The phone in the PDA: Pocket PC Phone edition security

Job de Haas <[email protected]>

May 15th, 2003, Black Hat Amsterdam

Overview

• What is Pocket PC Phone edition.
• Some horror scenarios.
• Features versus flaws.
• Tools of the trade.

PDA Operating Systems

• Palm
  – PalmOS
• Symbian
  – Alliance: Nokia, Sony-Ericsson, Motorola etc.
• Microsoft
  – Pocket PC / Windows CE

Pocket PC

• Windows CE / Embedded
• Version 3.0, 4.x/.NET in the making
• Broader than PDAs:
  – Automotive
  – Smartphone
• Tuned to small devices with Flash ROM

Pocket PC Phone edition

• Major implementation by HTC
• StrongARM & TI GSM part
• Multiple brands

Other developments

• Smartphone also made by HTC
• Mainly branded as Orange SPV
• Even buggier than XDA

Internals

• StrongARM 206 MHz processor running WinCE 3.0
• TI HERCOM chipset (OMAP predecessor) running Nucleus (with a G23 GSM stack by former Condat AG)

Block diagram

(figure only)

WinCE part

• The part running WinCE is very similar to iPAQ (earlier models also by HTC).
• It contains a boot-loader that can be entered by pressing power-on while resetting.
• Communicates with the phone part over a serial line.

HERCOM / OMAP

• Combined ARM & DSP core.
• Provisions for typical phone interfaces such as SIM card.
• Stand-alone from the Pocket PC processor.

General impression

• The product as a whole is immature. (hey, what's new?)
• Pocket PC and the apps added for the phone edition show a complete lack of understanding of phone usage:
  – Names are not shown on incoming SMS.
  – The phone cannot directly be used as a modem.
  – Software running on the device is severely limited by TAPI (FAX software is not supported).

Horror scenarios

• User is CEO in board meeting.
• Attacker sends SMS/MMS with payload.
• Payload turns on GPRS and retrieves main payload.
• Main payload starts recording the microphone and sends it over the Internet.
• Payload shuts down display so the device appears turned off.

Horror scenarios

• Corporate user runs infected application.
• Application stays dormant until ActiveSync.
• Application connects over GPRS to attacker.
• Backdoor path into corporate network is created.

Pocket PC security features

• Password-on-wake-up.
• 'Admin' policy to prevent installation of executables.
• Hooks for virus checking applications.
• Code signing / installation limitations.

Pocket PC typical security flaws

• All applications run in 'Administrator' context, i.e. can access all memory (for XDA).
• No integrated concept with phone: e.g. phone PIN readable from registry.
• 'Non executable protection' can be circumvented by custom apps.

Unlocking

• Is what phone hacking is currently mostly about.
• Although phone memory is only indirectly reachable, research is possible through:
  – ROM image in upgrades.
  – AT commands that give access to memory.
  – Run code in GSM RAM through upgrade process.
• Unlock code is directly readable from GSM ROM:
  – AT%UREG?3FE00C,4

XDA-Manipulator

• A tool that manipulates several GSM parameters through a serial cable.
• Can make a GSM memory dump.
• Is available from: http://www.xda-developers.com

XDA-Manipulator

(figure only)

ARM reversing

• Fairly straightforward instruction set.
• IDA Pro support.
• Free embedded development tools from Microsoft allow remote debugging.
• Linux was ported to iPAQ:
  – Internal knowledge
  – Cross compiling toolchains
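To show what "fairly straightforward instruction set" means in practice, the following added example (not code from the talk, from IDA Pro or from the XDA tools) decodes two of the ARM instruction classes a reverser meets most often on a StrongARM-class device: B/BL branches and data-processing instructions with an immediate operand. It assumes the 32-bit ARMv4 encodings (cond in bits 31..28, the rotated 8-bit immediate, PC reading as instruction address + 8 for branch targets); the four-word code sample and its base address are constructed for the demonstration. It goes a little beyond the slide by handling condition codes and the rotated immediate, which is where hand-decoding usually trips people up.

```python
# Added example: minimal ARMv4 decoder for branches and data-processing
# immediates. Assumption: classic 32-bit ARM state, little-endian code dump.

COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE", "", "NV"]   # index 14 (AL) prints as ""

DP_OPCODES = ["AND", "EOR", "SUB", "RSB", "ADD", "ADC", "SBC", "RSC",
              "TST", "TEQ", "CMP", "CMN", "ORR", "MOV", "BIC", "MVN"]

def ror32(value, amount):
    """Rotate a 32-bit value right by `amount` bits."""
    amount %= 32
    return ((value >> amount) | (value << (32 - amount))) & 0xFFFFFFFF

def sign_extend(value, bits):
    """Interpret the low `bits` bits of `value` as a two's-complement number."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)

def decode_arm(word, pc):
    """Decode one 32-bit ARM word located at address `pc` into assembler text.

    Branch targets are computed as on real hardware: PC reads as pc + 8.
    Instruction classes not covered here are reported as unhandled.
    """
    cond = COND[(word >> 28) & 0xF]
    # Branch: bits 27..25 == 0b101, bit 24 = link flag, bits 23..0 = signed imm24 (word offset)
    if (word >> 25) & 0x7 == 0b101:
        link = (word >> 24) & 1
        offset = sign_extend(word & 0xFFFFFF, 24) << 2
        target = (pc + 8 + offset) & 0xFFFFFFFF
        return f"{'BL' if link else 'B'}{cond} 0x{target:08x}"
    # Data processing, immediate form: bits 27..26 == 00 and I bit (25) == 1
    if (word >> 26) & 0x3 == 0 and (word >> 25) & 1 == 1:
        opcode = (word >> 21) & 0xF
        s_flag = (word >> 20) & 1
        rn = (word >> 16) & 0xF
        rd = (word >> 12) & 0xF
        rotate = (word >> 8) & 0xF
        imm8 = word & 0xFF
        imm = ror32(imm8, rotate * 2)       # 8-bit value rotated right by 2*rotate
        name = DP_OPCODES[opcode]
        if name in ("TST", "TEQ", "CMP", "CMN"):   # compare/test: no Rd, flags always set
            return f"{name}{cond} r{rn}, #0x{imm:x}"
        suffix = "S" if s_flag else ""
        if name in ("MOV", "MVN"):                 # move: no Rn operand
            return f"{name}{cond}{suffix} r{rd}, #0x{imm:x}"
        return f"{name}{cond}{suffix} r{rd}, r{rn}, #0x{imm:x}"
    return f"unhandled (0x{word:08x})"

def disassemble(blob, base):
    """Disassemble a little-endian ARM code blob; returns a list of (address, text)."""
    out = []
    for i in range(0, len(blob) - len(blob) % 4, 4):
        word = int.from_bytes(blob[i:i + 4], "little")
        out.append((base + i, decode_arm(word, base + i)))
    return out

# Constructed sample: four little-endian words at a made-up load address.
SAMPLE_BASE = 0x00010000
SAMPLE_BYTES = bytes.fromhex(
    "0100a0e3"   # MOV r0, #1
    "100080e2"   # ADD r0, r0, #0x10
    "000000eb"   # BL  0x00010010  (pc + 8)
    "feffffea"   # B   0x0001000c  (branch to self)
)

if __name__ == "__main__":
    for addr, text in disassemble(SAMPLE_BYTES, SAMPLE_BASE):
        print(f"{addr:08x}  {text}")
```

Feeding it the sample prints a MOV, an ADD, a BL to the next word and a B to itself. The decoder deliberately stops at these two classes; register-operand data processing, loads/stores and Thumb would each be a similar amount of bit-field work, which is the point of the slide's "straightforward".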

Future outlook

• WinCE .NET
  – More attention to security features.
  – Still not tuned to real-life use.
• Problems of the desktop move to PDA.
• Embedded systems increase the unjustified feeling it will be 'hard' to break in to them.
• More and more developing for embedded systems becomes 'easy'.
  ⇒ increase bad apps, increase attackers.

Resources

• At time of printing the list of resources was not complete, but it can be found at http://www.itsx.com/pocketpc