
Mobile, IoT, Clouds… It’s time to hire your own risk manager!


Presented by Yury Chemerkin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on https://def.camp/archive

Published in: Technology


  1. Mobile, IoT, Clouds… It’s time to hire a Risk Manager! – Yury Chemerkin, multi-skilled security expert, CJSC Advanced Monitoring
  2. YURY CHEMERKIN – I have ten+ years of experience in information security. I‘m a multi-skilled security expert on security & compliance, mainly focused on privacy and leakage showdown. Key activity fields are EMM and Mobile & Cloud Computing, IAM, Forensics & Compliance. I have published many papers on mobile and cloud security and regularly appear at conferences such as CyberCrimeForum, HackerHalted, DefCamp, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence-Sec, InfoSec NetSysAdmins, etc. LinkedIn: HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN, Twitter: @YURYCHEMERKIN, email: YURY.S@CHEMERKIN.COM
  3. IoT: CONCEPT, FACTS, ISSUES – 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  4. IoT: CONCEPT, FACTS, ISSUES – 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  5. UNDERSTANDING THINGS
  6. IoT TAXONOMY & FRAGMENTATION – Source: https://www.cbinsights.com/research/internet-of-things-periodic-table/
  7. IoT TAXONOMY
      - Wearable Tech
      - Connected Home
      - Building Blocks & Platforms
      - Industrial Internet
      - Healthcare
      - In-store Retail
      - Connected Car
      - Venture Capital Firms
      - Corporate Investors
      - Angel Investors
      - Crowdfunding
      - Accelerators/Incubators
      - IoT Acquirers
      - Notable acquisitions
  8. NARROW THINGS – Wearable Tech, Connected Home, Healthcare
  9. IoT: CONCEPT, FACTS, ISSUES – 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  10. WATCHES
  11. WEARABLE TECH – SMARTWATCHES – APPLE WATCH: MITM, Jailbreak, Backup
  12. APPLE WATCH MITM – The Apple Watch Series communicates via Bluetooth with the owner’s iPhone. If the iPhone is not reachable via Bluetooth, Wi-Fi is used for synchronization with Apple servers and the iPhone. Online communication (over Wi-Fi):
      - [iPhone apps ↔ iCloud] – prevents MITM, SSL pinning
      - [Apple Watch ↔ iCloud] – prevents MITM, SSL pinning
      - No way to install an SSL (CA) certificate on the Apple Watch
  13. APPLE WATCH – BREAKING THE LOCKSCREEN – Remove the passcode using your iPhone:
      - Go to “Settings -> General -> Reset”
      - “Erase Apple Watch Content & Settings”
      - “Keep Plan” if the Apple Watch has a cellular plan, otherwise just “Erase All Content & Settings”
      - Pair it again
  14. APPLE WATCH – BREAKING THE LOCKSCREEN – Removing your passcode without an iPhone (power menu):
      - Press & hold the side button
      - Instead of sliding "Power Off", press on it
      - Tap "Erase all content and settings"
      - Tap the green checkmark to confirm
      - Pair it again
  15. APPLE WATCH – BREAKING THE LOCKSCREEN – Unpair the watch via the Apple Watch app & Apple password:
      - Keep your Apple Watch and iPhone close together
      - Open the Apple Watch app on the iPhone
      - Tap the “My Watch” tab, the watch’s name, “Unpair Apple Watch”
      - Press “Keep Plan” for cellular watches
      - Enter your Apple ID password and tap confirm
  16. APPLE WATCH JAILBREAKS – Jailbreaks over USB:
      - Apple Watch Series 1-4 & watchOS 5 – no jailbreak
      - watchOS 4.0-4.1 – v0rtex jailbreak, for developers only: https://github.com/tihmstar/jelbrekTime
      - Apple Watch Series 1-2 & watchOS 3.0-3.2.3 – OverCl0ck jailbreak, still in development: https://github.com/PsychoTea/OverCl0ck
      - Jail & Bluetooth connection over SSH: https://speakerdeck.com/mbazaliy/jailbreaking-apple-watch
  17. APPLE WATCH – BACKUP
      - /mobile/Library/DeviceRegistry.state/properties.bin – binary plist file containing the paired Apple Watch specifics incl. watch name, make, model, OS, GUID
      - Synced data path with GUID, date, local
      - Serial number, UDID, Wi-Fi MAC, SEID (Secure Element ID), Bluetooth MAC
  18. APPLE WATCH – BACKUP – Plists containing the apps installed on the Apple Watch (2 places):
      - /mobile/Library/DeviceRegistry/<GUID>/NanoPreferencesSync/NanoDomains/com.apple.Carousel
      - /mobile/Library/DeviceRegistry/<GUID>
      - Example: /mobile/Library/DeviceRegistry/<GUID>/AddressBook/
  19. APPLE WATCH BACKUP
      - Email – /mobile/Library/DeviceRegistry/<GUID>/NanoMail/registry.sqlite
      - Voicemails – /mobile/Library/DeviceRegistry/<GUID>/PreferencesSync/NanoDomains/com.apple.mobilephone – records containing phone numbers and paths to synced voicemail files
  20. APPLE WATCH BACKUP – PASSBOOK – /mobile/Library/DeviceRegistry/<GUID>/NanoPasses/nanopasses.sqlite3, Pass table: Unique_ID, Type_ID (boarding pass, loyalty pass), encoded pass (value/data)
  21. APPLE WATCH – BACKUP – APPLE HEALTH
      - Encrypted (.hfd) in password-protected / encrypted backups only
      - No data can be obtained from a non-encrypted backup
      - Export in raw/plaintext
      - But wait, we will come back to the Health app soon
  22. APPLE WATCH ACCESS ATTACK LOGIC
  23. IoT: CONCEPT, FACTS, ISSUES – 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  24. APPLE WATCH SUMMARY – The Apple Watch communicates via Bluetooth, or via Wi-Fi if BT is not available. Online communication (over Wi-Fi):
      - [iPhone apps ↔ iCloud] – prevents MITM, SSL pinning
      - [Apple Watch ↔ iCloud] – prevents MITM, SSL pinning
      - No way to install an SSL (CA) certificate on the Apple Watch
      Local data:
      - Not many, but jailbreaks are available
      - Backup still works to access the data
      - Wallet contains booking, card and other info
      Apple Health app:
      - Contains a lot of medical user data
      - Encrypted if the backup is password-protected, and left out of the backup otherwise
      - Contains non-encrypted basic medical user data and a list of app-sources
  25. WEARABLE TECH – SMARTWATCHES – ANDROID WATCH: forensics (physical, logical, network acquisition), screen lock bypassing techniques, root opportunities, Android Wear app
  26. ANDROID WATCH – FORENSICS OF WEARABLE TECH: physical acquisition, logical acquisition, network acquisition (omitted here)
  27. ANDROID WATCH – IMAGING A SMARTWATCH DEVICE
      - The ADB tool should be used to image and explore the Android smartwatch.
      - The dd command, dd if=/dev/block/mmcblk0p12 of=/sdcard/tmp.image, can be used to copy the entire device to an inserted SD card.
      - If time is a factor, investigators can copy specific directories by utilizing the following commands:
      - dd if=/dev/block/mmcblk0p12/data of=/storage/extSdCard/data.dd
      - dd if=/dev/block/mmcblk0p8/cache of=/storage/extSdCard/cache.dd
      - dd if=/dev/block/mmcblk0p3/efs of=/storage/extSdCard/efs.dd
      - dd if=/dev/block/mmcblk0p09/system of=/storage/extSdCard/system.dd
  28. ANDROID WATCH – BREACHING A LOCK SCREEN
      - Google account credentials are known – remote unlock of connected watches via Google’s Android Device Manager
      - Deleting / altering the gesture.key & settings.db files – to remove the lock screen entirely: adb.exe shell; cd /data/system; rm gesture.key
      - The “settings.db” file contains system settings and can cause system-wide changes if modified: update system set value=0
      - Flashing a modified ROM / a reboot in safe mode – to leverage a third-party lock screen
      - Utilize adbkey and adbkey.pub files from other computers that have previously been synchronized with the examined device to create a trust relationship with a new device
      - /.android/<ADB keys> – those files are an SSH key-pair that allow me to mark my computer as "trusted" to my phone.
      - Copies of the ADB keys are stored on synchronized devices in users/<user name>/.android folders
  29. ANDROID WATCHES – ROOT
      Root:
      - 5.1.1 – SuperSU-5.1.1.zip https://supersu.apk.gold/android-5.1.1
      - 6.0.1 – SuperSU-6.0.1.zip https://supersu.apk.gold/android-6.0.1
      - Wear 2.0 – SuperSU-Wear
      - Wear-SuperSU 2.4 – https://androidfilehost.com/?fid=24269982086990060
      Recovery:
      - TWRP – https://eu.dl.twrp.me/bass/
      - 5.1.1 – twrp-3.1.0-0.img
      - 6.0.1 and Wear 2.0 – twrp-3.0.0-0.img
  30. ANDROID WATCH – WEAR OS
      - Tizen OS – Samsung
      - Android Wear OS – Asus Zenwatch, Huawei Watch, LG Watch and many other
      - Many root tools & images for Android Wear up to 2.0
      - Lack of tools for 2.1 and beyond
      - Wear app to access data

      | Android Wear version | Android base version | Release date |
      |---|---|---|
      | 4.4W1 | 4.4 | June 2014 |
      | 4.4W2 | 4.4 | October 2014 |
      | 1.0 | 5.0.1 | December 2014 |
      | 1.1 | 5.1.1 | May 2015 |
      | 1.3 | 5.1.1 | August 2015 |
      | 1.4 | 6.0.1 | February 2016 |
      | 1.5 | 6.0.1 | June 2016 |
      | 2.0 | 7.1.1 | Feb 2017 |
      | 2.6 | 7.1.1 | Nov 2017 |
      | 2.6 | 7.1.1/8.0.0 | Dec 2017 |
      | 2.7 | 7.1.1/8.0.0 | Dec 2017 |
      | 2.8 | 7.1.1/8.0.0 | Jan 2018 |
      | 2.9 | 7.1.1/8.0.0 | Feb 2018 |

      | Wear OS version | Android base version | Release date |
      |---|---|---|
      | 1.0 | 7.1.1/8.0.0 | Mar 2018 |
      | 1.1 | 7.1.1/8.0.0 | April 2018 |
      | 1.2 | 7.1.1/8.0.0 | May 2018 |
      | 1.3 | 7.1.1/8.0.0 | June 2018 |
      | 1.4 | 7.1.1/8.0.0 | July 2018 |
      | 1.5 | 7.1.1/8.0.0 | August 2018 |
      | 1.6 | 7.1.1/8.0.0 | September 2018 |
      | 1.7 | 7.1.1/8.0.0 | October 2018 |
      | 2.0 | 7.1.1/8.0.0 | August 2018 |
      | 2.1 | 7.1.1/9.0.0 | September 2018 |

  31. ANDROID WATCHES – SAMSUNG GEAR – ALL OF THEM (TIZEN): Tizen OS, Bluetooth, USB, no Wi-Fi, optional password protection. #1 Gain root:
      - turn on SDB (‘Smart Development Bridge’),
      - find a ROM, use Odin,
      - reboot to ‘download’ mode – hold down the main button through the turn-off prompt,
      - sdb shell, sdb root
  32. ANDROID WATCHES – SAMSUNG GEAR – ALL OF THEM: #2 Get data as an image
      - Requires root (see step #1)
      - Use anything to image the watch, like Toybox http://landley.net/toybox/
      - adb push toybox /sdcard/download
      - adb shell; su
      - mv /sdcard/download/toybox /dev/
      - chown root:root toybox; chmod 755 toybox
      - cd /dev/block/platform/msm_sdcc; ls -al by-name
      - /* image partition with dd and pipe to netcat, -L puts netcat in listening mode */
      - dd if=/dev/block/mmcblk0p21 | ./toybox nc -L
      - /* Port number being listened to on the watch is displayed for the user */
      - 44477 port displayed (the listening port is chosen per run, so the adb forward and nc commands must use the port the watch actually displays)
      - adb forward tcp:44867 tcp:44867
      - /* Send request to watch on port number 44867 and send it to image file */
      - nc 127.0.0.1 44867 > Samsung.IMG
      - Here is a user partition
  33. ANDROID WATCHES – SAMSUNG GEAR – ALL OF THEM: #3 Results
      - Messages – apps.com.samsung.message.data.dbspace/msg-consumer-server.db
      - Health/Fitness data – apps.com.samsung.shealth/shealth.db
      - Email – apps.com.samsung.wemail.data.dbspace/wemail.db
      - Contacts/Address book – dbspace/contacts-svc.db
  34. ANDROID WATCHES – LG WATCH – ALL OF THEM: Android Wear, USB, Bluetooth, no Wi-Fi. #1 Gain root: turn on ADB, use LG G Watch Restore Tools, reboot to bootloader & unlock it, and push the image:
      - adb reboot-bootloader
      - fastboot oem unlock
      - adb push <SuperSU>.zip /sdcard/download
      - adb reboot-bootloader
      - fastboot boot <twrp>.img
      - Install <SuperSU>.zip, wait for reboot
  35. ANDROID WATCHES – LG WATCH – ALL OF THEM: #2 Get data as an image
      - Requires root (see step #1)
      - Use anything to image the watch, like Toybox http://landley.net/toybox/
      - adb push toybox /sdcard/download
      - adb shell; su
      - mv /sdcard/download/toybox /dev/
      - chown root:root toybox; chmod 755 toybox
      - cd /dev/block/platform/msm_sdcc; ls -al by-name
      - /* image partition with dd and pipe to netcat, -L puts netcat in listening mode */
      - dd if=/dev/block/mmcblk0p21 | ./toybox nc -L
      - /* Port number being listened to on the watch is displayed for the user */
      - 44477 port displayed (as above, use the port the watch actually displays)
      - adb forward tcp:44867 tcp:44867
      - /* Send request to watch on port number 44867 and send it to image file */
      - nc 127.0.0.1 44867 > LG.img
      - Here is a user partition
  36. ANDROID WATCHES – LG WATCH – ALL OF THEM: Results
      - Events/Notifications – data.com.android.providers.calendar.databases/calendar.db
      - Contacts/Address book – data.com.android.providers.contacts.databases/contacts2.db
      - Health/Fitness data – data.com.google.android.apps.fitness.databases/pedometer.db
  37. ANDROID WATCHES – ANDROID WEAR – Mobile device paired with all watches in this app:
      - /com.samsung.android.app.watchmanager/auto_update.xml – a timestamp of the day the Samsung Gear was last updated
      - /com.samsung.android.app.watchmanagerstub/shared preferences/hmonlinehelppref.xml
      - /data/com.google.android.wearable.app/databases/devices.db – list of devices using Android Wear, which listed the LG G Watch
  38. ANDROID SMARTWATCHES ACCESS ATTACK LOGIC
  39. IoT: CONCEPT, FACTS, ISSUES – 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  40. ANDROID WATCH SUMMARY
      Forensics:
      - Commercial forensic tools such as Elcomsoft or Cellebrite are not available for these devices
      - Forensic techniques are still available for the devices
      - Forensics of wear-apps works too, but yields little useful data
      - Known techniques for breaking the Android screen lock work
      OS:
      - Tizen OS – Samsung
      - Android Wear OS – Asus Zenwatch, Huawei Watch, LG Watch and many other
      Root & Recovery:
      - Many root tools & images for Android Wear up to 2.0
      - Lack of tools for 2.1 and beyond
      - SDB, ADB, Fastboot, OEM Unlock
      Data:
      - Contacts, Fitness, Health, Email – in the device
  41. HUAWEI WEAR & HONOR BAND 3-9C7 • Photos of the band and the app (links to the stores) • Insert pictures for the lists into round shapes??
  42. FITNESS TRACKERS – HUAWEI WEAR, HONOR BAND 3-9C7
      - Device MAC address & crash log: DevInfo, debug info – /Documents/hms/oclog/<crash>,<log>
      - Last Wear’s values: sleep (many params), wakeup (many params), distance (steps, ride, climb, …), heart rate, calories
      - Firmware: path to locally stored firmware, URL to download firmware (HTTP !!!), change log, options
      - Geo: speed, timestamp, longitude, latitude, distance, course, duration, altitude
      - User info: picture, name, birthday, height, weight, gender, age
      - Account details: UDID, security token, UserID, SessionID
      - Bluetooth keys
  43. CRASH LOG: DEVINFO, DEBUG INFO – /Documents/hms/oclog/crash
      CRASH: *** -[__NSArrayM replaceObjectAtIndex:withObject:]: index 9223372036854775815 beyond bounds [0 .. 6]
      Stack Trace: ( 0 CoreFoundation 0x00000001834d317c <redacted> + 148 1 libobjc.A.dylib 0x000000018271c528 objc_exception_throw + 56 2 CoreFoundation 0x000000018346bc9c _CFArgv + 0 3 CoreFoundation 0x00000001833a0324 <redacted> + 0 4 HuaweiWear 0x0000000100319064 HuaweiWear + 315492 5 HuaweiWear 0x000000010030ffdc HuaweiWear + 278492 6 libdispatch.dylib 0x0000000182e52a54 <redacted> + 24 7 libdispatch.dylib 0x0000000182e52a14 <redacted> + 16 8 libdispatch.dylib 0x0000000182e5f698 <redacted> + 1016 9 CoreFoundation 0x000000018347b344 <redacted> + 12 10 CoreFoundation 0x0000000183478f20 <redacted> + 2012 11 CoreFoundation 0x0000000183398c58 CFRunLoopRunSpecific + 436 12 GraphicsServices 0x0000000185244f84 GSEventRunModal + 100 13 UIKit 0x000000018caf15c4 UIApplicationMain + 236 14 HuaweiWear 0x00000001005b13f8 HuaweiWear + 3036152 15 libdyld.dylib 0x0000000182eb856c <redacted> + 4 )
      iPhone: iPhone8,4, ClientVersion: 21.0.12, OSVersion: 11.2.6
  44. HUAWEI WEAR – LAST VALUES – /Documents/<*.archiver> files
      <string>{"sleepTotalData":{"shallowSleepTime":0,"totalSleepTime":0,"deepSleepTime":0,"wakeupTimes":0,"wakeupDuration":0,"type":0,"sleepStartTime":0},"distance":3940,"lastHeartRate":0,"steps":4623,"lastHRTimeStamp":0,"calories":216,"date":1537867958.8875299,"totalClimb":0,"daySportInfo":[]}</string>
  45. HUAWEI WEAR: FIRMWARE – /Documents/<*.archiver> files
      <string>{"fireWareMd5":"33E44F1B02292C8B9D00A5DEB91B72AB","firmwareDownloadFilePath":"Nyx_1.5.35.bin.apk","identify":"38:37:8B:B8:C9:C7","firmWareSize":1410023,"deviceType":13,"workMode":2,"forceUpdateFlag":false,"netFirwareVersion":"1.5.35","firmwareLocalPath":"/var/mobile/Containers/Data/Application/9B666199-342F-4897-9577-59B68F5CF40F/Documents/DownloadData/dfu_image_OTA.dfu_Nyx","changeLogContent":"[Optimizations]\nOptimizes calorie counting accuracy while swimming.\nFixes an issue where exercise sessions would suddenly exit due to accidental touches.\nFixes an issue where fitness data would be occasionally cleared.\nOptimizes the TrusleepTM data syncing speed on IOS.\n[Notes]\n1. New features require that Huawei Health APP is updated to version 8.0.1.302 or later for IOS, and 8.0.2.327 or later for Android.\n2. Before updating, make sure the band is charged to at least 20%.\n","status":1,"baseURL":"http://update.hicloud.com:8180/TDS/data/files/p7/s131/G3533/g3039/v155123/f1/"}</string>
  46. HUAWEI WEAR: GEO, SPEED – /Documents/<*.archiver> files
      <string>{"speed":0.63999998569488525,"timestamp":"2018-06-09T05:12:19+0300","longitude":41.512356810310401,"latitude":52.571571199272356,"totalDistance":0,"verticalAccuracy":4,"course":10.546875,"duration":0,"distance":0,"altitude":147.71790409088135,"distanceFilter":0,"horizontalAccuracy":5}</string>
  47. HUAWEI WEAR: USER INFO – /Documents/<*.archiver> files
      <string>{"headImgLocal":"/var/mobile/Containers/Data/Application/9B666199-342F-4897-9577-59B68F5CF40F/Documents/temp_user/temp_user.jpg","age":29,"unitType":0,"nameIsNil":false,"isDefault":true,"weight":78,"userName":"Yury Chemerkin","walkStepLen":77.28,"birthday":19880605,"height":184,"modifyTime":0,"runStepLen":92.736,"gender":0}</string>
  48. HUAWEI WEAR: /Documents/<*.archiver> files
      - Account – account details stored in a protected way
      - Device MAC address – <string>deviceMacAddress</string> <string>38:37:8B:B8:C9:C7</string>
      - Bluetooth keys
  49. HUAWEI WEAR: PERSONAL DETAILS – /Documents/<wear*.db> files – user goals, device details, user measures:
      - m_7_DataSourceTable_temp_user
      - m_7_FitnessMergedDataTable_temp_user
      - m_14_FineSleepDayMergeTable_temp_user
      - m_7_MotionGoalTable_temp_user
  50. HUAWEI WEAR: PERSONAL DETAILS – /Documents/<wear*.db> files – user measures:
      - m_14_HeartRateByDay_temp_user
      - m_14_SportDataByDay_temp_user
      - m_133_MotionPathDetail_temp_user
      - m_7_MotionGoalTable_temp_user
  51. HUAWEI WEAR: PERSONAL DETAILS – /Documents/<wear*.db> files – user measures:
      - m_133_SingleMovementStatistic_temp_user
      - m_133_SingleMovement_temp_user
  52. HUAWEI HONOR SUMMARY
      Local data:
      - Credentials are protected
      - Personal and medical info – plaintext / as is
      Communication:
      - Local – encrypted
      - Online – SSL pinning for all possible connections: registration, login and synchronization
  53. XIAOMI MI BAND 2 & MI FIT
      Online communication:
      - AWS storage in Ireland (EU) mainly, secondary US
      - TLS 1.2, no SSL pinning
      Local data:
      - Action log with details incl. URLs:
      - https://api-mifit.huawei.com/v1/user/manualData.json?r=f8a9d00c3433&t=1512648130831
      - https://api-mifit.huawei.com/users/70000054661/heartRate?r=f8a9d00c3433&t=1512648130848
      - https://api-mifit.huawei.com/v1/data/band_data.json?r=f8a9d00c3433&t=1512648130805
  54. FITNESS APPS – ROAD BIKE, MOUNTAIN BIKE, …
      - GPS data: longitude, latitude, altitude, accuracy, distanceInMeter, upward/downward (meters), timestamp local, timestamp gps
      - Session data: timestamp (start, end), distance, duration, avg & max speed, upward/downward, heartZone values (need a special device)
      - Speed data: timestamp, speed, duration, distance
      - User data: email, password, weight, height, gender, name, birthday
  55. FITNESS APPS – Documents/database.sqlite3 – where to search data:
      - GPS & location
      - HeartRate (requires special devices)
      - Session data
      - Speed
      - User data
  56. FITNESS APPS – LOCATION, MAPS AND USER INFO
      - Location and geo snapshots – DocumentsMapOpenCycleMap.sqlite
      - User info – Documents/database.sqlite3
  57. IoT: CONCEPT, FACTS, ISSUES – 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  58. FITNESS TRACKERS SUMMARY – AMONG TRACKERS & APPS
      Local data:
      - Credentials are usually protected
      - Personal and medical info – plaintext / as is
      Communication:
      - Local – encrypted
      - Online – SSL pinning for all possible connections
  59. IoT: CONCEPT, FACTS, ISSUES – 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  60. APPLE HEALTH – DEVICE PICTURES GO HERE
  61. HEALTHCARE – APPLE HEALTH
      - Valuable data is encrypted and no public cracks are known
      - A small amount of data is not encrypted in the backup
      - List of app-sources (look here for non-encrypted original data)
      - However, a secure built-in app-aggregator does not mean other apps are secure in the same way (of course not)
  62. APPLE HEALTH – WHERE TO FIND DATA?
      - HealthDomain: MedicalID/MedicalIDData.archive
      - HealthDomain: Health/healthdb.sqlite
      - HealthDomain: Health/healthdb_secure.sqlite
      - HealthDomain: Health/healthdb_secure.hfd
      - Exported raw data – any place chosen by the user
  63. APPLE HEALTH – DATA IN DETAILS
      - Name, user pic, height (in cm), and mass (in kg)
      - Geo tracking (mainland/city), iOS version
      - Device info: UDID, name, last connection time
      - Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
      - Medical implants
  64. APPLE HEALTH – HealthDomain: MedicalID/MedicalIDData.archive – name, height, weight, medical implants
  65. APPLE HEALTH – HealthDomain: Health/healthdb.sqlite – bundle_id, app_name; device name, device model, vendor, hardware and software, timestamp
  66. APPLE HEALTH – HealthDomain: Health/healthdb_secure.sqlite
  67. APPLE HEALTH – RAW EXPORT – Recorded by any Apple device & accessed through the Health app:
      - Detailed activity log with timestamps
      - Data can be exported in .xml file format without encryption (!), and even without encryption of the zip file
      - Extracted data can be stored anywhere
  68. APPLE HEALTH – RAW EXPORT – PERSONAL, FITNESS, MEDICAL INFO
      - Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
      - Heart rate data (in count/min) or beats-per-minute (BPM)
      - Steps, distance covered (in km), active energy burned (in kJ), and exercise time (in mins)
      - Blood pressure: diastolic, systolic
      - The exact activity log time (creationDate), and activity start and end times (startDate, endDate)
      - XML parser (free): https://github.com/tdda/applehealthdata
  69. APPLE HEALTH – RAW EXPORT IN EXAMPLES & DETAILS
  70. APPLE HEALTH – RAW EXPORT IN EXAMPLES & DETAILS
  71. IoT: CONCEPT, FACTS, ISSUES – 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  72. HEALTHCARE SUMMARY
      - The Apple Health app is well protected
      - Basic info – date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
      - Exported data is not protected at all
      - The list of app sources & these apps’ data are not protected well
  73. PICOOC MINI (BT) – BODY COMPOSITION SMART SCALE
      - Fat indexes: vertical fat index, body fat
      - Mass: body weight, bone mass, muscle, skeletal muscle
      - Productivity: BMR, body water, protein, metabolic age
      - Delta: tracking changes, charts, reports
  74. PICOOC MINI (BT) – BODY COMPOSITION SMART SCALE
      - BT logs: peripheral info of nearby devices, and the MAC of the scale itself
      - Body scale values: body, muscles, productivity, date & time, device MAC
      - Dev info: MAC, model name, user ID, device picture
      - Friends info: name, account_id, user_id, phone_id, sex (they have to be PICOOC users)
      - User info: nick name, userID, height, age, sex, race, type
      - Sensor values: time, age, OS, race, type, screen size, mobile device info model, environment, language
      - Preferences: local password, unlocking method, last active day
  75. PICOOC BT LOGS – picooc/Documents/BluetoothLog.text – discover indirectly what devices your neighbors have
      - 扫描到设备 – means “Device scanning”
      - 04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ---- .
      - 04-14 13:31:36:453 .扫描到设备 name:Peripheral Info:Name: honor band A1 RSSI: -84 UUID: 626E22D2-AE05-4695-A0D3-0099CF82DF96 ---- .
      - 04-14 13:31:37:408 .扫描到设备 name:Peripheral Info:Name: PICOOC-CQ RSSI: -66 UUID: 8C8E3EDA-7B8C-189F-3865-0A3B9B2C5744 ---- .
      - info.macAddress = D0:49:00:1D:87:8A
  76. PICOOC BT LOGS – picooc/Documents/BluetoothLog.text
      04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ----
      Connect a Galaxy S7 to your Samsung TV with Bluetooth to have fun and share your content (TV with Bluetooth enabled & Samsung Galaxy S7):
      - Open the notification pane on your handset
      - Select Quick Connect and then Scan for nearby devices
      - Select Register TV, tap the new icon with a TV and an arrow
      - Tap the Share button and then Smart View to play any media you play on your phone on the TV
  77. BODY VALUES – picooc/Documents/picooc.sqlite
      CREATE TABLE `body_indexs` (`id`, `weight`, `body_fat`, `visceral_fat_level`, `muscle_race`, `body_age`, `bone_mass`, `basic_metabolism`, `bmi`, `local_time`, `water_race`, `abnormal`, `day_intValue`, `time_period`, `electric_resistance`, `mac`, `body_fat_reference_value`, `skeletal_muscle`);
  78. PICOOC DEVICE AND PREFERENCES
      - Dev info – picooc/Documents/picooc.sqlite
      - Preferences – picooc/Library/Preferences/com.picooc.international.plist:
      <key>PasswordLockType</key> <integer>2</integer>
      <key>PasswordNumherLockContnet</key> <string>7124</string>
      <key>currendDay</key> <string>20180922</string>
      <key>kStartupUserIdKey</key> <integer>4611483</integer>
  79. USER BASIC INFO – MAIN USER – picooc/Documents/PlistFile/UserInfo.plist
      <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>nickName</key> <string>Yury Chemerkin</string> </dict> </plist>
  80. USER EXTENDED INFO – LAST ADDED USER ONLY – picooc/Library/sensorsanalytics-super_properties.plist

      | Key | Value | English |
      |---|---|---|
      | current_age_characteristic | 3 | As is |
      | current_role_is_athlete | false | As is |
      | current_role_height | 178 | As is |
      | current_language | 英语 | English |
      | current_role_age | 58 | As is |
      | current_role_sex | 男 | Man |
      | app_type | PICOOC国际版 | PICOOC Worldwide Version |
      | time_zone | Europe/Moscow | As is |
      | current_role_race | 白 | White |
      | current_role_type | 使用者 | User |

  81. PICOOC SENSOR VALUES – picooc/Library/sensorsanalytics-message-v2.plist.db
      {"time":1537632555035,"_track_id":2682421375,"event":"$AppStart","distinct_id":"9144339","properties":{"current_role_age":30,"$os":"iOS","current_role_race":"白","current_role_type":"主角色","current_role_is_athlete":false,"$screen_width":320,"event_type":"1","$app_version":"3.6.1","current_age_characteristic":3,"$is_first_day":false,"$model":"iPhone8,4","$device_id":"EC640161-EC87-4A90-AD99-5B29A3F86700","$network_type":"WIFI","$carrier":"Mobile TeleSystems","$resume_from_background":true,"$wifi":true,"current_role_height":184,"current_language":"英语","$screen_height":568,"app_type":"PICOOC国际版","time_zone":"Europe/Moscow","$lib_version":"1.9.3","$os_version":"12.0","$is_first_time":false,"$lib":"iOS","$manufacturer":"Apple","current_role_sex":"男","current_role_id":"9144339"},"type":"track","lib":{"$lib_version":"1.9.3","$lib":"iOS","$app_version":"3.6.1","$lib_method":"code"}}
  82. PICOOC MITM – NOT SSL-PINNED
      - Profile URL (publicly accessible): https://cdn2.picooc.com/head/201810/03/20181003_181034000_50589.png
      - Request URL – https://api2.picooc-int.com/v1/api/role/updateRole?sign=3DCE33B1B07E4639394F555F1D95C623&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538579449&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_role&
      - Same URL (publicly accessible): https://picoocheadportrait.oss-cn-beijing.aliyuncs.com/head%2F201810%2F03%2F20181003_181034000_50589.png
      - Request URL – https://picoocheadportrait.oss-cn-beijing.aliyuncs.com
  83. PICOOC MITM – NOT SSL-PINNED – https://api2.picooc-int.com
      GET /v1/api/email/getVerifyStatus?appver=i3.6.1.0&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&lang=en&method=meishayong&os=iOS&push_token=iOS%3A%3AEC640161-EC87-4A90-AD99-5B29A3F86700&roleId=9144339&sex=1&sign=5FB8BF2A5A7664591ECFFC52F5810E84&stimezone=Europe/Moscow&timestamp=1538579363&userId=4611483&verifyUserId=4611483&version=i3.6.1&webver=6 HTTP/1.1
  84. PICOOC MITM – NOT SSL-PINNED
      https://api2.picooc-int.com/v1/api/role/updateRole?sign=2A082A983A3238FBEA7B66AEBF88B706&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538580721&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_role&
  85. PICOOC MITM – NOT SSL-PINNED
      https://api2.picooc-int.com/v1/api/account/updateUserPassword?sign=41EE8B396970992A85E9259B134B96BE&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538581202&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_user_password&
  86. IoT: CONCEPT, FACTS, ISSUES – 1. IoT 2. Wearable Tech 3. Healthcare 4. Connected Home 5. Security & Tips 6. Risk Management
  87. PICOOC SUMMARY
      - Body indexes and changes day-by-day: fat indexes, mass, productivity, delta
      - Dev info, friends’ results, user data
      - Network: data stored on Alibaba servers; profile, device info, credentials, and additionally the password on the password-change tab
      - Bonus: Bluetooth scanner of nearby devices
      - Preferences: local password, unlocking method, last active day
  88. 88. ~30 mHEALTH APPS  Google Fit  MyFitnessPal  RunKeeper - GPS  Nike+ Running  WebMD  Blood Pressure (BP) Watch  Water Your Body  Instant Heart Rate  Drugs.com Medication Guide  Runtastic Pedometer  Noom Walk Pedometer: Fitness  Strava Running and Cycling GPS  Bleep Fitness Test  Fitness Buddy: 300+ Exercises  BodySpace- Social Fitness  Walk with Map My Walk  Endomondo Running Cycling Walking  FitNotes – gym Workout Log  Period Calendar  Period Tracker  My Pregnancy Today  My Baby Today  Calorie Counter by FatSecret  MyNetDiary Calorie Counter PRO  My Diet Diary Calorie Counter  Calories! Basic – cal counter  Calorie Counter  Lifesum- Calorie Counter  User credentials and pins  Personal details of users  User activities  User location  Activity timestamps  Images
  89. 89. ~30 mHEALTH APPS MYFITNESSPAL User profile Pics  com.myfitnesspal.android/cache/Picasso-cache User profile Pics /sdcard/ /data/data/com.myfitnesspal.android/databases/myfitnesspal.db  User details including time zone, gender, date of birth and email - in tables <user_properties, users> - see a pic  User profile pictures - in table <images>  User personal notes - in table <diary_notes>  User records of exercises, food habits and personal measurements - in tables <exercise_entries; exercises; food_entries; foods; measurement_types; measurements>  User last synched items with the server - in table <last_sync_pointers>  User food search history - in table <search_history>
  90. 90. ~30 mHEALTH APPS RUNKEEPER  User profile Pics / fitnesskeeper.runkeeper.pro /cache/Picasso-cache  / fitnesskeeper.runkeeper.pro /databases/RunKeeper.sqlite  User details including activities, trips  Trips deleted by user - in table <deleted_trips>  Activities posted by user - in table <feed>  List of user’s friends - in table <friends>  Images uploaded during trips by user - in table <status_updates>  User settings for each trip - in table <trip_settings>  Places visited during all the trips - in table <points>  Information about each trip - in table <trips>  More tables  The points table is to locate the map coordinates of a user’s route
  91. 91. ~30 mHEALTH APPS PERIOD CALENDAR • Personal info –/data/data/ fitnesskeeper.runkeeper.pro /databases/PC.db. Tables • User - List of the users with passwords (Plaintext passwords, secret questions and answers ) • Period - Period start time and length of users • Note - Diary notes inserted by users • Personal info –/data/data/ fitnesskeeper.runkeeper.pro /databases/PC_PILL.db. Tables • pill - Pills used by users including date and time • pill_record - Details about the pills
92. 92. ~30 MEDICAL/FITNESS/HEALTH APPS
 User credentials: apps may require users to log in with credentials (username and password, PIN, authentication tokens) before they can be used. Credentials are therefore an artefact forensic investigators should look for during app forensics, e.g. determine whether they are stored in, and can be recovered from, the app's databases.
 User personal details: name, gender, date of birth, email address, height, weight and other personal data help investigators positively identify the app or device user.
 User activities: mHealth apps ask users to enter their day-to-day food habits, health conditions, activity or exercise details, diagnoses, medication and symptoms.
 User location: fitness apps let users track exercise, running, jogging, cycling and similar activities and generally store the geographical coordinates of the user during them, which can provide useful evidence.
 Activity timestamps: another important artefact is the timestamp of each user activity. Linking activity timestamps with the corresponding user locations (geographical coordinates) and other relevant information (e.g. CCTV feeds) gives useful information in an investigation.
 Images: profile images, and images taken and posted from a location.
93. 93. ~30 MEDICAL/FITNESS/HEALTH APPS
Artefacts recovered per app (N / P / F codes as on the slides). The last column is the Average Issue Index from the chart on slide 96; its values are consistent with scoring F = 2, P = 1, N = 0 and summing the six columns, so the more data an app stores locally, the higher its index.

| App | Credentials and PINs | Personal details | Activities | Location | Timestamps | Images | Issue index |
|---|---|---|---|---|---|---|---|
| Google Fit | N | N | P | N | F | N | 3 |
| MyFitnessPal | P | F | F | N | F | F | 9 |
| RunKeeper - GPS | N | N | F | F | F | N | 6 |
| Nike+ Running | N | F | F | N | F | F | 8 |
| WebMD | N | N | P | N | N | N | 1 |
| Blood Pressure (BP) Watch | N | P | F | N | F | N | 5 |
| Water Your Body | N | N | F | N | N | N | 2 |
| Instant Heart Rate | N | N | N | N | N | N | 0 |
| Drugs.com Medication Guide | N | F | N | N | P | N | 3 |
| Runtastic Pedometer | N | N | F | N | F | N | 4 |
| Noom Walk Pedometer: Fitness | N | N | F | N | F | F | 6 |
| Strava Running and Cycling GPS | N | F | F | F | F | N | 8 |
| Bleep Fitness Test | N | F | F | N | P | N | 5 |
| Fitness Buddy: 300+ Exercises | N | N | F | N | F | N | 4 |
| BodySpace - Social Fitness | N | F | F | N | P | F | 7 |
| Walk with Map My Walk | N | F | F | F | F | P | 9 |
| Endomondo Running Cycling Walking | N | N | F | F | F | F | 8 |
| FitNotes - Gym Workout Log | N | N | F | N | P | N | 3 |
| Period Calendar | F | F | F | N | P | N | 7 |
| Period Tracker | N | N | F | N | P | N | 3 |
| My Pregnancy Today | P | N | N | N | N | F | 3 |
| My Baby Today | N | F | N | N | P | N | 3 |
| Calorie Counter by FatSecret | N | N | F | N | P | N | 3 |
| MyNetDiary Calorie Counter PRO | N | N | N | N | N | F | 2 |
| My Diet Diary Calorie Counter | N | P | F | N | F | N | 5 |
| Calories! Basic - cal counter | N | N | P | N | F | N | 3 |
| Calorie Counter | N | F | F | N | F | N | 6 |
| Lifesum - Calorie Counter | N | P | F | N | F | F | 7 |

96. 96. ~30 MEDICAL/FITNESS/HEALTH APPS
[Chart: Average Issue Index per app on a 0-10 scale; the values are listed in the last column of the table above. The more data an app stores locally, the higher its index.]
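The artefact hunt described on the previous slides is the same for every app: pull the SQLite database out of /data/data/<package>/databases/, read its schema, and work out which of the six artefact classes it carries and whether credentials sit in it in clear. The script below is an added example (not from the talk or from any of the apps named) that automates that first pass. The table and column names it builds are constructed to mimic the MyFitnessPal, RunKeeper and Period Calendar layouts described above; real schemas differ between app versions, so the keyword lists are heuristics chosen for this example, not a specification. The same approach applies to any app database pulled from a rooted device, for instance the Fire TV browser.db and contacts2.db discussed later in the deck.

```python
"""Triage an app's SQLite database for the six mHealth artefact classes.

Added example, not from the talk. Works on any SQLite file pulled from an
app sandbox; the sample schema below is constructed for the demonstration.
"""
import sqlite3

# Column/table-name prefixes per artefact class (heuristic, chosen for this example).
ARTEFACT_KEYWORDS = {
    "credentials": ("password", "passwd", "pin", "token", "secret"),
    "personal":    ("email", "gender", "birth", "dob", "height", "weight", "phone", "timezone"),
    "activities":  ("exercise", "food", "calorie", "pill", "period", "note", "workout",
                    "measurement", "trip", "step"),
    "location":    ("lat", "lng", "lon", "gps", "coord", "point"),
    "timestamps":  ("time", "date", "created", "updated"),
    "images":      ("image", "img", "picture", "photo", "avatar", "thumbnail"),
}


def _tokens(identifier):
    return identifier.lower().replace("-", "_").split("_")


def _classes(identifier):
    """Artefact classes suggested by a table or column name."""
    toks = _tokens(identifier)
    return {cls for cls, words in ARTEFACT_KEYWORDS.items()
            if any(t.startswith(w) for t in toks for w in words)}


def schema(conn):
    """{table: [column, ...]} for every user table, in name order."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    return {t: [row[1] for row in conn.execute(f'PRAGMA table_info("{t}")')] for t in names}


def classify(conn):
    """{table: {artefact_class: [matching columns]}}; a table name alone may add a class."""
    report = {}
    for table, cols in schema(conn).items():
        per_class = {}
        for cls in _classes(table):
            per_class.setdefault(cls, [])
        for col in cols:
            for cls in _classes(col):
                per_class.setdefault(cls, []).append(col)
        report[table] = per_class
    return report


def summarize(report):
    """{artefact_class: [tables carrying it]}, the per-app row of the slide table."""
    summary = {cls: [] for cls in ARTEFACT_KEYWORDS}
    for table, classes in report.items():
        for cls in classes:
            summary[cls].append(table)
    return summary


def plaintext_secrets(conn, report):
    """Dump values of credential columns to confirm they are stored in clear."""
    found = []
    for table, classes in report.items():
        for col in classes.get("credentials", []):
            rows = conn.execute(f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL')
            found.extend((table, col, str(value)) for (value,) in rows)
    return found


def build_sample_db():
    """Constructed in-memory stand-in for the app databases on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        -- MyFitnessPal-like
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, gender TEXT,
                            birthday TEXT, timezone TEXT);
        CREATE TABLE images (id INTEGER PRIMARY KEY, user_id INTEGER, image_url TEXT);
        CREATE TABLE diary_notes (id INTEGER PRIMARY KEY, note TEXT, created_at TEXT);
        CREATE TABLE exercise_entries (id INTEGER PRIMARY KEY, exercise_id INTEGER,
                                       calories INTEGER, entry_date TEXT);
        -- RunKeeper-like
        CREATE TABLE points (trip_id INTEGER, latitude REAL, longitude REAL, time_at_point INTEGER);
        -- Period Calendar-like
        CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, password TEXT,
                           secret_question TEXT, secret_answer TEXT);
        CREATE TABLE period (id INTEGER PRIMARY KEY, user_id INTEGER, start_date TEXT, length INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.com', 'F', '1990-01-01', 'Europe/Bucharest');
        INSERT INTO user VALUES (1, 'alice', '1234', 'first pet', 'rex');
        INSERT INTO points VALUES (1, 44.4268, 26.1025, 1541673600);
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    hits = classify(db)
    for cls, tables in summarize(hits).items():
        print(f"{cls:12s} {'N' if not tables else ', '.join(tables)}")
    for table, col, value in plaintext_secrets(db, hits):
        print(f"plaintext credential: {table}.{col} = {value!r}")
```

Point `sqlite3.connect()` at a real myfitnesspal.db or PC.db instead of `build_sample_db()` to get the per-class table list for that app; `plaintext_secrets()` is what turns a "P" into an "F" for the credentials column.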
98. 98. HEALTHCARE SUMMARY
The native Health app is well protected, but the basic information is not
 Basic info: date of birth, sex, blood group, skin type, height (cm) and mass (kg)
 Exported data is not protected at all
Source apps (medical, fitness, health, ...)
 Their data contains everything: GPS, timestamps and lots of day-by-day changes
 They usually store data locally, but basic activity over the network can be intercepted and credentials obtained
Pseudo-health apps usually leave the user to handle all the data himself
 Friend list, credentials, secret questions and answers
 Body values, timestamps, visited places and geolocation
 Medical periods, schedules, pills and so on
 Preferences, searches
100. 100. APPLE TV – FIVE GENERATIONS
Mac OS X, iOS, tvOS
Common ways to break in:
 Jailbreak tools
 Password management
 USB acquisition
 Backup
 Jailbroken acquisition
 Profiling
101. 101. APPLE TV – 1ST GENERATION, EASY TO BREAK
The first edition of the Apple TV runs Mac OS X from a hard disk, which makes breaking in much easier
All possible ways to break into the first Apple TV were shown at Def Con 17 (2009):
 "Hacking the Apple TV and Where Your Forensic Data Lives", Kevin Estis and Randy Robbins
 https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-kevin_estis-apple_tv.pdf
 https://www.youtube.com/watch?v=z-WCy3Bdzkc
102. 102. APPLE TV – 2ND-5TH GENERATION, EASY TO BREAK TOO
 Break in the same way as into any other Apple mobile device (iPhone, iPad)
 The backup contains valuable data (forensic tools work on it too)
 Find a jailbreak to obtain the whole OS
 Look for user content: Netflix, iTunes, NHL, NBA, Vimeo, YouTube
 Get access to app data and recover credentials or card details, depending on the application
 Why do people jailbreak the Apple TV?
 • An outdated, compromised Apple TV 2 with OpenSSH and the default password: https://www.tvaddons.co/appletv2-jailbreak-threat/
 • Direct access to the filesystem and file management beyond backups and the cloud
 • Streaming media from devices other than AirPlay or iOS devices
 • Sideloading third-party tools: Kodi, Hulu, Last.fm, XBMC, nitoTV, Pandora Radio and other apps
 • Skipping the $100 developer license while getting access to hundreds of music, TV and movie sources
103. 103. APPLE TV DATA EXAMINATION & FORENSICS
 Apple TV jailbreak support: https://pangu8.com/appletv.html
 Apple TV 1: scripts, SSH, HDD extraction and other ways
 Apple TV 2: Seas0nPass jailbreak for software versions 4.3 - 5.3 (untethered) and 6.1.2 (tethered)
 Apple TV 3: no jailbreak, many scams; Snow3rd possibly works for 5.0 and 5.0.1, not for 5.0.2 or later
 Apple TV 4:
 • Pangu9 for tvOS 9.0 - 9.0.1
 • LiberTV for tvOS 9.1 - 10.1
 • GreenG0blin for tvOS 10.2.2
 Apple TV 4 / 5:
 • LiberTV for tvOS 11.0 and 11.1
 • Electra for tvOS 11.2 - 11.3
104. 104. APPLE TV DATA EXAMINATION & FORENSICS
 The USB port is reserved for "service and support" purposes and is gone since the 5th generation (Apple TV 4K)
 No password management at all: there is no password or passcode protection on the device
 Restrictions instead: Use Restrictions on your Apple TV, https://support.apple.com/en-md/HT200198
 • Everything is allowed by default
 • Restrictions put a passcode on purchases, apps, content, settings and remote pairing (nobody blocks pairing in practice)
 • The account password is required for purchases, as on any Apple device (https://support.apple.com/en-us/HT204030)
105. 105. APPLE TV – 2ND-4TH GEN USB ACQUISITION (USB, MICRO-USB, USB-C); 5TH GEN OUT OF SCOPE (NO USB)
The AFC (Apple File Conduit) service works here: /private/var/mobile/Media
USB acquisition gives:
 Basic device information
 Real-time log (syslog) and crash logs
 Part of the file system (the "Media" folder)
Device information:
 MAC addresses: Wi-Fi, Bluetooth, Ethernet
 Name, time zone, serial number, model
Tools: ideviceinfo and idevicesyslog from http://www.libimobiledevice.org/
106. 106. APPLE TV BACKUP
 Real-time log
 Crash log
 MediaLibrary.sqlitedb
 iCloud account name
 iCloud ID
 Wi-Fi networks
 Device usage timeline
 Shopping database
107. 107. APPLE TV – 2ND-5TH GEN JAILBREAK
Time zone: /private/var/db/timezone/localtime
Network TCP/IP lease: /private/var/db/dhcpclient/leases/
Network Wi-Fi history: /private/var/preferences/com.apple.wifi.plist
108. 108. APPLE TV – 2ND-5TH GEN JAILBREAK
Keyboard dictionary: /private/var/mobile/library/keyboard/dynamic-text.dat
Accounts: /private/var/mobile/library/accounts/ and /private/var/mobile/library/preferences/com.apple.ids.service.com
 User email
 User info: email and phone, e.g. yury.chemerkin@icloud.com, +79851719122
109. 109. APPLE TV – 2ND-5TH GEN JAILBREAK
iCloud synced preferences: /var/mobile/Library/SyncedPreferences/
 Wi-Fi access points: com.apple.wifid.plist
 Weather cities: com.apple.nanoweatherprefsd.plist, e.g. Moskva, Lianozovo District, 55.800149, 37.565483
110. 110. APPLE TV – 2ND-5TH GEN JAILBREAK
Headboard:
 /private/var/mobile/library/com.apple.headboard/apporder.plist
 /private/var/mobile/library/caches/com.apple.tviconscache/com.apple.headboard
 /private/var/mobile/library/caches/com.apple.headboard/fscacheddata
111. 111. APPLE TV – 2ND-5TH GEN JAILBREAK
App snapshots: /private/var/mobile/library/caches/com.apple.pineboard/assetlibrary/snapshots/
Cached video: /private/var/mobile/library/caches/appletv/video/
112. 112. APPLE TV – 2ND-5TH GEN JAILBREAK
Installed applications:
 /private/var/db/lsd/com.apple.lsdidentifiers.plist
 /private/var/mobile/containers/bundle/
 /private/var/mobile/containers/data/application/
113. 113. APPLE TV – 2ND-5TH GEN JAILBREAK
[Screenshots: country and last activity; app snapshots (YouTube)]
114. 114. APPLE TV – ANY GEN: PROFILING AS A KIND OF PROTECTION
TV Remote payload: designated by the PayloadType value com.apple.tvremote. If the key is not present, or the list is empty, any device is allowed to connect. Available in tvOS 11.3 and iOS 11.3 and later.
Keys:
 AllowedRemotes
 AllowedTVs
 RemoteDeviceID
 TVDeviceID
https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf
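Since the Apple TV has no passcode, this payload is the only way to pin down which remotes may pair with it, and its edge case is the dangerous one: an absent or empty AllowedRemotes list restricts nothing. The script below is an added example (not Apple's code and not from the talk) that builds such a profile with plistlib and models the documented allow rule so the "empty means allow all" case can be checked before deployment. The key names come from the slide and the Configuration Profile Reference; the nesting (AllowedRemotes as a list of dictionaries each holding a RemoteDeviceID, AllowedTVs likewise with TVDeviceID) is my reading of that reference, and the org.example identifiers, display names and device IDs are made up.

```python
"""Build and evaluate a tvOS 'TV Remote' (com.apple.tvremote) restriction profile.

Added example, not from the talk or from Apple. Identifiers and device IDs
are invented; the allow rule follows the slide: no list or an empty list
means any remote may connect.
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.tvremote"


def tvremote_payload(allowed_remote_ids, allowed_tv_ids=(), org="org.example"):
    """Top-level configuration profile carrying one TV Remote payload."""
    inner = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadIdentifier": f"{org}.tvremote",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Restrict remote pairing",
        # Assumed nesting: one dictionary per allowed device, keyed as on the slide.
        "AllowedRemotes": [{"RemoteDeviceID": rid} for rid in allowed_remote_ids],
        "AllowedTVs": [{"TVDeviceID": tid} for tid in allowed_tv_ids],
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": org,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Apple TV pairing restriction",
        "PayloadContent": [inner],
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def _allowed(profile_bytes, list_key, id_key, device_id):
    """Documented rule: missing or empty list allows everything; otherwise exact match."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PAYLOAD_TYPE:
            continue
        entries = payload.get(list_key) or []
        if not entries:
            return True
        return any(entry.get(id_key) == device_id for entry in entries)
    return True  # no TV Remote payload installed at all: nothing is restricted


def remote_allowed(profile_bytes, remote_device_id):
    """May this remote (by RemoteDeviceID) pair with the TV under this profile?"""
    return _allowed(profile_bytes, "AllowedRemotes", "RemoteDeviceID", remote_device_id)


def tv_allowed(profile_bytes, tv_device_id):
    """May the Remote app talk to this TV (by TVDeviceID) under this profile?"""
    return _allowed(profile_bytes, "AllowedTVs", "TVDeviceID", tv_device_id)


def is_open(profile_bytes):
    """True when the profile would let any remote pair, i.e. it protects nothing."""
    return remote_allowed(profile_bytes, "")


if __name__ == "__main__":
    strict = to_mobileconfig(tvremote_payload(["REMOTE-AAAA-1111"]))
    loose = to_mobileconfig(tvremote_payload([]))
    print("strict profile open to any remote:", is_open(strict))
    print("empty-list profile open to any remote:", is_open(loose))
```

`is_open()` is the deployment check: a profile generated from an empty inventory installs cleanly and looks like a control, yet leaves pairing exactly as unrestricted as no profile at all.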
116. 116. APPLE TV SUMMARY
Lots of jailbreaks
 Except for the Apple TV 3
 The Apple TV 1 is based on Mac OS X, so it is broken the same way as a Mac
Password management
 No password
 No restrictions by default
 Restrictions handle content only
Apple TV 2-5
 Apple TV 2-4 have a USB port that gives device info, the time log, crash logs and the Media folder
 The Apple TV 5 has no USB port
Jailbroken Apple TV
 Time zone, network info and history, keyboard and account info
 iCloud preferences, Wi-Fi access points, weather cities (a list that is easy to map back to a location)
 Headboard, app snapshots, cached video
 App list, app data, app snapshots
117. 117. AMAZON TV: PREREQUISITES
Amazon Fire TV Stick
An Amazon account plus other accounts per app
MITM is out of scope here (it comes back with the Amazon Echo Dot)
Forensic tools: no support at the moment
Known ways to break in:
 Root
 Data acquisition (streaming, photos, apps, sideloaded Android apps)
118. 118. AMAZON TV BREAK OPPORTUNITIES
 No support from forensic tools
 Sideloading is allowed; ADB exists and is off by default
 Rooting: many root apps (such as KingRoot) target outdated Fire OS builds such as 5.0.5, but not only those
 Rooting requires a keyboard; the TV remote is not supported
 Use the dd command to obtain an image of the Fire TV
119. 119. AMAZON TV ROOT, BOOTLOADER, SIDELOADING
Non-root things
 Sideloading is allowed without root, as on Android
 Bootloader: 51.1.x.x is unlocked; 5.x.x.x is locked, but 5.0.x is unlockable (no information about older versions)
 Downgrading might be possible
Roots
 Fire TV 1: rootable on 51.1.0.0 - 51.1.6.3, 5.0.3 and 5.0.5; no root for 5.0.5.1 and 5.2.1.0 - 5.2.6.3
 Fire TV 2: rootable on 5.0.0 - 5.2.1.1; no root for 5.2.4.0 - 5.2.6.3
 Fire TV 2: pre-rooted ROM for 5.2.6.6 (http://www.aftvnews.com/pre-rooted-5-2-6-6-rom-is-now-available-for-the-fire-tv-2/)
 Fire TV 3, Fire TV Cube: no root and no pre-rooted ROM
 Fire TV Stick 1: rootable on 5.0.0 - 5.2.1.1; no root for 54.1.2.3 and older or for 5.2.1.2 - 5.2.6.3
 Fire TV Stick 2: no root, except a hardware root with direct access to the device's eMMC storage (http://www.aftvnews.com/amazon-fire-tv-hardware-root-demonstrated/)
 Fire TV Edition television: rootable on 5.2.5.0; no root for 5.2.5.1 - 5.2.6.3
120. 120. AMAZON TV: ROOTED TV
 browser.db: browser history, websites visited with Mozilla Firefox
 [root]/data/com.amazon.bueller.photos/files/cmsimages: pictures from Amazon Cloud Drive, reformatted for viewing on the Fire TV Stick
 [root]/data/com.amazon.device.controllermanager/databases/devices: Bluetooth devices paired with the Fire TV, with their names and MAC addresses (keyboard, mouse, Amazon Fire TV remote)
 [root]/data/com.amazon.device.logmanager/files: Amazon logs, including Log.amazonmain
121. 121. AMAZON TV: ROOTED TV
/data/data/ = all application data is stored in this directory
 com.amazon.venezia/ = Amazon Appstore data
 • /cache/ = thumbnails and previews for Appstore apps
 • /databases/ = SQLite files in each folder
 • /contentProvider = table "Apps" holds app names ("key") linked to thumbnails ("thumbnailUri") and previews ("previewUri") found in the ../cache directory
 • /locker = workflow, orders, wishlist, applications, cache, content tokens
 • /logging = logs of the Appstore application
 com.android.cloud9/ = Amazon browser data
 • /cache/webviewcache/ = cached content
 • /databases/ = SQLite files in each folder
 • /webview.db = WebView cookies and form data
 • /webviewCache.db = maps the files in the ../cache/webviewcache/ directory to URLs
 • /browser.db = history and bookmarks, plus paths to the page previews and thumbnails stored in ../files
 • /files/ = page previews and thumbnails stored as JPEG (cross-linked from browser.db above)
 • /shared_prefs = shared preferences
 com.amazon.providers.contacts/databases/contacts2.db = all contacts
  122. 122. FORENSIC ANALYSIS METHOD FOR THE AMAZON FIRE TV STICK
124. 124. AMAZON TV: SUMMARY
 Several older firmware versions are affected by rooting tools
 Rooting requires a Bluetooth keyboard, which is not a big deal for a TV
 Sideloading is allowed without root
 ADB is possible
 Downgrading the Fire TV Stick software/firmware might be possible
 Personal data is revealed
 Credentials of streaming services are found: Netflix, NHL, NBA, Vimeo, ...
 Kodi gives access to hundreds of music, TV and movie sources
 No way to restrict connections and bind the TV and the controlling device to each other only
 Fire OS 5.x is based on Android 5.1.1 Lollipop, Fire OS 6.x on Android 7.1 Nougat
125. 125. AMAZON ECHO DOT
• Pictures and specification
126. 126. AMAZON ECHO DOT
 Local access
 Bootloader
 MITM: SSL, MITM, firmware MITM
 Credential breaks
127. 127. AMAZON ECHO DOT: LOCAL ACCESS, LACK OF ROOT
 The Echo Dot has no ADB, but a MediaTek (MTK) preloader shows up on USB:
    Bus 001 Device 010: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
 However, SP Flash Tool does not work at the moment
 Bootloader: press and hold 'Uber' while it is loading; the bootloader is locked and no unlocking key is available
    Bus 001 Device 019: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo (the generic fastboot USB ID)
    # fastboot devices
    fastboot
    # fastboot getvar all
    lk_build_desc: c1.....
    prod: 1
    unlock_status: false
    serialno: [.....]
    product: BISCUIT
    version-preloader: 0.1.00
    version: 0.5
128. 128. AMAZON ECHO DOT MITM: WHAT ABOUT SSL?
Self-signed certificates are allowed on Alexa for developers
 https://developer.amazon.com/docs/custom-skills/configure-web-service-self-signed-certificate.html
 https://www.amazon.com/gp/help/customer/display.html?nodeId=201589180
Change the endpoint configuration and region
Make Alexa install the certificate of the intercepting tool
 No luck: the Echo Dot as a device refuses it
 Try the Alexa app instead: it comes pre-installed on Kindle Fire tablets, or download it for Android or iOS
129. 129. AMAZON ECHO DOT MITM: FIRST-TIME SETUP
 Navigate in a browser to https://alexa.amazon.com
 Up to the end of 2017 the redirect to the Alexa setup page was a plain http URL (!)
 Expected: credentials stolen in plaintext and a session cookie that only expires in 2036, as seen before (no luck with that earlier)
 The sign-in request:
    POST /ap/signin?ie=UTF8&pf_rd_r=yyyyyyy&pf_rd_m=xxxxxx&pf_rd_t=6301&pf_rd_i=amzn_dp_project_dee&pf_rd_p=xxxxx&pf_rd_s=signin-slot HTTP/1.1
    Host: www.amazon.com
    Content-Length: 1349
 The response sets a session cookie with Max-Age=630720000, i.e. 20 years:
    "name": "Set-Cookie",
    "value": "session-token="xx/y//zz=="; Version=1; Domain=.amazon.com; Max-Age=630720000; Expires=Sat, 01-Nov-2036 22:39:37 GMT; Path=/"
Now
 HTTPS throughout, which prevents the MITM
 The certificate expires every 2 years
130. 130. AMAZON ECHO DOT MITM: FIRMWARE
Intercepting firmware updates is possible. The request for the binary firmware:
    GET /obfuscated-otav3-9/…/update-kindle-full_biscuit-XXXX_user_[XXXXXXXXX].bin HTTP/1.1
    Host: amzdigitaldownloads.edgesuite.net
    Connection: close
    User-Agent: AndroidDownloadManager/5.1.1 (Linux; U; Android 5.1.1; AEOBC Build/LVY48F)
The firmware contains build.prop, i.e. it is built as Android and ships .APKs:
    ro.build.version.fireos=5.5.0.3
    ro.build.version.fireos.sdk=4
The .bin firmware is not encrypted:
    -rw-r--r-- boot.img; file_contexts
    drwxr-xr-x images; META-INF
    -rw-r--r-- ota.prop
    drwxr-xr-x system
    -rw-r--r-- system.new.dat; system.patch.dat; system.transfer.list
131. 131. AMAZON ALEXA APP
The Alexa app has good, solid protection
 No sensitive data stored locally
 Well-encrypted communication (online and internal) using TLS 1.2
 However, MITM is possible because no SSL pinning is used: credentials and all communication are compromised
132. 132. AMAZON ECHO DOT, ALEXA APP – MITM, NOT PINNED
Credentials
 {"Credentials":{"AccessKeyId":"ASIAXHE6EPSWNVIGFBVP","Expiration":1.538588872E9,"SecretKey":"+8gSx7/H.....U="},"IdentityId":"us-east-1:503e25f6-2302-4dcd-8cb2-64a0e888f76b"}
 Email and password from the POST to https://www.amazon.com/ap/signin
Device info plus token
 Metrics: https://device-metrics-us-2.amazon.com/metricsBatch
 HTTP_USER_AGENT DAMZN(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)
 CountryCode RU
Profile
 Name, billing address, shipping address
 Device IDs, types, account ID, device capabilities
The first answer as .mp3 (https://tinytts.amazon.com/) is stored for a long time (at least a couple of months)
133. 133. AMAZON ALEXA APP: LOCAL
 Library/Application Support/device.sqlite: device list with IDs and serials
 Library/METRICS_NORMAL*: logs and metrics, e.g. HTTP_USER_AGENT(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)
 Library/Preferences/com.amazon.echo.plist: account info
 Documents/LocalData.sqlite: device settings
134. 134. AMAZON ECHO DOT & ALEXA APP
Alexa and Echo allow many users to manage devices
 Echo has no voice differentiation capability and no protection against non-human or repeated speech
Each device is locked with a 4-digit PIN
 The PIN space is ~10k values
 Two wrong attempts and the ordering has to be restarted, but there is no limit on the total number of attempts
 Brute-force it in 2 days
How to break
1. A computer says the wake word followed by the command to order an Amazon Echo Dot
2. Alexa responds with the top Amazon search result and asks whether the user wants to place the order
3. The computer confirms the order
4. Alexa asks for the 4-digit PIN
5. The computer guesses the next PIN in numerical order
6. Alexa accepts or rejects the PIN
7. The computer guesses the next PIN in numerical order
Repeat until it breaks: up to 48 h
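The weakness in the slide above is not the 4-digit PIN but the lockout that forgets: the miss counter lives in the ordering session, so every "restart" hands the attacker two fresh attempts and nothing ever caps the total. The model below is an added example (not Amazon's code and not from the talk) that replays the attacker's numerical walk against two toy verifiers: one with the per-session counter described on the slide, one with a per-device counter that survives restarts and locks the device after a cap. The verifier classes, the cap of 10 and the PIN values are constructed for the illustration.

```python
"""Toy model of the Alexa purchase-PIN lockout from the slide, and a fixed policy.

Added example, not from the talk. PerSessionLockout mimics the behaviour
described: two misses end the session, a restart wipes the only counter.
DeviceLockout keeps a counter the restart cannot reset and caps it.
"""
from dataclasses import dataclass

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]   # all 4-digit PINs, ascending


@dataclass
class PerSessionLockout:
    """Flawed policy: the miss counter belongs to the session, nothing persists."""
    pin: str
    per_session: int = 2
    misses: int = 0
    locked: bool = False

    def needs_restart(self):
        return self.misses >= self.per_session

    def restart_session(self):
        self.misses = 0          # the attacker's 'restart' wipes the only counter

    def try_pin(self, guess):
        if self.needs_restart():
            return False          # session over, caller must restart first
        if guess == self.pin:
            return True
        self.misses += 1
        return False


@dataclass
class DeviceLockout(PerSessionLockout):
    """Hardened policy: a per-device counter that restarts do not reset, with a cap."""
    max_total: int = 10
    total_misses: int = 0

    def restart_session(self):
        self.misses = 0          # session counter resets, the device counter does not

    def try_pin(self, guess):
        if self.locked or self.needs_restart():
            return False
        if guess == self.pin:
            return True
        self.misses += 1
        self.total_misses += 1
        if self.total_misses >= self.max_total:
            self.locked = True   # stays locked until the owner re-authenticates
        return False


def brute_force(verifier):
    """The attacker from the slide: guess PINs in numerical order, restarting as needed.

    Returns (pin_found_or_None, attempts_made).
    """
    attempts = 0
    for guess in PIN_SPACE:
        if verifier.locked:
            return None, attempts
        if verifier.needs_restart():
            verifier.restart_session()
        attempts += 1
        if verifier.try_pin(guess):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    print("per-session lockout:", brute_force(PerSessionLockout(pin="4242")))
    print("device lockout     :", brute_force(DeviceLockout(pin="4242")))
```

Against the per-session policy the walk always succeeds, needing at most 10,000 guesses, which is where the slide's two days comes from; against the device-wide cap the attacker gets exactly `max_total` guesses in total, i.e. a 0.1 % chance with a cap of 10, and then the device is locked whatever it does.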
136. 136. AMAZON ECHO DOT & ALEXA APP SUMMARY
 Intercepting firmware updates is possible
 Alexa allows self-signed certificates but does not accept a Burp/Charles certificate
 • True for the Echo Dot device
 • The Alexa app relies on TLS 1.2 but is open to MITM with a self-signed certificate (no pinning)
 Not everything is HTTPS
 Fire OS is based on Android: https://en.wikipedia.org/wiki/Fire_OS
 • 5.x is Android 5.1.1 Lollipop; the Echo Dot is still on 5.x
 • 6.x is Android 7.1 Nougat
 Even a hardware root is possible: https://vanderpot.com/Clinton_Cook_Paper.pdf
137. 137. READYFORSKY
138. 138. CONNECTED HOME: READYFORSKY
 Backup
 MITM: hub, remote
 BT MITM: out of scope
139. 139. READYFORSKY: DOCUMENTS/R4S.SQLITE
 Device list, models, pairing text
 Recipes per device (how to cook, basic details and requirements)
 Username, email
 User devices and MAC addresses
140. 140. READYFORSKY MITM
 Firmware version 2.29, fetched over plain http: http://service2.readyforsky.com/firmware/list/148/["2.29"]
 Device picture: http://image-server.readyforsky.com/i/1899/200x200.png
 Recipes: black tea, green tea, others
 Do something with the kettle: https://content.readyforsky.com/api/program/catalog/id:IN:90,97?locale=en
    "id": 90,
    "protocol_id": 0,
    "value": "BOILING" / "HEATING"
    "value": "40" | "55" | "70" | "85" | "95"
141. 141. READYFORSKY MITM
Credentials, password, tokens
 https://content.readyforsky.com/headless/change-password
    {"current_password": "1", "plainPassword": "1"}
    { "error": "invalid_grant", "error_description": "The access token provided is invalid."}
    { "access_token": "YjNhYmEwOWM1ZDcwYTk0ODU1ODhmZDZiMDRjNjA5NzUyN2YzM2VhNGUyMjBhYzc0ZjBhYWRhY2IzZmNjMzdiOA",
      "expires_in": 86400, "token_type": "bearer", "scope": "r4s",
      "refresh_token": "YzE4ZGUwN2NkMzdiMDBlYmM5NGQwMGVjYmU4YThkYTVkMGE1ZTc4ODQ2MDRkNjhhZWY4NGIxZjlkODRhZGI3MQ" }
142. 142. READYFORSKY MITM
User details: https://content.readyforsky.com/api/user/current
    "username": "yurychemerkin",
    "username_canonical": "yurychemerkin",
    "email": "yury.chemerkin@gmail.com",
    "last_login": null,
    "enabled": true,
    "locked": false,
    "expired": false,
    "id": 527679
Client address 192.168.1.38:50654 (this port changes); remote address content.readyforsky.com/178.62.194.132:443 (fixed port)
143. 143. READYFORSKY MITM
Device details: https://content.readyforsky.com/api/device/user
    "name": "RK-G200S", "address": "E7:7F:BC:60:C2:2A"
    "name": "Gateway XIAOMI Redmi 4X", "address": "77d3efcf-f627-402e-bbed-4ee0c8290417"
145. 145. REDMOND SUMMARY
Communications & MITM
 App, hub, device IPs and ports including internal info; device info (name, model, network info)
 Actions, recipes, to-dos
 Credentials, passwords, tokens
 User details and login details
Local
 Device list, models, pairing text
 Recipes per device (how to cook, basic details and requirements)
 Username, email
 User devices and MAC addresses
146. 146. LIGHTING: Lightify, IKEA TRÅDFRI, Philips Hue
147. 147. LIGHTIFY
 Lightify is an IoT platform with the simplest integration of wireless lighting
 It requires a Lightify account
 Online communication uses the QUIC protocol, encrypted over UDP
 Wireshark does not support QUIC decryption at the moment; the drafts at tools.ietf.org/wg/quic are also not very detailed on the ciphers
 The Lightify gateway communicates locally over TCP completely unencrypted, via a binary protocol: https://github.com/noctarius/lightify-binary-protocol#basics-about-the-protocol; a plugin to manage the lights: https://github.com/tfriedel/python-lightify
 Credentials are stored in a local folder (shared preferences)
148. 148. IKEA TRÅDFRI
Smart lighting and an assistant to control it
No online communication except firmware requests in plaintext:
    GET http://fw.ota.homesmart.ikea.net/feed/version_info.json
    User-Agent: HertzClient/1.0
    Host: fm.ota.homesmart.ikea.net
    Connection: close
    Response: no response
Local communication is DTLS (TLS over UDP)
 Pairing via QR code (serial number = MAC address, security code = pre-shared key)
 The QR code can be recovered for later decryption
Locally stored data
 The QR code is encrypted and stored in the keystore; root is needed to access it
 The keystore does not work on outdated Android (< 4.3)
 On outdated Android the app falls back to AES with the key "Bar12345Bar12345" shipped as a resource in "key_file.txt" inside the APK
 The issue: a patched APK with the strong encryption removed
149. 149. PHILIPS HUE
 Hue lights, lamps and more, with a smart assistant and a bridge that works through Philips servers
 The list of paired apps and services, with timestamps, is sent across Hue apps
 Online communication
 • [Bridge servers] works over HTTP with an additional layer of AES encryption; the secret key must be stored somewhere, but no luck finding it
 • [App servers] works over HTTPS with SSL pinning
 Local communication works over plain HTTP:
    PUT http://192.168.1.38/api/Ds7KfNjjYtC8uNmU8azGBiOSj-uacXI0q0JKaTs/groups/1/action
    Host: 192.168.1.38
    Accept: */*
    Content-Type: application/json
    Content-Length: 11
    {"on":true}
 Loading malicious firmware over the air: http://iotworm.eyalro.net/
 In 2016, researchers hacked Hue lights via ZigBee from a distance of more than 200 meters: http://iotworm.eyalro.net/iotworm.pdf
151. 151. LIGHTING SUMMARY
IoT platforms: Lightify, IFTTT
 One account gives access to all tokens and credentials used to manage services, devices and data
Communication
 Online: usually encrypted; MITM sometimes possible
 Local: unprotected, custom protocols and encryption, usually already analyzed
 Firmware: usually plaintext; malicious updates are possible
Local
 Credentials, logs, data
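The communication findings across the Echo Dot, ReadyForSky and lighting slides repeat the same handful of checks on a proxy capture: a plaintext scheme, firmware pulled over HTTP, an API key sitting in the URL, credential fields in a request body, a bearer token that a non-pinned app would hand to any interposed TLS endpoint, an HTTPS page redirecting to HTTP, and session cookies with no Secure/HttpOnly and multi-year lifetimes (the 20-year Max-Age from the Alexa first-time-setup slide). The script below is an added example (not from the talk and not any vendor's code) that runs those checks over captured flows. The sample flows are constructed from the URLs and headers quoted on the slides (IKEA OTA check, Hue local API, ReadyForSky change-password, Amazon sign-in cookie, the old Alexa setup redirect); the request bodies, the bearer token value and the redirect target are invented, and the keyword lists are heuristics chosen for this example.

```python
"""Triage captured IoT app traffic for the issues the slides keep finding.

Added example, not from the talk. Sample flows are constructed from the
slides; bodies, tokens and the redirect target are invented.
"""
import json
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

ONE_YEAR = 365 * 86400
CRED_TOKENS = {"password", "passwd", "pass", "pin", "secret", "otp"}
FIRMWARE = re.compile(r"\bota\b|firmware|update|\.bin$|\.img$", re.I)


@dataclass
class Flow:
    method: str
    url: str
    req_headers: dict = field(default_factory=dict)
    req_body: str = ""
    status: int = 200
    resp_headers: dict = field(default_factory=dict)   # Set-Cookie kept as a list


def _is_credential_key(key):
    """'plainPassword' and 'current_password' both normalise to a 'password' token."""
    snake = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", key).lower()
    return any(t in CRED_TOKENS for t in snake.split("_"))


def _body_keys(body):
    """Field names from a JSON object or a form-encoded request body."""
    try:
        parsed = json.loads(body)
        return list(parsed) if isinstance(parsed, dict) else []
    except ValueError:
        return list(parse_qs(body))


def audit_cookie(set_cookie):
    """Findings for a single Set-Cookie header value."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value
    flags = []
    if "secure" not in attrs:
        flags.append(f"cookie {name}: no Secure flag")
    if "httponly" not in attrs:
        flags.append(f"cookie {name}: no HttpOnly flag")
    if attrs.get("max-age", "").isdigit() and int(attrs["max-age"]) > ONE_YEAR:
        flags.append(f"cookie {name}: lifetime {int(attrs['max-age']) // ONE_YEAR} years")
    return flags


def triage(flow):
    """Findings for one captured flow."""
    findings = []
    parts = urlsplit(flow.url)
    if parts.scheme == "http":
        findings.append("plaintext HTTP")
        if FIRMWARE.search(parts.netloc + parts.path):
            findings.append("firmware fetched over plaintext: image can be swapped in transit")
        if re.search(r"/[A-Za-z0-9_-]{20,}/", parts.path):   # Hue-style key in the path
            findings.append("long secret-looking token in URL over plaintext")
    creds = [k for k in _body_keys(flow.req_body) if _is_credential_key(k)]
    if creds:
        findings.append("credential field(s) in request body: " + ", ".join(creds))
    if flow.req_headers.get("Authorization", "").lower().startswith("bearer "):
        findings.append("bearer token in request: replayable if the TLS leg is intercepted")
    location = flow.resp_headers.get("Location", "")
    if parts.scheme == "https" and location.startswith("http://"):
        findings.append("HTTPS flow redirects to plaintext: " + location)
    for cookie in flow.resp_headers.get("Set-Cookie", []):
        findings.extend(audit_cookie(cookie))
    return findings


def sample_flows():
    """Constructed captures mirroring the slides; bodies and tokens are invented."""
    amazon_cookie = ('session-token="xx/y//zz=="; Version=1; Domain=.amazon.com; '
                     'Max-Age=630720000; Expires=Sat, 01-Nov-2036 22:39:37 GMT; Path=/')
    return [
        Flow("GET", "http://fw.ota.homesmart.ikea.net/feed/version_info.json",
             {"User-Agent": "HertzClient/1.0"}),
        Flow("PUT", "http://192.168.1.38/api/Ds7KfNjjYtC8uNmU8azGBiOSj-uacXI0q0JKaTs/groups/1/action",
             {"Content-Type": "application/json"}, '{"on":true}'),
        Flow("POST", "https://content.readyforsky.com/headless/change-password",
             {"Authorization": "Bearer invented-token-for-this-example"},
             '{"current_password": "1", "plainPassword": "1"}'),
        Flow("POST", "https://www.amazon.com/ap/signin", {},
             "email=user%40example.com&password=invented", 200, {"Set-Cookie": [amazon_cookie]}),
        Flow("GET", "https://alexa.amazon.com/", {}, "", 302,
             {"Location": "http://alexa.amazon.com/setup"}),
    ]


def triage_all(flows=None):
    return {f.url: triage(f) for f in (flows or sample_flows())}


if __name__ == "__main__":
    for url, found in triage_all().items():
        print(url)
        for item in found:
            print("   -", item)
```

Feed it flows exported from Burp or mitmproxy (one `Flow` per request/response pair) and the output is the "Communication" section of a summary slide written for you; the bearer-token and credential-body findings only matter when the app lacks pinning, which is exactly the Alexa app case above.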
152. 152. CONNECTED HOME SUMMARY
Jailbreaks and roots
 Available for popular devices
 Sideloading apps is possible
 New in-home manager devices, such as the Echo Dot, have no root tools
Backup and data
 Works for many devices
 Works for synchronizing apps, like Alexa
In-home smart manageable things work through an app manager that, in turn:
 Allows itself to be managed by any device over BT or Wi-Fi, e.g. to cast video or other content
 Does not have good protection and is reachable over the Internet
 Has firmware issues: malicious over-the-air attacks are possible
 Stores a lot of data locally in the app installed on the mobile device, which travels in the user's pocket everywhere
154. 154. IoT: HOW TO SECURE
Risk management
 Device profiling: divide your devices according to the criticality of their data and their risk score
 Use cases: define where and what for you are going to use each device
 Compatibility: use devices that are compatible with your existing technology stack and with your security equipment and software
 Loss of smartphones: avoid devices being lost or left unattended
In-home secured network
 Obscure name: no vendor or model names, nothing revealing the user's identity
 Encryption: use up-to-date devices with the latest and strongest encryption schemes
 Guest network: set it up only if you are sure; better to disable guest network access entirely
 Two or more separate Wi-Fi networks (logical or physical): one for typical activities (networking, messaging, etc.), a second for IoT, a third for critical banking and shopping
 Firewall: stand-alone software or shipped with the router; allow traffic only on the specific ports needed and nothing else
 Limit public network usage: avoid pairing a device or using device apps over a public network, given the lack of encryption of the data
Password management
 Default credentials: change them on the router and on the IoT devices
 Unique passwords: use unique, complex passwords made up of letters, numbers and symbols
155. 155. IoT: HOW TO SECURE
Software management
 Settings: change the default privacy and security settings
 Features: disable features you do not need, such as remote access
 Apps: avoid apps that do not encrypt data locally or in transit
 Patches: keep all devices and software up to date
 VPN: stand-alone software or shipped with the router, to protect connections of IoT devices that work over the Internet
 Multi-factor and hubs: use every security setting that requires additional actions before the device can be easily hacked
Data
 Data analysis: analyze the data generated by IoT devices to understand what data might be monetized
 Activity analysis: identify unusual activity of IoT devices to understand what data might be leaking
Breaking tools
 Risky apps: avoid apps from outside the store and junk apps from the store
 Broken: do not break any device in the chain of devices; rely on supported vendor ROMs
 Flashed: flash clean and secure ROMs to remove unwanted apps, but rely on well-known supported ROMs
Cloud and third-party tools
 IoT clouds: audit them before using them for personal or business needs
 Third-party services: there are many automation tools to manage IoT devices; use secured and audited ones and stay informed
  156. 156. MOBILE, IoT, CLOUDS… IT’S TIME TO HIRE A RISK MANAGER! HOW TO CONTACT ME ? ADD ME IN LINKEDIN: HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN YURY CHEMERKIN SEND A MAIL TO: YURY.S@CHEMERKIN.COM
