Csw2016 chaykin having_funwithsecuremessengers_and_androidwear

•

2 j'aime•2,181 vues

CanSecWest

CanSecWest2016

Internet

Having fun with secure
messengers and Android Wear
(and Android Auto)
Artem Chaykin
Positive Technologies
CanSecWest’16

Who I am?
•  Russian hacker / Putin’s agent
•  Mobile application security team lead
•  SCADA Strangelove Team
•  RDot.Org team member

Android IPC basics
•  Private memory for each process
•  Data is passed through kernel module – Binder
•  Intent-based

Intents
•  Intent is an object
•  App1 can send intents to exported components of App2
Intent
Package
name
Component
name
Ac0on Data

Android IPC basics
Binder
App
1
App
N
App
2

Android IPC basics
App1
Binder
IAc/vityManager

Android IPC basics
App1
Binder
IAc/vityManager
App2

PendingIntent
Intent
Iden/ty Permissions
•  getActivity()
•  getService()
•  getBroadcast()

PendingIntent
•  AlarmManager
•  NotiﬁcationManager
•  Identity conﬁrmation

Example 0x2 – PendingIntent hijacking
•  3rd party push services
•  Identity conﬁrmation
Victims:

Android Wear & Android Auto
•  Remote Input class is based on PendingIntent

Example 0x3: Intercepting Victim:
•  Bug:

Example 0x3: Intercepting Victim:
•  Exploit:

Example 0x3: Intercepting
•  Android Auto victims:
•  Android Wear victims:

Fixes
Still no thanks
•  Signal – emailed Moxie – ﬁxed same day – got “thanks”
•  Telegram – emailed security@ - partial ﬁx after ~ 45 days -

Csw2016 chaykin having_funwithsecuremessengers_and_androidwear

Recommandé

分かったうえではじめるCI/CDYuta Matsumura

FridaによるAndroidアプリの動的解析とフッキングの基礎ken_kitahara

Gitlab ci-cdDan MAGIER

[2017 Incognito] 스택 구조 분석을 통한 ROP 기법의 모든 것NAVER D2

Stack pivotsounakano

ネットストーカー御用達OSINTツールBlackBirdを触ってみた.pptxShota Shinogi

Windows container securityDocker, Inc.

GitLab CI/CD パイプラインTetsurou Yano

Recommandé

分かったうえではじめるCI/CDYuta Matsumura

FridaによるAndroidアプリの動的解析とフッキングの基礎ken_kitahara

Gitlab ci-cdDan MAGIER

[2017 Incognito] 스택 구조 분석을 통한 ROP 기법의 모든 것NAVER D2

Stack pivotsounakano

ネットストーカー御用達OSINTツールBlackBirdを触ってみた.pptxShota Shinogi

Windows container securityDocker, Inc.

GitLab CI/CD パイプラインTetsurou Yano

ノンプログラマでも今日から使える「Git」でバージョン管理H2O Space. Co., Ltd.

CODE BLUE 2014 : バグハンターの愉しみ by キヌガワマサト Masato KinugawaCODE BLUE

今なら間に合う分散型IDとEntra Verified IDNaohiro Fujie

いつやるの？Git入門Masakazu Matsushita

Binderのはじめの一歩とAndroidl_b__

The Internals of "Hello World" ProgramNational Cheng Kung University

DevSecOps Jenkins Pipeline -Securityn|u - The Open Security Community

An Abusive Relationship with AngularJSMario Heiderich

ディープラーニングとAppiumでモバイルテスト自動化Nozomi Ito

DevOps with GitHub ActionsNilesh Gule

はじめようGittechscore

Hackfest presentation.pptxPeter Yaworski

iOS Application Penetration Testing for BeginnersRyanISI

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps WhiteSource

アプリの鍵が消える時_Droid kaigi2018ak_shio_555

Git flowの活用事例Hirohito Kato

Offzone | Another waf bypassДмитрий Бумов

Writing External Rsyslog PluginsRainer Gerhards

Gitlab CI/CDJEMLI Fathi

実践 NestJSAyumi Goto

Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerabilityCanSecWest

Csw2016 d antoine_automatic_exploitgenerationCanSecWest

Contenu connexe

Tendances

ノンプログラマでも今日から使える「Git」でバージョン管理H2O Space. Co., Ltd.

CODE BLUE 2014 : バグハンターの愉しみ by キヌガワマサト Masato KinugawaCODE BLUE

今なら間に合う分散型IDとEntra Verified IDNaohiro Fujie

いつやるの？Git入門Masakazu Matsushita

Binderのはじめの一歩とAndroidl_b__

The Internals of "Hello World" ProgramNational Cheng Kung University

DevSecOps Jenkins Pipeline -Securityn|u - The Open Security Community

An Abusive Relationship with AngularJSMario Heiderich

ディープラーニングとAppiumでモバイルテスト自動化Nozomi Ito

DevOps with GitHub ActionsNilesh Gule

はじめようGittechscore

Hackfest presentation.pptxPeter Yaworski

iOS Application Penetration Testing for BeginnersRyanISI

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps WhiteSource

アプリの鍵が消える時_Droid kaigi2018ak_shio_555

Git flowの活用事例Hirohito Kato

Offzone | Another waf bypassДмитрий Бумов

Writing External Rsyslog PluginsRainer Gerhards

Gitlab CI/CDJEMLI Fathi

実践 NestJSAyumi Goto

Tendances (20)

ノンプログラマでも今日から使える「Git」でバージョン管理

CODE BLUE 2014 : バグハンターの愉しみ by キヌガワマサト Masato Kinugawa

今なら間に合う分散型IDとEntra Verified ID

いつやるの？Git入門

Binderのはじめの一歩とAndroid

The Internals of "Hello World" Program

DevSecOps Jenkins Pipeline -Security

An Abusive Relationship with AngularJS

ディープラーニングとAppiumでモバイルテスト自動化

DevOps with GitHub Actions

はじめようGit

Hackfest presentation.pptx

iOS Application Penetration Testing for Beginners

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps

アプリの鍵が消える時_Droid kaigi2018

Git flowの活用事例

Offzone | Another waf bypass

Writing External Rsyslog Plugins

Gitlab CI/CD

実践 NestJS

En vedette

Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerabilityCanSecWest

Csw2016 d antoine_automatic_exploitgenerationCanSecWest

Csw2016 wang docker_escapetechnologyCanSecWest

Csw2016 julien moinard-hardsploitCanSecWest

Csw2016 economou nissim-getting_physicalCanSecWest

Csw2016 song li-smart_warsCanSecWest

Csw2016 macaulay eh_trace-rop_hooksCanSecWest

Csw2016 gawlik bypassing_differentdefenseschemesCanSecWest

Csw2016 evron sysman_apt_reports_and_opsec_evolutionCanSecWest

Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCanSecWest

Csw2016 chen grassi-he-apple_graphics_is_compromisedCanSecWest

CSW2017 Qidan he+Gengming liu_cansecwest2017CanSecWest

CSW2017 Harri hursti csw17 finalCanSecWest

Csw2016 tang virtualization_device emulator testing technologyCanSecWest

CSW2017 Qiang li zhibinhu_meiwang_dig into qemu securityCanSecWest

CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest

Csw2016 freingruber bypassing_application_whitelistingCanSecWest

CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCanSecWest

CSW2017 Scott kelly secureboot-csw2017-v1CanSecWest

CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CanSecWest

En vedette (20)

Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability

Csw2016 d antoine_automatic_exploitgeneration

Csw2016 wang docker_escapetechnology

Csw2016 julien moinard-hardsploit

Csw2016 economou nissim-getting_physical

Csw2016 song li-smart_wars

Csw2016 macaulay eh_trace-rop_hooks

Csw2016 gawlik bypassing_differentdefenseschemes

Csw2016 evron sysman_apt_reports_and_opsec_evolution

Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket

Csw2016 chen grassi-he-apple_graphics_is_compromised

CSW2017 Qidan he+Gengming liu_cansecwest2017

CSW2017 Harri hursti csw17 final

Csw2016 tang virtualization_device emulator testing technology

CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security

CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT

Csw2016 freingruber bypassing_application_whitelisting

CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day

CSW2017 Scott kelly secureboot-csw2017-v1

CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...

Similaire à Csw2016 chaykin having_funwithsecuremessengers_and_androidwear

2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backendAPIsecure_ Official

Mwri security testing-android-with-mercury-2013-04-02Droidcon Berlin

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham

Steelcon 2015 Reverse-Engineering Obfuscated Android ApplicationsTom Keetch

Stealing sensitive data from android phones the hacker wayn|u - The Open Security Community

Man in the Bindernitayart

IoT backend architectureTomasz Tarczyński

DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroidMahmoud Hammad

Document Verification through C-One E-Id - CopyRima Hajou

Outsmarting SmartPhonessaurabhharit

The art of android hackingAbhinav Mishra

The art of android hacking by Abhinav Mishra (0ctac0der)OWASP Delhi

Android village @nullcon 2012 hakersinfo

Android App Security: What (not) to do!Thomas Methlie

I haz you and pwn your maalHarsimran Walia

Manish Chasta - Android forensicsPositive Hack Days

Windows Phone 8 application securityAndrey Chasovskikh

I haz you and pwn your maalc0c0n - International Cyber Security and Policing Conference

Outsmarting smartphonesSensePost

Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon

Similaire à Csw2016 chaykin having_funwithsecuremessengers_and_androidwear (20)

2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend

Mwri security testing-android-with-mercury-2013-04-02

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...

Steelcon 2015 Reverse-Engineering Obfuscated Android Applications

Stealing sensitive data from android phones the hacker way

Man in the Binder

IoT backend architecture

DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid

Document Verification through C-One E-Id - Copy

Outsmarting SmartPhones

The art of android hacking

The art of android hacking by Abhinav Mishra (0ctac0der)

Android village @nullcon 2012

Android App Security: What (not) to do!

I haz you and pwn your maal

Manish Chasta - Android forensics

Windows Phone 8 application security

I haz you and pwn your maal

Outsmarting smartphones

Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao

Plus de CanSecWest

Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest

CSW2017 Geshev+Miller logic bug hunting in chrome on androidCanSecWest

CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest

CSW2017 jun li_car anomaly detectionCanSecWest

CSW2017 chuanda ding_state of windows application securityCanSecWest

CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCanSecWest

CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCanSecWest

CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCanSecWest

CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CanSecWest

CSW2017 Enrico branca What if encrypted communications are not as secure as w...CanSecWest

CSW2017 Mickey+maggie low cost radio attacks on modern platformsCanSecWest

CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CanSecWest

CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CanSecWest

CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershellCanSecWest

Plus de CanSecWest (14)

Csw2017 bazhaniuk exploring_yoursystemdeeper_updated

CSW2017 Geshev+Miller logic bug hunting in chrome on android

CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...

CSW2017 jun li_car anomaly detection

CSW2017 chuanda ding_state of windows application security

CSW2017 Qinghao tang+Xinlei ying vmware_escape_final

CSW2017 Weston miller csw17_mitigating_native_remote_code_execution

CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark

CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...

CSW2017 Enrico branca What if encrypted communications are not as secure as w...

CSW2017 Mickey+maggie low cost radio attacks on modern platforms

CSW2017 Privilege escalation on high-end servers due to implementation gaps i...

CSW2017 Saumil shah stegosploit_internals_cansecwest_2017

CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell

Dernier

Microsoft Azure Arc Customer Deck MicrosoftAanSulistiyo

📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱@Chandigarh #call #Girls 9053900678 @Call #Girls in @Punjab 9053900678

VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698

Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceDelhi Call girls

6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...@Chandigarh #call #Girls 9053900678 @Call #Girls in @Punjab 9053900678

💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋nirzagarg

Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...roncy bisnoi

pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1

Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...SUHANI PANDEY

WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls

"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids

VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023

Real Men Wear Diapers T Shirts sweatshirtrahman018755

20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair

VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698

Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo

Trump Diapers Over Dems t shirts Sweatshirtrahman018755

Thalassery Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call G...Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...SUHANI PANDEY

APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC

Dernier (20)

Microsoft Azure Arc Customer Deck Microsoft

📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱

VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking

Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service

6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...

💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋

Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...

pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf

Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...

WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)

"Boost Your Digital Presence: Partner with a Leading SEO Agency"

VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...

Real Men Wear Diapers T Shirts sweatshirt

20240509 QFM015 Engineering Leadership Reading List April 2024.pdf

VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking

Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available

Trump Diapers Over Dems t shirts Sweatshirt

Thalassery Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call G...

VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...

APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...

Csw2016 chaykin having_funwithsecuremessengers_and_androidwear

1. Having fun with secure messengers and Android Wear (and Android Auto) Artem Chaykin Positive Technologies CanSecWest’16

2. Who I am? •  Russian hacker / Putin’s agent •  Mobile application security team lead •  SCADA Strangelove Team •  RDot.Org team member

3. Android IPC basics •  Private memory for each process •  Data is passed through kernel module – Binder •  Intent-based

4. Intents •  Intent is an object •  App1 can send intents to exported components of App2 Intent Package name Component name Ac0on Data

5. Android IPC basics Binder App 1 App N App 2

6. Android IPC basics App1 Binder IAc/vityManager

7. Android IPC basics App1 Binder IAc/vityManager App2

8. Example 0x1: MobiDM

9. Example 0x1: MobiDM

10. Example 0x1: MobiDM

11. PendingIntent Intent Iden/ty Permissions •  getActivity() •  getService() •  getBroadcast()

12. PendingIntent App1

13. PendingIntent App1 App2 pIntent

14. PendingIntent App1 App2 pIntent

15. PendingIntent App1 App2 pIntent

16. PendingIntent •  AlarmManager •  NotiﬁcationManager •  Identity conﬁrmation

17. Example 0x2 – PendingIntent hijacking •  3rd party push services •  Identity conﬁrmation Victims:

18. Example 0x2 – Victim:

19. Example 0x2 – Victim: •  Exploit:

20. Android Wear & Android Auto •  Remote Input class is based on PendingIntent

21. Android Wear & Android Auto •  Remote Input class is based on PendingIntent

22. Android Wear & Android Auto

23. Android Wear & Android Auto

24. Android Wear & Android Auto Voice reply

25. Example 0x3: Spam Victim: •  Bug:

26. Example 0x3: Spam Victim: •  Bug:

27. Example 0x3: Spam Victim: •  Exploit:

28. Example 0x3: Spam Victim: •  Result:

29. Example 0x3: Spam •  Victims:

30. Example 0x3: Intercepting Victim: •  Bug:

31. Example 0x3: Intercepting Victim: •  Exploit:

32. Example 0x3: Intercepting •  Android Auto victims: •  Android Wear victims:

33. Detecting with Xposed module

34. Fixes Still no thanks •  Signal – emailed Moxie – ﬁxed same day – got “thanks” •  Telegram – emailed security@ - partial ﬁx after ~ 45 days -

35. Microsoft

36. Microsoft

37. Fin! Questions?