BH AMS 2003 itsx (presentation transcript, uploaded August 27, 2007)

The phone in the PDA: Pocket PC Phone edition security
Job de Haas <job@itsx.com>

Overview
- What is Pocket PC Phone edition.
- Some horror scenarios.
- Features versus flaws.
- Tools of the trade.

What is Pocket PC Phone Edition?

PDA Operating Systems
- Palm: PalmOS; no phone type available.
- Symbian: Symbian OS Alliance: Nokia, Sony-Ericsson, Motorola etc.
- Microsoft: Pocket PC / Windows CE

Pocket PC
- Windows CE / Embedded
- Version 3.0, 4.x/.NET in the making
- Broader than PDAs: Automotive, Smartphone
- Tuned to small devices with Flash ROM.

Pocket PC Phone edition
- Major implementation by HTC
- StrongARM & TI GSM part
- Multiple brands

Other developments
- Smartphone also made by HTC
- Mainly branded as Orange SPV
- Even buggier than XDA

General impression
- The product as a whole is immature and shows a lack of understanding of phone usage, for example:
- Names are not shown on incoming SMS, and the SMS API does not support any of the features seen in other mobile phones.
- The phone cannot directly be used as a modem.
- Software running on the device is severely limited by TAPI and the Radio Interface Layer (FAX software is not supported).

Internals
- StrongARM 206 MHz processor running WinCE 3.0
- TI HERCOM chipset (OMAP predecessor) running Nucleus (with a G23 GSM stack by former Condat AG)

Block diagram

Windows CE part
- The part running WinCE is very similar to the iPAQ (earlier models also by HTC).
- It contains a boot-loader that can be entered by pressing the power button while resetting.
- Communicates with the phone part over a serial line.

HERCOM / OMAP
- Combined ARM & DSP core made by TI.
- Provisions for typical phone interfaces such as the SIM card.
- Stand-alone from the Pocket PC processor.

Radio Interface Layer
- An API defined by Microsoft to create an abstract phone interface.
- Based on the GSM AT modem command set.
- Is not public, but was described in detail in a patent application.
- Is used by higher level applications and APIs such as SMS and SIM.

Diagram of RIL in TAPI

Diagram of RIL stub usage
- VSP: Virtual Serial Port

AT commands
- The serial channel is multiplexed between AT commands and other data.
- Viewable with AtDbg.exe or rilcomtmp.exe
- +CMT is incoming SMS.

RIL callbacks
- Translate the AT commands to API format.

Security aspects

Horror scenarios
- User is CEO in board meeting.
- Attacker sends SMS/MMS with payload.
- Payload turns on GPRS and retrieves main payload.
- Main payload starts recording the conversation and sends it over the Net.
- Payload shuts down display so the device appears turned off.

Horror scenarios
- Corporate user runs infected application.
- Application stays dormant until ActiveSync.
- Application connects over GPRS to attacker.
- Backdoor path into corporate network is created.
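The following Python is added here and is not part of the talk. It shows the demultiplexing that the AT commands and RIL callbacks slides above describe: a constructed AtDbg-style serial trace is split into solicited responses and +CMT unsolicited result codes, and each +CMT is turned into a structured incoming-SMS record, the way a RIL callback would hand it to the SMS API. The text-mode +CMT layout is assumed from 3GPP TS 27.005; the trace, timestamp and phone number are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Text-mode +CMT header per 3GPP TS 27.005 (format taken from the spec, not the talk):
#   +CMT: <oa>,[<alpha>],<scts>   with the message text on the following line
CMT_HEADER = re.compile(r'^\+CMT:\s*"([^"]*)",("[^"]*")?,"([^"]*)"')

@dataclass
class IncomingSms:
    originator: str  # <oa>, the sending number
    timestamp: str   # <scts>, service centre time stamp
    text: str

@dataclass
class Demux:
    """Split the multiplexed AT channel into solicited responses and +CMT
    events, as a RIL would before invoking callbacks for the SMS API."""
    responses: List[str] = field(default_factory=list)
    sms_events: List[IncomingSms] = field(default_factory=list)
    pending: Optional[IncomingSms] = None  # +CMT header seen, body line next

    def feed_line(self, line: str) -> None:
        line = line.rstrip("\r\n")
        if self.pending is not None:              # second line of a +CMT URC
            self.pending.text = line
            self.sms_events.append(self.pending)
            self.pending = None
        elif (m := CMT_HEADER.match(line)):       # unsolicited result code
            self.pending = IncomingSms(m.group(1), m.group(3), "")
        elif line and not line.startswith("AT"):  # skip blanks and echoed commands
            self.responses.append(line)           # OK / ERROR / +CSQ: ... etc.

def demux_trace(trace: str) -> Demux:
    d = Demux()
    for line in trace.splitlines():
        d.feed_line(line)
    return d

# Constructed trace in the style of an AtDbg.exe capture; not a real capture.
SAMPLE_TRACE = """AT+CNMI=2,2,0,0,0
OK
+CMT: "+31612345678","","03/05/13,10:42:17+08"
Board meeting moved to 11:00
AT+CSQ
+CSQ: 21,99
OK
"""
```

Running `demux_trace(SAMPLE_TRACE)` yields one IncomingSms event and the three solicited responses, which is the split a debugging tool such as AtDbg.exe lets you observe on the device.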
Feasibility
- Code signing and trusted applications are an OEM choice -> XDA has none.
- Applications have access to everything in the device.
- Main use, risk of trojan horse: Business agenda, calendar, e-mail. Games.

Pocket PC security features
- Password-on-wake-up.
- ‘Admin’ policy to prevent installation of executables.
- Hooks for virus checking applications.
- Code signing / installation limitations.
- Third-party encryption solutions.

Pocket PC typical security flaws
- All applications run in ‘Administrator’ context, i.e. can access all memory. (for XDA)
- No integrated concept with phone: e.g. phone PIN readable from registry.
- ‘Non executable protection’ can be circumvented by custom apps if they were already installed.

Pocket PC typical security flaws
- Startup PIN or Password depends on 2 bits in RAM.
- GPRS connections do not need user confirmation.
- All data is normally unencrypted in RAM and readable from bootloader mode.
- Risks of automatic ActiveSync / no authentication to PC.

Unlocking
- Is what phone hacking is currently mostly about.
- Although phone memory is only indirectly reachable, research is possible through:
- ROM image in upgrades.
- AT commands that give access to memory.
- Run code in GSM RAM through upgrade process.
- Unlock code is directly readable from GSM: AT%UREG?3FE00C,4

Insecure boot loader
- Allows access to a device without passing any access controls.
- Presents a detailed debugging and diagnostics interface.
- Has a special mode to recognize diagnostic SD cards and executes code from them.

Typical bootloader screens

Custom boot loader menu

Custom boot loader menu

Tools of the trade

Microsoft Development
- Embedded Visual Tools: C/C++ compiler. Visual Basic. Remote debugger. Emulator on x86.
- Platform Builder for creating custom ROM images.
- ‘Shared Source’ effort for part of the kernel source.

ARM reversing
- Fairly straightforward instruction set.
- IDA Pro support. http://www.datarescue.com
- Some DLL signatures available.
- Linux was ported to iPAQ: Internal knowledge. Cross compiling toolchains.

XDA Developer tools
- Some custom tools that support analysis of both ROM images and running devices.
- Based on the API used by ActiveSync.
- dumprom that allows extraction of all objects from a ROM image, including those normally not accessible.

XDA-Manipulator
- A tool that manipulates several GSM parameters through a serial cable.
- Can make a GSM memory dump.
- Is available from: http://www.xda-developers.com

XDA-Manipulator

Future outlook
- WinCE .NET: More attention to security features. Still not tuned to real life use.
- Problems of the desktop move to PDA.
- Embedded systems increase the unjustified feeling it will be ‘hard’ to break in to them.
- More and more developing for embedded systems becomes ‘easy’: increase bad apps, increase attackers.

Acknowledgements
- XDA Developers http://www.xda-developers.com
- Itsme http://www.xs4all.nl/~itsme/projects/xda
- Peter van der Spek, for the first wallaby patch tool.

Resources
- At time of printing the list of resources was not complete, but it can be found at http://www.itsx.com/pocketpc