[00:00.800 --> 00:02.620] So, what are we going to talk about? [00:02.620 --> 00:07.340] So, the Hacking Team, what is this team? [00:07.340 --> 00:12.200] Then what the Hacking Team created, which is much more interesting. [00:12.380 --> 00:17.280] They had a WebView exploit for Android. [00:17.660 --> 00:19.780] We are going to take a quick look at this. [00:19.780 --> 00:21.600] I'm sure it will be very quick. [00:21.880 --> 00:26.900] Then there will be a little demo of how this could be used in everyday life. [00:26.900 --> 00:32.480] Then there will be the more interesting techniques that the Hacking Team used [00:32.480 --> 00:36.120] to keep this thing under the radar. [00:36.560 --> 00:40.060] And then a quick follow-up. [00:40.060 --> 00:42.340] So, what is the Hacking Team? [00:42.730 --> 00:48.990] Their flagship was this Remote Control System, [00:49.990 --> 00:55.110] which was given exclusively to authorized organizations. [00:55.110 --> 01:00.250] We are talking about state agencies, investigative agencies, [01:00.250 --> 01:06.330] prosecutors and police, depending on who can use this in a given country. [01:07.090 --> 01:11.130] Virtually every operating system had the appropriate agent, [01:11.130 --> 01:15.330] which could be installed or deployed in some way, [01:15.330 --> 01:20.410] and the company provided quite a lot of services and options for this. [01:20.650 --> 01:25.470] Windows, Linux, Mac OS and Android, or mobile in general, [01:25.470 --> 01:30.410] were all implemented on this platform. [01:33.670 --> 01:39.950] They operated with several 0-days, which helped them to be able to use these things.
[01:39.950 --> 01:43.250] We can see that they started in the direction of UEFI, [01:43.250 --> 01:46.650] so at the end they also worked on BIOS rootkits, [01:46.650 --> 01:51.170] and what makes their work particularly interesting and effective [01:51.170 --> 01:56.830] is that these devices were state-supported, [01:56.830 --> 01:58.790] so they could do their work from a fairly good position. [01:59.970 --> 02:04.030] So, for example, devices could be placed at Internet providers, [02:04.030 --> 02:06.490] and with this they could carry out attacks [02:06.490 --> 02:11.730] which an average hacker would not be able to do, [02:11.730 --> 02:15.810] or would not be able to attack from this direction every day. [02:15.810 --> 02:19.190] They also provided such injectors for this. [02:19.790 --> 02:26.690] Why did they appear? Why were they always in the foreground? [02:26.690 --> 02:31.490] It seems that what provides the ammunition for this presentation, [02:31.490 --> 02:33.210] these 400 gigabytes of data, [02:33.210 --> 02:38.670] is due to the fact that human rights activists actively attacked the company, [02:38.670 --> 02:40.690] and the Gamma Group was similar to this, [02:40.690 --> 02:45.210] which was broken into almost the same day, or the very same day, a year ago, [02:50.290 --> 02:53.090] and the data was sprayed out. [02:53.670 --> 02:57.070] So the problem was that, according to their claims, [02:59.590 --> 03:00.950] this software was sold to countries [03:00.950 --> 03:05.070] which, for example, are not democratic, [03:05.070 --> 03:11.150] and was used not against criminals and murderers, [03:11.150 --> 03:13.470] and I do not know who else used these devices, [03:13.470 --> 03:21.450] but against journalists and other democratic countries, [03:21.530 --> 03:25.790] or against people who should not be subject to attacks with such devices. [03:26.650 --> 03:30.810] This probably caused their downfall even now. [03:30.810 --> 03:32.570] But we do not know this.
[03:32.730 --> 03:34.130] This has not been found out yet. [03:34.130 --> 03:37.090] This was the first message that the company put out. [03:37.090 --> 03:41.810] Well, they did not put it out, but they were hit so hard, in every possible way, [03:42.690 --> 03:48.690] and this included the fact that the torrent link was put on their own Twitter page, [03:48.690 --> 03:51.090] through which all their things could be published. [03:51.550 --> 03:53.610] This is a pretty painful move. [03:54.130 --> 03:58.970] Then, following this, like an avalanche on the Internet, [03:58.970 --> 04:05.030] came the articles in which this leaked data, [04:05.030 --> 04:10.070] these 400 gigabytes, was served up with a lot of information. [04:10.070 --> 04:14.150] E-mails and conversations for the non-technical people: [04:14.150 --> 04:17.220] with whom, what, how, [04:17.550 --> 04:24.610] and for the technical people, the so-called technical solutions. [04:24.610 --> 04:27.290] In many cases, 0-day vulnerabilities [04:27.290 --> 04:29.150] and other things. [04:29.150 --> 04:35.290] Here, every manufacturer reacted to these things with their own tools and at their own pace [04:36.050 --> 04:37.890] to fill these gaps. [04:38.710 --> 04:42.290] This also shows that they were able to attack on a fairly large scale, [04:42.910 --> 04:43.850] if it came to that. [04:43.850 --> 04:45.670] So, they had good tools. [04:46.330 --> 04:49.470] It turned out, and it will be mentioned later, [04:49.470 --> 04:52.410] that not all of this was theirs; they bought some of it. [04:53.910 --> 04:54.810] So, what happened? [04:54.810 --> 05:00.890] On the 5th of July, this Twitter message appeared with the torrent link, [05:00.890 --> 05:04.790] and from then on it was possible to access these 400 gigabytes of data, [05:04.790 --> 05:09.750] which contained 53 Git repos, [05:09.750 --> 05:14.530] with all the source code, writings and everything else.
[05:17.170 --> 05:18.830] Six exploits were identified, [05:18.830 --> 05:23.150] among them several Flash, Adobe and Windows ones, [05:23.150 --> 05:29.810] so a lot of things had to be fixed after this. [05:29.810 --> 05:34.390] We can say that this is good, because these were fixed from then on. [05:34.990 --> 05:40.290] And the full documentation of the application was released, [05:40.290 --> 05:44.890] so from then on it was possible to evaluate how they worked, [05:44.890 --> 05:47.790] how this application worked. [05:47.790 --> 05:54.990] And what gave us the biggest ammunition to deal with this [05:54.990 --> 05:56.670] were the e-mails. [05:56.670 --> 06:00.110] So, the company's full e-mail correspondence was there, [06:00.110 --> 06:02.890] so it was clear who they were talking to, [06:02.890 --> 06:06.330] and good stories came out of this. [06:06.430 --> 06:11.370] For example, I don't know if it ever happened before [06:11.370 --> 06:13.670] that it was possible to trace back from such a good and reliable source [06:16.530 --> 06:20.050] what the 0-day market looks like. [06:20.050 --> 06:24.330] So, with the unknown vulnerabilities, [06:24.330 --> 06:27.570] who can you find, how can you trade with them, [06:27.570 --> 06:28.770] how can you make a deal with them? [06:28.770 --> 06:32.230] This is a pretty interesting thing: I have a vulnerability, [06:32.230 --> 06:33.930] if I give it to you, you already know it, [06:33.930 --> 06:37.830] so it is no longer a 0-day in a sense, [06:37.830 --> 06:39.990] so how can you guarantee this, [06:39.990 --> 06:45.870] that if this vulnerability is patched in a day, [06:45.870 --> 06:47.890] then it is practically worthless? [06:48.010 --> 06:50.250] I recommend this article, everyone should read it, [06:50.250 --> 06:51.850] it is very well summarized [06:51.850 --> 06:53.930] who they were in contact with, [06:53.930 --> 06:56.810] how much they were paid, and under what conditions.
[06:59.430 --> 07:04.870] The infrastructure itself was simple: [07:04.870 --> 07:07.970] there was an agent, which was implemented on every platform [07:07.970 --> 07:12.250] where they wanted to be, or where they wanted to provide control. [07:14.850 --> 07:17.450] Infection is the more interesting thing: [07:17.450 --> 07:19.810] if we can infect something, or we are already there, [07:19.810 --> 07:23.290] then we can manage things from a pretty good position, [07:23.290 --> 07:26.810] so this is the most important thing. [07:27.170 --> 07:29.770] They offered several tools. [07:34.070 --> 07:36.170] They have several Melting projects, [07:36.170 --> 07:42.070] the point of which is to combine their agent with legitimate applications; [07:42.920 --> 07:45.570] this was implemented on practically every platform, [07:45.570 --> 07:47.330] starting with Android, [07:47.330 --> 07:50.410] through native Windows applications, [07:50.410 --> 07:51.630] it worked everywhere, [07:51.630 --> 07:59.450] and this Injector, the appliance on the ISP side, [08:00.020 --> 08:01.570] could do this on the fly, [08:01.570 --> 08:03.230] so if you clicked on something, [08:03.230 --> 08:05.870] and the ISP said, you can inject into this, [08:05.870 --> 08:07.210] because it is not signed, [08:07.210 --> 08:09.810] because this will be good for me, [08:09.810 --> 08:11.330] and I can do my job with it, [08:11.330 --> 08:13.370] then it did its job, [08:13.370 --> 08:16.310] and with a slightly modified version, [08:16.310 --> 08:18.730] with a bonus feature, [08:18.730 --> 08:23.230] you got the application as you downloaded it.
[08:23.230 --> 08:28.690] So, these were pretty good things, [08:28.690 --> 08:31.910] and once you have infected the given device, [08:31.910 --> 08:35.950] you have to provide a proxy network, [08:35.950 --> 08:37.670] which they offered, [08:37.670 --> 08:40.130] or the service itself could be built [08:40.130 --> 08:44.330] with these Anonymizer server applications, [08:44.330 --> 08:49.270] which helped to hide the traffic [08:49.270 --> 08:53.170] and so that it could not be seen what was really behind it, [08:53.750 --> 08:59.630] and you could control the infected devices [08:59.630 --> 08:59.910] from a single panel, [08:59.910 --> 09:03.250] collect the evidence, [09:04.090 --> 09:08.310] and monitor the devices. [09:11.350 --> 09:13.050] What I would highlight, [09:13.050 --> 09:14.550] which I liked, [09:14.550 --> 09:17.010] and I think this is a good solution, [09:17.010 --> 09:19.870] well, a good solution, yes, in this industry, [09:19.870 --> 09:22.910] is the Exploit Delivery Network, [09:23.610 --> 09:25.910] which I think is interesting, [09:26.890 --> 09:30.270] which was solved for Windows and Android, [09:30.270 --> 09:35.630] and you could see that they supported one and the other platform [09:35.630 --> 09:35.970] with approximately the same frequency, [09:35.970 --> 09:38.210] so as long as they worked well, [09:38.210 --> 09:41.370] there was no reason to buy a new one or another. [09:41.890 --> 09:44.330] Then it turned out from the reports [09:44.330 --> 09:45.950] that when something was fixed, [09:45.950 --> 09:47.510] they modified it a bit, [09:47.510 --> 09:50.130] and with another 0-day [09:50.470 --> 09:53.390] they were able to fire their little things.
[09:54.250 --> 09:59.010] An infection was almost always a one-shot event, [09:59.010 --> 10:00.370] so they fired it only once, [10:00.370 --> 10:04.150] so it wasn't like a campaign [10:04.150 --> 10:05.690] where there is a link [10:05.690 --> 10:07.390] and they send it out together, [10:07.390 --> 10:10.150] and if they find what they need, [10:10.150 --> 10:12.470] they can open it many times, right? [10:12.470 --> 10:14.510] Here there is a dedicated URL [10:14.510 --> 10:16.990] which needs to be sent to the target. [10:16.990 --> 10:20.370] This can be either in an SMS, [10:20.370 --> 10:21.890] crafted into an MMS, [10:21.990 --> 10:24.950] an e-mail, or from the ISP side, [10:24.950 --> 10:26.730] to the right place, [10:27.530 --> 10:30.290] to reach the client's page, [10:30.290 --> 10:32.310] to get it opened in some way. [10:33.850 --> 10:38.190] It was limited in how many times it can be opened [10:38.190 --> 10:39.950] and in what order. [10:39.950 --> 10:41.270] So, in an exploit, [10:41.270 --> 10:43.910] it is not one URL or one thing, [10:43.910 --> 10:45.510] but several sources, [10:45.510 --> 10:47.550] several things need to be called. [10:47.550 --> 10:48.870] This was also linked [10:48.870 --> 10:50.770] to the order in which it can be done. [10:50.770 --> 10:52.810] This also guaranteed, [10:52.810 --> 10:53.830] or ensured, [10:53.830 --> 10:56.670] that only in the way the exploit normally works [10:56.670 --> 10:57.510] can it be run. [10:57.510 --> 10:58.990] Otherwise, it doesn't matter. [10:58.990 --> 11:00.490] So, you don't have to look at this. [11:00.490 --> 11:02.830] This can only be run in one form. [11:03.050 --> 11:05.230] You don't have to deal with it in any other way. [11:06.450 --> 11:09.470] The implementation itself is extremely simple. [11:09.470 --> 11:11.410] They used the HTTPD service.
[11:11.410 --> 11:14.030] It was a PHP, or a downloader PHP, [11:14.030 --> 11:16.230] which ran the whole thing, [11:16.230 --> 11:17.690] and each file [11:17.690 --> 11:19.550] which they wanted to serve [11:19.550 --> 11:20.330] had an INI file [11:20.330 --> 11:22.250] with a random name, [11:22.250 --> 11:24.690] and in this they wrote down [11:25.350 --> 11:26.230] the things: [11:26.230 --> 11:27.610] when, for how long, [11:27.610 --> 11:28.470] and under what circumstances [11:28.470 --> 11:29.970] it can be opened. [11:30.970 --> 11:32.310] And this guaranteed [11:32.310 --> 11:33.470] that the exploit would end [11:34.350 --> 11:36.590] as it should end. [11:37.070 --> 11:38.990] So, for example, in this case, [11:38.990 --> 11:40.790] this crafted URL, [11:40.790 --> 11:42.810] which we somehow get opened [11:42.810 --> 11:46.290] at the victim, [11:46.290 --> 11:49.010] is resolved with this INI file, [11:49.010 --> 11:50.370] where it checks [11:52.050 --> 11:53.790] if the request is valid, [11:53.790 --> 11:55.110] if it can be served, [11:55.110 --> 11:57.130] if the user-agent is correct, [11:57.130 --> 11:57.950] and if it is, [11:57.950 --> 12:01.330] then it will return the Go file, [12:01.330 --> 12:03.230] where the exploit starts, [12:03.230 --> 12:04.810] and immediately refreshes [12:04.810 --> 12:07.170] the files containing the exploit, [12:07.170 --> 12:08.890] so that within 5 minutes [12:08.890 --> 12:10.450] the other files can be returned. [12:10.770 --> 12:12.610] But only in this form. [12:12.610 --> 12:13.910] Otherwise, no.
[12:14.170 --> 12:16.010] And when it looks at the other files, [12:16.670 --> 12:17.410] it sees: [12:17.410 --> 12:19.230] okay, this is the file, [12:19.230 --> 12:20.450] this is the .ini [12:20.450 --> 12:22.730] where the description is, [12:22.730 --> 12:25.450] so this is currently in a runnable state, [12:25.450 --> 12:27.910] so we need to run a Python script, [12:27.910 --> 12:28.990] so exit, [12:28.990 --> 12:30.410] we need to run stage4, [12:31.010 --> 12:34.510] and what will be the output of the thing? [12:34.510 --> 12:36.410] So this will be a JavaScript. [12:36.690 --> 12:38.390] So they were able to regulate [12:38.390 --> 12:39.970] that the exploit only runs [12:39.970 --> 12:42.190] in the given timeframe. [12:43.530 --> 12:45.310] Here it is a little more detailed, [12:45.310 --> 12:47.090] so you can see how many hits there are, [12:47.090 --> 12:50.070] so how many times the page can be reached, [12:50.070 --> 12:51.690] what the time frame is [12:51.690 --> 12:53.330] until it can be opened, [12:53.330 --> 12:56.050] so these were also very limited, [12:56.050 --> 12:57.550] so that it is not the case that [12:58.830 --> 13:01.010] someone other than the right person opens it, [13:01.610 --> 13:03.770] or the address gets further analyzed. [13:07.190 --> 13:08.870] What kind of user agent? [13:08.870 --> 13:10.670] Actually, this is the point here. [13:10.670 --> 13:13.230] So 534.30, this was the WebKit [13:13.230 --> 13:16.210] that they supported on Android, [13:16.210 --> 13:21.250] and, by the way, how to evaluate the response. [13:23.790 --> 13:27.250] Okay, what did the agent look like?
[13:28.190 --> 13:29.770] The fact that they can run these things [13:30.490 --> 13:32.390] to the end, [13:32.390 --> 13:34.850] save a screenshot, [13:34.850 --> 13:37.990] collect all kinds of data, [13:37.990 --> 13:38.970] this requires root, [13:38.970 --> 13:40.730] so it is completely understandable [13:40.730 --> 13:43.970] that if we install a normal Android application, [13:44.510 --> 13:45.690] we will not be able to solve this, [13:45.690 --> 13:46.430] so in any case [13:46.430 --> 13:47.830] we need to get some extra rights. [13:50.010 --> 13:51.690] After the exploitation [13:52.250 --> 13:54.510] we already get the root right, [13:54.510 --> 13:55.790] or at least we had to get it, [13:55.790 --> 13:57.470] because we could not install the application [13:58.230 --> 14:00.790] without the user's consent, [14:00.790 --> 14:02.590] so if we already have the root right, [14:02.590 --> 14:07.790] then they installed a root service, [14:07.790 --> 14:08.510] so they did not use su [14:08.510 --> 14:11.110] or some traditional thing, [14:11.110 --> 14:13.650] but developed their own [14:15.310 --> 14:16.710] helper application, [14:16.710 --> 14:18.130] and I will show you [14:18.130 --> 14:21.290] what nice services they added to it, [14:21.290 --> 14:23.130] and this was what gave them [14:23.130 --> 14:24.630] the extra rights. [14:24.950 --> 14:26.970] So, for example, the application, [14:26.970 --> 14:28.030] when it is installed, [14:28.030 --> 14:30.110] has almost no rights, [14:30.110 --> 14:32.650] but with the help of this [14:32.650 --> 14:35.030] it can give itself permissions [14:35.430 --> 14:37.090] without any shame, [14:37.090 --> 14:40.170] and if it needs new ones [14:40.170 --> 14:40.490] after an update, [14:40.490 --> 14:42.910] then it gives them to itself.
[14:43.090 --> 14:44.830] What is also interesting [14:44.830 --> 14:44.950] is that they hooked themselves [14:44.950 --> 14:47.490] into the media service, [14:47.490 --> 14:49.790] which means that it does not matter [14:49.790 --> 14:50.810] what kind of application we use [14:50.810 --> 14:53.070] and how we communicate, [14:53.070 --> 14:54.250] because somehow the sound [14:54.250 --> 14:55.790] has to go into the device, [14:55.790 --> 14:57.090] and somehow it has to come out. [14:57.090 --> 14:58.810] If I want to make a phone call, [14:58.810 --> 14:59.030] it does not matter [14:59.030 --> 15:00.250] what kind of application [15:00.250 --> 15:00.950] is in between. [15:00.950 --> 15:01.090] It does not matter, [15:01.090 --> 15:04.470] if I hook into the media service, [15:04.470 --> 15:05.590] then I can tap the input and output [15:05.590 --> 15:07.650] in the right place, [15:07.650 --> 15:09.570] and I can really control [15:09.570 --> 15:11.650] all the sound in and out. [15:11.650 --> 15:12.850] So it does not matter [15:12.850 --> 15:14.410] what kind of applications [15:14.410 --> 15:16.910] and what kind of encryption they use, [15:16.910 --> 15:18.410] because I do not attack this side. [15:19.630 --> 15:21.070] And by the way, [15:21.070 --> 15:22.470] the databases of all popular [15:22.470 --> 15:26.730] applications were nicely [15:27.990 --> 15:28.810] parsed, [15:28.810 --> 15:30.090] and they were able to extract [15:30.090 --> 15:31.510] the appropriate data [15:31.510 --> 15:34.230] that would be interesting. [15:34.230 --> 15:36.790] Here is the application itself; [15:36.790 --> 15:37.770] in the newer version it was called [15:37.770 --> 15:40.110] DDF, before that RealCAP, [15:40.110 --> 15:41.810] which is basically the same.
[15:42.850 --> 15:44.790] And this was inserted [15:44.790 --> 15:47.090] into /system/bin, [15:47.510 --> 15:48.070] and if you called the right [15:48.070 --> 15:50.530] connector, then the right [15:51.330 --> 15:53.170] service could be reached. [15:53.390 --> 15:55.350] So let's say, [15:55.350 --> 15:56.770] I do not know, [15:56.770 --> 15:57.190] I could start a root shell [15:57.190 --> 16:00.230] with QZS, and it would [16:00.520 --> 16:01.370] interactively run [16:01.370 --> 16:04.330] with the rights that it wanted, [16:04.330 --> 16:05.370] or if it wanted to register [16:05.370 --> 16:08.610] an application as an administrator, [16:08.610 --> 16:09.170] then it would do so, [16:09.170 --> 16:10.710] or it could be practical [16:10.710 --> 16:12.190] to search for content [16:13.110 --> 16:14.710] from anywhere, [16:14.710 --> 16:15.910] regardless of the rights, [16:15.910 --> 16:17.750] then this could be searched [16:17.750 --> 16:19.430] for evidence. [16:20.990 --> 16:23.830] What is even nicer, [16:23.830 --> 16:26.210] here you can [16:26.210 --> 16:27.990] mount /system [16:28.150 --> 16:29.810] writable with a single command, [16:29.810 --> 16:31.790] and then I change [16:31.790 --> 16:34.070] the system as I like, [16:34.070 --> 16:36.190] so this is very pleasant. [16:37.450 --> 16:39.190] The exploit itself, the WebView exploit [16:39.190 --> 16:40.990] they used to [16:40.990 --> 16:44.110] install the agent [16:44.110 --> 16:44.950] on Android, [16:44.950 --> 16:46.490] this is a pretty [16:46.490 --> 16:49.410] well-organized exploit. [16:49.410 --> 16:53.810] They combined three [16:53.810 --> 16:55.230] things to be able to [16:55.230 --> 16:56.990] run this thing. [16:57.470 --> 16:59.310] The exploit and the installation [16:59.310 --> 17:01.710] consist of two steps.
[17:01.710 --> 17:02.950] The first one is to [17:02.950 --> 17:05.350] run code, this is what [17:05.350 --> 17:06.570] the WebView was used for, [17:06.570 --> 17:07.490] and the second one is [17:07.490 --> 17:08.590] the local root, [17:08.590 --> 17:11.230] for which [17:12.910 --> 17:15.150] they didn't use a 0-day [17:15.150 --> 17:16.650] or anything else, [17:16.650 --> 17:18.290] they used the existing [17:19.570 --> 17:20.970] code. [17:20.970 --> 17:23.050] This can be seen in the source code, [17:23.050 --> 17:24.110] how they copied [17:24.110 --> 17:26.870] these things and changed them. [17:26.870 --> 17:28.330] But in reality, they didn't [17:28.330 --> 17:29.550] really need it. [17:29.550 --> 17:33.130] In the Android community, [17:34.490 --> 17:35.070] updates [17:35.070 --> 17:37.370] are not that important, [17:37.370 --> 17:38.450] so you can operate [17:38.450 --> 17:39.450] with older exploits [17:39.450 --> 17:42.210] quite well. [17:43.550 --> 17:46.170] These are the three [17:46.170 --> 17:46.970] vulnerabilities [17:47.610 --> 17:49.190] they used. [17:49.190 --> 17:49.370] So, [17:50.390 --> 17:50.990] I can get an address [17:50.990 --> 17:54.490] with an information leak, [17:54.490 --> 17:56.550] I can read with a read, [17:56.990 --> 17:58.550] and I can write with an overflow. [17:58.850 --> 18:00.250] So, from now on, I don't need [18:00.250 --> 18:01.490] much more. [18:01.550 --> 18:04.370] Because from now on, [18:04.370 --> 18:07.110] they know exactly what they want to write, [18:07.110 --> 18:08.310] they can read back, [18:08.310 --> 18:09.750] and they can also write. [18:09.750 --> 18:12.650] So, this is how they solved [18:12.650 --> 18:13.810] the whole thing.
[18:13.810 --> 18:15.150] Privacy, [18:16.190 --> 18:16.790] this [18:17.550 --> 18:19.970] statistic is from September 7th, [18:19.970 --> 18:21.230] so it's not that old, [18:21.230 --> 18:23.750] and still 35.5% [18:23.750 --> 18:24.630] of the devices [18:25.050 --> 18:25.350] in use [18:27.650 --> 18:28.850] are vulnerable [18:30.110 --> 18:30.910] to this [18:31.850 --> 18:33.050] vulnerability. [18:33.470 --> 18:34.470] And here you can see [18:34.470 --> 18:36.550] that the WebKit that can be attacked [18:36.550 --> 18:38.890] is the one shipped from 4.0 to 4.3. [18:40.410 --> 18:41.150] The problem [18:41.150 --> 18:43.910] is that this is part of the operating system, [18:43.910 --> 18:45.750] so we can't change this in any way. [18:46.210 --> 18:47.670] I mean, if we change the firmware, [18:47.670 --> 18:49.810] then yes, but because I start [18:49.810 --> 18:51.570] using another part of it, [18:51.570 --> 18:54.230] I can reduce the attack surface, [18:54.230 --> 18:55.250] but you can see in the demo [18:55.660 --> 18:57.570] that this is not everything. [18:58.490 --> 19:00.610] Here is a quick summary [19:00.610 --> 19:02.330] of how the Hacking Team [19:02.330 --> 19:03.250] put together [19:03.660 --> 19:04.590] what kind of devices [19:05.770 --> 19:06.930] the exploit works for. [19:06.930 --> 19:09.990] So, remote to local, and local to root, [19:09.990 --> 19:12.950] so that WebView can run code [19:12.950 --> 19:14.990] and can get root access. [19:14.990 --> 19:16.990] So you can see the importance.
[19:17.410 --> 19:18.310] Samsung itself accounts for [19:19.410 --> 19:21.230] more than 40% [19:21.630 --> 19:21.850] of Android devices, [19:21.850 --> 19:24.450] so if we want to hack a big one, [19:24.450 --> 19:25.070] then it is worth [19:25.990 --> 19:27.270] working with them in the first round, [19:27.270 --> 19:29.970] and then with our small size, [19:29.970 --> 19:31.270] you can see from this [19:31.270 --> 19:33.610] that they focused on this. [19:34.310 --> 19:37.550] So, what does the attack look like? [19:39.150 --> 19:41.210] It starts with GoHTML, [19:41.210 --> 19:42.070] which checks [19:43.350 --> 19:44.490] if the first [19:47.610 --> 19:48.570] information leak [19:48.570 --> 19:50.010] works or not. [19:50.010 --> 19:50.510] If it doesn't, [19:50.510 --> 19:53.870] then it shuts off and doesn't run anymore. [19:53.870 --> 19:55.330] This is true for every [19:55.330 --> 19:56.030] step of the exploit: [19:56.030 --> 19:59.430] they only move forward [19:59.430 --> 20:00.950] if they are sure [20:00.950 --> 20:02.950] that it makes sense to move forward. [20:02.950 --> 20:05.350] So they don't send anything wrong, [20:05.350 --> 20:07.910] they don't give out the code, [20:07.910 --> 20:08.170] they really [20:08.170 --> 20:08.870] always [20:08.870 --> 20:12.110] move on to the next stage [20:12.110 --> 20:13.870] and then they give something else, [20:13.870 --> 20:15.270] or send something else, [20:15.270 --> 20:16.810] only if it makes sense. [20:16.810 --> 20:19.830] This exploit protects itself very well.
[20:20.810 --> 20:22.170] So, in the first one, [20:22.170 --> 20:24.230] they create a 4MB [20:24.230 --> 20:25.850] area, [20:25.850 --> 20:27.010] which they use [20:27.010 --> 20:29.970] with a little HTTP package, [20:29.970 --> 20:31.530] which, by the way, [20:31.530 --> 20:33.390] is at the beginning of the XML, [20:34.150 --> 20:36.050] with the HTTP perv, vvv3 [20:36.050 --> 20:37.470] and the schema, [20:37.470 --> 20:38.630] so with this [20:38.630 --> 20:40.770] they can access [20:40.770 --> 20:43.270] this block. [20:44.090 --> 20:45.770] Then the crafted [20:45.770 --> 20:47.170] XMLs [20:47.950 --> 20:49.290] are downloaded; [20:49.290 --> 20:52.410] here they use the extracted addresses, [20:52.410 --> 20:53.350] these are basically [20:53.970 --> 20:57.190] the XML documents [20:57.190 --> 20:58.090] which will be useful [20:58.090 --> 20:59.890] for the buffer overflow [20:59.890 --> 21:01.450] to leak. [21:02.030 --> 21:04.070] Here, actually, [21:04.070 --> 21:05.390] the module .so is loaded, [21:05.390 --> 21:07.970] which is basically a kind of payload, [21:08.130 --> 21:09.770] a shared library [21:09.770 --> 21:11.790] which will load [21:11.790 --> 21:14.430] the rest of the exploit. [21:15.830 --> 21:16.790] However, [21:16.790 --> 21:18.170] the key is not given; [21:18.170 --> 21:20.370] this is only loaded for now. [21:20.610 --> 21:22.970] Then, in stage 3, [21:22.970 --> 21:24.270] this module [21:24.610 --> 21:26.550] is loaded into memory, [21:26.550 --> 21:27.610] with a ROP gadget, [21:27.610 --> 21:28.690] with mprotect, [21:28.690 --> 21:30.610] to make it runnable; [21:30.610 --> 21:32.330] they put together the call, [21:32.330 --> 21:34.890] which can be easily triggered, [21:34.890 --> 21:36.270] and they read [21:36.270 --> 21:37.610] an area from memory.
[21:37.950 --> 21:39.710] If everything works well, [21:39.710 --> 21:42.110] and everything was written correctly, [21:42.110 --> 21:44.210] then there will be an appropriate value. [21:44.210 --> 21:45.990] This is sent back to the server, [21:45.990 --> 21:47.890] and if everything is correct, [21:47.890 --> 21:49.870] then the server sends back [21:49.870 --> 21:51.930] the correct key; [21:51.930 --> 21:53.730] if not, it sends back some nonsense. [21:54.270 --> 21:55.410] So, this is how [21:57.550 --> 21:58.970] the content is protected. [21:58.970 --> 22:00.450] After this, [22:00.970 --> 22:03.730] the exploit and the installer [22:03.730 --> 22:03.750] are loaded. [22:03.750 --> 22:05.530] This is the module itself, [22:05.530 --> 22:07.270] so this is a payload. [22:07.270 --> 22:09.550] Here we have our code running. [22:09.890 --> 22:12.370] These go through the network [22:12.370 --> 22:15.370] encrypted, and are decrypted in place, [22:15.370 --> 22:17.410] and the exploit itself, [22:17.410 --> 22:19.950] which contains these 3 root exploits, [22:19.950 --> 22:20.930] tries to get [22:20.930 --> 22:22.070] root access; [22:22.830 --> 22:24.250] if it succeeds, [22:24.250 --> 22:26.590] it immediately drops the DDF [22:26.590 --> 22:27.890] into the root shell, [22:27.890 --> 22:30.230] making sure that from this point on [22:30.230 --> 22:32.550] the add-ons already have [22:32.550 --> 22:33.890] root access, [22:33.890 --> 22:35.970] and then the installer starts [22:35.970 --> 22:38.710] and upgrades itself.
[22:38.710 --> 22:40.390] This is, by the way, [22:40.510 --> 22:41.950] a scout; [22:41.950 --> 22:44.790] the company used it [22:44.790 --> 22:45.250] to create [22:45.250 --> 22:48.890] several types of agents, [22:48.890 --> 22:50.410] and it never fired [22:50.410 --> 22:51.690] the whole thing at once, [22:51.690 --> 22:53.190] but first a little bit, [22:53.190 --> 22:54.290] and then they looked around [22:54.290 --> 22:55.610] and said, okay, this looks like [22:55.610 --> 22:57.730] the tool, and there is nothing [22:57.730 --> 22:59.530] that might fail, so we can [22:59.530 --> 23:00.830] upgrade the DDF. [23:00.930 --> 23:03.030] So this also ensured [23:03.030 --> 23:05.830] that there would be no problems. [23:07.930 --> 23:09.330] The first demo is coming, [23:09.330 --> 23:11.610] where I will take a [23:11.610 --> 23:12.690] crafted URL, [23:12.690 --> 23:14.990] I will send the link out, [23:14.990 --> 23:17.050] and I will like it a lot, [23:17.050 --> 23:18.470] and I will click on it. [23:18.470 --> 23:19.450] I will not do this, because [23:19.450 --> 23:20.890] this is very boring, [23:21.450 --> 23:22.870] so I will do something [23:22.870 --> 23:24.350] more sophisticated. [23:25.050 --> 23:26.630] First, I will try [23:26.630 --> 23:29.270] to share my screen. [23:52.260 --> 23:53.720] If it doesn't work, I will [23:53.720 --> 23:56.540] move the phone, that's it. [24:15.880 --> 24:17.380] It doesn't matter, I can see [24:17.440 --> 24:18.980] a little bit of it. [24:21.260 --> 24:23.440] Here is my server. [24:24.540 --> 24:26.040] I have a little [24:26.040 --> 24:27.440] crafted link, [24:27.440 --> 24:30.700] and I am listening on this IP [24:30.700 --> 24:31.080] on port 800, [24:31.080 --> 24:33.820] and if I get the right link, [24:33.820 --> 24:36.060] I will send the exploit. [24:36.140 --> 24:36.980] What do we need [24:36.980 --> 24:39.780] for this to work?
[24:41.780 --> 24:43.500] Somehow, we have to get [24:43.500 --> 24:45.840] to the network layer [24:45.840 --> 24:47.380] where the tool [24:47.380 --> 24:49.180] operates, and if we are [24:49.180 --> 24:51.180] on the ISP side, so we are the Internet [24:51.180 --> 24:52.980] service provider's side, then this question [24:52.980 --> 24:54.000] is pretty simple. [24:54.020 --> 24:56.240] But if we think a little further, [24:56.240 --> 24:58.480] and we see that this exploit [24:58.480 --> 25:00.280] has just been released, and anyone [25:00.280 --> 25:02.680] can use it, where can we [25:02.680 --> 25:05.060] get it? At free WiFi [25:05.060 --> 25:06.460] and untrusted [25:07.040 --> 25:08.740] networks. If we connect, [25:08.740 --> 25:10.620] we can [25:11.180 --> 25:12.300] get this kind of [25:12.300 --> 25:14.540] goodie. I solved this [25:14.940 --> 25:15.300] by [25:17.040 --> 25:19.000] logging in to my own server [25:19.000 --> 25:21.000] and all traffic [25:21.000 --> 25:23.000] goes through my server. [25:23.440 --> 25:24.920] Here we have [25:26.280 --> 25:27.040] mitmproxy, [25:27.040 --> 25:28.360] I don't know if you have heard about it, [25:28.360 --> 25:31.420] I think you should use it for everything.
[25:32.420 --> 25:33.220] I am watching [25:33.220 --> 25:34.840] with a mitmproxy, [25:34.840 --> 25:36.540] in transparent mode, [25:36.540 --> 25:38.540] and there is an [25:38.540 --> 25:39.040] inject [25:40.780 --> 25:42.780] Python script, an inline script, [25:42.780 --> 25:43.880] which does so much [25:43.880 --> 25:45.560] to check [25:46.920 --> 25:47.600] what [25:47.600 --> 25:49.240] HTTP requests [25:49.240 --> 25:51.680] go to my network, [25:51.680 --> 25:54.040] and if the stars stand together, [25:54.040 --> 25:55.420] so if a content [25:55.420 --> 25:57.080] is requested by the bugger, [25:57.080 --> 25:59.660] and the answer is text/html, [25:59.660 --> 26:00.200] so the content will arrive [26:00.200 --> 26:03.360] at the right place, and the agent [26:03.360 --> 26:05.460] is vulnerable, then I [26:05.460 --> 26:07.680] choose my own payload. [26:07.680 --> 26:10.000] Actually, I will return an iframe, [26:10.000 --> 26:10.840] which will [26:11.360 --> 26:13.560] implement the things. So I [26:13.560 --> 26:14.780] inline modify [26:15.320 --> 26:16.680] the traffic. [26:20.750 --> 26:21.670] Yes, [26:21.670 --> 26:23.390] now we won't be nice, [26:23.390 --> 26:24.350] because it would be like [26:24.350 --> 26:26.690] I am not injecting, I am just listing, [26:26.690 --> 26:28.350] but there is no time for that. [26:29.150 --> 26:30.270] So here I am waiting [26:30.270 --> 26:33.370] for the traffic. 
Let's say I open [26:33.370 --> 26:35.550] any browser, [26:41.190 --> 26:43.590] and I type in index.hu, [26:44.150 --> 26:45.190] then you can see [26:45.190 --> 26:47.350] that this is a Chrome, [26:47.350 --> 26:49.350] and for Chrome, [26:51.010 --> 26:51.850] Chrome [26:51.850 --> 26:53.890] delivers the webkit, [26:53.890 --> 26:55.210] this is written by the [26:55.210 --> 26:56.690] operating system, so [26:56.690 --> 26:59.830] the built-in webkit of 4.3, [26:59.830 --> 27:02.030] and this also means [27:02.030 --> 27:03.250] that, unfortunately, I can't [27:03.250 --> 27:05.590] attack, so I don't [27:05.590 --> 27:07.070] bother with this, I let [27:07.070 --> 27:09.670] the thing work, something will happen [27:09.670 --> 27:10.750] when [27:11.350 --> 27:13.470] my time comes. [27:13.590 --> 27:14.710] Let's see [27:14.710 --> 27:16.970] what is happening in the background. [27:16.970 --> 27:18.810] I opened this session-starting [27:20.810 --> 27:21.990] output here, [27:21.990 --> 27:22.800] we will see that here, [27:23.590 --> 27:25.450] and what I will do [27:29.010 --> 27:30.090] is that [27:30.090 --> 27:31.290] I don't know if you saw, [27:31.290 --> 27:32.690] for example, Hacktivity has [27:32.930 --> 27:34.610] a small app, very [27:34.610 --> 27:37.110] cute, it has a lot of things on it. [27:37.110 --> 27:38.710] I like this, by the way, [27:39.410 --> 27:40.750] this is not effective, [27:40.750 --> 27:42.910] the app doesn't work, this is a framework, [27:43.350 --> 27:45.350] a thing called Instap, [27:45.350 --> 27:47.430] we can tell you a little about it here, [27:47.430 --> 27:49.050] and if you are more interested [27:49.050 --> 27:50.370] in this thing, then by clicking [27:50.370 --> 27:52.870] on this link, we can get a little more [27:52.870 --> 27:55.270] info about this thing. 
[27:55.870 --> 27:56.830] I think you can see [27:56.830 --> 27:58.590] that it is not really [27:58.590 --> 28:00.970] Instap's thing [28:00.970 --> 28:02.690] that is being loaded now. [28:02.990 --> 28:04.650] The application used [28:04.850 --> 28:06.870] a WebView component, the WebView [28:06.870 --> 28:09.110] component is part of the operating system, [28:09.110 --> 28:11.030] this itself is harmful, [28:11.030 --> 28:11.510] I saw this [28:11.510 --> 28:15.450] from the agent, [28:15.450 --> 28:17.210] that this is my time, [28:17.210 --> 28:19.390] and here I changed the content, [28:19.390 --> 28:20.710] and I sent the [28:20.710 --> 28:23.110] exploit itself, and [28:23.110 --> 28:26.930] if we look at it, [28:26.930 --> 28:27.610] then [28:27.610 --> 28:30.970] there is a problem. [28:50.390 --> 28:52.930] It worked well so far. [28:54.790 --> 28:55.530] Yes, [28:55.530 --> 28:56.550] so here we would see [28:56.550 --> 28:58.910] how the attack ends, [28:58.910 --> 29:01.410] luckily I have a history. [29:08.720 --> 29:09.580] Aha. [29:13.720 --> 29:15.400] Let's see what happens. [29:18.430 --> 29:19.630] The problem is that [29:19.630 --> 29:20.510] my console froze, [29:20.510 --> 29:22.210] I think I broke it. [29:43.630 --> 29:44.750] But this was probably the [29:44.750 --> 29:46.650] safest point for the presentation. [29:49.050 --> 29:50.690] This worked at the very beginning, [29:50.690 --> 29:52.090] this was solved before everything. [29:52.170 --> 29:54.770] But well, this is pop art. [30:06.250 --> 30:08.070] Aha, now it works. [30:08.590 --> 30:10.070] I will bake this one more time, [30:10.070 --> 30:11.810] because this is so stupid, [30:11.810 --> 30:14.150] that I have to do this. [30:17.590 --> 30:19.150] I will skip a few lines, [30:19.150 --> 30:20.630] it doesn't matter. [30:23.980 --> 30:24.820] So, [30:24.820 --> 30:27.080] again, in a very stupid way, [30:27.080 --> 30:28.560] oh, you can't see it. 
[30:29.880 --> 30:31.360] So I will bake it one more time, [30:31.360 --> 30:33.040] because I don't think it will be loaded, [30:33.040 --> 30:34.440] so this app is so good, [30:34.440 --> 30:36.480] I'm sure their website is also so good. [30:41.620 --> 30:42.860] Yes, very good. [30:42.860 --> 30:43.500] Yes. [30:45.000 --> 30:45.520] So... [30:45.520 --> 30:46.720] The previous one was successful, [30:46.720 --> 30:48.780] but no one accepted the request. [30:50.400 --> 30:52.400] Actually, this is the point. [30:52.420 --> 30:53.160] Here you can see [30:53.160 --> 30:56.100] that I have already sent the exploit. [30:56.100 --> 30:57.780] As I said, [30:58.420 --> 31:00.180] when we reach the code run, [31:00.180 --> 31:01.880] we load the module, [31:02.360 --> 31:03.240] the SO, [31:03.240 --> 31:05.220] and he is the one who actually loads [31:05.220 --> 31:08.300] the exploit and the installer. [31:08.300 --> 31:09.480] So here we already have a code run, [31:09.480 --> 31:10.880] everything works here. [31:11.940 --> 31:13.020] So, [31:13.020 --> 31:14.740] we were able to implement it nicely. [31:14.740 --> 31:15.620] By the way, [31:15.620 --> 31:18.440] this attack of the hacking team [31:19.520 --> 31:20.860] in general, [31:20.860 --> 31:22.520] I think it's a bit stupid. [31:22.860 --> 31:24.400] Here, while running, [31:25.130 --> 31:27.410] I lost my patience with the redirect, [31:27.860 --> 31:29.660] which I usually do, [31:29.660 --> 31:30.780] and while running, when I shoot, [31:30.780 --> 31:33.100] I'm not sure if the attack is going to end, [31:33.100 --> 31:34.620] because in general, [31:34.620 --> 31:36.660] the exploit itself is 1MB, [31:36.660 --> 31:38.700] the installer too, [31:38.700 --> 31:40.480] it takes a lot of time, [31:40.480 --> 31:42.080] and these are processes [31:42.080 --> 31:43.880] based on the original application. [31:45.180 --> 31:47.140] So if I shoot the whole thing, [31:47.140 --> 31:49.140] it doesn't work. 
[31:49.140 --> 31:50.920] I think it could have been done [31:50.920 --> 31:52.780] faster, [31:53.580 --> 31:55.000] but I'm sure... [31:55.000 --> 31:55.980] Oh, this is at the end. [31:56.380 --> 31:58.780] Okay, so... [31:58.780 --> 32:01.180] So, it only worked. [32:02.400 --> 32:03.380] Sometimes, [32:03.380 --> 32:04.020] very slowly, [32:04.020 --> 32:07.180] so that it doesn't show up, [32:07.180 --> 32:09.040] after a lot of sleep. [32:10.660 --> 32:12.260] But here, [32:12.260 --> 32:15.110] this extremely serious application [32:15.340 --> 32:15.900] appears. [32:15.900 --> 32:17.200] I created this with a next-next finish [32:17.200 --> 32:19.740] in Android Studio. [32:19.740 --> 32:21.740] This is my application that [32:21.740 --> 32:23.580] implements the exploit. [32:23.920 --> 32:26.140] I don't implement the hacking team [32:26.140 --> 32:26.400] stuff, [32:26.400 --> 32:29.240] but this itself, yes. [32:29.240 --> 32:31.020] So this went to the end. [32:31.300 --> 32:33.760] I installed it through a network. [32:37.630 --> 32:39.130] So let's move on. [32:40.750 --> 32:42.670] Yes, so how did they [32:42.670 --> 32:45.350] stay under the radars? [32:45.670 --> 32:48.230] At every step, [32:48.230 --> 32:50.010] at every opportunity, [32:50.010 --> 32:50.850] they were obfuscated, [32:50.850 --> 32:52.190] encoded, [32:52.190 --> 32:53.670] encrypted, [32:53.670 --> 32:54.650] they put in everything [32:54.650 --> 32:55.090] that was possible [32:55.090 --> 32:58.330] so that the codes [32:58.330 --> 33:00.530] would be sufficient. [33:00.530 --> 33:01.450] So that we would always [33:01.450 --> 33:04.150] be a small part of it, [33:04.150 --> 33:05.510] and it would be difficult [33:05.510 --> 33:08.170] to access the things. 
[33:08.170 --> 33:10.330] So the source code, [33:10.330 --> 33:11.610] when it was built, [33:11.610 --> 33:13.530] was already obfuscated, [33:14.450 --> 33:15.970] and then it was built, [33:15.970 --> 33:16.250] and they packed it [33:16.250 --> 33:20.090] with their own packer, [33:20.090 --> 33:22.190] then they added MELT, [33:22.190 --> 33:23.930] they read some of it, [33:23.930 --> 33:25.330] then they added VMProtect, [33:25.330 --> 33:26.250] they added so many layers [33:26.250 --> 33:30.430] that it was quite expensive. [33:31.150 --> 33:31.910] There were people who [33:31.910 --> 33:33.270] went for it, and you could [33:33.270 --> 33:35.170] download some of it, but [33:35.930 --> 33:38.290] the whole infrastructure, [33:38.290 --> 33:39.550] especially all the platforms, [33:39.550 --> 33:42.430] couldn't afford it. [33:43.750 --> 33:46.550] Yes, and I think [33:46.550 --> 33:47.610] it was a good idea [33:48.190 --> 33:49.750] to only send [33:49.750 --> 33:53.770] what was needed [33:53.770 --> 33:55.410] for each step. [33:55.550 --> 33:56.450] The other thing was [33:56.450 --> 33:59.010] that they blacklisted [33:59.010 --> 33:59.990] the applications, [33:59.990 --> 34:00.910] so if they felt [34:01.410 --> 34:03.450] that their research [34:03.450 --> 34:04.710] was already dangerous, [34:05.510 --> 34:06.070] they would rather [34:06.070 --> 34:07.170] send it back. [34:07.190 --> 34:08.270] They didn't have to [34:08.270 --> 34:10.430] poison it at all. [34:10.970 --> 34:14.670] As if that was the only [34:14.670 --> 34:15.670] risk. 
[34:17.670 --> 34:19.190] They used [34:19.190 --> 34:20.370] VM Inquiry [34:20.370 --> 34:21.170] for virtualization, [34:21.170 --> 34:22.070] and they checked [34:23.390 --> 34:25.450] which platform they were running on, [34:25.450 --> 34:28.050] and if they had to run on that platform, [34:28.050 --> 34:29.890] and if it was config or not, [34:29.890 --> 34:30.690] then they [34:30.690 --> 34:32.650] withdrew from it. [34:34.290 --> 34:35.810] They had [34:36.650 --> 34:37.530] a little trick [34:38.550 --> 34:41.630] in the FS44 register, [34:41.630 --> 34:42.830] they placed a trap, [34:42.830 --> 34:44.390] and when they triggered [34:45.090 --> 34:47.510] a sleep function on a new wire, [34:47.510 --> 34:48.950] which is [34:48.950 --> 34:52.830] in the nest, [34:53.690 --> 34:55.630] so to check it, [34:55.630 --> 34:56.370] it slipped [34:56.370 --> 34:58.150] on this trap, [34:58.150 --> 34:59.070] and from then on [34:59.070 --> 35:02.870] they could [35:02.870 --> 35:04.530] check if there was [35:04.650 --> 35:06.130] a problem or not, and if there was, [35:06.130 --> 35:07.690] they withdrew again, [35:07.690 --> 35:09.710] and as a result, [35:09.710 --> 35:11.810] there was no report [35:11.810 --> 35:13.630] about the application in the nest. [35:14.350 --> 35:15.570] This is a good [35:15.570 --> 35:17.650] example of a few days [35:17.650 --> 35:19.870] after these codes were released, [35:19.870 --> 35:22.670] the codes that [35:22.670 --> 35:23.470] are used in WADOM came out. [35:23.470 --> 35:25.010] So this 400GI is not only [35:25.530 --> 35:27.770] good because we can cheat, [35:27.770 --> 35:29.710] we can have fun with these codes, [35:29.710 --> 35:31.430] but also because criminals [35:31.430 --> 35:32.910] use them illegally. 
[35:33.270 --> 35:34.850] And the problem is that [35:34.850 --> 35:35.590] what they have developed [35:35.590 --> 35:38.670] for a certain amount of time, [35:38.670 --> 35:40.190] can now be called [35:40.190 --> 35:41.170] an entry level. [35:41.170 --> 35:42.550] Because everyone has it, [35:42.550 --> 35:43.670] they can use it, [35:43.670 --> 35:45.870] so it doesn't divide them. [35:46.030 --> 35:48.490] On the Android platform, [35:48.490 --> 35:49.210] they also made sure [35:49.210 --> 35:51.970] that they don't run into the emulator. [35:54.250 --> 35:55.690] These tricks [35:55.690 --> 35:57.110] were introduced. [35:58.470 --> 35:59.590] And because [35:59.590 --> 36:00.510] antiviruses [36:01.490 --> 36:03.830] can work well together, [36:04.910 --> 36:06.170] they created [36:06.350 --> 36:08.170] a full cluster [36:09.190 --> 36:10.110] where [36:12.070 --> 36:13.010] they installed [36:15.990 --> 36:16.910] antiviruses [36:16.910 --> 36:17.310] virtual machines. [36:17.310 --> 36:18.410] Then they sent [36:18.410 --> 36:19.690] their little agent [36:19.690 --> 36:21.890] and with remote call [36:21.890 --> 36:25.490] they looked at what was happening. [36:25.490 --> 36:26.870] Is there an action [36:26.870 --> 36:29.130] that one or the other [36:29.130 --> 36:31.430] vendor is interested in [36:31.430 --> 36:31.750] or is it suitable for [36:31.750 --> 36:33.310] rioting? [36:33.590 --> 36:35.810] This was a QA process [36:35.810 --> 36:38.570] and they were able to guarantee [36:38.570 --> 36:40.710] that what they were doing [36:40.710 --> 36:42.030] and how they were doing [36:42.030 --> 36:44.190] was not suspicious. [36:44.190 --> 36:44.830] So here you can see [36:44.830 --> 36:47.830] that they tested this [36:47.830 --> 36:48.290] quite nicely. 
[36:48.290 --> 36:49.930] They had a full project [36:49.930 --> 36:52.610] to be able to intonate [36:52.610 --> 36:54.310] these virtual machines [36:54.310 --> 36:57.250] and play with appropriate configs [36:57.250 --> 36:58.370] to see what would happen [36:58.370 --> 36:59.850] if I downloaded [37:01.890 --> 37:04.030] a full email list [37:04.030 --> 37:05.970] or started to pay attention [37:05.970 --> 37:07.270] to the keyboard [37:07.270 --> 37:07.910] or something [37:07.910 --> 37:10.570] and what would be the result. [37:11.210 --> 37:13.310] And then we reached the end [37:13.310 --> 37:13.830] where [37:15.770 --> 37:17.210] yes, [37:17.210 --> 37:18.110] I think, [37:18.110 --> 37:21.130] from the leaked data, [37:21.130 --> 37:22.970] the sign language and everything else [37:22.970 --> 37:24.130] it turned out that [37:24.130 --> 37:25.350] there was a front [37:25.350 --> 37:26.730] that was really [37:27.690 --> 37:29.010] unscrupulous, [37:29.010 --> 37:32.210] even though they could not protect their own products. [37:33.090 --> 37:34.410] But the whole thing [37:34.410 --> 37:35.390] was well planned [37:35.390 --> 37:36.990] and it was not [37:37.990 --> 37:39.170] perfectly reconsidered, [37:39.170 --> 37:40.030] but leaked. [37:41.730 --> 37:43.870] And what I would really [37:43.870 --> 37:45.830] emphasize is the web view [37:47.450 --> 37:48.170] which [37:50.150 --> 37:50.870] is [37:50.950 --> 37:51.670] a problem. [37:51.670 --> 37:52.430] There are a lot of devices [37:52.430 --> 37:55.350] and as we saw, [37:55.350 --> 37:57.610] I don't have to click [37:57.610 --> 37:58.990] on links, or I don't know. [37:58.990 --> 38:00.610] I did click on something, [38:00.610 --> 38:03.270] but I don't know which was [38:03.270 --> 38:04.170] harmful or not. [38:04.170 --> 38:05.390] Maybe it was good yesterday, [38:05.390 --> 38:06.190] and not today. [38:06.210 --> 38:09.350] I can change the content. 
[38:09.670 --> 38:10.930] In the demo, [38:10.930 --> 38:13.050] it had to be a bit stupid [38:13.050 --> 38:15.390] to fix the settings [38:15.390 --> 38:17.330] and the product, I don't know. [38:17.330 --> 38:18.190] Because, for example, [38:21.590 --> 38:22.710] HTTPS collects all the content [38:22.710 --> 38:23.710] and also monitors [38:25.470 --> 38:26.590] the notifications [38:26.590 --> 38:28.410] to see what they are like. [38:28.410 --> 38:30.170] This is a good solution [38:30.170 --> 38:32.050] to be safe. [38:32.070 --> 38:33.310] There was a special link [38:33.890 --> 38:36.110] where this was not linked, [38:36.110 --> 38:38.070] so it could be injected there. [38:38.070 --> 38:39.210] But from the attacking side, [38:39.210 --> 38:40.750] all you have to do is watch and wait, [38:40.750 --> 38:44.130] and if there is a request, [38:44.130 --> 38:46.430] you can inject the correct content [38:46.430 --> 38:47.350] there. [38:47.350 --> 38:49.550] A few links. [38:49.830 --> 38:52.130] And thank you for your attention. [38:52.670 --> 38:53.610] I'm waiting for questions. [38:53.610 --> 38:55.970] I loved it. [38:56.370 --> 38:57.390] It looks like it was a bit [38:57.390 --> 38:58.550] clunky. [39:02.130 --> 39:04.110] Done. Did I satisfy [39:04.110 --> 39:04.870] everyone? [39:08.690 --> 39:09.690] Okay. [39:09.690 --> 39:11.470] Thank you very much.