My Thoughts on Technology and Jamaica: How SGP Technologies survived in the Lion’s Den and how to hack any Blackberry

Tuesday, August 12, 2014

How SGP Technologies survived in the Lion’s Den and how to hack any Blackberry

“Two mobile Black Hat talks were 1000 times more impressive and scarier than my disclosure,” 

CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer tweet about Blackberry Vulnerabilities unveiled at BlackHat in an interview with Ars Technica regarding the alledged Blackphone hacking fiasco at DefCon

Turns out that the Blackphone, which was as being one of the most secure Android smartphones on the planet, isn’t really all that secure.

Based on an initial assessment of the article “The world’s most secure Android phone gets rooted in just 5 minutes”, published Aug 11, 2014 at 11:30 AM by Brad Reed, BGR, the Blackphone allegedly got hacked in less than five minutes by CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer who goes by the twitter handle of @TeamAndIRC.

But as it turns out, Blackberry is being a bit defensive on this one, as their Blackberry smartphone has even more serious vulnerabilities that have been unveiled at the BlackHat Hacker’s Conference.

So what the real story here?

Turns out it’s Blackberry, as they have a secret to hide: their Blackberry can be hacked OTA (Over the Air) as explained in “Blackphone goes to Def Con and gets hacked—sort of”, published Aug 12 2014, 2:07pm EST by Sean Gallagher, ArsTechnica!

Alledged Blackphone Hack – SGP Technologies meets Justin Case at DefCon

SGP Technologies, a 100 man start-up company that make the Blackphone, had sent a delegation to the Def Con Hackers Conference. They actually came into the Lion’s Den with the intent to stir up trouble by seeing who could hack their month-old smartphone, the Blackphone and thus prove via inviting hackers to make an attempt that their smartphone was secure.

They sent a delegation comprising of Silent Circle CTO (Chief Technology Officer) Jon Callas and his sidekick SGP Technologies Chief Security Officer Dan Ford in a bid to basically sell some Blackphones. After all, what better place to get something for your product than at a conference full of the very same people who'd want to test the security of your product.

Sure enough, they got a few curious onlookers who came by the booth, looking at their product offering, asking questions. But when CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer, sauntered by their table and calmly declared that he'd rooted their precious new baby, you could hear a pin drop in DefCon.

That's when the Drama went down......or didn't actually happen, depending on how your understanding and perception of conversations and Body language works.

Jon “Justin Case” Sawyer had just purchased his Blackphone sans an OTA update, as he chose not to enable its connecting to Wi-Fi, as at DefCon, that would be an invitation to getting hacked. So he'd waltzed up the Blackphone booth and in his exchange to the people at the Blackphone Booth, he explained the three vulnerabilities of the Blackphone system. However, the Blackphone vulnerabilities were already well known within the DefCon community as so were the Blackberry's which I’ll get to later.

Because Sawyer hadn't downloaded the latest patch for the Blackphone, he's not known about the fact that Blackphone had already fixed the vulnerabilities the Blackphone had. So when he have them his view on the phone's vulnerabilities to hacking, this problem had ALREADY been solved by SGP Technologies

Also it's good to note here that in order to demonstrate a hack, he'd have to have the phone physically in hand WITH the PIN (Personal Identification Number) for the phone as well as a USB Cable and a Laptop handy.

This suggests that the hacker would have to use some aspect of Social Engineering to persuade the person to hand over their phone and that vital bit of information i.e. just simply stick them up with a Gun or knife or other weapon to get them to give up the information.

Otherwise, it would have been a phone he'd purchased himself using a process no different from installing an Android Launcher on a smartphone as noted in my Geezam article entitled “How to change your smartphone Home Screen and create a Personal Assistant using Android Launchers”.

Blackphone Hack that wasn’t- Anatomy of a Rumour started by a Pro-Blackberry Writer

So how did thus rumour of a five minute hack get started as reported in  “The world’s most secure Android phone gets rooted in just 5 minutes”, published Aug 11, 2014 at 11:30 AM by Brad Reed, BGR?

Because Blogger Brad Reed BGR picked up on a story published by pro-Blackberry Blogger Lucas Atkins of N4BB  who made the claim via his post in “Blackphone Rooted At BlackHat’s DEF CON”, published August 9th 2014 by LUCAS ATKINS, N4BB. Blackberry,  in their near desperation for positive news about their product and negative news about their competition, pounced on the story and went hog wild.

Blackberry is clearly desperate, being as they've been scouring the internet for positive news anywhere they can find it, even from minor league bloggers with very bad grammar such as myself as noted in my blog article entitled “Blackberry blogs positive reviews of Passport as Z3 sells out in India - Blackberry Passport may be their ticket on the Indian Express”.

But how did pro-Blackberry Blogger Lucas Atkins of N4BB get it so wrong, man? Possibly because he doesn’t know how to read Social Cues and Body Language of persons in a conversation, in this case CTO of Applied Cybersecurity LLC Jon “Justin Case” while he was speaking animatedly at the Blackphone booth.

Possibly in a manner similar to how news gets spread, Gossip Girl style, pro-Blackberry Blogger Lucas Atkins of N4BB or someone known to him tipped him off on what was going down at the Blackphone booth when CTO of Applied Cybersecurity LLC Jon “Justin Case” stepped up, thinking they had a solid story.

This someone misread his interaction and reaction when he came over by the Blackphone Booth. After that very bad reading, he probably questioned a few people on what went down and then just published a pro-blackberry Story. Even more sinister, pro-Blackberry Blogger Lucas Atkins of N4BB  may even be on the “take” from Blackberry i.e. getting paid to boost Blackberry's ego by writing “positive” news, even when it wasn't the full details and from dubious Gossip Girl Style Sources!

So using my Monk powers, here’s what happened…..

Apparently while the CTO of Applied Cybersecurity LLC Jon “Justin Case” was at the Blackphone booth, he made his presentation on his hack of the Blackphone, which really took minutes, not under five as other media sources who’ve picked up the story have claimed.

He made his quick presentation on the Blackphone hack, again keeping in mind his lack of an OTA update. Then someone decide to offer him a Blackphone complementary shirt. CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer refused the shirt, being the polite sort of gentleman that his personality exudes by virtue of being so forthcoming with information to Blackphone.

To quote Jon “Justin Case” Sawyer during his recollection of the incident to ArsTechnica, quote: “The shirt was the most impressive part of the hack, considering I had it made in minutes”.

After all, why would his personality compel him to do so, were he not his actions well intended? Plus he's already gotten a shirt with his purchase, a body language posture that suggests that he was quite satisfied with his purchase and was ok, albeit in traditional hacker style, he’d modified his existing shirt to broadcast a different message than what was pre-written!

Good to note here that SGP Technologies is a startup using Open Source code for their secure smartphone called PrivateOS as well as open Source Application provided by Silent Circle. They didn't have any bounty program, just shirts hand out to persons who purchased the smartphone or demonstrated a vulnerability as Jon “Justin Case” Sawyer had done in a few minutes, not five minutes.

To quote SGP Technologies CEO Toby Weir-Jones “Usually, bug bounties are run by larger companies, after they've had time to really tighten down code themselves," he explained. Curiously neither does Blackberry as one would assume that they had one, being as they're not exactly broke”.

Someone saw all this, misinterpreted what they saw, made a blog post, and took the entire Blogging community for a ride, being as few with the exception of ArsTechnica bothered to recheck the facts.

Blackphone Hack – The Social Hack that borders on Kidnapping the Victim for their PIN

How bad is it? Well, according to the article the Blackphone is vulnerable, but not to the extent that some in the industry would like to think.

Ok, with that Gossip Girl Style Drama that’s straight out of hidden camera Reality TV out of the way, how does this vulnerability work exactly?

According to CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer account to ArsTechnica, first you have to have the Blackphone connected directly to a laptop via its USB Cable. Please take note of that; you literally HAVE to have the phone and it’s PIN Number, making this more of a modification than a Hack, really!

Then you boot up the smartphone, enableing the ADB (Android Debug Bridge), which is a fairly standard feature used by Android Developers to gain access to the Smartphone. Nothing strange there, as this gives the users full access to make unauthorized changes to the smartphone!

Jon “Justin Case” Sawyer claims that the fact that ADB is disabled is itself a vulnerability as by enableing full access using this default setting built into Android, it effectively opened up the Blackphone to modification, quote his tweet: “I disagree with [Ford’s] statement that enabling USB debugging when they explicitly disabled the ability to do so is not a vuln”.

SGP Technologies CEO Toby Weir-Jones, tells a different side to the story in a phone conversation with ArsTechnica. He claimed that ADB had to be disabled as there was a bug in Blackphone adopted usage of PrivatOS, their modification of Android OS that is used on the Blackphone.

This Bug causes the smartphone to start rebooting when the phone encryption was turned on. SGP Technologies claims that an upcoming OTA will fix that problem and re-enable ADB, so they'd merely disabled ADB as a precaution. To quote SGP Technologies CEO Toby Weir-Jones: “All we had done was remove the ability to call up the developer menu. We hadn’t isolated the bug yet and had to burn a ROM to ship the first phones.”

Still, this must be very serious as SGP Technologies Chief Security Officer Dan Ford began to get defensive with a Blackphone's blog post in which he defended the move, quote: “Disabling ADB is not a security measure. And was never meant to be — it will be returning in an OTA to Blackphone in the future once the boot bug is resolved; the realities of getting a product manufactured and shipped within the available manufacturing window meant a quick fix was needed. No root or other privilege escalation was required in order for this to be performed”

Ok, so score one for Jon “Justin Case” Sawyer. Now back to the hack that wasn't.

Once the Blackphone was accessible via ADB, the hack then focused on the Blackphone’s remote wipe functionality, now clearly accessible thanks to the fact that the Debugging option came factory-enabled. Thus a hacker could leverage his code and increase his access to the phone's Data, including bypassing encryption, as at that point PrivateOS would assume that he's the owner of the Smartphone.

According to SGP Technologies, an OTA had been issued to patch that bug before his disclosure. So score one for SGP Technologies, especially as Jon “Justin Case” Sawyer Blackphone Wi-Fi while he was at DefCon hadn't been enabled, hence he'd not have known about that update and thus spoke without having full knowledge of what was going down.

But the stickler for me, dear reader, is the last part of the hack, which now takes advantage of the now administrator-level access the hacker now has to the smartphone. As described by Jon “Justin Case” Sawyer, it is, quote “really impractical to hit, and very hard, and very low risk”, suggesting that this is not only a new vulnerability, but implies a level of skill on the part of the hacker to implement. Worse, SGP Technologies hasn't patched the Blackphone for that vulnerability, suggesting that it's STILL hackable....once you've gone through all the steps of course!

Game set match as clearly CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer blow-by-blow account on his Twitter feed is not only factual, but absolve him of this 5 minute wonder.

Kidnapping App Needed – Hackable only AFTER being kidnapped and divulge PIN at Gunpoint

The hack couldn’t have been done under five minutes as advertised, but could only be conducted under extreme duress, not OTA attack via a Femtocell or a grab-and-run scenario. Assuming that the situation is a Grab-and-run by a thief looking to hack the smartphone, the Blackphone is safe.

Otherwise if the thieves are more like kidnappers, then once they have the level of expertise, they can hack the Blackphone and retrieve all its data.....AFTER they've forced the victim to cough up his PIN Number. So it’s hacker proof like any typical smartphone, not kidnapping-and-then-forced-to-cough-up-the-PIN-Number-under-duress proof.

Hopefully the Blackphone has a kidnapping Mode similar to the Samsung Galaxy S5 Emergency Mode to send information so that I can get rescued as explained in my blog article entitled “Introducing the Samsung Galaxy S5 – 16 Megapixel Camera with Fingerprint Scanner and Fitness Tracker is Improved Fun Experience in a better Business Suit”. Otherwise High profile Executives working in, say, a Weapons Contractor might turn their noses up at this smartphone.

Blackberry exposed at BlackHat - Blackberry sweating but Long Hair Positive News hide it

So it’s becoming Crystal Clear to anyone that reads this redacted story.

The Hack that wasn’t was the Blackphone as reported in “The world’s most secure Android phone gets rooted in just 5 minutes”, published Aug 11, 2014 at 11:30 AM by Brad Reed, BGR.

There's a deeper story here though: the lack of serious Developers for Enterprise Grade Applications and Operating Systems and why they don’t make Apps for these former clients of Blackberry.

But there’s an even more troubling story that’s sure to sink the upcoming Passport and Blackberry’s reputation as being unhackable and having Enterprise Grade Security. The real hack, however, took place over by BlackHat, and involved the Blackberry!

Blackberry is susceptible to a Baseband Processor Attack as demonstrated by at Black Hat by Accuvant research scientists Mr. Mathew Solnik and Mr. Marc Blanchou. They took advantage instead not of vulnerabilities in the Operating System but in a universal problem in the firmware of most Smartphone, that being the OTA interface used by Wireless Carriers to perform updates.

This as all Cellphones use a Baseband Processor a SOC (System on a Chip) used to mediate interactions with the Cell Towers of a particular Carrier and perform OTA updates. Surprisingly on some smartphones, the Baseband Processor can access the SSD Drive and SD Card and even gain Root access to the smartphone, making any hack of the Firmware give the hacker total control over the smartphone.

But how did the Accuvant research scientists Mr. Mathew Solnik and Mr. Marc Blanchou at BlackHat perform their Baseband Processor Attack?

Basically the hackers tricked the smartphone by using a Femtocell, which is a mini-portable cell tower as described in my blog article entitled “When in Roam (ing) carry a attocell - SnapDragon and The Tourist” as demonstrated in the video below!

This Femtocell was basically used to trick the smartphone's firmware into thinking that it was connecting to a legitimate Cell Tower to then send the Smartphone an OTA Update. This OTA Update basically made modifications to the Smartphone that would allow a hacker using this duplicate femtocell or even Wi-Fi to gain remote control of the Cellphone.

This hack is very similar to hacking a Car by installing a software update or Trojan virus via a smartphone e.g. an Apple iPhone acting as a vector for the virus. Once synched to the Cars Entertainment System, it would end up accessing the rest of the Cars as it would be connected to the Engine Management system, which in most Cars is on a common Internal Network as described in my blog article entitled “Automotive Security Researchers tell CNN Money Vehicles are hackable - How Vehicle Entertainment Systems are hacked”.

Only in this case, it's done OTA via deceiving the Smartphone that it's communicating with a Cell Tower and receiving a legitimate OTA Update. That OTA update can basically be a Trojan Horse Virus and basically opens up the smartphone like a Hard-Drive connected to a Wi-Fi Modem; once installed, the smartphone can be remotely accessed and controlled via it's Wi-Fi Interface a the video below demonstrates. They were able to not only gain access to Root but also to the Configuration of some iOS devices.

Yes you read that right......Apple iPhones!

What’s more troubling here is that it's not just the BlackBerry Z10 that’s susceptible. A whole laundry list of Google Android Smartphone’s such as the HTC One M7, for example, are susceptible to this hack that takes advantage of the Telecom Providers M2M (machine-to-machine ) interfaces used to do updates and even services such as Mobile Money as described in my blog article entitled “JCCUL get's approval from BOJ to launch their JCUES Mobile Money Platform - JCUES Mobile Money Wolverine (2013) marks the Kick-Ass 2 (2013) beginning of a Cashless Society”.

In fact, it may have implications for Digicel's planned launch of a Mobile Money Service in partnership with ScotiaBank later in the Fourth Quarter of 2014 a describe in my blog article entitled “Digicel to roll out Mobile Money Service in 2014 - Haiti Tcho Tcho Mobile Love is Bringing the Boom with ScotiaBank heralds Cashless Society by 2015” as it implies that persons can hack their phone and gain access to their Mobile Money Accounts.

 So is the Blackphone susceptible to this type of Attack?

Apparently not according Silent Circle CTO (Chief Technology Officer) Jon Callas and his sidekick SGP Technologies Chief Security Officer Dan Ford, who point out that, like the 2014 Audi, the Baseband Processor has no access to the rest of the smartphone, quote: “It’s completely segregated”. Looks like the Blackphone designers made sure that PrivateOS was secure enough to withstand what's basically a hack by a femtocell that's impersonating a legitimate Cell Tower from the Telecom Provider.

Mimicking a Cell Tower is a Technical feat I’d pointed out was possible and may be the source of persons being able to bypass our local Jamaica Telecom Provider Digicel and LIME and make Phone Calls as if they were in Jamaica at local Rates as explained in my blog article entitled “How US$1 Billion is lost from the USF and Telecoms Tax via Inbound International Calling Bypass  - LIME, Digicel and Network Engineer French Connection”.

Blackberrys are quite common in the Developing World, making hackers with the knowledge of how to do this in Jamaica have a field day using it to steal personal information, including pictures and Voice Notes from Blackberrys without even touching the Blackberry.

Suddenly Blackberry is in the spotlight as they’re the ones that are really vulnerable here. Worse this fiasco created by pro-Blackberry Blogger Lucas Atkins of N4BB may have been Blackberrys doing to distract attention from themselves……and the rest of the smartphone crowd.

In fact the Blackberry Passport come September 2014 as announced in my blog article entitled “Blackberry Passport coming in September 2014 - Squaring up again the competition in Portrait and Landscape Mode” may also be vulnerable to this Baseband Attack. It’s definitely not going to be hip to be Square as this hack makes them very oft duplicated  and easily remotely controlled via a Trojan OTA Update from a femtocell masquerading as a real cell tower!

Why do I feel that the Luddite Camp to which I belong as described in my blog article entitled “The Reason why I don't like Smartphones - Location Privacy and How to disable Location Services on Android and iOS” is suddenly getting bigger and bigger?

SGP Technologies Blackphone – Survived spending a night like Daniel in the Lion’s Den

SGP Technologies Blackphone has vulnerability, mainly in their App Store Apps, which have to be assessed, as they can themselves create vulnerabilities making the Smartphone  hackable. Also, there a lack of a physical switch to disable the camera and microphone, as this super secure Smartphone can with the right hack, be turned in a tool to spy on the owner!

This as well as complaints about their 4G LTE Service have to be addressed. Still to their credit SGP Technologies has shown that they're serious about security on their much-touted month-old smartphone product to CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer. By merely even turning up at DefCon, they're basically showed that like Daniel in the Bible, they can spend a night with the Lions in their Den.....and survive.

No comments: