Dissecting Blackberry Z10:
2-in-1
By Alexander Antukh &
Yury Chemerkin
Jun 30, 2013
/whoami
Alexander Antukh
- Security Consultant
- Offensive Security Certified Expert
- Interests: kittens and stuff
/whoami
Yury Chemerkin
- Experienced in:
  - Mobile Security and MDM
  - Cyber Security & Cloud Security
  - Compliance & Transparency
  - and Security Writing
Agenda
- Blackberry OS review
- Shell Access
- The Approaches
- Firmware from the inside
- Playing with the browser
- Security on the application level
- Funny with APIs
- MDM capabilities
- Efficiency of security features
- Future research
Blackberry OS review
Built on QNX!
- Tiny
- Micro-kernel architecture
- Virtual memory allocation for each process
- POSIX-compliant
QNX = microkernel (MK) + process manager (PM) + processes
Blackberry OS review
This is what the system looks like: [system architecture diagram in the original slide]
This is what the microkernel looks like: [microkernel diagram in the original slide]
Shell Access
Extremely easy!
- development mode → on
- generate a 4096-bit RSA key (ssh-keygen/putty)
- blackberry-connect <t> -password <p> -sshPublicKey <k>
- ssh 169.254.0.1 → nuts
Even easier:
- Dingleberry → nuts
/accounts/devuser/
The Approaches
1. General permissions
- SUID/SGID
  -rwxrwsrwx 1 root root
- Writable files and folders
"find all suid files" => find / -type f -perm -04000 -ls
"find all sgid files" => find / -type f -perm -02000 -ls
"find config* files" => find / -type f -name "config*"
"find all writable folders and files" => find / -perm -2 -ls
"find all writable folders and files in current dir" => find . -perm -2 -ls
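The find(1) one-liners above, re-implemented as an added Python audit (example code, not from the slides or the authors' toolkit). It walks a tree once, buckets SUID, SGID and other-writable entries, and additionally separates world-writable directories that lack the sticky bit from the /tmp-style ones that have it, which find -perm -2 lumps together. The build_demo_tree fixture and every path in it are constructed for the demonstration.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Added example, not from the slides: the deck's find(1) predicates for SUID,
# SGID and world-writable paths as one audit pass whose output can be saved
# and diffed between firmware builds.

SUID = "suid"
SGID = "sgid"
WORLD_WRITABLE = "world_writable"


def audit_tree(root: str) -> Dict[str, List[str]]:
    """Bucket every path under `root` by the risky mode bits it carries.

    Equivalent find(1) predicates from the slide:
      -type f -perm -04000 -> SUID regular files
      -type f -perm -02000 -> SGID regular files
      -perm -2             -> any path writable by 'other' (files and directories)
    """
    findings: Dict[str, List[str]] = {SUID: [], SGID: [], WORLD_WRITABLE: []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: report the link, not its target
            except OSError:
                continue  # vanished or unreadable entry: skip rather than abort
            if stat.S_ISLNK(mode):
                continue  # a symlink's own bits are always 0777 and mean nothing
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                findings[SUID].append(path)
            if stat.S_ISREG(mode) and mode & stat.S_ISGID:
                findings[SGID].append(path)
            if mode & stat.S_IWOTH:
                findings[WORLD_WRITABLE].append(path)
    for bucket in findings.values():
        bucket.sort()
    return findings


def unprotected_world_writable_dirs(findings: Dict[str, List[str]]) -> List[str]:
    """World-writable directories without the sticky bit.

    find -perm -2 also lists /tmp-style directories; the sticky bit is what stops
    one user from deleting or renaming another user's files there, so the ones
    lacking it are the entries worth reading first.
    """
    out = []
    for path in findings[WORLD_WRITABLE]:
        mode = os.lstat(path).st_mode
        if stat.S_ISDIR(mode) and not mode & stat.S_ISVTX:
            out.append(path)
    return out


def describe_mode(path: str) -> str:
    """Render the mode the way ls -l does, e.g. '-rwsr-xr-x' for a 4755 file."""
    return stat.filemode(os.lstat(path).st_mode)


def build_demo_tree(base: str) -> Dict[str, str]:
    """Constructed fixture (hypothetical paths): one entry per category under `base`."""
    paths = {
        "suid": os.path.join(base, "bin", "suid_tool"),
        "sgid": os.path.join(base, "bin", "sgid_tool"),
        "ww_file": os.path.join(base, "etc", "config.ww"),
        "plain": os.path.join(base, "etc", "config.ok"),
        "ww_dir": os.path.join(base, "var", "open"),
        "sticky_dir": os.path.join(base, "var", "tmp"),
    }
    for sub in ("bin", "etc", "var"):
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        os.chmod(os.path.join(base, sub), 0o755)  # explicit, so umask cannot skew results
    for key in ("ww_dir", "sticky_dir"):
        os.makedirs(paths[key], exist_ok=True)
    for key in ("suid", "sgid", "ww_file", "plain"):
        with open(paths[key], "w") as fh:
            fh.write("#!/bin/sh\n")  # write before chmod: writing clears SUID/SGID
    os.chmod(paths["suid"], 0o4755)
    os.chmod(paths["sgid"], 0o2755)
    os.chmod(paths["ww_file"], 0o666)
    os.chmod(paths["plain"], 0o644)
    os.chmod(paths["ww_dir"], 0o777)
    os.chmod(paths["sticky_dir"], 0o1777)
    return paths


def demo() -> dict:
    """Build the fixture in a throwaway directory and audit it."""
    base = tempfile.mkdtemp(prefix="permaudit-")
    paths = build_demo_tree(base)
    findings = audit_tree(base)
    return {
        "paths": paths,
        "findings": findings,
        "unprotected_dirs": unprotected_world_writable_dirs(findings),
        "suid_mode": describe_mode(paths["suid"]),
    }


if __name__ == "__main__":
    result = demo()
    for bucket, entries in result["findings"].items():
        print(bucket)
        for entry in entries:
            print("  ", describe_mode(entry), entry)
    print("world-writable dirs without sticky bit:", result["unprotected_dirs"])
```

Run it against a mounted firmware image or an extracted IFS root by calling audit_tree(path) directly; the SGID bucket is only populated where the filesystem honours the bit for the calling user, so an empty SGID list on a desktop test run is not evidence of anything.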
The Approaches
2. Fuzzers
- IOCTL fuzzing
  - no params
  - overlong strings
  - pre-determined DWORDs
Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11 ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000
- Binary bit-/byteflipping (EDB-ID #7823)
The Approaches
3.1. System utilities. BOFs
Many missing: setuidgid, id, dumpifs…
Many interesting:
- confstr: current configuration including path, architecture and network info
- dmc: digital media controller
- fsmon: file system monitor
- jsc: JavaScript engine for the Webkit used on the device
- ldo-msm: LDO driver
- mkdosfs: format a DOS filesystem (FAT-12/16/32)
- mkqnx6fs: format a filesystem (for QNX6; however, it is present in Blackberry OS)
- and also tools such as mount, on, nfcservice, nvs_write_bin and displayctl.
The Approaches
3.1. System utilities. BOFs
Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHAL-r086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11 ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c. ref=00000028
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff
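An added example (not from the slides): a parser for the QNX termination records quoted on this slide and on the fuzzing slide before it, so a batch of crashes can be bucketed by module and by what the faulting instruction touched instead of being read one by one. SAMPLE_LOG holds the five records from the deck with their wrapped lines rejoined; the reading of ip, mapaddr and ref as instruction address, in-module offset and referenced data address is an assumption, and the classify() thresholds are a triage heuristic of mine, not something the slides state.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not from the slides: parse QNX "terminated SIGSEGV" records so
# crashes collected during a fuzzing run (or pulled from a device log) can be
# grouped by module and faulting address automatically.
#
# Field meaning is an assumption (the deck does not define it):
#   ip      = faulting instruction address, with the module@symbol+offset it resolved to
#   mapaddr = the same address as an offset inside the mapped module (optional)
#   ref     = the data address the faulting instruction tried to touch

RECORD = re.compile(
    r"Process (?P<pid>\d+) \((?P<name>[^)]+)\) terminated (?P<signal>\w+) "
    r"code=(?P<code>\d+) fltno=(?P<fltno>\d+) "
    r"ip=(?P<ip>[0-9a-f]+)\((?P<module>[^@]+)@(?P<symbol>[^+]+)\+0x(?P<offset>[0-9a-f]+)\)"
    r"(?: mapaddr=(?P<mapaddr>[0-9a-f]+)\.)? ref=(?P<ref>[0-9a-f]+)"
)

# The five records from the slides. The charge_monitor one is left wrapped on
# purpose, the way extraction and slog viewers often leave it, to show the
# parser copes with that.
SAMPLE_LOG = """\
Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11 ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000
Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHAL-r086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11
ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c.
ref=00000028
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff
"""


@dataclass
class Crash:
    pid: int
    name: str
    signal: str
    code: int
    fltno: int
    ip: int
    module: str
    symbol: str
    offset: int
    mapaddr: Optional[int]
    ref: int

    @property
    def load_base(self) -> Optional[int]:
        """Where the module was mapped (ip minus its in-module offset), if known."""
        return None if self.mapaddr is None else self.ip - self.mapaddr

    @property
    def in_shared_lib(self) -> bool:
        return ".so" in self.module.rsplit("/", 1)[-1]

    def classify(self) -> str:
        """Coarse triage of the referenced address (heuristic thresholds)."""
        if self.ref == 0:
            return "null-deref"
        if self.ref < 0x1000:
            return "near-null"      # field access through a NULL struct pointer
        if self.ref == 0xFFFFFFFF:
            return "minus-one"      # unchecked error return used as an address
        return "wild-pointer"


def parse_records(text: str) -> List[Crash]:
    crashes: List[Crash] = []
    # A record may be wrapped across lines; split only where a new record starts,
    # then collapse whatever whitespace is left inside each record.
    for chunk in re.split(r"\n(?=Process \d+ \()", text.strip()):
        m = RECORD.search(" ".join(chunk.split()))
        if not m:
            continue
        g = m.groupdict()
        crashes.append(Crash(
            pid=int(g["pid"]), name=g["name"], signal=g["signal"],
            code=int(g["code"]), fltno=int(g["fltno"]), ip=int(g["ip"], 16),
            module=g["module"], symbol=g["symbol"], offset=int(g["offset"], 16),
            mapaddr=None if g["mapaddr"] is None else int(g["mapaddr"], 16),
            ref=int(g["ref"], 16),
        ))
    return crashes


def crashes_by_module(crashes: List[Crash]) -> Dict[str, int]:
    """How many of the records fault inside each module."""
    counts: Dict[str, int] = {}
    for c in crashes:
        counts[c.module] = counts.get(c.module, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_records(SAMPLE_LOG)
    for c in parsed:
        lib = c.module.rsplit("/", 1)[-1]
        print(f"{c.name:15} {lib}@{c.symbol}+0x{c.offset:x}  ref=0x{c.ref:08x}  {c.classify()}")
    print(crashes_by_module(parsed))
```

Two of the five records fault inside ldqnx.so.2 rather than in the utility itself, which is why the by-module count matters for triage: a fault in the shared runtime usually means the caller handed it a bad argument, and the symbol+offset is the place to start looking, not the utility's main().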
The Approaches
3.2. System utilities. Vulnerable syscalls. displayctl.
[screenshot in the original slide]
The Approaches
3.2. System utilities. Vulnerable syscalls. nvs_write_bin.
Nonvolatile (sometimes written as "non-volatile") storage (NVS), also known as nonvolatile memory or nonvolatile random access memory (NVRAM), is a form of static random access memory whose contents are saved when a computer is turned off or loses its external power source. NVS is implemented by providing static RAM with backup battery power or by saving its contents to, and restoring them from, an electrically erasable programmable ROM (EEPROM).
Firmware from the inside
Firmware update? Yes, please!
MFCQ → QNX image
Firmware from the inside
Tools to deal with:
- qfcm_parser.py → partitions!
- chkqnx6fs → info about the images
- dumpifs → IFS dump
https://github.com/intrepidusgroup/pbtools
Firmware from the inside
Pearls inside:
ALL the scripts and configs can be read now!
- .script (starting up)
- ifs_variables.sh (sysvars)
- os_device_image_check
- Microkernel itself
Firmware from the inside
Pearls inside:
Protected tools can be launched now!
Bootrom Version: 0x0523001D (5.35.0.29)
DeviceString: RIM BlackBerry Device
BuildUserName: ec_agent
BuildDate: Nov 3 2012
…
IsInsecureDevice: false
HWVersionOffset: 0x000000D4
NumberHWVEntries: 0x00000014
MemCfgTableOffset: 0x000000FC
MemCfgTableSize: 0x00000100
Drivers: 0x00000010 [ MMC ]
LDRBlockAddr: 0x2E02FE00
BootromSize: 0x00080000
BRPersistAddr: 0x2E0AFC00
persist-tool: insecure syscalls can be reproduced (read/dump data)
Firmware from the inside
Pearls inside:
Funny comments (code reviewers will like it)
function setScreenScaling (width, height) { ...
//ZOOM TO POINT IS FULL OF BUGS - Docs state that coordinates should only ever be in center of screen
// TODO: Once the QML bug about not being to access the page values that are provided as a parameter to this slot is fixed ...
// The zipfile.ZipFile.write() method has a bug where it raises struct.error: ushort format requires 0 <= number <= USHRT_MAX
// Too many bytes for PNG signature. Potential overflow in png_zalloc()
… and more
Firmware from the inside
Pearls inside:
Facebook: too much ;)
- IDs
- Emails
- Mobile phones
- Secrets
- Passwords
Plaintext!
Playing with the browser
- Webkit rendering engine
- Vulnerabilities are just the same (i.e. as for Google Chrome)
Playing with the browser
Local file access from the browser
HTML page as an email attachment → file:// → nuts
Currently the vulnerability is removed
Security on the Application Level
BlackBerry Z10 – Vulnerability in BlackBerry Protect
Limited: by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and physical access to the device
Affected Software
- BlackBerry 10 OS version 10.0.10.261 and earlier, except version 10.0.9.2743
- BlackBerry Z10 smartphone only
Currently the vulnerability is removed
Security on the Application Level
Special artifacts ".all" as a kind of logs
- PATH: /pps/system/<name>/.all
- Browsers: history
- Networking: ID, flags, MACs
- Device IDs: Hardware, PIN, Name, Serials, etc.
- Video Chats: params, call details
- BlackBerry Bridge
  - SapphireProxy
  - Status, name, address, auth token, key
  - Autostart param
  - Routes: BB, BIS, BER: 127.0.0.2:188/189/187
- Results: access to internal network, internal storage, media files, the rest (contacts, cal, etc.) in case of a non-QNX device
Currently there are no details on whether it is solved
Author's opinion: can't be solved or cracked in similar ways
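An added example, not from the slides: reading a PPS .all file of the kind listed above and flagging string attributes whose names look like credentials, so an assessor can inventory what a device keeps in plaintext before deciding what to report. The PPS line format it assumes (@object headers, attr:encoding:value lines, a leading - for deletions) and every object name, attribute name and value in SAMPLE_ALL are assumptions or constructed for the demo; the slides name the artifacts but not their layout.

```python
import json
import re
from typing import Any, Dict, List, Tuple

# Added example, not from the slides. Format assumptions (QNX PPS as this
# example understands it; the deck does not spell it out):
#   "@object"              starts a new object
#   "attr:encoding:value"  one attribute; encoding "" = string, "n" = number,
#                          "b" = boolean, "json" = JSON document
#   "-attr"                the attribute was deleted
# The object and attribute names in SAMPLE_ALL are invented for the demo; the
# token and key values are constructed placeholders, not real material.

SAMPLE_ALL = """\
@bridge
status::connected
name::Work PlayBook
address::127.0.0.2:189
auth_token::d34dbeef-constructed-sample
key::0011223344556677
autostart:b:true
port:n:189
@browser
last_visit:json:{"url":"https://example.test/","ts":1372550400}
-stale_attr
"""

# Attribute names that usually hold something a user would not want on disk in
# the clear. Name-based, so it finds candidates to review, not proof.
SENSITIVE = re.compile(r"token|secret|passw|pwd|\bkey\b", re.IGNORECASE)


def _decode(encoding: str, raw: str) -> Any:
    if encoding == "":
        return raw
    if encoding == "n":
        return float(raw) if "." in raw else int(raw)
    if encoding == "b":
        return raw == "true"
    if encoding == "json":
        return json.loads(raw)
    return raw  # unknown encoding: keep the text so nothing is silently lost


def parse_pps_all(text: str) -> Dict[str, Dict[str, Any]]:
    """Return {object_name: {attribute: decoded_value}} for one .all file."""
    objects: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("@"):
            current = line[1:]
            objects.setdefault(current, {})
        elif current is None:
            continue  # attribute before any object header: nothing to attach it to
        elif line.startswith("-"):
            objects[current].pop(line[1:], None)  # deletion record
        else:
            parts = line.split(":", 2)  # value may itself contain ':' (host:port)
            if len(parts) != 3:
                continue  # malformed line; skip rather than abort the whole file
            name, encoding, raw = parts
            objects[current][name] = _decode(encoding, raw)
    return objects


def find_sensitive(objects: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """(object, attribute) pairs whose name looks like a credential and whose
    value is a non-empty string, i.e. stored in the clear."""
    hits: List[Tuple[str, str]] = []
    for obj, attrs in objects.items():
        for attr, value in attrs.items():
            if isinstance(value, str) and value and SENSITIVE.search(attr):
                hits.append((obj, attr))
    return hits


if __name__ == "__main__":
    parsed = parse_pps_all(SAMPLE_ALL)
    for obj, attrs in parsed.items():
        print(f"@{obj}: {sorted(attrs)}")
    for obj, attr in find_sensitive(parsed):
        print(f"plaintext credential candidate: @{obj} {attr}")
```

On a real device the input would be the text of /pps/system/<name>/.all read over the shell described earlier; the scan reports attribute names only, so the inventory can be shared without copying the secrets themselves into a report.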
Funny with APIs
- Useful ideas that don't make enough sense
  - Merging permissions into one group
  - No way to emulate hardware inputs, but the results of pressing are strongly restricted where they exist
- Sandbox
  - Malware is a personal application subtype in terms of BlackBerry's security
  - Sandbox protects only app data, while user data is stored in shared folders
Funny with APIs
- Activity not controlled by any permission
- Access to data passed through the clipboard
- Access to 'Accounts' leads to 'read' access to contacts, messages, notebooks, calendar by default
- MediaPlayer is a great way to access the FS
- Access to the file system in many ways, in most cases by managing the device's resources:
  - Camera activity
  - Contact photos
  - Calendar event attachments
  - Message attachments (Email, BBM)
  - Saving records (camera photos, video, audio)
MDM capabilities
                          BlackBerry Old    iOS    BlackBerry QNX    Android
Quantity of groups              55           16           7              4
Average perm per group          20            5           7              4
Efficiency                   80.00        38.46       31.82          10.26
Total permissions             1100           80          49             16
[bar chart "BlackBerry MDM" in the original slide plots the same four rows]
Efficiency of security features
- Activity
  - Common Min/Average/Max quantity :: 2 / 8 / 34
  - Additional Min/Average/Max quantity :: 0 / 2 / 7
  - Derived Min/Average/Max quantity :: 3 / 31 / 116
- Permission
  - Common Min/Average/Max quantity :: 0 / 1 / 3
  - Additional Min/Average/Max quantity :: 1 / 0 / 1
  - Derived Min/Average/Max quantity :: 4 / 4 / 8
- APIs
  - Common / Significant quantity :: 100 / 61
  - The most security unit is LED activity
Efficiency of security features
[chart in the original slide: "Ratio of common activities to permissions"; series: Q. of m.+a. activity, Q. of m.+a. permission]
Efficiency of security features
[chart in the original slide: "Ratio of derived activities to permissions"; series: Q. of derived activities, Q. of derived perm]
Efficiency of security features
[chart in the original slide: "% m+a activity vs perm" and "% m+a derived activity vs perm"]
Future research
- Image parser fuzzing
- Jailbreak
- IOCTL / syscalls further research
- Play more with SSH
- Blackberry Balance is not available yet
- Permission collision
- Overpermissioning by system applications and services
- Bypassing MDM features via both of the previous
Full articles
… are available here (no SMS to send is required! Free for a very limited time!)
http://goo.gl/dP9iR (Blackberry Z10 research)
http://goo.gl/PpXxg (Blackberry and more)

More Related Content

Similar to 2.1. Dissecting blackberry

Android e mobile security - Falcomatà
Android e mobile security - FalcomatàAndroid e mobile security - Falcomatà
Android e mobile security - FalcomatàCodemotion
 
Armo webinar rethinking your cloud security in the shadow of the solar winds ...
Armo webinar rethinking your cloud security in the shadow of the solar winds ...Armo webinar rethinking your cloud security in the shadow of the solar winds ...
Armo webinar rethinking your cloud security in the shadow of the solar winds ...LibbySchulze
 
Implementation of Cmos Camera Device Driver and Wifi Technology on S3c2440 Us...
Implementation of Cmos Camera Device Driver and Wifi Technology on S3c2440 Us...Implementation of Cmos Camera Device Driver and Wifi Technology on S3c2440 Us...
Implementation of Cmos Camera Device Driver and Wifi Technology on S3c2440 Us...IOSR Journals
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAli Habeeb
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...Nicolas Collery
 
Blackberry_runtime_for_android_apps
Blackberry_runtime_for_android_appsBlackberry_runtime_for_android_apps
Blackberry_runtime_for_android_appsDroidcon Berlin
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesÖmer Coşkun
 
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...PROIDEA
 
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)Security Bootcamp
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 

Similar to 2.1. Dissecting blackberry (20)

Android e mobile security - Falcomatà
Android e mobile security - FalcomatàAndroid e mobile security - Falcomatà
Android e mobile security - Falcomatà
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
BO2K Byline
BO2K BylineBO2K Byline
BO2K Byline
 
News bytes Sept-2011
News bytes Sept-2011News bytes Sept-2011
News bytes Sept-2011
 
Armo webinar rethinking your cloud security in the shadow of the solar winds ...
Armo webinar rethinking your cloud security in the shadow of the solar winds ...Armo webinar rethinking your cloud security in the shadow of the solar winds ...
Armo webinar rethinking your cloud security in the shadow of the solar winds ...
 
Implementation of Cmos Camera Device Driver and Wifi Technology on S3c2440 Us...
Implementation of Cmos Camera Device Driver and Wifi Technology on S3c2440 Us...Implementation of Cmos Camera Device Driver and Wifi Technology on S3c2440 Us...
Implementation of Cmos Camera Device Driver and Wifi Technology on S3c2440 Us...
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn Việt
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
Black berry
Black berryBlack berry
Black berry
 
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
 
Blackberry_runtime_for_android_apps
Blackberry_runtime_for_android_appsBlackberry_runtime_for_android_apps
Blackberry_runtime_for_android_apps
 
Mobile security
Mobile securityMobile security
Mobile security
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic Techniques
 
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
 
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 

More from defconmoscow

7.5. Pwnie express IRL
7.5. Pwnie express IRL7.5. Pwnie express IRL
7.5. Pwnie express IRLdefconmoscow
 
7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]defconmoscow
 
7.3. iCloud keychain-2
7.3. iCloud keychain-27.3. iCloud keychain-2
7.3. iCloud keychain-2defconmoscow
 
7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hacking7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hackingdefconmoscow
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenmentdefconmoscow
 
6.4. PHD IV CTF final
6.4. PHD IV CTF final6.4. PHD IV CTF final
6.4. PHD IV CTF finaldefconmoscow
 
6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jaildefconmoscow
 
6.2. Hacking most popular websites
6.2. Hacking most popular websites6.2. Hacking most popular websites
6.2. Hacking most popular websitesdefconmoscow
 
6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protectiondefconmoscow
 
6. [Bonus] DCM MI6
6. [Bonus] DCM MI66. [Bonus] DCM MI6
6. [Bonus] DCM MI6defconmoscow
 
5.3. Undercover communications
5.3. Undercover communications5.3. Undercover communications
5.3. Undercover communicationsdefconmoscow
 
5.2. Digital forensics
5.2. Digital forensics5.2. Digital forensics
5.2. Digital forensicsdefconmoscow
 
5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]defconmoscow
 
5. [Daily hack] Truecrypt
5. [Daily hack] Truecrypt5. [Daily hack] Truecrypt
5. [Daily hack] Truecryptdefconmoscow
 
4.5. Contests [extras]
4.5. Contests [extras]4.5. Contests [extras]
4.5. Contests [extras]defconmoscow
 
4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardwaredefconmoscow
 
4.3. Rat races conditions
4.3. Rat races conditions4.3. Rat races conditions
4.3. Rat races conditionsdefconmoscow
 
4.2. Web analyst fiddler
4.2. Web analyst fiddler4.2. Web analyst fiddler
4.2. Web analyst fiddlerdefconmoscow
 
4.1. Path traversal post_exploitation
4.1. Path traversal post_exploitation4.1. Path traversal post_exploitation
4.1. Path traversal post_exploitationdefconmoscow
 
3.3. Database honeypot
3.3. Database honeypot3.3. Database honeypot
3.3. Database honeypotdefconmoscow
 

More from defconmoscow (20)

7.5. Pwnie express IRL
7.5. Pwnie express IRL7.5. Pwnie express IRL
7.5. Pwnie express IRL
 
7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]
 
7.3. iCloud keychain-2
7.3. iCloud keychain-27.3. iCloud keychain-2
7.3. iCloud keychain-2
 
7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hacking7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hacking
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenment
 
6.4. PHD IV CTF final
6.4. PHD IV CTF final6.4. PHD IV CTF final
6.4. PHD IV CTF final
 
6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail
 
6.2. Hacking most popular websites
6.2. Hacking most popular websites6.2. Hacking most popular websites
6.2. Hacking most popular websites
 
6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection
 
6. [Bonus] DCM MI6
6. [Bonus] DCM MI66. [Bonus] DCM MI6
6. [Bonus] DCM MI6
 
5.3. Undercover communications
5.3. Undercover communications5.3. Undercover communications
5.3. Undercover communications
 
5.2. Digital forensics
5.2. Digital forensics5.2. Digital forensics
5.2. Digital forensics
 
5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]
 
5. [Daily hack] Truecrypt
5. [Daily hack] Truecrypt5. [Daily hack] Truecrypt
5. [Daily hack] Truecrypt
 
4.5. Contests [extras]
4.5. Contests [extras]4.5. Contests [extras]
4.5. Contests [extras]
 
4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware
 
4.3. Rat races conditions
4.3. Rat races conditions4.3. Rat races conditions
4.3. Rat races conditions
 
4.2. Web analyst fiddler
4.2. Web analyst fiddler4.2. Web analyst fiddler
4.2. Web analyst fiddler
 
4.1. Path traversal post_exploitation
4.1. Path traversal post_exploitation4.1. Path traversal post_exploitation
4.1. Path traversal post_exploitation
 
3.3. Database honeypot
3.3. Database honeypot3.3. Database honeypot
3.3. Database honeypot
 

Recently uploaded

20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsMonica Sydney
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Balliameghakumariji156
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理F
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsPriya Reddy
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 

Recently uploaded (20)

20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room

2.1. Dissecting blackberry

  • 1. Dissecting Blackberry Z10: 2-in-1. By Alexander Antukh & Yury Chemerkin, Jun 30, 2013
  • 2. /whoami Alexander Antukh
      - Security Consultant
      - Offensive Security Certified Expert
      - Interests: kittens and stuff
  • 3. /whoami Yury Chemerkin
      - Experienced in: Mobile Security and MDM; Cyber Security & Cloud Security; Compliance & Transparency; and Security Writing
  • 4. Agenda: Blackberry OS review; Shell Access; The Approaches; Firmware from the inside; Playing with the browser; Security on the application level; Funny with APIs; MDM capabilities; Efficiency of security features; Future research
  • 5. Blackberry OS review. Built on QNX!
      - Tiny
      - Micro-kernel architecture
      - Virtual memory allocated for each process
      - POSIX-compliant
      QNX = MK + PM + processes (microkernel + process manager + processes)
  • 6. Blackberry OS review. This is what the system looks like: (diagram)
  • 7. Blackberry OS review. This is what the microkernel looks like: (diagram)
  • 8. Agenda (repeated)
  • 9. Shell Access. Extremely easy!
      - development mode -> on
      - generate a 4096-bit RSA key (ssh-keygen/putty)
      - blackberry-connect <t> -password <p> -sshPublicKey <k>
      - ssh 169.254.0.1 -> nuts
      Even easier: Dingleberry -> nuts
      /accounts/devuser/
  • 10. Agenda (repeated)
  • 11. The Approaches. 1. General permissions
      - SUID/SGID: -rwxrwsrwx 1 root root
      - Writable files and folders
      "find all suid files" => find / -type f -perm -04000 -ls
      "find all sgid files" => find / -type f -perm -02000 -ls
      "find config* files" => find / -type f -name "config*"
      "find all writable folders and files" => find / -perm -2 -ls
      "find all writable folders and files in current dir" => find . -perm -2 -ls
  • 12. The Approaches. 2. Fuzzers
      - IOCTL fuzzing: no params; overlong strings; pre-determined DWORDs
      Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11 ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000
      - Binary bit-/byteflipping (EDB-ID #7823)
  • 13. The Approaches. 3.1. System utilities. BOFs
      Many missing: setuidgid, id, dumpifs...
      Many interesting:
      - confstr: current configuration including path, architecture and network info
      - dmc: digital media controller
      - fsmon: file system monitor
      - jsc: JavaScript engine for WebKit used on the device
      - ldo-msm: LDO driver
      - mkdosfs: format a DOS filesystem (FAT-12/16/32)
      - mkqnx6fs: format a filesystem (a QNX6 tool, yet present in Blackberry OS)
      - and also tools such as mount, on, nfcservice, nvs_write_bin and displayctl
  • 14. The Approaches. 3.1. System utilities. BOFs
      Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHAL-r086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
      Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
      Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11 ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c. ref=00000028
      Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff
  • 15. The Approaches. 3.2. System utilities. Vulnerable syscalls: displayctl
  • 16. The Approaches. 3.2. System utilities. Vulnerable syscalls: nvs_write_bin
      Nonvolatile (sometimes written as "non-volatile") storage (NVS), also known as nonvolatile memory or nonvolatile random access memory (NVRAM), is a form of static random access memory whose contents are saved when a computer is turned off or loses its external power source. NVS is implemented by providing static RAM with backup battery power or by saving its contents to, and restoring them from, an electrically erasable programmable ROM (EEPROM).
  • 17. Agenda (repeated)
  • 18. Firmware from the inside. Firmware update? Yes, please! MFCQ -> QNX image
  • 19. Firmware from the inside. Tools to deal with:
      - qfcm_parser.py -> partitions!
      - chkqnx6fs -> info about the images
      - dumpifs -> IFS dump
      https://github.com/intrepidusgroup/pbtools
  • 20. Firmware from the inside. Pearls inside: ALL the scripts and configs can be read now!
      - .script (starting up)
      - ifs_variables.sh (sysvars)
      - os_device_image_check
      - Microkernel itself
  • 21. Firmware from the inside. Pearls inside: Protected tools can be launched now!
      Bootrom Version: 0x0523001D (5.35.0.29)
      DeviceString: RIM BlackBerry Device
      BuildUserName: ec_agent
      BuildDate: Nov 3 2012
      ...
      IsInsecureDevice: false
      HWVersionOffset: 0x000000D4
      NumberHWVEntries: 0x00000014
      MemCfgTableOffset: 0x000000FC
      MemCfgTableSize: 0x00000100
      Drivers: 0x00000010 [ MMC ]
      LDRBlockAddr: 0x2E02FE00
      BootromSize: 0x00080000
      BRPersistAddr: 0x2E0AFC00
      persist-tool: insecure syscalls can be reproduced (read/dump data)
  • 22. Firmware from the inside. Pearls inside: Funny comments (code reviewers will like them)
      function setScreenScaling (width, height) { ... //ZOOM TO POINT IS FULL OF BUGS - Docs state that coordinates should only ever be in center of screen
      // TODO: Once the QML bug about not being to access the page values that are provided as a parameter to this slot is fixed ...
      // The zipfile.ZipFile.write() method has a bug where it raises struct.error: ushort format requires 0 <= number <= USHRT_MAX
      // Too many bytes for PNG signature. Potential overflow in png_zalloc()
      ... and more
  • 23. Firmware from the inside. Pearls inside: Facebook – too much ;)
      - IDs
      - Emails
      - Mobile phones
      - Secrets
      - Passwords
      Plaintext!
  • 24. Agenda (repeated)
  • 25. Playing with the browser
      - WebKit rendering engine
      - Vulnerabilities are just the same (i.e. as for Google Chrome)
  • 26. Playing with the browser. Local file access from the browser: HTML page as an email attachment -> file:// -> nuts. The vulnerability has since been removed.
  • 27. Agenda (repeated)
  • 28. Security on the Application Level. BlackBerry Z10 – Vulnerability in BlackBerry Protect
      Limited: by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and physical access to the device
      Affected Software:
      - BlackBerry 10 OS version 10.0.10.261 and earlier, except version 10.0.9.2743
      - BlackBerry Z10 smartphone only
      The vulnerability has since been removed.
  • 29. Security on the Application Level. Special artifacts: ".all" as a kind of log
      - PATH: /pps/system/<name>/.all
      - Browsers: history
      - Networking: ID, flags, MACs
      - Device IDs: Hardware, PIN, Name, Serials, etc.
      - Video Chats: params, call details
      - BlackBerry Bridge / SapphireProxy: status, name, address, auth token, key; autostart param; routes: BB, BIS, BER: 127.0.0.2:188/189/187
      - Results: access to the internal network, internal storage, media files and the rest (contacts, calendar, etc.) in the case of a non-QNX device
      Currently there are no details on whether it is solved. Author's opinion: can't be solved, or can be cracked in similar ways
  • 30. Agenda (repeated)
  • 31. Funny with APIs
      - Useful ideas that do not make enough sense
      - Merging permissions into one group
      - No way to emulate hardware inputs, and the results of pressing them are strongly restricted where they exist
      - Sandbox: malware is a personal application subtype in terms of Blackberry's security
      - Sandbox protects only app data, while user data is stored in shared folders
  • 32. Funny with APIs
      - Non-controlled activity by any permission
      - Access to data passed through the clipboard
      - Access to 'Accounts' leads to 'read' access to contacts, messages, notebooks and calendar by default
      - MediaPlayer is a great way to access the FS
      - Access to the file system in many ways and, in most cases, to managing the device's resources: camera activity, contact photos, calendar event attachments, message attachments (Email, BBM), saving records (camera photos, video, audio)
  • 33. Agenda (repeated)
  • 34. Agenda (MDM capabilities; chart title: BlackBerry MDM)
                                BlackBerry Old    iOS   BlackBerry QNX   Android
      Quantity of groups                   55      16                7         4
      Average perm. per group              20       5                7         4
      Efficiency                        80.00   38.46            31.82     10.26
      Total permissions                  1100      80               49        16
  • 35. Agenda (repeated)
  • 36. Efficiency of security features
      - Activity: Common Min/Average/Max quantity :: 2 / 8 / 34; Additional Min/Average/Max quantity :: 0 / 2 / 7; Derived Min/Average/Max quantity :: 3 / 31 / 116
      - Permission: Common Min/Average/Max quantity :: 0 / 1 / 3; Additional Min/Average/Max quantity :: 1 / 0 / 1; Derived Min/Average/Max quantity :: 4 / 4 / 8
      - APIs: Common / Significant quantity :: 100 / 61
      - The most secure unit is the LED activity
  • 37. Efficiency of security features (chart) Ratio of common activities to permissions: Q. of m.+a. activity vs Q. of m.+a. permission
  • 38. Efficiency of security features (chart) Ratio of derived activities to permissions: Q. of derived activities vs Q. of derived perm
  • 39. Efficiency of security features (chart) % m+a activity vs perm; % m+a derived activity vs perm
  • 40. Agenda (repeated)
  • 41. Future research
      - Image parser fuzzing
      - Jailbreak
      - IOCTL / syscalls further research
      - Play more with SSH
      - Blackberry Balance is not available yet
      - Permission collision
      - Overpermissioning by system applications and services
      - Bypassing MDM features by both of the previous
  • 42. Full articles ... are available here (no SMS to send is required! Free for a very limited time!)
      http://goo.gl/dP9iR (Blackberry Z10 research)
      http://goo.gl/PpXxg (Blackberry and more)
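Two of the shell artefacts the deck relies on, the `find ... -perm ... -ls` sweep on slide 11 and the QNX `Process ... terminated SIGSEGV` lines on slides 12 and 14, are easier to triage with a small script. The Python module below is an added example written for this page; it is not code from the deck, from BlackBerry or from QNX. It classifies `find -ls` permission strings by risk (a world-writable setgid root file like the slide's `-rwxrwsrwx 1 root root` is the worst case, since any local process can rewrite a privileged binary), and it parses the crash lines into module, symbol, offset and a rough bucket for the faulting address, which is the first thing to check when deciding whether a crash is a plain NULL dereference or something more interesting. The `find -ls` sample lines and their paths are constructed for the example; the crash lines are the ones quoted on the slides.

```python
"""Triage helpers for two artefacts a developer-mode shell on a QNX-based
BlackBerry 10 device yields (added example; not code from the deck, from
BlackBerry or from QNX). The find -ls sample is constructed and its paths are
hypothetical; the crash lines are the ones quoted on the slides."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ModeFinding:
    path: str
    owner: str
    setuid: bool
    setgid: bool
    world_writable: bool
    risk: str  # "high", "medium" or "low"


def classify_mode(mode: str, owner: str, path: str) -> ModeFinding:
    """Classify a ten-character ls / find -ls mode string such as '-rwxrwsrwx'."""
    if len(mode) != 10:
        raise ValueError(f"unexpected mode string {mode!r}")
    setuid = mode[3] in "sS"           # s/S in the owner-execute slot
    setgid = mode[6] in "sS"           # s/S in the group-execute slot
    world_writable = mode[8] == "w"    # w in the other-write slot
    sticky_dir = mode[0] == "d" and mode[9] in "tT"
    if (setuid or setgid) and world_writable:
        risk = "high"      # anyone can rewrite a privileged binary (slide's -rwxrwsrwx root case)
    elif setuid or setgid:
        risk = "medium"    # privileged, so worth auditing for overflows
    elif world_writable and not sticky_dir:
        risk = "medium"    # world-writable outside a /tmp-style sticky directory
    else:
        risk = "low"
    return ModeFinding(path, owner, setuid, setgid, world_writable, risk)


def audit_find_ls(text: str) -> List[ModeFinding]:
    """Parse `find ... -ls` lines: inode blocks mode links owner group size mon day time path."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11:
            continue               # blank or truncated line
        mode, owner, path = parts[2], parts[4], parts[10]
        findings.append(classify_mode(mode, owner, path))
    return findings


# QNX crash line: "Process <pid> (<name>) terminated SIGSEGV code=.. fltno=.. ip=<addr>(<module>@<sym>+0x<off>) [mapaddr=<addr>.] ref=<addr>"
CRASH_RE = re.compile(
    r"Process (?P<pid>\d+) \((?P<name>[^)]+)\) terminated (?P<signal>SIG\w+) "
    r"code=\d+ fltno=\d+ ip=(?P<ip>[0-9a-f]+)"
    r"(?:\((?P<module>[^@)]+)@(?P<symbol>[^+)]+)\+0x(?P<offset>[0-9a-f]+)\))?"
    r"(?: mapaddr=[0-9a-f]+\.)? ref=(?P<ref>[0-9a-f]+)"
)


@dataclass
class Crash:
    pid: int
    name: str
    signal: str
    module: Optional[str]
    symbol: Optional[str]
    offset: Optional[int]
    ref: int            # faulting address reported by the kernel
    fault_class: str


def fault_class(ref: int) -> str:
    """Rough bucket for the faulting address so NULL dereferences can be set aside quickly."""
    if ref == 0:
        return "null-deref"
    if ref == 0xFFFFFFFF:
        return "invalid(-1)"    # an error return (-1) used as a pointer
    if ref < 0x1000:
        return "near-null"      # field access through a NULL struct pointer
    return "other"


def parse_crash_line(line: str) -> Optional[Crash]:
    m = CRASH_RE.search(line)
    if not m:
        return None
    ref = int(m["ref"], 16)
    return Crash(pid=int(m["pid"]), name=m["name"], signal=m["signal"],
                 module=m["module"], symbol=m["symbol"],
                 offset=int(m["offset"], 16) if m["offset"] else None,
                 ref=ref, fault_class=fault_class(ref))


def summarise_crashes(text: str) -> dict:
    """Map crashing process name -> 'symbol+0xoffset [fault class]' for every parsed line."""
    summary = {}
    for line in text.splitlines():
        crash = parse_crash_line(line)
        if crash is None:
            continue
        where = f"{crash.symbol}+0x{crash.offset:x}" if crash.symbol else (crash.module or "?")
        summary[crash.name] = f"{where} [{crash.fault_class}]"
    return summary


# Constructed find -ls output (hypothetical paths), one line per permission case.
SAMPLE_FIND_LS = """\
 1234    8 -rwxrwsrwx   1 root  root   6144 Nov  3  2012 /base/usr/bin/demo_tool
 2345   16 -rwsr-xr-x   1 root  root  12288 Nov  3  2012 /base/usr/bin/demo_suid
 3456    4 drwxrwxrwt   2 root  root   4096 Nov  3  2012 /tmp
 4567    4 -rw-rw-rw-   1 root  root    200 Nov  3  2012 /var/etc/demo.conf
"""

# Crash lines as quoted on the slides.
SAMPLE_CRASHES = """\
Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHAL-r086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff
"""

if __name__ == "__main__":
    for f in audit_find_ls(SAMPLE_FIND_LS):
        print(f"{f.risk:6} {f.path} suid={f.setuid} sgid={f.setgid} world_writable={f.world_writable}")
    for name, where in summarise_crashes(SAMPLE_CRASHES).items():
        print(f"{name}: {where}")
```

Run against a real sweep, `audit_find_ls` takes the raw output of the slide's `find / -perm -2 -ls` (or the SUID/SGID variants) and the "high" bucket is the list to fix first; `summarise_crashes` is fed whatever the device logs the `Process ... terminated` lines to, and crashes classed as `other` (a faulting address that is neither NULL-ish nor -1) are the ones that warrant a closer look before any of the NULL dereferences.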