May 15th, 2003, Black Hat Amsterdam
The phone in the PDA
Pocket PC Phone edition security
Job de Haas <[email protected]>
Overview
• What is Pocket PC Phone edition.
• Some horror scenarios.
• Features versus flaws.
• Tools of the trade.
PDA Operating Systems
• Palm
  – PalmOS
• Symbian
  – Alliance: Nokia, Sony-Ericsson, Motorola etc.
• Microsoft
  – Pocket PC / Windows CE
Pocket PC
• Windows CE / Embedded
• Version 3.0, 4.x/.NET in the making
• Broader than PDAs:
  – Automotive
  – Smartphone
• Tuned to small devices with Flash ROM
Pocket PC Phone edition
• Major implementation by HTC
• StrongARM & TI GSM part
• Multiple brands
Other developments
• Smartphone also made by HTC
• Mainly branded as Orange SPV
• Even buggier than XDA
Internals
• StrongARM 206 MHz processor running wince 3.0
• TI HERCOM chipset (OMAP predecessor) running Nucleus (with a G23 GSM stack by former Condat AG)
Block diagram
Wince part
• The part running wince is very similar to iPAQ (earlier models also by HTC)
• It contains a boot-loader that can be entered by pressing power-on while resetting.
• Communicates with the phone part over a serial line.
HERCOM / OMAP
• Combined ARM & DSP core.
• Provisions for typical phone interfaces such as SIM card.
• Stand-alone from the Pocket PC processor.
General impression
• The product as a whole is immature. (hey, what's new?)
• Pocket PC and the apps added for the phone edition show a complete lack of understanding of phone usage:
  – Names are not shown on incoming SMS.
  – The phone cannot directly be used as a modem.
  – Software running on the device is severely limited by TAPI (FAX software is not supported)
Horror scenarios
• User is CEO in board meeting.
• Attacker sends SMS/MMS with payload.
• Payload turns on GPRS and retrieves main payload.
• Main payload starts recording the microphone and sends it over Internet.
• Payload shuts down display so the device appears turned off.
Horror scenarios
• Corporate user runs infected application.
• Application stays dormant until active sync.
• Application connects over GPRS to attacker.
• Backdoor path into corporate network is created.
Pocket PC security features
• Password-on-wake-up.
• 'Admin' policy to prevent installation of executables.
• Hooks for virus checking applications.
• Code signing / installation limitations.
Pocket PC typical security flaws
• All applications run in 'Administrator' context, i.e. can access all memory. (for XDA)
• No integrated concept with phone: e.g. phone PIN readable from registry.
• 'Non executable protection' can be circumvented by custom apps.
Unlocking
• Is what phone hacking is currently mostly about.
• Although Phone memory is only indirectly reachable, research is possible through:
  – ROM image in upgrades.
  – AT commands that give access to memory.
  – Run code in GSM RAM through upgrade process.
• Unlock code is directly readable from GSM ROM:
  – AT%UREG?3FE00C,4
XDA-Manipulator
• A tool that manipulates several GSM parameters through a serial cable.
• Can make a GSM memory dump.
• Is available from: http://www.xda-developers.com
ARM reversing
• Fairly straightforward instruction set.
• IDA Pro support.
• Free embedded development tools from Microsoft allow remote debugging.
• Linux was ported to iPAQ:
  – Internal knowledge
  – Cross compiling toolchains
Future outlook
• Wince .NET
  – More attention to security features.
  – Still not tuned to real-life use.
• Problems of the desktop move to PDA.
• Embedded systems increase the unjustified feeling it will be 'hard' to break in to them.
• More and more developing for embedded systems becomes 'easy'. ⇒ increase bad apps, increase attackers.
Resources
• At time of printing the list of resources was not complete, but it can be found at http://www.itsx.com/pocketpc