com
GET /v1/api/email/getVerifyStatus?appver=i3.6.1.0&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&lang=en&method=meishayong&os=iOS&push_token=iOS%3A%3AEC640161-EC87-4A90-AD99-5B29A3F86700&roleId=9144339&sex=1&sign=5FB8BF2A5A7664591ECFFC52F5810E84&stimezone=Europe/Moscow&timestamp=1538579363&userId=4611483&verifyUserId=4611483&version=i3.6.1&webver=6 HTTP/1.1
PICOOC
MITM - NOT SSL-PINNED
https://api2.picooc-int.com/v1/api/role/updateRole?sign=2A082A983A3238FBEA7B66AEBF88B706&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538580721&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_role&
PICOOC
MITM - NOT SSL-PINNED
https://api2.picooc-int.com/v1/api/account/updateUserPassword?sign=41EE8B396970992A85E9259B134B96BE&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538581202&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_user_password&
PICOOC
SUMMARY
Body indexes and day-by-day changes
• Fat indexes, mass
• Productivity, delta
Dev info, friends' results, user data
Network
• Data stored on Alibaba servers
• Profile, device info, credentials; additionally the password on the password-change tab
• Bonus: Bluetooth scanner of nearby devices
Preferences: local password, unlocking method, last active day
~30 mHEALTH APPS
Apps:
• Google Fit
• MyFitnessPal
• RunKeeper - GPS
• Nike+ Running
• WebMD
• Blood Pressure (BP) Watch
• Water Your Body
• Instant Heart Rate
• Drugs.com Medication Guide
• Runtastic Pedometer
• Noom Walk Pedometer: Fitness
• Strava Running and Cycling GPS
• Bleep Fitness Test
• Fitness Buddy: 300+ Exercises
• BodySpace- Social Fitness
• Walk with Map My Walk
• Endomondo Running Cycling Walking
• FitNotes – gym Workout Log
• Period Calendar
• Period Tracker
• My Pregnancy Today
• My Baby Today
• Calorie Counter by FatSecret
• MyNetDiary Calorie Counter PRO
• My Diet Diary Calorie Counter
• Calories! Basic – cal counter
• Calorie Counter
• Lifesum- Calorie Counter
Artifacts examined:
• User credentials and PINs
• Personal details of users
• User activities
• User location
• Activity timestamps
• Images
~30 mHEALTH APPS
MYFITNESSPAL
• User profile pics - com.myfitnesspal.android/cache/Picasso-cache
• User profile pics - /sdcard/
• /data/data/com.myfitnesspal.android/databases/myfitnesspal.db
  • User details including time zone, gender, date of birth and email - in tables <user_properties, users> (see the picture)
  • User profile pictures - in table <images>
  • User personal notes - in table <diary_notes>
  • User records of exercises, food habits and personal measurements - in tables <exercise_entries; exercises; food_entries; foods; measurement_types; measurements>
  • User's last items synced with the server - in table <last_sync_pointers>
  • User food search history - in table <search_history>
~30 mHEALTH APPS
RUNKEEPER
• User profile pics - fitnesskeeper.runkeeper.pro/cache/Picasso-cache
• fitnesskeeper.runkeeper.pro/databases/RunKeeper.sqlite
  • User details including activities, trips
  • Trips deleted by the user - in table <deleted_trips>
  • Activities posted by the user - in table <feed>
  • List of the user's friends - in table <friends>
  • Images uploaded during trips by the user - in table <status_updates>
  • User settings for each trip - in table <trip_settings>
  • Places visited during all the trips - in table <points>
  • Information about each trip - in table <trips>
  • More tables
• The points table locates the map coordinates of a user's route
~30 mHEALTH APPS
PERIOD CALENDAR
• Personal info – /data/data/fitnesskeeper.runkeeper.pro/databases/PC.db. Tables:
  • User - list of the users with passwords (plaintext passwords, secret questions and answers)
  • Period - period start time and length for users
  • Note - diary notes inserted by users
• Personal info – /data/data/fitnesskeeper.runkeeper.pro/databases/PC_PILL.db. Tables:
  • pill - pills used by users including date and time
  • pill_record - details about the pills
~30 MEDICAL/FITNESS/HEALTH APPS
 User credentials: apps may require users to log in with credentials (e.g. username and password, PIN, authentication tokens) before they can be used. Credentials are therefore an artefact forensic investigators should look for during app forensics (e.g. determine whether the credentials are stored in, and can be recovered from, the app's databases).
 User personal details: name, gender, date of birth, email address, height, weight and other personal data help forensic investigators positively identify the app or device user.
 User activities: mHealth apps ask users to enter their day-to-day food habits, health conditions, activity or exercise details, diagnoses, medication and symptoms, etc.
 User location: fitness apps let users track their exercise, running, jogging, cycling and other activities. These apps generally store the geographical coordinates of the user's location during these activities, which can provide useful evidence to investigators.
 Activity timestamps: another important artefact is the timestamp of the user activity. For example, linking activity timestamps with the corresponding user locations (e.g. geographical coordinates) and other relevant information (e.g. CCTV feeds) provides useful information in an investigation.
 Images: this artefact includes profile images and images taken and posted from a location.
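The artefact classes above are what a first pass over an app database is looking for. The script below is an added example, not code from the deck or from any of the apps listed: it opens a SQLite file such as RunKeeper.sqlite or PC.db read-only, walks every table and column, flags the columns whose names suggest credentials, personal details, locations, timestamps or images, keeps the first stored value as a sample, and checks whether a credential looks like plaintext rather than a hash or token. The column-name patterns are assumptions about common naming, and the database built by build_sample_db() is constructed here to mirror the slide descriptions (its schema is invented, not dumped from a real app).

```python
"""Triage an mHealth app's SQLite database for the artefact classes above (added example)."""
import os
import re
import sqlite3
import tempfile

# Artefact class -> pattern tried against each column name (assumed naming conventions, not a spec).
PATTERNS = {
    "credentials": re.compile(r"pass(word|wd)?|pin|token|secret|answer", re.I),
    "personal": re.compile(r"email|name|gender|sex|birth|dob|height|weight", re.I),
    "location": re.compile(r"lat|lon|lng|gps|coord|place", re.I),
    "timestamp": re.compile(r"time|date|stamp", re.I),
    "image": re.compile(r"image|photo|picture|thumb", re.I),
}


def looks_plaintext(value):
    """Crude heuristic: long hex digests and long base64 blobs are hashes/tokens; anything else is plaintext."""
    if not isinstance(value, str) or not value:
        return False
    if re.fullmatch(r"[0-9a-fA-F]{32,}", value) or re.fullmatch(r"[A-Za-z0-9+/]{40,}={0,2}", value):
        return False
    return True


def triage(db_path):
    """Return {artefact_class: [(table, column, sample_value), ...]} for one SQLite file."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)  # never write to evidence
    findings = {cls: [] for cls in PATTERNS}
    tables = [row[0] for row in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [row[1] for row in con.execute(f'PRAGMA table_info("{table}")')]
        first_row = con.execute(f'SELECT * FROM "{table}" LIMIT 1').fetchone()
        for index, column in enumerate(columns):
            sample = first_row[index] if first_row else None
            for cls, pattern in PATTERNS.items():
                if pattern.search(column):
                    findings[cls].append((table, column, sample))
    con.close()
    # Credentials stored as-is are the worst case the slides describe (Period Calendar's User table).
    findings["plaintext_credentials"] = [hit for hit in findings["credentials"] if looks_plaintext(hit[2])]
    return findings


def build_sample_db(path):
    """Constructed sample in the spirit of the PC.db 'User' and RunKeeper 'points'/'status_updates' tables."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE User(id INTEGER, email TEXT, password TEXT, secret_question TEXT, secret_answer TEXT);
        INSERT INTO User VALUES(1, 'jane@example.com', 'hunter2', 'first pet', 'rex');
        CREATE TABLE points(trip_id INTEGER, latitude REAL, longitude REAL, time_ms INTEGER);
        INSERT INTO points VALUES(7, 55.8001, 37.5655, 1538588872000);
        CREATE TABLE status_updates(trip_id INTEGER, image_uri TEXT);
        INSERT INTO status_updates VALUES(7, '/sdcard/DCIM/run_7.jpg');
    """)
    con.commit()
    con.close()


def demo():
    """Build the constructed sample in a temp dir and triage it."""
    path = os.path.join(tempfile.mkdtemp(), "PC.db")
    build_sample_db(path)
    return triage(path)


if __name__ == "__main__":
    for cls, hits in demo().items():
        print(cls, hits)
```

Run it against a real database pulled from a device (a backup or a jailbroken/rooted filesystem) by calling triage() with that path; the name-based matching is only a starting point, so every hit still needs the row contents inspected by hand.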
~30 MEDICAL/FITNESS/HEALTH APPS
Artefacts recoverable per app. N / P / F as on the slides, read here as none / partial / full (an interpretation; the legend is not printed on the deck).

App                                 Credentials  Personal  User        User      Activity    Images
                                    and PINs     details   activities  location  timestamps
Google Fit                          N            N         P           N         F           N
MyFitnessPal                        P            F         F           N         F           F
RunKeeper - GPS                     N            N         F           F         F           N
Nike+ Running                       N            F         F           N         F           F
WebMD                               N            N         P           N         N           N
Blood Pressure (BP) Watch           N            P         F           N         F           N
Water Your Body                     N            N         F           N         N           N
Instant Heart Rate                  N            N         N           N         N           N
Drugs.com Medication Guide          N            F         N           N         P           N
Runtastic Pedometer                 N            N         F           N         F           N
Noom Walk Pedometer: Fitness        N            N         F           N         F           F
Strava Running and Cycling GPS      N            F         F           F         F           N
Bleep Fitness Test                  N            F         F           N         P           N
Fitness Buddy: 300+ Exercises       N            N         F           N         F           N
BodySpace - Social Fitness          N            F         F           N         P           F
Walk with Map My Walk               N            F         F           F         F           P
Endomondo Running Cycling Walking   N            N         F           F         F           F
FitNotes - Gym Workout Log          N            N         F           N         P           N
Period Calendar                     F            F         F           N         P           N
Period Tracker                      N            N         F           N         P           N
My Pregnancy Today                  P            N         N           N         N           F
My Baby Today                       N            F         N           N         P           N
Calorie Counter by FatSecret        N            N         F           N         P           N
MyNetDiary Calorie Counter PRO      N            N         N           N         N           F
My Diet Diary Calorie Counter       N            P         F           N         F           N
Calories! Basic - cal counter       N            N         P           N         F           N
Calorie Counter                     N            F         F           N         F           N
Lifesum - Calorie Counter           N            P         F           N         F           F
~30 MEDICAL/FITNESS/HEALTH APPS
AVERAGE ISSUE INDEX (THE HIGHER THE VALUE, THE MORE DATA IS STORED LOCALLY)
[Bar chart, axis 0-10, one bar per app in the order of the tables above. The 28 bar values equal the per-app tables scored N=0, P=1, F=2 and summed over the six artefact columns; that scoring is inferred from the values, not a legend printed on the slide.]
Google Fit 3, MyFitnessPal 9, RunKeeper - GPS 6, Nike+ Running 8, WebMD 1, Blood Pressure (BP) Watch 5, Water Your Body 2, Instant Heart Rate 0, Drugs.com Medication Guide 3, Runtastic Pedometer 4, Noom Walk Pedometer 6, Strava Running and Cycling GPS 8, Bleep Fitness Test 5, Fitness Buddy 4, BodySpace 7, Walk with Map My Walk 9, Endomondo 8, FitNotes 3, Period Calendar 7, Period Tracker 3, My Pregnancy Today 3, My Baby Today 3, Calorie Counter by FatSecret 3, MyNetDiary Calorie Counter PRO 2, My Diet Diary Calorie Counter 5, Calories! Basic 3, Calorie Counter 6, Lifesum 7
HEALTHCARE
SUMMARY
The native Health app is well protected, but the basic information is not
 Basic info - date of birth, sex, blood group, skin type, height (cm) and mass (kg)
 Exported data is not protected at all
Source apps (medical, fitness, health, …)
 Data contains everything: GPS, timestamps and lots of day-by-day changes
 Usually store data locally, but basic network activity is intercepted and credentials are obtained
Pseudo-health apps – usually leave the user to handle all the data himself
 Friend list, credentials, secret questions & answers
 Body values, timestamps, visited places & geo
 Medical periods, schedules, pills and so on
 Preferences, searches
APPLE TV – FIVE GENERATIONS
Mac OS X, iOS, tvOS
Common ways to break in
Jailbreak tools
Password management
USB acquisition
Backup
Jailbroken acquisition
Profiling
APPLE TV – 1ST GENERATION
EASY TO BREAK
The first edition of the Apple TV, with Mac OS X & an HDD, makes breaking in much easier
All possible ways to break into the first Apple TV, 8 years ago:
 "Hacking the Apple TV and Where Your Forensic Data Lives", Kevin Estis and Randy Robbins, Def Con 2009
https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-kevin_estis-apple_tv.pdf
https://www.youtube.com/watch?v=z-WCy3Bdzkc
APPLE TV – 2ND-5TH GENERATION
EASY TO BREAK TOO
 Break in the same way as into any other Apple mobile device (iPhone, iPad)
 Backups contain valuable data (forensic tools work too)
 Find a jailbreak to obtain the whole OS
 Look for user content: Netflix, iTunes, NHL, NBA, Vimeo, YouTube
 Get access to app data and reveal credentials and cards – depends on the application
 Why is an Apple TV jailbroken (why do people jail it)?
An outdated, compromised Apple TV 2 with OpenSSH and the default password
https://www.tvaddons.co/appletv2-jailbreak-threat/
Direct filesystem access and file management beyond backups & cloud
Streaming media from devices beyond AirPlay or iOS devices
Sideloading third-party tools
 Kodi, Hulu, Last.fm, XBMC, Nito TV, Pandora Radio and other apps
 Don't pay $100 for a dev license and get access to hundreds of music, TV and movie sources
APPLE TV
DATA EXAMINATION & FORENSICS
 Apple TV jailbreak support: https://pangu8.com/appletv.html
 Apple TV 1 – scripts, SSH, HD extraction and other ways
 Apple TV 2 – Seas0nPass jailbreak for Apple TV Software 4.3 - 5.3 (untethered) & 6.1.2 (tethered)
 Apple TV 3 – no jailbreak, many scams; the Snow3rd jailbreak probably works for 5.0 and 5.0.1, but not beyond 5.0.2
 Apple TV 4
 Pangu9 jailbreak for tvOS 9.0 - 9.0.1
 LiberTV jailbreak for tvOS 9.1 - 10.1
 GreenG0blin jailbreak for tvOS 10.2.2
 Apple TV 4 / 5
 LiberTV jailbreak for tvOS 11.0 and 11.1
 Electra jailbreak for tvOS 11.2 - 11.3
APPLE TV
DATA EXAMINATION & FORENSICS
 The USB port is reserved for "service and support" purposes
Gone since the Apple TV 5th gen (4K)
 No password management – we trust you, breakers 
 Seriously, no password or passcode protection at all! Restrictions instead:
Use Restrictions on your Apple TV https://support.apple.com/en-md/HT200198
Everything is allowed by default
Restrictions block purchases, apps, content, settings and remote pairing behind a passcode
(nobody blocks pairing, usually)
The account password is required for purchases, as on any Apple device
(https://support.apple.com/en-us/HT204030)
APPLE TV – 2ND – 4TH GEN
USB ACQUISITION (USB, MICRO-USB, USB-C)
5TH GEN IS OUT OF SCOPE (NO USB)
The AFC (Apple File Conduit) service works here
 /private/var/mobile/Media
USB acquisition gives:
 Basic device information
 Real-time log (syslog), crash logs
 Part of the file system (the "Media" folder)
Device information
 MAC addresses – Wi-Fi, Bluetooth, Ethernet
 Name, timezone, serial ID, model
ideviceinfo, idevicesyslog http://www.libimobiledevice.org/
APPLE TV
BACKUP
 Real Time Log
 Crash Log
 MediaLibrary.sqlitedb
 iCloud Account Name
 iCloud ID
 Wi-Fi networks
 Device usage timeline
 Shopping database
APPLE TV – 2ND – 5TH GEN
JAILBREAK
Timezone
 /private/var/db/timezone/localtime
Network TCP/IP leases
 /private/var/db/dhcpclient/leases/
Network Wi-Fi history
 /private/var/preferences/com.apple.wifi.plist
Keyboard dictionary
 /private/var/mobile/library/keyboard/dynamic-text.dat
Accounts
 /private/var/mobile/library/accounts/
 /private/var/mobile/library/preferences/com.apple.ids.service.com
User info: email + phone
yury.chemerkin@icloud.com
+79851719122
Network
iCloud synced preferences
 /var/mobile/Library/SyncedPreferences/
Wi-Fi access points
 com.apple.wifid.plist
Weather cities
 com.apple.nanoweatherprefsd.plist
Moskva, Lianozovo District
55.800149, 37.565483
Headboard
 /private/var/mobile/library/com.apple.headboard/apporder.plist
 /private/var/mobile/library/caches/com.apple.tviconscache/com.apple.headboard
 /private/var/mobile/library/caches/com.apple.headboard/fscacheddata
App snapshots
 /private/var/mobile/library/caches/com.apple.pineboard/assetlibrary/snapshots/
Cached video
 /private/var/mobile/library/caches/appletv/video/
Installed applications
 /private/var/db/lsd/com.apple.lsdidentifiers.plist
 /private/var/mobile/containers/bundle/
 /private/var/mobile/containers/data/application/
Country, last activity; app snapshots (YouTube)
APPLE TV – ANY GEN
PROFILING AS A KIND OF PROTECTION
TV Remote payload
The TV Remote payload is designated by the PayloadType value com.apple.tvremote. If the allow-list is not present, or is empty, any device is allowed to connect.
Availability: tvOS 11.3 and iOS 11.3 and later
 AllowedRemotes
 AllowedTVs
 RemoteDeviceID
 TVDeviceID
https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf
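Since an absent or empty list means any remote may pair, the profile is only a protection when the allow-lists are actually populated. The script below is an added example, not code from the deck or from Apple: it builds a configuration profile (.mobileconfig plist) with the TV Remote payload, using the AllowedRemotes/RemoteDeviceID and AllowedTVs/TVDeviceID keys the slide lists, and checks a given profile for the weak case. The payload identifiers and the device IDs in the demo are made up.

```python
"""Apple TV pairing allow-list via the com.apple.tvremote payload (added example)."""
import plistlib
import uuid


def tvremote_payload(remote_ids, tv_ids):
    """The com.apple.tvremote payload dictionary (keys as on the slide)."""
    return {
        "PayloadType": "com.apple.tvremote",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.tvremote",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "TV Remote allow-list",
        "AllowedRemotes": [{"RemoteDeviceID": rid} for rid in remote_ids],
        "AllowedTVs": [{"TVDeviceID": tid} for tid in tv_ids],
    }


def build_profile(remote_ids, tv_ids):
    """Wrap the payload in a top-level Configuration profile and serialise it as XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.appletv.pairing",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Apple TV pairing restriction",
        "PayloadContent": [tvremote_payload(remote_ids, tv_ids)],
    }
    return plistlib.dumps(profile)


def _tvremote(profile_bytes):
    """Find the TV Remote payload inside a serialised profile, or None."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.tvremote":
            return payload
    return None


def allows_any_remote(profile_bytes):
    """The weak case from the slide: no TV Remote payload, or AllowedRemotes absent/empty."""
    payload = _tvremote(profile_bytes)
    return payload is None or not payload.get("AllowedRemotes")


def allowed_remote_ids(profile_bytes):
    payload = _tvremote(profile_bytes) or {}
    return [entry["RemoteDeviceID"] for entry in payload.get("AllowedRemotes", [])]


def allowed_tv_ids(profile_bytes):
    payload = _tvremote(profile_bytes) or {}
    return [entry["TVDeviceID"] for entry in payload.get("AllowedTVs", [])]


if __name__ == "__main__":
    # Made-up device IDs; a real deployment uses the IDs of the devices that are allowed to pair.
    data = build_profile(["REMOTE-ID-EXAMPLE-1"], ["TV-ID-EXAMPLE-1"])
    with open("tvremote.mobileconfig", "wb") as fh:
        fh.write(data)
    print("any remote allowed:", allows_any_remote(data))
```

The generated file is installed on the Apple TV through the usual profile channels (Apple Configurator or an MDM); the check function is the one to run over profiles already deployed, because a profile that carries the payload with an empty list looks configured but restricts nothing.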
APPLE TV
SUMMARY
Lots of jailbreaks
 Except for the Apple TV 3
 The Apple TV 1 is based on Mac OS X, so breaking in works the same way as on a Mac
Password management
 No password
 No restrictions by default
 Restrictions handle content only
Apple TV 2 – 5
 Apple TV 2 – 4 are equipped with USB, which gives device info, syslog, crash logs and the Media folder
 The Apple TV 5 has no USB port
Jailbroken TV
 Timezone, network info & history, keyboard & account info
 iCloud preferences, Wi-Fi access points and the weather city list make it easy to reconstruct the user's location
 TV UI – Headboard, app snapshots, cached video
 App list, app data, app snapshots
AMAZON TV: PREREQUISITES
Amazon Fire TV Stick
Amazon account plus other accounts per app
MITM is out of scope, but wait for the Amazon Echo Dot 
Forensic tools (no support at the moment)
Known ways to break in
Root
Data acquisition (streaming, photos, apps, sideloaded Android apps)
AMAZON TV
BREAK OPPORTUNITIES
No support from forensic tools
Sideloading is allowed; ADB exists and is off by default
Rooting
Many root apps (like KingRoot) are around for outdated Fire OS versions such as 5.0.5, but not limited to it
Rooting requires a keyboard; there is no support for the TV remote
Use the dd command to obtain an image of the Fire TV
AMAZON TV
ROOT, BOOTLOADER, SIDELOADING
Non-root things
 Sideloading is allowed without root, as on Android
 Bootloader: 51.1.x.x – unlocked; 5.x.x.x – locked, but 5.0.x is unlockable (no info about older versions)
 Downgrading might be possible
Roots
 Fire TV 1 – rootable on 51.1.0.0 - 51.1.6.3, 5.0.3, 5.0.5; no root for 5.0.5.1, 5.2.1.0 - 5.2.6.3
 Fire TV 2 – rootable on 5.0.0 – 5.2.1.1; no root for 5.2.4.0 – 5.2.6.3
 Fire TV 2 – 5.2.6.6 – pre-rooted ROM (http://www.aftvnews.com/pre-rooted-5-2-6-6-rom-is-now-available-for-the-fire-tv-2/)
 Fire TV 3, Fire TV Cube – no root and no pre-rooted ROM
 Fire TV Stick 1 – rootable on 5.0.0 - 5.2.1.1; no root for 54.1.2.3 and older, 5.2.1.2 - 5.2.6.3
 Fire TV Stick 2 – no root, except hardware rooting via direct access to the device's eMMC storage (http://www.aftvnews.com/amazon-fire-tv-hardware-root-demonstrated/)
 Fire TV Edition television – rootable on 5.2.5.0; no root for 5.2.5.1 - 5.2.6.3
AMAZON TV
ROOTED TV
 browser.db – browser history & websites visited using Mozilla Firefox
 [root]/data/com.amazon.bueller.photos/files/cmsimages – pictures from Amazon Cloud Drive, reformatted for better viewing, up to the Fire TV Stick
 [root]/data/com.amazon.device.controllermanager/databases/devices – Bluetooth devices paired with the Fire TV, with their names and MACs (such as keyboard, mouse, Amazon Fire TV remote)
 [root]/data/com.amazon.device.logmanager/files – Amazon logs, including Log.amazonmain
AMAZON TV
ROOTED TV
 /data/data/ = all application data is stored in this directory
 com.amazon.venezia/ = Amazon Appstore data
/cache/ = thumbnails & previews for Appstore apps
/databases/ = sqlite files in each folder
/contentProvider = table "Apps" contains app names ("key") with their related thumbnails ("thumbnailUri") and previews ("previewUri") found in the ../cache directory
/locker = workflow, orders, wishlist, applications, cache, content tokens
/logging = logs for the Appstore application
 com.android.cloud9/ = Amazon browser data
/cache/webviewcache/ = any cached data
/databases/ = sqlite files in each folder
/webview.db = WebView cookies & form data
/webviewCache.db = association of files in the ../cache/webviewcache/ directory to URLs
/browser.db = history & bookmarks; also holds paths to page previews and thumbnails stored in ../files
/files/ = page previews & thumbnails stored as JPEG (cross-link to 'browser.db' above)
/shared_prefs = preferences for cross-access
 com.amazon.providers.contacts/databases/contacts2.db = all contacts
FORENSIC ANALYSIS METHOD FOR
THE AMAZON FIRE TV STICK
AMAZON TV: SUMMARY
 Several older firmwares are affected by rooting tools
 Rooting requires a BT keyboard, which is not a big deal for a TV
 Sideloading is allowed without root
 ADB is possible
 Downgrading the Fire TV Stick software/firmware might be possible
 Personal data is revealed
 Credentials of streaming services are found
Netflix, NHL, NBA, Vimeo, … Kodi to get access to hundreds of music, TV and movie sources
 No way to restrict connections and bind the TV and a device to each other only
 Fire OS 5.x is based on Android 5.1.1 Lollipop, 6.x on Android 7.1 Nougat
AMAZON ECHO DOT
• Pictures and specification
AMAZON ECHO DOT
Local access
Bootloader
MITM: SSL, MITM, Firmware MITM
Credentials breaks
AMAZON ECHO DOT
LOCAL ACCESS, LACK OF ROOT
 Alexa doesn't expose ADB, but it does have a MediaTek preloader
 Bus 001 Device 010: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
 However, SP Flash Tool does not work at the moment
 Bootloader – press and hold 'Uber' while it boots, but the bootloader is locked and no unlock key is available
 Bus 001 Device 019: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo
 # fastboot devices
fastboot
 # fastboot getvar all
lk_build_desc: c1…..
prod: 1
unlock_status: false
serialno: […..]
product: BISCUIT
version-preloader: 0.1.00
version: 0.5
AMAZON ECHO DOT
MITM. WHAT ABOUT SSL?
Self-signed certificates are allowed on Alexa for developers
 https://developer.amazon.com/docs/custom-skills/configure-web-service-self-signed-certificate.html
 https://www.amazon.com/gp/help/customer/display.html?nodeId=201589180
Change the endpoint configuration and region
Make your Alexa install the certificate of the intercepting tool
 No luck: the Echo Dot itself rejects it 
 Try the Alexa app instead, which comes preinstalled on Kindle Fire tablets or can be downloaded for Android or iOS devices (!)
AMAZON ECHO DOT
MITM. FIRST-TIME SETUP
 Navigate via browser to https://alexa.amazon.com
 Up to the end of 2017 the redirect to the Alexa setup was an http URL (!)
 Expected credentials stolen in plaintext and a session cookie expiring in 2036, as before, but no luck now
Before
 POST /ap/signin?ie=UTF8&pf_rd_r=yyyyyyy&pf_rd_m=xxxxxx&pf_rd_t=6301&pf_rd_i=amzn_dp_project_dee&pf_rd_p=xxxxx&pf_rd_s=signin-slot HTTP/1.1
 Host: www.amazon.com
 Content-Length: 1349
 "name": "Set-Cookie",
 "value": "session-token="xx/y//zz=="; Version=1; Domain=.amazon.com; Max-Age=630720000; Expires=Sat, 01-Nov-2036 22:39:37 GMT; Path=/"
 (Max-Age 630720000 seconds is 20 years)
Now
 HTTPS prevents the MITM attack
 The certificate expires every 2 years
AMAZON ECHO DOT
MITM. FIRMWARE
Intercepting firmware updates is possible
Here is the firmware .bin HTTP request
 GET /obfuscated-otav3-9/…/update-kindle-full_biscuit-XXXX_user_[XXXXXXXXX].bin HTTP/1.1
 Host: amzdigitaldownloads.edgesuite.net
 Connection: close
 User-Agent: AndroidDownloadManager/5.1.1 (Linux; U; Android 5.1.1; AEOBC Build/LVY48F)
The firmware contains build.prop = built as Android & has .APKs
 ro.build.version.fireos=5.5.0.3
 ro.build.version.fireos.sdk=4
Unencrypted .bin firmware
-rw-r--r-- boot.img; file_contexts
drwxr-xr-x images; META-INF
-rw-r--r-- ota.prop
drwxr-xr-x system
-rw-r--r-- system.new.dat; system.patch.dat; system.transfer.list
AMAZON ALEXA APP
The Alexa app has good, solid protection
No sensitive data stored locally
Well-encrypted communication (online, internal) using TLS 1.2
However, MITM is possible because SSL pinning is not used
 Credentials and all communication compromised
AMAZON ECHO DOT
ALEXA APP – MITM, NOT PINNED
Credentials
 {"Credentials":{"AccessKeyId":"ASIAXHE6EPSWNVIGFBVP","Expiration":1.538588872E9,"SecretKey":"+8gSx7/H.....U="},"IdentityId":"us-east-1:503e25f6-2302-4dcd-8cb2-64a0e888f76b"}
 Email and password from the POST to https://www.amazon.com/ap/signin
 Device info plus token
Metrics - https://device-metrics-us-2.amazon.com/metricsBatch
 HTTP_USER_AGENT: DAMZN(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)
 CountryCode: RU
Profile
 Name, billing address, shipping address
 Device IDs, types, account ID, device capabilities
The first answer, as .mp3 (https://tinytts.amazon.com/), is stored for a long time (at least a couple of months)
AMAZON ALEXA APP
LOCAL
 Library/Application Support/device.sqlite – device list with IDs, serials
 Library/METRICS_NORMAL* – logs & metrics; HTTP_USER_AGENT(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)
 Library/Preferences/com.amazon.echo.plist – account info
 Documents/LocalData.sqlite – device settings
AMAZON ECHO DOT
ALEXA APP
Alexa and Echo allow many users to manage devices
 Echo has no voice differentiation capability and no protection against non-human or repeated speech
Each device is locked with a 4-digit PIN
 The PIN space is ~10k values
 Two attempts, then the dialogue has to be restarted, but there is no limit on the total number of attempts
 Brute-force it in 2 days
How to break it
1. The computer says the wake word followed by the command to order an Amazon Echo Dot
2. Alexa responds with the top Amazon search result and asks whether the user wants to place the order
3. The computer confirms the order
4. Alexa asks for the 4-digit PIN
5. The computer guesses the next PIN in numerical order
6. Alexa accepts or rejects the PIN
7. The computer guesses the next PIN in numerical order
Repeat until it breaks  up to 48h max
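The weakness in the procedure above is that the lockout is scoped to one dialogue: two wrong guesses end the order, but nothing counts failures across dialogues. The simulation below is an added example, not code from the deck or from Amazon. PinOracle models the behaviour the slide describes, HardenedOracle is an assumed fix with a global failure cap, and brute_force() runs the numerical-order sweep against either. The per-guess and per-restart timings are assumptions used only to estimate wall-clock cost; the slide's own figure is "up to 48h".

```python
"""Echo voice-purchase PIN: per-dialogue lockout vs. a global failure cap (added example)."""

PIN_SPACE = 10_000
SECONDS_PER_GUESS = 8.0     # assumption: prompt, spoken digits and Alexa's verdict
SECONDS_PER_RESTART = 10.0  # assumption: re-issuing the order and the confirmation


class PinOracle:
    """Vulnerable policy as described on the slide: two failures end the dialogue, nothing more."""

    def __init__(self, pin):
        self._pin = f"{pin:04d}"
        self.failures_in_dialogue = 0
        self.guesses = 0
        self.restarts = 0

    def guess(self, candidate):
        self.guesses += 1
        if candidate == self._pin:
            return True
        self.failures_in_dialogue += 1
        if self.failures_in_dialogue >= 2:      # dialogue ends; attacker just starts a new order
            self.failures_in_dialogue = 0
            self.restarts += 1
        return False


class HardenedOracle(PinOracle):
    """Assumed fix: failures are counted across dialogues and the feature locks after MAX_FAILS."""

    MAX_FAILS = 5

    def __init__(self, pin):
        super().__init__(pin)
        self.total_failures = 0
        self.locked = False

    def guess(self, candidate):
        if self.locked:
            return False
        accepted = super().guess(candidate)
        if not accepted:
            self.total_failures += 1
            if self.total_failures >= self.MAX_FAILS:
                self.locked = True              # owner must re-enable in the app
        return accepted


def brute_force(oracle):
    """Steps 5-7 of the slide: try 0000, 0001, ... until accepted or locked out."""
    for n in range(PIN_SPACE):
        if oracle.guess(f"{n:04d}"):
            return f"{n:04d}"
        if getattr(oracle, "locked", False):
            return None
    return None


def estimated_seconds(guesses, restarts):
    return guesses * SECONDS_PER_GUESS + restarts * SECONDS_PER_RESTART


def worst_case():
    """Cost of a full sweep against the vulnerable policy: the PIN is the last candidate."""
    oracle = PinOracle(9999)
    brute_force(oracle)
    return oracle.guesses, oracle.restarts, estimated_seconds(oracle.guesses, oracle.restarts)


if __name__ == "__main__":
    guesses, restarts, seconds = worst_case()
    print(f"vulnerable: {guesses} guesses, {restarts} restarts, ~{seconds / 3600:.1f} h")
    hardened = HardenedOracle(1234)
    print("hardened:", brute_force(hardened), "locked after", hardened.guesses, "guesses")
```

With the assumed timings the full sweep costs 10000 guesses plus 4999 restarts, about 36 hours, which is inside the slide's 48-hour bound; the hardened oracle stops the same sweep after five guesses, which is the point: a per-dialogue limit without a global counter is not rate limiting.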
AMAZON ECHO DOT & ALEXA APP
SUMMARY
Intercepting firmware updates is possible
Alexa allows self-signed SSL certificates but does not accept a Burp/Charles certificate?
 True for the Echo Dot
 The Alexa app relies on TLS 1.2 but is affected by MITM with a self-signed certificate (no pinning)
Not everything is HTTPS
Fire OS is based on Android - https://en.wikipedia.org/wiki/Fire_OS
 ver 5.x – Android 5.1.1 Lollipop. Alexa is still on 5.x
 ver 6.x – Android 7.1 Nougat
Even hardware root is possible
https://vanderpot.com/Clinton_Cook_Paper.pdf
CONNECTED HOME
READYFORSKY
Backup
MITM: hub, remote
BT MITM: out of scope
READYFORSKY
Documents/R4S.sqlite
Device list, models, pairing text
Recipes per device (how to cook, basic details & requirements)
Username, email
User devices & MACs
READYFORSKY
MITM
 Firmware version – 2.29 - http://service2.readyforsky.com/firmware/list/148/["2.29"]
 Device picture - http://image-server.readyforsky.com/i/1899/200x200.png
 Recipes – black tea, green tea, others
 Do something with a kettle
 https://content.readyforsky.com/api/program/catalog/id:IN:90,97?locale=en
 "id": 90,
 "protocol_id": 0,
 "value": "BOILING", / HEATING
 "value": "40", | "value": "55", | "value": "70", | "value": "85", | "value": "95",
READYFORSKY
MITM
Credentials, password, tokens
 https://content.readyforsky.com/headless/change-password
 {"current_password": "1", "plainPassword": "1"}
 { "error": "invalid_grant", "error_description": "The access token provided is invalid."}
 { "access_token": "YjNhYmEwOWM1ZDcwYTk0ODU1ODhmZDZiMDRjNjA5NzUyN2YzM2VhNGUyMjBhYzc0ZjBhYWRhY2IzZmNjMzdiOA",
 "expires_in": 86400, "token_type": "bearer", "scope": "r4s", "refresh_token": "YzE4ZGUwN2NkMzdiMDBlYmM5NGQwMGVjYmU4YThkYTVkMGE1ZTc4ODQ2MDRkNjhhZWY4NGIxZjlkODRhZGI3MQ" }
READYFORSKY
MITM
User details - https://content.readyforsky.com/api/user/current
 "username": "yurychemerkin",
 "username_canonical": "yurychemerkin",
 "email": "yury.chemerkin@gmail.com",
 "last_login": null,
 "enabled": true,
 "locked": false,
 "expired": false,
 "id": 527679
Client Address 192.168.1.38:50654 | this port changes
Remote Address content.readyforsky.com/178.62.194.132:443 | fixed port
READYFORSKY
MITM
Device details
 https://content.readyforsky.com/api/device/user
 "name": "RK-G200S",
 "address": "E7:7F:BC:60:C2:2A",
 "name": "Gateway XIAOMI Redmi 4X",
 "address": "77d3efcf-f627-402e-bbed-4ee0c8290417",
REDMOND
SUMMARY
Communications & MITM
 App, hub, device IPs and ports including internal info; device info (name, model, network info)
 Actions, recipes, to-do
 Credentials, password, tokens
 User details & login details
Local
 Device list, models, pairing text
 Recipes per device (how to cook, basic details & requirements)
 Username, email
 User devices & MACs
LIGHTING
Lightify
IKEA TRÅDFRI
Philips Hue
LIGHTIFY
 Lightify is an IoT platform offering the simplest integration of wireless lighting
 A Lightify account is needed
 Online communication uses the QUIC protocol, encrypted over UDP
 Wireshark did not support QUIC decryption at the time of writing, and the drafts at tools.ietf.org/wg/quic are not very detailed on the ciphers
 The Lightify gateway communicates locally over TCP completely unencrypted, via a binary protocol https://github.com/noctarius/lightify-binary-protocol#basics-about-the-protocol; here is a plugin to manage the lights: https://github.com/tfriedel/python-lightify
 Credentials are stored in a local folder – shared preferences
IKEA TRÅDFRI
Smart lighting and an assistant app to control it
No online communication except firmware requests, in plaintext
 GET http://fw.ota.homesmart.ikea.net/feed/version_info.json
 User-Agent: HertzClient/1.0
 Host: fm.ota.homesmart.ikea.net
 Connection: close
 Response: no response
Local communication is DTLS (TLS over UDP)
 Pairing via QR code (serial number = MAC address, security code = pre-shared key)
 The QR code can be revealed for further decryption
Locally stored data
 The QR code is stored encrypted in the keystore – root is needed to access it
 The keystore doesn't work on outdated Android (< 4.3)
 For outdated Android the APK ships AES encryption with the key "Bar12345Bar12345" as a resource in "key_file.txt"
 The issue here is a patched APK with the strong encryption removed
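Both the Echo Dot firmware fetch shown earlier and the IKEA version check above are plain HTTP, which is what lets an on-path attacker substitute firmware. The script below is an added example, not code from the deck or from Amazon/IKEA: it parses captured HTTP request blocks (request line plus headers, blank-line separated) and reports firmware-looking URLs fetched without TLS, Host headers that disagree with the URL host, and fetches issued by Android's DownloadManager. SAMPLE_LOG is constructed here; it reuses the header values shown on the slides, but the path tokens marked EXAMPLE stand in for the obfuscated parts and the third request is a synthetic HTTPS control.

```python
"""Flag firmware/OTA downloads that go out over plaintext HTTP (added example)."""
import re
from urllib.parse import urlsplit

# Path/host fragments that usually mean a firmware or OTA fetch (assumed heuristics).
FIRMWARE_HINTS = re.compile(r"\.bin(\?|$)|[/._-]ota[/._-]?|firmware|update[-_]|version_info", re.I)

# Constructed capture: header values as on the slides, EXAMPLE tokens replace obfuscated parts.
SAMPLE_LOG = """\
GET /obfuscated-otav3-9/EXAMPLE/update-kindle-full_biscuit-EXAMPLE_user_EXAMPLE.bin HTTP/1.1
Host: amzdigitaldownloads.edgesuite.net
Connection: close
User-Agent: AndroidDownloadManager/5.1.1 (Linux; U; Android 5.1.1; AEOBC Build/LVY48F)

GET http://fw.ota.homesmart.ikea.net/feed/version_info.json HTTP/1.1
User-Agent: HertzClient/1.0
Host: fm.ota.homesmart.ikea.net
Connection: close

GET https://example.invalid/firmware/EXAMPLE.bin HTTP/1.1
Host: example.invalid
User-Agent: HertzClient/1.0
"""


def parse_requests(text):
    """Split a capture into requests: {'method', 'target', 'headers'} with lower-cased header names."""
    requests = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in block.splitlines() if line.strip()]
        method, target, _version = lines[0].split(maxsplit=2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append({"method": method, "target": target, "headers": headers})
    return requests


def analyse(request):
    """Return the findings for one request (empty list when nothing is wrong)."""
    parts = urlsplit(request["target"])
    host_header = request["headers"].get("host", "")
    if parts.scheme:
        # absolute-form target, e.g. from an intercepting proxy: the scheme tells us about TLS
        scheme, url_host, path = parts.scheme.lower(), parts.hostname or "", parts.path
    else:
        # origin-form target read straight off the wire: readable at all only because it is plaintext
        scheme, url_host, path = "http", host_header, parts.path
    findings = []
    if scheme == "http" and FIRMWARE_HINTS.search(f"{url_host}{path}"):
        findings.append("firmware/OTA fetched over plaintext HTTP")
    if parts.scheme and host_header and host_header.lower() != url_host.lower():
        findings.append(f"Host header ({host_header}) differs from URL host ({url_host})")
    if request["headers"].get("user-agent", "").startswith("AndroidDownloadManager/"):
        findings.append("fetched by Android DownloadManager (system download service)")
    return findings


def scan(text):
    """(target, findings) for every request in the capture."""
    return [(req["target"], analyse(req)) for req in parse_requests(text)]


if __name__ == "__main__":
    for target, findings in scan(SAMPLE_LOG):
        print(target, "->", findings or "ok")
```

The same function works over a proxy's saved requests or a text dump of a pcap; the plaintext finding is the one that matters for a firmware MITM, the host mismatch is worth a second look because a client that sends a Host header for one server while connecting to another is easy to redirect.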
PHILIPS HUE
 Hue lights, lamps and more, with a smart assistant and a bridge that works via Philips servers
 The list of paired apps and services, with timestamps, is shared across Hue apps
 Online communication
 [BridgeServers] works over HTTP with an additional layer of AES encryption. Presumably the secret key is stored somewhere, but no luck finding it
 [AppServers] works over HTTPS with SSL pinning
 Local communication works over HTTP
 PUT http://192.168.1.38/api/Ds7KfNjjYtC8uNmU8azGBiOSj-uacXI0q0JKaTs/groups/1/action
 Host: 192.168.1.38
 Accept: */*
 Content-Type: application/json
 Content-Length: 11
 {"on":true}
 Loading malicious firmware over the air: http://iotworm.eyalro.net/
 In 2016, researchers hacked Hue lights via ZigBee over a distance of more than 200 meters http://iotworm.eyalro.net/iotworm.pdf
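The captured PUT above carries the bridge API username in the URL of a plaintext request, so anyone on the LAN who sees one request can issue their own. The script below is an added example, not code from the deck or from Philips: it runs a minimal in-process mock of the bridge's local HTTP API (reply shape modelled on the Hue API's success/error JSON arrays), a client that sends the same PUT /api/<username>/groups/1/action {"on":true} as in the capture, and a sniffer-side helper that lifts the username off the request line and replays it. The username below is made up.

```python
"""Philips Hue local API: the bridge username travels in a cleartext URL (added example)."""
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

API_USERNAME = "EXAMPLE-BRIDGE-USERNAME-0000000000000000"  # hypothetical bridge API key


class MockBridge(BaseHTTPRequestHandler):
    """Accepts PUT /api/<username>/groups/<n>/action the way a Hue bridge does."""

    state = {"on": False}
    seen_request_lines = []  # what a passive sniffer on the LAN would see

    def do_PUT(self):
        MockBridge.seen_request_lines.append(self.requestline)
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        match = re.fullmatch(r"/api/([^/]+)/groups/(\d+)/action", self.path)
        if match and match.group(1) == API_USERNAME:
            MockBridge.state["on"] = bool(body.get("on"))
            reply = [{"success": {f"/groups/{match.group(2)}/action/on": MockBridge.state["on"]}}]
        else:
            reply = [{"error": {"type": 1, "address": "/", "description": "unauthorized user"}}]
        data = json.dumps(reply).encode()
        self.send_response(200)  # API-level errors are reported in the JSON body, not the status
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_bridge():
    server = HTTPServer(("127.0.0.1", 0), MockBridge)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def set_group(base_url, username, group, on):
    """Client side: the PUT from the capture, username in the cleartext URL."""
    req = Request(f"{base_url}/api/{username}/groups/{group}/action",
                  data=json.dumps({"on": on}).encode(), method="PUT",
                  headers={"Content-Type": "application/json", "Accept": "*/*"})
    with urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def username_from_request_line(line):
    """Sniffer side: 'PUT /api/<username>/groups/1/action HTTP/1.1' -> username."""
    match = re.search(r"/api/([^/\s]+)/", line)
    return match.group(1) if match else None


def demo():
    server = start_bridge()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        owner = set_group(base, API_USERNAME, 1, True)                 # legitimate app turns lights on
        sniffed = username_from_request_line(MockBridge.seen_request_lines[-1])
        replay = set_group(base, sniffed, 1, False)                    # attacker reuses the sniffed key
        bogus = set_group(base, "not-the-key", 1, True)                # without it the bridge refuses
    finally:
        server.shutdown()
        server.server_close()
    return owner, replay, bogus, MockBridge.state["on"]


if __name__ == "__main__":
    print(demo())
```

The bridge does authenticate (the bogus key is refused), but the credential is a bearer string in a URL on an unencrypted LAN protocol, so the authentication only holds against someone who cannot see the traffic; that is the same class of problem as the Lightify gateway's unencrypted TCP and the reason the summary puts local protocols in the "non-protected" column.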
LIGHTING
SUMMARY
IoT platforms: Lightify, IFTTT
 One account gives access to all tokens & credentials to manage services, devices and data
Communication
 Online – usually encrypted; MITM sometimes possible
 Local – unprotected, custom protocols & encryption – usually already analysed
 Firmware – usually plaintext; malicious attacks are possible
Local
 Credentials, logs, data
CONNECTED HOME
SUMMARY
Jailbreaks & roots
 Available for popular devices
 Sideloading apps is possible
 New in-house manager devices, such as the Echo Dot, have no root tools
Backup & data
 Works for many devices
 Works for synchronising apps, like Alexa
In-house smart manageable things work through a manager app that, in turn
 Allows itself to be managed by any device over BT or Wi-Fi, e.g. casting video or other content
 Doesn't have good protection and is reachable over the Internet
 Has firmware issues, with malicious over-the-air attacks possible
 Stores lots of data locally in the app installed on the mobile device
 Which travels in the user's pocket everywhere
IoT
HOW TO SECURE
Risk Management
 Device profiling – divide your devices according to the critical info they hold and their risk score
 Use cases – define where and what for you are going to use the devices
 Compatibility – use devices that are compatible with the existing technology stack and with your security equipment and software
 Loss of smartphones – avoid devices being lost or left unattended
In-home Secured Network
 Obscure name – NOT vendor & model names, nor anything revealing the user's identity
 Encryption – use up-to-date devices with the latest & strongest encryption schemes
 Guest network – set it up only if you are sure; better to disable guest network access entirely
 Two or more separate Wi-Fi networks (logical or physical) – one for typical activities (networking, messaging, etc.), a second for IoT, a third for critical banking and shopping
 Firewall – stand-alone software or shipped with the router; allow traffic on the specific ports needed & no others
 Limit public network usage – avoid pairing devices or using device apps over public networks because of the lack of data encryption
Password Management
 Default credentials – change them for the router and for the IoT devices
 Unique passwords – use unique, complex passwords made up of letters, numbers and symbols
Software Management
 Settings – review and change the default privacy & security settings
 Features – disable features you don't need, such as remote access
 Apps – avoid apps that don't encrypt data locally or in transit
 Patches – keep all devices & software up to date
 VPN – stand-alone software or shipped with the router, to protect the connections of IoT devices that work over the Internet
 Multifactor & hubs – use every security setting that requires additional actions before a device can be hacked
Data
 Data analysis – analyse the data generated by IoT devices to understand what data might be monetized
 Activity analysis – identify unusual activity of IoT devices to understand what data might be leaked
Breaking tools
 Risky apps – avoid apps from outside the store and junk apps from the store
 Broken – don't break any device in a chain of devices; rely on supported vendor ROMs
 Flashed – flash clean & secure ROMs to remove unwanted apps, but rely on well-known supported ROMs
Cloud & third-party tools
 IoT clouds – audit them before using them for your personal/business needs
 Third-party services – there are many automation tools to manage IoT devices; use secured and audited ones and stay informed
MOBILE, IoT, CLOUDS…
IT’S TIME TO HIRE A RISK MANAGER!
HOW TO CONTACT ME ?
ADD ME IN LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
YURY CHEMERKIN
SEND A MAIL TO: YURY.S@CHEMERKIN.COM
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
 
iPhone Apple iOS backdoors attack-points surveillance mechanisms
iPhone Apple iOS backdoors attack-points surveillance mechanismsiPhone Apple iOS backdoors attack-points surveillance mechanisms
iPhone Apple iOS backdoors attack-points surveillance mechanisms
 
iOS backdoors attack points and surveillance mechanisms
iOS backdoors attack points and surveillance mechanismsiOS backdoors attack points and surveillance mechanisms
iOS backdoors attack points and surveillance mechanisms
 
Hacking and Securing iOS Applications
Hacking and Securing iOS ApplicationsHacking and Securing iOS Applications
Hacking and Securing iOS Applications
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
 
Infoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updatedInfoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updated
 

More from DefCamp

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht HackingDefCamp
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of TrustDefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?DefCamp
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXDefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)DefCamp
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFADefCamp
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationDefCamp
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money downDefCamp
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...DefCamp
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochDefCamp
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareDefCamp
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?DefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured DefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber SecurityDefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering holeDefCamp
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkDefCamp
 

More from DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 

Recently uploaded

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

Mobile, IoT, Clouds… It’s time to hire your own risk manager!

  • 13. APPLE WATCH MITM
    The Apple Watch Series communicates via Bluetooth with the owner’s iPhone. If the iPhone is not reachable over Bluetooth, Wi-Fi is used for synchronization with Apple servers and the iPhone.
    Online communication (over Wi-Fi)
     [iPhone apps  iCloud] – prevents MITM, SSL pinning
     [Apple Watch  iCloud] – prevents MITM, SSL pinning
     No way to install an SSL (interception) certificate on the Apple Watch
  • 14. APPLE WATCH BREAKING THE LOCKSCREEN – Remove the passcode using your iPhone
     Go to “Settings -> General -> Reset”
     “Erase Apple Watch Content & Settings”
     “Keep Plan” if the Apple Watch has a cellular plan, otherwise just “Erase All Content & Settings”
     Pair it again
  • 15. APPLE WATCH BREAKING THE LOCKSCREEN – Removing your passcode without an iPhone
     Power menu: press & hold the side button
     Instead of sliding “Power Off”, press firmly on it
     Tap “Erase all content and settings”
     Tap the green checkmark to confirm
     Pair it again
  • 16. APPLE WATCH BREAKING THE LOCKSCREEN – Unpair the watch via the Apple Watch app & Apple ID password
     Keep your Apple Watch and iPhone close together
     Open the Apple Watch app on the iPhone
     Tap the “My Watch” tab, the watch’s name, then “Unpair Apple Watch”
     Press “Keep Plan” for cellular watches
     Enter your Apple ID password and tap confirm
  • 17. APPLE WATCH JAILBREAKS
    Jailbreaks over USB
     Apple Watch Series 1–4 & watchOS 5 – no jailbreak
     watchOS 4.0–4.1 – v0rtex-based jailbreak, for developers only: https://github.com/tihmstar/jelbrekTime
     Apple Watch Series 1–2 & watchOS 3.0–3.2.3 – OverCl0ck jailbreak, still in development: https://github.com/PsychoTea/OverCl0ck
    Jailbreak & Bluetooth connection over SSH
     https://speakerdeck.com/mbazaliy/jailbreaking-apple-watch
  • 18. APPLE WATCH – BACKUP
     /mobile/Library/DeviceRegistry.state/properties.bin – binary plist file containing the paired Apple Watch specifics incl.: watch name, make, model, OS, GUID
     Synced data path with GUID, date, locale
     Serial number, UDID, Wi-Fi MAC, SEID (Secure Element ID), Bluetooth MAC
  • 19. APPLE WATCH – BACKUP
     Plist containing the apps installed on the Apple Watch (2 places):
     /mobile/Library/DeviceRegistry/<GUID>/NanoPreferencesSync/NanoDomains/com.apple.Carousel
     /mobile/Library/DeviceRegistry/<GUID>
     Example: /mobile/Library/DeviceRegistry/<GUID>/AddressBook/
  • 20. APPLE WATCH BACKUP
     Email – /mobile/Library/DeviceRegistry/<GUID>/NanoMail/registry.sqlite
     Voicemails – /mobile/Library/DeviceRegistry/<GUID>/PreferencesSync/NanoDomains/com.apple.mobilephone – records containing phone numbers and paths to the synced voicemail files
  • 21. APPLE WATCH BACKUP – PASSBOOK
    /mobile/Library/DeviceRegistry/<GUID>/NanoPasses/nanopasses.sqlite3
    Pass table:
     Unique_ID
     Type_ID (boarding pass, loyalty pass)
     Encoded pass (value/data)
  • 22. APPLE WATCH – BACKUP: APPLE HEALTH
     Encrypted (.hfd) in password-protected/encrypted backups only
     No Health data in a non-encrypted backup
     Export in raw/plaintext
     But take your time, we will come back to the Health app soon 
  • 24. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  • 25. APPLE WATCH SUMMARY
    Apple Watch communicates via Bluetooth, or via Wi-Fi if BT is not available
    Online communication (over Wi-Fi)
     [iPhone apps  iCloud] – prevents MITM, SSL pinning
     [Apple Watch  iCloud] – prevents MITM, SSL pinning
     No way to install an SSL (interception) certificate on the Apple Watch
    Local data
     Not many, but jailbreaks are available
     Backup still works to access the data
     Wallet contains booking, card and other info
    Apple Health app
     Contains a lot of medical user data
     Encrypted if the backup is password-protected, and left out of the backup otherwise
     Contains non-encrypted basic medical user data and a list of app sources
  • 27. WEARABLE TECH – SMARTWATCHES – ANDROID WATCH
     Forensics: physical, logical, network acquisition
     Screen lock bypassing techniques
     Root opportunities
     Android Wear app
  • 28. ANDROID WATCH – FORENSICS OF WEARABLE TECH
     Physical acquisition
     Logical acquisition
     Network acquisition (omitted here)
  • 29. ANDROID WATCH – IMAGING A SMARTWATCH DEVICE
     The ADB tool should be used to image and explore the Android smartwatch.
     The dd command, dd if=/dev/block/mmcblk0p12 of=/sdcard/tmp.image, can be used to copy the entire device to an inserted SD card.
     If time is a factor, investigators can copy specific partitions (block devices, not directories) with the following commands:
      dd if=/dev/block/mmcblk0p12 of=/storage/extSdCard/data.dd    # data
      dd if=/dev/block/mmcblk0p8 of=/storage/extSdCard/cache.dd    # cache
      dd if=/dev/block/mmcblk0p3 of=/storage/extSdCard/efs.dd      # efs
      dd if=/dev/block/mmcblk0p9 of=/storage/extSdCard/system.dd   # system
  • 30. ANDROID WATCH – BREACHING A LOCK SCREEN
     Google account credentials are known  remote unlock of connected watches via Google’s Android Device Manager
     Deleting/altering the gesture.key & settings.db files  to remove the lock screen entirely: adb.exe shell; cd /data/system; rm gesture.key
     The “settings.db” file contains system settings and can cause system-wide changes if modified: update system set value=0 …
     Flashing a modified ROM / a reboot in safe mode – to leverage a third-party lock screen
     Utilize the adbkey and adbkey.pub files from other computers that have been previously synchronized with the examined device to create a trust relationship with a new device
     /.android/<ADB keys> – those files are an SSH-style key pair that allow me to mark my computer as “trusted” to my phone
     A copy of the ADB keys is stored on synchronized devices in the users/<user name>/.android folders
  • 31. ANDROID WATCHES – ROOT
    Root:
     5.1.1 – SuperSU-5.1.1.zip https://supersu.apk.gold/android-5.1.1
     6.0.1 – SuperSU-6.0.1.zip https://supersu.apk.gold/android-6.0.1
     Wear 2.0 – SuperSU-Wear
     Wear-SuperSU 2.4 – https://androidfilehost.com/?fid=24269982086990060
    Recovery:
     TWRP – https://eu.dl.twrp.me/bass/
     5.1.1: twrp-3.1.0-0.img
     6.0.1 and Wear 2.0: twrp-3.0.0-0.img
  • 32. ANDROID WATCH – WEAR OS
     Tizen OS – Samsung
     Android Wear OS – Asus ZenWatch, Huawei Watch, LG Watch and many others
     Many root tools & images for Android Wear up to 2.0
     Lack of tools for 2.1 and beyond
     Wear app to access data

    Android Wear version   Android base version   Release date
    4.4W1                  4.4                    June 2014
    4.4W2                  4.4                    October 2014
    1.0                    5.0.1                  December 2014
    1.1                    5.1.1                  May 2015
    1.3                    5.1.1                  August 2015
    1.4                    6.0.1                  February 2016
    1.5                    6.0.1                  June 2016
    2.0                    7.1.1                  Feb 2017
    2.6                    7.1.1                  Nov 2017
    2.6                    7.1.1/8.0.0            Dec 2017
    2.7                    7.1.1/8.0.0            Dec 2017
    2.8                    7.1.1/8.0.0            Jan 2018
    2.9                    7.1.1/8.0.0            Feb 2018

    Wear OS version        Android base version   Release date
    1.0                    7.1.1/8.0.0            Mar 2018
    1.1                    7.1.1/8.0.0            April 2018
    1.2                    7.1.1/8.0.0            May 2018
    1.3                    7.1.1/8.0.0            June 2018
    1.4                    7.1.1/8.0.0            July 2018
    1.5                    7.1.1/8.0.0            August 2018
    1.6                    7.1.1/8.0.0            September 2018
    1.7                    7.1.1/8.0.0            October 2018
    2.0                    7.1.1/8.0.0            August 2018
    2.1                    7.1.1/9.0.0            September 2018
  • 33. ANDROID WATCHES SAMSUNG GEAR – ALL OF THEM (TIZEN) Tizen OS, Bluetooth, USB, No Wi-Fi, Optional Password Protection #1 Gain root:  turn on SDB ‘Smart Development Bridge‘,  find a ROM, uses Odin,  reboot to ‘download’ mode – hold down the main button through the turn off prompt Sdb shell, sdb root
  • 34. ANDROID WATCHES SAMSUNG GEAR – ALL OF THEM #2 Get Data as an image:  Requires root (see step #1)  Use anything to image the watches, like a Toybox http://landley.net/toybox/  adb push toybox /sdcard/download  adb shell; su  mv /sdcard/download/toybox /dev/  chown root:root toybox;  chmod 755 toybox  cd /dev/block/platform/msm_sdcc; ls -al by-name  /* image partition with dd and pipe to netcat, -L puts netcat in listening mode */  dd if=/dev/block/mmcblk0p21 | ./toybox nc -L  /* Port number being listened to on the watch displayed for user */  44477 port displayed  adb forward tcp:44867 tcp:44867  /* Send request to watch on port number 44867 and send it to image file */  nc 127.0.0.1 44867 > Samsung.IMG Here is a user partition
  • 35. ANDROID WATCHES – SAMSUNG GEAR – ALL OF THEM
    #3 Results:
    - Messages: apps.com.samsung.message.data.dbspace/msg-consumer-server.db
    - Health/fitness data: apps.com.samsung.shealth/shealth.db
    - Email: apps.com.samsung.wemail.data.dbspace/wemail.db
    - Contacts/address book: dbspace/contacts-svc.db
  • 36. ANDROID WATCHES – LG WATCH – ALL OF THEM
    Android Wear, USB, Bluetooth, no Wi-Fi
    #1 Gain root: turn on ADB, use LG G Watch Restore Tools, reboot to the bootloader & unlock it, boot TWRP and flash SuperSU:
      adb reboot-bootloader
      fastboot oem unlock
      fastboot reboot                          # back into Wear so adb is available again
      adb push <SuperSU>.zip /sdcard/download
      adb reboot-bootloader
      fastboot boot <twrp>.img
    Install <SuperSU>.zip from TWRP, wait for reboot
  • 37. ANDROID WATCHES – LG WATCH – ALL OF THEM
    #2 Get data as an image:
    - Requires root (see step #1)
    - Use any imaging tool on the watch, e.g. Toybox (http://landley.net/toybox/):
      adb push toybox /sdcard/download
      adb shell
      su
      mv /sdcard/download/toybox /dev/
      chown root:root /dev/toybox; chmod 755 /dev/toybox
      cd /dev/block/platform/msm_sdcc; ls -al by-name     # find the user (data) partition
      # image the partition with dd and pipe it to netcat; -L puts netcat in listening mode
      dd if=/dev/block/mmcblk0p21 | /dev/toybox nc -L
      # the watch prints the port netcat listens on (44867 in this run)
    - On the examiner's host, forward that port and receive the image:
      adb forward tcp:44867 tcp:44867
      nc 127.0.0.1 44867 > LG.img
    mmcblk0p21 is the user partition here
  • 38. ANDROID WATCHES – LG WATCH – ALL OF THEM
    Results:
    - Events/notifications: data.com.android.providers.calendar.databases/calendar.db
    - Contacts/address book: data.com.android.providers.contacts.databases/contacts2.db
    - Health/fitness data: data.com.google.android.apps.fitness.databases/pedometer.db
  • 39. ANDROID WATCHES – ANDROID WEAR
    The mobile device paired with the watches (companion-app data on the phone):
    - /com.samsung.android.app.watchmanager/auto_update.xml: timestamp of the day the Samsung Gear was last updated
    - /com.samsung.android.app.watchmanagerstub/shared_preferences/hmonlinehelppref.xml
    - /data/com.google.android.wearable.app/databases/devices.db: list of devices using Android Wear (it listed the LG G Watch)
  • 42. ANDROID WATCH SUMMARY
    Forensics
    - No forensic tools (such as Elcomsoft, Cellebrite) support these devices
    - Forensic techniques still work on the devices
    - Forensics of Wear apps works too, but yields little useful data
    - Known techniques for breaking the Android screen lock work
    OS
    - Tizen OS: Samsung
    - Android Wear OS: Asus ZenWatch, Huawei Watch, LG Watch and many others
    Root & Recovery
    - Many root tools & images for Android Wear up to 2.0
    - Lack of tools for 2.1 and beyond
    - SDB, ADB, Fastboot, OEM unlock
    Data
    - Contacts, fitness, health, email: on the device
  • 44. HUAWEI WEAR & HONOR BAND 3-9C7
    • Photos of the band and the app (links to the app stores)
    • Put the list pictures into round shapes??
  • 45. FITNESS TRACKERS – HUAWEI WEAR, HONOR BAND 3-9C7
    - Device MAC address & crash log: DevInfo, debug info in /Documents/hms/oclog/<crash>,<log>
    - Last Wear values: sleep (many params), wakeup (many params), distance (steps, ride, climb, ...), heart rate, calories
    - Firmware: path to the locally stored firmware, URL to download firmware (over HTTP!!!), change log, options
    - Geo: speed, timestamp, longitude, latitude, distance, course, duration, altitude
    - User info: picture, name, birthday, height, weight, gender, age
    - Account details: UDID, security token, UserID, SessionID
    - Bluetooth keys
  • 46. CRASH LOG: DEVINFO, DEBUG INFO – /Documents/hms/oclog/<crash>
    CRASH: *** -[__NSArrayM replaceObjectAtIndex:withObject:]: index 9223372036854775815 beyond bounds [0 .. 6]
    Stack Trace: (
      0   CoreFoundation      0x00000001834d317c <redacted> + 148
      1   libobjc.A.dylib     0x000000018271c528 objc_exception_throw + 56
      2   CoreFoundation      0x000000018346bc9c _CFArgv + 0
      3   CoreFoundation      0x00000001833a0324 <redacted> + 0
      4   HuaweiWear          0x0000000100319064 HuaweiWear + 315492
      5   HuaweiWear          0x000000010030ffdc HuaweiWear + 278492
      6   libdispatch.dylib   0x0000000182e52a54 <redacted> + 24
      7   libdispatch.dylib   0x0000000182e52a14 <redacted> + 16
      8   libdispatch.dylib   0x0000000182e5f698 <redacted> + 1016
      9   CoreFoundation      0x000000018347b344 <redacted> + 12
      10  CoreFoundation      0x0000000183478f20 <redacted> + 2012
      11  CoreFoundation      0x0000000183398c58 CFRunLoopRunSpecific + 436
      12  GraphicsServices    0x0000000185244f84 GSEventRunModal + 100
      13  UIKit               0x000000018caf15c4 UIApplicationMain + 236
      14  HuaweiWear          0x00000001005b13f8 HuaweiWear + 3036152
      15  libdyld.dylib       0x0000000182eb856c <redacted> + 4
    )
    iPhone:iPhone8,4 ClientVersion:21.0.12 OSVersion:11.2.6
  • 47. HUAWEI WEAR – LAST VALUES – /Documents/<*.archiver> FILES
    <string>{"sleepTotalData":{"shallowSleepTime":0,"totalSleepTime":0,"deepSleepTime":0,"wakeupTimes":0,"wakeupDuration":0,"type":0,"sleepStartTime":0},"distance":3940,"lastHeartRate":0,"steps":4623,"lastHRTimeStamp":0,"calories":216,"date":1537867958.8875299,"totalClimb":0,"daySportInfo":[]}</string>
  • 48. HUAWEI WEAR: FIRMWARE – /Documents/<*.archiver> FILES
    <string>{"fireWareMd5":"33E44F1B02292C8B9D00A5DEB91B72AB","firmwareDownloadFilePath":"Nyx_1.5.35.bin.apk","identify":"38:37:8B:B8:C9:C7","firmWareSize":1410023,"deviceType":13,"workMode":2,"forceUpdateFlag":false,"netFirwareVersion":"1.5.35",
    "firmwareLocalPath":"/var/mobile/Containers/Data/Application/9B666199-342F-4897-9577-59B68F5CF40F/Documents/DownloadData/dfu_image_OTA.dfu_Nyx",
    "changeLogContent":"[Optimizations]\nOptimizes calorie counting accuracy while swimming.\nFixes an issue where exercise sessions would suddenly exit due to accidental touches.\nFixes an issue where fitness data would be occasionally cleared.\nOptimizes the TrusleepTM data syncing speed on IOS.\n[Notes]\n1. New features require that Huawei Health APP is updated to version 8.0.1.302 or later for IOS, and 8.0.2.327 or later for Android.\n2. Before updating, make sure the band is charged to at least 20%.\n","status":1,
    "baseURL":"http://update.hicloud.com:8180/TDS/data/files/p7/s131/G3533/g3039/v155123/f1/"}</string>
  • 49. HUAWEI WEAR: GEO, SPEED – /Documents/<*.archiver> FILES
    <string>{"speed":0.63999998569488525,"timestamp":"2018-06-09T05:12:19+0300","longitude":41.512356810310401,"latitude":52.571571199272356,"totalDistance":0,"verticalAccuracy":4,"course":10.546875,"duration":0,"distance":0,"altitude":147.71790409088135,"distanceFilter":0,"horizontalAccuracy":5}</string>
  • 50. HUAWEI WEAR: USER INFO – /Documents/<*.archiver> FILES
    <string>{"headImgLocal":"/var/mobile/Containers/Data/Application/9B666199-342F-4897-9577-59B68F5CF40F/Documents/temp_user/temp_user.jpg","age":29,"unitType":0,"nameIsNil":false,"isDefault":true,"weight":78,"userName":"Yury Chemerkin","walkStepLen":77.28,"birthday":19880605,"height":184,"modifyTime":0,"runStepLen":92.736,"gender":0}</string>
  • 51. HUAWEI WEAR: /Documents/<*.archiver> FILES
    Account
    - Account details are stored in a protected way
    Device MAC address
      <string>deviceMacAddress</string>
      <string>38:37:8B:B8:C9:C7</string>
    Bluetooth keys
  • 52. HUAWEI WEAR: PERSONAL DETAILS – /Documents/<wear*.db> FILES
    User goals, device details, user measures:
    - m_7_DataSourceTable_temp_user
    - m_7_FitnessMergedDataTable_temp_user
    - m_14_FineSleepDayMergeTable_temp_user
    - m_7_MotionGoalTable_temp_user
  • 53. HUAWEI WEAR: PERSONAL DETAILS – /Documents/<wear*.db> FILES
    User measures:
    - m_14_HeartRateByDay_temp_user
    - m_14_SportDataByDay_temp_user
    - m_133_MotionPathDetail_temp_user
    - m_7_MotionGoalTable_temp_user
  • 54. HUAWEI WEAR: PERSONAL DETAILS – /Documents/<wear*.db> FILES
    User measures:
    - m_133_SingleMovementStatistic_temp_user
    - m_133_SingleMovement_temp_user
  • 55. HUAWEI HONOR SUMMARY
    Local data
    - Credentials are protected
    - Personal and medical info: plaintext / as is
    Communication
    - Local: encrypted
    - Online: SSL pinning for all possible connections, registration, login and synchronization
  • 57. XIAOMI MI BAND 2 & MI FIT
    Online communication
    - AWS storage, mainly in Ireland (EU), secondary in the US
    - TLS 1.2, no SSL pinning
    Local data
    - Action log with details incl. URLs:
      https://api-mifit.huawei.com/v1/user/manualData.json?r=f8a9d00c3433&t=1512648130831
      https://api-mifit.huawei.com/users/70000054661/heartRate?r=f8a9d00c3433&t=1512648130848
      https://api-mifit.huawei.com/v1/data/band_data.json?r=f8a9d00c3433&t=1512648130805
  • 58. FITNESS APPS – ROAD BIKE, MOUNTAIN BIKE, ...
    - GPS data: longitude, latitude, altitude, accuracy, distanceInMeter, upward/downward (meters), local timestamp, GPS timestamp
    - Session data: timestamp (start, end), distance, duration, avg & max speed, upward/downward, heartZone values (needs a special device)
    - Speed data: timestamp, speed, duration, distance
    - User data: email, password, weight, height, gender, name, birthday
  • 59. FITNESS APPS – Documents/database.sqlite3
    Where to search for data:
    - GPS & location
    - Heart rate (requires special devices)
    - Session data
    - Speed
    - User data
  • 60. FITNESS APPS – LOCATION, MAPS AND USER INFO
    - Location and geo snapshots: Documents/Map/OpenCycleMap.sqlite
    - User info: Documents/database.sqlite3
  • 62. FITNESS TRACKERS SUMMARY – AMONG TRACKERS & APPS
    Local data
    - Credentials are usually protected
    - Personal and medical info: plaintext / as is
    Communication
    - Local: encrypted
    - Online: SSL pinning for all possible connections
  • 65. APPLE HEALTH [device pictures go here]
  • 66. HEALTHCARE – APPLE HEALTH
    - Valuable data is encrypted and no public cracks are known
    - A small amount of data is not encrypted in the backup
    - List of app sources (look there for the non-encrypted original data)
    - However, a secure built-in aggregator app does not mean the other apps are secure in the same way (of course not :))
  • 67. APPLE HEALTH – WHERE TO FIND DATA?
    - HealthDomain/MedicalID/MedicalIDData.archive
    - HealthDomain/Health/healthdb.sqlite
    - HealthDomain/Health/healthdb_secure.sqlite
    - HealthDomain/Health/healthdb_secure.hfd
    - Exported raw data: any place chosen by the user
  • 68. APPLE HEALTH – DATA IN DETAIL
    - Name, user picture, height (in cm) and mass (in kg)
    - Geo tracking (mainland/city), iOS version
    - Device info: UDID, name, last connection time
    - Date of birth, sex, blood group, skin type, height (in cm) and mass (in kg)
    - Medical implants
  • 69. APPLE HEALTH – HealthDomain/MedicalID/MedicalIDData.archive
    - Name
    - Height
    - Weight
    - Medical implants
  • 70. APPLE HEALTH – HealthDomain/Health/healthdb.sqlite
    - bundle_id, app_name
    - Device name, device model, vendor, hardware and software, timestamp
  • 72. APPLE HEALTH – RAW EXPORT
    - Recorded by any Apple device & accessed through the Health app
    - Detailed activity log with timestamps
    - Data can be exported as an .xml file without encryption (!), and even without encrypting the zip file
    - Extracted data can be stored anywhere
  • 73. APPLE HEALTH – RAW EXPORT – PERSONAL, FITNESS, MEDICAL INFO
    - Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
    - Heart rate data (in count/min) or beats per minute (BPM)
    - Steps, distance covered (in km), active energy burned (in kJ), and exercise time (in mins)
    - Blood pressure: diastolic, systolic
    - The exact activity log time (creationDate), and activity start and end times (startDate, endDate)
    XML parser (free): https://github.com/tdda/applehealthdata
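The export is unencrypted XML, so anyone holding the file can inventory the owner's characteristics and every timestamped record in it; the added Python below does exactly that audit. It is neither the deck's code nor the linked tdda parser, and SAMPLE_EXPORT is a constructed sample that follows the export.xml layout (a `Me` element with HKCharacteristicTypeIdentifier* attributes and `Record` elements with type, unit, value and the three dates), not data from the talk.

```python
"""Inventory the personal data in an unencrypted Apple Health export.xml.

Added example for this deck; not the deck's code nor the linked tdda parser.
The XML is streamed with iterparse so a multi-gigabyte export is handled
without loading it whole. SAMPLE_EXPORT is constructed sample data.
"""
from datetime import datetime
from io import BytesIO
import xml.etree.ElementTree as ET

HK_PREFIXES = ("HKQuantityTypeIdentifier", "HKCategoryTypeIdentifier",
               "HKCharacteristicTypeIdentifier")
DATE_FMT = "%Y-%m-%d %H:%M:%S %z"  # export.xml style: 2018-06-09 05:12:19 +0300

SAMPLE_EXPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<HealthData locale="en_US">
 <ExportDate value="2018-10-03 18:10:34 +0300"/>
 <Me HKCharacteristicTypeIdentifierDateOfBirth="1988-06-05"
     HKCharacteristicTypeIdentifierBiologicalSex="HKBiologicalSexMale"
     HKCharacteristicTypeIdentifierBloodType="HKBloodTypeOPositive"
     HKCharacteristicTypeIdentifierFitzpatrickSkinType="HKFitzpatrickSkinTypeII"/>
 <Record type="HKQuantityTypeIdentifierHeight" sourceName="Health" unit="cm"
     creationDate="2018-06-09 05:12:19 +0300" startDate="2018-06-09 05:12:19 +0300"
     endDate="2018-06-09 05:12:19 +0300" value="184"/>
 <Record type="HKQuantityTypeIdentifierHeartRate" sourceName="Apple Watch" unit="count/min"
     creationDate="2018-06-09 06:00:05 +0300" startDate="2018-06-09 06:00:00 +0300"
     endDate="2018-06-09 06:00:00 +0300" value="72"/>
 <Record type="HKQuantityTypeIdentifierHeartRate" sourceName="Apple Watch" unit="count/min"
     creationDate="2018-06-09 18:30:05 +0300" startDate="2018-06-09 18:30:00 +0300"
     endDate="2018-06-09 18:30:00 +0300" value="101"/>
 <Record type="HKQuantityTypeIdentifierStepCount" sourceName="Apple Watch" unit="count"
     creationDate="2018-06-10 00:00:10 +0300" startDate="2018-06-09 00:00:00 +0300"
     endDate="2018-06-09 23:59:59 +0300" value="4623"/>
 <Record type="HKQuantityTypeIdentifierBloodPressureSystolic" sourceName="BP Monitor"
     unit="mmHg" creationDate="2018-06-10 08:00:00 +0300"
     startDate="2018-06-10 08:00:00 +0300" endDate="2018-06-10 08:00:00 +0300" value="120"/>
 <Record type="HKQuantityTypeIdentifierBloodPressureDiastolic" sourceName="BP Monitor"
     unit="mmHg" creationDate="2018-06-10 08:00:00 +0300"
     startDate="2018-06-10 08:00:00 +0300" endDate="2018-06-10 08:00:00 +0300" value="80"/>
 <Record type="HKCategoryTypeIdentifierSleepAnalysis" sourceName="Apple Watch"
     creationDate="2018-06-10 06:40:00 +0300" startDate="2018-06-09 23:10:00 +0300"
     endDate="2018-06-10 06:40:00 +0300" value="HKCategoryValueSleepAnalysisAsleep"/>
</HealthData>
"""


def short_name(identifier):
    """Strip the HealthKit prefix: HKQuantityTypeIdentifierHeartRate -> HeartRate."""
    for prefix in HK_PREFIXES:
        if identifier.startswith(prefix):
            return identifier[len(prefix):]
    return identifier


def _add_record(records, a):
    """Fold one <Record> attribute dict into the per-type summary."""
    entry = records.setdefault(short_name(a["type"]), {
        "count": 0, "unit": a.get("unit"), "sources": set(),
        "min": None, "max": None, "first": None, "last": None})
    entry["count"] += 1
    entry["sources"].add(a.get("sourceName", "?"))
    try:
        value = float(a.get("value", ""))
    except ValueError:
        value = None  # category records (sleep, ...) carry symbolic values
    if value is not None:
        entry["min"] = value if entry["min"] is None else min(entry["min"], value)
        entry["max"] = value if entry["max"] is None else max(entry["max"], value)
    start = datetime.strptime(a["startDate"], DATE_FMT)
    end = datetime.strptime(a["endDate"], DATE_FMT)
    entry["first"] = start if entry["first"] is None else min(entry["first"], start)
    entry["last"] = end if entry["last"] is None else max(entry["last"], end)


def parse_export(stream):
    """Stream export.xml; return {'export_date', 'me', 'records'}.

    'me' holds the characteristic attributes (date of birth, sex, blood type,
    skin type); 'records' maps a short type name to count, unit, sources,
    numeric min/max and the earliest startDate / latest endDate seen.
    """
    report = {"export_date": None, "me": {}, "records": {}}
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag == "ExportDate":
            report["export_date"] = elem.get("value")
        elif elem.tag == "Me":
            report["me"] = {short_name(k): v for k, v in elem.attrib.items()}
        elif elem.tag == "Record":
            _add_record(report["records"], elem.attrib)
            elem.clear()  # keep memory flat on large exports
    return report


def span_days(entry):
    """Days between the first startDate and the last endDate of one type."""
    return (entry["last"] - entry["first"]).total_seconds() / 86400


def parse_sample():
    """Run the parser over the constructed sample (used by the demo below)."""
    return parse_export(BytesIO(SAMPLE_EXPORT))


if __name__ == "__main__":
    rep = parse_sample()
    print("Export date:", rep["export_date"], "Me:", rep["me"])
    for name, e in sorted(rep["records"].items()):
        print(f"{name:24s} n={e['count']:<3} unit={e['unit']} "
              f"range={e['min']}..{e['max']} span={span_days(e):.2f}d "
              f"sources={sorted(e['sources'])}")
```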
  • 74. APPLE HEALTH - RAW EXPORT IN EXAMPLES & DETAILS
  • 77. HEALTHCARE SUMMARY
    - The Apple Health app is well protected
    - Basic info: date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
    - Exported data is not protected at all
    - The list of app sources & those apps' data are not protected well
  • 78. PICOOC MINI (BT) – BODY COMPOSITION SMART SCALE
    - Fat indexes: visceral fat index, body fat
    - Mass: body weight, bone mass, muscle, skeletal muscle
    - Productivity: BMR, body water, protein, metabolic age
    - Delta: tracking changes, charts, reports
  • 79. PICOOC MINI (BT) – BODY COMPOSITION SMART SCALE
    - BT logs: peripheral info of nearby devices, and the MAC of the scale itself
    - Body scale values: body, muscles, productivity, date & time, device MAC
    - Dev info: MAC, model name, user ID, device picture
    - Friends info: name, account_id, user_id, phone_id, sex (they have to be PICOOC users)
    - User info: nickname, userID, height, age, sex, race, type
    - Sensor values: time, age, OS, race, type, screen size, mobile device model, environment, language
    - Preferences: local password, unlocking method, last active day
  • 80. PICOOC BT LOGS – PICOOC/Documents/BluetoothLog.text
    Discover indirectly what devices your neighbours have :)
    扫描到设备 means "Device scanning"
      04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ---- .
      04-14 13:31:36:453 .扫描到设备 name:Peripheral Info:Name: honor band A1 RSSI: -84 UUID: 626E22D2-AE05-4695-A0D3-0099CF82DF96 ---- .
      04-14 13:31:37:408 .扫描到设备 name:Peripheral Info:Name: PICOOC-CQ RSSI: -66 UUID: 8C8E3EDA-7B8C-189F-3865-0A3B9B2C5744 ---- .
      info.macAddress = D0:49:00:1D:87:8A
  • 81. PICOOC BT LOGS – PICOOC/Documents/BluetoothLog.text
    04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ----
    Connect a Galaxy S7 to your Samsung TV over Bluetooth to have fun and share your content :)
    - TV with Bluetooth enabled & a Samsung Galaxy S7
    - Open the notification pane on your handset
    - Select Quick Connect and then Scan for nearby devices
    - Select Register TV, tap the new icon with a TV and an arrow
    - Tap the Share button and then Smart View to play any media from your phone on the TV
  • 82. BODY VALUES – PICOOC/Documents/picooc.sqlite
    CREATE TABLE `body_indexs` (
      `id`, `weight`, `body_fat`, `visceral_fat_level`, `muscle_race`, `body_age`,
      `bone_mass`, `basic_metabolism`, `bmi`, `local_time`, `water_race`, `abnormal`,
      `day_intValue`, `time_period`, `electric_resistance`, `mac`,
      `body_fat_reference_value`, `skeletal_muscle`
    );
  • 83. PICOOC DEVICE AND PREFERENCES
    Dev info: PICOOC/Documents/picooc.sqlite
    Preferences: PICOOC/Library/Preferences/com.picooc.international.plist
      <key>PasswordLockType</key>
      <integer>2</integer>
      <key>PasswordNumherLockContnet</key>
      <string>7124</string>
      <key>currendDay</key>
      <string>20180922</string>
      <key>kStartupUserIdKey</key>
      <integer>4611483</integer>
  • 84. USER BASIC INFO – MAIN USER – PICOOC/Documents/plistFile/userInfo.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>nickName</key>
      <string>Yury Chemerkin</string>
    </dict>
    </plist>
  • 85. USER EXTENDED INFO – LAST ADDED USER ONLY – PICOOC/Library/SensorsAnalytics-super_properties.plist
    Key | Value | Meaning
    current_age_characteristic | 3 | as is
    current_role_is_athlete | false | as is
    current_role_height | 178 | as is
    current_language | 英语 | English
    current_role_age | 58 | as is
    current_role_sex | 男 | Man
    app_type | PICOOC国际版 | PICOOC Worldwide Version
    time_zone | Europe/Moscow | as is
    current_role_race | 白 | White
    current_role_type | 使用者 | User
  • 86. PICOOC SENSOR VALUES – PICOOC/Library/SensorsAnalytics-message-v2.plist.db
    {"time":1537632555035,"_track_id":2682421375,"event":"$AppStart","distinct_id":"9144339","properties":{"current_role_age":30,"$os":"iOS","current_role_race":"白","current_role_type":"主角色","current_role_is_athlete":false,"$screen_width":320,"event_type":"1","$app_version":"3.6.1","current_age_characteristic":3,"$is_first_day":false,"$model":"iPhone8,4","$device_id":"EC640161-EC87-4A90-AD99-5B29A3F86700","$network_type":"WIFI","$carrier":"Mobile TeleSystems","$resume_from_background":true,"$wifi":true,"current_role_height":184,"current_language":"英语","$screen_height":568,"app_type":"PICOOC国际版","time_zone":"Europe/Moscow","$lib_version":"1.9.3","$os_version":"12.0","$is_first_time":false,"$lib":"iOS","$manufacturer":"Apple","current_role_sex":"男","current_role_id":"9144339"},"type":"track","lib":{"$lib_version":"1.9.3","$lib":"iOS","$app_version":"3.6.1","$lib_method":"code"}}
  • 87. PICOOC MITM – NOT SSL-PINNED
    • Profile picture URL (publicly accessible): https://cdn2.picooc.com/head/201810/03/20181003_181034000_50589.png
    • Request URL: https://api2.picooc-int.com/v1/api/role/updateRole?sign=3DCE33B1B07E4639394F555F1D95C623&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538579449&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_role&
    • Same picture (publicly accessible): https://picoocheadportrait.oss-cn-beijing.aliyuncs.com/head%2F201810%2F03%2F20181003_181034000_50589.png
    • Request URL: https://picoocheadportrait.oss-cn-beijing.aliyuncs.com
  • 88. PICOOC MITM – NOT SSL-PINNED
    https://api2.picooc-int.com
    GET /v1/api/email/getVerifyStatus?appver=i3.6.1.0&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&lang=en&method=meishayong&os=iOS&push_token=iOS%3A%3AEC640161-EC87-4A90-AD99-5B29A3F86700&roleId=9144339&sex=1&sign=5FB8BF2A5A7664591ECFFC52F5810E84&stimezone=Europe/Moscow&timestamp=1538579363&userId=4611483&verifyUserId=4611483&version=i3.6.1&webver=6 HTTP/1.1
  • 89. PICOOC MITM – NOT SSL-PINNED
    https://api2.picooc-int.com/v1/api/role/updateRole?sign=2A082A983A3238FBEA7B66AEBF88B706&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538580721&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_role&
  • 90. PICOOC MITM – NOT SSL-PINNED
    https://api2.picooc-int.com/v1/api/account/updateUserPassword?sign=41EE8B396970992A85E9259B134B96BE&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538581202&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_user_password&
  • 92. PICOOC SUMMARY
    Body indexes and changes day by day
    - Fat indexes, mass
    - Productivity, delta
    Dev info, friends' results, user data
    Network
    - Data stored on Alibaba servers
    - Profile, device info, credentials, plus the password on the password-change tab
    - Bonus: Bluetooth scanner of nearby devices
    Preferences: local password, unlocking method, last active day
  • 94. ~30 mHEALTH APPS
    Apps: Google Fit, MyFitnessPal, RunKeeper - GPS, Nike+ Running, WebMD, Blood Pressure (BP) Watch, Water Your Body, Instant Heart Rate, Drugs.com Medication Guide, Runtastic Pedometer, Noom Walk Pedometer: Fitness, Strava Running and Cycling GPS, Bleep Fitness Test, Fitness Buddy: 300+ Exercises, BodySpace- Social Fitness, Walk with Map My Walk, Endomondo Running Cycling Walking, FitNotes – gym Workout Log, Period Calendar, Period Tracker, My Pregnancy Today, My Baby Today, Calorie Counter by FatSecret, MyNetDiary Calorie Counter PRO, My Diet Diary Calorie Counter, Calories! Basic – cal counter, Calorie Counter, Lifesum- Calorie Counter
    Artefacts looked for:
    - User credentials and PINs
    - Personal details of users
    - User activities
    - User location
    - Activity timestamps
    - Images
  • 95. ~30 mHEALTH APPS – MYFITNESSPAL
    User profile pics: com.myfitnesspal.android/cache/Picasso-cache and /sdcard/
    /data/data/com.myfitnesspal.android/databases/myfitnesspal.db
    - User details including time zone, gender, date of birth and email: tables <user_properties, users> (see picture)
    - User profile pictures: table <images>
    - User personal notes: table <diary_notes>
    - User records of exercises, food habits and personal measurements: tables <exercise_entries; exercises; food_entries; foods; measurement_types; measurements>
    - Items last synced with the server: table <last_sync_pointers>
    - User food search history: table <search_history>
  • 96. ~30 mHEALTH APPS – RUNKEEPER
    User profile pics: /fitnesskeeper.runkeeper.pro/cache/Picasso-cache
    /fitnesskeeper.runkeeper.pro/databases/RunKeeper.sqlite: user details including activities, trips
    - Trips deleted by the user: table <deleted_trips>
    - Activities posted by the user: table <feed>
    - List of the user's friends: table <friends>
    - Images uploaded during trips by the user: table <status_updates>
    - User settings for each trip: table <trip_settings>
    - Places visited during all the trips: table <points>
    - Information about each trip: table <trips>
    - More tables
    The points table is what locates the map coordinates of a user's route
  • 97. ~30 mHEALTH APPS – PERIOD CALENDAR
    • Personal info: /data/data/fitnesskeeper.runkeeper.pro/databases/PC.db. Tables:
      • User: list of the users with passwords (plaintext passwords, secret questions and answers)
      • Period: period start time and length per user
      • Note: diary notes entered by users
    • Personal info: /data/data/fitnesskeeper.runkeeper.pro/databases/PC_PILL.db. Tables:
      • pill: pills used by users including date and time
      • pill_record: details about the pills
  • 98. ~30 MEDICAL/FITNESS/HEALTH APPS
    - User credentials: apps may require users to log in with their credentials (e.g. username and password, PIN, authentication tokens). Credentials are therefore an artefact forensic investigators seek during app forensics (e.g. determining whether they are stored in, and can be recovered from, the app's databases).
    - User personal details: name, gender, date of birth, email address, height, weight and other personal data help investigators positively identify the app or device user.
    - User activities: mHealth apps require users to enter their day-to-day food habits, health conditions, activity or exercise details, diagnoses, medications, symptoms, etc.
    - User location: fitness apps let users track their exercise, running, jogging, cycling and other activities, and generally store the geographical coordinates of the user during them, which can provide useful evidence.
    - Activity timestamps: another important artefact; linking activity timestamps with the corresponding user locations (geographical coordinates) and other relevant information (e.g. CCTV feeds) provides useful information in an investigation.
    - Images: profile images, and images taken and posted from a location.
  • 99. ~30 MEDICAL/FITNESS/HEALTH APPS
    App name | Credentials & PINs | Personal details | Activities | Location | Timestamps | Images
    Google Fit | N | N | P | N | F | N
    MyFitnessPal | P | F | F | N | F | F
    RunKeeper - GPS | N | N | F | F | F | N
    Nike+ Running | N | F | F | N | F | F
    WebMD | N | N | P | N | N | N
    Blood Pressure (BP) Watch | N | P | F | N | F | N
    Water Your Body | N | N | F | N | N | N
    Instant Heart Rate | N | N | N | N | N | N
    Drugs.com Medication Guide | N | F | N | N | P | N
    Runtastic Pedometer | N | N | F | N | F | N
  • 100. ~30 MEDICAL/FITNESS/HEALTH APPS
    App name | Credentials & PINs | Personal details | Activities | Location | Timestamps | Images
    Noom Walk Pedometer: Fitness | N | N | F | N | F | F
    Strava Running and Cycling GPS | N | F | F | F | F | N
    Bleep Fitness Test | N | F | F | N | P | N
    Fitness Buddy: 300+ Exercises | N | N | F | N | F | N
    BodySpace- Social Fitness | N | F | F | N | P | F
    Walk with Map My Walk | N | F | F | F | F | P
    Endomondo Running Cycling Walking | N | N | F | F | F | F
    FitNotes – gym Workout Log | N | N | F | N | P | N
    Period Calendar | F | F | F | N | P | N
    Period Tracker | N | N | F | N | P | N
    My Pregnancy Today | P | N | N | N | N | F
    My Baby Today | N | F | N | N | P | N
  • 101. ~30 MEDICAL/FITNESS/HEALTH APPS
    App name | Credentials & PINs | Personal details | Activities | Location | Timestamps | Images
    Calorie Counter by FatSecret | N | N | F | N | P | N
    MyNetDiary Calorie Counter PRO | N | N | N | N | N | F
    My Diet Diary Calorie Counter | N | P | F | N | F | N
    Calories! Basic – cal counter | N | N | P | N | F | N
    Calorie Counter | N | F | F | N | F | N
    Lifesum- Calorie Counter | N | P | F | N | F | F
  • 102. ~30 MEDICAL/FITNESS/HEALTH APPS – THE HIGHER THE VALUE, THE MORE DATA IS STORED LOCALLY
    [Bar chart: Issue Index per app on a 0..10 scale, apps in the order of the tables above, with an "Average Issue Index" series]
    Google Fit 3, MyFitnessPal 9, RunKeeper - GPS 6, Nike+ Running 8, WebMD 1, Blood Pressure (BP) Watch 5, Water Your Body 2, Instant Heart Rate 0, Drugs.com Medication Guide 3, Runtastic Pedometer 4,
    Noom Walk Pedometer 6, Strava 8, Bleep Fitness Test 5, Fitness Buddy 4, BodySpace 7, Walk with Map My Walk 9, Endomondo 8, FitNotes 3, Period Calendar 7, Period Tracker 3, My Pregnancy Today 3, My Baby Today 3,
    Calorie Counter by FatSecret 3, MyNetDiary Calorie Counter PRO 2, My Diet Diary Calorie Counter 5, Calories! Basic 3, Calorie Counter 6, Lifesum 7
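The Issue Index bars can be recomputed from the three N/P/F tables: scoring N=0, P=1, F=2 per artefact column and summing the six columns reproduces all 28 values in slide order. That scoring rule is my inference, not something the deck states; the Python below is an added example, not the deck's code, and it also ranks the apps and counts how many expose each artefact fully or partially.

```python
"""Recompute the Issue Index chart from the ~30 mHealth apps comparison.

Added example, not from the original deck. MATRIX copies the deck's three
tables (columns: user credentials & PINs, personal details, activities,
location, timestamps, images; one N/P/F cell each). The scoring N=0, P=1,
F=2 is an assumption inferred from the chart slide: it reproduces all 28
bar values listed in CHART_VALUES in slide order.
"""
COLUMNS = ("credentials", "personal_details", "activities",
           "location", "timestamps", "images")
SCORE = {"N": 0, "P": 1, "F": 2}  # assumed: none / partial / full recovery

MATRIX = [  # (app, six N/P/F cells in COLUMNS order), slide order
    ("Google Fit", "NNPNFN"), ("MyFitnessPal", "PFFNFF"),
    ("RunKeeper - GPS", "NNFFFN"), ("Nike+ Running", "NFFNFF"),
    ("WebMD", "NNPNNN"), ("Blood Pressure (BP) Watch", "NPFNFN"),
    ("Water Your Body", "NNFNNN"), ("Instant Heart Rate", "NNNNNN"),
    ("Drugs.com Medication Guide", "NFNNPN"), ("Runtastic Pedometer", "NNFNFN"),
    ("Noom Walk Pedometer: Fitness", "NNFNFF"), ("Strava Running and Cycling GPS", "NFFFFN"),
    ("Bleep Fitness Test", "NFFNPN"), ("Fitness Buddy: 300+ Exercises", "NNFNFN"),
    ("BodySpace- Social Fitness", "NFFNPF"), ("Walk with Map My Walk", "NFFFFP"),
    ("Endomondo Running Cycling Walking", "NNFFFF"), ("FitNotes – gym Workout Log", "NNFNPN"),
    ("Period Calendar", "FFFNPN"), ("Period Tracker", "NNFNPN"),
    ("My Pregnancy Today", "PNNNNF"), ("My Baby Today", "NFNNPN"),
    ("Calorie Counter by FatSecret", "NNFNPN"), ("MyNetDiary Calorie Counter PRO", "NNNNNF"),
    ("My Diet Diary Calorie Counter", "NPFNFN"), ("Calories! Basic – cal counter", "NNPNFN"),
    ("Calorie Counter", "NFFNFN"), ("Lifesum- Calorie Counter", "NPFNFF"),
]
CHART_VALUES = [3, 9, 6, 8, 1, 5, 2, 0, 3, 4, 6, 8, 5, 4, 7, 9, 8, 3, 7, 3, 3, 3,
                3, 2, 5, 3, 6, 7]  # bars read off the chart slide, same order


def issue_index(cells):
    """Sum the per-artefact scores of one app's six N/P/F cells."""
    if len(cells) != len(COLUMNS):
        raise ValueError("expected %d cells, got %r" % (len(COLUMNS), cells))
    return sum(SCORE[c] for c in cells)


def indexes():
    """[(app, index)] in slide order."""
    return [(app, issue_index(cells)) for app, cells in MATRIX]


def matches_chart():
    """True when the assumed scoring reproduces every bar on the chart slide."""
    return [idx for _, idx in indexes()] == CHART_VALUES


def average_index():
    """Mean Issue Index over all apps (the chart's average series)."""
    vals = [idx for _, idx in indexes()]
    return sum(vals) / len(vals)


def ranked():
    """Apps from most to least locally exposed data; ties keep slide order."""
    return sorted(indexes(), key=lambda t: -t[1])


def exposure_by_artefact():
    """Per artefact column: how many apps expose it fully (F) or partially (P)."""
    out = {col: {"F": 0, "P": 0} for col in COLUMNS}
    for _, cells in MATRIX:
        for col, c in zip(COLUMNS, cells):
            if c in out[col]:
                out[col][c] += 1
    return out


if __name__ == "__main__":
    print("scoring reproduces the chart:", matches_chart())
    for app, idx in ranked():
        print(f"{idx:2d}  {app}")
    print("average issue index:", average_index())
    for col, n in exposure_by_artefact().items():
        print(f"{col:17s} full={n['F']:2d} partial={n['P']:2d}")
```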
  • 104. HEALTHCARE SUMMARY
    The native Health app is well protected, except for the basic information
    - Basic info: date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
    - Exported data is not protected at all
    Source apps (medical, fitness, health, ...)
    - Data contains everything, with GPS, timestamps and lots of day-by-day changes
    - Usually stores data locally, but basic network activity is intercepted and credentials are gained
    Pseudo-health apps usually require the user to handle all data himself
    - Friend list, credentials, secret questions & answers
    - Body values, timestamps, visited places & geo
    - Medical periods, schedule, pills and so on
    - Preferences, searches
  • 108. APPLE TV – FIVE GENERATIONS
    Mac OS X, iOS, tvOS
    Common ways to break in:
    - Jailbreak tools
    - Password management
    - USB acquisition
    - Backup
    - Jailbroken acquisition
    - Profiling
  • 109. APPLE TV – 1ST GENERATION: EASY TO BREAK
    The first edition of the Apple TV runs Mac OS X on an HDD, which makes breaking in much easier.
    All possible ways to break into the first Apple TV, 8 years ago:
    - "Hacking the Apple TV and Where Your Forensic Data Lives", Kevin Estis and Randy Robbins, Def Con 2009
      https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-kevin_estis-apple_tv.pdf
      https://www.youtube.com/watch?v=z-WCy3Bdzkc
  • 110. APPLE TV – 2ND-5TH GENERATION: EASY TO BREAK TOO
    - Break in the same way as any other Apple mobile device (iPhone, iPad)
    - The backup contains valuable data (forensic tools work too)
    - Find a jailbreak to obtain the whole OS
    - Look for user content: Netflix, iTunes, NHL, NBA, Vimeo, YouTube
    - Get access to app data and reveal credentials, cards: depends on the application
    Why would anyone jailbreak an Apple TV?
    - Outdated, compromised Apple TV 2 with OpenSSH and the default password: https://www.tvaddons.co/appletv2-jailbreak-threat/
    - Direct access to the filesystem and file management beyond the backups & cloud
    - Stream media from devices beyond AirPlay or iOS devices
    - Sideloading 3rd-party tools: Kodi, Hulu, LastFM, XBMC, Nito TV, Pandora Radio, and other apps
    - Don't pay $100 for a dev license and get access to hundreds of music, TV, movies
  • 111. APPLE TV – DATA EXAMINATION & FORENSICS
    Apple TV jailbreak support: https://pangu8.com/appletv.html
    - Apple TV 1: scripts, SSH, HDD extraction and other ways
    - Apple TV 2: Seas0nPass jailbreak for tvOS 4.3 - 5.3 (untethered) & 6.1.2 (tethered)
    - Apple TV 3: no jailbreak, many scams; the Snow3rd jailbreak probably works for 5.0 and 5.0.1, but not 5.0.2 and beyond
    - Apple TV 4:
      - Pangu9 jailbreak for tvOS 9.0 - 9.0.1
      - LiberTV jailbreak for tvOS 9.1 - 10.1
      - GreenG0blin jailbreak for tvOS 10.2.2
    - Apple TV 4 / 5: LiberTV jailbreak for tvOS 11.0 and 11.1
    - Apple TV 4 / 5: Electra jailbreak for tvOS 11.2 - 11.3
  • 112. APPLE TV – DATA EXAMINATION & FORENSICS
    - The USB port is reserved for "service and support" purposes; gone since the Apple TV 5th gen (4K)
    - No password management: we trust you, breakers :)
    - Seriously, no password or passcode protection at all! Restrictions instead: Use Restrictions on your Apple TV, https://support.apple.com/en-md/HT200198
      - Everything allowed by default
      - Restrictions put purchases, apps, content, settings and remote pairing behind a passcode (nobody blocks pairing, usually)
      - The account password is required for purchases, as on any Apple device (https://support.apple.com/en-us/HT204030)
  • 113. APPLE TV – 2ND-4TH GEN – USB ACQUISITION (USB, MICRO-USB, USB-C); 5TH GEN IS OUT OF SCOPE (NO USB)
    The AFC (Apple File Conduit) service works here: /private/var/mobile/Media
    USB acquisition gives:
    - Basic device information
    - Real-time log (syslog), crash logs
    - Part of the file system (the "Media" folder)
    Device information:
    - MAC addresses: Wi-Fi, Bluetooth, Ethernet
    - Name, time zone, serial ID, model
    Tools: ideviceinfo, idevicesyslog, http://www.libimobiledevice.org/
  • 114. APPLE TV – BACKUP
    - Real-time log
    - Crash log
    - MediaLibrary.sqlitedb
    - iCloud account name
    - iCloud ID
    - Wi-Fi networks
    - Device usage timeline
    - Shopping database
  • 115. APPLE TV – 2ND-5TH GEN – JAILBREAK
    Time zone
    - /private/var/db/timezone/localtime
    Network TCP/IP lease
    - /private/var/db/dhcpclient/leases/
    Network Wi-Fi history
    - /private/var/preferences/com.apple.wifi.plist
  • 116. APPLE TV – 2ND-5TH GEN – JAILBREAK
    Keyboard dictionary
    - /private/var/mobile/library/keyboard/dynamic-text.dat
    Accounts
    - /private/var/mobile/library/accounts/
    - /private/var/mobile/library/preferences/com.apple.ids.service.com
    User email; user info: email + phone
      yury.chemerkin@icloud.com +79851719122
    Network
  • 117. APPLE TV – 2ND-5TH GEN – JAILBREAK
    iCloud synced preferences
    - /var/mobile/Library/SyncedPreferences/
    Wi-Fi access points
    - com.apple.wifid.plist
    Weather cities
    - com.apple.nanoweatherprefsd.plist
      Moskva, Lianozovo District 55.800149, 37.565483
  • 118. APPLE TV – 2ND-5TH GEN – JAILBREAK
    Headboard
    - /private/var/mobile/library/com.apple.headboard/apporder.plist
    - /private/var/mobile/library/caches/com.apple.tviconscache/com.apple.headboard
    - /private/var/mobile/library/caches/com.apple.headboard/fscacheddata
  • 119. APPLE TV – 2ND-5TH GEN – JAILBREAK
    App snapshots
    - /private/var/mobile/library/caches/com.apple.pineboard/assetlibrary/snapshots/
    Cached video
    - /private/var/mobile/library/caches/appletv/video/
  • 120. APPLE TV – 2ND-5TH GEN – JAILBREAK
    Installed applications
    - /private/var/db/lsd/com.apple.lsdidentifiers.plist
    - /private/var/mobile/containers/bundle/
    - /private/var/mobile/containers/data/application/
  • 121. APPLE TV – 2ND-5TH GEN – JAILBREAK
    Country, last activity; app snapshots (YouTube)
  • 122. APPLE TV – ANY GEN – PROFILING AS A KIND OF PROTECTION
    TV Remote payload: designated by specifying com.apple.tvremote as the PayloadType value. If the payload is not present, or the list is empty, any device is allowed to connect. Availability: tvOS 11.3 and iOS 11.3 and later.
    - AllowedRemotes
    - AllowedTVs
    - RemoteDeviceID
    - TVDeviceID
    https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf
  • 124. APPLE TV SUMMARY
    Lots of jailbreaks
    - Except Apple TV 3
    - Apple TV 1 is based on Mac OS X, so it is broken the same way as a Mac
    Password management
    - No password
    - No restrictions by default
    - Restrictions handle the content only
    Apple TV 2 - 5
    - Apple TV 2 - 4 are equipped with USB, which gives device info, time log, crash log, Media folder
    - Apple TV 5 has no USB port
    Jailbroken TV
    - Time zone, network info & history, keyboard & account info
    - iCloud preferences, Wi-Fi access points, weather cities (list): easy to remap to geo
    - TVs: Headboard, app snapshots, cached video
    - App list, app data, app snapshots
  • 125.
  • 126. AMAZON TV: PREREQUISITE Amazon Fire TV Stick Amazon account plus other accounts per app MITM is out of scope, but wait for Amazon Dot  Forensics tools (no support atm) Known ways to break into Root Data acquisition (streaming, photo, app, sideloaded Android app)
  • 127. AMAZON TV BREAK OPPORTUNITIES No support of Forensics tools Sideloading is allowed, ADB exists and is off by default Rooting many root-apps (like KingRoot) is around of outdated FireOS such as 5.0.5 but not limited it The rooting requires a keyboard, no support for TV remote devices Use dd command to obtain an image of Fire TV
  • 128. AMAZON TV ROOT, BOOTLOADER, SIDELOADING Non-root things  Sideloading is allowed without root like on Android  Bootloader: 51.1.x.x – non-locked, 5.x.x.x – locked but 5.0.x are unlockable (no info about older versions)  Downgrading might be possible Roots  Fire TV 1 – rootable for 51.1.0.0 - 51.1.6.3, 5.0.3, 5.0.5, and no root for 5.0.5.1, 5.2.1.0 - 5.2.6.3  Fire TV 2 – rootable for 5.0.0 – 5.2.1.1, no root for 5.2.4.0 – 5.2.6.3  Fire TV 2 – 5.2.6.6 – pre-rooted ROM (http://www.aftvnews.com/pre-rooted-5-2-6-6-rom- is-now-available-for-the-fire-tv-2/)  Fire TV 3, Fire TV Cube – no root or pre-rooted ROM  Fire TV Stick 1 – rootable for 5.0.0 - 5.2.1.1 and no root 54.1.2.3 and older, 5.2.1.2 - 5.2.6.3  Fire TV Stick 2 – no root, except hardware rooting to direct access to the device eMMC storage (http://www.aftvnews.com/amazon-fire-tv-hardware-root-demonstrated/)  Fire TV Edition television – rootable for 5.2.5.0 and no root for 5.2.5.1 - 5.2.6.3
  • 129. AMAZON TV ROOTED TV  browser.db – Browser History & navigating to websites using Mozilla Firefox  [root]/data/com.amazon.bueller.photos/files/cmsimages – Pictures from Amazon cloud drive but formatted for better viewing up to Fire TV Stick  [root]/data/com.amazon.device.controllermanager/ databases/devices – Bluetooth Devices and their names, MAC paired with Fire TV (such as, keyboard mouse, Amazon Fire TV remote)  [root]/data/com.amazon.device.logmanager/files – Amazon Logs including Log.amazonmain
  • 130. AMAZON TV ROOTED TV  /data/data/ = All application data is stored in this directory  com.amazon.venezia/ = Amazon appstore data /cache/ = thumbnails & previews for appstore apps /databases/ = sqlite files in each folder /contentProvider = Table "Apps" contains app-names("key") with relation thumbnails("thumbnailUri"), Preview("previewUri") found in ../cache directory /locker = workflow, orders, wishlist, applications, cache, content tokens. /logging = logs for appstore application  com.android.cloud9/ = Amazon browser data /cache/webviewcache/ = any cache data /databases/ = sqlite files in each folder /webview.db = webview cookies & form data. /webviewCache.db = association of files in ../cache/webviewcache/ directory to urls. /browser.db = history & bookmarks also have path to page previews and thumbnails stored in ../files /files/ = page previews & thumbnails stored as JPEG (crosslink to ‘browser.db’ above) /shared_prefs = preferences for a cross-access  com.amazon.provid ers.contacts/databases/conta cts2.db = All contacts
  • 131. FORENSIC ANALYSIS METHOD FOR THE AMAZON FIRE TV STICK
  • 132. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  • 133. AMAZON TV: SUMMARY
    • Several older firmwares are affected by rooting tools
    • Rooting requires a BT keyboard, which is not a big deal for a TV
    • Sideloading is allowed without root
    • ADB is possible
    • Downgrading the Fire TV Stick software/firmware might be possible
    • Personal data is revealed
    • Credentials of streaming services are found: Netflix, NHL, NBA, Vimeo, …; Kodi to get access to hundreds of music, TV, movies
    • No way to restrict connections and bind the TV and device to each other only
    • FireOS ver 5.x is based on Android 5.1.1 Lollipop, ver 6.x is based on Android 7.1 Nougat
  • 134. AMAZON ECHO DOT – pictures and specification
  • 135. AMAZON ECHO DOT
    Local access; Bootloader; MITM: SSL MITM, firmware MITM; Credentials breaks
  • 136. AMAZON ECHO DOT LOCAL ACCESS, LACK OF ROOT
    • Alexa doesn't have ADB, but has an MTK preloader
      • bus 001 Device 010: ID 0ed8d:2000 MediaTek Inc. MT65xx Preloader
    • However, SP Flash Tool does not work at the moment
    • Bootloader – press and hold 'Uber' while it is loading, but the bootloader is locked and no unlocking key is available
      • Bus 001 Device 019: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo
      • # fastboot devices → fastboot
      • # fastboot getvar all → lk_build_desc: c1….. prod: 1 unlock_status: false serialno: […..] product: BISCUIT version-preloader: 0.1.00 version: 0.5
  • 137. AMAZON ECHO DOT MITM. WHAT ABOUT SSL?
    Self-signed certificates are allowed on Alexa for devs
    • https://developer.amazon.com/docs/custom-skills/configure-web-service-self-signed-certificate.html
    • https://www.amazon.com/gp/help/customer/display.html?nodeId=201589180
    Change endpoint configuration and region
    Make your Alexa install an SSL certificate from intercepting tools
    • No luck, the Alexa Echo Dot as a device prevents this shit
    • Try with the Alexa app that comes installed by default on Kindle Fire tablets, or download it for Android or iOS devices even (!)
  • 138. AMAZON ECHO DOT MITM. FIRST TIME SETUP
    • Navigate via browser to https://alexa.amazon.com
    • Up to the end of 2017 the redirect to Alexa setup was an http URL (!)
    • Expected credentials to be stolen in plaintext & expiring in 2036 like before, but no luck before
    • POST /ap/signin?ie=UTF8&pf_rd_r=yyyyyyy&pf_rd_m=xxxxxx&pf_rd_t=6301&pf_rd_i=amzn_dp_project_dee&pf_rd_p=xxxxx&pf_rd_s=signin-slot HTTP/1.1
    • Host: www.amazon.com
    • Content-Length: 1349
    • "name": "Set-Cookie",
    • "value": "session-token="xx/y//zz=="; Version=1; Domain=.amazon.com; Max-Age=630720000; Expires=Sat, 01-Nov-2036 22:39:37 GMT; Path=/"
    Now
    • HTTPS prevents the MITM attack
    • Certificate expires every 2 years
  • 139. AMAZON ECHO DOT MITM. FIRMWARE
    Intercepting firmware updates is possible. Here is a bin-firmware http request:
    • GET /obfuscated-otav3-9/…/update-kindle-full_biscuit-XXXX_user_[XXXXXXXXX].bin HTTP/1.1
    • Host: amzdigitaldownloads.edgesuite.net
    • Connection: close
    • User-Agent: AndroidDownloadManager/5.1.1 (Linux; U; Android 5.1.1; AEOBC Build/LVY48F)
    Firmware contains build.prop, i.e. it is designed as Android and has .APKs
    • ro.build.version.fireos=5.5.0.3
    • ro.build.version.fireos.sdk=4
    Non-encrypted bin firmware
    • -rw-r--r-- boot.img; file_contexts
    • drwxr-xr-x images; META-INF
    • -rw-r--r-- ota.prop
    • drwxr-xr-x system
    • -rw-r--r-- system.new.dat; system.patch.dat; system.transfer.list
  • 140. AMAZON ALEXA APP
    • The Alexa app has good, solid protection
    • No sensitive data stored locally
    • Well-encrypted communication (online, internal) using TLS 1.2
    • However, MITM is possible because no SSL pinning is used
      • Credentials and all communication compromised
  • 141. AMAZON ECHO DOT ALEXA APP – MITM, NOT PINNED
    Credentials
    • {"Credentials":{"AccessKeyId":"ASIAXHE6EPSWNVIGFBVP","Expiration":1.538588872E9,"SecretKey":"+8gSx7/H.....U="},"IdentityId":"us-east-1:503e25f6-2302-4dcd-8cb2-64a0e888f76b"}
    • Email, password from the POST action 'https://www.amazon.com/ap/signin'
    • Device info plus token
    Metrics - https://device-metrics-us-2.amazon.com/metricsBatch
    • HTTP_USER_AGENTDAMZN(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)"
    • CountryCode RU"
    Profile
    • Name, billing address, shipping address
    • Device IDs, types, account ID, device capabilities
    First answer in .mp3 (https://tinytts.amazon.com/) stored for a long time (at least a couple of months)
  • 142. AMAZON ALEXA APP LOCAL
    • Library/Application Support/device.sqlite – device list with IDs, serials
    • Library/METRICS_NORMAL* – logs & metrics: HTTP_USER_AGENT(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)
    • Library/Preferences/com.amazon.echo.plist – account info
    • Documents/LocalData.sqlite – settings of devices
  • 143. AMAZON ECHO DOT ALEXA APP
    Alexa and Echo allow many users to manage devices
    • Echo has no voice differentiation capabilities nor protection against non-human or repeated speech
    Each device is locked by a 4-digit PIN
    • The set of PINs is ~10k values
    • Two attempts, then you have to restart, but no limit on the total number of attempts
    • Brute-force it in 2 days
    How to break
    1. Computer says the "wake word" followed by the command to order an Amazon Echo Dot
    2. Alexa responds with the top Amazon search result and asks if the user wants to place the order
    3. Computer confirms the order
    4. Alexa asks for the 4-digit PIN
    5. Computer guesses the next PIN in numerical order
    6. Alexa accepts or rejects the PIN
    7. Computer guesses the next PIN in numerical order
    Repeat until you break it – takes up to 48h max
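As an added example (not from the slides), a small Python check that parses a Set-Cookie header like the one above and flags what a reviewer would look for: a multi-year lifetime, missing Secure/HttpOnly flags, and issuance over plaintext HTTP. The sample header is constructed from the captured value with placeholder token bytes; the 30-day lifetime threshold is an assumed policy.

```python
"""Audit a Set-Cookie header for weak session-cookie hygiene."""
from typing import Dict, List

# Constructed sample modelled on the captured header above; token bytes are placeholders.
SAMPLE_SET_COOKIE = (
    'session-token="xx/y//zz=="; Version=1; Domain=.amazon.com; '
    "Max-Age=630720000; Expires=Sat, 01-Nov-2036 22:39:37 GMT; Path=/"
)

# Assumed policy: a login session cookie should not outlive 30 days.
MAX_SESSION_LIFETIME = 30 * 24 * 3600


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into name, value and lower-cased attributes.

    Flag attributes (Secure, HttpOnly) are stored with an empty value so that
    callers can test their presence with `in`. Splitting on ';' is safe: the
    Expires date contains a comma but never a semicolon.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip().strip('"')}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_cookie(header: str, over_tls: bool) -> List[str]:
    """Return human-readable findings for one Set-Cookie header.

    over_tls tells whether the response carrying the header was HTTPS; the
    slide notes the setup redirect was plain http until late 2017.
    """
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    # Max-Age wins over Expires when both are present (RFC 6265), so it is
    # the lifetime the browser actually applies.
    if "max-age" in cookie and cookie["max-age"].isdigit():
        lifetime = int(cookie["max-age"])
        if lifetime > MAX_SESSION_LIFETIME:
            findings.append(
                f"Max-Age {lifetime}s ({lifetime // 86400} days) exceeds "
                f"{MAX_SESSION_LIFETIME // 86400}-day policy"
            )
    if "secure" not in cookie:
        findings.append("missing Secure flag")
    if "httponly" not in cookie:
        findings.append("missing HttpOnly flag")
    if not over_tls:
        findings.append("set over plaintext HTTP")
    return findings


if __name__ == "__main__":
    for finding in audit_cookie(SAMPLE_SET_COOKIE, over_tls=False):
        print("-", finding)
```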
  • 144. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  • 145. AMAZON ECHO DOT & ALEXA APP SUMMARY
    • Intercepting firmware updates is possible
    • Alexa allows self-signed SSL certificates but does not accept the Burp/Charles certificate?
      • True for the Alexa Echo Dot
      • The Alexa app relies on TLS 1.2 but is affected by a MITM attack with a self-signed cert
    • Not everything is HTTPS
    • FireOS is based on Android - https://en.wikipedia.org/wiki/Fire_OS
      • ver 5.x – Android 5.1.1 Lollipop. Alexa is still on 5.x
      • ver 6.x – Android 7.1 Nougat
    • Even hardware root is possible: https://vanderpot.com/Clinton_Cook_Paper.pdf
  • 147. CONNECTED HOME
    READYFORSKY
    • Backup
    • MITM: Hub, Remote
    • BT MITM: out of scope
  • 148. READYFORSKY DOCUMENTS/R4S.SQLITE
    • Device list, models, pairing text
    • Recipes per device (how to cook, basic details & requirements)
    • Username, email
    • User devices & MAC
  • 149. READYFORSKY MITM
    • Firmware version – 2.29 - http://service2.readyforsky.com/firmware/list/148/["2.29"]
    • Device pic - http://image-server.readyforsky.com/i/1899/200x200.png
    • Recipes – BlackTea, GreenTea, Others
    • Do something with a kettle
      • https://content.readyforsky.com/api/program/catalog/id:IN:90,97?locale=en
      • "id": 90,
      • "protocol_id": 0,
      • "value": "BOILING", / HEATING
      • "value": "40", | "value": "55", | "value": "70", | "value": "85", | "value": "95",
  • 150. READYFORSKY MITM
    Credentials, password, tokens
    • https://content.readyforsky.com/headless/change-password
    • {"current_password": "1", "plainPassword": "1"}
    • { "error": "invalid_grant", "error_description": "The access token provided is invalid."}
    • { "access_token": "YjNhYmEwOWM1ZDcwYTk0ODU1ODhmZDZiMDRjNjA5NzUyN2YzM2VhNGUyMjBhYzc0ZjBhYWRhY2IzZmNjMzdiOA", "expires_in": 86400, "token_type": "bearer", "scope": "r4s", "refresh_token": "YzE4ZGUwN2NkMzdiMDBlYmM5NGQwMGVjYmU4YThkYTVkMGE1ZTc4ODQ2MDRkNjhhZWY4NGIxZjlkODRhZGI3MQ" }
  • 151. READYFORSKY MITM
    User details - https://content.readyforsky.com/api/user/current
    • "username": "yurychemerkin",
    • "username_canonical": "yurychemerkin",
    • "email": "yury.chemerkin@gmail.com",
    • "last_login": null,
    • "enabled": true,
    • "locked": false,
    • "expired": false,
    • "id": 527679
    Client Address 192.168.1.38:50654 | this port changes
    Remote Address content.readyforsky.com/178.62.194.132:443 | fixed port
  • 152. READYFORSKY MITM
    Device details
    • https://content.readyforsky.com/api/device/user
    • "name": "RK-G200S",
    • "address": "E7:7F:BC:60:C2:2A",
    • "name": "Gateway XIAOMI Redmi 4X",
    • "address": "77d3efcf-f627-402e-bbed-4ee0c8290417",
    Client Address 192.168.1.38:50654 | this port changes
    Remote Address content.readyforsky.com/178.62.194.132:443 | fixed port
  • 153. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  • 154. REDMOND SUMMARY
    Communications & MITM
    • App, hub, device IP, ports including internal info, device info (name, model, network info)
    • Actions, recipes, to-do
    • Credentials, password, tokens
    • User details & login details
    Local
    • Device list, models, pairing text
    • Recipes per device (how to cook, basic details & requirements)
    • Username, email
    • User devices & MAC
  • 158. LIGHTIFY
    • Lightify is an IoT platform with the simplest integration of wireless lighting.
    • Need to have a Lightify account
    • Online communication uses the QUIC protocol with encryption over UDP
      • Wireshark does not support QUIC decryption at the moment. The drafts at tools.ietf.org/wg/quic are also not really detailed on the ciphers.
    • The Lightify Gateway communicates over TCP completely unencrypted locally, but via a binary protocol: https://github.com/noctarius/lightify-binary-protocol#basics-about-the-protocol; here is a plugin to manage the lights: https://github.com/tfriedel/python-lightify
    • Credentials stored in a local folder – shared preferences
  • 159. IKEA TRADFRI
    Smart lighting and an assistant to control it
    No online communications except firmware requests in plaintext
    • GET http://fw.ota.homesmart.ikea.net/feed/version_info.json
    • User-Agent: HertzClient/1.0
    • Host: fm.ota.homesmart.ikea.net
    • Connection: close
    • Response: no response
    Local communication is DTLS (SSL over UDP)
    • Pairing via QR code (Serial Number = MAC Address, Security Code / pre-shared key)
    • QR code can be revealed for further decryption
    Locally stored data
    • Encrypted QR code stored in the keystore – root needed to get access
    • Keystore doesn't work for outdated Android (< 4.3)
    • AES encryption for outdated Android, and the built APK has the encryption key "Bar12345Bar12345" as a resource in "key_file.txt"
    • The issue here is a patched APK file with the strong encryption removed
  • 160. PHILIPS HUE
    • Hue lights, lamps and others with a smart assistant and a bridge that works over Philips servers
    • The list of paired apps and services with timestamps is sent across Hue apps
    • Online communication
      • [Bridge → Servers] works over HTTP with an additional layer of AES encryption. Guess they store the secret key somewhere, but no luck finding it
      • [App → Servers] works over HTTPS with SSL pinning
    • Local communication works over HTTP
      • PUT http://192.168.1.38/api/Ds7KfNjjYtC8uNmU8azGBiOSj-uacXI0q0JKaTs/groups/1/action
      • Host http://192.168.1.38
      • Accept *.*
      • Content-Type: application-json
      • Content-Length: 11
      • Json {"on":true}
    • Loading malicious firmware over-the-air: http://iotworm.eyalro.net/
    • In 2016, researchers hacked Hue lights via ZigBee over a distance of more than 200 meters: http://iotworm.eyalro.net/iotworm.pdf
  • 161. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  • 162. LIGHTING SUMMARY
    IoT platforms: Lightify, IFTTT
    • One account to access all tokens & credentials to manage services, devices and data
    Communication
    • Online – usually encrypted, MITM sometimes possible
    • Local – unprotected, custom protocols & encryption – usually analyzed
    • Firmware – usually plaintext, malicious attacks are possible
    Local
    • Credentials, logs, data
  • 163. CONNECTED HOME SUMMARY
    Jailbreaks & roots
    • Available for popular devices
    • Sideloading apps is possible
    • New in-house manager devices, such as the Alexa Dot, don't have root tools
    Backup & Data
    • Works for many devices
    • Works for synchronizing apps, like Alexa
    In-house smart manageable things work over an app manager that, in turn
    • Allows itself to be managed by any device over BT, Wi-Fi, e.g. to cast video or other content
    • Doesn't have good protection and is available over the Internet
    • Has firmware issues with malicious over-the-air attacks
    • Stores a lot of data locally in the app installed on the mobile device
      • Carried around in the user's pocket everywhere
  • 164. IoT: CONCEPT, FACTS, ISSUES 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  • 165. IoT HOW TO SECURE
    Risk Management
    • Device profiling – divide your devices according to critical info & risk score
    • Use cases – define where and what for you are going to use devices
    • Compatibility – use devices that are compatible with the existing technology stack and with security equipment and software
    • Loss of smartphones – avoid devices being lost or left unattended
    In-home Secured Network
    • Obscure name – NOT vendor & model names, and not revealing user identity, e.g. personal names
    • Encryption – use up-to-date devices with the latest & strongest encryption schemes
    • Guest network – set it up if you're sure, but better to disable guest network access entirely
    • Two or more different Wi-Fi networks (logically or physically) – one for typical activities (networking, messaging, etc.), a second for IoT, a third for critical banking and shopping
    • Firewall – stand-alone software or shipped with the router; allow traffic on the specific ports needed & no others
    • Limit public network usage – avoid pairing devices or using device apps over public networks due to the lack of encryption of data
    Password Management
    • Default credentials – change them for the router's and IoT devices' passwords
    • Unique passwords – use unique, complex passwords made up of letters, numbers, and symbols
  • 166. IoT HOW TO SECURE
    Software Management
    • Settings – change the default privacy policies & security settings
    • Features – disable features you don't need, such as remote access
    • Apps – avoid using apps that don't encrypt data locally or while it's transferred
    • Patches – keep all devices & software up to date
    • VPN – stand-alone software or shipped with the router, to protect the connections of IoT devices that work over the Internet
    • Multifactor & hubs – use all security settings that require additional actions before it can be easily hacked
    Data
    • Data analysis – analyze the data generated by IoT devices to understand what data might be monetized
    • Activity analysis – identify unusual activity of IoT devices to understand what data might be leaked
    Breaking tools
    • Risky apps – avoid apps from outside the store and junk apps from the app store
    • Broken – don't break any device in a chain of devices; rely on supported vendor ROMs
    • Flashed – flash clean & secure ROMs to remove unwanted apps, but rely on well-known supported ROMs
    Cloud & third-party tools
    • IoT clouds – audit them before using for your personal/business needs
    • Third-party services – there are many automation tools to manage IoT devices. Use secured and audited ones and be informed
  • 167. MOBILE, IoT, CLOUDS… IT’S TIME TO HIRE A RISK MANAGER! HOW TO CONTACT ME ? ADD ME IN LINKEDIN: HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN YURY CHEMERKIN SEND A MAIL TO: YURY.S@CHEMERKIN.COM