Comments on: Hacker or hooker? http://rdist.root.org/2008/07/21/hacker-or-hooker/ Embedded security, crypto, software protection Mon, 08 Mar 2010 21:19:29 +0000 http://wordpress.com/ hourly 1 By: wunderbarb http://rdist.root.org/2008/07/21/hacker-or-hooker/#comment-4737 wunderbarb Wed, 06 Aug 2008 16:52:25 +0000 http://rdist.wordpress.com/?p=151#comment-4737 I have another explanation why encryption is not universal. Data recovery when user has lost his/her passphrase/password. And he will forget it, believe me. Then either you provide a trapdoor (and then we are back to initial place from the point of view of hacker) or he will definitively loose his/her data. <a href="http://eric-diehl.com/index.php?lang=En&page=lois" rel="nofollow">Law 6: You are the weakest link</a>. Handling of passwords are a difficult task. By the way, nice blog. You will hear from me often. #;-) I have another explanation why encryption is not universal. Data recovery when user has lost his/her passphrase/password. And he will forget it, believe me. Then either you provide a trapdoor (and then we are back to initial place from the point of view of hacker) or he will definitively loose his/her data.

Law 6: You are the weakest link. Handling of passwords are a difficult task.

By the way, nice blog. You will hear from me often. #;-)

]]> By: Gastroid http://rdist.root.org/2008/07/21/hacker-or-hooker/#comment-4701 Gastroid Mon, 21 Jul 2008 18:01:30 +0000 http://rdist.wordpress.com/?p=151#comment-4701 I may be talking out of a random orifice, but I would guess encryption is not universal because it hurts performance too much on system with a 300 MHz processor. How easy is it to patch flash without JTAG? Company Blackberries do have required passwords and auto-lock screens (mine locked after 1 minute inactivity, or as soon as I put it in holster). I think the 'consumer' variety don't do that, but I've never had one so I'm not sure. I may be talking out of a random orifice, but I would guess encryption is not universal because it hurts performance too much on system with a 300 MHz processor.

How easy is it to patch flash without JTAG?

Company Blackberries do have required passwords and auto-lock screens (mine locked after 1 minute inactivity, or as soon as I put it in holster). I think the ‘consumer’ variety don’t do that, but I’ve never had one so I’m not sure.

]]> By: Nate Lawson http://rdist.root.org/2008/07/21/hacker-or-hooker/#comment-4700 Nate Lawson Mon, 21 Jul 2008 16:50:22 +0000 http://rdist.wordpress.com/?p=151#comment-4700 I have a dumb question. Why isn't encryption built-in with no option to enable or disable it? There's an easy way to add encryption at the factory. I'm looking at this teardown of the <a href="http://www.mobilehandsetdesignline.com/howto/baseband_multimedia_processing/showArticle.jhtml?articleID=191801614" rel="nofollow">Blackberry 8700</a>. It has an Intel PXA (was XScale) processor with NOR flash and SDRAM in the same package. So, when you install the OS for the first time in the factory, it would create a random encryption key and all data that was written to the external, bulk storage flash could be encrypted with it. That key would then be encrypted with the default password ("password"?) and written to the internal flash. When a user took delivery of the device, they could change the password and thus the encrypted key. As long as no one had dumped the internal NOR flash before the user set a password, the original key would just be decrypted with the default and re-encrypted with the new passphrase. If the user was paranoid, they could request re-encryption of all the data under a new key instead. Some day that will be expected of manufacturers. As for attacking a Blackberry today, it's likely that the device does not auto-lock and require a password so you can transfer data off it just like the user would. To catch dumb thieves, it would probably suffice to review Blackberry server logs for outgoing messages. For hardware attacks, it seems the external flash is NOR as well. That is not as cheap as NAND so it's possible they execute directly out of it. If that's the case, pick a binary and patch it to get root. I have a dumb question. Why isn’t encryption built-in with no option to enable or disable it? There’s an easy way to add encryption at the factory.

I’m looking at this teardown of the Blackberry 8700. It has an Intel PXA (was XScale) processor with NOR flash and SDRAM in the same package. So, when you install the OS for the first time in the factory, it would create a random encryption key and all data that was written to the external, bulk storage flash could be encrypted with it. That key would then be encrypted with the default password (“password”?) and written to the internal flash.

When a user took delivery of the device, they could change the password and thus the encrypted key. As long as no one had dumped the internal NOR flash before the user set a password, the original key would just be decrypted with the default and re-encrypted with the new passphrase. If the user was paranoid, they could request re-encryption of all the data under a new key instead.

Some day that will be expected of manufacturers. As for attacking a Blackberry today, it’s likely that the device does not auto-lock and require a password so you can transfer data off it just like the user would. To catch dumb thieves, it would probably suffice to review Blackberry server logs for outgoing messages.

For hardware attacks, it seems the external flash is NOR as well. That is not as cheap as NAND so it’s possible they execute directly out of it. If that’s the case, pick a binary and patch it to get root.

]]> By: Gastroid http://rdist.root.org/2008/07/21/hacker-or-hooker/#comment-4699 Gastroid Mon, 21 Jul 2008 15:11:18 +0000 http://rdist.wordpress.com/?p=151#comment-4699 Talking about defenses against attackers with possession of the device, you might notice that even if you still someone's Blackberry, you're not home free to getting the data off of it. It wipes the data if you try the wrong password 10 times. So assuming the user didn't have its native encryption turned on (articles seem to imply that Mr Downing Street Casanova didn't), you still have to have 0day to beat the lock, or else you have to open it up to take the flash off the board (anyone know how easy/hard this is?). I have heard from friends who play with this sort of thing that Blackberries don't have JTAG exposed. Talking about defenses against attackers with possession of the device, you might notice that even if you still someone’s Blackberry, you’re not home free to getting the data off of it.

It wipes the data if you try the wrong password 10 times. So assuming the user didn’t have its native encryption turned on (articles seem to imply that Mr Downing Street Casanova didn’t), you still have to have 0day to beat the lock, or else you have to open it up to take the flash off the board (anyone know how easy/hard this is?). I have heard from friends who play with this sort of thing that Blackberries don’t have JTAG exposed.

]]> By: Evan S http://rdist.root.org/2008/07/21/hacker-or-hooker/#comment-4698 Evan S Mon, 21 Jul 2008 15:03:10 +0000 http://rdist.wordpress.com/?p=151#comment-4698 This post reminds me of a quote attributed to Bob Morris (the elder). Paraphrasing: When considering the security of information, don't forget about the 3 B's: Blackmail, Bribery, and Burglary. Typically, it is the cheapest of those three that ends up getting the job done. This post reminds me of a quote attributed to Bob Morris (the elder). Paraphrasing: When considering the security of information, don’t forget about the 3 B’s: Blackmail, Bribery, and Burglary. Typically, it is the cheapest of those three that ends up getting the job done.

]]>