Overview
Updated: 6/7/14 (*NEW* Detailed Information)
The Mobile Hacking Summit (MHS) is broken down into several modules.
These researchers have disclosed critical application, infrastructure, and OS related mobile flaws throughout the industry. They are part of some of the same teams that bring you your roots/jailbreaks, mobile forensics toolsets, application auditing tools, vulnerability frameworks, OS 0-days, etc.
QUESTIONS
Please email: blake@hotwan.com
SCHEDULE
Day 1:
Intro to Advanced: Mobile Application Audits Advanced iOS Exploitation Advanced Baseband Hacking for iOS devices
Day 2:
Intro to Advanced: Android Exploitation Android Data extraction via Jtag Intro to Advanced: Baseband Hacking for Android devices Intro to Software Defined Radio Attacks against Mobile
MODULES
Module 1: Mobile Application Assessments (Jason Haddix)Are you an auditor of applications? A pentester? This is the section for you! Jason will cover all three arenas of application assessment types (static, dynamic, and binary). He will show you how to streamline your application auditing using new techniques and tools. He will go over the current mobile application assessment toolset and cover which tools are worth your time. The application assessments modules general outline is as follows:
Threat Modeling a Mobile Application
• Spotting valuable data
• Attack scenarios explained
Practical iOS Application Auditing
• Setting up an iOS 7 Pentest environment
• iOS Binary Assessment
• Binary analysis for iOS applications
• Spotting privacy and security concerns without running code
• Security related Class and method inspection
• Corollary to static code analysis
iOS Static Assessment
• Spotting vulns in Objective-c
• Spotting vulns in frameworks
iOS Dynamic Assessment
• Logs, SQLite, Plists, Caches, oh my!
• Injections
• Traffic analysis
• Web service assessment
• The mobile app vuln checklist
• Bypassing headaches
• Advanced hooking, introspection, etc, will be covered in theory but later expanded upon in Jay Freeman’s module
Windows Phone Application Auditing
Module 2: Android Application Assessments (James Fitts)Practical Android Application Auditing
• Setting up the Android testing environment
• Android binary assessments
• Identifying red flags in the AndroidManifest.xml
Android Static Assessment
• Spotting vulnerabilities in the application source code
Android Dynamic Assessment
• Parsing logcat to find vulnerabilities
• Tools of the trade
Module 3: Advanced Mobile Application Assessments (saurik - Jay Freeman)Substrate is a developer library and framework that makes it easy (and, surprisingly, somewhat safe) to perform low-level runtime code modification on applications, whether they are written in C/C++, Objective-C (on iOS), or Java (on Android).
This module will cover using Substrate (on iOS and Android) to inject changes to applications and will use demonstrations of complex use cases (including hooking the middle of functions) where Substrate's feature set makes what would have been a tedious and error-prone task simple enough to support a cottage industry of jailbreak hacks.
Cycript (for iOS) provides a remote console environment to introspect and modify running applications on iOS and Mac OS X. Supporting a hybrid of JavaScript and Objective-C syntax, Cycript makes it easy to explore applications:
• Looking for vulnerabilities
• Logging behavior
• Extracting secrets
While you may have seen this tool covered in other contexts, this module--run by Cycript's developer, saurik--will go into depth on new features of:
• The console
• Language syntax
• Object modelwith the goal of getting the attendee into a position to use more advanced techniques.
Module 4: Advanced iOS Exploitation (Nikias Bassen)This module dives into the internals of the Evasi0n7 Jailbreak for iOS which is an untethered jailbreak for iOS 7 to iOS 7.0.6 for iPhone and iPad users. You will learn about the iOS Security Features and how to defeat them.
Key Learning Objectives
• Understanding iOS Security Features
• Understanding Buffer/Heap/Stack Overflows
• Exploiting iOS applications, services, and the kernel
Prerequisites
• Students should have a basic knowledge and understanding of writing code in python and C as well as familiarity with using the terminal to compile code with gcc. Knowledge of gdb and a basic understanding of ARM assembly is advantageous but not mandatory.
Hardware / Software Requirements
• Students must bring their own laptops running OS X (10.9 preferred) with root access to install software and tools. The latest version of Xcode needs to be installed. For a better hands-on training experience, students are also strongly encouraged to bring a jailbroken iOS 7.x (preferred) or jailbroken iOS 6.x device along with a USB cable - or non-jailbroken iPhone 4, iPod Touch 4th gen with iOS 6.1.2 - iOS 7.0.6 installed or with VALID SHSH blobs to restore to 6.1.2-7.0.6.
Please keep in mind that the devices might lose all it’s data and we are not responsible for any data loss incurred.Topics covered
• Code signing
• Sandbox
• Entitlements
• Stack canaries
• ROP
• (K)ASLR
• Exploit mitigations at boot, user and kernel level
• Reverse engineering and forensics
• Firmware, boot loaders, and kernel decryption
• Application decryption
• Mach-O binary course: file format, entitlements, dynamic library loading
• Return Oriented Programming and tips
• Fuzzing mobile services using python and/or C code
• In-depth userland and kernel security mechanisms and weaknesses
• Exploitation techniques
• Stack based buffer overflows: how to get through stack canaries
• Heap based buffer overflows: heap spraying, heap massage and how to get control
• Write anywhere kind of vulnerabilities
• Kernel Fuzzing (hands-on) : writing a kernel fuzzer from scratch in C
• Discussion of possible vulnerabilities found
• From kernel-land memory corruption to code execution
• From code execution to jailbreak
Module 5: Advanced iOS Baseband Hacking from the Handset (p0sixninja - Josh Hill)Have you ever wished you could hide inside someone’s phone and listen to all their phone calls, read all their text messages, and get access to their real time GPS coordinates? I sure hope not, but let’s just play a little game of hypothetical. Here we’ll explore how and why a dedicated attacker might go about attempting this.
This module will cover from the ground up how to identify, reverse engineer, interact, and fuzz iPhone baseband to find some potential scary vulnerabilities. We will be focusing primarily on iPhone’s Qualcomm basebands (MDM6600, MDM6610, and MDM9615) found in iPhone4 CDMA, iPhone4s, iPhone5, and iPhone5s.
What is a baseband
• What's included in the baseband
• What protections are there from attackersWhat are the attack vectors
• Where can we attack the baseband from
• Why would we even want to attack the basebandHow does the phone talk to the baseband
• MitM communication from device to baseband
• HSIC bus interface
• Enumerating HSIC devicesCommunicating with the primary boot loader
• What is DLOAD mode?
• ETL protocol
• PBL commandsCommunicating with the secondary boot loader
• What is DBL mode?
• Sahara protocol
• DBL commandsCommunicating with the primary operating system
• What is AMSS?
• QMI protocol, services, and commands
• DIAG protocol and commandsWhat fun things can we do with a baseband
• Fuzzing baseband
• PBL Fuzzing
• DBL Fuzzing
• QMI Fuzzing
• DIAG Fuzzing
DAY 2Module 6: Practical Android Exploitation (Jon Sawyer)This module covers practical exploitation of Android devices from denial of service, bootloader unlocking, information disclosure to privilege escalation. We will learn to how to identify weaknesses and backdoors in firmware, and exploit them for our own gain. Past exploits from the trainer and others will be covered. Demo licenses for JEB will be available. Expect a zero-day or two.
Firmware Components:
• Bootloaders
• Trustzone
• Kernel
• Recovery
• Android framework & appsTools:
• JEB (Primary tool used in this session)
• Smali (briefly touched upon)
• dex2jar/JD-Gui (briefly touched upon)
• ApkTool (briefly touched upon)
• OthersVulnerability Sources:
• Carriers
• Chipset manufacturers
• Component manufacturers
• Device manufacturers
• AOSP (Google)Techniques:
• Identifying vulnerabilities
• Exploit developmentFighting Back:
• Defensive development
• Offensive development
• Fighting Analysis
• Staying up to date
Extra: Data Extraction via JTAG, and direct emmc access.
Module 7: Android Baseband Hacking (Subho Halder)This module covers the concept of Android Baseband. We will be covering how to intercept the commands and messages sent to the baseband and decode it. We will be trying to fuzz the Android Baseband using simple tools. We will also be learning how to debug Android Application through JDB (Java Debug Bridge).
• Android Baseband Basics
• MiTM the Android Baseband in the Emulator
• Fuzzing the Android Baseband in the Emulator
• Debugging Android Application through JDB
Module 8: Android Runtime Modification (Subho Halder)This module covers the concept of basic injection and hooking into DEX files and process ID for runtime manipulation. We will also try to find out how these processes are spawned and how we can hook into them to run our own injected script.
• Basics about linux process Injection
• Using Indroid we will try to run our own script
• Basics of DEX class loading
• Using DEX class loading to inject and run our own DEX file
Module 9: Smartphones and Software Defined Radio Attacks (Drew Porter)Software Defined Radio (SDR) Attacks against mobile devices and Cellular Network Manipulation
• Cellular Interception and tracking
• Getting unauthorized mobile devices on military cellular networks
• Manipulation of WCDMA and LTE networks and flaws within these networks.
Who Should Take This Course
• Mobile Application Auditors
• Security Professionals interested in Mobile Security
• Hackers
Student Requirements
• Mac, Linux, Windows experience is helpful.
• Attendees bring their own laptops.
What Students Should Bring
This class will be using iPhones, iPads, Android devices, Macs, and Software Defined Radios such as USRP N2xx.
It is recommended to bring your already rooted / jailbroken devices to class. In some cases, specifically in the iOS realm, a Macbook is suggested (with Xcode and developer tools installed).
Please note: Smartphones / tablets are use-at-their-own-risk. Though unlikely, one such risk is that your device may get 'bricked' in a lab exercise and may not function ever again. Caution will be given for specific labs.
For the host machine, around 100 Gig of drive space is needed or an equivalent USB drive.
Windows 7 and 8.x laptops are supported with the latest version of VMWare. For Macs, use VMFusion.
What Students Will Be Provided With
White Papers, Presentations, labs, unreleased tools and Image. The ThunderCell 2.x VM Image (a cutting edge mobile and radio hacking distribution) will also be provided.
Trainers
Module 1: Jason Haddix (@jhaddix) is a security researcher and consultant at www.securityaegis.com. Jason is also the Director of Penetration Testing at Fortify Software. Jason performs and trains internal candidates on mobile penetration testing, black box web application auditing, network/infrastructural security assessments, etc, etc. He also the project leader for the OWASP Mobile Top Ten.
Module 2:James Fitts (@h1ghtopfade) is a Sr. Mobile Application Security Engineer at HP Fortify OnDemand and has been in the industry for over 6 years. As an application security consultant, James performs static and dynamic analysis against mobile applications (primarily Android). Prior to coming to HP, James worked for a large government consulting firm performing network and web assessments against numerous large and small public and private companies.
Module 3: Jay Freeman (@saurik) is the primary developer and community manager of Cydia, a platform for distribution and development of extensions to third-party applications on iOS. Substrate, which is also available on Android, acts as the core of Cydia, providing a library and framework that makes it easy for developers to perform modifications to third-party applications. He also develops Cycript, a popular tool for manipulating and exploring applications on iOS and Mac OS X at runtime using a highly-interactive JavaScript console.
Module 4: Nikias Bassen (@pimskeks) from Evad3rs Jailbreak team is the main developer of libimobiledevice, usbmuxd, and other related projects that form an open source implementation of communication and service protocols for iDevices. He found several flaws and directory traversals in iDevice services that allowed installation of Corona, Rocky-Racoon and the latest iOS 7 jailbreak. Apart from reverse engineering and security research he founded the company samaraIT and is working as an independent consultant, developer, and researcher for international clients.
Module 5: Josh Hill (@p0sixninja) former chief architect of the Chronic Dev Team and member of “The iPhone Dream Team”. He has been an iOS Jailbreaker for more than 6 years. He lead architecture and development of many popular jailbreaking software such as GreenPois0n, Absinthe, and OpenJailbreak. Please pay no attention to the man behind the curtain.
Module 6: Jon Sawyer (@TeamAndIRC) is the CTO of Applied Cybersecurity LLC, a mobile security researcher, a full time advocate for improving the state of Android security and a member of Qualcomm’s CAF’s Security Hall of Fame. “Justin Case” is one of the more prolific publishers of Android vulnerabilities and exploits. Born with a natural curiosity for learning how things work, and a long history of breaking things.
Module 7 and 8: Subho Halder (@sunnyrockzzs) is the Founder of XYSecurity, where he focusses on Android security research, product development and iOS App pentesting. He also enjoys giving talks and trainings on Android and iOS Exploitation in international conferences. His main expertise include Android Malware Analysis and Reversing, writing automated security tools and Android App Pentesting.
Module 9: Drew Porter (@IAmRedShift) Drew “RedShift” Porter is a Senior Security Analyst at Bishop Fox (formerly Stach & Liu). Drew’s current roles include preforming a wide range of RF security assessments, hardware security, and penetration tests of financial and critical infrastructure organizations. Drew’s background stems from developing offensive cellular and cognitive radio systems for DoD agencies, creating man-portable cellular communication platforms for DoD and DHS agencies, and leading cellular security research teams. Drew is a sought after speaker and instructor and has been quoted in multiple publications.
Lead:Blake Turrentine