No Apology Required
Deconstructing BB10
CanSecWest 2014
Introduction
• Presentation is exploratory
• Research is on-going
• Focused mostly on
methodology, less on
findings
• Feel free to chat after
(since we may run out of
time)
• Title is because
stereotypical Canadians
apologize for everything
Introduction
Ben Nell

bNull

Sr. Security Consultant

Accuvant Labs
Zach Lanier

quine

Sr. Security Researcher

Duo Security
Presentation foul:

<--- mixing memes --->
Why this matters
You’re an appsec consultant and your
customer asks you if BlackBerry Balance
solves BYOD
Agenda
• Previous Research
• Platform Overview
• Methodology
• Attack Surface
• Future Work
Previous Research
Our PlayBook stuff
• Targeted predecessor of BB10
— TabletOS on BB PlayBook
• Discovered AuthZ token
disclosure for Bridge/Balance
(steal all the corporate data)
• RE’d firmware
• Mirrored all of AppWorld (steal
all the premium apps)
• And more...
Our PlayBook stuff (cont’d)
• Discovered that native apps
can exec*() / spawn*() and
open AF_INET sockets
unfettered (no perm’s req’d)
• Still true in BB10, but (even
detached) child procs killed
when app/parent ends
• “Headless Apps” allow for
background services, but
special perms required
• Granting of perms is
contingent upon approval
from RIM/BB signing
service
Others
• Julio Cesar Fort’s QNX
research
• SEC Consult BB10 paper
• RPW’s BB10 preso (BH
USA ’13)
• Tim Brown’s various
QNX/TabletOS/BB10
works
Platform Overview
Overview
• ARM-based SoCs (Z10, Q10, and Z30
all Snapdragon S4 SoC)
• BB10 (based on QNX Neutrino RTOS
8.0.0)
• Major components (as of 10.2.1.1925):
• WebKit (537.10 / 10.2.1.66)
• Adobe Flash (11.1.121.199)
• Adobe AIR (3.1.0.230)
• BlackBerry Balance (isolated,
corporate PIM)
QNX
• Microkernel, only truly trusted
component
• Userspace kernel and
process manager - procnto
• Separation of network, I/O, HMI, etc. into
separate components
• Messaging layer provides
IPC (QNX message passing
+ POSIX IPC abstraction)
• Prev. public bugs disclosed
by Ilja van Sprundel, Tim
Brown, Julio Cesar Fort,
cenobite, and others
Security Controls / Mitigations
• OpenBSD NetBSD pf
• POSIX (filesystem) ACLs
• Compiler & linker protections for native
apps
• Usual suspects: XN, ASLR, ProPolice,
PIE + full RELRO
QDE/Momentics default build options
Security Features
• Blackberry Balance
• Encrypted, FACL’d “container”
• a.k.a. “perimeter”
• BES policy enforcements
• DISA STIGs guide these
authman & permissions
• authman service - maps app permissions
to system resources
• Filesystem permissions + POSIX ACLs, PF
rules
• Shell script and Python glue to bind it all
together
authman & permissions
• /dev/authman: resource manager “dispatch”
path (QNX IPC endpoint)
• /etc/authman: configs
• Pair of files (".res" & ".acl"), named for profile type
authman & permissions
• Controls access to
app permissions
(allow, prompt, deny)
• Sets FACLs on
filesystem objects
based on app
permission requested
• Also sets process
capabilities for certain
permission types (e.g.
“Headless apps”)
authman & pf
• authman handles
setting up (app)
GID:rule mapping
• Ex: limiting access
to SapphireProxy
(for BB Bridge) on
127.0.0.2
Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera record_audio access_shared access_internet post_notification gain_oma_fl_group access_oma_fl_write_personal access_oma_fl_write_enterprise access_bbjma_data access_carrier_browser access_cclagent_service use_certmgr_server access_wifi_limited run_native permanent access_perimeter_personal'
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow execute
Dec 06 01:53:04 5 41 0 authman: Applying execute
Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
Dec 06 01:53:04 5 41 0 authman: req:Allow record_audio
Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared
Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
Dec 06 01:53:04 5 41 0 authman: req:Allow gain_oma_fl_group
Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_personal
Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_enterprise
Dec 06 01:53:04 5 41 0 authman: req:Allow access_bbjma_data
Dec 06 01:53:04 5 41 0 authman: req:Allow access_carrier_browser
Dec 06 01:53:04 5 41 0 authman: req:Allow access_cclagent_service
Dec 06 01:53:04 5 41 0 authman: req:Allow use_certmgr_server
Dec 06 01:53:04 5 41 0 authman: req:Allow access_wifi_limited
Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
Dec 06 01:53:04 5 41 0 authman: req:Allow permanent
Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_cdma_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
Callouts on the log above: the “req:Allow …” lines are the “capabilities” granted based on permissions; the set_acl_group_perms lines are the ACLs set based on permissions; the pf_remove_gid line is the pf rule handling. Output from sloginfo (tool to print the system log).
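As an added example (not code from the talk or from BlackBerry), a small Python parser for authman's sloginfo output in the format shown above: it attributes each set_acl_group_perms grant to the permission being applied, decodes the group bits of the octal mode, and lists the PPS objects the app's GID was given write access to, which is what a reviewer auditing a permission set wants to see first. The embedded sample log is a constructed, trimmed excerpt of the record format above, and the field layout assumed for the RX line (app id is the last token before the quoted display name) is an assumption drawn from that one record.

```python
import re
from collections import OrderedDict

# Constructed sample input: a trimmed excerpt of the sloginfo authman output
# shown above (same record format, fewer permissions).
SAMPLE_LOG = """\
Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera'
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow execute
Dec 06 01:53:04 5 41 0 authman: Applying execute
Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
"""

RX_RE = re.compile(r"authman: RX euid=(\d+)/egid=(\d+), '(.*)'\s*$")
REQ_RE = re.compile(r"authman: req:(\w+) (\S+)")
APPLY_RE = re.compile(r"authman: Applying (\S+)")
ACL_RE = re.compile(r"authman: set_acl_group_perms: gid=(\d+), perms=(\d+), (\S+)")
PF_RE = re.compile(r"authman: pf_remove_gid: scanning anchors for gid=(\d+)")


def group_rights(perms_octal):
    """Render the group triplet of an octal mode such as '060' as 'rw-'."""
    bits = (int(perms_octal, 8) >> 3) & 0o7
    return "".join(ch if bits & mask else "-"
                   for ch, mask in (("r", 4), ("w", 2), ("x", 1)))


def parse_authman(log_text):
    """Reconstruct what one app registration granted, from authman's slog lines.

    Returns the app id, the euid authman saw, every GID mentioned, each
    requested permission with its decision, and, per applied permission,
    the objects that received a group ACL (path, octal mode, group rights).
    """
    summary = {"app": None, "euid": None, "gids": set(),
               "requested": OrderedDict(), "acls": OrderedDict()}
    current = None  # permission whose 'Applying' line was seen last
    for line in log_text.splitlines():
        m = RX_RE.search(line)
        if m:
            summary["euid"] = int(m.group(1))
            # Assumption: app id is the last token before the quoted display name.
            head = m.group(3).split('"', 1)[0].split()
            summary["app"] = head[-1]
            continue
        m = REQ_RE.search(line)
        if m:
            summary["requested"][m.group(2)] = m.group(1)  # e.g. 'Allow'
            continue
        m = APPLY_RE.search(line)
        if m:
            current = m.group(1)
            summary["acls"].setdefault(current, [])
            continue
        m = ACL_RE.search(line)
        if m:
            gid, perms, path = m.groups()
            summary["gids"].add(int(gid))
            summary["acls"].setdefault(current, []).append(
                (path, perms, group_rights(perms)))
            continue
        m = PF_RE.search(line)
        if m:
            summary["gids"].add(int(m.group(1)))
    return summary


def writable_objects(summary):
    """(permission, path) pairs where the app's group was given write access.

    A writable PPS 'control' object lets the app send commands to the owning
    service, so these grants deserve the closest look in a review.
    """
    return [(perm, path)
            for perm, grants in summary["acls"].items()
            for path, _perms, rights in grants if "w" in rights]


if __name__ == "__main__":
    s = parse_authman(SAMPLE_LOG)
    print(s["app"], "euid", s["euid"], "gids", sorted(s["gids"]))
    for perm, decision in s["requested"].items():
        print(f"  {decision:6} {perm}")
        for path, perms, rights in s["acls"].get(perm, []):
            print(f"         {rights} ({perms}) {path}")
    print("write grants:", writable_objects(s))
```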
PPS
• “Persistent Publish / Subscribe”
• Implemented by pps manager process
• Simple interface for sharing data,
notifications/eventing via filesystem objects
IPC
• IPC is key in QNX
• “Message passing” & signals implemented
in microkernel
• Other IPC (POSIX-compatible) mechanisms
implemented by manager processes
[Diagram: QNX IPC mechanisms. Implemented in the kernel: message passing (message copying, simple messages, channels), events (pulses, signals, unblocks), typed memory, signals. Implemented by an external process/manager: shared memory, pipes, FIFOs.]
Application Model
• Native (C/C++)
• WebWorks / Cordova (HTML/JS)
• Adobe AIR (Flash/AS/HTML/JS)
• Android (Java/DEX)
20 app perms documented 340 unique app & sys perms observed
Application Model
• App processes run with same UIDs, but separate
GIDs (incl. supplemental GIDs)
• Apps have separate data stores/”sandboxes”
• With Balance/corporate separation, additional data
stores
• Production apps are signed by BB/RIM signing server
Our Approach to the
Platform
meth·od·ol·o·gy
/ˌmeTHəˈdäləjē/
Testing Limitations
Testing Limitations
• General lack of enthusiasm for BB10 as a
target
• General lack of public information about
the system
• Effective security controls
• We’re left looking at a black box
OSINT
Just ask the internet!
OSINT
Existing previous work
• Our PlayBook work
• SEC Consult paper
• Works by RPW, Tim Brown,
Julio Cesar Fort, etc.
• Not a ton of stuff out there
https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf
OSINT
QNX Foundry
• Man pages for QNXisms
• Downloads
• Forums
• Wiki
• Google dorks are
golden…
OSINT
Speaking of Google dorks…
OSINT
Some random RIM employee’s file dump?
Upcoming product feature assessment
hardware
code names
Upcoming project effort estimations/ release dates
OSINT
Some random RIM employee’s file dump?
Internal bug tracker
internal URL
OSINT
Some random RIM employee’s file dump?
Pre-release BB10 developer image for
Winchester/PlayBook
Dynamic Analysis
Watch it work and try to understand “why”
Dynamic Analysis
RIM wants to get your hacking^Wdevelopment
projects up and running as quickly as possible!
Lots of SDK stuff, including a native SDK, giving us:
• libc, libcurl, OpenSSL, V8,
and tons more
• Easy cross-compilation
Dynamic Analysis
Development Tools Sample code
Dynamic Analysis
Momentics target navigator
Proc/thread mem info
FS nav, etc.
Controller app
Controls NFC, Camera,
geoloc, etc. for Simulator
Dynamic Analysis
• Momentics provides QNX-specific versions/
builds of the typical toolchain
• gdb
• also objdump, nm, readelf, gcc, etc.
Dynamic Analysis
Blackberry Simulator QNX Software Dev Platform (SDP)
• Gives us something similar
to the real thing
• We can have root access*
• Access to tools relevant to
the real thing
• MDS Simulator
• It’s like the non-official
“platform” debug tool
• A fully accessible QNX
environment
* - with a bit of work
Dynamic Analysis
Just another box on the network
• Testing harness
• Wireshark
• Proxy (Burp and
friends)
• nmap
• Various fuzzers
• Custom stuff
Dynamic Analysis
There are lots of network services
BB10 network
services
Dynamic Analysis
• Unsurprisingly, logs => info
• slogger (app event logger) and slogger2 (system event logger)
• Readable on simulator with sloginfo and slog2info
• slog* devices not readable on device :(
Dec 07 16:14:20.041 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 [ServiceManager] refreshing accounts list
Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts for service "contacts"
Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts
Dec 07 16:14:20.044 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 MNH(93): handleAccountUpdated accountId 4
Dec 07 16:14:20.045 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Calling AccountServicePrivate::account for AccountKey = 4
Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 GET 0x13
Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 URL Buffer: http://127.0.0.1:8888/accounts/4
Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 GET 0x1
Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 URL Buffer: http://127.0.0.1:8888/accounts
Dec 07 16:14:20.072 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Curl Easy perform
Dec 07 16:14:20.080 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Curl Easy perform
Dec 07 16:14:20.081 menu_service.2830447 menu_svc_logs 0 MS PIMCORE: command: GET method: /accounts URL:http://127.0.0.1:8888/accounts
Dec 07 16:14:20.082 phone.3567743 phone 0 [ I][18][PlatformContact:lookupByPhoneNu| 107] ContactService returns 0
Dynamic Analysis
Debugging is a
breeze
Target
Host
Fuzzing…
Static Analysis
For the things that can’t be watched
Static Analysis
Installation bundles
• BAR format (hurr durr)
• De-facto standard for any
non-factory packages
• META-INF directory
• Code signatures and app
info
• “assets”
% zipinfo -l1 ./Gooby/arm/o.le-v7/Gooby-1_0_0_1.bar
META-INF/MANIFEST.MF
META-INF/AUTHOR.SF
META-INF/AUTHOR.EC
META-INF/RDK.SF
META-INF/RDK.EC
native/bar-descriptor.xml
native/icon.png
native/assets/main.qml
native/qm/Gooby.qm
native/Gooby.so
native/GoobyService
native/assets/.assets.index
Static Analysis
MANIFEST.MF: Package Meta Info
Static Analysis
MANIFEST.MF: Application Meta Info
Static Analysis
MANIFEST.MF: Entry Point Info
Static Analysis
MANIFEST.MF: Entry Point Info
Static Analysis
Getting Firmware
• MITM the CDN downloads
• The “community” has built
some good tools
http://forums.crackberry.com/bb10-leaked-beta-os-f395/sachesi-firmware-extractor-searcher-installer-825409/
Static Analysis
Getting Into the Firmware
• “pbtools”
• Mount the firmware in Simulator or SDP
• SCP the files back out
https://github.com/intrepidusgroup/pbtools
Static Analysis
Shell Scripts
• /base/scripts/
• Easy to read
• grep-fu for great
success!
from “startup.sh”
Static Analysis
Python: For everything
important on BB10 that isn’t
written in bash
• Most of it is compiled
Python (bytecode;
*.pyc)
• unpyc3.py
https://code.google.com/p/unpyc3/
Static Analysis
ActionScript
• Decompile with Sothink / whatever
• Most ActionScript apps handle front-end stuff
qnx.AIRServices.ota.OtaUpdate
Static Analysis
Compiled binaries
• IDA cleanly disassembles
• ARM / x86
• Without a public root,
disassembly might be your
best/only bet for dorking
with many network services
Attack Surface
http://www.harkavagrant.com/?id=250
Entry Points
Where the device accepts data
IPC
• Numerous IPC endpoints available
• QNX channels particularly
caught our eye
• Wrote some horrible IPC
scanners / fuzzers
• Problem: not always sure WTF is
on the other end of a channel
(or able to attach to channel but
unable to send)
• Also DoS’d/froze device multiple
times during mass channel
scans
$ ./scanchan.py 643092
Could not find platform independent libraries <prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
[+] PID: 643092 - Connected to channel: 2
[-] PID: 643092 - Error for channel 6: [Errno 1] Operation not permitted
$ ./fchan1.py 1019928 16
[+] PID: 1019928 - Connected to channel: 16
(48, b"AAAAAAAAAAAAAAAA(coid, b'Hello!')n c
x01x00x00x00x00x00x00x00x03x00x00x00x02x0
0x00x00Ox00x00x00sx16x00x00x00|x01x00|
x00x00_x00x00|x02x00|x00x00_x01x00d
x00x00S(x01x00x00x00N(x02x00x00x00u
x04x00x00x00argsux06x00x00x00…
Network Services
• Samba!
• WWW!
• WebDAV!
• Proxies!
• SSH!
• Other stuff!
Network Services
Local-hosted CGI
scripts are used for
device management
“stuff”
• Backup & restore
• Application installation
• Device reset
• Limited logging control
• Limited PIM management
• Enterprise registration
• Etc
WiFi
• Many device management
functions happen over HTTP/
SMB with the option of
operating over WiFi
• Handset acts as a UPnP
gateway
• There are some real
problematic areas observable
over WiFi
USB
• Mass storage? Nay,
Ethernet!
• Similar to WiFi
(WWW/SMB), with
additional
capabilities
Bluetooth
• Tether your handset to your
tablet
• SapphireProxy (get it?)
• WebDAV
• HTTP proxy
• Protected by pf
BlackBerry “Bridge” /
SapphireProxy
This service has had
problems in the past… *
* Barely recognizable BattleStar reference
NFC
It works and there are no security problems?
• Haven’t really
explored this
ourselves.
• Biggest concern
likely bad NDEF
message parsing by
3rd party native
apps
Local Application
• Malware / Client-
side attacks
• Insufficient controls
on sensitive local
file and network
resources
• Privilege
escalations are like
gold
Balance
• An attempt at solving BYOD
• “Perimeters” manage the
separation between personal
and enterprise applications,
data, and network resources
• Enterprise perimeter security is
controlled by BES and
enforced locally
Balance
Concerned Consumer:
Sounds great. How does it work?
I am familiar with the iOS security
model and might expect to see
some sort of sandboxing
technology to enforce this
separation.
Balance
RIM:
I don’t want to say that it’s
all based on file
permissions…
…but it’s all based on file
permissions
Future Work
TODO
• Further (re-)exploration of...
• authman
• system IPC endpoints
• Balance
• Android support
• Radio (NFC, Cell/BB, BT)
• HDMI, USB
Conclusion
Questions / Contact
• https://twitter.com/quine

zach@n0where.org

zach@duosecurity.com

• https://twitter.com/bnull

[NO_EMAIL_PROVIDED]
<--shameless plug
