
May 15th, 2003, Black Hat Amsterdam

The phone in the PDA: Pocket PC Phone edition security

Job de Haas <job@itsx.com>


Overview

• What is Pocket PC Phone edition.
• Some horror scenarios.
• Features versus flaws.
• Tools of the trade.


PDA Operating Systems

• Palm
  – PalmOS
• Symbian
  – Alliance: Nokia, Sony-Ericsson, Motorola, etc.
• Microsoft
  – Pocket PC / Windows CE


Pocket PC

• Windows CE / Embedded
• Version 3.0, 4.x/.NET in the making
• Broader than PDAs:
  – Automotive
  – Smartphone
• Tuned to small devices with Flash ROM


Pocket PC Phone edition

• Major implementation by HTC
• StrongARM & TI GSM part
• Multiple brands


Other developments

• Smartphone also made by HTC
• Mainly branded as Orange SPV
• Even buggier than XDA


Internals

• StrongARM 206 MHz processor running wince 3.0
• TI HERCOM chipset (OMAP predecessor) running Nucleus (with a G23 GSM stack by former Condat AG)


Block diagram


Wince part

• The part running wince is very similar to iPAQ (earlier models also by HTC).
• It contains a boot-loader that can be entered by pressing power-on while resetting.
• Communicates with the phone part over a serial line.


HERCOM / OMAP

• Combined ARM & DSP core.
• Provisions for typical phone interfaces such as SIM card.
• Stand-alone from the Pocket PC processor.


General impression

• The product as a whole is immature. (Hey, what's new?)
• Pocket PC and the apps added for the phone edition show a complete lack of understanding of phone usage:
  – Names are not shown on incoming SMS.
  – The phone cannot directly be used as a modem.
  – Software running on the device is severely limited by TAPI (fax software is not supported).


Horror scenarios

• User is CEO in board meeting.
• Attacker sends SMS/MMS with payload.
• Payload turns on GPRS and retrieves main payload.
• Main payload starts recording the microphone and sends it over Internet.
• Payload shuts down display so the device appears turned off.


Horror scenarios

• Corporate user runs infected application.
• Application stays dormant until ActiveSync.
• Application connects over GPRS to attacker.
• Backdoor path into corporate network is created.


Pocket PC security features

• Password-on-wake-up.
• 'Admin' policy to prevent installation of executables.
• Hooks for virus checking applications.
• Code signing / installation limitations.


Pocket PC typical security flaws

• All applications run in 'Administrator' context, i.e. can access all memory (for XDA).
• No integrated concept with phone: e.g. phone PIN readable from registry.
• 'Non executable protection' can be circumvented by custom apps.


Unlocking

• Is what phone hacking is currently mostly about.
• Although phone memory is only indirectly reachable, research is possible through:
  – ROM image in upgrades.
  – AT commands that give access to memory.
  – Run code in GSM RAM through upgrade process.
• Unlock code is directly readable from GSM ROM:
  – AT%UREG?3FE00C,4


XDA-Manipulator

• A tool that manipulates several GSM parameters through a serial cable.
• Can make a GSM memory dump.
• Is available from: http://www.xda-developers.com


XDA-Manipulator


ARM reversing

• Fairly straightforward instruction set.
• IDA Pro support.
• Free embedded development tools from Microsoft allow remote debugging.
• Linux was ported to iPAQ:
  – Internal knowledge
  – Cross compiling toolchains


Future outlook

• Wince .NET
  – More attention to security features.
  – Still not tuned to real life use.
• Problems of the desktop move to PDA.
• Embedded systems increase the unjustified feeling it will be 'hard' to break into them.
• More and more developing for embedded systems becomes 'easy'.
  ⇒ increase bad apps, increase attackers.


Resources

• At time of printing the list of resources was not complete, but it can be found at http://www.itsx.com/pocketpc
