Behind The Code // by Exness

Hidden Threats
of Technological
Enhancements
Dmitry Sklyarov /
Security Researcher | Reverse
Engineer

Agenda
01. Password Managers on Smartphones
02. Flash Storage Forensics
03. 4G modem – best present ever!

01.
Password Managers
on Smartphones

Authentication: PC
Trusted
Platform
Module
Password
/Passphrase
Biometrics
SmartCard
+ PIN

Authentication: PC
Password
/Passphrase
X X X

Authentication:
Smartphone (modern)
Hardware
security
features
Password
/Passphrase
Biometrics
of different
types
But…
To unlock
the phone
after reboot
you have to
provide the

Authentication:
Smartphone
Password is the only
option on the smartphones.
“Lock patterns” are essentially
numeric passcodes [1-4-2-5-6-9-8]

Password Typing
PC:
Full-sized keyboard,
motor memory
Long and complex
passwords are easy

PC:
Full-sized keyboard,
motor memory
Long and complex
passwords are easy
Smartphone:
Touch keyboard
Long and complex
passwords are hard
Password Typing

Password Typing
It is fair to assume
that passwords on the
smartphones are shorter
than their PC counterparts.
* * * *

Password
Transformation
Fast CPU
Can do complex
password-to-key
transforms
PC:

Password
Transformation
PC:
Fast CPU
Can do complex
password-to-key
transforms
Smartphone:
Relatively slow CPU
Complex
password-to-key
transforms will
impact usability

Password Cracking
Oﬄine attacks
can utilize GPUs
for attackers’
advantage

Authentication
Wrap Up
PC:
Password entered
not too often
(usually just after
unlocking console)
Smartphone:
Password entered
every time you need
access data
(after switching
applications or after
short time-out)
Handling passwords on
smartphone is more diﬃcult
than on PC
Smartphone requires stronger
password protection than PC
but provides less capabilities
for doing so!

Threat Model
Assumptions:
01.
Attacker
has:
Recover master password
for password manager(s)
on the mobile device
Extract passwords stored
by those managers
02.
Attacker
wants to:
Physical access
to the device, or
Backup of
the device, or
Access to password
manager database ﬁle

Are those assumptions
fair at all?

Physical Access
PC:
Computers are
relatively big. Thus,
hard to steal or lose.
You know where it is
(well, most of the
time).
Smartphone:
Lots of phones go
in wrong hands every
year. Many are left
in the bars.
Do you really know
where exactly your
phone is right now?

Physical Access
Someone just got
physical access
to the device

Device Backup
Apple iOS:
Need device password
Optional encryption
(not enforced)
PBKDF2-SHA1
with 20’000 iterations
BlackBerry:
Need device passcode
or iTunes pairing
Optional encryption (enforced by
device) PBKDF2-SHA1 with 10’000
iterations

Database Files
Apple iOS:
Need device password
BlackBerry:
Via afc (need passcode
or iTunes pairing)
Via SSH (jailbroken devices)
Via physical imaging
(up to iPhone 4)

iOS Passcode
Starting with iOS 4 passcode is involved
in encryption of sensitive data
Passcode key derivation is slowed down
by doing 50’000 iterations
- Each iteration requires
talking to hardware AES
- 6 p/s on iPhone 4
Can’t be performed off-line and scaled
Checking all 6-digit
passcodes will take
more than 40 hours

Cracking Passwords
Name
Keeper® Password & Data Vault
Password Safe - iPassSafe Free
Strip Lite - Password Manager
SafeWallet - Password Manager
DataVault Password Manager
mSecure - Password Manager
LastPass for Premium Customers
1Password Pro
BlackBerry Password Keeper
BlackBerry Wallet 1.0
iOS passcode
Complexity
1x MD5
1x AES-256
4000x PBKDF2-SHA1 + 1x AES-256
1x SHA-256 + 1x SHA-1
1x SHA-256 + 1x Blowﬁsh
2x SHA-256 + 1x AES-256
1x MD5 + 1x AES-128
2x SHA-256
1x SHA-512 + 100x PBKDF2-SHA1 + 1x AES-256
50000 iterations with HW AES
CPU p/s
60 M
20 M
5000
1500 K
7 M
300 K
5 M
15 M
5 M
6 M
200K
6
GPU p/s
6000 M
N/A
160 K
20 M
500 M
N/A
20 M
20 M
20 M
300 M
3200 K
0
Len/24h
14.7
12.2
10.1
12.2
13.6
10.4
12.2
12.2
12.2
13.4
11.4
5.7

Cracking Passwords
Name
Keeper® Password & Data Vault
Password Safe - iPassSafe Free
Strip Lite - Password Manager
SafeWallet - Password Manager
DataVault Password Manager
mSecure - Password Manager
LastPass for Premium Customers
1Password Pro
BlackBerry Password Keeper
iOS passcode
Complexity
1x MD5
1x AES-256
1x SHA-256 + 1x SHA-1
1x SHA-256 + 1x Blowﬁsh
1x MD5 + 1x AES-128
2x SHA-256
1x SHA-512 + 100x PBKDF2-SHA1 + 1x AES-256
50000 iterations with HW AES
CPU p/s
60 M
20 M
5000
1500 K
7 M
300 K
12 K
15 M
5 M
6 M
200K
6
GPU p/s
6000 M
N/A
160 K
20 M
500 M
N/A
600 K
20 M
20 M
300 M
3200 K
0
Len/24h
14.7
12.2
10.1
12.2
13.6
10.4
10.7
12.2
12.2
13.4
11.4
5.7

None of the tested password
keepers offers reliable protection
on top of OS security
Using them on improperly conﬁgured
device may expose sensitive data
Paid apps are not necessarily
more secure than free ones
Summary

Magnetic Recording
Invented in 1898
Media moves
near magnetic
head

Magnetic drives
becomes smaller…

and smaller…
Toshiba's 0.85” 4GB HDD
General principles still the same
Any piece of data could
be modiﬁed independently
Erasing performed via overwriting
Data erasure standards exists

Flash Memory
Intel’s m-SATA 80G SSD (2010)
Invented in 1984
Two major types: NOR (1988,
Intel) NAND (1989, Toshiba)
Stores electrical charge into
a ﬂoating gate of transistor
Able to retain data
for 10-100 years

Flash Memory
Characteristics
Any byte could be written independently
Need erase (make all bits=1) before re-writing
Erasing with precision of block (e.g. 64K) only
- Limited number of guaranteed erase cycles
- Usually between 10’000 and 1’000’000
- Inerasable block should be marker as “bad”
Some blocks could be inerasable
when leaving factory

Flash Memory
Layout
Spare area could
be used for:
Marking bad pages/blocks
Storing ECC data
Holding Physical-to-Logical
mapping information
Bank 1
Bank 2
Bank 3
Erase Block 1
Erase Block 2
Erase Block 3
Page 1
Page 2
Page 3
Page N
Erase Block N
Bank N
Data
(512b)
Spare

Wear Leveling
Dynamic process that rearranges
pages/blocks in order to extend
ﬂash lifetime
Algorithms developed by
memory device manufacturers
Implementation details
usually keeps secret
Goal: evenly spread
the erasing of blocks
over the full range
of physical blocks
Data is written
on blocks with the
lowest erase count.
Writing and erasing
of data are evenly
distributed.
Blocks are maximized
and ideally, fail
at the same time.

Logical
Characteristics
Simulates behavior of common HDD
Logical Block Addressing
Logical Address translates to Physical
Address by Flash Memory Controller
TRIM command for SSD
Intel’s m-SATA 80G SSD (2010)

Logical
Characteristics
Flash-aware ﬁrmware
Tight integration between OS and Flash
Memory
Logical-to-Physical translation often
performed on CPU
Embedded Device
(e.g. Smartphone)

Flash Translation
Layer (FTL)
Responsible for ﬁnding Physical Page
that represents actual data for speciﬁc
Logical Page Number (LPN) of Block device
State of mapping tables is stored in Flash
and cached in RAM
Unused (TRIM-ed) LPNs are not mapped at all

Altering data
in Flash Storage
Any modiﬁcation of data changes the mapping
New data is written to new (free) page
Previous version of page data (and content
of TRIM-ed pages) still resides somewhere
in Flash until block erased due to wear leveling
or garbage collection

FTL in iOS devices
LPN
Implemented in software (runs on CPU)
Spare area of Data pages contains:
USN
(Update Sequence Number)
allows to ﬁnd all Physical
pages that were used to store
data of some Logical page
allows to build the ordered
“history” of page copies

Accessing raw Flash
on iOS devices
IOFlashControllerUserClient kernel service
is available
externalMethod functions allows perform
“raw” reading of Physical pages
ReadPage request support removed in iOS 5
- RAMdisk based on iOS 4 could help
- It is possible to patch the kernel in
memory and restore ability to read pages

Which devices
could be examined?
Anything prior to iPhone4S
/iPad2/iPod5 by loading
custom RAMdisk/Kernel
01. Jailbroken device
by patching kernel
in memory
03.
Any iOS device if you
know how to obtain digital
signature for your RAMdisk
from Apple
02.

How “Forensic” is it?
Not too much…
Booting the
iDevice causes
some alteration
of Flash content
Obtaining Flash
dump twice would
not produce
identical results
01. 02.

Is there secure
way to erase data?
Deleting ﬁle produces good result at logical
level (due to TRIM) – better that HDD
Neither deleting nor overwriting are actually
removes the data at physical level – much
worse than HDD
Probability of successful data recovery
depends on amount of unused space
on Flash Storage (more space – more
chances)

03.
4G modem –
best present ever!

How it looks
(approximately ;)

Back side:
nothing
Explore textual
marks on Modem
Hmm, what the actual manufacturer name and model number?
Front side:
4G” logo
operator’s logo
Under the cover
(access to SIM and SD cards):
Operator’s internal
model number
IMEI
Serial number

Explore packaging
Manufacturer name
(ZTE) printed on the
box and in booklet

ZTE MF823 4G
Modem Speciﬁcation
LTE-FDD: 800/900/1800/2600MHz;
UMTS: 900/2100MHz;
LTE-FDD: DL/UL 100/50Mbps (Category3)
DC-HSPA+: DL/UL 42/5.76Mbps
Size: 90 x 28.4 x 13mm
OS: Win7, Windows XP,
Vista, Win8, Mac OS

ZTE MF823 4G Modem
re-Branding
MegaFon
(Russia)
Beeline
(Russia)
O2
(Germany)
Three
(UK)
Altel
(Kazakhstan)

Is there Modem
anymore?
After plugging into PC running Windows 7:
CWID USB SCSI CD-ROM USB Device
ZTE MMC Storage USB Device
(MicroSD Card Reader)
After performing “Eject CD Drive”:
CD-ROM (sometimes they come back!)
MicroSD Card Reader
Remote NDIS* based Internet Sharing Device
*NDIS == Network Driver Interface Speciﬁcation
No drivers
required!
(at least on Windows 7 ;)

Remote NDIS
adapter properties
> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.0.182
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

How to speak
with MF823?
Results of ports
scan for 192.168.0.1

HTTP server
on 192.168.0.1
GET /index.html HTTP/1.1
Host: 192.168.0.1
HTTP/1.1 404 Site or Page Not Found
GET / HTTP/1.1
Host: 192.168.0.1
HTTP/1.0 302 Redirect
Server: GoAhead-Webs/2.5.0
Location: http://192.168.0.1/index.html

HTTP server Handlers
Defined UrlHandlers:
/goform
/cgi-bin
/mmc2
/api/xmlclient/post
/client/backup
/api/nvramul.cgi
Defined GoForm handlers:
/goform/goform_get_cmd_process
/goform/goform_set_cmd_process
/goform/goform_process
/goform/formTest

Getting diagnostics info
http://192.168.0.1/goform/
goform_get_cmd_process?
cmd=device_diagnostics
Returns:
productName softwareVersion modemVersion
routerVersion webUiVersion hardwareVersion
serialNumber simSerialNumber simMsisdn
deviceImei simImsi simStatus
sdCardAvailable sdCardTotalMemory sdCardUsedMemory
currentConnectedUsers maxConnectedUsers timeSinceStartup

Switching to Download
(FACTORY) mode
http://192.168.0.1/goform/goform_process?
goformId=MODE_SWITCH&switchCmd=FACTORY
New devices appears:
ZTE Diagnostics Interface (COMX)
ZTE NMEA Device (COMY)
ZTE Proprietary USB Modem
NB: Send AT+ZCDRUN=F to COM-port associated
with “ZTE NMEA Device” to return from Download mode

telnetd on 192.168.0.1
OpenEmbedded Linux 9615-cdp
msm 20130729 9615-cdp
9615-cdp login: root
Password: zte9x15
root@9615-cdp:~# id
uid=0(root) gid=0(root) groups=0(root)

Root is good!
Full-featured ARM-based Linux
busybox apps (e.g. nc and netstat)
iptables
tcpdump
gdbserver
CD image at /usr/zte_web/ZTEMODEM.ISO
HTTP server root at /usr/zte_web/web/*
auto_apn
copy
zte_log

What is actually
under your control?

What are the treats?
log all
internet activity
replicate all
internet activity
access to
local network?
GPS-enabled?
store/report
GPS location
WiFi-enabled?
access to
local WiFi
under remote
management
controls all
external traﬃc

eBPF
the hidden linux
superpower
Alexander Sungurov, Exness /
Security Architect

Bit of history
01. Who knows what is
BPF/eBPF/Systemtap/DTrace?
02. Have you ever used any of these technology
before?
03. Why do we need eBPF if we already have
/proc/vmstat/lsof/strace/tcpdump/ ... ?

Bit of history
Who knows what is
BPF/eBPF/Systemtap/DTrace?
01.
Why do we need eBPF if we already have
/proc/vmstat/lsof/strace/tcpdump/ ... ?
03.
Have you ever used any
of these technology before?
02.

Man bpf
* Run code
in the kernel without
having to write a ko
(kernel module)
Description
The bpf() system call performs a range of operations related to
extended Berkeley Packet Filters. Extended BPF (or eBPF) is similar
to the original ("classic") BPF (cBPF) used to ﬁlter network pack‐
ets. For both cBPF and eBPF programs, the kernel statically analyzes
the programs before loading them, in order to ensure that they cannot
harm the running system.
eBPF extends cBPF in multiple ways, including the ability to call
a ﬁxed set of in-kernel helper functions (via the BPF_CALL opcode
extension provided by eBPF) and access shared data structures such
as eBPF maps.
limited C eBPF bytecode

λ ~ sudo tcpdump host 127.0.0.1 and port 80 -d
(000) ldb [0]
(001) and #0xf0
(002) jeq #0x40 jt 3 jf 19
(003) ld [12]
(004) jeq #0x7f000001 jt 7 jf 5
(005) ld [16]
(006) jeq #0x7f000001 jt 7 jf 19
(007) ldb [9]
(008) jeq #0x84 jt 11 jf 9
(009) jeq #0x6 jt 11 jf 10
(010) jeq #0x11 jt 11 jf 19
(011) ldh [6]
(012) jset #0x1fff jt 19 jf 13
(013) ldxb 4*([0]&0xf)
(014) ldh [x + 0]
(015) jeq #0x50 jt 18 jf 16
(016) ldh [x + 2]
(017) jeq #0x50 jt 18 jf 19
(018) ret #262144
(019) ret #0
tcpdump?

Enhanced BPF
Observability
Intrusion Detection
Container security
DDoS mitigation
SDN
veriﬁer / linter
BPF
BPF actions
sockets
user probes
(uprobes)
kernel probes
(kprobes)
tracepoints
kernel

Capabilities
BPF Compiler
Collection (BCC)

Security -> IDS / EDR
Сustomizable
Lighter
Fast reaction

Observability -> Debug / Proﬁling
View all what
you need

eXpress Data Path (XDP)
Allows easily mitigate
DDoS attacks on L3-L7
Your weakest point is your
network bandwidth
Requires supported
network cards to oﬄoad
XDP program on it
Application
Network devices
BPF
program
Network
stack
Kernel
Fast drop

Container Security
Detection
Prevention
Monitoring

Tools
● bcc – BPF Compiler Collection
● Cilium – container-aware eBPF-based Networking, Observability, Security
● Katran – high-performance layer 4 load balancing forwarding plane
● Falco – Open Source Security Tool for containers, Kubernetes and Cloud
● bpftrace – High-level tracing language for Linux eBPF
● KubeArmor – Container-aware Runtime Security Enforcement System
● Tracee – Linux Runtime Security and Forensics using eBPF
● Pixie – Scriptable observability for Kubernetes

eBPF use-cases
● Facebook uses Katran as a software-based solution to load balancing at a FB scale.
● Google announces Cilium & eBPF as the new networking dataplane for GKE.
● Netflix uses eBPF flow logs at scale for network insight.
● Cloudflare used eBPF to Build Programmable filter in Magic Firewall
● CF uses XDP to mitigate DDoS attacks
● etc …

One-liners / quick examples
● ﬁles opened by process:
bpftrace -e 'tracepoint:syscalls:sys_enter_open
{ printf("%s %sn", comm, str(args->filename)); }'
● Any invoked processes / forks / children:
bpftrace -e 'tracepoint:syscalls:sys_enter_exec*
{ printf("%s %sn", comm, str(args->filename)); }
● get any line entered in bash (command sniﬃng):
bpftrace -e 'uretprobe:/bin/bash:readline {
printf("readline: "%s"n", str(retval)); }'

References / Credits
● Brendan Gregg’s blog - http://www.brendangregg.com/
● IOVisor project - https://www.iovisor.org/
● Project Cilium - https://cilium.io/
● BCC - https://github.com/iovisor/bcc
● Linux kernel project - https://kernel.org

Corporate
Cryptocurrency
Wallet Management
Valery Tyukhmenev, Exness /
Application Security Engineer | The Wheel Reinventor

Cryptocurrency is decentralized digital money
that’s based on blockchain technology.
A blockchain is an open, distributed ledger that
records transactions in code. In practice, it’s a little
like a checkbook that’s distributed across countless
computers around the world. Transactions are
recorded in “blocks” that are then linked together
on a “chain” of previous cryptocurrency transactions.
What is
cryptocurrency?
86
86
86
86 86
Corporate Cryptocurrency Wallet Management
Cryptocurrency
https://www.forbes.com/advisor/investing/cryptocurrency/what-is-cryptocurrency/
https://marketing.exness.com/crypto/

87
87
87
87 87
https://www.forbes.com/sites/jonathanponciano/2022/03/29/second
-biggest-crypto-hack-ever-600-million-in-ethereum-stolen-from-nft-
gaming-blockchain/
Why it should be protected?

88
88
88
88 88
https://crystalblockchain.com/s
ecurity-breaches-and-fraud-inv
olving-crypto/
Why it should be protected?

89
89
89
89 89
https://www.coinparticle.com/market/all
Cryptocurrency

Know Your Transaction or KYT is
a commonly used financial industry term
that refers to the process of examining
financial transactions for fraudulent or
suspicious activities including money
laundering.
As cryptocurrency adoption continues
to grow, it has been important for
institutions to have the ability to drill
down into crypto transactions for
evidence of financial crimes.
Addition
to KYC / AML
90
90
90
90 90
KYT (Know Your Transaction)
https://crystalblockchain.com/articles/the-importanc
e-of-knowing-your-cryptocurrency-transaction-kyt/

91
91
91
91 91
Wallet Types
Hot
Wallet
● Private key is being stored on
special hardware device with
● no internet access
● Requires manual actions
● for signing
● Usually signed TX is being
broadcasted on separate device
● Best overall security
https://glacierprotocol.org/
● Easiest to start using crypto
● Keys are being generated
and stored online
● Transactions (TXs) are
being signed by provider
● Lowest security level
● Uses proprietary software to
generate and store wallets
● Keys stored oﬄine on device
(eg smartphone)
● TXs are being signed on
user’s device
● Balanced approach for
everyday usage
Warm
Wallet
Cold
Wallet

The enclosed instructions tell the person to
connect the Ledger to their computer, open
a drive that appears, and run the enclosed
application.
The instructions then tell the person to
enter their Ledger recovery phrase to
import their wallet to the new device.
Hardware
Wallets is not
a panacea
92
92
92
92 92
https://www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-alt
ered-ledger-devices-to-steal-cryptocurrency/
Wallet Types

93
93
93
93 93
Crypto Custody Types
● Custodian handles any problems
● Easier for small business
● Usually have insurance
● Custodian controls crypto liquidity
(can be frozen etc)
● Custodian may be hacked
(or any other 3rd-party risk)
● Fees can be applied
Third-party custody
● Full control of crypto liquidity
● No 3rd party risks
● Have to handle the management
of keys
● Also can be hacked
Self-Custody

This standard deﬁnes how to derive private and public
keys of a wallet from a binary master seed (m) and an
ordered set of indices (called path) usually provided by
values separated by slash:
m / purpose' / coin_type' /
account' / change / address_index
m / 44' / 0' / 1' / 3 / 37
There are two possible types of BIP32 derivation:
hardened or non-hardened
How does it work?
94
94
94
94 94
Hierarchical Deterministic
Wallets (BIP-0032)
https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki
https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki

95
95
95
95 95
https://medium.com/@blainemalone01/hd-wallets-why
-hardened-derivation-matters-89efcdc71671
https://learnmeabitcoin.com/technical/extended-keys
A parent extended
public key together with
a non-hardened child
private key can expose
the parent
private key.
Hierarchical
Deterministic Wallets

96
Corporate Key Structure

Hardware Security Modules (HSMs)
are hardware devices that can reside on a
computer motherboard, but the more advanced
models are contained in their own chassis
as an external device and can be accessed
via the network.
What are HSM & TPM?
97
97
97
97 97
HSM
Trusted Platform Modules (TPMs) are small
hardware devices that are usually embedded
into computer motherboards and are available
as external devices.
https://goteleport.com/blog/tpm-vs-hsm-difference/
Hardware Security
Module TPM Trusted Platform
Module

Mechanism that moves multiple signatures
veriﬁcation on the blockchain side.
scriptPubKey:
m {pubkey}...{pubkey} n OP_CHECKMULTISIG
scriptSig:
OP_0 ...signatures…
Order matters!
OP_0 sigB sigA OP_2 pubA pubB pubC OP_3
OP_CHECKMULTISIG -> fail
98
98
98
98 98
Bitcoin Multisig
(BIP-0011)
https://www.forbes.com/advisor/investing/cryptocurrency/what-is-cryptocurrency/
https://marketing.exness.com/crypto/

99
99
99
99 99
Real-World Business Bitcoin Multisig
Implementation

100
100
100
100
100
Implementation

101
101
101
101
101
Implementation

102
102
102
102
102
MPC TSS
DKG
Multi-party computation ]
[
Distributed key generation ]
[
Threshold signature scheme ]
[
https://github.com/ZenGo-X/awesome-tss
Multiple Bugs in Multi-Party Computation: https://www.youtube.com/watch?v=0Okqvm4lBQI
Allows to make the signature and
derive the keys without having the
private key in the same place
Allows to generate the private key
parts without having the original
one in the same place
Allows to make a signature
of transaction having M of N
required secret parts
● Can be combined with
standards like multisig
& hd wallets
● Universal solution for
multiple blockchains
● Requires more research
for enterprise usage
MPC, TSS, DKG
New Wave of Secure
Cryptocurrency Management

Behind The Code // by Exness

Recommended

Recommended

More Related Content

Similar to Behind The Code // by Exness

Similar to Behind The Code // by Exness (20)

More from Maxim Gaponov

More from Maxim Gaponov (13)

Recently uploaded

Recently uploaded (20)

Behind The Code // by Exness