Cupfighter.net

Steve Jobs for Fortune magazine a cc nc nd image from tsevis's Flick stream

By Jean-Baptiste Bédrune and Jean Sigwald

Slides on the HitB Materials page.

This talk is about data security and the iPhone. Almost all iPhone like deices (excluding the iPad2 for the moment) can book usigned code when they are in recovery mode. It is also possible to create acustom ram disk, thee are techniques used by jailbreakers and phone forensics people.

Data in the iPhone is encrypted with either the UID (unique iPhone key) or GID (key unique to each model).

In the iPhone (iOS < 4) the UID key was only used  to facilitate fast wipe (change key, cannot read flash anymore), it did not provide data security. The iPhone 4 was designed with data security in mind. Jean and Jean demonstrate the tools they wrote to get around the data protection of iOS 4

Because the unlock code is used for data security data can be set to be only available when:

• The Phone is unlocked
• After the phone is unlocked for the first time
• Always

In iOS 4 there is an escrow key which allows MobileMe and iTunes to access the phone for backup or passcode reset without unlocking the phone.

The first tool that they developed and demonstrated was the keyChainViewer which can be used to view the contents of keyChain, but not the keys.

Using the built in iOS functions (that use the passwcode) you can actually bruto force the passcode of the phone with a small application on the phone. If you boot the phone from a ram disc you can do this without knowing the passcode. Using the brute forced passcode the keyChain can be read and decrypted.

Next tools where demoed to browse the encrypted filesystem and to decrypt iTunes backup files.

Conclusion of the researchers:

• iOS4 offers far better protection then iOS3
• Mail files (with the exception of exchange) are protected by the passcode this offers additional protection, but it can be obtained if you have the phone

Tools are available on http://code.google.com/p/iphone-dataprotection/

About Jean-Baptiste Bédrune

Jean-Baptiste works at the Software security R&D team at Sogeti for 4 years. His domains of research include code (un)protection, audit of DRM solutions, applied cryptography, reverse engineering on embedded devices and distributed computing. Jean joined Sogeti in early 2010. His research topics include reverse engineering, embedded devices and smartphones security.

About Jean Sigwald

Jean Sigwald is a security researcher working at Sogeti ESEC R&D lab. His research is mainly focused on smartphones security and the services offered by the network operators.

By Chris Paget

The Room was packed and warning poster where all over the place warning people that cell phone traffic may be intercepted in the area around the talk. Expectations are high at the start of the talk and we were about to find out if they are to be met.

In this presentation Chris is going to intercept cell phone calls, specifically GSM calls. For this purpose he uses what he calls an IMSI catcher. Critical for intercepting calls is the IMSI, the International Mobile Subscriber Identity, think of this as the GSM username. Chris built his IMSI catcher for $1,500 out of open software and open hardware, a fraction of the millions charged for commercial IMSI catchers.

Because handsets always choose the strongest signal and a attacker will always win the battle for this. Since GSM assumes that the network is trusted, the base station dictates the settings, so if the base station wants to disable encryption, the phone will do that. The IMSI catcher does have to not break GSM encryption, it just acts as a base station and tell the phone to disable GSM encryption. In theory the phone could warn of this behaviours, but most sims have this disabled, because it would confuse users.

Because of difference in regulations between the USA and Europe there is a frequency in both spectrums that you can use that is in the HAM radio band and thus governed by the HAM radio regulations and these regulations give enough lead way to run GSM across it without needing a telco license. A HAM radio license allows the use of transmitting power of up to 1500W, a very small fraction of the 0.25W used by Chris during his demo.

Read more…