[00:00:02] One... oh boy, yes, right. The name that I've given this presentation is Internets of Planes. When I sent in the draft version to the people in my company who know how to sell themselves better than myself, they said "no, no, no, you should change the title and you should give it the following: Hacking Millionaires' Jet Cabins". Well, it's always good to have good friends. So this is the index of my presentation: first of all who am I, introduction, the applications, let us see what is the purpose of this presentation, then we move on to analysis. Some acquaintances are here in this room following this presentation that will help me at the end of the presentation, most likely. Then we are in the plane, I will tell you more about the vulnerabilities that we found, some fixes, and then the research timeline.

[00:01:06] So first of all, congratulations and happy anniversary for the 10 years, for the great work that you do in terms of dissemination, and for having trusted me, for giving me the opportunity to share what I do with you. And then we see significant change in this decade, in these 10 years of time; so we have also changed, our entire... see Alberto, OMA, all of them who work for free, as well as the minions, volunteers.

[00:01:51] Well, according to this photograph, you were probably expecting a dog to give this presentation. Well, my name is Daniel Martinez, my alias is dan1t0. I'm a senior security consultant. In terms of experience I say longer than a hobbit's, because I've gone through the experience of many people. I've seen lots of child labor, because some people say that they have 18 years of experience, 20 years of experience, and then I said to myself, okay, experience how long, more years or longer than a hobbit. And then I was about to show this photograph, and then perhaps if I go and show that, you would be expecting, I don't know, some food to come over here, and then spam, a bit of spam. Oh, I have to say that I work at IOActive; it's an American company, it has an office in Madrid, and I'm very lucky to work with highly interesting people, those people that make you feel a bit stupid when you work with them, and I was like that, meaning surrounded by smarter people. We break things; we like big things: satellites, aircraft, planes, ships.

[00:03:09] So what I will be sharing with you, it's a bit related to what you said... This is basically a real-time system where I've found some vulnerabilities; it is installed in many devices of this series in aircraft and others, and then it is also related to the presentation about antennas, aircraft, etc. So nowadays, well, not that much nowadays but in the past, the Internet of Things is what has become the option nowadays; if you have luck, change when no one... so therefore all the companies started to push the introduction of Internet of Things to sell a lot over a short period of time. And where did it all end up? Well, every day we ended up having lots of problems with bitcoins and we weren't being inspired all the time. So the interesting thing about this is when the Internet of Things was implemented following the same philosophy in, well, other fields such as aviation. Nowadays we can find mobile apps that will help us interact with some features in the plane, such as multimedia, etc.

[00:04:48] This is the most important slide, and it is important to know that aircraft systems, the landing system, follow a different... they operate on a different network than the systems that we'll be discussing. How are they connected? We can gather information about the altitude of the plane that we may introduce into our device and say, well, the aircraft is flying at five thousand feet and we are flying over Poland. So during my presentation, well, the situations that we found: this could create situations of discomfort on board an aircraft, playing with temperature, light intensity and other types of attacks, but in any case, well, this is not a direct threat to safety; we will not be moving any aircraft at all.

[00:05:50] So these are the applications to analyze. I don't know whether you are aware of these companies; well, I didn't know any of them, but Bombardier rang a bell to me in terms of trains. This one is Bombardier Cabin Control, and then the other one is Venue Cabin Remote, developed by Rockwell Collins. So we also took a look at other applications, but we cannot really show it to you because of a non-disclosure agreement. So these are some screenshots that we can see in Google Play. We see here different roles, different things that you can touch on: cabin entertainment, location of the flight, the toilets; that was very interesting when I found it. This is a video where the Rockwell Collins company showed us what they do.

[00:07:27] (Video) From the moment you settle into your aircraft, you and your air crew will have many ways to conduct your cabin experience. Your air crew... and without... device becomes an additional... So your mobile device becomes an additional controller. Use your wireless headset for hands-free selections and communications.

[00:09:05] Jonathan, I don't own any of these jets. Oh, it's a pity, I would have very surely crashed it. So what happens is that these applications cannot be researched, cannot be analyzed, and this is not specific, or this is not exclusive to aircraft only; it also happens in other fields. So this is an app that will have you interact with cabin things, but if you don't own that jet you cannot really go ahead with it. So the application is connected to the Wi-Fi network on the aircraft and then it interacts with the capabilities in the aircraft. So this is available at... it is not within the scope of our research, and then it has been developed by Rockwell Collins, which is their developer; many companies work with Rockwell Collins. So when you search for a device over the map of an aircraft, we can see that all companies are working with each other even if they do not kind of show it in the first place. And as I said, it helps you interact with all the cabin capabilities and it is based on wireless access points, so we gather data and we can interact with them.

[00:10:44] And now I'd like to tell you about the infrastructure of the systems. What we are interested in is the mobile device, that is us, and we will move on to the right side of the slide; these are the elements we will interact with, and then the elements in the center will help us reach the elements on the left. This is another map which I like, well, because I was suggested to show a map of the aircraft. Then I could see that device, I said, what is that device there? It is a six-legged device, and... all control is one of the companies that use win OS and it is one of the systems, and my colleague deuce ever crashed, so I'm not going to say that those things have broken everywhere, but there are many devices, key devices here, that were not fully robust at some stage of the development cycle. So this is the layout of the devices on the aircraft, but this is not that relevant to us; this is for you to have some background. And now let us move on to applications.

[00:12:08] Well, the apps have different user roles, different roles depending on whether you are crew, whether you are passenger. Your role would allow you to access some features and not others; you will never be able to drive, to move the aircraft. To access a crew section you'll have to enter a password. We've seen that. What do we see when you open the manifest? You see an activity that asks you to enter a password. Then you take a look at the code; we can see that the password plays a role, but we will not be going into that in this presentation, but it's interesting for you to know. What is coming is the location of the person on the aircraft, so there is a person in the front of the cabin, the other one at the rear of the cabin.

[00:13:07] So the purpose of this presentation is the following. Oh, we said that we wanted to come here to see what you do when you are facing this type of application, so that you can mimic a real connection environment and to find out the entry points to attack a situation or to launch an attack. Well, the objective is you can't try to be in aircraft and to do that from... Once you have the working environment we will start to find vulnerabilities, and then we will tell you about the steps that we follow to find the vulnerabilities, and in some cases we will exploit some of those vulnerabilities. These are the target versions of our research, so both are numbered with the same number, and this is not right, because the version on top is 2.2.2 and the one below is 2.2.1, and thanks to that now I have a new demo. I would also explain to you the demo mode: basically, imagine that you are a new hire or you are a salesperson of this company and you want to sell these products to a company; because you're not going to take the aircraft with you, well, they take this mobile app with a demo mode. The demo mode is then open and then demoed, and then you get to see the aircraft. So this is a simulation of the operation of the app features, and this will be interesting later on in my presentation.

[00:15:10] During the talk we will combine the types of analysis: on the one hand code analysis, which is essential, but we will also be basing ourselves on logs, on network traffic and all that; oftentimes you'll have it in the code when you see it, when you find it. Having an app that helps you makes you save time. I'm not going to say CFC, but these applications are very interesting to learn, to improve, to see new things. What do we do first? We get an APK, which is not a... zip, a PK... we open the file and we analyze the XML. I don't want you to read through it, but you may notice that they are very similar; the only thing that changes is the name of the package, in those cases com.rockwellcollins.venue.cabinremote... and the other one ends in .bombardier, so therefore we are talking about the same app. What are the things that are to be checked here? Entry points, activities that are exported, activities that are not exported, services and all these elements that we are all aware of. We read through all that, we gain an understanding as to what the app can do. The only activities that were exported for this... the screen. And now we will be focusing on permissions. You will later understand, but I'm writing this when I'm showing this: we may write on the card, we can change the Wi-Fi, we can access the network state. More information about what a permission allows you to do you can find in the Android docs. You can use very many tools; well, I like jadx quite a lot with those two flags: if some obfuscation is detected, maybe the obfuscated... bytecode. Oftentimes when we decompile an app some code is not well decompiled, mistakes are found, whereas in this case instead of... we cannot do that. Sometimes it tells you the code right at the bottom, and then sometimes you'll come back to an older version, so we can do several things to continue discovering things. Another one for you to get a... file is very good: you open it with Android Studio to export it, and everything in the end is displayed in a beautiful manner.

[00:18:22] So the first thing that we do is start the app. We got the ADB, I... lots of info so that it is not too boring, so basically in green these are the things that we found and say, look, I'm starting now, is there any session in it, then a warning instead of timeout, and then I said finish the step one, okay, step one completed. It is very easy to see.

[00:19:04] So more information than needed is being logged. This is a good starting point to look for specific things in the code and to look for this element: when it says "done step one", it could be interesting to start organizing the code there. As I was saying, if you look for "step" then you end up in a Java class which is known as StepOne, so therefore it makes sense for me to start off in step one. What do we find in step one? This is an example of code; you call it from the run function, and basically what it does is the following: the code is detecting whether the SSID you are connected to, well, first of all if you are connected to an SSID and then if that SSID has dd-wrt. If you have a string, it gives you an idea of multicast; if you look for that IP you will see a different value to the value that it would have otherwise. So for this type of things, please do not ship these in production; they shouldn't be there. So now the state machine: step one then will move on to step two, to step three. When you take a closer look at it, it wants to go from one step to another, to move from one step to another, and what we can see is that this is a state machine. State one may finish one way or another; depending on how it finishes, it may go to demo mode, etc. Then there are a couple of classes, CommEvent and StateInitializing, that implement what I've just told you. There it tells you about step number two, where it performs it, finishes it, it is ended and then it moves on to the next step. When this step one is ended, it takes a look at a number of things and then it asks you to move on to step 2, goes to step 2 when the step is... so you do that from StateInitializing.java.

[00:21:46] Now let us move on to multicast. To see this line we see what multicast does. Multicast is a protocol running over UDP, and then based on the principle there are a number of IPs that you can use to send information, and that information reaches the devices that are connected to multicast. Therefore I may be emitting in my network, but if you are not listening in that multicast group, if you haven't joined the multicast group, you will see what's in there... that if you haven't joined, you cannot really see it. So we will open a second... port 53,000 and now we can already see some of the next step: Json, which is the Android library to work with JSON.

[00:22:51] We start our search, we continue the search: conn announcement... kind of makes us anticipate the format of the JSON, but we really want to see what's in those values up there. Where does "path" come from? It is not very obvious; it could be bias, and then we agreed port 31 and 32. I had enough of the rest of it because it doesn't add any value. So at the end of the day, give us a conn announcement with the following information. We take a closer look at this conn announcement in step 2; we see a download configuration file which is getting a connection, and... the other method pretentious. So the next method which is called, the next class, is FileDownloader, and the definition is quite clear, or at least it is quite clear to me: we have FTP download, our connection address, 31, 32 and..., as well as an... file which has been defined in the package, as well as storage. We can see here that when you reopen FTP file download, it receives a host, a username, the password, a directory, a file name, as well as a local directory of the device. There is a Java class known as InitTasks that will provide quite a lot of information about the check... and the possible valid values in it. I'm not going to go and analyze each and every one of them.

[00:25:00] And now I'm doing good with time, but still I will go a bit fast. JSON: so the values that we're interested in here are 1000..., which is an IP, an IP that we will find in the code of the app, 421 and user, password. We are not going to complicate our lives: if we are going to send it, it will receive an FTP through multicast, why should I enter a secure password? So we will be using the tool hostapd, I'm sure that you know it from Unix, to analyze the traffic between the server and the device with Wireshark or whatever you would like to use, and then we will use Python to create a simple script, a sender, configuration over multicast, output that we get from sender.py. And this is the one that I created to send information through multicast: you can see the path, configuration, address, port. This is the hostapd. Actually there are many examples of scripts on GitHub; I tried not to look like a hero here in creating an access point: to start one, and then you add DHCP and then you start to play around with it, and I have already routed one interface with another. So we start the app, we execute our sender, we can see that it tries to connect to our FTP server; this is no surprise. And now let us try to configure an environment and to start an FTP server, but before that let us take a look at the log. We see in logcat the same thing: trying to connect to these... refused connection, an error.

[00:27:20] So the app is telling us to follow these steps. So it was kind of interesting too, in that it was good fun actually, and as a one FTP server, oh, what a pain. I took a look at it and then I just used the server in the Metasploit assistant, and then I could see that it didn't work well with folders, so if you insert a file name, hola.txt, it doesn't accept it, and then I could realize that if I created it in the root folder, under a test folder, I could take a look at it, and then, having reached this point of craziness, I installed an FTP in the server and that was it.

[00:28:19] We started the FTP server and what did we see in Wireshark? It is asking us for a remote configuration XML. We don't have it, and you can also see that in the code, but we already saw it here, so let us take a closer look at it. If you took the query XML, if you have to read how an app parses an XML, well, it could be really boring, but you know that there are very difficult things to generate. However, demo mode: I looked for that string, for that file, and I found a folder that had the remote configuration XML. At the end of the day that included information about the characteristics of the aircraft, such as lights, its sensors, media, etc. So in a folder I found this file, which basically I copied and pasted, and as well, let us give it a go. So the app is not being very reluctant, so I copied the file, the file was downloaded, and I said, oh, well done. Another file is a zip file. I took a look in and I could see a folder known as asset, and what we find: my configuration XML, and then we also find another two folders, mdpi and xhdpi, because the file is icon Android... says xhdpi to... You don't have to really make a mistake on purpose; I just created a file with information inside, I put it into the folder and then it was downloaded. Then I took a look at logcat and we can see that we were going through all these steps. It was connected to our AP, and then when I went back to this slide I said, well, this is not... that was not such a big job. And now we follow all those steps, we're already in the plane because it gets all the configuration; this is the same as the demo mode, and because the application offers it, it parses it, but we offered that from a different environment. So we are going to do a mini demo. Such a great time.

[00:31:23] Well, the thing is that to comment on the video I have to move over there. So the higher the number of black screens... so top left, I will start an AP, then on the right I produced and searching in pairs whether the process exists. If the process exists I use logcat to find information about the process; you know that every button that you press gets seven lines as the result, and we just want... Bottom left we get to see the Python file. Oh, hold on, this is a mobile app; the mobile app that I am using is the last one, the one that offers the report of everything. Well, anyway, they decided not to correct it, don't you change it; this is the last version of the app and it works. Bottom right I'll show you so that you can see how the traffic has been sent, and then we'll change it to FTP. So this is the latest fashion in the market, beautiful thing is, then the AP.

[00:33:06] I'm starting to send multicast traffic. As you can see, I am sending it from three IPs to the multicast IP. You're already connected to the Wi-Fi. This tcpdump, port 21, to see what we can see in there. We are really looking at the mobile, on whether the process started. Is this the app? This is the process, FTP traffic.
00:33:55,180 --> 00:34:00,150 so the up is serial up 534 00:34:11,070 --> 00:34:17,060 so we'll download the zip we'll process 535 00:34:13,860 --> 00:34:17,060 it it takes some time 536 00:34:34,960 --> 00:34:37,649 come on 537 00:34:44,949 --> 00:34:50,859 now I've run it again occasionally I'm 538 00:34:48,940 --> 00:34:55,630 gonna bring but sometimes when I heard 539 00:34:50,860 --> 00:34:58,240 ferry components working with mobile 540 00:34:55,630 --> 00:35:01,600 apps you have to uninstall them of the 541 00:34:58,240 --> 00:35:03,459 time clearing the cache of wife and 542 00:35:01,600 --> 00:35:07,360 doing other things this is extremely 543 00:35:03,460 --> 00:35:11,410 complicated but I did write reopen it 544 00:35:07,360 --> 00:35:15,190 then the configuration was well loaded 545 00:35:11,410 --> 00:35:17,980 and then the demo mode has not been 546 00:35:15,190 --> 00:35:23,620 loaded I want to show you something in 547 00:35:17,980 --> 00:35:25,780 traffic okay so I have a pointer with me 548 00:35:23,620 --> 00:35:31,470 you may notice there is a JSON here 549 00:35:25,780 --> 00:35:35,200 MSG data there are lots of information 550 00:35:31,470 --> 00:35:38,859 you can see that in 421 but it is not 551 00:35:35,200 --> 00:35:46,240 FTP traffic obviously and actually FTP 552 00:35:38,860 --> 00:35:49,780 server says user and password this is 553 00:35:46,240 --> 00:35:53,080 for you we can't continue emulating on 554 00:35:49,780 --> 00:35:58,200 mimicking these environments in the 555 00:35:53,080 --> 00:35:58,200 latest market application 556 00:36:00,670 --> 00:36:07,740 and these aircraft flies so very good 557 00:36:09,570 --> 00:36:15,940 from here we will take a look at number 558 00:36:13,600 --> 00:36:19,029 of annuities that we found in our 559 00:36:15,940 --> 00:36:21,160 analysis as we were loading the 560 00:36:19,030 --> 00:36:26,530 configuration and XML and I see the word 561 00:36:21,160 --> 00:36:30,160 unloaded the function 
unfortunately was 562 00:36:26,530 --> 00:36:34,270 not well done we will take a look at the 563 00:36:30,160 --> 00:36:38,190 code a few minutes but basically what 564 00:36:34,270 --> 00:36:40,960 happens here is that we can enter a 565 00:36:38,190 --> 00:36:48,580 cross sectional route when you create 566 00:36:40,960 --> 00:36:52,240 the zip file in Java and other languages 567 00:36:48,580 --> 00:36:55,509 by default they do not sanitize the path 568 00:36:52,240 --> 00:36:58,689 of the entries if you were to do it in 569 00:36:55,510 --> 00:37:00,910 laminates that will be omitted and it 570 00:36:58,690 --> 00:37:07,780 will be written in the file we are 571 00:37:00,910 --> 00:37:10,649 working with so obviously supported 572 00:37:07,780 --> 00:37:16,230 vulnerability we had to do it properly 573 00:37:10,650 --> 00:37:19,000 we have to simulate the environment so 574 00:37:16,230 --> 00:37:21,880 for this reason we can find transversal 575 00:37:19,000 --> 00:37:26,890 routes in the zip we can write if their 576 00:37:21,880 --> 00:37:29,380 permission we could get in the SD card 577 00:37:26,890 --> 00:37:33,540 we could get an e rc 578 00:37:29,380 --> 00:37:37,090 dependent it's not the purpose of this 579 00:37:33,540 --> 00:37:42,070 presentation to get in here see but it 580 00:37:37,090 --> 00:37:45,550 would be nice be nice to buy it over and 581 00:37:42,070 --> 00:37:49,180 send him half the plane this is not the 582 00:37:45,550 --> 00:37:52,170 right place to show you an ELC with an 583 00:37:49,180 --> 00:37:56,230 Android version of the prehistory 584 00:37:52,170 --> 00:37:59,320 anybody can do that but it could follow 585 00:37:56,230 --> 00:38:05,609 two parts one is explosion of everything 586 00:37:59,320 --> 00:38:09,509 like the States fry you know the fine 587 00:38:05,609 --> 00:38:13,170 the pathway user his prone to region and 588 00:38:09,509 --> 00:38:15,599 that was it and then if the application 589 00:38:13,170 --> 
00:38:19,739 is multicast because it's has a number 590 00:38:15,599 --> 00:38:23,160 of functions it will turn out to see two 591 00:38:19,739 --> 00:38:24,960 million dots on Dex files so with the 592 00:38:23,160 --> 00:38:27,509 previous versions of Android you would 593 00:38:24,960 --> 00:38:30,420 be able to remember right rewrites 594 00:38:27,509 --> 00:38:39,210 classes in that folder and there you 595 00:38:30,420 --> 00:38:49,440 have yourself so as I was saying the 596 00:38:39,210 --> 00:38:52,380 first I'm using the hetaera tool someone 597 00:38:49,440 --> 00:38:56,940 that applied in black had 15 I think and 598 00:38:52,380 --> 00:39:00,390 what the guy he achieved remote 599 00:38:56,940 --> 00:39:08,539 execution of san through a mistake in 600 00:39:00,390 --> 00:39:11,430 the keyboard which also uploaded a zip I 601 00:39:08,539 --> 00:39:15,269 did this with a PK but we can use it as 602 00:39:11,430 --> 00:39:20,279 a px team basically we say the name of 603 00:39:15,269 --> 00:39:26,819 the file so we noted it could be we load 604 00:39:20,279 --> 00:39:28,109 the destination fund and and so the 605 00:39:26,819 --> 00:39:32,038 vulnerable function I'm going to show 606 00:39:28,109 --> 00:39:34,710 you about is in these classes in these 607 00:39:32,039 --> 00:39:38,999 two places so why is it in these two 608 00:39:34,710 --> 00:39:42,869 places I don't know maybe they're paid 609 00:39:38,999 --> 00:39:48,049 by kilo this is the function the 610 00:39:42,869 --> 00:39:55,220 interesting part is in green basically 611 00:39:48,049 --> 00:40:00,299 trying to create a file F variable and 612 00:39:55,220 --> 00:40:03,180 use an absolute path adding and that is 613 00:40:00,299 --> 00:40:05,750 a bar which is the separator of the OP 614 00:40:03,180 --> 00:40:08,580 cysts 615 00:40:05,750 --> 00:40:16,680 and get name which is the name of the 616 00:40:08,580 --> 00:40:22,880 fire you make some verifications then it 617 00:40:16,680 --> 
00:40:26,419 writes the fine according to that and 618 00:40:22,880 --> 00:40:30,410 you we should be able to do something 619 00:40:26,420 --> 00:40:30,410 we'll do another demo now 620 00:40:47,990 --> 00:41:00,569 one more sin one more sin basically you 621 00:40:58,380 --> 00:41:05,190 find the same thing but I'm showing this 622 00:41:00,570 --> 00:41:06,810 or you can see here we have a call to me 623 00:41:05,190 --> 00:41:23,430 item that I used to send it through 624 00:41:06,810 --> 00:41:30,420 multicast we have the AP working with to 625 00:41:23,430 --> 00:41:37,919 make the reset here we get the 626 00:41:30,420 --> 00:41:40,260 permissions I was talking to friends in 627 00:41:37,920 --> 00:41:41,670 the script down there and so I asked 628 00:41:40,260 --> 00:41:44,250 them to write the script on monetization 629 00:41:41,670 --> 00:41:49,230 to see if their changes and you can 630 00:41:44,250 --> 00:41:51,420 execute one one step and list the 631 00:41:49,230 --> 00:41:53,300 content of folder according to what you 632 00:41:51,420 --> 00:41:56,430 need it could be more difficult or less 633 00:41:53,300 --> 00:41:58,860 you can use maybe another day name I'm 634 00:41:56,430 --> 00:42:01,560 not sure the code so basically we have 635 00:41:58,860 --> 00:42:03,780 the list content of that SD and we'll do 636 00:42:01,560 --> 00:42:08,150 the same thing we did before but we will 637 00:42:03,780 --> 00:42:12,840 offer the zip that I talked to you about 638 00:42:08,150 --> 00:42:18,180 we wait for connection as you can see 639 00:42:12,840 --> 00:42:22,140 here's the UDP traffic FTP traffic we 640 00:42:18,180 --> 00:42:25,020 will monitor to find the file and then 641 00:42:22,140 --> 00:42:34,129 we have the folder okay 642 00:42:25,020 --> 00:42:34,130 right now there's only three folders 643 00:42:35,840 --> 00:42:43,130 and it has created a fourth basically 644 00:42:40,310 --> 00:42:44,720 all the laws shown through a to be okay 645 
00:42:43,130 --> 00:42:49,670 Wow and also keep them here 646 00:42:44,720 --> 00:42:55,009 and ours are also in the AST so this 647 00:42:49,670 --> 00:42:58,250 version here we have it I think I have 648 00:42:55,010 --> 00:43:07,700 another fun here I'm trying to download 649 00:42:58,250 --> 00:43:14,740 everything the apple fell parts we have 650 00:43:07,700 --> 00:43:14,740 another file in USB so we stopped 651 00:43:21,200 --> 00:43:30,750 yes it is kind of - your mother knows 652 00:43:28,100 --> 00:43:36,029 about it but I got a benefit so we can 653 00:43:30,750 --> 00:43:37,560 see the date' and on that so this is 654 00:43:36,030 --> 00:43:40,890 what we showed the manufacturer and we 655 00:43:37,560 --> 00:43:43,850 say you haven't caught a server 656 00:43:40,890 --> 00:43:47,310 validation and we were able to do this 657 00:43:43,850 --> 00:43:51,330 last night I saw the video I showed you 658 00:43:47,310 --> 00:43:56,370 the spam of the application and you can 659 00:43:51,330 --> 00:43:58,890 see we have tablets on the wall I do 660 00:43:56,370 --> 00:44:03,660 know the user Android or iPad or other 661 00:43:58,890 --> 00:44:06,000 obsess I can't really find out I'll say 662 00:44:03,660 --> 00:44:09,379 things that I don't know for sure but 663 00:44:06,000 --> 00:44:09,380 those are the tablets there 664 00:44:15,670 --> 00:44:31,360 let's see where we're at as I was saying 665 00:44:21,760 --> 00:44:36,730 on the basis of the design of the 666 00:44:31,360 --> 00:44:46,810 application we can broadcast a valid 667 00:44:36,730 --> 00:44:59,770 configuration so this was this would 668 00:44:46,810 --> 00:45:04,620 download defined so these are the things 669 00:44:59,770 --> 00:45:10,710 we could do we could get a faith server 670 00:45:04,620 --> 00:45:13,839 as it has a password we find method 671 00:45:10,710 --> 00:45:19,630 verified in XML to find the site with a 672 00:45:13,840 --> 00:45:22,530 password we could hijack this and to get 
673 00:45:19,630 --> 00:45:26,580 the pass therefore we could access 674 00:45:22,530 --> 00:45:29,590 characters that a passenger doesn't have 675 00:45:26,580 --> 00:45:32,529 but bits is better than before I'm 676 00:45:29,590 --> 00:45:37,900 better than nothing other things we 677 00:45:32,530 --> 00:45:42,190 could do if we had access if the Wi-Fi 678 00:45:37,900 --> 00:45:48,250 was open or we had a password broadcast 679 00:45:42,190 --> 00:45:53,020 through a menu my attack controller 680 00:45:48,250 --> 00:45:55,150 music you can have the listen to maluma 681 00:45:53,020 --> 00:45:57,160 the entire flight when in fact you 682 00:45:55,150 --> 00:46:00,340 couldn't but you can just think about it 683 00:45:57,160 --> 00:46:02,879 then which broadcast music any kind that 684 00:46:00,340 --> 00:46:02,880 it can't change 685 00:46:05,330 --> 00:46:11,360 you can do this with the subliminal 686 00:46:09,200 --> 00:46:12,770 recording to get people to vote the 687 00:46:11,360 --> 00:46:14,720 party you want when they get off the 688 00:46:12,770 --> 00:46:18,020 plane so I don't have a lot of 689 00:46:14,720 --> 00:46:26,270 imagination as you can see as I was 690 00:46:18,020 --> 00:46:28,540 saying what can the crew do they could 691 00:46:26,270 --> 00:46:30,800 change we can change the temperature I 692 00:46:28,540 --> 00:46:33,259 understand that all this has manual 693 00:46:30,800 --> 00:46:36,770 controls but it's not bad to play with 694 00:46:33,260 --> 00:46:38,930 it maybe I don't have access to the 695 00:46:36,770 --> 00:46:42,710 device I don't know what what 696 00:46:38,930 --> 00:46:45,859 temperature you can put the plane this 697 00:46:42,710 --> 00:46:49,640 is controlled by the app or by a server 698 00:46:45,860 --> 00:46:57,700 I have and I can change it not but these 699 00:46:49,640 --> 00:46:57,700 are things that I can access obviously 700 00:47:00,580 --> 00:47:07,420 communications are not safe or secure 701 00:47:03,880 --> 
00:47:10,190 the application implements a layered 702 00:47:07,420 --> 00:47:13,030 encrypts communications so the attacker 703 00:47:10,190 --> 00:47:16,910 could make the management starts 704 00:47:13,030 --> 00:47:19,940 sensitive some secret if the application 705 00:47:16,910 --> 00:47:22,790 is based on our network without Wi-Fi it 706 00:47:19,940 --> 00:47:24,350 could become the mail in the middle then 707 00:47:22,790 --> 00:47:27,440 I was seen that according to the 708 00:47:24,350 --> 00:47:30,790 connected device form in which you 709 00:47:27,440 --> 00:47:35,090 download the configuration changes 710 00:47:30,790 --> 00:47:37,009 encrusted tablets although we were 711 00:47:35,090 --> 00:47:43,340 discussing earlier if it has the word 712 00:47:37,010 --> 00:47:48,050 SDK Devon Devon I can download it 713 00:47:43,340 --> 00:47:49,600 through HTTP instead of RTP so you just 714 00:47:48,050 --> 00:47:55,210 look for the connection 715 00:47:49,600 --> 00:47:55,210 HTTP 80 path as you can see here 716 00:48:02,330 --> 00:48:18,920 so fixes as we were saying implements a 717 00:48:07,670 --> 00:48:23,240 TLS authentication client-server do 718 00:48:18,920 --> 00:48:26,230 something to make it not easy as issuing 719 00:48:23,240 --> 00:48:28,850 through multicast a password and user 720 00:48:26,230 --> 00:48:32,270 now I found the bag I said hey I'm 721 00:48:28,850 --> 00:48:34,130 sitting I wouldn't you know how to 722 00:48:32,270 --> 00:48:37,509 envelop half of the application or so 723 00:48:34,130 --> 00:48:44,510 there's sufficient knowledge to fix this 724 00:48:37,510 --> 00:48:48,580 the sanitization of the sit it would be 725 00:48:44,510 --> 00:48:48,580 good to review the application in hires 726 00:48:54,770 --> 00:49:01,190 other minor issues 727 00:48:58,070 --> 00:49:03,270 well this information it's in the logcat 728 00:49:01,190 --> 00:49:04,890 it's in the code you put the password 729 00:49:03,270 --> 00:49:09,840 and get it 
through the locket and you 730 00:49:04,890 --> 00:49:14,490 can save it in the folder fold is the 731 00:49:09,840 --> 00:49:16,730 one we said earlier no one we saw in the 732 00:49:14,490 --> 00:49:16,729 video 733 00:49:21,470 --> 00:49:31,589 so obviously for us when you're using a 734 00:49:25,350 --> 00:49:36,560 complex application everybody uses prim 735 00:49:31,590 --> 00:49:36,560 F's but in this case it's not necessary 736 00:49:49,580 --> 00:50:10,370 joshan is non hack so we find a number 737 00:50:01,290 --> 00:50:10,370 of i/os attacks of the famous XML lol 738 00:50:10,400 --> 00:50:20,100 memory to parse and the application is 739 00:50:14,070 --> 00:50:22,080 overloaded v zip it's the same you can 740 00:50:20,100 --> 00:50:30,380 make a zip with a hundred gigabytes and 741 00:50:22,080 --> 00:50:38,400 that's the end of the app online is 742 00:50:30,380 --> 00:50:44,580 important so February 2018 we discovered 743 00:50:38,400 --> 00:50:49,440 I ulnar ability then they sent an 744 00:50:44,580 --> 00:50:59,279 advisory client March 19 so we found 745 00:50:49,440 --> 00:51:03,450 this we can do all this so we will 746 00:50:59,280 --> 00:51:07,710 coordinate with Bombardier to see it and 747 00:51:03,450 --> 00:51:10,259 this is when we were publishing it I 748 00:51:07,710 --> 00:51:13,100 don't say that we that they haven't 749 00:51:10,260 --> 00:51:13,100 fixed it 750 00:51:14,540 --> 00:51:23,240 we could continue playing to do plane I 751 00:51:21,200 --> 00:51:28,250 don't ask you to remember everything 752 00:51:23,240 --> 00:51:30,080 because I couldn't either this is the 753 00:51:28,250 --> 00:51:32,990 permissions given by the application so 754 00:51:30,080 --> 00:51:42,860 what problems do we have that gentleman 755 00:51:32,990 --> 00:51:47,060 is creating files in a SMD SD this is 756 00:51:42,860 --> 00:51:54,170 the way you fix it fix this for a while 757 00:51:47,060 --> 00:52:00,110 but anyway so the last version of the - 
758 00:51:54,170 --> 00:52:11,630 - - remote is here so if we try to do it 759 00:52:00,110 --> 00:52:15,370 we get the error oh my god something is 760 00:52:11,630 --> 00:52:15,370 happening we have two apps 761 00:52:18,040 --> 00:52:23,350 I put the videos on YouTube because I 762 00:52:21,760 --> 00:52:25,780 didn't know if I was gonna be left 763 00:52:23,350 --> 00:52:27,549 without internet so there or whatever's 764 00:52:25,780 --> 00:52:34,900 have the backup of the backup of the 765 00:52:27,550 --> 00:52:38,010 backup this only accept the bombardier 766 00:52:34,900 --> 00:52:38,010 application okay 767 00:52:44,319 --> 00:52:57,459 how are you doing timewise should I show 768 00:52:50,739 --> 00:53:03,239 the video now okay I'll do the demo if 769 00:52:57,459 --> 00:53:03,239 it fails so give me a sec 770 00:53:33,809 --> 00:53:41,609 give me a minute and this is the last 771 00:53:38,890 --> 00:53:41,609 slide actually 772 00:54:07,070 --> 00:54:31,970 malice toward a stocky stocky vamos a 773 00:54:21,030 --> 00:54:31,970 poner Valley 774 00:54:52,099 --> 00:54:59,299 Malibu Curitiba damp vamos para para que 775 00:54:57,440 --> 00:55:02,599 se como el video give me a second cuz I 776 00:54:59,299 --> 00:55:04,749 want to get everything ready to show the 777 00:55:02,599 --> 00:55:04,749 video 778 00:55:21,570 --> 00:55:25,470 so we will connect 779 00:55:30,580 --> 00:56:00,790 Linux just oh yeah 780 00:55:56,050 --> 00:56:00,790 nearly ready please be patient 781 00:56:09,880 --> 00:56:18,860 Palestinian under Sharia I'm trying to 782 00:56:13,400 --> 00:56:22,790 show the mobile on the screen have you 783 00:56:18,860 --> 00:56:40,550 seen any icon around here on the screen 784 00:56:22,790 --> 00:56:47,060 so give me a sec male crew gotta see 785 00:56:40,550 --> 00:56:49,900 Bali see auras male touch cell ok so 786 00:56:47,060 --> 00:56:49,900 what is the shell now 787 00:56:51,420 --> 00:57:00,900 now I can send all this to the screen 788 
00:56:54,029 --> 00:57:06,260 there we go weird I don't know is how 789 00:57:00,900 --> 00:57:10,769 can I do it blindly here we have the app 790 00:57:06,260 --> 00:57:23,369 and now I have to raise a small issue 791 00:57:10,769 --> 00:57:26,598 here okay this is the script that lists 792 00:57:23,369 --> 00:57:26,599 the information on the card 793 00:57:32,800 --> 00:57:36,910 we want to start the Wi-Fi 794 00:57:42,120 --> 00:57:49,279 so we're connected no more flight mode 795 00:57:51,170 --> 00:57:59,220 the Bombardier application we don't have 796 00:57:56,280 --> 00:58:08,700 crochet or anything and this is the two 797 00:57:59,220 --> 00:58:15,600 to one version so here we have a UDP 798 00:58:08,700 --> 00:58:22,730 right there's nothing we can see here so 799 00:58:15,600 --> 00:58:22,730 if I do a cat here we get the cold 800 00:58:26,680 --> 00:58:29,680 better 801 00:58:39,390 --> 00:58:51,609 so will you here we can see here the 802 00:58:44,910 --> 00:58:59,170 forseeable UDP traffic so we will put 803 00:58:51,610 --> 00:59:07,300 your TCP X 21 so now we will start the 804 00:58:59,170 --> 00:59:09,990 app is the content of a folder here we 805 00:59:07,300 --> 00:59:12,660 see that the app is not executed and 806 00:59:09,990 --> 00:59:16,450 somebody's messing around with a Wi-Fi 807 00:59:12,660 --> 00:59:19,029 maybe it's some of you but watch it 808 00:59:16,450 --> 00:59:23,759 because I've got all your max addresses 809 00:59:19,030 --> 00:59:23,760 so here we see the app starting up I 810 00:59:26,790 --> 00:59:31,800 don't know if I'm someone who's being 811 00:59:29,560 --> 00:59:35,160 naughty here or what is happening in the 812 00:59:31,800 --> 00:59:35,160 lower part 813 00:59:54,430 --> 01:00:04,839 it says working now what there's we 814 01:00:03,579 --> 01:00:07,079 won't be able to have the video I'm 815 01:00:04,839 --> 01:00:07,078 sorry 816 01:00:23,090 --> 01:00:32,970 bombardier last version the video is 817 01:00:30,290 
--> 01:00:37,620 executed in some of the screens of this 818 01:00:32,970 --> 01:00:42,149 computer ok overlook all this jump close 819 01:00:37,620 --> 01:00:46,529 on this this is what you get when you do 820 01:00:42,150 --> 01:00:50,580 tests with Wi-Fi and now the file is 821 01:00:46,530 --> 01:01:01,320 created again loads the latest version 822 01:00:50,580 --> 01:01:05,610 and it writes the file so we do and 823 01:01:01,320 --> 01:01:08,660 there we are so the last version is 824 01:01:05,610 --> 01:01:08,660 still rotating 825 01:01:11,210 --> 01:01:20,970 you don't applaud you give me hand or 826 01:01:13,770 --> 01:01:24,390 anything really look so you were good in 827 01:01:20,970 --> 01:01:26,839 the end so it created a file here we 828 01:01:24,390 --> 01:01:26,839 have it 829 01:01:31,850 --> 01:01:36,190 now here we have the Canton file 830 01:01:37,850 --> 01:01:50,210 I guess he fainted wow you're really a 831 01:01:42,250 --> 01:01:53,200 difficult crowding maybe someone is 832 01:01:50,210 --> 01:01:53,200 gonna connect to the Wi-Fi 833 01:02:01,140 --> 01:02:10,859 I think I have just one slide to go well 834 01:02:08,160 --> 01:02:19,560 I'll put this at the end this wonderful 835 01:02:10,860 --> 01:02:22,910 photo reference and this great video to 836 01:02:19,560 --> 01:02:27,540 thank all of you for putting up with me 837 01:02:22,910 --> 01:02:29,609 routed Khan and my company for giving me 838 01:02:27,540 --> 01:02:30,600 the time to do the research and as soon 839 01:02:29,610 --> 01:02:32,250 as I cut they said 840 01:02:30,600 --> 01:02:36,060 didn't you want to do things with 841 01:02:32,250 --> 01:02:38,700 Android ok look we have app for planes 842 01:02:36,060 --> 01:02:39,750 so that's how it all started thank you 843 01:02:38,700 --> 01:02:42,939 very much 844 01:02:39,750 --> 01:02:42,940 [Applause]