Author: Jonathan Zdziarski

Introduction to iOS Binary Patching (Part 1)

Part of my job as a forensic scientist is to hack applications. When working some high profile cases, it’s not always that simple to extract data right off of the file system; this is especially true if the data is encrypted or obfuscated in some way. In such cases, it’s sometimes easier to clone the file system of a device and perform what some would call “forensic hacking”; there are often many flaws within an application that can be exploited to convince the application to unroll its own data. We also perform a number of red-team pen-tests for financial/banking, government, and other customers working with sensitive data, where we (under contract) attack the application (and sometimes the servers) in an attempt to test the system’s overall security. More often than not, we find serious vulnerabilities in the applications we test. In the time I’ve spent doing this, I’ve seen a number of applications whose encryption implementations have been riddled with holes, allowing me to attack the implementation rather than the encryption itself (which is much harder).

There are a number of different ways to manipulate an iOS application. I wrote about some of them in my last book, Hacking and Securing iOS Applications. The most popular (and expedient) method involves using tools such as Cycript or a debugger to manipulate the Objective-C runtime, which I demonstrated in my talk at Black Hat 2012 (slides). This is very easy to do, as the entire runtime funnels through only a handful of runtime C functions. It’s quite simple to hijack an application’s program flow, create your own objects, or invoke methods within an application. Oftentimes, tinkering with the runtime is more than enough to get what you want out of an application. The worst example of security I demonstrated in my book was one application that simply decrypted and loaded all of its data with a single call to an application’s login function, [ OneSafeAppDelegate userIsLogged: ]. Manipulating the runtime will only get you so far, though. Tools like Cycript only work well at a method level. If you’re trying to override some logic inside of a method, you’ll need to resort to a debugger. Debugging an application gives you more control, but is also an interactive process; you’ll need to repeat your process every time you want to manipulate the application (or write some fancy scripts to do it). Developers are also getting a little trickier today in implementing jailbreak detection and counter-debugging techniques, meaning you’ll have to fight through some additional layers just to get into the application.

This is where binary patching comes in handy. One of the benefits of binary patching is that the changes to the application logic can be made permanent within the binary. By changing the program code itself, you’re effectively rewriting the application. It also lets you get down to a machine instruction level and manipulate registers, arguments, comparison operations, and other granular logic. Binary patching has been used historically to break applications’ anti-piracy mechanisms, but is also quite useful in the fields of forensic research as well as penetration testing. If I can find a way to patch an application to give me access to certain evidence that it wouldn’t before, then I can copy that binary back to the original device (if necessary) to extract a copy of the evidence for a case, or provide the investigator with a device that has a permanently modified version of the application they can use for a specific purpose. For our pen-testing clients, I can provide a copy of their own modified binary, accompanied by a report demonstrating how their application was compromised, and how they can strengthen the security for what will hopefully be a more solid production release.


On Expectation of Privacy

Many governments (including our own, here in the US) would have their citizens believe that privacy is a switch (that is, you either reasonably expect it, or you don’t). This has been demonstrated in many legal tests, and abused in many circumstances ranging from spying on electronic mail, to drones in our airspace monitoring the movements of private citizens. But privacy doesn’t work like a switch – at least it shouldn’t for a country that recognizes that privacy is an inherent right. In fact, privacy, like other components of security, works in layers. While the legal system might have us believe that privacy is switched off the moment we step outside, the intent of our Constitution’s Fourth Amendment (and our basic right, with or without it hard-coded into the Constitution) suggests otherwise; in fact, the Fourth Amendment was designed in part to protect the citizen in public. If our society can be convinced that privacy is a switch, however, then a government can make the case for flipping off that switch in any circumstance they want. Because no one can ever practice perfect security, it’s easier for a government to simply draw a line at our front door. The right to privacy in public is one that is being very quickly stripped from our society by politicians and lawyers. Our current legal process for dealing with privacy misses one core component which adds dimension to privacy, and that is scope. Scope of privacy is present in many forms of logic that we naturally express as humans. Everything from computer programs to our natural technique for conveying third grade secrets (by cupping our hands over our mouth) demonstrates that we have a natural expectation of scope in privacy.


Your iOS device isn’t as encrypted as you think

This should help clear up the common misconception that data is encrypted and secured in iOS. While it’s true that iOS does sport an encrypted file system, that file system is virtually always unlocked from the moment the operating system boots up, as the OS (and your applications) need access to it. Even when the device is locked with your PIN or passphrase, the encrypted file system is readable to the operating system – what this means is that your data is NOT encrypted using an encryption that depends on your password – at least for the most part. Apple adds a second layer of encryption on top of this file system called Data-Protection. Apple’s Data-Protection encryption has the ability to protect a file while the device is locked by encrypting it with a key that is only available when you’ve entered your PIN or passphrase. While a PIN can be brute forced, a passphrase is much stronger.

So what’s the problem? Well, as of even the latest versions of iOS, the only files protected with this secondary encryption are your mail index, the keychain itself, and third party application files specifically tagged (by the developer) as protected with Data-Protection. Virtually everything else (your contacts, SMS, spotlight cache, photos, and so on) remains unprotected. To demonstrate this, I’ve put together a small recipe you can run on your own jailbroken device to bypass the lock screen. You can then use the GUI to browse through all of the data on the device, without ever providing your PIN. The only things you’ll not be able to access are the files I’ve just mentioned. This lock screen bypass isn’t really a vulnerability in and of itself; it’s just one of many ways I can demonstrate to you that you don’t need a passphrase to view a vast majority of the data on your phone.
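The post above says third party files are only passcode-protected when the developer tags them. The following is an added example (it is not code from the original post, and not a recipe of the author's) showing, in Objective-C on the Foundation APIs, how an app opts a file into Data Protection and how to audit a directory for files left at NSFileProtectionNone. The file names, the sample "token" contents and the Documents directory walk are illustrative assumptions. One caveat worth stating plainly: a protection class only binds the file key to the passcode if the user has actually set one; with no passcode, NSFileProtectionComplete gives no additional protection over the always-unlocked file system.

```objective-c
// Added example: Data Protection classes on iOS. Not from the original post.
// Paths, file names and sample contents below are constructed for illustration.
#import <Foundation/Foundation.h>

// Write `data` under the "Complete" class: its per-file key is wrapped with a
// class key derived from the user's passcode, so the file is unreadable while
// the device is locked. Assumption: the device has a passcode set; without one
// the class key is always available and this buys nothing.
static BOOL WriteProtectedFile(NSData *data, NSString *path, NSError **error)
{
    return [data writeToFile:path
                     options:(NSDataWritingAtomic | NSDataWritingFileProtectionComplete)
                       error:error];
}

// Upgrade an existing file's protection class in place. Files created with a
// plain writeToFile:atomically: or fopen() land at NSFileProtectionNone on
// iOS releases of the period described above (iOS 7 later changed the default).
static BOOL ProtectExistingFile(NSString *path, NSError **error)
{
    NSDictionary *attrs = @{ NSFileProtectionKey : NSFileProtectionComplete };
    return [[NSFileManager defaultManager] setAttributes:attrs
                                            ofItemAtPath:path
                                                   error:error];
}

// Return the protection class of a file, or nil if its attributes cannot be read.
static NSString *ProtectionClassOf(NSString *path)
{
    NSError *error = nil;
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path
                                                                           error:&error];
    if (!attrs) return nil;
    return attrs[NSFileProtectionKey] ?: NSFileProtectionNone;
}

// Audit: walk a directory tree and collect every regular file that is not
// bound to the passcode (NSFileProtectionNone, or no protection attribute at all).
static NSArray *UnprotectedFilesUnder(NSString *root)
{
    NSMutableArray *findings = [NSMutableArray array];
    NSDirectoryEnumerator *en = [[NSFileManager defaultManager] enumeratorAtPath:root];
    NSString *rel;
    while ((rel = [en nextObject]) != nil) {
        if (![[en fileAttributes][NSFileType] isEqualToString:NSFileTypeRegular]) continue;
        NSString *cls = ProtectionClassOf([root stringByAppendingPathComponent:rel]);
        if (cls == nil || [cls isEqualToString:NSFileProtectionNone]) {
            [findings addObject:rel];
        }
    }
    return findings;
}

int main(int argc, char *argv[])
{
    @autoreleasepool {
        NSString *docs = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                              NSUserDomainMask, YES) objectAtIndex:0];
        NSError *error = nil;

        // Constructed sample: something the app must not leave readable while locked.
        NSData *secret = [@"session-token=example" dataUsingEncoding:NSUTF8StringEncoding];
        NSString *tokenPath = [docs stringByAppendingPathComponent:@"token.txt"];
        if (!WriteProtectedFile(secret, tokenPath, &error)) {
            NSLog(@"write failed: %@", error);
            return 1;
        }
        NSLog(@"%@ -> %@", tokenPath, ProtectionClassOf(tokenPath));

        // The careless path: written without a class, then fixed up afterwards.
        NSString *cachePath = [docs stringByAppendingPathComponent:@"cache.txt"];
        [secret writeToFile:cachePath atomically:YES];
        NSLog(@"before: %@", ProtectionClassOf(cachePath));
        if (!ProtectExistingFile(cachePath, &error)) {
            NSLog(@"setAttributes failed: %@", error);
        }
        NSLog(@"after:  %@", ProtectionClassOf(cachePath));

        // Anything still reported here is readable without the passcode, exactly
        // the situation the post describes for most of the built-in data stores.
        for (NSString *rel in UnprotectedFilesUnder(docs)) {
            NSLog(@"UNPROTECTED: %@", rel);
        }
    }
    return 0;
}
```

During an assessment the audit walk is the part to reuse: run it against the app's Documents, Library and tmp directories on a test device and anything it reports can be pulled off a locked device by the kind of bypass the post goes on to describe. Choosing NSFileProtectionComplete also means the app cannot touch the file in the background while locked; NSFileProtectionCompleteUnlessOpen or NSFileProtectionCompleteUntilFirstUserAuthentication are the classes to reach for when that access is genuinely needed, at the cost of a weaker guarantee.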


On Mental Health: How Medical Privacy Laws Destroyed Dad

I don’t normally write about such personal topics as family illnesses, but it is my hope that those who have gone through a similarly dark corridor in their life – whether as a result of government control, or just plain ignorant doctors – would know that they are not alone in such frustrations, and to explain to the general oblivious public and incompetent lawmakers the consequences of their actions.


The Dark Art of iOS Application Hacking

I’ll be giving the talk, The Dark Art of iOS Application Hacking at Black Hat 2012 in Las Vegas this July. This workshop will cover many techniques we use to attack iOS applications, and has numerous applications in the security and government fields; everything from pen-testing to forensic hacking and surveillance for national security related…

OnStar Reverses Privacy Decision: Or Did They?

OnStar today announced the reversal of their original decision to keep the customer’s data connection active to their vehicle after canceling service. The verbiage in the press release is ambiguous, however, and poses the question of whether OnStar is going to amend that specific portion of their new terms and conditions, or if they’re scrapping their new terms of conditions entirely.

If OnStar is only modifying this portion of their updated terms and conditions, then a major problem still exists: namely, the updated T&C, scheduled to go into effect in December 2011, would still grant OnStar broad new rights to collect the GPS positioning information about active customers, “for any purpose, at any time” and would still reserve OnStar the rights to sell access to this data to third parties.


OnStar Begins Spying On Customers’ GPS Location For Profit?

I canceled the OnStar subscription on my new GMC vehicle today after receiving an email from the company about their new terms and conditions. While most people, I imagine, would hit the delete button when receiving something as exciting as new terms and conditions, being the nerd sort, I decided to have a personal drooling session and read it instead. I’m glad I did. OnStar’s latest T&C has some very unsettling updates to it, which include the ability to now collect your GPS location information and speed “for any purpose, at any time”. They also have apparently granted themselves the ability to sell this personal information, and other information to third parties, including law enforcement. To add insult to a slap in the face, the company insists they will continue collecting and selling this personal information even after you cancel your service, unless you specifically shut down the data connection to the vehicle after canceling. This could mean that if you buy a used car with OnStar, or even a new one that already has been activated by the dealer, your location and other information may get tracked by OnStar without your knowledge, even if you’ve never done business with OnStar.


National Institute of Justice Validates Zdziarski Method

Rick Ayers at NIST has validated the iPhone forensics tools law enforcement have been using for a few years now. This is quite an honor, not only to know that the tools are considered sound by a government standards entity, but also that this research has been important enough to the community for it to…

A Few Words On Fear

Fear is proof that what you fear hasn’t happened yet; if you still fear it, then the reality of it hasn’t manifested yet, therefore it isn’t real. Fear only exists because of love. You fear one thing because you love something else. Instead of putting so much energy into the fear side of it, why…

Day 14: Last Day of Notes :(

Today is the last day of my notes for the website. If you want to find out what happens the very last week here, you’ll have to attend camp! I can tell you that there is a lot of rehearsal, kung-fu, wing chun, and a whole lot more along with a concert at the end.

Anthony Wellington joined us and taught us about fingerboard patterns. But before he dug in, he addressed the many people noodling in the classroom. “Very few people have the discipline to not play music when they’re supposed to”.


Day 13: Yea, Though I Walk Through The Valley Of The Shadow Of Death…

If I took out a singles ad today, the description would include, “must love long walks in the desert, and getting caught in the wind.” My trip to Vegas ended with a three hour drive to Death Valley, which is in the Mojave Desert across the border in California. The drive there was just as breathtaking as the actual valley itself, which is over 200 ft below sea level: the lowest area of land in the entire United States. I cannot possibly describe the desert in adequate detail. In Vegas, every one of my senses was overloaded and feeding me more information than I could process. The Mojave Desert was quite the opposite. A barren land, very little vegetation or life lives out here. As soon as you exit your vehicle, you’re met with 120 degree winds blowing at your body. The air is as hot as the air inside a dryer, but much more dry. Within a short time, your sense of touch is severely limited by the wind. There are no smells. There is no taste other than the arid air. The only sound is the sound of your own breathing and the wind blowing in your face. No animals to howl. Very few cars to drive by. No cell signal. Being in the desert is a sobering experience that makes you aware of your own mortality as a human. It further makes you realize just how small and dependent on others you are.


Day 12: A Quick Excursion to DefCon

Farewell for just a couple days, Bass/Nature Camp… I’ve got to head to Vegas baby. In just two days, I’ll have flown to Vegas, toured the Las Vegas crime lab (including the Secret Service offices), given pointers to help with an iPhone-related case, and hiked in Death Valley in the Mojave Desert. I’ve never been to Vegas before, and I must say there were plenty of turnoffs to the city, but there were also many amazing things to explore. I barely scratched the surface, but the strip at night has got to be the most lively activity one can do. People are out and walking around everywhere at all hours of the night. Club music is playing everywhere, large volcano shows are going on, fireworks, and much more. What I didn’t care for were all of the losers snapping up a racket trying to hand out tickets for strippers, or the fact that you can’t turn anywhere without seeing some racy advertisement for something sleazy. But if you can ignore that, you can actually have a ton of fun in Vegas at night… just be careful what streets you walk down.

In addition to being jet lagged, as soon as I stepped off the plane, the culture shock of going from the Tennessee countryside to a city like Vegas had already begun giving me anxiety. In Tennessee, we focused on peace and music, and appreciating the stillness of nature and the world around us. Vegas was a sensory overload on all fronts… I heard everything. I smelled everything, I saw more than I wanted to… every single sensory gate in my mind was overloaded and it took a while to clear my head.


Day 11: More Theory, Then VEGAS BABY!

Music theory is the theory of how music works. In other words, music already works without theory. But theory is useful for understanding what made that amazing music you just heard. Theory is broad enough to include any statement, belief, or conception about music. In other words, theory is how someone might analyze why things sound good, but is not the end all to playing well. Music theory is observation. Music came before theory. Music comes from within.

Theory can really come in handy when you’re looking to play something complex. With high caliber musicians, theory can help to make sure that what you have to say fits in with the rest of the conversation. It’s like trying to have a conversation with a handful of rocket scientists. You’ll only be able to say so much if you’ve only mopped the floors in the lab.


Day 10: Every Time I Sing, An Angel Loses Its Wings

Jonelle Mosser is an older woman in her early 50s with a heart still in her 20s. Full of passion for life, music, and singing, Jonelle brings us much more than vocal lessons, but has caused most of us to be able to truly appreciate music in being a human demonstration of the kind of life it gives. I’ve particularly enjoyed her affinity for old gospel from the 20s, 30s, and 40s, and negro spirituals. The wakening of the soul is just as important as the wakening of the heart in making music. Without a soul full of life, music is sterile and without hope.

Jonelle taught us basic breathing technique today for singing. Think of a balloon in a bottle filled with air. As much air as you need to sustain the note, but don’t take huge deep breaths. Lean against a wall with both hands on it and make a plank out of your body – like you were doing pushups on the wall. Breathe bottom to top as you’re headed towards the wall, exhaling. Breathing is one of the most important things needed to phrase properly. As bass players, it’s easy to become detached from our instrument. Don’t be detached from it, and don’t be detached from your audience. Everything has its place and time… including breathing.


Day 9: I Had No Life Today Whatsoever

What most musicians wouldn’t give for just one day packed full of growth. Bob Franceschini: world renowned saxophonist; helped design a new breed of sax for Yamaha. Victor Wooten: most proficient bassist on the planet. JD Blair: drummer for Shania Twain; so tight, they thought someone turned the metronome off during the audition. Not to mention Richard the nature guy, the one dude you’d want to be friends with if you were half eaten by a bear. I get to spend three weeks with this, and much other amazing talent, and have direct access to ask them questions, request demonstrations, or just pal around. If you haven’t signed up for a camp yet, you don’t know what you’re missing. This blog certainly doesn’t do it justice.

I’ve been recovering from heat exhaustion the past 24 hours, so I missed out on some of the festivities last night and early this morning. Our morning kicked off with another nature walk followed by some archery. Quite frankly, I prefer shooting things until they’re dead. I can do that real well. I have no need for toy sticks and rubber bands. Give me a .44 magnum and we’re cool.


Day 8: You Know No Fu! Talk to SiFu!

I know Kung-Fu… and about seven other Japanese words. Victor started out the morning showing us some limbering exercises to build our tendons, in preparation for our SiFu’s visit later on in the week. Victor says once you build a tendon, you never lose it. We approach the martial arts from a defensive perspective, but in many ways it directly relates to bass playing. Today’s session didn’t feel like it was related to anything but pain. As I type this, I’m still tending to swollen body parts that I never knew I had.

The first exercise had us on our knees with our palms faced backwards. Vic showed us a little magic trick: Flip your hand the other way backwards, then rotate it out, and it looks like you’re rotating it a full 360 degrees. Eat your heart out, David Blaine. The next exercise had us lay on our stomach and put all four appendages in the air, like we were a banana. This built our abs, or some other muscle that hurts down there. We then flipped to each side and on our back, balancing only on our center mass with all other body parts up in the air. Next up, calf exercises. Grab a partner’s arm and then push up and down on your calves to raise and lower your legs, without moving the rest of your body. Then spend three minutes raising your leg parallel to the floor and point your foot at the wall. If you’re not in agony by now, pull it to your chest. Finally, grab a partner, take their arm, and alternate round kicks. Try not to kick your partner in the package.


Day 7: Field Trip to Nashville!

Sundays mark a day off at Wooten Woods, so seven of us got together for a field trip to the music city. The first landmark to hit: Pancake Pantry. We were told by several different sources that it is by far the best place to have breakfast in Nashville, and that became apparent when we came across a line wrapped around the corner outside, at about 90 degrees. When asked, random people polled in line explained that it was worth it and we’d be stupid to go somewhere else. About 20 minutes later, we were sitting down. Georgia peach pancakes. Flavorful sausage. Delicious hash browns. Breakfast was insanely filling and ridiculously delicious.

We have two campers visiting from Russia. We call them the cosmonauts… we spent a good part of the day trying to teach them lame lines to pick up American women. It’s slightly entertaining, but entirely unnerving to hear someone with a thick Russian accent trying to say, “How YOU doing?” and then wink. It was even more unnerving trying to put together a story they could use to impress someone, like “I’m really ex-KGB”. We had them practicing on us a bit, and they did get pretty good: “How YOU doin? Nice shoes. Can you show me around Nashville? I’m kind of a big deal. *wink*”


Day 6: Play That Funky Music, White Boy

Have you always suspected the pros had some amazing studio secrets that made their playing reach far beyond scales and modes, and into the realm of impossibility? Pro technique is the Matrix of music. We know it’s there. We’re searching for it. But the secret of the techniques are rarely ever revealed. Instead, we musicians sit in frustration wondering what it takes to play like our heroes. Our heroes have indeed pioneered the way and deserve the pedestal we put them on for finding out the hard way just how to emit great music. Fortunately, we also have men like Vic Wooten and Steve Bailey who are not only pioneers, but generous enough to share their findings with us and show us openly how to dance to the same rhythm and see what they see. Today was the first day of coming into maturity as a musician. I’ll warn you though, you really need to be here to experience these techniques first hand, before you’ll “get” them.


Day 5: You Just Thought You Knew Music

Day five felt like we were introduced to the universe, life, and everything. We were packed with so much music knowledge today, I’m still struggling to grasp onto all of it just to write a reasonable blog entry about it. While previous days at bass/nature camp have been more nature intensive, today was much heavier on the music side. You name it – upright basses, improvisation, theory 101, and advanced techniques all wrapped up in one 100-degree day in where-the-heck-am-I Tennessee.


Day 4: Hot and Sweaty, At No Extra Charge

Day four was much of a blur for a number of reasons. We started out with 90 minutes of what felt like advanced Yoga which both exhausted and rejuvenated me. Our Yoga instructor put us through the gauntlet in the dome, on a day that was approaching about 95 degrees. After an hour and a half of the workout from hell – in a sauna, I felt better than I could imagine. My shorts and shirt were entirely soaked, and I was entirely covered from head to toe in sweat… yet somehow I felt remarkable, as if my body had been through a transformation of sorts. Doing it to some Sheryl Crow made it enjoyable at least. What did we get out of it? We learned how to strengthen our muscles, how to relax, and how to breathe. All things critical to a bass player.

After Yoga, we had three classes back to back along with a bunch of exercises. The first class was with Victor: the power of chromatic scales. Vic had us play the chromatic scales to a groove and taught us how to make it sound like a solo. A few tricks: start a fifth up or down from the root, and start walking back to the root every quarter note. By the time it resolves, it makes for a real pleasing solo to the audience. Also try soloing on the chromatic scale starting a half step below the root for a similar effect. Lastly, start on the flat fifth and work your way up to the ninth. Vic also cleared up some issues I’ve had with chords for years. A lot of chords I’ve tried never sounded quite right, so I’ve been sticking with the ones I’ve read in tabs and such. The secret to great sounding chords is to raise the third of the chord an octave. He also showed us some basic chord 101: In any chord with a 7 or above in it, the 7 is minor unless specified as a major. And the third is always major unless it’s specified as a minor.

