Mobile, IoT, Clouds… It’s time to hire your own risk manager!

Mobile, IoT, Clouds…
It’s time to hire a Risk Manager!
YURY CHEMERKIN
MULTI-SKILLED SECURITY EXPERT
CJSC ADVANCED MONITORING

YURY CHEMERKIN
I have ten+ years of experience in information
security. I‘m a multi-skilled security expert on
security & compliance and mainly focused on
privacy and leakage showdown. Key activity
fields are EMM and Mobile &, Cloud
Computing, IAM, Forensics & Compliance.
I published many papers on mobile and cloud
security, regularly appears at conferences such
as CyberCrimeForum, HackerHalted, DefCamp,
NullCon, OWASP, CONFidence, Hacktivity,
Hackfest, DeepSec Intelligence, HackMiami,
NotaCon, BalcCon, Intelligence-Sec, InfoSec
NetSysAdmins, etc.
LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
TWITTER: @YURYCHEMERKIN
EMAIL: YURY.S@CHEMERKIN.COM

IoT: CONCEPT, FACTS, ISSUES
1. IoT 2. Wearable
Tech 3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management

IoT TAXONOMY & FRAGMENTATION
Source: https://www.cbinsights.com/research/internet-of-things-periodic-table/

IoT TAXONOMY
 Wearable Tech
 Connected Home
 Building Blocks & Platforms
 Industrial Internet
 Healthcare
 In-store Retail
 Connected Car
 Venture Capital Firms
 Corporate Investors
 Angel Investors
 Crowdfunding
 Accelerators/Incubators
 IoT Acquirers
 Notable acquisitions

NARROW THINGS
Wearable Tech
Connected Home
Healthcare

WEARABLE TECH
SMARTWATCHES – APPLE WATCH
MITM
Jailbreak
Backup

APPLE WATCH
MITM
The Apple Watch Series communicates via Bluetooth with the owner’s iPhone. If
this is not available via Bluetooth, Wi-Fi is used for synchronization to Apple
servers and the iPhone.
Online communication (over Wi-Fi)
 [iPhone apps  iCloud] – prevents MITM, SSL Pinning
 [Apple Watch iCloud] – prevents MITM , SSL Pinning
 No way to install SSL to Apple Watch

APPLE WATCH
BREAKING THE LOCKSCREEN
Remove the Passcode Using Your iPhone
Go to a “Settings->General->Reset”
“Erase Apple Watch Content & Settings”
“Keep Plan” if iWatch has a Cellular Plan
Otherwise just “Erase All Content & Settings”
Pair it again

APPLE WATCH
Removing Your Passcode Without an iPhone
Power Menu  Press & hold the side button
Instead of sliding "Power Off", press on it
Tap "Erase all content and settings,"
Tap the green checkmark to confirm
Pair it again

APPLE WATCH
Unpair iWatch via Apple Watch app & Apple Password
Keep your Apple Watch and iPhone close together.
Open the Apple Watch app on iPhone
Tap “My Watch tab”, “iWatch name”, “Unpair Apple Watch”
Press “Keep Plan” for a cellular iWatches
Enter your Apple ID password and tap confirm

APPLE WATCH
JAILBREAKS
Jailbreaks for USB
 Apple Watch series 1- 4 & watchOS 5 – no jailbreak
 watchOS 4.0 - 4.1
 v0rtex jailbreak for developers only
https://github.com/tihmstar/jelbrekTime
 Apple Watch series 1- 2 & watchOS 3.0 – 3.2.3
 OverCl0ck jailbreak – still in development
https://github.com/PsychoTea/OverCl0ck
Jail & Bluetooth Connection over SSH
 https://speakerdeck.com/mbazaliy/jailbreaking-apple-watch

APPLE WATCH - BACKUP
 /mobile/Library/DeviceRegistry.state
/properties.bin
 Binary Plist File – Contains Paired Apple
Watch Specifics incl: Watch Name, Make,
Model, OS, GUID
 Synced Data Path with GUID, date, local
 Serial Number, UDID, WiFi MAC, SEID
(Secure Element ID), Bluetooth MAC

APPLE WATCH - BACKUP
 Plist contained installed apps on Apple
Watch (2 places)
 /mobile/Library/DeviceRegistry/<GUID>/Na
noPreferencesSync/NanoDomains/com.apple.C
arousel
 /mobile/Library/DeviceRegistry/<GUID>
 Example:
/mobile/Library/DeviceRegistry/<GUID>/
AddressBook/

APPLE WATCH
BACKUP
 Email -
/mobile/Library/DeviceRegistry/<
GUID>/NanoMail/registry.sqlite
 Voicemails -
GUID>/PreferencesSync/NanoDo
mains/com.apple.mobilephone
 Records containing Phone
Numbers and paths to synced
voicemail files

APPLE WATCH
BACKUP - PASSBOOK
GUID>/NanoPasses/nanopasses.sqli
te3
Pass table
Unique_ID
Type_ID (boarding pass, loyalty
pass)
Encoded pass (value/data)

APPLE WATCH – BACKUP
APPLE HEALTH
 Encrypted (.hfd) in password-protected
/ encrypted backups only
 No data out of non-encrypted backup
 Export in raw/plaintext
 But take a time, we will back to Health
app soon 

APPLE WATCH
ACCESS ATTACK LOGIC

APPLE WATCH
SUMMARY
Apple Watch communicates via Bluetooth or Wi-Fi if BT is not available
Online communication (over Wi-Fi)
 [iPhone apps  iCloud] – prevents MITM, SSL Pinning
 [Apple Watch iCloud] – prevents MITM , SSL Pinning
 No way to install SSL to Apple Watch
Local data
 Not many but jailbreaks are available
 Backup still works to access the data
 Wallet contains booking, card and other info
 Apple Health app
 Contains a lot of medical user data
 Encrypted if backup is password-protected and out of backup otherwise
 Contains non-encrypted basic medical user data and list of app-sources

WEARABLE TECH
SMARTWATCHES – ANDROID WATCH
Forensics: Physical, Logical, Network Acquisition
Screen Lock Bypassing Techniques
Root opportunities
Android wear app

ANDROID WATCH
FORENSICS OF WEARABLE TECH
Physical Acquisition
Logical Acquisition
Network Acquisition (omitted here)

ANDROID WATCH
IMAGING A SMARTWATCH DEVICE
 The ADB tool should be used to image and explore the Android
smartwatch.
 The dd command, dd if=/dev/block/mmcblk0p12
of=/sdcard/tmp.image can be used to copy the entire device to an
inserted SD card.
 If time is a factor, investigators can copy specific directories by utilizing
the following commands:
DD if = /dev/block/mmcblk0p12/data of = /storage/extSdCard/data.dd
DD if = /dev/block/mmcblk0p8/cache of = /storage/extSdCard/cache.dd
DD if = /dev/block/mmcblk0p3/efs of = /storage/extSdCard/efs.dd
DD if = /dev/block/mmcblk0p09/system of = /storage/extSdCard/system.dd

ANDROID WATCH
BREACHING A LOCK SCREEN
 Google account credentials is known  remote unlock of connected watches via Google’s
Android Device Manager
 Deleting / altering the gesture.key & settings.db files  to remove the lock screen entirely
 adb.exe shell; cd /data/system; rm gesture.key
 The “settings.db” file contains system settings and can cause system wide changes if modified
 update system set value =0
 Flashing a modified ROM / a reboot in safe mode - to leverage a third-party lock screen
 Utilize adbkey and adbkey.pub files from other computers that have been previously
synchronized with the examined device to create a trust relationship with a new device
 /.android/<ADB keys> - those files are an SSH key-pair that allow me to mark my
computer as "trusted" to my phone.
 Copy of ADB keys stored on synchronized devices in users/<user name>/.android
folders

ANDROID WATCHES
ROOT
Root:
 5.1.1 - SuperSU-5.1.1.zip https://supersu.apk.gold/android-5.1.1
 6.0.1 - SuperSU-6.0.1.zip https://supersu.apk.gold/android-6.0.1
 Wear 2.0 - SuperSU-Wear
 Wear-SuperSU 2.4 -
https://androidfilehost.com/?fid=24269982086990060
Recovery:
 TWRP - https://eu.dl.twrp.me/bass/
 5.1.1 twrp-3.1.0-0.img
 6.0.1 и Wear 2.0 twrp-3.0.0-0.img

ANDROID WATCH
WEAR OS
 Tizen OS - Samsung
 Android Wear OS
 Asus Zenwatch, Huawei Watch, LG
Watch and many other
 Many root tools & images for
Android Wear up to 2.0
 Lack of tools for 2.1 and beyond
 Wear app to access data
Android Wear Version Android base version Release date
4.4W1 4.4 June 2014
4.4W2 4.4 October 2014
1.0 5.0.1 December 2014
1.1 5.1.1 May 2015
1.3 5.1.1 August 2015
1.4 6.0.1 February 2016
1.5 6.0.1 June 2016
2.0 7.1.1 Feb 2017
2.6 7.1.1 Nov 2017
2.6 7.1.1/8.0.0 Dec 2017
2.7 7.1.1/8.0.0 Dec 2017
2.8 7.1.1/8.0.0 Jan 2018
2.9 7.1.1/8.0.0 Feb 2018
Wear OS Version Android base version Release date
1.0 7.1.1/8.0.0 Mar 2018
1.1 7.1.1/8.0.0 April 2018
1.2 7.1.1/8.0.0 May 2018
1.3 7.1.1/8.0.0 June 2018
1.4 7.1.1/8.0.0 July 2018
1.5 7.1.1/8.0.0 August 2018
1.6 7.1.1/8.0.0 September 2018
1.7 7.1.1/8.0.0 October 2018
2.0 7.1.1/8.0.0 August 2018
2.1 7.1.1/9.0.0 September 2018

ANDROID WATCHES
SAMSUNG GEAR – ALL OF THEM (TIZEN)
Tizen OS, Bluetooth, USB, No Wi-Fi, Optional Password
Protection
#1 Gain root:
 turn on SDB ‘Smart Development Bridge‘,
 find a ROM, uses Odin,
 reboot to ‘download’ mode – hold down the main button through the
turn off prompt
Sdb shell, sdb root

ANDROID WATCHES
SAMSUNG GEAR – ALL OF THEM
#2 Get Data as an image:
 Requires root (see step #1)
 Use anything to image the watches, like a Toybox http://landley.net/toybox/
 adb push toybox /sdcard/download
 adb shell; su
 mv /sdcard/download/toybox /dev/
 chown root:root toybox;
 chmod 755 toybox
 cd /dev/block/platform/msm_sdcc; ls -al by-name
 /* image partition with dd and pipe to netcat, -L puts netcat in listening mode */
 dd if=/dev/block/mmcblk0p21 | ./toybox nc -L
 /* Port number being listened to on the watch displayed for user */
 44477 port displayed
 adb forward tcp:44867 tcp:44867
 /* Send request to watch on port number 44867 and send it to image file */
 nc 127.0.0.1 44867 > Samsung.IMG
Here is a user partition

ANDROID WATCHES
SAMSUNG GEAR – ALL OF THEM
#3 Results:
 Messages - apps.com.samsung.message.data.dbspace/msg-
consumer-server.db
 Health/Fitness Data - apps.com.samsung.shealth/shealth.db
 Email - apps.com.samsung.wemail.data.dbspace/wemail.db
 Contacts/Address book - dbspace/contacts-svc.db

ANDROID WATCHES
LG WATCH – ALL OF THEM
Android Wear, USB, Bluetooth, No Wi-Fi
#1. Gain Root: Turn on ADB, use LG G Watch Restore Tools, reboot to
bootloader & unlock it, and push image
adb reboot-bootloader
fastboot oem unlock
adb push <SuperSU>.zip /sdcard/download
adb reboot-bootloader
fastboot boot <twrp>.img
Install <SuperSu>.zip, wait for reboot

ANDROID WATCHES
#2 Get Data as an image:
 Requires root (see step #1)
 Use anything to image the watches, like a Toybox http://landley.net/toybox/
 adb push toybox /sdcard/download
 adb shell; su
 mv /sdcard/download/toybox /dev/
 chown root:root toybox;
 chmod 755 toybox
 cd /dev/block/platform/msm_sdcc; ls -al by-name
 /* image partition with dd and pipe to netcat, -L puts netcat in listening mode */
 dd if=/dev/block/mmcblk0p21 | ./toybox nc -L
 /* Port number being listened to on the watch displayed for user */
 44477 port displayed
 adb forward tcp:44867 tcp:44867
 /* Send request to watch on port number 44867 and send it to image file */
 nc 127.0.0.1 44867 > LG.img
Here is a user partition

ANDROID WATCHES
Results:
 Events/Notifications -
data.com.android.providers.calendar.databases/calendar.db
 Contacts/Address book -
data.com.android.providers.contacts.databases/contacts2.db
 Health/Fitness Data -
data.com.google.android.apps.fitness.databases/pedometer.db

ANDROID WATCHES
ANDROID WEAR
Mobile device paired with all watches in this app
/com.samsung.android.app.watchmanager
/auto_update.xml - a timestamp of the day the Samsung Gear was last
updated.
/com.samsung.android.app.watchmanagerstub/shared
preferences/hmonlinehelppref.xml
/data/com.google.android.wearable.app/databases/devices.db
list of devices using Android wear which listed the LG G Watch.

ANDROID SMARTWATCHES
ACCESS ATTACK LOGIC

ANDROID WATCH
SUMMARY
 Forensics
 No forensics tools are NOT available for devices, such as Elcomsoft, Cellebrite
 Forensics techniques are still available for devices
 Forensics of wear-apps works too but no many useful data
 Known techniques of breaking Android screenlock works
 OS
 Tizen OS - Samsung
 Android Wear OS - Asus Zenwatch, Huawei Watch, LG Watch and many other
 Root & Recovery
 Many root tools & images for Android Wear up to 2.0
 Lack of tools for 2.1 and beyond
 SDB, ADB, Fastbook, OEM Unlock
 Data
 Contacts, Fitness, Health, Email – in the device

HUAWEI WEAR & HONOR BAND 3-9C7
• Фотки браслета и приложения (ссылки на магазины)
• Картинки на списки в круглые формы вставить??

FITNESS TRACKERS
HUAWEI WEAR. HONOR BAND 3-9C7
Device Mac Address & Crash log: DevInfo, debug info - /Documents/hms/oclog/<crash>,<log>
Last Wear’s values: sleep (many params), wakeup (many params), distance (steps, ride, climb,…), heart rate,
calories
Firmware: Path to locally stored firmware, URL to download firmware (HTTP !!! ), Change log, Options
Geo: Speed, Timestamp, Longitude, Latitude, Distance, Course, Duration, Altitude
User Info: Picture, Name, Birthday, Height, Weight, Gender, Age
Account Details: UDID, Security Token, UserID, SessionID
Bluetooth Keys

CRASH LOG: DEVINFO, DEBUG INFO -
/DOCUMENTS/HMS/OCLOG/CRASH
CRASH: *** -[__NSArrayM replaceObjectAtIndex:withObject:]: index 9223372036854775815 beyond
bounds [0 .. 6]Stack Trace: ( 0 CoreFoundation 0x00000001834d317c
<redacted> + 148 1 libobjc.A.dylib 0x000000018271c528 objc_exception_throw +
56 2 CoreFoundation 0x000000018346bc9c _CFArgv + 0 3
CoreFoundation 0x00000001833a0324 <redacted> + 0 4 HuaweiWear
0x0000000100319064 HuaweiWear + 315492 5 HuaweiWear
0x000000010030ffdc HuaweiWear + 278492 6 libdispatch.dylib
0x0000000182e52a54 <redacted> + 24 7 libdispatch.dylib
0x0000000182e52a14 <redacted> + 16 8 libdispatch.dylib
0x0000000182e5f698 <redacted> + 1016 9 CoreFoundation
0x000000018347b344 <redacted> + 12 10 CoreFoundation
0x0000000183478f20 <redacted> + 2012 11 CoreFoundation
0x0000000183398c58 CFRunLoopRunSpecific + 436 12 GraphicsServices
0x0000000185244f84 GSEventRunModal + 100 13 UIKit 0x000000018caf15c4
UIApplicationMain + 236 14 HuaweiWear 0x00000001005b13f8 HuaweiWear +
3036152 15 libdyld.dylib 0x0000000182eb856c <redacted> + 4)iPhone:iPhone8,4
ClientVersion:21.0.12 OSVersion:11.2.6

HUAWEI WEAR – LAST VALUES
/DOCUMENTS/<*.ARCHIVER> FILES
<string>{
"sleepTotalData":{"shallowSleepTime":0,"totalSleepTime":0,"deepSlee
pTime":0,"wakeupTimes":0,"wakeupDuration":0,"type":0,"sleepStartTim
e":0},
"distance":3940,"lastHeartRate":0,"steps":4623,"lastHRTimeStamp":0,"
calories":216,"date":1537867958.8875299,"totalClimb":0,"daySport
Info":[]
}</string>

HUAWEI WEAR: FIRMWARE
<string>
 {"fireWareMd5":"33E44F1B02292C8B9D00A5DEB91B72AB","firmwareDownloadFilePath":
"Nyx_1.5.35.bin.apk","identify":"38:37:8B:B8:C9:C7","firmWareSize":1410023,"deviceTyp
e":13,"workMode":2,"forceUpdateFlag":false,"netFirwareVersion":"1.5.35",
 "firmwareLocalPath":"/var/mobile/Containers/Data/Application/9B666199-342F-4897-
9577-59B68F5CF40F/Documents/DownloadData/dfu_image_OTA.dfu_Nyx",
 "changeLogContent":"[Optimizations]nOptimizes calorie counting accuracy while
swimming.nFixes an issue where exercise sessions would suddenly exit due to accidental
touches.nFixes an issue where fitness data would be occasionally cleared.nOptimizes the
TrusleepTM data syncing speed on IOS.n[Notes]n1. New features require that Huawei
Health APP is updated to version 8.0.1.302 or later for IOS, and 8.0.2.327 or later for
Android.n2. Before updating, make sure the band is charged to at least 20%.n","status":1,
 "baseURL":"http://update.hicloud.com:8180/TDS/data/files/p7/s131/G3533/g3039/v1
55123/f1/"}
</string>

HUAWEI WEAR: GEO, SPEED
<string>
{"speed":0.63999998569488525,"timestamp":"2018-06-
09T05:12:19+0300",
"longitude":41.512356810310401,"latitude":52.571571199272356,
"totalDistance":0,"verticalAccuracy":4,
"course":10.546875,"duration":0,"distance":0,
"altitude":147.71790409088135,"distanceFilter":0,"horizontalAccuracy":5
}
</string>

HUAWEI WEAR: USER INFO
<string>
{"headImgLocal":"/var/mobile/Containers/Data/Application/
9B666199-342F-4897-9577-
59B68F5CF40F/Documents/temp_user/temp_user.jpg",
"age":29,"unitType":0,"nameIsNil":false,"isDefault":true,
"weight":78,"userName":"Yury Chemerkin","walkStepLen":77.28,
"birthday":19880605,"height":184,"modifyTime":0,"runStepLen":92.7
36,"gender":0}
</string>

HUAWEI WEAR:
Account
 Account details stored in protected way
Device Mac Address
<string>deviceMacAddress</string>
<string>38:37:8B:B8:C9:C7</string>
Bluetooth Keys

HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User goals
Device details
User measures
 m_7_DataSourceTable_temp_user
 m_7_FitnessMergedDataTable_temp_user
 m_14_FineSleepDayMergeTable_temp_user
 m_7_MotionGoalTable_temp_user

User measures
 m_14_HeartRateByDay_temp_user
 m_14_SportDataByDay_temp_user
 m_133_MotionPathDetail_temp_user
 m_7_MotionGoalTable_temp_user

User measures
 m_133_SingleMovementStatistic_temp_user
 m_133_SingleMovement_temp_user

HUAWEI HONOR
SUMMARY
Local data
 Credentials is protected
 Personal and medical info – plaintext / as it
Communication
 Local – encrypted
 Online – SSL Pinning for all possible connections, registration,
login and synchronization

XIAOMI MI BAND 2 & MI FIT
Online communication
 AWS storages in Ireland (EU) mainly, secondary US
 TLS 1.2, No SSL Pinning
Local data
 Action Log with details incl. URLs
 https://api-mifit.huawei.com/v1/user/manualData.json?r=f8a9d00c3433&t=1512648130831
 https://api-
mifit.huawei.com/users/70000054661/heartRate?r=f8a9d00c3433&t=1512648130848
 https://api-mifit.huawei.com/v1/data/band_data.json?r=f8a9d00c3433&t=1512648130805

FITNESS APPS
ROAD BIKE, MOUNTAIN BIKE, …
GPS Data: longitude, latitude, altitude, accuracy, distanceInMeter,
upward/downward (meters), timestamp local, timestamp gps
Session Data: timestamp (start, end), distance, duration, avg & max
speed, upward/downward, heartZone values (need special device)
Speed Data: timestamp, speed, duration, distance
User Data: email, password, weight, height, gender, name, birthday

FITNESS APPS
DOCUMENTSDATABASE.SQLITE3
Where to search data:
 GPS & location
 HeartRate (requires special devices)
 Session Data
 Speed
 User Data

FITNESS APPS
LOCATION, MAPS AND USER INFO
 Location and geo snapshots -
DocumentsMapOpenCycleMap.sqlite
 User info - Documentsdatabase.sqlite3

FITNESS TRACKERS
SUMMARY AMONG TRACKERS & APPS
Local data
 Credentials is usually protected
 Personal and medical info – plaintext / as it
Communication
 Local – encrypted
 Online – SSL Pinning for all possible connections

IoT: CONCEPT, FACTS, ISSUES
1. IoT 2. Wearable
Tech 3. Healthcare
4. Connected
Home 5. Security & Tips
6. Risk
Management

APPLE HEALTH СЮДА КАРТИНКИ
УСТРОЙСТВ

HEALTHCARE
APPLE HEALTH
Valuable data encrypted and no public cracks is known
Small amount of data not encrypted in backup
List of app-sources (look here for non-encrypted original data)
However, secure built-in app-aggregator does not mean other app is a
secure in the same way  ofc not 

APPLE HEALTH
WHERE TO FIND DATA?
HealthDomainMedicalIDMedicalIDData.archive
HealthDomainHealthhealthdb.sqlite
HealthDomainHealthhealthdb_secure.sqlite
HealthDomainHealthhealthdb_secure.hfd
Exported Raw Data – any place chosen by user

APPLE HEALTH
DATA IN DETAILS
Name, User Pic, height (in cm), and mass (in kg)
Geo Tracking (Mainland/City), iOS version
Device Info: UDID, Name, Last connection time
Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
Medical implants

APPLE HEALTH
HEALTHDOMAINMEDICALIDMEDICALIDDA
TA.ARCHIVE
 Name  Height  Weight  Medical implants

APPLE HEALTH
HEALTHDOMAINHEALTHHEALTHDB.SQLITE
 Bundle_id, app_name
 Device name, device model, vendor, hardware and software, timestamp

APPLE HEALTH
HEALTHDOMAINHEALTHHEALTHDB_SE
CURE.SQLITE

APPLE HEALTH
RAW EXPORT
Recorded by the any Apple Devices & accessed through the Health App.
Detailed activity log with timestamps
Data can be exported in .xml file format without encryption (!) and
even without encrypting of zip file
Extracted data can be stored anywhere

APPLE HEALTH - RAW EXPORT
PERSONAL, FITNESS, MEDICAL INFO
Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
Heart rate data (in count/min) or beats-per-minute (BPM)
Steps, distance covered (in km), active energy burned (in kJ), and exercise time (in mins)
Blood Pressure Diastolic, Systolic
The exact activity log time (creationDate), and activity start and end times (startDate, endDate)
XML Parser (Free): https://github.com/tdda/applehealthdata

APPLE HEALTH - RAW EXPORT
IN EXAMPLES & DETAILS

HEALTHCARE
SUMMARY
Apple Health App is good protected
Basic info - Date of birth, sex, blood group, skin type,
height (in cm), and mass (in kg)
Exported data is not protected at all
List of app sources & these app’s data is not
protected well

PICOOC MINI (BT) –
BODY COMPOSITION SMART SCALE
• Vertical fat index, body fat
Fat indexes
• Body weight, bone mass, muscle, skeletal muscle
Mass
• BMR, body water, protein, Metabolic Age
Productivity
• Tracking changes, charts, reports
Delta

PICOOC MINI (BT) –
BODY COMPOSITION SMART SCALE
BT Logs: Peripheral Info of nearby devices, and mac of itself (picooc scaler)
Body scale values: body, muscles, productivity, date & time, device mac
Dev Info: Mac, model name, user ID, Device Picture
Friends info: name, account_id, user_id, phone_id, sex (have to have them as PICOOC users)
User Info: nick name , userID, height, age, sex, race, type
Sensor values: time, age, OS, race, type, screen size, mobile device info model, environment, language
Preferences: Local Password, Unlocking method, last active day

PICOOC BT LOGS
PICOOCDOCUMENTSBLUETOOTHLOG.TEXT
 DISCOVER INDIRECTLY WHAT DEVICES DOES YOUR NEIGHBORS HAVE 
 扫描到设备 – means “Device scanning”
 04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV]
Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-
45F9DDB731D6 ---- .
 04-14 13:31:36:453 .扫描到设备 name:Peripheral Info:Name: honor band
A1 RSSI: -84 UUID: 626E22D2-AE05-4695-A0D3-0099CF82DF96 ---- .
 04-14 13:31:37:408 .扫描到设备 name:Peripheral Info:Name: PICOOC-CQ
RSSI: -66 UUID: 8C8E3EDA-7B8C-189F-3865-0A3B9B2C5744 ---- .
 info.macAddress = D0:49:00:1D:87:8A

PICOOC BT LOGS
PICOOCDOCUMENTSBLUETOOTHLOG.TEXT
04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6
Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ----
Connect a Galaxy S7 to your Samsung TV with Bluetooth to have a fun and
spread your content 
 TV with enabled Bluetooth & Samsung Galaxy S7
 Open the notification pane on your handset.
 Select Quick Connect and then Scan for nearby devices
 Select Register TV, Tap the new icon with a TV and an arrow
 Tap the Share button and then Smart View to play any media you play
on your phone on the TV

BODY VALUES
PICOOCDOCUMENTSPICOOC.SQLITE
CREATE TABLE `body_indexs` (
ìd`
`weight`
`body_fat`
`visceral_fat_level`
`muscle_race`
`body_age`
`bone_mass`
`basic_metabolism`
`bmi`
`local_time`
`water_race`
àbnormal`
`day_intValue`
`time_period`
èlectric_resistance`
`mac`
`body_fat_reference_value`
`skeletal_muscle`);

PICOOC
DEVICE AND PREFERENCES
Dev Info - picoocdocumentspicooc.sqlite
Preferences - picoocLibraryPreferences com.picooc.international.plist
 <key>PasswordLockType</key>
 <integer>2</integer>
 <key>PasswordNumherLockContnet</key>
 <string>7124</string>
 <key>currendDay</key>
 <string>20180922</string>
 <key>kStartupUserIdKey</key>
 <integer>4611483</integer>

USER BASIC INFO – MAIN USER
PICOOCDOCUMENTSPLISTFILEUSERINFO.PLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>nickName</key>
<string>Yury Chemerkin</string>
</dict>
</plist>

USER EXTENDED INFO – LAST ADDED USER ONLY
PICOOCLIBRARYSENSORSANALYTICS-
SUPER_PROPERTIES.PLIST
 current_age_characteristic
 current_role_is_athlete
 current_role_height
 current_language
 current_role_age
 current_role_sex
 app_type
 time_zone
 current_role_race
 current_role_type
 3
 false
 178
 英语
 58
 男
 PICOOC国际版
 Europe/Moscow
 白
 使用者
 As is
 As is
 As is
 English
 As is
  Man
  PICOOC Worldwide
Version
 As is
  White
  User

PICOOC SENSOR VALUES
PICOOCLIBRARYSENSORSANALYTICS-
MESSAGE-V2.PLIST.DB
• {"time":1537632555035,"_track_id":2682421375,"event":"$AppStart","distinct_id":"9144
339","properties":{"current_role_age":30,"$os":"iOS","current_role_race":"白
","current_role_type":"主角色
","current_role_is_athlete":false,"$screen_width":320,"event_type":"1","$app_version":"3.6.
1","current_age_characteristic":3,"$is_first_day":false,"$model":"iPhone8,4","$device_id":"E
C640161-EC87-4A90-AD99-5B29A3F86700","$network_type":"WIFI","$carrier":"Mobile
TeleSystems","$resume_from_background":true,"$wifi":true,"current_role_height":184,"curren
t_language":"英语","$screen_height":568,"app_type":"PICOOC国际版
","time_zone":"Europe/Moscow","$lib_version":"1.9.3","$os_version":"12.0","$is_first_time":
false,"$lib":"iOS","$manufacturer":"Apple","current_role_sex":"男
","current_role_id":"9144339"},"type":"track","lib":{"$lib_version":"1.9.3","$lib":"iOS","$app
_version":"3.6.1","$lib_method":"code"}}

PICOOC
MITM - NOT SSL-PINNED
• Profile URL (public accessible)
https://cdn2.picooc.com/head/201810/03/20181003_181034000_50589.png
• Request URL - https://api2.picooc-
int.com/v1/api/role/updateRole?sign=3DCE33B1B07E4639394F555F1D95C623&urlOfGetReque
st=https://api2.picooc-
int.com/v1/api&roleId=9144339&timestamp=1538579449&version=i3.6.1&appver=i3.6.1.0&re
questByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_to
ken=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&devi
ce_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_role&
• Same URL (public accessible) https://picoocheadportrait.oss-cn-
beijing.aliyuncs.com/head%2F201810%2F03%2F20181003_181034000_50589.png
• Request URL - https://picoocheadportrait.oss-cn-beijing.aliyuncs.com

PICOOC
https://api2.picooc-int.com
GET /v1/api/email/getVerifyStatus?appver=i3.6.1.0&device_id=EC640161-EC87-4A90-AD99-
5B29A3F86700&device_mac=&lang=en&method=meishayong&os=iOS&push_token=iOS%3A%3AEC640161-
EC87-4A90-AD99-
5B29A3F86700&roleId=9144339&sex=1&sign=5FB8BF2A5A7664591ECFFC52F5810E84&stimezone=Europe
/Moscow&timestamp=1538579363&userId=4611483&verifyUserId=4611483&version=i3.6.1&webver=6
HTTP/1.1

PICOOC
https://api2.picooc-
int.com/v1/api/role/updateRole?sign=2A082A983A3238FBEA7B66AEBF88B706&urlOfGetRequest=https://ap
i2.picooc-
int.com/v1/api&roleId=9144339&timestamp=1538580721&version=i3.6.1&appver=i3.6.1.0&requestByChildT
hread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677b
e79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-
5B29A3F86700&device_mac=&method=update_role&

PICOOC
https://api2.picooc-
int.com/v1/api/account/updateUserPa
ssword?sign=41EE8B396970992A85E
9259B134B96BE&urlOfGetRequest=ht
tps://api2.picooc-
int.com/v1/api&roleId=9144339&tim
estamp=1538581202&version=i3.6.1
&appver=i3.6.1.0&requestByChildThre
ad=0&os=iOS&userId=4611483&lan
g=en&timezone=Europe/Moscow&pus
h_token=iOS::019290ade677be79f5f
bded930b2435fa81eef103d893471
08e265c0cd984cf2&device_id=EC64
0161-EC87-4A90-AD99-
5B29A3F86700&device_mac=&metho
d=update_user_password&

PICOOC
SUMMARY
Body indexes and changes day-by-day
 Fat indexes, Mass
 Productivity, Delta
Dev Info, Friends results, User data
Network
 Data stored on Alibaba servers
 Profile, Device Info, Credentials, additionally passw on pass-change tab
 Bonus: Bluetooth scanner of near located devices
Preferences: Local Password, Unlocking method, last active day

~30 mHEALTH APPS
 Google Fit
 MyFitnessPal
 RunKeeper - GPS
 Nike+ Running
 WebMD
 Blood Pressure (BP) Watch
 Water Your Body
 Instant Heart Rate
 Drugs.com Medication Guide
 Runtastic Pedometer
 Noom Walk Pedometer: Fitness
 Strava Running and Cycling GPS
 Bleep Fitness Test
 Fitness Buddy: 300+ Exercises
 BodySpace- Social Fitness
 Walk with Map My Walk
 Endomondo Running Cycling Walking
 FitNotes – gym Workout Log
 Period Calendar
 Period Tracker
 My Pregnancy Today
 My Baby Today
 Calorie Counter by FatSecret
 MyNetDiary Calorie Counter PRO
 My Diet Diary Calorie Counter
 Calories! Basic – cal counter
 Calorie Counter
 Lifesum- Calorie Counter
 User credentials and pins
 Personal details of users
 User activities
 User location
 Activity timestamps
 Images

~30 mHEALTH APPS
MYFITNESSPAL
User profile Pics  com.myfitnesspal.android/cache/Picasso-cache
User profile Pics /sdcard/
/data/data/com.myfitnesspal.android/databases/myfitnesspal.db
 User details including time zone, gender, date of birth and email
- in tables <user_properties, users> - see a pic
 User profile pictures - in table <images>
 User personal notes - in table <diary_notes>
 User records of exercises, food habits and personal measurements - in tables
<exercise_entries; exercises; food_entries; foods; measurement_types;
measurements>
 User last synched items with the server - in table <last_sync_pointers>
 User food search history - in table <search_history>

~30 mHEALTH APPS
RUNKEEPER
 User profile Pics / fitnesskeeper.runkeeper.pro /cache/Picasso-cache
 / fitnesskeeper.runkeeper.pro /databases/RunKeeper.sqlite
 User details including activities, trips
 Trips deleted by user - in table <deleted_trips>
 Activities posted by user - in table <feed>
 List of user’s friends - in table <friends>
 Images uploaded during trips by user - in table <status_updates>
 User settings for each trip - in table <trip_settings>
 Places visited during all the trips - in table <points>
 Information about each trip - in table <trips>
 More tables
 The points table is to locate the map coordinates of a user’s route

~30 mHEALTH APPS
PERIOD CALENDAR
• Personal info –/data/data/ fitnesskeeper.runkeeper.pro
/databases/PC.db. Tables
• User - List of the users with passwords (Plaintext passwords, secret questions
and answers )
• Period - Period start time and length of users
• Note - Diary notes inserted by users
• Personal info –/data/data/ fitnesskeeper.runkeeper.pro
/databases/PC_PILL.db. Tables
• pill - Pills used by users including date and time
• pill_record - Details about the pills

~30 MEDICAL/FITNESS/HEALTH APPS
 User credentials: Apps may require users to login using their user credentials (e.g. username and
password, PIN, and authentication tokens) in order to use the apps. Therefore, user credentials should be
an artefact that forensic investigators seek to locate during the app forensic process (e.g. determine
whether the credentials are stored in and can be recovered from the app’s databases).
 User personal details: User personal details include name, gender, date of birth, email address, height,
weight and other personal data would be helpful for forensic investigators to positively identify the app
or device users.
 User activities: The mHealth apps require users to enter their day-to-day food habit, health conditions,
activity or exercise details, diagnosis details, medication details and symptom details, etc.
 User location: Fitness apps allow users to keep track of their exercise, running, jogging, cycling and other
activities. These apps generally store the geographical coordinates of the user location during these
activities which can provide useful evidence to the investigators.
 Activity timestamps: Another important artefact is the timestamp of the user activity. For example, linking
activity timestamps with corresponding user locations (e.g. geographical coordinates) and other relevant
information (e.g. CCTV feeds) would provide useful information in an investigation.
 Images: This artefact includes profile images, and images taken and posted from a location.

App Name / Data
User credentials
and pins
Personal details
of users
User
activities
User
location
Activity
timestamps
Images
Google Fit N N P N F N
MyFitnessPal P F F N F F
RunKeeper - GPS N N F F F N
Nike+ Running N F F N F F
WebMD N N P N N N
Blood Pressure (BP) Watch N P F N F N
Water Your Body N N F N N N
Instant Heart Rate N N N N N N
Drugs.com Medication
Guide
N F N N P N
Runtastic Pedometer N N F N F N

App Name / Data
User credentials
and pins
Personal details
of users
User
activities
User
location
Activity
timestamps
Images
Noom Walk Pedometer:
Fitness
N N F N F F
Strava Running and Cycling
GPS
N F F F F N
Bleep Fitness Test N F F N P N
Fitness Buddy: 300+
Exercises
N N F N F N
BodySpace- Social Fitness N F F N P F
Walk with Map My Walk N F F F F P
Endomondo Running Cycling
Walking
N N F F F F
FitNotes – gym Workout
Log
N N F N P N
Period Calendar F F F N P N
Period Tracker N N F N P N
My Pregnancy Today P N N N N F
My Baby Today N F N N P N

App Name / Data
User credentials
and pins
Personal details
of users
User
activities
User
location
Activity
timestamps
Images
Calorie Counter by
FatSecret
N N F N P N
MyNetDiary Calorie
Counter PRO
N N N N N F
My Diet Diary Calorie
Counter
N P F N F N
Calories! Basic – cal counter N N P N F N
Calorie Counter N F F N F N
Lifesum- Calorie Counter N P F N F F

THE VALUE IS HIGHER, THE MORE DATA STORED LOCALLY)
3
9
6
8
1
5
2
0
3
4
6
8
5
4
7
9
8
3
7
3 3 3 3
2
5
3
6
7
0
1
2
3
4
5
6
7
8
9
10
Average Issue Index

HEALTHCARE
SUMMARY
Native Health App is good protected, however not a basic information
 Basic info - Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
 Exported data is not protected at all
Source apps (medical, fitness, health, …)
 Data contains everything with GPS, timestamp and lot of day-by-day changes
 Usually stores data locally, but basic activity over network is intercepted and
credentials gained
Pseudo health apps – usually requires user to handle all data by himself
 Friend list, Credentials, secret questions & answers
 Body values, timestamp, visited places & geo
 Medical periods, schedule, pills and so on
 Preferences, searches

APPLE TV – FIVES GENERATIONS
MacOS X, iOS, tvOS
Common ways to break into
Jailbreak tools
Password management
USB Acquisition
Backup
Jailbroken acquisition
Profiling

APPLE TV – I GENERATION
EASILY TO BREAK
First edition of TV, Mac OS X & HDD makes breaking much easier
All possible ways to break into the first Apple TV 8 years ago:
 “Hacking the Apple TV and Where Your Forensic Data Lives”, Kevin Estis and
Randy Robbins, Def Con 2009
https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-
kevin_estis-apple_tv.pdf
https://www.youtube.com/watch?v=z-WCy3Bdzkc

APPLE TV – II-V GENERATION
EASILY TO BREAK TOO
 Perform breaks in the same way like any other Apple Mobile device (iPhone, iPad)
 Backup contains valuable data (forensics tool works too)
 Find a jailbreak to obtain the whole OS
 Look for user content: Netflix, iTunes, NHL, NBA, Vimeo, YouTube
 Get access to App’s data and reveal credentials, card – depend on application
 Why Apple TV can be jailbroken (why men jail it)?
Outdated compromised TV 2 with OpenSSH and default password
https://www.tvaddons.co/appletv2-jailbreak-threat/
Direct access to filesystem and file management beyond the backups & cloud
Stream media from devices beyond AirPlay or iOS devices
Sideloading 3rd party tools
 Kodi, Hulu, LastFM, XBMC, Nito TV, , Pandora Radio, and other apps.
 Don’t pay $100 for dev license and get access to hundreds, of music, TV, movies

APPLE TV
DATA EXAMINATION & FORENSICS
 Apple TV jailbreak support https://pangu8.com/appletv.html
 Apple TV 1 – scripts, ssh, HD extraction and other way
 Apple TV 2 – Seas0npass jail for TV running tvOS 4.3 - tvOS 5.3 (untethered) & tvOS 6.1.2
(tethered)
 Apple TV 3 – No jailbreak, many scams, probably Snow3rd jail works for TV running 5.0, 5.0.1,
and not beyond 5.0.2
 Apple TV 4
 Pangu9 jail for TV running tvOS 9.0 - tvOS 9.0.1
 LiberTV jail for TV running tvOS 9.1 - tvOS 10.1
 GreenG0blin jail for TV running tvOS 10.2.2
 Apple TV 4 / 5
 LiberTV jail for TV running tvOS 11.0 and 11.1
 Apple TV 4 / 5 – Electra jail for TV running tvOS 11.2 - tvOS 11.3

APPLE TV
DATA EXAMINATION & FORENSICS
 USB port is reserved for “service and support” purpose
Vanished since Apple 5th Gen (4k)
 No password management – we trust you, breakers 
 Seriously, No Password or Passcode protection at all ! Restrictions instead:
Use Restrictions on your Apple TV https://support.apple.com/en-md/HT200198
Allow all by default
Restrict blocks by passcode purchases, apps, content, settings and remote pairing
(no one blocks pairing usually)
Account-Password requires for purchases in a way like any Apple device
(https://support.apple.com/en-us/HT204030)

APPLE TV – 2TH – 4TH GEN
USB ACQUISITION (USB, MICRO, USB-C)
5TH GEN IS OUT OF SCOPE (NO USB)
AFC (Apple File Conduit) service works here
 /private/var/mobile/Media
USB Acquisition gives:
 Basic device information
 Real Time Log (Syslog), Crash Logs
 Part of the file system (“Media” folder)
Device information
 MAC – WiFi, Bluetooth, Ethernet
 Name, Timezone, Serial ID, Model
Ideviceinfo, idevicesyslog http://www.libimobiledevice.org/

APPLE TV
BACKUP
 Real Time Log
 Crash Log
 MediaLibrary.sqlitedb
 iCloud Account Name
 iCloud ID
 Wi-Fi networks
 Device usage timeline
 Shopping database

JAILBREAK
Timezone
 /private/var/db/timezone/localtime
Network tcp/ip lease
 /private/var/db/dhcpclient/leases/
Network wi-fi history
 /private/var/preferences/com.apple.wifi.plist

JAILBREAK
Keyboard dictionary
 /private/var/mobile/library/keyboard/dynamic-
text.dat
Accounts
 /private/var/mobile/library/accounts/
 /private/var/mobile/library/preferences/com.apple.ids
.service.com
User email
User info: email + phone
yury.chemerkin@icloud.com
+79851719122
Network

JAILBREAK
iCloud synced preferences
 /var/mobile/Library/SyncedPreferences/
Wi-Fi Access Points
 com.apple.wifid.plist
Weather Cities
 com.apple.nanoweatherprefsd.plist
Moskva, Lianozovo Dictrict
55.800149, 37.565483

JAILBREAK
Headboard
 /private/var/mobile/library/com.apple.headboard
/apporder.plist
 /private/var/mobile/library/caches/com.apple.tvic
onscache/com.apple.headboard
 /private/var/mobile/library/caches/com.apple.hea
dboard/fscacheddata

JAILBREAK
App snapshots
 /private/var/mobile/library/caches/com.app
le.pineboard/assetlibrary/snapshots/
Cached video
 /private/var/mobile/library/caches/appletv
/video/

JAILBREAK
Installed applications
 /private/var/db/lsd/com.apple.lsdidentifiers.plist
 /private/var/mobile/containers/bundle/
 /private/var/mobile/containers/data/application/

JAILBREAK
Country, last activity
App snapshots
Youtube

APPLE TV – ANY GEN
PROFILING AS A KIND OF PROTECTION
TV Remote Payload
The TV Remote payload is designated by specifying com.apple.tvremote as the
PayloadType value. If not present, or the list is empty, any device will be allowed
to connect.
Availability: Available in tvOS 11.3 and iOS 11.3 and later
 AllowedRemotes
 AllowedTVs
 RemoteDeviceID
 TVDeviceID
https://developer.apple.com/enterprise/documentation/Configuration-
Profile-Reference.pdf

APPLE TV
SUMMARY
Lot of jailbreaks
 Except Apple TV 3
 Apple TV 1 is based on Mac OS X, so breaking is the same way like Mac
Password management
 No password
 No restrictions by default
 Restrictions handle the content only
Apple TV 2 – 5
 Apple TV 2 – 4 equipped with USB that gives dev info, timelog, crashlog, media folder
 Apple TV 5 does not have USB ports
Jailbroken TV
 Timezone, Network Info & History, Keyboard & Account Info
 iCloud preferences, Wi-Fi Accent Point, Weather cities (list) easy to remap geo
 TVs - Headboard, App snapshots, Cached video
 App List, App Data, App Snapshots

AMAZON TV: PREREQUISITE
Amazon Fire TV Stick
Amazon account plus other accounts per app
MITM is out of scope, but wait for Amazon Dot 
Forensics tools (no support atm)
Known ways to break into
Root
Data acquisition (streaming, photo, app, sideloaded Android app)

AMAZON TV
BREAK OPPORTUNITIES
No support of Forensics tools
Sideloading is allowed, ADB exists and is off by default
Rooting
many root-apps (like KingRoot) is around of outdated FireOS
such as 5.0.5 but not limited it
The rooting requires a keyboard, no support for TV remote
devices
Use dd command to obtain an image of Fire TV

AMAZON TV
ROOT, BOOTLOADER, SIDELOADING
Non-root things
 Sideloading is allowed without root like on Android
 Bootloader: 51.1.x.x – non-locked, 5.x.x.x – locked but 5.0.x are unlockable (no info about
older versions)
 Downgrading might be possible
Roots
 Fire TV 1 – rootable for 51.1.0.0 - 51.1.6.3, 5.0.3, 5.0.5, and no root for 5.0.5.1, 5.2.1.0 -
5.2.6.3
 Fire TV 2 – rootable for 5.0.0 – 5.2.1.1, no root for 5.2.4.0 – 5.2.6.3
 Fire TV 2 – 5.2.6.6 – pre-rooted ROM (http://www.aftvnews.com/pre-rooted-5-2-6-6-rom-
is-now-available-for-the-fire-tv-2/)
 Fire TV 3, Fire TV Cube – no root or pre-rooted ROM
 Fire TV Stick 1 – rootable for 5.0.0 - 5.2.1.1 and no root 54.1.2.3 and older, 5.2.1.2 -
5.2.6.3
 Fire TV Stick 2 – no root, except hardware rooting to direct access to the device eMMC
storage (http://www.aftvnews.com/amazon-fire-tv-hardware-root-demonstrated/)
 Fire TV Edition television – rootable for 5.2.5.0 and no root for 5.2.5.1 - 5.2.6.3

AMAZON TV
ROOTED TV
 browser.db – Browser History & navigating to websites using
Mozilla Firefox
 [root]/data/com.amazon.bueller.photos/files/cmsimages – Pictures
from Amazon cloud drive but formatted for better viewing up to
Fire TV Stick
 [root]/data/com.amazon.device.controllermanager/
databases/devices – Bluetooth Devices and their names, MAC
paired with Fire TV (such as, keyboard mouse, Amazon Fire TV
remote)
 [root]/data/com.amazon.device.logmanager/files – Amazon Logs
including Log.amazonmain

AMAZON TV
ROOTED TV
 /data/data/ = All application data is stored in this directory
 com.amazon.venezia/ = Amazon appstore data
/cache/ = thumbnails & previews for appstore apps
/databases/ = sqlite files in each folder
/contentProvider = Table "Apps" contains app-names("key") with relation
thumbnails("thumbnailUri"), Preview("previewUri") found in ../cache directory
/locker = workflow, orders, wishlist, applications, cache, content tokens.
/logging = logs for appstore application
 com.android.cloud9/ = Amazon browser data
/cache/webviewcache/ = any cache data
/databases/ = sqlite files in each folder
/webview.db = webview cookies & form data.
/webviewCache.db = association of files in ../cache/webviewcache/ directory to urls.
/browser.db = history & bookmarks also have path to page previews and thumbnails stored in ../files
/files/ = page previews & thumbnails stored as JPEG (crosslink to ‘browser.db’ above)
/shared_prefs = preferences for a cross-access
 com.amazon.provid ers.contacts/databases/conta cts2.db = All contacts

FORENSIC ANALYSIS METHOD FOR
THE AMAZON FIRE TV STICK

AMAZON TV: SUMMARY
 Several older firmwares are affected by rooting tools
 Rooting requires BT-keyboard that’s is not a big deal for TV
 Sideloading is allowed without root
 ADB is possible
 Downgrading the Fire TV Stick software/firmware might possible
 Personal data is revealed
 Credentials of streaming services is found
Netflix, NHL, NBA, Vimeo, … Kodi to get access to hundreds, of music, TV, movies
 No way to restrict connection and bind TV and device to themselves only
 FireOS ver 5.x is based on Android 5.1.1 Lollipop, ver 6.x is based on
Android 7.1 Nougat

AMAZON ECHO DOT
• Картинки и спецификацию

AMAZON ECHO DOT
Local access
Bootloader
MITM: SSL, MITM, Firmware MITM
Credentials breaks

AMAZON ECHO DOT
LOCAL ACCESS, LACK OF ROOT
 Alexa doesn’t have ADB, but have a MTK
 bus 001 Device 010: ID 0ed8d:2000 MediaTek Inc. MT65xx Preloader
 However a SP Flash Tool does not work atm
 Bootloader – press and keep ‘Uber’ while it is loading, but bootloader is locked
and no unlocking key is available
 Bus 001 Device 019: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 /
Magic / Tattoo
 # fastboot devices
fastboot
 # fastboot getvar all
lk_build_desc: c1…..
prod: 1
unlock_status: false
serialno: […..]
product: BISCUIT
version-preloader: 0.1.00
version: 0.5

AMAZON ECHO DOT
MITM. WHAT ABOUT SSL?
Self signed certificates is allowed on Alexa for devs
 https://developer.amazon.com/docs/custom-
skills/configure-web-service-self-signed-certificate.html
 https://www.amazon.com/gp/help/customer/display.ht
ml?nodeId=201589180
Change endpoint configuration and region
Make your Alexa installs a SSL from Intercepting tools
 No lack, Alexa Echo Dot as a device prevents this shit 
 Try with Alex app that comes installed by default on the
Kindle Fire Tablets, or download for Android or iOS
devices even (!)

AMAZON ECHO DOT
MITM. FIRST TIME SETUP
 Navigate via browser https://alexa.amazon.com
 Up to end of 2017 a redirect to Alexa setup was a http
URL (!)
 Expected credentials stolen in plaintext & expiring in
2036 like before, but no lack
before
 POST
/ap/signin?ie=UTF8&pf_rd_r=yyyyyyy&pf_rd_m=xxxxxx&
pf_rd_t=6301&pf_rd_i=amzn_dp_project_dee&pf_rd_p=x
xxxx&pf_rd_s=signin-slot HTTP/1.1
 Host: www.amazon.com
 Content-Length: 1349
 “name”: “Set-Cookie”,
 “value”: “session-token=”xx/y//zz==”; Version=1;
Domain=.amazon.com; Max-Age=630720000; Expires=Sat,
01-Nov-2036 22:39:37 GMT; Path=/”
Now
 HTTPS, prevents MITM attack
 Certificate expires every 2 years

AMAZON ECHO DOT
MITM. FIRMWARE
Intercepting firmware updates is possible
Here is a bin-firware http request
 GET /obfuscated-otav3-9/…/update-kindle-full_biscuit-XXXX_user_[XXXXXXXXX].bin
HTTP/1.1
 Host: amzdigitaldownloads.edgesuite.net
 Connection: close
 User-Agent: AndroidDownloadManager/5.1.1 (Linux; U; Android 5.1.1; AEOBC
Build/LVY48F)
Firmware contains build.prop = designed as a Android & have .APKs
 ro.build.version.fireos=5.5.0.3
 ro.build.version.fireos.sdk=4
Non-Encrypted bin-firmware
-rw-r--r-- boot.img; file_contexts
drwxr-xr-x images; META-INF
-rw-r--r-- ota.prop
drwxr-xr-x system
-rw-r--r-- system.new.dat; system.patch.dat; system.transfer.list

AMAZON ALEXA APP
Alexa app has a good a solid protection
No sensitive data stored locally
Well encrypted communication (online, internal) and used the TLS 1.2
However, MITM is possible, because no SSL Pinning used
 Credentials and all communication compromised

AMAZON ECHO DOT
ALEXA APP – MITM, NOT PINNED
Credentials
 {"Credentials":{"AccessKeyId":"ASIAXHE6EPSWNVIGFBVP","Expiration":1.538588872E9,"SecretKey":"+8gS
x7/H.....U="},"IdentityId":"us-east-1:503e25f6-2302-4dcd-8cb2-64a0e888f76b"}
 Email, Password from POST action ‘https://www.amazon.com/ap/signin’
 Device Info plus token
Metrics - https://device-metrics-us-2.amazon.com/metricsBatch
 HTTP_USER_AGENTDAMZN(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)"
 CountryCode RU"
Profile
 Name, Billing Address, Shipping Address
 Device IDs, types, Account ID, Device capabilities
First answer in .mp3 (https://tinytts.amazon.com/) stored for a long time (at least couple months)

AMAZON ALEXA APP
LOCAL
 LibraryApplication Supportdevice.sqlite – device list with
ID, serials
 LibraryMETRICS_NORMAL* - Logs &
MetricsHTTP_USER_AGENT(SmartPhone/iPhone/A2IVLV5VM
2W81,iOS/12.0,Alexa//2.2.233205,DCM)
 LibraryPreferencescom.amazon.echo.plist – Account Info
 DocumentsLocalData.sqlite – settings of devices

AMAZON ECHO DOT
ALEXA APP
Alexa and Echo allow many users to manage devices
 Echo has no voice differentiation capabilities nor protection against non-human or repeated speech
Each device locks by 4 digit PIN
 The Set of PINs is ~10k values
 Two attempts and have to restart but no limit the number of total attempts
 Bruteforce it for 2 days
How to break
1. Computer says “wake word” followed by the command to order an Amazon Echo Dot
2. Alexa responds with top Amazon search for and asks if user wants to place the order
3. Computer confirms order
4. Alexa asks for 4-digit PIN
5. Computer guesses next PIN in numerical order
6. Alexa accepts or rejects PIN
7. Computer guesses next PIN in numerical order
Repeat until you break it  take up to 48h max

AMAZON ECHO DOT & ALEXA APP
SUMMARY
Intercepting firmware updates is possible
Alexa allows to use self-signed SSLs but not accepts Burp/Charles certificate?
 True for Alexa Echo Dot
 Alexa app that relies on TLS 1.2 but affected to MITM attack with self signed cert
Not everything is HTTPS
FireOS is based on Android - https://en.wikipedia.org/wiki/Fire_OS
 ver 5.x – Android 5.1.1 Lollipop. Alexa is still on 5.x
 ver 6.x – Android 7.1 Nougat
Even hardware root is possible
https://vanderpot.com/Clinton_Cook_Paper.pdf

CONNECTED HOME
READYFORSKY
Backup
MITM: Hub, Remote
BT MITM: out of scope

READYFORSKY
DOCUMENTSR4S.SQLITE
Device list, models, pairing text
Receipts per device (how to cook, basic details &
requirements)
Username, email
User devices & Mac

READYFORSKY
MITM
 Firmware version – 2.29 -
http://service2.readyforsky.com/firmware/list/148/["2.29"]
 Device Pic - http://image-
server.readyforsky.com/i/1899/200x200.png
 Recipes – BlackTea, GreenTea, Others
 Do smth with a Kettle
 https://content.readyforsky.com/api/program/catalog/id:IN:90,9
7?locale=en
 "id": 90,
 "protocol_id": 0,
 "value": "BOILING", / HEATING
 "value": "40", | "value": "55", | "value": "70", | "value": "85", |
"value": "95",

READYFORSKY
MITM
Credentials, password, tokens
 https://content.readyforsky.com/headless/change-password
 {"current_password": "1", "plainPassword": "1"}
 { "error": "invalid_grant", "error_description": "The access token provided is
invalid."}
 { "access_token":
"YjNhYmEwOWM1ZDcwYTk0ODU1ODhmZDZiMDRjNjA5NzUyN2YzM2VhN
GUyMjBhYzc0ZjBhYWRhY2IzZmNjMzdiOA",
 "expires_in": 86400, "token_type": "bearer", "scope": "r4s", "refresh_token":
"YzE4ZGUwN2NkMzdiMDBlYmM5NGQwMGVjYmU4YThkYTVkMGE1ZTc4
ODQ2MDRkNjhhZWY4NGIxZjlkODRhZGI3MQ“ }

READYFORSKY
MITM
User details - https://content.readyforsky.com/api/user/current
 "username": "yurychemerkin",
 "username_canonical": "yurychemerkin",
 "email": "yury.chemerkin@gmail.com",
 "last_login": null,
 "enabled": true,
 "locked": false,
 "expired": false,
 "id": 527679
Client Address 192.168.1.38:50654 | this port changes
Remote Address content.readyforsky.com/178.62.194.132:443 | fixed port

READYFORSKY
MITM
Device details
 https://content.readyforsky.com/
api/device/user
 “name": "RK-G200S",
 "address": "E7:7F:BC:60:C2:2A",
 "name": "Gateway XIAOMI
Redmi 4X",
 "address": "77d3efcf-f627-
402e-bbed-4ee0c8290417",
Client Address 192.168.1.38:50654 | this port changes
Remote
Address
content.readyforsky.com/178.62.194.132:443 |
fixed port

REDMOND
SUMMARY
Communications & MITM
 App, Hub, Device IP, Ports including internal info, Device info (name,
model, network info)
 Actions, receipts, to-do
 Credentials, password, tokens
 User details & Login details
Local
 Device list, models, pairing text
 Receipts per device (how to cook, basic details & requirements)
 Username, email
 User devices & Mac

LIGHTNING
Lightify
IKEA TRÅDFRI
Philips HUE

LIGHTIFY
 Lightify is the IoT platform with a simplest integration of wireless lighting.
 Need to have an Lightify-account
 Online communication uses QUIC-protocol with encryption over UDP
 Wireshark does not support QUIC decryption at the moment. The drafts
at tools.ietf.org/wg/quic are also not really detailed on the ciphers.
 Lightify Gateway communicates over TCP completely unencrypted locally,
but via a binary protocol https://github.com/noctarius/lightify-binary-
protocol#basics-about-the-protocol and here a plugin to manage the
light https://github.com/tfriedel/python-lightify
 Credentials stored in a local folder – shared preferences

IKEA TRADFRI
Smart lightning and assistant to control it
No online communications except firmware requests in plaintext
 GET http://fw.ota.homesmart.ikea.net/feed/version_info.json
 User-Agent: HertzClient/1.0
 Host: fm.ota.homesmart.ikea.net
 Connection: close
 Response : No response
Local communication is DTLS (SSL over UDP)
 Pairing via QR code
(Serial Number = Mac Address, Security Code/ pre-shared key)
 QR code can be revealed for further decryption
Locally stored data
 Encrypted QR-code and store in keystore – need root to get an access
 Keystore doesn’t work for outdated Android (< 4.3)
 AES encryption alg for outdated Android and built APK with encryption key “Bar12345Bar12345” as a resource in “key_file.txt”
 The Issue here is a patched APK file with a removed strong encryption

PHILIPS HUE
 HUE light, lamps and other with a smart assistant and bridge to works over Philips servers
 The list of paired Apps and services with timestamp sent across Hue apps
 Online communication
 [BridgeServers] works over HTTP with additional layer of AES-encryption. Guess they store secret key somewhere
but no lack to find it
 [AppServers] works over HTTPS with SSL Pinning
 Local communication works over HTTP
 PUT http://192.168.1.38/api/Ds7KfNjjYtC8uN
mU8azGBiOSj-uacXI0q0JKaTs/groups/1/action
 Host http://192.168.1.38
 Accept *.*
 Content-Type: application-json
 Content-Length: 11
 Json {“on:true”}
 Loading malicious firmware over-the-air http://iotworm.eyalro.net/
 In 2016, researchers hacked Hue lights via ZigBee over a distance of more than 200 meters
http://iotworm.eyalro.net/iotworm.pdf

LIGHTNING
SUMMARY
IoT platforms: Lightify, IFTTT
 One account to access all tokens & credentials to manage services, devices
and data
Communication
 Online – usually encrypted, MITM sometimes possible
 Local – non-protected, custom protocols & encryption – usually analyzed
 Firmware – plaintext usually, malicious attacks are possible
Local
 Credentials, log, data

CONNECTED HOME
SUMMARY
Jailbreaks & roots
 Available for popular devices
 Sideloading apps are possible
 New in-house manager devices, such as Alexa Dot doesn’t have root tools
Backup & Data
 Works for many devices
 Works for synchronizing apps, like Alexa
In-house smart manageable things works over app-manager that, in turn
 Allow itself to be manageable by any devices BT, Wi-Fi, e.g. cast video or other content
 Doesn’t have a good protection and available over Internet
 Has a firmware issues with malicious over-air-attacks
 Locally stored lot of data in app installed on the mobile device
 Moved in an user’s pocket everywhere

IoT
HOW TO SECURE
Risk Management
 Device Profiling – divide your devices according to a critical info & risk score
 Use cases – define where and what for are you going to use devices
 Compatibility - use devices that are compatible with existing technology stack, and security equipment and
software
 Lost of smartphones – avoid devices to be lost or left unattended
In-home Secured Network
 Obscure name – NOT for vendor & model names or revealing user identity e.g. personal
 Encryption – use up-to-date devices with the latest & strongest encryption schemes
 Guest network – setup it if you’re sure but better to Disable guest network access entirely
 Two or more different Wi-Fi networks (logically or physically) – one for typical activities (networking,
messaging, etc.), second for IoT, third for critical banking, shopping
 Firewall - a stand-alone software or shipped with the router, allow traffic on those specific ports & no others
 Limit of public network usage – avoid pairing device or using device apps over public network due to lack
of encryption of data
Password Management
 Default credentials – change it for router’s , IoT devices’ password
 Unique passwords - use unique, complex passwords made up of letters, numbers, and symbols

IoT
HOW TO SECURE
Software Management
 Settings – change it to default privacy policies & security settings
 Features – disable features you don’t need, such as a remote access
 Apps – avoid use apps that don’t encrypt data locally or while it’s transferring
 Patches – keep all devices & software up-to-date
 VPN – stand alone software or shipped with router to protect connections of IoT device that working over Internet
 Multifactor & Hubs – use all security settings that require additional actions before it’s being easily hacked
Data
 Data Analysis - analyzing data generated by IoT devices to understand what data might be monetized
 Activity Analysis – identifying unusual activity of IoT devices to understand what data might be leaked
Breaking tools
 Risky app – avoid apps out of store, junk apps from app store
 Broken - don’t break any device in a chain of devices, rely on supported vendor ROMs
 Flashed – flash clean & secure ROMs to remove unwanted apps but rely on well-known supported ROMs
Cloud & third party tools
 IoT clouds – audit it before using for your personal/business need
 Third party services – there are many automation tools to manage IoT devices. Use secured and audited and be
informed

MOBILE, IoT, CLOUDS…
IT’S TIME TO HIRE A RISK MANAGER!
HOW TO CONTACT ME ?
ADD ME IN LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
YURY CHEMERKIN
SEND A MAIL TO: YURY.S@CHEMERKIN.COM

Mobile, IoT, Clouds… It’s time to hire your own risk manager!

Recommended

Recommended

More Related Content

Similar to Mobile, IoT, Clouds… It’s time to hire your own risk manager!

Similar to Mobile, IoT, Clouds… It’s time to hire your own risk manager! (20)

More from DefCamp

More from DefCamp (20)

Recently uploaded

Recently uploaded (20)

Mobile, IoT, Clouds… It’s time to hire your own risk manager!