Mobile Phone Hacking:
A lucrative, but largely hidden history
DC4420
David Rogers
27th May 2014
Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
http://www.mobilephonesecurity.org
Car Radio Hacking – 1990s / 2000s
• PIN locks to deter theft and remove the resale value of a stolen unit
• Hacking tools reset / calculate / remove the security codes
Some Phone Terms: SIMlock & IMEI
• SIMlock:
– used to tie the device to a particular network for the period of the subsidy; can be unlocked with CK (control key) codes by calling the operator
– Different variants of locks
– Recent court case in the US over legality (and lots of other previous fights)
• IMEI:
– the International Mobile Equipment Identity number
– unique to each device
– can be blocked by networks if the device is stolen
• Other interesting information on the device that would be hacked
– E.g. to change language packs, phone lock removal, text etc.
• Big battle between the mobile industry and hacking groups from c.1999 to now – has evolved into the jailbreak / root community
‘Unlocking’ and IMEI changing
• What is ‘unlocking’?
– Removing SIMlocks
– Most hacking used to be aimed at the SIMlock area
• The security area in the handset would protect all sensitive data – including the IMEI and the SIMlock
• What is a dirty hack?
– Hacks targeted at the security area would often corrupt data – including the IMEI
– Data such as RF calibration settings would often be wiped out
• Hacking tools are usually dual-use (SIMlock and IMEI)
– Causes problems in countries where IMEI changing is illegal – direct proof is difficult and costly to obtain
Mobile Phone Security - David Rogers
Historic Criminal Structure
[Diagram: the actors in the trade and the crimes linked to them. Actors: embedded hacker, hacking group, application hacker, internet, internet shop, shop or stall, repair centre, re-seller, organised crime, thief, drug dealer, end-user. Crimes: mass theft, subscription fraud, street crime, black market exporter (unlocking / IMEI changing), eBay, counterfeiting, IP theft, ‘user’ crimes (murder etc.). The connecting lines between actors and crimes are not recoverable from the page text.]
Historic Financial Structure
[Diagram: the same actor chain as the previous slide (embedded hacker, hacking group, application hacker, internet, internet shop, shop or stall, repair centre, re-seller, organised crime, thief, drug dealer, end-user), with “free software” as a label at one point in the chain, and the payment method used at each value band:]
Value          Method
£10 - £30      Cash; debit / credit card
£50 - £500     Western Union; PayPal; postal order
£500 - £5000   Western Union
£5000+         Western Union
Examples of Hacking Hardware
• Standard service repair equipment
– Obtained by fraudulent purchasing of the manufacturer’s equipment
• Mass-produced hardware by hacking groups
– Griffin Box
– UFS-3 (Twister)
– Blazer
– Clips
• Evolution
– New equipment was constantly developed as new models were released
– New technologies and hardware security, to ensure revenue
Mass Manufacture of Hacking Hardware
Examples of Hacking Hardware (2)
• Most hacks steal their solutions from already existing hacks
— There may seem to be 22 hacks available – they are just old hacks re-packaged
— Different front-end to the software
— Different hardware
— The ‘golden’ part of the source code comes from one hack
• Lots of ‘ghost’ hacks that are aimed at defrauding people
— The same happened in 2012 with jailbreaking on iOS6
Hardware Hacking Methods
• EEPROM cloning or ‘chipping’
– Old method
– The EEPROM was copied with basic equipment
– Main aim: fit an EEPROM with no SIMlock
– Result: the IMEI number was cloned along with it
• PICs (Programmable Integrated Circuits)
– Execute small sequences of commands
– Placed in-line to ‘snatch’ or modify data
• Flash device hot-swapping (almost impossible now)
• Exploitation of boundary scan (JTAG) ports
• External clips and dongles
• Note: less economical than software hacks
In-line PIC Between SIM and Device
Software Hacking Methods
• Direct change
– Breaking a programming algorithm
– Finding the correct test interface protocol command
– Serial communications / USB monitoring equipment is still used(!) to find them
• Modifying binary files (software download files)
– Inserting jump code
– Hijacking other functions in the code to subvert security
– Taking advantage of software design flaws
• Abuse of boundary scan to monitor phone processes
• ‘Dumping’ data from secure areas to logs
• Brute-force cracking of algorithms
• Theft of information from design centres / factories / service centres
• The “Voodoo Galaxy SIII SIM unlock” tool required the device to be rooted…
Typical (Old) Software Hack Methodology
[Diagram: two parallel tracks, manufacturer and hacker, against a timescale labelled 0 months and 6 - 12 months. Manufacturer track: marketing launch at trade show, phone released to market, product security, detection. Hacker track: research (theft of early model, network operator samples, open source info and hacking tools), hacking solution, distribute application, protect application, application protection tools. The arrows between the steps are not recoverable from the page text.]
Use of Hardware Clips – 5 Second Unlocking!
• Simple to use; takes its power from the handset
• Contains a Programmable Integrated Circuit
• Bombards the handset with commands in a repetitive sequence
• The handset eventually gives up and resets itself – unfortunately resetting the SIMlock too!
• This type of attack was used on many different makes of handset
• Clips have since evolved, and the term is now usually used to refer to dongles
“Logs”
• Used as a way of continually generating revenue for the real hackers and re-sellers at the top of the food chain – a historical issue for hackers
• Original concept by 3 Nokia hackers and dealers from Serbia:
– George, Boban (Slobodan Andrics) and Dejan (Dejan Kaljevic)
• How do logs work?
– Encrypted by the hackers to avoid cracking by other hackers
– An example:
• Crack the master security locks -> generate an encrypted log of the security area information -> close the security lock on the handset again!
• ‘Logs’ are only possible if the hacking solution is two-part:
– A ‘dumb’ client application that communicates with the handset
– Data is sent to the hacker / re-seller
– The corresponding data to unlock / change the IMEI is received back from the hacker / re-seller
CK Algorithm Breaches
• Some manufacturers and ODMs used symmetric algorithms keyed on the IMEI number to generate CK codes
– Broken, and every possible code for each IMEI became available
• Later versions cracked the factory / service tools, which had leaked, rather than the handset itself
• Down to poor manufacturer security and breaking the principle of no stored, shared secrets!
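The two design lessons from the clip attack (a forced reset undoing the lock state) and from the CK algorithm breaches (a code derived from the public IMEI with one secret shared by every handset and tool), shown in an added Python example. This is not code from the talk or from any manufacturer: the CK length, retry budget, hash parameters, the name VENDOR_SECRET and the toy handset model are assumptions for illustration. It parses an IMEI (8-digit TAC, 6-digit serial, Luhn check digit), contrasts a CK computed from the IMEI with a global secret against a random per-device CK whose only on-handset trace is a salted slow hash, and shows why the retry counter must be committed to non-volatile storage before each comparison.

```python
"""IMEI parsing and two SIMlock unlock-code (CK) designs side by side.
Added example, not code from the talk. The CK length, retry budget,
hash parameters and the handset model are assumptions for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CK_LENGTH = 8            # assumed CK length
MAX_ATTEMPTS = 5         # assumed retry budget before the lock freezes
KDF_ITERATIONS = 20_000  # kept low so the demo runs quickly; raise in practice


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a run of decimal digits (IMEI digits 1-14)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC, serial and check digit; reject bad Luhn."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 decimal digits")
    if luhn_check_digit(imei[:14]) != int(imei[14]):
        raise ValueError("IMEI check digit mismatch")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


# --- Broken pattern: CK derived from the public IMEI with one shared secret ---
VENDOR_SECRET = b"one-key-in-every-handset-and-tool"  # assumed, for illustration


def ck_from_imei(imei: str, secret: bytes = VENDOR_SECRET) -> str:
    """CK = f(IMEI, global secret). Whoever extracts the secret from one
    handset, or obtains one leaked service tool, can compute every CK offline."""
    mac = hmac.new(secret, imei.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**CK_LENGTH:0{CK_LENGTH}d}"


# --- Sound pattern: random per-device CK; the handset keeps only a verifier ---
@dataclass
class LockRecord:
    salt: bytes
    verifier: bytes


def _verifier(imei: str, ck: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", (imei + ck).encode(), salt, KDF_ITERATIONS)


def provision(imei: str) -> tuple:
    """Factory step: the operator database keeps the CK; the handset keeps a
    salted slow hash, so neither a dumped handset nor a leaked tool yields codes."""
    ck = "".join(secrets.choice("0123456789") for _ in range(CK_LENGTH))
    salt = secrets.token_bytes(16)
    return ck, LockRecord(salt, _verifier(imei, ck, salt))


class Handset:
    """Toy handset: `nv` survives reset(), `ram` does not. Where the retry
    counter lives decides whether a forced reset defeats the lockout."""

    def __init__(self, imei: str, record: LockRecord, counter_in_nv: bool):
        self.imei, self.counter_in_nv = imei, counter_in_nv
        self.nv = {"lock": record, "attempts_left": MAX_ATTEMPTS}
        self.ram = {"attempts_left": MAX_ATTEMPTS}
        self.evaluated = 0  # how many candidate codes were actually checked

    def reset(self) -> None:
        self.ram = {"attempts_left": MAX_ATTEMPTS}  # volatile state lost, NV intact

    def try_unlock(self, candidate: str) -> bool:
        store = self.nv if self.counter_in_nv else self.ram
        if store["attempts_left"] <= 0:
            return False                 # frozen: needs operator intervention
        store["attempts_left"] -= 1      # commit the decrement BEFORE comparing
        self.evaluated += 1
        rec = self.nv["lock"]
        ok = hmac.compare_digest(_verifier(self.imei, candidate, rec.salt), rec.verifier)
        if ok:
            store["attempts_left"] = MAX_ATTEMPTS
        return ok


def bombard(handset: Handset, guesses: int, reset_every: int) -> int:
    """Clip-style attack: wrong guesses interleaved with forced resets.
    Returns how many guesses the handset actually evaluated."""
    for n in range(1, guesses + 1):
        handset.try_unlock("not-a-code")
        if n % reset_every == 0:
            handset.reset()
    return handset.evaluated


if __name__ == "__main__":
    imei = "490154203237518"  # Luhn-valid example IMEI
    print(parse_imei(imei))
    print("broken scheme, CK from any leaked tool:", ck_from_imei(imei))
    ck, rec = provision(imei)
    print("volatile counter, guesses evaluated:",
          bombard(Handset(imei, rec, counter_in_nv=False), 20, 3))
    print("NV counter, guesses evaluated:",
          bombard(Handset(imei, rec, counter_in_nv=True), 20, 3))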
De-capping and Focused Ion Beam Equipment
Newer Hardware and System Level Attacks
• George Hotz – original iPhone jailbreak
– Used a hardware flaw to XOR a data address and insert jump code into empty memory, where he could execute his own bootloader
– Allegedly assisted by European Infineon hacking teams
• Rooting
– Various methods, exploiting vulnerabilities
– Usually used as a staging area for other attacks (e.g. malware)
– Examples:
• RageAgainstTheCage, uboot, zergRush, gingerbreak
• Other private exploits
– Some manufacturers provide it as a service so that people do not need to hack the device
• Legal battles around this area (e.g. US Copyright Office DMCA exemption rulings, 2010 and 2012)
– OK to remove SIMlocks and root devices (the 2012 ruling kept the jailbreaking exemption for phones but limited the unlocking exemption to phones acquired before late January 2013)
Newer Motivations
• Main targets / motivations recently have been:
– Rooting / jailbreaking the device – for piracy / other apps / custom OS / spyware
– SIM unlocking – to break out of the subsidy (cheap device) / fraud / export of stolen devices
– IMEI changing – to re-enable stolen handsets in the same country
– Launchpad attacks – spyware / malware / anti-theft tools / in-app billing
– Fixing issues – e.g. an old SIMlocked device where the operator can’t be contacted
Handset Embedded Security Evolution (to 2012)
[Timeline diagram, 2002 to 2012, labelled “Fragmented Security”. Items: EICTA / GSMA 9 Principles; OMTP Trusted Environment: OMTP TR0; OMTP Advanced Trusted Environment: OMTP TR1; TCG MPWG Specification; GSMA Pay-Buy-Mobile; WAC; webinos; RIM / Nokia proprietary security features; Google / Apple proprietary hardware security features; banking / film industry requirements. The year position of each item is not recoverable from the page text.]
Evad3rs, i0n1c, geohot, RedSn0w – iOS6 & iOS7
• The iOS6 hack “used more zero-days than Stuxnet”*
• Millions of downloads – a huge market
• The evasi0n iOS7 jailbreak was rushed out due to competition (and the 7.1 release), packaged with a Chinese app store (Taig)
– Rumoured to be worth $1 million
– Rumours of dirty tricks / questionable sources for some of the holes
– Strategic and tactical thinking; all ‘untethered’
• Some holes allegedly held back by various teams for future cracks on iOS8
• Teams still reverse and hack each other’s tools (as with SIMlock)
• George Hotz tried to sell to a Chinese team (via a broker) for $350,000
– An audio clip of the negotiation discussions was released
* Ref: http://www.forbes.com/sites/andygreenberg/2013/02/05/inside-evasi0n-the-most-elaborate-jailbreak-to-ever-hack-your-iphone/
May 2014 – Root Bounty for Verizon & AT&T
Kill Switch / Anti-Theft Mechanism Targeting?
• Obvious that this would happen
Car Radio Hacking - 2014
Questions?
david.rogers {@} copperhorse.co.uk
@drogersuk
Mobile Systems Security course: http://www.cs.ox.ac.uk/softeng/subjects/MSS.html
Mobile Security: A Guide for Users: http://www.lulu.com/gb/en/shop/david-rogers/mobile-security-a-guide-for-users/paperback/product-21197551.html
http://www.mobilephonesecurity.org

More Related Content

What's hot

Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014
n|u - The Open Security Community
 
Iot(security)
Iot(security)Iot(security)
Iot(security)
Shreya Pohekar
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentation
Joshua Prince
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric AuthenticationThe Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric Authentication
Veridium
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device Security
John Rhoton
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
Ethical Hacking Tools
Ethical Hacking ToolsEthical Hacking Tools
Ethical Hacking Tools
Multisoft Virtual Academy
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2
Mohammed Adam
 
BYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO'sBYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO's
Patrick Angel - MBA, CISSP(c) CISM(c) CRISC(c) CISA(c)
 
Securing Online Transactions and Customer Data
Securing Online Transactions and Customer DataSecuring Online Transactions and Customer Data
Securing Online Transactions and Customer Data
National Retail Federation
 
InfoSec Deep Learning in Action
InfoSec Deep Learning in ActionInfoSec Deep Learning in Action
InfoSec Deep Learning in Action
Satnam Singh
 
Hacktrikz - Introduction to Information Security & Ethical Hacking
Hacktrikz - Introduction to Information Security & Ethical HackingHacktrikz - Introduction to Information Security & Ethical Hacking
Hacktrikz - Introduction to Information Security & Ethical Hacking
Ravi Sankar
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
Prathan Phongthiproek
 
IoT/M2M Security
IoT/M2M SecurityIoT/M2M Security
IoT/M2M Security
Yu-Hsin Hung
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats  and Owasp Top 10 RisksMobile Threats  and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 Risks
Santosh Satam
 
IOT Security FUN-damental
IOT Security FUN-damentalIOT Security FUN-damental
IOT Security FUN-damental
Satria Ady Pradana
 
Smart Defense: Strategic Approach to fight contemporary Security, Privacy & A...
Smart Defense: Strategic Approach to fight contemporary Security, Privacy & A...Smart Defense: Strategic Approach to fight contemporary Security, Privacy & A...
Smart Defense: Strategic Approach to fight contemporary Security, Privacy & A...
Abhinav Biswas
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com -  IoT SecurityRyan Wilson - ryanwilson.com -  IoT Security
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson
 
SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction
Speakinprivate
 
Intro to Smart Cards & Multi-Factor Authentication
Intro to Smart Cards & Multi-Factor AuthenticationIntro to Smart Cards & Multi-Factor Authentication
Intro to Smart Cards & Multi-Factor Authentication
hon1nbo
 

What's hot (20)

Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014
 
Iot(security)
Iot(security)Iot(security)
Iot(security)
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentation
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric AuthenticationThe Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric Authentication
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device Security
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for Mobile
 
Ethical Hacking Tools
Ethical Hacking ToolsEthical Hacking Tools
Ethical Hacking Tools
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2
 
BYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO'sBYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO's
 
Securing Online Transactions and Customer Data
Securing Online Transactions and Customer DataSecuring Online Transactions and Customer Data
Securing Online Transactions and Customer Data
 
InfoSec Deep Learning in Action
InfoSec Deep Learning in ActionInfoSec Deep Learning in Action
InfoSec Deep Learning in Action
 
Hacktrikz - Introduction to Information Security & Ethical Hacking
Hacktrikz - Introduction to Information Security & Ethical HackingHacktrikz - Introduction to Information Security & Ethical Hacking
Hacktrikz - Introduction to Information Security & Ethical Hacking
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
 
IoT/M2M Security
IoT/M2M SecurityIoT/M2M Security
IoT/M2M Security
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats  and Owasp Top 10 RisksMobile Threats  and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 Risks
 
IOT Security FUN-damental
IOT Security FUN-damentalIOT Security FUN-damental
IOT Security FUN-damental
 
Smart Defense: Strategic Approach to fight contemporary Security, Privacy & A...
Smart Defense: Strategic Approach to fight contemporary Security, Privacy & A...Smart Defense: Strategic Approach to fight contemporary Security, Privacy & A...
Smart Defense: Strategic Approach to fight contemporary Security, Privacy & A...
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com -  IoT SecurityRyan Wilson - ryanwilson.com -  IoT Security
Ryan Wilson - ryanwilson.com - IoT Security
 
SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction
 
Intro to Smart Cards & Multi-Factor Authentication
Intro to Smart Cards & Multi-Factor AuthenticationIntro to Smart Cards & Multi-Factor Authentication
Intro to Smart Cards & Multi-Factor Authentication
 

Similar to Phone Hacking: A lucrative, but largely hidden history

The Future Mobile Security
The Future Mobile Security The Future Mobile Security
The Future Mobile Security
Qualcomm Developer Network
 
UplinQ - the future of mobile security
UplinQ - the future of mobile securityUplinQ - the future of mobile security
UplinQ - the future of mobile security
Satya Harish
 
Protect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacksProtect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacks
Rohan Fernandes
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesTyler Shields
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis
 
Confraria Security & IT - Mobile Security
Confraria Security & IT - Mobile SecurityConfraria Security & IT - Mobile Security
Confraria Security & IT - Mobile Security
Vitor Domingos
 
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
Dark Clouds and Rainy Days, the Bad Side of Cloud ComputingDark Clouds and Rainy Days, the Bad Side of Cloud Computing
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
David Rogers
 
Sniffer for detecting lost mobiles
Sniffer for detecting lost mobilesSniffer for detecting lost mobiles
Sniffer for detecting lost mobiles
home
 
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
viaForensics
 
Android phone identifiers and eavesdropping audio
Android phone identifiers and eavesdropping audioAndroid phone identifiers and eavesdropping audio
Android phone identifiers and eavesdropping audio
Andy Lee
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
Eric Vétillard
 
Adaptive Trust for Strong Network Security
Adaptive Trust for Strong Network SecurityAdaptive Trust for Strong Network Security
Adaptive Trust for Strong Network Security
Aruba, a Hewlett Packard Enterprise company
 
Security & Identity for the Internet of Things Webinar
Security & Identity for the Internet of Things WebinarSecurity & Identity for the Internet of Things Webinar
Security & Identity for the Internet of Things Webinar
ForgeRock
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
Peter Wood
 
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Cellebrite
 
Make Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile SecurityMake Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile Security
Michael Davis
 
Cell phone cloning
Cell phone cloningCell phone cloning
Cell phone cloning
Gudia Khan
 
Investigation and Analysis of Digital Evidence
Investigation and Analysis of Digital EvidenceInvestigation and Analysis of Digital Evidence
Investigation and Analysis of Digital Evidence
Don Caeiro
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
Denim Group
 
Connected Silicon Security Challenges and Framework - Tyfone - Siva Narendra
Connected Silicon Security Challenges and Framework - Tyfone - Siva NarendraConnected Silicon Security Challenges and Framework - Tyfone - Siva Narendra
Connected Silicon Security Challenges and Framework - Tyfone - Siva Narendra
Tyfone, Inc.
 

Similar to Phone Hacking: A lucrative, but largely hidden history (20)

The Future Mobile Security
The Future Mobile Security The Future Mobile Security
The Future Mobile Security
 
UplinQ - the future of mobile security
UplinQ - the future of mobile securityUplinQ - the future of mobile security
UplinQ - the future of mobile security
 
Protect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacksProtect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacks
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the Berries
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
 
Confraria Security & IT - Mobile Security
Confraria Security & IT - Mobile SecurityConfraria Security & IT - Mobile Security
Confraria Security & IT - Mobile Security
 
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
Dark Clouds and Rainy Days, the Bad Side of Cloud ComputingDark Clouds and Rainy Days, the Bad Side of Cloud Computing
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
 
Sniffer for detecting lost mobiles
Sniffer for detecting lost mobilesSniffer for detecting lost mobiles
Sniffer for detecting lost mobiles
 
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
 
Android phone identifiers and eavesdropping audio
Android phone identifiers and eavesdropping audioAndroid phone identifiers and eavesdropping audio
Android phone identifiers and eavesdropping audio
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
Adaptive Trust for Strong Network Security
Adaptive Trust for Strong Network SecurityAdaptive Trust for Strong Network Security
Adaptive Trust for Strong Network Security
 
Security & Identity for the Internet of Things Webinar
Security & Identity for the Internet of Things WebinarSecurity & Identity for the Internet of Things Webinar
Security & Identity for the Internet of Things Webinar
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
 
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
 
Make Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile SecurityMake Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile Security
 
Cell phone cloning
Cell phone cloningCell phone cloning
Cell phone cloning
 
Investigation and Analysis of Digital Evidence
Investigation and Analysis of Digital EvidenceInvestigation and Analysis of Digital Evidence
Investigation and Analysis of Digital Evidence
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
 
Connected Silicon Security Challenges and Framework - Tyfone - Siva Narendra
Connected Silicon Security Challenges and Framework - Tyfone - Siva NarendraConnected Silicon Security Challenges and Framework - Tyfone - Siva Narendra
Connected Silicon Security Challenges and Framework - Tyfone - Siva Narendra
 

Recently uploaded

按照学校原版(QU文凭证书)皇后大学毕业证快速办理
按照学校原版(QU文凭证书)皇后大学毕业证快速办理按照学校原版(QU文凭证书)皇后大学毕业证快速办理
按照学校原版(QU文凭证书)皇后大学毕业证快速办理
8db3cz8x
 
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
2g3om49r
 
LORRAINE ANDREI_LEQUIGAN_GOOGLE CALENDAR
LORRAINE ANDREI_LEQUIGAN_GOOGLE CALENDARLORRAINE ANDREI_LEQUIGAN_GOOGLE CALENDAR
LORRAINE ANDREI_LEQUIGAN_GOOGLE CALENDAR
lorraineandreiamcidl
 
一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理
一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理
一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理
kuehcub
 
按照学校原版(SUT文凭证书)斯威本科技大学毕业证快速办理
按照学校原版(SUT文凭证书)斯威本科技大学毕业证快速办理按照学校原版(SUT文凭证书)斯威本科技大学毕业证快速办理
按照学校原版(SUT文凭证书)斯威本科技大学毕业证快速办理
1jtj7yul
 
一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理
一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理
一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理
xuqdabu
 
按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理
按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理
按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理
uyesp1a
 
Building a Raspberry Pi Robot with Dot NET 8, Blazor and SignalR - Slides Onl...
Building a Raspberry Pi Robot with Dot NET 8, Blazor and SignalR - Slides Onl...Building a Raspberry Pi Robot with Dot NET 8, Blazor and SignalR - Slides Onl...
Building a Raspberry Pi Robot with Dot NET 8, Blazor and SignalR - Slides Onl...
Peter Gallagher
 
按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理
按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理
按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理
zpc0z12
 
一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理
一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理
一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理
nudduv
 
一比一原版(UCSB毕业证)圣塔芭芭拉社区大学毕业证如何办理
一比一原版(UCSB毕业证)圣塔芭芭拉社区大学毕业证如何办理一比一原版(UCSB毕业证)圣塔芭芭拉社区大学毕业证如何办理
一比一原版(UCSB毕业证)圣塔芭芭拉社区大学毕业证如何办理
aozcue
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理
peuce
 
按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理
按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理
按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理
1jtj7yul
 
Production.pptxd dddddddddddddddddddddddddddddddddd
Production.pptxd ddddddddddddddddddddddddddddddddddProduction.pptxd dddddddddddddddddddddddddddddddddd
Production.pptxd dddddddddddddddddddddddddddddddddd
DanielOliver74
 
一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理
一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理
一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理
byfazef
 
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
nudduv
 
欧洲杯冠军-欧洲杯冠军网站-欧洲杯冠军|【​网址​🎉ac123.net🎉​】领先全球的买球投注平台
欧洲杯冠军-欧洲杯冠军网站-欧洲杯冠军|【​网址​🎉ac123.net🎉​】领先全球的买球投注平台欧洲杯冠军-欧洲杯冠军网站-欧洲杯冠军|【​网址​🎉ac123.net🎉​】领先全球的买球投注平台
欧洲杯冠军-欧洲杯冠军网站-欧洲杯冠军|【​网址​🎉ac123.net🎉​】领先全球的买球投注平台
andreassenrolf537
 
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证如何办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证如何办理一比一原版(IIT毕业证)伊利诺伊理工大学毕业证如何办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证如何办理
aozcue
 
加急办理美国南加州大学毕业证文凭毕业证原版一模一样
加急办理美国南加州大学毕业证文凭毕业证原版一模一样加急办理美国南加州大学毕业证文凭毕业证原版一模一样
加急办理美国南加州大学毕业证文凭毕业证原版一模一样
u0g33km
 
一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
一比一原版(UOL文凭证书)利物浦大学毕业证如何办理一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
eydeofo
 

Recently uploaded (20)

按照学校原版(QU文凭证书)皇后大学毕业证快速办理
按照学校原版(QU文凭证书)皇后大学毕业证快速办理按照学校原版(QU文凭证书)皇后大学毕业证快速办理
按照学校原版(QU文凭证书)皇后大学毕业证快速办理
 
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
 
LORRAINE ANDREI_LEQUIGAN_GOOGLE CALENDAR
LORRAINE ANDREI_LEQUIGAN_GOOGLE CALENDARLORRAINE ANDREI_LEQUIGAN_GOOGLE CALENDAR
LORRAINE ANDREI_LEQUIGAN_GOOGLE CALENDAR
 
一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理
一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理
一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理
 
按照学校原版(SUT文凭证书)斯威本科技大学毕业证快速办理
按照学校原版(SUT文凭证书)斯威本科技大学毕业证快速办理按照学校原版(SUT文凭证书)斯威本科技大学毕业证快速办理
按照学校原版(SUT文凭证书)斯威本科技大学毕业证快速办理
 
一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理
一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理
一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理
 
按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理
按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理
按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理
 
Building a Raspberry Pi Robot with Dot NET 8, Blazor and SignalR - Slides Onl...
Building a Raspberry Pi Robot with Dot NET 8, Blazor and SignalR - Slides Onl...Building a Raspberry Pi Robot with Dot NET 8, Blazor and SignalR - Slides Onl...
Building a Raspberry Pi Robot with Dot NET 8, Blazor and SignalR - Slides Onl...
 
按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理
按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理
按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理
 
一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理
一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理
一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理
 
一比一原版(UCSB毕业证)圣塔芭芭拉社区大学毕业证如何办理
一比一原版(UCSB毕业证)圣塔芭芭拉社区大学毕业证如何办理一比一原版(UCSB毕业证)圣塔芭芭拉社区大学毕业证如何办理
一比一原版(UCSB毕业证)圣塔芭芭拉社区大学毕业证如何办理
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理
 
按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理
按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理
按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理
 
Production.pptxd dddddddddddddddddddddddddddddddddd
Production.pptxd ddddddddddddddddddddddddddddddddddProduction.pptxd dddddddddddddddddddddddddddddddddd
Production.pptxd dddddddddddddddddddddddddddddddddd
 
一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理
一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理
一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理
 
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
 
欧洲杯冠军-欧洲杯冠军网站-欧洲杯冠军|【​网址​🎉ac123.net🎉​】领先全球的买球投注平台
欧洲杯冠军-欧洲杯冠军网站-欧洲杯冠军|【​网址​🎉ac123.net🎉​】领先全球的买球投注平台欧洲杯冠军-欧洲杯冠军网站-欧洲杯冠军|【​网址​🎉ac123.net🎉​】领先全球的买球投注平台
欧洲杯冠军-欧洲杯冠军网站-欧洲杯冠军|【​网址​🎉ac123.net🎉​】领先全球的买球投注平台
 
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证如何办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证如何办理一比一原版(IIT毕业证)伊利诺伊理工大学毕业证如何办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证如何办理
 
加急办理美国南加州大学毕业证文凭毕业证原版一模一样
加急办理美国南加州大学毕业证文凭毕业证原版一模一样加急办理美国南加州大学毕业证文凭毕业证原版一模一样
加急办理美国南加州大学毕业证文凭毕业证原版一模一样
 
一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
一比一原版(UOL文凭证书)利物浦大学毕业证如何办理一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
 

Phone Hacking: A lucrative, but largely hidden history

  • 1. Mobile Phone Hacking: A lucrative, but largely hidden history. DC4420, David Rogers, 27th May 2014. Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved. http://www.mobilephonesecurity.org
  • 2. Car Radio Hacking – 1990s / 2000s
    • PIN locks to deter and remove value of theft
    • Hacking tools reset / calculate / remove security codes
  • 3. Some Phone Terms: SIMlock & IMEI
    • SIMlock:
      – used to secure the device to a particular network during the period of the subsidy; can be unlocked with CK codes by calling the operator
      – Different variants of locks
      – Recent court case in the US over legality (and lots of other previous fights)
    • IMEI:
      – the International Mobile Equipment Identity number
      – unique to each device
      – can be blocked if the device is stolen
    • Other interesting information on the device that would be hacked
      – E.g. to change language packs, phone lock removal, text etc.
    • Big battle between mobile industry and hacking groups between c.1999 and now – has evolved into the jailbreak / root community
  • 4. ‘Unlocking’ and IMEI changing
    • What is ‘unlocking’?
      – SIMlocks
      – Most hacking used to be aimed at the SIMlock area
    • The security area in the handset would protect all sensitive data – including IMEI and SIMlock
    • What is a dirty hack?
      – Hacks targeted against the security area would often cause corruption to data – including the IMEI
      – Data such as RF calibration settings would often be wiped out
    • Hacking tools usually dual-use (SIMlock and IMEI)
      – Causes problems in countries where IMEI changing is illegal – difficult and costly to get direct proof
    Mobile Phone Security - David Rogers
  • 5. Historic Criminal Structure (diagram; node labels: Internet, Embedded Hacker, Hacking Group, Internet Shop, Shop or Stall, Repair Centre, Application Hacker, Organised Crime, Re-seller, End-user, Thief, Drug Dealer, Mass Theft, Subscription Fraud, Street Crime, Black Market Exporter (Unlocking / IMEI Changing), eBay, Counterfeiting, IP Theft, ‘User’ Crimes, Murder etc.)
  • 6. Historic Financial Structure (diagram; node labels: Internet, Embedded Hacker, Hacking Group, Internet Shop, Shop or Stall, Repair Centre, Application Hacker, Organised Crime, Re-seller, Free Software, End-user, Thief, Drug Dealer; with a value / payment method table:)
      – £10 - £30: cash, debit / credit card
      – £50 - £500: Western Union, PayPal, postal order
      – £500 - £5000: Western Union
      – £5000+: Western Union
  • 7. Examples of Hacking Hardware
    • Standard service repair equipment
      – Fraudulent purchasing of manufacturer’s equipment
    • Mass produced hardware by hacking groups
      – Griffin Box
      – UFS-3 (Twister)
      – Blazer
      – Clips
    • Evolution
      – New equipment was constantly developed as new models were released
      – New technologies and hardware security to ensure revenue
  • 8. Mass Manufacture of Hacking Hardware
  • 9. Examples of Hacking Hardware (2)
    • Most hacks steal their solutions from already existing hacks
      – May seem to be 22 hacks available – just old hacks re-packaged
      – Different front-end to software
      – Different hardware
      – the ‘golden’ part of the source code is from 1 hack
    • Lots of ‘ghost’ hacks that are aimed at defrauding people
      – same in 2012 with jailbreaking on iOS6
  • 10. Hardware Hacking Methods
    • EEPROM cloning or ‘Chipping’
      – Old method
      – Copied EEPROM with basic equipment
      – Main aim was to fit an EEPROM with no SIMlock
      – Result: IMEI number was cloned
    • PICs (Programmable Integrated Circuits)
      – Execute small sequences of commands
      – Placed in-line to ‘snatch’ or modify data
    • Flash device hot-swapping (almost impossible now)
    • Exploitation of boundary scan ports
    • External clips and dongles
    • Note: less economical than software hacks
  • 11. In-line PIC Between SIM and Device
  • 12. Software Hacking Methods
    • Direct change
      – Breaking a programming algorithm
      – Finding the correct test interface protocol command
        • Still used(!): serial communications / USB monitoring equipment
    • Modifying binary files (software download files)
      – Inserting jump code
      – Hijacking other functions in the code to subvert security
      – Taking advantage of software design flaws
    • Abuse of boundary scan to monitor phone processes
    • ‘Dumping’ data from secure areas to logs
    • Brute force cracking of algorithms
    • Theft of information from Design Centres / Factories / Service Centres
    • “Voodoo Galaxy SIII SIM unlock” tool required the device to be rooted…
  • 13. Typical (Old) Software Hack Methodology (flowchart with Manufacturer and Hacker lanes on a timescale from 0 months to 6 - 12 months; labels: Marketing Launch at Trade Show, Phone Released to Market, Research, Theft of Early Model, Network Operator Samples, Open Source Info and Hacking Tools, Hacking Solution, Distribute Application, Protect Application, Application Protection Tools, Product Security, Detection)
  • 14. Use of Hardware Clips – 5 Second Unlocking!
    • Simple to use, takes its power from the handset
    • Contains a Programmable Integrated Circuit
    • Bombards the handset with commands in a repetitive sequence
    • The handset eventually gives up and resets itself – unfortunately resetting the SIMlock!
    • This type of attack was used on many different makes of handset
    • Clips have now evolved and the term is usually used in reference to dongles
  • 15. “Logs”
    • Used as a method of continually generating revenue for the real hackers and re-sellers at the top of the food chain – a historical issue for hackers
    • Original concept by 3 Nokia hackers and dealers from Serbia:
      – George, Boban (Slobodan Andrics) and Dejan (Dejan Kaljevic)
    • How do logs work?
      – Encrypted by hackers to avoid cracking by other hackers
      – An example:
        • Crack the master security locks -> generate an encrypted log of security area information -> close the security lock on the handset again!
    • ‘Logs’ will be available only if the hacking solution is two part
      – ‘Dumb’ client application to communicate with the handset
      – Data is sent to hacker / re-seller
      – Corresponding data to unlock / change IMEI received from hacker / re-seller
  • 16. CK Algorithm Breaches
    • Some manufacturers and ODMs used symmetric algorithms based on the IMEI number to generate CK codes
      – Broken, and every possible iteration for each IMEI available
    • Later versions cracked the factory / service tools because they were leaked, rather than cracking the handset
    • Down to poor manufacturer security and breaking the principle of no stored, shared secrets!
  • 17. De-capping and Focused Ion Beam Equipment
  • 18. Newer Hardware and System Level Attacks
    • George Hotz – original iPhone jailbreak
      – Used a hardware flaw to XOR a data address and insert jump code into empty memory where he could execute his own bootloader
      – Allegedly assisted by European Infineon hacking teams
    • Rooting
      – Various methods, exploiting vulnerabilities
      – Usually used as a staging area for other attacks (e.g. malware)
      – Examples:
        • RageAgainstTheCage, uboot, zergRush, gingerbreak
        • Other private exploits
      – Some manufacturers providing it as a service in order to prevent people hacking
    • Legal battles around this area (e.g. US Copyright Office 2010, 2012)
      – OK to remove SIMlocks and root devices
  • 19. Newer Motivations
    • Main targets / motivations recently have been:
      – Rooting / jailbreaking a device – for piracy / other apps / custom OS / spyware
      – SIM unlocking – break out of subsidy (cheap device) / fraud / export of stolen devices
      – IMEI changing – re-enable stolen handsets in the same country
      – Launchpad attacks – spyware / malware / anti-theft tools / in-app billing
      – Fixing issues – e.g. old SIMlocked device, can’t contact operator
  • 20. Handset Embedded Security Evolution (to 2012) (timeline diagram, 2002 to 2012; entries: EICTA / GSMA 9 Principles; OMTP Trusted Environment: OMTP TR0; OMTP Advanced Trusted Environment: OMTP TR1; TCG MPWG Specification; GSMA Pay-Buy-Mobile; Fragmented Security; Google / Apple proprietary hardware security features; Banking / film industry requirements; WAC; RIM / Nokia proprietary security features; webinos)
  • 21. Evad3rs, i0n1c, geohot, RedSn0w – iOS6 & iOS7
    • iOS6 hack “used more zero-days than stuxnet”*
    • Millions of downloads – huge market
    • Evasi0n iOS7 jailbreak rushed out due to competition (and the 7.1 release), packaged with a Chinese app store (Taig)
      – Rumoured to be $1 million
      – Rumours of dirty tricks / questionable sources for some holes
      – Strategic and tactical thinking, all ‘untethered’
    • Some holes allegedly held back by various teams for future cracks on iOS8
    • Teams still reverse and hack each other’s tools (like SIMlock)
    • George Hotz tried to sell to a Chinese team (via a broker) for $350,000
      – Audio clip released with negotiation discussions
    * Ref: http://www.forbes.com/sites/andygreenberg/2013/02/05/inside-evasi0n-the-most-elaborate-jailbreak-to-ever-hack-your-iphone/
  • 22. May 2014 – Root Bounty for Verizon & AT&T
  • 23. Kill Switch / Anti-Theft Mechanism Targeting?
    • Obvious this would happen
  • 24. Car Radio Hacking - 2014
  • 25. Questions? david.rogers {@} copperhorse.co.uk, @drogersuk
    • Mobile Systems Security course: http://www.cs.ox.ac.uk/softeng/subjects/MSS.html
    • Mobile Security: A Guide for Users: http://www.lulu.com/gb/en/shop/david-rogers/mobile-security-a-guide-for-users/paperback/product-21197551.html
    • http://www.mobilephonesecurity.org
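Slide 16 (CK Algorithm Breaches) puts the failure down to unlock codes that were a function of the IMEI and a secret shared by every factory or service tool, so that a leaked tool gave away the code for every device. The Python below is an added example, not code from the talk or from any manufacturer: it places that pattern beside a design that keeps no shared secret, issuing each device an independent random code of which only a salted hash is stored, with a bounded attempt counter at the handset. The IMEI check digit routine is the standard Luhn check that the IMEI format uses; the `SecureArea`, `provision_device` and `try_unlock` names, the 8-digit code length, the `MAX_ATTEMPTS` value, the tool secret and the sample IMEI are all constructed for illustration.

```python
"""Unlock (CK) code handling: IMEI-derived shared-secret codes beside per-device random codes.
Added example for illustration only; names and values are constructed, not a vendor's design."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # constructed value: wrong codes tolerated before the handset stops answering unlock attempts


def luhn_check_digit(body: str) -> str:
    """Luhn check digit over the first 14 IMEI digits (TAC + serial), as the IMEI format defines."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # these digits land in the doubled positions once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def imei_is_valid(imei: str) -> bool:
    """15 decimal digits whose last digit is the Luhn check digit of the first 14."""
    return len(imei) == 15 and imei.isdigit() and luhn_check_digit(imei[:14]) == imei[14]


# --- Pattern A: the design the slide describes as broken --------------------------------------
# One secret is baked into every copy of the service tool and the code is a pure function of the IMEI.
SHARED_TOOL_SECRET = b"constructed-secret-embedded-in-every-service-tool"


def derive_ck_from_imei(imei: str, tool_secret: bytes = SHARED_TOOL_SECRET) -> str:
    """Deterministic 8-digit code. Whoever holds the tool (or its extracted secret) obtains the code for
    any IMEI, and no single device's code can be changed without re-keying every device."""
    digest = hmac.new(tool_secret, imei.encode("ascii"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


# --- Pattern B: no stored, shared secret -----------------------------------------------------
@dataclass
class SecureArea:
    """Constructed model of the handset's protected storage: it never holds the code, only a salted hash."""
    salt: bytes
    code_hash: bytes
    failed_attempts: int = 0


def _hash_code(salt: bytes, code: str) -> bytes:
    # Slow hash so a dumped secure area cannot be brute-forced cheaply offline.
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, 100_000)


def provision_device(imei: str) -> tuple[SecureArea, str]:
    """Factory step: an independent random code per device. The plaintext goes once to the operator's
    escrow; the handset receives only the hash. Returns (secure_area, code)."""
    if not imei_is_valid(imei):
        raise ValueError(f"malformed IMEI: {imei!r}")
    code = f"{secrets.randbelow(10**8):08d}"
    salt = secrets.token_bytes(16)
    return SecureArea(salt=salt, code_hash=_hash_code(salt, code)), code


def try_unlock(area: SecureArea, code: str) -> bool:
    """Handset-side check: constant-time compare, and refuse everything once the attempt budget is spent."""
    if area.failed_attempts >= MAX_ATTEMPTS:
        return False
    if hmac.compare_digest(_hash_code(area.salt, code), area.code_hash):
        return True
    area.failed_attempts += 1
    return False


if __name__ == "__main__":
    sample_imei = "49015420323751" + luhn_check_digit("49015420323751")  # constructed sample IMEI
    print("Pattern A code for", sample_imei, "=", derive_ck_from_imei(sample_imei))
    area, code = provision_device(sample_imei)
    print("Pattern B: handset stores a hash only; unlock with the issued code:", try_unlock(area, code))
```

The contrast is the slide's principle in code: in pattern A the whole population of devices rests on one secret that every tool carries, so one leaked copy yields every code and nothing can be rotated; in pattern B a dumped secure area or a leaked escrow record for one device says nothing about any other, the handset never stores the code itself, and the attempt counter bounds on-device guessing.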