Category Archives: Cell Phone (iPhone, Android, windows mobile)

Reflection – Crafted emoji cause WeChat application (for Android) service crash.

Preface: When mobile computing born, cyber attack (botnet attack) and data leakage rapidly growth. Do you think this is the destiny.

Observation: A proof of concept shown that a technical limitation occurs on TenCent WeChat 7.0.4 (android version). When a stranger send a craft emoji to WeChat user. The WeChat application will be crashed once open the emoji file. The security expert found the following reason:

vcodec2_hls_filter in libvoipCodec_v7a.so in the WeChat application through 7.0.3 for Android allows attackers to cause a denial of service

Refer to attached diagram, the 1st phase of attack should get the IMEI. Perhaps the specify attack has per-requisite. So it let the people feeling that it is only an idea and therefore may not pay attention in high pioritty. But it is an alert signal to WeChat users. Why? Wechat’s plug-ins are encapsulated in jar files and so files in the / assets / preload directory (see attached diagram). Security expert found technical limitation on vcodec2_hls_filter in libvoipCodec_v7a.so. From technical point of view , attacker can be develop attack technique ride on this issue. Stay tuned.

End.

Who is right, who is wrong. Who know?

Preface: Spy Chip Scandal Amplifies Concerns over Huawei’s 5G Equipment on last year (2018).

Doubt – Is it safe to use Huawei phones and should the manufacturer be trusted to make 5G network equipment?

Reality: A flaw discovered in an ASN.1 compiler, a widely used C/C++ development tool, could have propagated code vulnerable to heap memory corruption attacks, resulting in remote code execution. It looks that this technical flaw not resolve yet!

Vulnerability Note VU#790839
Objective Systems ASN1C generates code that contains a heap overflow vulnerability, for more details, please refer to below url for reference.

https://www.kb.cert.org/vuls/id/790839/

What is your decision? I am a mobile phone users, a lot of time I forget about surveillance scandal. But 5G phone it is expensive in the moment, I do not have money to buy!

Does QR Codes can pose a risk to your security and safety?

Preface:
QR codes have become common in consumer advertising. Friendly speaking, it make your finger and mouth more relaxed!

Is the QR code safe?
Most risks with QR Codes stem from QR Codes not being readable to humans. Since the QR codes not being able to easily identify a code as the original where the problems arise. As a result, the mobile application authentication design will be a key factor for security protection.
In addition, malware hidden in the QR-Reader app can infect your smartphone. Malware known as ‘Andr/HiddnAd-AJ’ was able to load itself onto a number of apps designed to read QR-Codes. And compromise your smartp

Realistic:
Even if it involves risk, the modern world likes to take a risky approach. So how to enhance the QR code system security?

Possible ways:

  1. QR code system uses fingerprints and face recognition.
  2. Awareness training
  3. Mobile device management especially patch management and antivirus system.

Should you have interest to find out more, please refer below url for reference:
Security Considerations of Using QR Code – https://www.polyu.edu.hk/its/general-information/newsletter/144-year-2018/feb-18/732-security-considerations-of-using-qr-code

Synopsis- NIST plan to retire SMS function deployed for two Factor Authentication

As of today, we are enjoying the security protection of 2 factor authentication with SMS-based one-time passwords (OTP). This protection mechanism was distributed widely. For instance, online banking, Visa,Master credit card online payment system and mobile application payment system. However NIST plan to retire SMS base 2 factor authentication. This decision has similar a open topic for public discussion in related industry since end of 2016. Some of the people queries of the technical standpoint of this decision.

Background – NIST-800-63-3 equivalent a bible for CSO (chief security officer) in the world. Even though you business not focusing US market.  The documentation structure of NIST SP 800-63A is the subset of 800-63-3. This subset of guidelines was specify address digital identity guidelines. Item 4.4.1.6 indicate the address confirmation including SMS. (below hyperlink for official document download).

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63a.pdf

Reference: Two-factor authentication uses two different factors of below namely, “something you have” (e.g. mobile phones), “something you are” (e.g. fingerprints) or “something you know” (e.g. password), to authenticate a user identity.

SMS messages system design limitation (see below):

  1. SIM swap is a type of phishing fraud that poses a serious threat to mobile phone user. As a result, all calls and texts to the victim’s number are routed to the fraudster’s phone, including one-time passwords
  2. SMS Messages Can Be Intercepted in Many Ways (problem in SS7)
  3. ASN.1 design flaw

Should you have interest of item 2 and 3? Please refer below:

SS7 flaw make two factor authentication insecure – Reveal the veil

 

 

Integrated GPU may allow side-channel and rowhammer attacks – 03 May 2018 | Last revised: 03 May 2018

The side-channel attack looks never ending in CPU world.
So called rowhammer attack jeopardize to the cyber security world today especially smartphone. The worst is that it can altering the information saved in a computer’s memory once attack successful.

An academic paper describes an attack called “GLitch,” which leverages two different techniques to achieve a compromise of a web browser using WebGL (see below url for reference).

https://www.vusec.net/wp-content/uploads/2018/05/glitch.pdf

Impact

The attacker may be able to bypass security features provided by the web browser.

Observation:

Microsoft and Cisco announce that they will intend to integrate New Intel Threat Detection Technology to Help Defend Against Advanced Security Threats last month.
I think they have to consider this technincal problem before click start of their project.

https://newsroom.intel.com/editorials/securing-digital-world-intel-announces-silicon-level-security-technologies-industry-adoption-rsa-2018/

Status:

 

Vendor Status Date Notified Date Updated
Google Affected 16 Mar 2018 03 May 2018
Mozilla Affected 16 Mar 2018 03 May 2018
Microsoft Not Affected 16 Mar 2018 25 Apr 2018
AMD Unknown 16 Mar 2018 16 Mar 2018
Apple Unknown 16 Mar 2018 16 Mar 2018
Arm Unknown 26 Apr 2018
BlackBerry Unknown 16 Mar 2018 16 Mar 2018
Brave Software Unknown 16 Mar 2018 16 Mar 2018
Broadcom Unknown 16 Mar 2018 16 Mar 2018
IBM, INC. Unknown 26 Apr 2018 26 Apr 2018
Imagination Technologies Unknown 16 Mar 2018 16 Mar 2018
Intel Unknown 16 Mar 2018 16 Mar 2018
NVIDIA Unknown 16 Mar 2018 16 Mar 2018
Opera Unknown 16 Mar 2018 16 Mar 2018
QUALCOMM Incorporated Unknown 16 Mar 2018 16 Mar 2018

Realistic threats exists in NFC. Are they all secure?

The mobile payment is aggressive in some sort of area. As seen, it fully utilized in China market. From the economey point of view, this new payment design driven the retail business in parallel. The traditional banknote concept convert to digitalization silently.Is this a prelude of digital currency? The people doubt of the NFC (near field communcation) technology embedded in Visa payment earlier. As times goes by, it is popular today. The new smartphone market similar pushing the NFC techonology into next phase. The new form of payment method integrated both smartphone (iPhone and Android) and payment card with near field communication. How Secure Are NFC Payments? NFC technology comes with a range of security features that help protect financial data from stolen. But are they capable to avoid modern cyber attack? Perhaps if the computer product contains Java programming element. It is hard to avoid vulnerability. As a matter of fact, Java bytecode Verification is a key element in Java world. If this feature applied in the overalll design. It will significant reduce the malware infection because it is not easy to execute the malicious code. Do you have doubt after this discussion?

Firebase Analytics – To be compliance or not to be compliance on personal privacy

Perhaps the scandal of Facebook and awaken people in the world concerning their personal privacy. Meanwhile web surfing behavior is a major element to do the behaviour analytic.  Now we fully understand the influence power of social media platform. However the analytic function not only valid today. Firebase is a mobile and web application development platform developed by Firebase, Inc. in 2011, then acquired by Google in 2014. Google Analytics for Firebase is a free app measurement solution that provides insight on app usage and user engagement. I do a survey on popular mobile application software tonight. The reason I chosen this mobile apps software for evaluation is that it contains a series of new claims services includes insurance claim. It  allow insurance claims pay-out at 7-Eleven (Hong Kong). The result is that the mobile apps pass the compliance requirement. The firebase analytics service disabled for legal reasons. For more details, please refer above diagram for reference.

CVE-2018-3561 – Is this a hiccups or it will maintain longer?

Retrospectively, the annual revenue growth of smartphone chips vendor on 2017 Q3. Samsung is the winner.Qualcomm growth only 23% but apple only growth of 12%. From my personal point of view, even though operating system or vulnerability on iPhone looks mystery. Perhaps it is a business strategy in order to avoid competitor know the details. By the way, Qualcomm techincal design limitation lure my interest. Regarding to the CVE 2017-15834 it proof that there is a vulnerability occur in kernel let it encountered potential heap overflow. But this bug found last year, however I believe that it will continous expose something bad until MDM9615 and MDM9x07 end of life.The MDM9615 appears to be a Qualcomm chip. But apple iPad deployed it. Android phone is the biggest comsumer of MDM9615 and MDM9x07 so far. A new vulnerability identify by US-CERT on Mar 2018 with vulnerability record reference no. CVE-2018-3561.The issue is that Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a race condition in diag_ioctl_lsm_deinit() leads to a Use After Free condition. Stay alert and update your Android phone once patch for security update available.

Do you concerns of your e-wallet?

Electronic wallets play an important role in our daily lives. Perhaps the demand of e-wallet market in Hong Kong cannot compare with Greater China market. However mobile phone itself like computer device will encounter Zero – day. This week I keen my personal interest review the TNG wallet design. I am concerning the vulnerability (CVE-2016-5195) on android OS in past. TNG wallet is able to working with armeabi-v7a and armeabi.

From cyber security perspective, it is highly recommend TNG e-wallet user follow the security advice of mobile phone vendor. It is better to update OS once it is available. For more details, please refer to below diagram for reference.

Undetected malware on android

Preface:

Till 2018-02-01, the official announcement provides the following details.

Security patch level—Vulnerability details

Start discussion:

ART (Android RunTime) is the next version of Dalvik. Unlike Dalvik, ART introduces the use of ahead-of-time (AOT) compilation by compiling entire applications into native machine code upon their installation. Regarding to Android security bulletin on February 2018, the official announcement did not had cyber incident reports of active customer exploitation or abuse of reported issues. But why do security expert said Andorid smartphone system is under cyber attack.

Basic understanding of ART boot sequence (see below diagram for reference)

Zygote is running as UID=0 (root). After forking child process, its UID is changed by setuid system call.

A closer look on above diagram step 4 to step 6 operation flow (see below)

Software/application installation workflow

We heard that Google App store sometimes contains malicious code APK. And such a way compromise the Android OS. Below diagram can explicitly provide an idea how Android download and install a application program in normal way.

Lock down

Refer to above information (3 items of diagrams), we lock down 2 items of components for our investigation.

Zygote – When the application start, the Zygote will be forked, target into 2 units of VM. Since all the core library interconnect with zygote. And therefore both zygote and application sharing the library. The memory will only be copied if the new process tries to modify it.

Even thought the core library is read only. However the copy of memory procedure lure threat actors modifies Zygote system process in the memory to achieve their goal.

How does it works? – The injection code works is that their payload is part of any new process spawned, whereas if you use Frida to inject into Zygote it will stay behind when it calls fork() to become the app to be spawned. (Though technically Frida’s code Frida 9.x) will be part of the newly forked child, but no threads survive the fork except the thread that called fork(), so any hooked functions will call into Frida code (Frida 9.x) in an undefined state.

Summarize of the concept

  1. spawn([“com.android.xxx”]) with the package name.
  2. enable_spawn_gating() and listen to the spawned signal in order to do early compromise of memory address. For more details, please see below information for reference.

Reference: Frida (Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers).

APK – We notice that Google scan the apps on their play store to avoid malicious APK place on their store. However the security expert aware that it is hard to scan the APK which contained the malicious script embedded in APK file. Below example may a old style technique. However we only provides awareness and therefore I quote this example for reference.

The Android ZIP APIs do not prevent directory traversals by default, allowing for a file with a directory traversal in the name to be injected into the ZIP. This allows us to gain an arbitrary write in the context of the app. The zip was injected with a directory traversal that writes inside of the app directory. As a result, the malicious zip files were written in the application’s data directory. You can gain an arbitrary file write primitive. But the Arbitrary File contains risk causes remote code execution. For instance, Mercury Browser for Android is prone to directory traversal vulnerability and a security bypass vulnerability. Exploiting these issues will allow an attacker to bypass security restrictions, perform unauthorized actions and access, read and execute files. Information harvested may aid in launching further attacks.

Recommendation

In order to avoid unforeseen cyber incident encounter. Below details is the recommendation provided by federal government.

Federal Mobile Device Security Recommendations

  1. Create a mobile device security framework based on existing standards and best practices.
  2. Bolster Federal Information Security Modernization Act (FISMA) metrics to focus on protecting mobile devices, applications and network infrastructure.
  3. Incorporate mobility into the Continuous Diagnostics and Mitigation program to address the security of mobile devices and applications with capabilities that are similar to those of workstations, servers and other network devices.
  4. Establish a new program in mobile threat information sharing to address mobile malware and vulnerabilities.
  5. Coordinate the adoption and advancement of mobile security technologies into operational programs to ensure that future capabilities include security and defense against mobile threats.
  6. Develop cooperative arrangements and capabilities with mobile network operators to detect and respond to threats.
  7. Create a new defensive security research program to address vulnerabilities in mobile network infrastructure.
  8. Increase active participation by the federal government in mobile-related standards bodies and industry associations.
  9. Develop policies and procedures regarding U.S. government use of mobile devices overseas.

— End of discussion —