Dissecting Blackberry Z10: 2-in-1
By Alexander Antukh & Yury Chemerkin

Jun 30, 2013
/whoami
Alexander Antukh
• Security Consultant
• Offensive Security Certified Expert
• Interests: kittens and stuff

/whoami
Yury Chemerkin
Experienced in:
• Mobile Security and MDM
• Cyber Security & Cloud Security
• Compliance & Transparency
• Security Writing
Agenda
Blackberry OS review
Shell Access
The Approaches
Firmware from the inside
Playing with the browser
Security on the application level
Funny with APIs
MDM capabilities
Efficiency of security features
Future research

Blackberry OS review
Built on QNX!
• Tiny
• Micro-kernel architecture
• Virtual memory allocation for each process
• POSIX-compliant

QNX = MK (microkernel) + PM (process manager) + processes

Blackberry OS review
This is how the system looks:

Blackberry OS review
This is how the microkernel looks:

Shell Access
Extremely easy!
• development mode → on
• generate a 4096-bit RSA key (ssh-keygen/putty)
• blackberry-connect <t> -password <p> -sshPublicKey <k>
• ssh 169.254.0.1 → nuts

Even easier:
• Dingleberry → nuts
/accounts/devuser/

The Approaches
1. General permissions
• SUID/SGID
  -rwxrwsrwx 1 root root
• Writable files and folders
"find all suid files" => find / -type f -perm -04000 -ls
"find all sgid files" => find / -type f -perm -02000 -ls
"find config* files" => find / -type f -name "config*"
"find all writable folders and files" => find / -perm -2 -ls
"find all writable folders and files in current dir" => find . -perm -2 -ls
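The same three checks as a small audit script, added here as an example (not code from the deck): it walks a tree, applies the SUID, SGID and world-writable predicates behind the find commands above, and rates a set-id file that is also world-writable (the -rwxrwsrwx root root pattern) as the most serious finding. The sample tree it builds under a temporary directory is constructed for the demo.

```python
"""Permission audit for the three classes listed on the slide.

Added example, not code from the deck. The sample tree under a temp directory
is constructed for the demo; a real audit points audit_tree() at "/" or ".".
"""
import os
import shutil
import stat
import tempfile


def classify(st: os.stat_result) -> list:
    """Map one inode's mode to the find(1) predicates from the slide:
    -perm -04000 -> "suid", -perm -02000 -> "sgid", -perm -2 -> world-writable.
    Set-id bits only matter on regular files, so they are ignored on directories.
    """
    mode = st.st_mode
    flags = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        flags.append("suid")
    if stat.S_ISREG(mode) and mode & stat.S_ISGID:
        flags.append("sgid")
    if mode & stat.S_IWOTH:
        # A sticky world-writable directory (like /tmp) only lets users remove
        # their own entries, so it is reported separately and rated lower.
        if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
            flags.append("world-writable-sticky-dir")
        else:
            flags.append("world-writable")
    return flags


def severity(flags: list) -> str:
    """Rate a finding. A set-id file that is also world-writable (the
    -rwxrwsrwx root root pattern on the slide) is the worst case: any local
    user can replace code that later runs with another uid/gid."""
    setid = "suid" in flags or "sgid" in flags
    if setid and "world-writable" in flags:
        return "critical"
    if setid:
        return "high"
    if "world-writable" in flags:
        return "medium"
    return "low"


def audit_tree(root: str) -> list:
    """Walk `root` (symlinks are not followed) and report every inode that
    matches at least one predicate, sorted by relative path."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry: skip, do not guess
            if stat.S_ISLNK(st.st_mode):
                continue
            flags = classify(st)
            if flags:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "flags": flags,
                    "severity": severity(flags),
                })
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Build a constructed sample tree, audit it, clean up, return findings."""
    base = tempfile.mkdtemp(prefix="permaudit-")
    try:
        samples = {
            "bin/safe": 0o755,        # ordinary binary: not reported
            "bin/suid_tool": 0o4755,  # SUID only
            "bin/sgid_tool": 0o2755,  # SGID only
            "bin/broken": 0o2777,     # SGID and world-writable, as on the slide
            "etc/config.txt": 0o666,  # world-writable config file
        }
        for rel, mode in samples.items():
            path = os.path.join(base, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("sample\n")
            os.chmod(path, mode)
        # Set directory modes explicitly so the result does not depend on umask.
        os.chmod(os.path.join(base, "bin"), 0o755)
        os.chmod(os.path.join(base, "etc"), 0o1777)  # sticky, /tmp-style
        return audit_tree(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['severity']:8} {f['mode']:7} {f['path']}  {','.join(f['flags'])}")
```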

The Approaches
2. Fuzzers
• IOCTL fuzzing
  • no params
  • overlong strings
  • pre-determined DWORDs
Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11
ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000

• Binary bit-/byteflipping (EDB-ID #7823)

The Approaches
3.1. System utilities. BOFs
Many missing: setuidgid, id, dumpifs…
Many interesting:
• confstr – current configuration including path, architecture and network info
• dmc – digital media controller
• fsmon – file system monitor
• jsc – JavaScript engine for the WebKit used on the device
• ldo-msm – LDO driver
• mkdosfs – format a DOS filesystem (FAT-12/16/32)
• mkqnx6fs – format a QNX6 filesystem (QNX6-specific, but present in Blackberry OS)
• and also tools such as mount, on, nfcservice, nvs_write_bin and displayctl.

The Approaches
3.1. System utilities. BOFs
Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11
ip=788293d2(/base/usr/lib/graphics/msm8960/displayHALr086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11
ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11
ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c. ref=00000028
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11
ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff
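These termination messages, and the python3.2 one on the fuzzing slide, share one format. As an added example that is not part of the deck, here is a small triage parser that turns them into records, re-joins lines the slide export wrapped, and groups them by crash site so that repeated hits of one bug are counted once. It assumes that ref= is the referenced (faulting) address and that fltno 11 is FLTPAGE from QNX's <sys/fault.h>; the fault hints are a heuristic, and the sample input is the deck's own lines.

```python
"""Parse and triage QNX process-termination messages like those on the slides.

Added example, not code from the deck. The sample log is the deck's own
lines, re-used here as constructed input (including two records the slide
export wrapped onto extra lines). Treating ref= as the referenced (faulting)
address and fltno 11 as FLTPAGE from QNX's <sys/fault.h> are assumptions.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """
Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11
ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000
Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11
ip=788293d2(/base/usr/lib/graphics/msm8960/displayHALr086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11
ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11
ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c.
ref=00000028
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11
ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15)
mapaddr=00001c3e. ref=ffffffff
"""

HEADER_RE = re.compile(
    r"^Process (?P<pid>\d+) \((?P<name>[^)]+)\) terminated (?P<signal>\w+)"
    r" code=(?P<code>\d+) fltno=(?P<fltno>\d+)"
)
SITE_RE = re.compile(
    r"ip=(?P<ip>[0-9a-fA-F]+)\((?P<module>[^@)]+)@(?P<symbol>[^+)]+)"
    r"\+0x(?P<offset>[0-9a-fA-F]+)\)"
    r"(?:\s+mapaddr=(?P<mapaddr>[0-9a-fA-F]+)\.?)?"   # absent in some records
    r"\s+ref=(?P<ref>[0-9a-fA-F]+)"
)
FAULT_NAMES = {11: "FLTPAGE"}  # page fault (assumed from <sys/fault.h>)


def fault_hint(ref: int) -> str:
    """Coarse triage from the faulting address (a heuristic, not a verdict)."""
    if ref == 0:
        return "null-deref"
    if ref < 0x1000:
        return "near-null (field access through a NULL pointer)"
    if ref == 0xFFFFFFFF:
        return "ref=-1 (error return used as a pointer)"
    return "wild-pointer (needs a closer look)"


def parse_crash_log(text: str) -> list:
    """Split the log into records, re-joining wrapped continuation lines."""
    blocks = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Process "):
            blocks.append(line)          # a new record starts here
        elif blocks:
            blocks[-1] += " " + line     # continuation of the current record
    records = []
    for block in blocks:
        head = HEADER_RE.match(block)
        site = SITE_RE.search(block)
        if not head or not site:
            continue  # malformed record: skip rather than guess its fields
        fltno = int(head["fltno"])
        ref = int(site["ref"], 16)
        records.append({
            "pid": int(head["pid"]),
            "process": head["name"],
            "signal": head["signal"],
            "fltno": fltno,
            "fault": FAULT_NAMES.get(fltno, f"fltno={fltno}"),
            "ip": int(site["ip"], 16),
            "module": site["module"],
            "symbol": site["symbol"],
            "offset": int(site["offset"], 16),
            "mapaddr": int(site["mapaddr"], 16) if site["mapaddr"] else None,
            "ref": ref,
            "hint": fault_hint(ref),
        })
    return records


def summarize(records: list) -> dict:
    """Group records by crash site (module@symbol+offset) for follow-up."""
    sites = defaultdict(lambda: {"count": 0, "processes": set(), "hints": set()})
    for r in records:
        key = f"{r['module']}@{r['symbol']}+0x{r['offset']:x}"
        sites[key]["count"] += 1
        sites[key]["processes"].add(r["process"])
        sites[key]["hints"].add(r["hint"])
    return dict(sites)


if __name__ == "__main__":
    for site, info in summarize(parse_crash_log(SAMPLE_LOG)).items():
        print(f"{info['count']}x {site} [{', '.join(sorted(info['hints']))}]")
```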

The Approaches
3.2. System utilities. Vulnerable syscalls. displayctl.

The Approaches
3.2. System utilities. Vulnerable syscalls. nvs_write_bin.
Nonvolatile (sometimes written as "non-volatile") storage (NVS), also known as nonvolatile memory or nonvolatile random access memory (NVRAM), is a form of static random access memory whose contents are saved when a computer is turned off or loses its external power source. NVS is implemented by providing static RAM with backup battery power or by saving its contents to, and restoring them from, an electrically erasable programmable ROM (EEPROM).

Firmware from the inside
Firmware update? Yes, please!
MFCQ → QNX image

Firmware from the inside
Tools to deal with:
• qfcm_parser.py → partitions!
• chkqnx6fs → info about the images
• dumpifs → IFS dump

https://github.com/intrepidusgroup/pbtools
Firmware from the inside
Pearls inside:
ALL the scripts and configs can be read now!
• .script (starting up)
• ifs_variables.sh (sysvars)
• os_device_image_check
• Microkernel itself

Firmware from the inside
Pearls inside:
Protected tools can be launched now!
persist-tool: insecure syscalls can be reproduced (read/dump data)

Bootrom Version: 0x0523001D (5.35.0.29)
DeviceString: RIM BlackBerry Device
BuildUserName: ec_agent
BuildDate: Nov 3 2012
…
IsInsecureDevice: false
HWVersionOffset: 0x000000D4
NumberHWVEntries: 0x00000014
MemCfgTableOffset: 0x000000FC
MemCfgTableSize: 0x00000100
Drivers: 0x00000010 [ MMC ]
LDRBlockAddr: 0x2E02FE00
BootromSize: 0x00080000
BRPersistAddr: 0x2E0AFC00

Firmware from the inside
Pearls inside:
Funny comments (code reviewers will like it)
function setScreenScaling (width, height) { ...
//ZOOM TO POINT IS FULL OF BUGS - Docs state that coordinates should only ever be in center of screen

… and more
// TODO: Once the QML bug about not being to access the page values that are provided as a parameter to this slot is fixed ...
// The zipfile.ZipFile.write() method has a bug where it raises struct.error: ushort format requires 0 <= number <= USHRT_MAX
// Too many bytes for PNG signature. Potential overflow in png_zalloc()

Firmware from the inside
Pearls inside:
Facebook – too much ;)
• IDs
• Emails
• Mobile phones
• Secrets
• Passwords

Plaintext!

Playing with the browser
• WebKit rendering engine
• Vulnerabilities are just the same (i.e. as for Google Chrome)

Playing with the browser
Local file access from the browser

HTML page as an email attachment
file:// → nuts

The vulnerability has now been removed

Security on the Application Level
BlackBerry Z10 – Vulnerability in BlackBerry Protect
Limited: by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and physical access to the device
Affected Software
• BlackBerry 10 OS version 10.0.10.261 and earlier, except version 10.0.9.2743
• BlackBerry Z10 smartphone only
The vulnerability has now been removed

Security on the Application Level
Special artifacts “.all” as a kind of logs
• PATH: /pps/system/<name>/.all
• Browsers: history
• Networking: ID, flags, MACs
• Device IDs: Hardware, PIN, Name, Serials, etc.
• Video Chats: params, call details
• BlackBerry Bridge
• SapphireProxy
• Status, name, address, auth token, key
• Autostart param
• Routes: BB, BIS, BER: 127.0.0.2:188/189/187
• Results: access to the internal network, internal storage, media files, and the rest (contacts, calendar, etc.) in the case of a non-QNX device
Currently there are no details on whether it has been solved
Author’s opinion: it can’t be solved or cracked in similar ways

Funny with APIs
• Useful ideas that do not make enough sense
• Merging permissions into one group
• No way to emulate hardware inputs, but the results of pressing are strongly restricted where they exist
• Sandbox
  • Malware is a personal application subtype in terms of BlackBerry’s security
  • Sandbox protects only app data, while user data is stored in shared folders

Funny with APIs
• Non-controlled activity by any permission
• Accessing data passed through the clipboard
• Access to ‘Accounts’ leads to ‘read’ access to contacts, messages, notebooks and calendar by default
• MediaPlayer is a great way to access the FS
• Access to the file system in many ways, in most cases by managing the device’s resources:
  • Camera activity
  • Contact photos
  • Calendar event attachments
  • Message attachments (Email, BBM)
  • Saving records (camera photos, video, audio)

BlackBerry MDM
Permission groups per platform (table reconstructed from the chart):

Platform        | Quantity of groups | Average perm per group | Efficiency | Total permissions
BlackBerry Old  | 55                 | 20                     | 80.00      | 1100
iOS             | 16                 | 5                      | 38.46      | 80
BlackBerry QNX  | 7                  | 7                      | 31.82      | 49
Android         | 4                  | 4                      | 10.26      | 16
Efficiency of security features
• Activity
  • Common Min/Average/Max quantity :: 2 / 8 / 34
  • Additional Min/Average/Max quantity :: 0 / 2 / 7
  • Derived Min/Average/Max quantity :: 3 / 31 / 116
• Permission
  • Common Min/Average/Max quantity :: 0 / 1 / 3
  • Additional Min/Average/Max quantity :: 1 / 0 / 1
  • Derived Min/Average/Max quantity :: 4 / 4 / 8
• APIs
  • Common / Significant quantity :: 100 / 61
• The most secure unit is the LED activity

Efficiency of security features
Ratio of common activities to permissions
(bar chart per unit: "Q. of m.+a. activity" vs "Q. of m.+a. permission"; activity counts range up to 34)

Efficiency of security features
Ratio of derived activities to permissions
(bar chart per unit: "Q. of derived activities" vs "Q. of derived perm"; derived activity counts range up to 116)

Efficiency of security features
(bar chart per unit: "% m+a activity vs perm" and "% m+a derived activity vs perm", from 0.00 to 250.00)
Future research
Image parser fuzzing
Jailbreak
IOCTL / syscalls further research
Play more with SSH
Blackberry Balance is not available yet
Permission collision
Overpermissioning by system applications and services
Bypassing MDM features by both of the previous

Full articles
… are available here (no SMS to send is required! Free for a very limited time!)

Blackberry Z10 research
Blackberry and more

http://goo.gl/dP9iR
http://goo.gl/PpXxg
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 

Recently uploaded (20)

State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 

(Pdf) yury chemerkin def_con_2013

  • 12. The Approaches
  2. Fuzzers
  - IOCTL fuzzing
    • no params
    • overlong strings
    • pre-determined DWORDs
    Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11 ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000
  - Binary bit-/byteflipping (EDB-ID #7823)
  • 13. The Approaches
  3.1. System utilities. BOFs
  Many utilities are missing: setuidgid, id, dumpifs…
  Many interesting ones are present:
    • confstr – current configuration, including path, architecture and network info
    • dmc – digital media controller
    • fsmon – file system monitor
    • jsc – JavaScript engine of the WebKit used on the device
    • ldo-msm – LDO driver
    • mkdosfs – format a DOS filesystem (FAT-12/16/32)
    • mkqnx6fs – format a QNX6 filesystem (QNX6 is nevertheless present in BlackBerry OS)
    • and also tools such as mount, on, nfcservice, nvs_write_bin and displayctl.
  • 14. The Approaches
  3.1. System utilities. BOFs
    Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHALr086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
    Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
    Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11 ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c. ref=00000028
    Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff
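Slides 12 and 14 quote raw QNX process-termination lines as the only evidence of each crash. When a fuzzing run or a device's crash log produces dozens of these, the first job is to turn them into records and group them by faulting module and by faulting address, so that effort goes to the crashes that are not plain NULL dereferences. The example below is added here and is not code from the talk or from its authors; it assumes that the "ref" field is the data address the faulting instruction referenced (the usual meaning in these messages) and that the lines follow exactly the shape quoted on the slides. The sample log is constructed from those five lines plus one line of noise.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the five crash lines quoted on slides 12 and 14, plus
# one unrelated slog line that the parser must skip.
SAMPLE_LOG = """\
Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11 ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000
Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHALr086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11 ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c. ref=00000028
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff
some unrelated slog line that must be ignored
"""

# One record per line of the form
#   Process <pid> (<name>) terminated <signal> code=<si_code> fltno=<fault>
#   ip=<addr>(<module>@<symbol>+0x<off>) [mapaddr=<addr>.] ref=<addr>
# "mapaddr" is absent when the fault is inside the main executable.
CRASH_RE = re.compile(
    r"Process (?P<pid>\d+) \((?P<name>[^)]+)\) terminated (?P<signal>SIG[A-Z]+)"
    r" code=(?P<code>\d+) fltno=(?P<fltno>\d+)"
    r" ip=(?P<ip>[0-9a-f]{8})\((?P<module>[^@]+)@(?P<symbol>[^+]+)\+0x(?P<offset>[0-9a-f]+)\)"
    r"(?: mapaddr=(?P<mapaddr>[0-9a-f]{8})\.)?"
    r" ref=(?P<ref>[0-9a-f]{8})"
)


@dataclass
class Crash:
    pid: int
    name: str
    signal: str
    code: int
    module: str
    symbol: str
    offset: int
    ip: int
    mapaddr: Optional[int]
    ref: int  # assumption: the data address the faulting instruction touched

    def in_shared_object(self) -> bool:
        """True when the faulting instruction lies in a .so rather than the binary.
        A fault inside ldqnx.so.2 (the QNX C library) usually means the caller
        passed a bad argument, so the bug is in the calling program."""
        return self.module.endswith(".so") or ".so." in self.module

    def fault_class(self) -> str:
        """Coarse triage bucket from the referenced address. Heuristic only:
        NULL and near-NULL references are typically unchecked pointers and a
        crash rather than a controllable write; anything else merits a look."""
        if self.ref == 0:
            return "null-deref"
        if self.ref < 0x1000:
            return "near-null"
        if self.ref == 0xFFFFFFFF:
            return "invalid-address"
        return "arbitrary-address"


def parse_crash_line(line: str) -> Optional[Crash]:
    """Return a Crash for a termination message, or None for any other line."""
    m = CRASH_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Crash(
        pid=int(g["pid"]), name=g["name"], signal=g["signal"], code=int(g["code"]),
        module=g["module"], symbol=g["symbol"], offset=int(g["offset"], 16),
        ip=int(g["ip"], 16),
        mapaddr=int(g["mapaddr"], 16) if g["mapaddr"] else None,
        ref=int(g["ref"], 16),
    )


def parse_log(text: str) -> List[Crash]:
    return [c for c in (parse_crash_line(l) for l in text.splitlines()) if c]


def triage(crashes: List[Crash]) -> Tuple[Counter, Counter]:
    """Counts per faulting module and per fault class, for prioritising work."""
    return (Counter(c.module for c in crashes),
            Counter(c.fault_class() for c in crashes))


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    by_module, by_class = triage(found)
    for c in found:
        print(f"{c.name:15} {c.module}@{c.symbol}+0x{c.offset:x} -> {c.fault_class()}")
    print("modules:", dict(by_module))
    print("classes:", dict(by_class))
```

Run against a real log the buckets show at a glance that two of the five crashes are NULL dereferences and that the shutdown crash references 0xffffffff, a pattern worth a second look before any of the others.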
  • 15. The Approaches
  3.2. System utilities. Vulnerable syscalls. displayctl.
  • 16. The Approaches
  3.2. System utilities. Vulnerable syscalls. nvs_write_bin.
  Nonvolatile (sometimes written as "non-volatile") storage (NVS), also known as nonvolatile memory or nonvolatile random access memory (NVRAM), is a form of static random access memory whose contents are saved when a computer is turned off or loses its external power source. NVS is implemented by providing static RAM with backup battery power, or by saving its contents to, and restoring them from, an electrically erasable programmable ROM (EEPROM).
  • 17. Agenda (section divider; the same list as on slide 4)
  • 18. Firmware from the inside
  Firmware update? Yes, please!
  MFCQ -> QNX image
  • 19. Firmware from the inside
  Tools to deal with it:
  - qfcm_parser.py -> partitions!
  - chkqnx6fs -> info about the images
  - dumpifs -> IFS dump
  - https://github.com/intrepidusgroup/pbtools
  • 20. Firmware from the inside
  Pearls inside: ALL the scripts and configs can be read now!
  - .script (starting up)
  - ifs_variables.sh (sysvars)
  - os_device_image_check
  - the microkernel itself
  • 21. Firmware from the inside
  Pearls inside: protected tools can be launched now!
  persist-tool: insecure syscalls can be reproduced (read/dump data)
    Bootrom Version: 0x0523001D (5.35.0.29)
    DeviceString: RIM BlackBerry Device
    BuildUserName: ec_agent
    BuildDate: Nov 3 2012
    …
    IsInsecureDevice: false
    HWVersionOffset: 0x000000D4
    NumberHWVEntries: 0x00000014
    MemCfgTableOffset: 0x000000FC
    MemCfgTableSize: 0x00000100
    Drivers: 0x00000010 [ MMC ]
    LDRBlockAddr: 0x2E02FE00
    BootromSize: 0x00080000
    BRPersistAddr: 0x2E0AFC00
  • 22. Firmware from the inside
  Pearls inside: funny comments (code reviewers will like them)
    function setScreenScaling (width, height) { ... //ZOOM TO POINT IS FULL OF BUGS - Docs state that coordinates should only ever be in center of screen …
  and more:
    // TODO: Once the QML bug about not being to access the page values that are provided as a parameter to this slot is fixed ...
    // The zipfile.ZipFile.write() method has a bug where it raises struct.error: ushort format requires 0 <= number <= USHRT_MAX
    // Too many bytes for PNG signature. Potential overflow in png_zalloc()
  • 23. Firmware from the inside
  Pearls inside: Facebook – too much ;)
  - IDs
  - Emails
  - Mobile phones
  - Secrets
  - Passwords
  Plaintext!
  • 24. Agenda (section divider; the same list as on slide 4)
  • 25. Playing with the browser
  - WebKit rendering engine
  - The vulnerabilities are just the same (e.g. as for Google Chrome)
  • 26. Playing with the browser
  Local file access from the browser:
  HTML page as an email attachment -> file:// -> nuts
  The vulnerability has since been fixed.
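Slide 26 describes the now-fixed bug in one line: an HTML page delivered as a mail attachment could reach local files through file:// URLs. A mail gateway or an attachment-preview component can catch this class of content before rendering it by collecting every navigable URL in the markup and allowing only an explicit list of schemes. The example below is added here and is not code from the talk or from BlackBerry; the allow-list, the attribute set and the sample attachment (which reuses the /accounts/devuser/ and /pps/system/ paths mentioned on other slides) are my own constructed choices.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample: an HTML "attachment" that reaches for local files via
# three different mechanisms, mixed with harmless remote and relative links.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=FILE:///accounts/devuser/">
<link rel="stylesheet" href="https://example.invalid/style.css">
</head><body>
<a href="file:///pps/system/">local</a>
<img src="images/logo.png">
<iframe src=" file:///accounts/devuser/ "></iframe>
<a href="https://example.invalid/ok">remote</a>
</body></html>"""

# Attributes that make the renderer fetch or navigate to a URL.
URL_ATTRS = {"href", "src", "action", "data", "poster", "formaction"}
# Allow-list, not a block-list: "" covers relative URLs; anything else
# (file:, javascript:, unknown schemes) is rejected.
ALLOWED_SCHEMES = {"", "http", "https", "mailto", "cid"}


class UrlCollector(HTMLParser):
    """Collects (tag, attribute, raw value) for every URL-bearing attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS:
            if attrs.get(name) is not None:
                self.urls.append((tag, name, attrs[name]))
        # <meta http-equiv="refresh" content="0; url=..."> navigates too.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            lowered = content.lower()
            if "url=" in lowered:
                self.urls.append((tag, "content", content[lowered.index("url=") + 4:]))


def scheme_of(value: str) -> str:
    # urlsplit lowercases the scheme; strip() defeats leading-space tricks.
    return urlsplit(value.strip()).scheme.lower()


def find_disallowed_urls(html: str) -> List[Tuple[str, str, str]]:
    """Every URL in the markup whose scheme is not on the allow-list."""
    collector = UrlCollector()
    collector.feed(html)
    collector.close()
    return [(tag, attr, value.strip())
            for tag, attr, value in collector.urls
            if scheme_of(value) not in ALLOWED_SCHEMES]


def attachment_is_safe(html: str) -> bool:
    return not find_disallowed_urls(html)


if __name__ == "__main__":
    for hit in find_disallowed_urls(SAMPLE_ATTACHMENT):
        print("rejecting", hit)
    print("safe:", attachment_is_safe(SAMPLE_ATTACHMENT))
```

The check deliberately stops at the scheme: whether a given path exists on the device is irrelevant, because attachment-origin content has no business referencing the local filesystem at all, which is the same conclusion the fix on the device side reached.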
  • 27. Agenda (section divider; the same list as on slide 4)
  • 28. Security on the Application Level
  BlackBerry Z10 – Vulnerability in BlackBerry Protect
  Limited: by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and physical access to the device
  Affected Software
  - BlackBerry 10 OS version 10.0.10.261 and earlier, except version 10.0.9.2743
  - BlackBerry Z10 smartphone only
  The vulnerability has since been fixed.
  • 29. Security on the Application Level
  Special artifacts: ".all" files as a kind of log
  - PATH: /pps/system/<name>/.all
  - Browsers: history
  - Networking: ID, flags, MACs
  - Device IDs: hardware, PIN, name, serials, etc.
  - Video chats: params, call details
  - BlackBerry Bridge
    - SapphireProxy: status, name, address, auth token, key
    - Autostart param
    - Routes: BB, BIS, BER: 127.0.0.2:188/189/187
  - Result: access to the internal network, internal storage, media files and the rest (contacts, calendar, etc.) in the case of a non-QNX device
  Currently there are no details on whether this is solved.
  Author's opinion: it can't be solved, or it can be cracked in similar ways.
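Slide 29 lists what the .all objects under /pps/system/ expose: device identifiers, MACs and, for the Bridge proxy, an auth token and key. Those objects are QNX PPS (Persistent Publish/Subscribe) objects, whose textual form is an "@objectname" header line followed by "attribute:encoding:value" lines (an empty encoding is a string, "n" a number, "b" a boolean, "json" a JSON value, and a leading "-" deletes an attribute). A device-hardening audit can parse each object and report secrets that sit in world-readable objects. The example below is added here and is not code from the talk or from BlackBerry; the attribute names in the sample object, the list of sensitive keywords and the file mode are constructed for illustration.

```python
import json
import os
import re
import stat
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample PPS object (attribute names are illustrative, not the
# real SapphireProxy schema). The "tmp" attribute is written, then deleted.
SAMPLE_ALL = """\
@sapphireproxy
status::running
name::SapphireProxy
address::127.0.0.2
port:n:188
tmp::scratch
auth_token::CONSTRUCTED-TOKEN-0123
key::CONSTRUCTED-KEY-4567
autostart:b:true
routes:json:["127.0.0.2:188","127.0.0.2:189","127.0.0.2:187"]
-tmp
"""

# Attribute-name tokens that indicate a secret or a stable device identifier.
SENSITIVE_TOKENS = {"token", "key", "password", "secret", "pin", "serial", "mac", "auth"}


def decode(encoding: str, value: str) -> Any:
    """Decode one PPS value according to its encoding tag."""
    if encoding == "n":
        return int(value) if re.fullmatch(r"-?\d+", value) else float(value)
    if encoding == "b":
        return value == "true"
    if encoding == "json":
        return json.loads(value)
    return value  # empty encoding = plain string; unknown encodings kept raw


def parse_pps(text: str) -> Tuple[Optional[str], Dict[str, Any]]:
    """Parse a PPS object dump into (object name, {attribute: value})."""
    name: Optional[str] = None
    attrs: Dict[str, Any] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            name = line[1:]
            continue
        if line.startswith("-"):  # "-attr" removes a previously published attribute
            attrs.pop(line[1:].split(":")[0], None)
            continue
        parts = line.split(":", 2)  # value may itself contain ':' (e.g. host:port)
        if len(parts) != 3:
            continue  # not a well-formed attribute line
        attr, encoding, value = parts
        attrs[attr] = decode(encoding, value)
    return name, attrs


def sensitive_attributes(attrs: Dict[str, Any]) -> List[str]:
    """Attribute names whose words match a sensitive token (heuristic)."""
    hits = []
    for attr in attrs:
        tokens = set(re.split(r"[^a-z0-9]+", attr.lower())) - {""}
        if tokens & SENSITIVE_TOKENS:
            hits.append(attr)
    return sorted(hits)


def audit_pps(text: str, st_mode: int) -> Tuple[Optional[str], List[str], List[str]]:
    """Report sensitive attributes that any local user could read.
    st_mode is the object's stat() mode; S_IROTH means world-readable."""
    name, attrs = parse_pps(text)
    leaked = sensitive_attributes(attrs)
    findings = []
    if leaked and st_mode & stat.S_IROTH:
        findings.append(f"{name}: world-readable object exposes {', '.join(leaked)}")
    return name, leaked, findings


def audit_pps_file(path: str):
    """Convenience wrapper for a real device dump, e.g. /pps/system/<name>/.all."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_pps(fh.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    # 0o100644 is a constructed mode standing in for a world-readable object.
    print(audit_pps(SAMPLE_ALL, 0o100644))
```

Pointing audit_pps_file at each .all under /pps/system/ on a development-mode device turns the slide's observation into a repeatable check; the keyword list is a starting point and should be extended with whatever identifiers matter in a given deployment.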
  • 30. Agenda (section divider; the same list as on slide 4)
  • 31. Funny with APIs
  - Useful ideas that do not make enough sense
    - Merging permissions into one group
    - No way to emulate hardware inputs, but the results of key presses are strongly restricted where they exist
  - Sandbox
    - Malware is a subtype of personal application in terms of BlackBerry's security model
    - The sandbox protects only app data, while user data is stored in shared folders
  • 32. Funny with APIs
  - Activity not controlled by any permission
    - Accessing data passed through the clipboard
  - Access to 'Accounts' leads to 'read' access to contacts, messages, notebooks and calendar by default
  - MediaPlayer is a great way to access the file system
  - Access to the file system in many ways, in most cases by managing the device's resources:
    - Camera activity
    - Contact photos
    - Calendar event attachments
    - Message attachments (Email, BBM)
    - Saving records (camera photos, video, audio)
  • 33. Agenda (section divider; the same list as on slide 4)
  • 34. BlackBerry MDM
  Chart data (permission groups per platform):
    Platform        | Quantity of groups | Average perm per group | Efficiency | Total permissions
    BlackBerry Old  | 55                 | 20                     | 80.00      | 1100
    iOS             | 16                 | 5                      | 38.46      | 80
    BlackBerry QNX  | 7                  | 7                      | 31.82      | 49
    Android         | 4                  | 4                      | 10.26      | 16
  • 35. Agenda (section divider; the same list as on slide 4)
  • 36. Efficiency of security features
  - Activity
    - Common Min/Average/Max quantity :: 2 / 8 / 34
    - Additional Min/Average/Max quantity :: 0 / 2 / 7
    - Derived Min/Average/Max quantity :: 3 / 31 / 116
  - Permission
    - Common Min/Average/Max quantity :: 0 / 1 / 3
    - Additional Min/Average/Max quantity :: 1 / 0 / 1
    - Derived Min/Average/Max quantity :: 4 / 4 / 8
  - APIs
    - Common / Significant quantity :: 100 / 61
  - The most tightly secured unit is LED activity
  • 37. Efficiency of security features
  [Chart: Ratio of common activities to permissions; series "Q. of m.+a. activity" and "Q. of m.+a. permission". The per-activity values are not recoverable from the extracted text.]
  • 38. Efficiency of security features
  [Chart: Ratio of derived activities to permissions; series "Q. of derived activities" and "Q. of derived perm". The per-activity values are not recoverable from the extracted text.]
  • 39. Efficiency of security features
  [Chart: series "% m+a activity vs perm" and "% m+a derived activity vs perm". The per-activity percentages are not recoverable from the extracted text.]
  • 40. Agenda (section divider; the same list as on slide 4)
  • 41. Future research
  - Image parser fuzzing
  - Jailbreak
  - IOCTL / syscalls further research
  - Play more with SSH
  - BlackBerry Balance is not available yet
  - Permission collision
  - Overpermissioning by system applications and services
  - Bypassing MDM features by both of the previous
  • 42. Full articles … are available here (no SMS to send is required! Free for a very limited time!)
  - Blackberry Z10 research: http://goo.gl/dP9iR
  - Blackberry and more: http://goo.gl/PpXxg