Category Archives: Cell Phone (iPhone, Android, windows mobile)

What is the value of the Trusted Execution Environment (TEE) ? (20th JAN 2023)

Preface: Some said, found malware lets cybercriminal remotely manipulate your Android.

Background: The full name of TEE is trusted execution environment, which is an area on the CPU of mobile devices (smart phones, tablets, smart TVs). The role of this area is to provide a more secure space for data and code execution, and to ensure their confidentiality and integrity.

Other TEE operating systems are traditionally supplied as binary blobs by third-party vendors or developed internally. Developing internal TEE systems or licensing a TEE from a third-party can be costly to System-on-Chip (SoC) vendors and OEMs.

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. A Trusty application is defined as a collection of binary files (executables and resource files), a binary manifest, and a cryptographic signature. At runtime, Trusty applications run as isolated processes in unprivileged mode under the Trusty kernel.

Technical details: According to headline news, a new Android malware named ‘Hook’ is being sold by cybercriminals, boasting it can remotely take over mobile devices in real-time using VNC (virtual network computing). said bleepingcomputer news.

For details, please refer to URL – https://www.bleepingcomputer.com/news/security/new-hook-android-malware-lets-hackers-remotely-control-your-phone/

Speculation: If this reported malware achieves their goals, do you think they will relies on vulnerability such as CVE-2023-21420?

Solution: To avoid Android malware, you should only install apps from the Google Play Store.

Here’s wishing you a Happy Chinese New Year 2023.

CVE-2022-47630 – See whether your android can skip this vulnerability? Perhaps it can. (16th Jan 2023)

Preface: Why configure Secure Boot? This type of hardware restriction protects the operating system from rootkits and other attacks that may not be detected by antivirus software.

Background: Secure Boot is the process where the operating system boot images and code are authenticated against the hardware before they are authorized to be used in the boot process. The hardware is pre-configured to authenticate code using trusted security credentials. ARM architectures are the most common electronic design in the world, even though x86 is more common in the server market. ARM architectures are used in almost all smartphone designs, as well as in other small mobile devices and laptops.

Arm is the CPU architecture used by all modern smartphones in the Android and Apple ecosystems.

Vulnerability details: Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state.

Additional Details – One of its designs is not affected by this vulnerability:

If the config like below:

“load_auth_image” invoke “load_auth_image_internal” – See the attached picture for details

If the platform uses a custom image parser instead of the certificate
parser, the bug in the certificate parser is obviously not relevant. The
bug in auth_nvctr() may be relevant, but only if the returned data is:

  • Taken from an untrusted source (meaning that it is read prior to
    authentication).
  • Not already checked to be a primitively-encoded ASN.1 tag.
    In particular, if the custom image parser implementation wraps a 32-bit integer in an ASN.1 INTEGER, it is not affected.

Official announcement : Official details, please refer to url – https://nvd.nist.gov/vuln/detail/CVE-2022-47630

Retrospect a simple bug in smartphones software development in 2022 (28th Dec 2022)

Denial of service from the big world to the small world

Preface: Perhaps the historical information can be enrich our knowledge base. Even through you think the information I posted by today not very useful. However this is so called database. See whether you are still interested in this matter today?

Background:

The Flutter framework is a popular, multi-platform UI toolkit that’s powered by the Dart platform, and that provides tooling and UI libraries to build UI experiences that run on iOS, Android, macOS, Windows, Linux, and the web. When creating configuration files for application projects, languages like Python and the Google-developed Flutter framework for Dart both use YAML (. yaml). Furthermore, YAML can be used to format containerized files. Cloud computing operations also using it.

There are several libraries available to parse. yaml is a popular library to read yaml files. yaml_writer library is used to write to a yaml file.

  • yaml[.]dart for reading
  • yaml_writer for write operations

yaml is a popular library in dart and flutter for reading the yaml file and yaml_writer for writing to yaml document.

Ref: YAML is a data serialization language that is often used for writing configuration files. Depending on whom you ask, YAML stands for yet another markup language or YAML ain’t markup language (a recursive acronym), which emphasizes that YAML is for data, not documents. 

Vulnerability details: Certain versions of Gopkg[.]in/yaml[.]v2 from Gopkg[.]inyaml[.]v2 contain the following vulnerability:
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

Official announcement: For details about the vulnerability, please refer to the official announcement – https://pkg.go.dev/vuln/GO-2022-0956

Wish you a Happy New Year.

CVE-2022-46702 Apple iOS/iPadOS up to 16.1.2 GPU Drivers memory corruption (23rd Dec 2022)

Preface: When an external GPU is connected to the iOS system. Refer to attached diagram , it will perform compute simulations on that external GPU. And thus graphics rendering on a built-in GPU.

According the current GPU design. Do you think is there desugn weakness happen here. For instance, memory access control and access permission.

Background: A MTLBuffer can’t be directly transferred between different devices; its data must be transferred via system memory. Refer to attached diagram. The sample calls the vm_allocate function to allocate a page-aligned buffer, updateAddress, backed by system memory. The sample then calls the newBufferWithBytesNoCopy:length:options:deallocator: method to create a new MTLBuffer, _updateBuffer, backed by the same system memory used for the previous buffer.

Vulnerability details: The issue was addressed with improved memory handling. This issue is fixed in iOS 16.2 and iPadOS 16.2. An app may be able to disclose kernel memory.

As details could not be found in the official announcement. My speculation is shown as below:

According to step 1 and 2 (refer to attached diagram), believe that it will have way to enhance the access control of GPU Driver buffer. The reason is that it may have potential risk  let attacker do manipulation with an unknown input leads to a memory corruption vulnerability. As a result, it may be possible for an application to leak kernel memory.

Official announcement: For details, see the link – https://support.apple.com/en-us/HT213530

  • Christmas is celebrated to commemorate the birth of Jesus Christ, who Christians believe is the Son of God. Sunday, December 25, 2022 is Christmas. Maybe you don’t have this belief. However, I also wish you Merry Christmas and my best wishes to you and your family.

Commonplace, smartphone OS vulnerability  (22nd Dec 2022)

Preface: The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution.

Background: In the Android system, an application has at least one process, and each process has its own independent resources and memory space. Other processes cannot arbitrarily access the memory and resources of the current process. If you want to communicate between processes, you need to use IPC means.

Virtual memory managed by the kernel, with the help of hardware (the memory management unit). Multiple mappings are maintained at all times. In modern smartphone design, kernel has one or two of its own, shared by all processes, and each process gets its own user-space mapping.

A Look Back at Previous Linux Design Flaws  – eBPF ALU32 boundary tracking for bitwise operations (AND, OR, and XOR) in the Linux kernel did not properly update 32-bit boundaries, causing out-of-bounds reads and writes in the Linux kernel, leading to arbitrary code execution. The three vulnerable functions are scalar32_min_max_and(), scalar32_min_max_or(), scalar32_min_max_xor(). AND/OR was introduced in Linux 5.7-rc1 and XOR was introduced in Linux 5.10-rc1.

Research and speculation: Communication in Microkernels use the messaging queues. A message queue is an inter-process communication (IPC) mechanism that allows processes to exchange data in the form of messages between two processes. In this case, if the Linux kernel did not properly update 32-bit boundaries, Therefore, there are potential risks to occur. Successful exploitation of this vulnerability may lead to abnormal system services.

Today is the winter solstice, I wish you a happy dinner with your family tonight.

About GriftHorse Malware (30th Sep 2021)

Preface: Large portion of smartphone will not installed antivirus software. Even though it is installed. The antivirus vendor similar doing racing campaign with cyber criminals. Nowadays, vendor established malware sinkhole to find zero day vulnerability and existing cyber attack. If cyber criminals relies on software design limitation hiding itself on phone. Perhaps sinkhole not easy to figure it is a malicious acclivities. Therefore certain amount of personal data will be go to unknown area.

Ref: Sinkholes are most often used to seize control of botnets by interrupting the DNS names of the botnet that is used by the malware.

Background: Headline News (Bleepingcomputer) report today that there is a malware nickname GriftHorse. It did the infiltration to Android and causes hundred of million smartphones become a victims. According to the article by Bleepingcomputer expert. A mobile security solution firm (Zimperium) observe malware (GriftHorse) exploiting the software flexibility of Apache Cordova. And hunting over 10 million victims globally.

Details: The Trojans are developed using the mobile application development framework named Apache Cordova, Zimperium said. They uncovered more than 130 GriftHorse apps being distributed through both Google Play and third-party application stores, across all categories. Some of them have basic functionality, and some of them do nothing. Before you read the details of the article. Perhaps you can quickly read the attached picture to understand that there are many ways to exploits Apache Cordova feature to sniff the data on the endpoint.

Ref: Cordova wraps your HTML/JavaScript app into a native container which can access the device functions of several platforms. Apache Cordova is an open source framework that enables web developers to use their HTML, CSS, and JavaScript content to create a native application for a variety of mobile platforms.

Reference article, please refer to the link:

Bleepingcomputer – https://www.bleepingcomputer.com/news/security/new-android-malware-steals-millions-after-infecting-10m-phones/

Zimperium – https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/

Reduce e-waste and achieve environmental protection: ​outdated iphone models – Security updates (14-06-2021)

Preface: To protect the safety of customers, Apple will not disclose, discuss or confirm security issues until the investigation is completed and patches or updated versions are provided.

My observations on CVE-2021-30737:

Background: PKINIT is a preauthentication mechanism for Kerberos 5 which uses X.509 certificates to authenticate the KDC to clients and vice versa.
PKINIT requires an X.509 certificate for the KDC and one for each client principal which will authenticate using PKINIT.

Vulnerability details:
A memory corruption issue in the ASN.1 decoder was addressed by removing the vulnerable code.
The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 Generalized Time decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.

Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution.

Official announcement: https://support.apple.com/en-us/HT212548

Iphone 6s owner have serious operation problem after upgrade their IOS to 12.4.9. Do you think vendor will be fixed?

Preface: Vendor insists to fix the cyber security weakness of CVE-2020-27929 & CVE-2020-27930. However, this iOS upgrade action was caused the specify iPhone product encounter operation difficulties especially 6s.

Observation 1: On 5th November, 2020, apple implement security update to enhance the cyber security protection on their products. This enhancement including an remediation action to two different vulnerabilities. However quite a lot of user including myself encountered technical problem. For instance, the touch screen service on iPhone 6s suspended intermittent.

Observation 2: When I connect my iPhone 6s to my notebook. The touch screen service malfunction problem not been happen in frequent But still occur intermittent. The symptom looks that it is related to a daemon (com.apple.mtmergeprops.plist). Do you think this problem cause by missing a step to check ios device chip model (A9 or a10). Whereby causes memory mapping problem occurs.

Reference: Apple security updates on 5th Nov 2020 – https://support.apple.com/en-us/HT211940

Please be vigilant. Spyware will be installed on your phone at any time – Oct 2019

Preface: Since the spyware runs in a stealth mode, it will let you track the device without being detected.

Background: Patroit Act empower law enforcement agency or related department can legally monitor the movements of suspect especially Terrorism. And therefore law enforcement agency will be used spyware monitor what’ the target movement. As time goes by, quite a lot of software vendors do a transformation of mobile phone monitoring tool (spyware) to consumer product. Flexispy and Spyzie are popular in the market. You can purchase this product though vendor web portal. The slogan by vendor is that no rooting or jailbreaking required. It can easy to track SMS, CallLogs, Social Apps and locations.

Legal point of view: If the spyware was ‘used on a case,’ a detail document of report should be provided. Given the functionality of FlexiSpy, it would require a wiretap order, not just a search and seizure warrant, said attorney.

The reasons why cyber criminals want to hack your phone?

  • To eavesdrop on calls
  • To steal money
  • To blackmail people

So the Federal Trade Commission recommended Smartphone users who suspect an illegitimate stalking app on their device should consider their recommendations. Refer to URL for more details. https://www.consumer.ftc.gov/blog/2019/10/stalking-apps-retina-x-settles-charges

Reflection – Crafted emoji cause WeChat application (for Android) service crash.

Preface: When mobile computing born, cyber attack (botnet attack) and data leakage rapidly growth. Do you think this is the destiny.

Observation: A proof of concept shown that a technical limitation occurs on TenCent WeChat 7.0.4 (android version). When a stranger send a craft emoji to WeChat user. The WeChat application will be crashed once open the emoji file. The security expert found the following reason:

vcodec2_hls_filter in libvoipCodec_v7a.so in the WeChat application through 7.0.3 for Android allows attackers to cause a denial of service

Refer to attached diagram, the 1st phase of attack should get the IMEI. Perhaps the specify attack has per-requisite. So it let the people feeling that it is only an idea and therefore may not pay attention in high pioritty. But it is an alert signal to WeChat users. Why? Wechat’s plug-ins are encapsulated in jar files and so files in the / assets / preload directory (see attached diagram). Security expert found technical limitation on vcodec2_hls_filter in libvoipCodec_v7a.so. From technical point of view , attacker can be develop attack technique ride on this issue. Stay tuned.

End.