Galaxy S3 Vulnerable to Remote Reset

Ravi Borgaonkar demonstrated a remote factory reset of the Galaxy S3 at the Ekoparty security conference in Argentina. He delivered a reset message via NFC, a web page or a QR code, and the target Galaxy performed a factory reset without asking the user for confirmation.

The demonstration used the factory reset code that lets users reset their own phone by dialing a particular number. The code is “*2767*38XX#” (I have removed part of the code). The reset succeeds when this code is passed to the dialer as a “tel:” URI from any of these remote triggers.

It is not a complicated vulnerability, but it is easy to use for a denial-of-service attack against a user’s smartphone. The mitigation is on the dialer side: a code arriving through a tel: URI should be displayed and require the user’s confirmation rather than being executed automatically. Other manufacturers may have similar reset codes and should review how their dialers handle them.


E2E(End To End) Encryption for Secure Communication

When a user’s PC is compromised by malware, an exploit or an attacker, the attacker can control the PC and obtain the user’s credentials and input data. If the user logs in to a website such as a bank, a mail service or a social networking service (SNS), the login inputs (ID, password, account PIN) can be logged and sent to the attacker.

Focusing on the keylogger problem, there are many types of keyloggers: kernel-mode keyloggers, user-mode keyloggers, COM hooking, DOM hooking, BHO (Browser Helper Object) hooking and other keylogging methods, and keyloggers are continuously developed with more advanced techniques.

To protect users’ PCs from client-side attacks, financial institutions in Korea offer an anti-keylogger, a secure communication solution and a personal antivirus. To prevent keylogging of inputs, they apply E2E (End To End) encryption. This means encrypting significant user inputs, such as passwords, PINs and account information, from the end of the user’s PC (the keyboard device driver) all the way to the application server. Therefore, the plaintext of these inputs is never held by the user’s application or web browser, not even in memory.

E2E is similar to transport security such as SSL; it only extends the client endpoint from the web browser or application down to the device-driver level. If a hardware encryption device is connected between the PC and the keyboard port, E2E can be extended further, to the hardware level.

To adopt E2E on a website (or application), the anti-keylogger and the secure communication solution interact with each other to exchange keys and transfer encrypted data. The anti-keylogger operates in kernel and user mode to protect against keylogging, and the secure communication solution operates in the web browser (or application) and the transport section to secure the transfer.

In the E2E process, first, the anti-keylogger needs an encryption (session) key to encrypt user inputs, so a key is exchanged between the anti-keylogger and the server. Next, the anti-keylogger encrypts the user’s inputs from the keyboard with that key and passes the ciphertext to the secure communication solution. The secure communication solution encrypts the received data again, using the key previously exchanged for communication encryption, and sends the result to the server. The server decrypts the data twice (communication decryption, then anti-keylogger decryption) and only then checks and processes the user inputs.

User inputs protected by E2E are transmitted securely from the keyboard driver to the server, so they never exist as plaintext anywhere between the application and the server.
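The two-layer flow described above, as an added example (it is not code from the original post and not any vendor’s product). The key exchange is modelled as the keyboard-layer module generating a random 256-bit input key and transporting it to the server under the server’s RSA public key with RSA-OAEP; a real anti-keylogger may use a different exchange. Keystrokes are sealed with AES-GCM under that key, with the form field name as authenticated data; the browser-side module seals the result once more under a transport key that stands in for the SSL/TLS session key; the server opens both layers in reverse order. The server key pair, the transport key and the names clientSend, serverReceive and RunE2E are my own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-256-GCM, binds aad, and prefixes the random nonce to the output.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; a wrong key, a wrong aad or any altered byte is rejected.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// clientSend is the PC side: (1) fresh input key wrapped for the server with RSA-OAEP, (2) keystrokes
// sealed at driver level under it, (3) browser-side layer seals again under the transport key (TLS stand-in).
func clientSend(serverPub *rsa.PublicKey, transportKey []byte, field, keystrokes string) (wrappedKey, wire []byte, browserSaw bool, err error) {
	inputKey := make([]byte, 32)
	if _, err = rand.Read(inputKey); err != nil {
		return nil, nil, false, err
	}
	if wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, inputKey, nil); err != nil {
		return nil, nil, false, err
	}
	inner, err := sealGCM(inputKey, []byte(keystrokes), []byte(field))
	if err != nil {
		return nil, nil, false, err
	}
	browserSaw = bytes.Contains(inner, []byte(keystrokes)) // what the browser-side layer actually handles
	wire, err = sealGCM(transportKey, inner, []byte(field))
	return wrappedKey, wire, browserSaw, err
}

// serverReceive decrypts twice: transport layer first, then the input layer with the unwrapped input key.
func serverReceive(serverPriv *rsa.PrivateKey, wrappedKey, transportKey, wire []byte, field string) (string, error) {
	inputKey, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, wrappedKey, nil)
	if err != nil {
		return "", err
	}
	inner, err := openGCM(transportKey, wire, []byte(field))
	if err != nil {
		return "", err
	}
	pt, err := openGCM(inputKey, inner, []byte(field))
	return string(pt), err
}

// RunE2E drives one typed field through both ends; server key pair and transport key are constructed for the demo.
func RunE2E(field, keystrokes string) (browserSaw bool, serverGot string, err error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, "", err
	}
	transportKey := make([]byte, 32)
	if _, err = rand.Read(transportKey); err != nil {
		return false, "", err
	}
	wrappedKey, wire, browserSaw, err := clientSend(&serverPriv.PublicKey, transportKey, field, keystrokes)
	if err != nil {
		return false, "", err
	}
	serverGot, err = serverReceive(serverPriv, wrappedKey, transportKey, wire, field)
	return browserSaw, serverGot, err
}

func main() {
	fmt.Println(RunE2E("password", "correct-horse-battery-staple"))
}
```

The browserSaw result is false: the bytes the browser-side layer forwards never contain the typed input, which is the property the paragraph describes. Because the field name is authenticated data on both layers, a ciphertext relabelled in the browser (for example the PIN submitted as the password field) is rejected on the server, and GCM rejects any modified byte. The transport key is simulated here; in production it is the TLS session key, and the driver-level layer is only as trustworthy as the kernel it runs in.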

But, as you know, attackers continuously develop lower-level keyloggers, such as keyloggers that hook the i8042 keyboard driver, and other bypass methods. Hardware-based E2E offers stronger protection, but it has cost and installation issues. Software anti-keyloggers and E2E need continuous improvement and patching to resist new attacks.

From the news, Visa will launch an encryption service for its merchants to prevent them from storing private and payment information. (Link: Visa to launch encryption service) I think they will apply E2E encryption from the card reader to the application server, and the core payment process will move to the server. (My personal prediction.)

Samsung Galaxy S3 NFC hacked at Mobile Pwn2Own competition

The Samsung Galaxy S3 was hacked via NFC at the Mobile Pwn2Own competition. According to the news, the security company MWR Labs found a vulnerability in the document viewer on the Galaxy S3 and exploited it. It seems that NFC was only the remote trigger used to deliver the shellcode; the actual vulnerability is in the document viewer app. The security of NFC and related services is going to be a hot issue.

Link: Galaxy S3 hacked via NFC at Mobile Pwn2Own competition

The Client Digital Certificates for Financial Services

In Korea, every customer of e-financial services such as banking, stock trading and insurance is required by regulation to use a client digital certificate. Every financial institution offers client digital certificates based on PKI (Public Key Infrastructure) to its users, and many services, such as financial services, e-government services and companies’ internal services, can use the same certificate. The main purposes of the certificate are secure authentication and non-repudiation of financial transactions. Let’s talk about this in more detail.

When a customer wants to use an e-financial service, they need to be issued a digital certificate from the service provider’s website (bank, insurer and so on). The certificate (X.509) contains the user’s and the CA’s (Certification Authority’s) information and the owner’s public key, and it is accompanied by a password-encrypted private key file. Commonly, this information is combined into one or two files, and the user can choose where to save them, such as an HDD or a USB drive. A user can optionally store the certificate in an HSM (Hardware Security Module) that protects it from being removed, copied or otherwise manipulated. (Storing the certificate on a smartcard was reviewed by some financial institutions, but it was dropped because of cost.)

As mentioned above, the purposes of the client certificate are user authentication and non-repudiation of financial transactions. First, user authentication: when a user tries to log in to the service, they load the certificate files with the certificate management application and enter the password. The password decrypts the private key from the key file, and the private key is then used to sign (in RSA terms, “encrypt with the private key”) the user’s identification data from the certificate, such as user name, serial number and expiration date. The signed data is sent to the server, which verifies it with the user’s public key and so authenticates the user. One caveat: a signature over static certificate fields alone could be captured and replayed, so the server should include a fresh challenge (nonce) in the data to be signed.

Second, non-repudiation of financial transactions: when a user transfers money or takes out a loan, they must load the certificate files and enter the password at the end of the service process. The transaction information (user information, account, amount, date and so on) is hashed, the hash is signed with the user’s private key, and the signature is sent to the server together with the transaction information. The server verifies the transaction’s integrity by checking the signature against a hash it computes itself from the transaction information it received, which is what detects any change made in transit. The server then stores the signature together with the transaction data in its database; later, this record can be used to prove that the user authorized the transaction. Because the signature could only have been produced with the user’s private key, the financial institution can show that the user performed the transaction.
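The login and the transaction signing described in the two paragraphs above, as one added example (not the original post’s code and not any Korean CA’s or bank’s implementation). A demo CA issues the customer an X.509 certificate; the customer signs a login challenge and a transfer with the RSA private key (the text’s “encrypting with the private key” is an RSA PKCS#1 v1.5 signature over a SHA-256 hash); the server first checks that the certificate chains to the CA it trusts, then verifies the signature against bytes it serialises itself, and keeps the signed bytes, the signature and the certificate as non-repudiation evidence. The CA name, customer name, account numbers, nonces and all function names are assumptions; the password encryption of the key file and the OTP second factor are not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Transfer is what the customer signs; Nonce comes from the server per transaction so an old signed transfer cannot be replayed.
type Transfer struct {
	User, From, To, Date, Nonce string
	Amount                      int64
}

type Record struct{ Payload, Sig, CertDER []byte } // evidence kept per accepted transfer: exact signed bytes, signature, signer's certificate

// NewKey generates an RSA key; the customer's copy would live password-encrypted on HDD, USB or HSM.
func NewKey() *rsa.PrivateKey {
	return must(rsa.GenerateKey(rand.Reader, 2048))
}

// SignHash is what the post calls "encrypting the hash with the private key": an RSA PKCS#1 v1.5 signature over SHA-256(msg).
func SignHash(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// IssueCert makes a one-day certificate for pub signed by signer; a nil parent yields the self-signed demo CA.
func IssueCert(serial int64, cn string, ku x509.KeyUsage, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	isCA := parent == nil
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: isCA,
	}
	if isCA {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify is the server-side check: cert must chain to a trusted CA and sig over msg must verify under cert's key.
func Verify(roots *x509.CertPool, cert *x509.Certificate, msg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	h := sha256.Sum256(msg)
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return fmt.Errorf("signature does not verify for %q", cert.Subject.CommonName)
	}
	return nil
}

// AcceptTransfer re-serialises the transfer as received and verifies against that (never client-supplied bytes); returns the evidence to store.
func AcceptTransfer(roots *x509.CertPool, cert *x509.Certificate, t Transfer, sig []byte) (Record, error) {
	msg, err := json.Marshal(t)
	if err != nil {
		return Record{}, err
	}
	if err := Verify(roots, cert, msg, sig); err != nil {
		return Record{}, err
	}
	return Record{msg, sig, cert.Raw}, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	caKey, userKey := NewKey(), NewKey()
	ca := must(IssueCert(1, "Demo Financial CA", x509.KeyUsageCertSign, nil, &caKey.PublicKey, caKey))
	user := must(IssueCert(1001, "Hong Gildong", x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment, ca, &userKey.PublicKey, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	chal := []byte("login:" + user.SerialNumber.String() + ":c7f3a") // certificate serial bound to a fresh server nonce
	fmt.Println("login:", Verify(roots, user, chal, must(SignHash(userKey, chal))))
	t := Transfer{User: "Hong Gildong", From: "110-123-456789", To: "220-987-654321", Date: "2012-10-01", Nonce: "t9c01", Amount: 1500000}
	sig := must(SignHash(userKey, must(json.Marshal(t))))
	fmt.Println("transfer accepted, evidence kept:", len(must(AcceptTransfer(roots, user, t, sig)).CertDER) > 0)
	t.Amount = 15000000 // altered in transit after signing
	_, err := AcceptTransfer(roots, user, t, sig)
	fmt.Println("tampered:", err)
}
```

The login challenge carries a server-issued nonce, so a captured signature cannot be replayed against a later challenge. The server never verifies against the client’s own serialisation of the transfer: it re-marshals the Transfer it received, so a changed amount yields a different hash and the stored signature no longer verifies. A self-signed certificate carrying the customer’s name but not issued by the trusted CA fails the chain check before the signature is even examined.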

The security of the client certificate rests on two assumptions: 1) only the user possesses their own certificate and key files, and 2) only the user knows the password that decrypts the private key. So if an attacker can steal the certificate files and log the password, they can manipulate financial transactions as the user. To counter this threat, financial institutions offer multi-factor authentication, such as OTP (One Time Password), and make the certificate issuing process more complicated and secure.