Chinese Police & CloudPets DeepSec November 28-29, 2019 - PowerPoint PPT Presentation

  1. Chinese Police & CloudPets, DeepSec November 28-29, 2019 – Vienna, Austria. Presented by: Abraham Aranguren > admin@7asecurity.com > @7asecurity > @7a_ > @owtfp [ OWASP OWTF - owtf.org ] + 7asecurity.com

  2. Who am I?
  ★ Director at 7ASecurity; public reports, presentations, etc. here: 7asecurity.com/publications
  ★ Former Team Lead & Penetration Tester at Cure53 and Version 1
  ★ Co-Author of hands-on 7ASecurity courses:
    ○ Pwn & Fix JS apps, shells, injections and fun! (a Node.js & Electron course)
    ○ Hacking Android, iOS and IoT (a Mobile App Security course)
  ★ Author of Practical Web Defense, a hands-on attack & defense course: www.elearnsecurity.com/PWD
  ★ Founder and leader of OWASP OWTF, an OWASP flagship project: owtf.org
  ★ Some presentations: www.slideshare.net/abrahamaranguren/presentations
  ★ Some sec certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE: Security, MCSA: Security, Security+
  ★ Some dev certs: ZCE PHP 5, ZCE PHP 4, Oracle PL/SQL Developer Certified Associate, MySQL 5 CMDev, MCTS SQL Server 2005

  3. Public Mobile Pentest Reports - I
  Smart Sheriff, a mobile app mandated by the South Korean government. Public Pentest Reports:
  → Smart Sheriff: Round #1 - https://7asecurity.com/reports/pentest-report_smartsheriff.pdf
  → Smart Sheriff: Round #2 - https://7asecurity.com/reports/pentest-report_smartsheriff-2.pdf
  Presentation: “Smart Sheriff, Dumb Idea, the wild west of government assisted parenting”
  Slides: https://www.slideshare.net/abrahamaranguren/smart-sheriff-dumb-idea-the-wild-west-of-government-assisted-parenting
  Video: https://www.youtube.com/watch?v=AbGX67CuVBQ
  Chinese Police Apps Pentest Reports:
  → “Study the Great Nation” 09.2019 - https://7asecurity.com/reports/analysis-report_sgn.pdf
  → "BXAQ" (OTF) 03.2019 - https://7asecurity.com/reports/analysis-report_bxaq.pdf
  → "IJOP" (HRW) 12.2018 - https://7asecurity.com/reports/analysis-report_ijop.pdf

  4. Public Mobile Pentest Reports - II
  Other reports:
  → Exodus iOS Mobile App - https://7asecurity.com/reports/pentest-report_exodus.pdf
  → imToken Wallet - https://7asecurity.com/reports/pentest-report_imtoken.pdf
  → Whistler Apps - https://7asecurity.com/reports/pentest-report_whistler.pdf
  → Psiphon - https://7asecurity.com/reports/pentest-report_psiphon.pdf
  → Briar - https://7asecurity.com/reports/pentest-report_briar.pdf
  → Padlock - https://7asecurity.com/reports/pentest-report_padlock.pdf
  → Peerio - https://7asecurity.com/reports/pentest-report_peerio.pdf
  → OpenKeyChain - https://7asecurity.com/reports/pentest-report_openkeychain.pdf
  → F-Droid / Bazaar - https://7asecurity.com/reports/pentest-report_fdroid.pdf
  → Onion Browser - https://7asecurity.com/reports/pentest-report_onion-browser.pdf
  More here: https://7asecurity.com/publications

  5. Agenda
  3 different security audits with interesting backgrounds:
  1. CloudPets:
    ■ Preliminary work & epic track record
    ■ What we found
    ■ What happened afterwards
  2. “IJOP” Chinese Police app:
    ■ Police enter data manually, fill out forms
  3. “BXAQ” Chinese Police app:
    ■ Police install an app that grabs data from a phone
  "BXAQ" and "IJOP" are both related to surveillance of ethnic minorities, but in different ways.

  6. PART 1: CloudPets

  7. What are CloudPets? https://www.youtube.com/watch?v=11gvtRg3_V8

  8. How do CloudPets work? https://www.youtube.com/watch?v=kgyRvO0sgcE

  9. CloudPets Summary - I
  Intended usage:
  → Parent (far from home) sends messages to children using a mobile app
  → Children receive these messages on the Soft Toy
  → Children can send messages via the Soft Toy
  → Parent receives messages on the mobile app
  The Toys:
  → Use Bluetooth LE to communicate with the mobile app
  → Have a microphone
  → Have a speaker

  10. CloudPets Summary - II
  Mobile app on parent phone = away from the toy:
  → Sends/receives messages to/from CloudPets servers and Amazon S3
  Mobile app on children's device = close to the toy:
  → Sends/receives messages to/from CloudPets servers and Amazon S3
  → Uploads/downloads messages to/from the Toy via Bluetooth LE

  11. What could possibly go wrong? Any ideas?

  12. Previous Work: #1 - MongoDB without auth
  Full access to all messages ever sent between parents and children!
  Summary:
  → MongoDB exposed to the internet without authentication
  → Unauthorized parties downloaded the database
  → 3 ransom requests
  → Indexed by Shodan
  → 821k user records at risk
  → Spiral Toys (CloudPets’ company) claimed to never have found evidence of any breach…

  13. Previous Work: #1 - MongoDB without auth

  14. Previous Work: #1 - MongoDB without auth
  Password hashes, emails, links to all voice recordings from children and parents, etc.
  https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/

  15. Previous Work: #2 - First Ransom
  “You DB is backed up on our servers, send 1 BTC to 1J5ADzFv1gx3fsUPUY1AWktuJ6DF9P6hiF then send your ip address to email:kraken0@india.com”
  https://twitter.com/nmerrigan/status/817289743817998337/photo/1
  https://pastebin.com/BgJADkqW

  16. Previous Work: #3 - Initial Timeline
  2016.12.30 - 2017.01.04: Multiple security researchers alert CloudPets via multiple means
  2017.01.07: Ransom #1: Original databases deleted + ransom demand left on the system via "PLEASE_READ" message
  2017.01.08: Ransom #2: Demand left for "README_MISSING_DATABASES"; Ransom #3: Demand left for "PWNED_SECURE_YOUR_STUFF_SILLY"
  2017.01.13: No databases were found to still be publicly accessible
  https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/

  17. Previous Work #4: Toy Security
  Paul Stone’s research: https://www.contextis.com/en/blog/hacking-unicorns-web-bluetooth
  The Toy has:
  → No built-in Bluetooth security features.
  → No authentication for bonding/pairing between the device and phone.
  → Anyone can connect to the toy as long as it is switched on. (!)
  → Unencrypted firmware upgrades; the only validation is a CRC16 checksum.
  → Possible to remotely modify the toy’s firmware.

  18. Previous Work #4: Paul Stone’s demo https://youtu.be/5pQt6Aa3AVs

  19. Previous Work #5: Vendor Response
  → Write-ups on the lack of security of the toy and the lack of use of built-in security features were published.
  → All attempts to warn Spiral Toys failed.
  → Spiral Toys confirms that they did not reply to the data breach emails, and rather decided to fix them.

  20. Question: What did they fix?

  21. Mozilla asks: Are toys safe now?

  22. Our Work: Viking Style

  23. Unicorn Analysis:

  24. What could possibly go wrong?

  25. PET-01-001 Backend: Tour domain is for sale and used over clear-text HTTP (High)
  The CloudPets app directs users to http://mycloudpets.com/tour for tutorials and help.
  → The domain is currently for sale.
  → Anybody can purchase the domain and influence users, e.g.:
    → prompting users for their CloudPets credentials.
    → prompting users to download malicious apps.

  26. PET-01-001 Backend: Tour domain is for sale and used over clear-text HTTP (High)
  Also:
  → The page is requested via clear-text HTTP.
  → This makes it trivial for a malicious attacker on the local network (e.g. public Wi-Fi) to modify the Tour page.
  → Allows attackers to target users, e.g.:
    → asking for user credentials.
    → prompting users to download malicious apps.

  27. PET-01-001 Backend: Tour domain is for sale and used over clear-text HTTP (High)
  Taps on the help icon:

  28. PET-01-001 Backend: Tour domain is for sale and used over clear-text HTTP (High)
  Demo

  29. PET-01-002 Toy: Authless attacks via Bluetooth remain possible (Critical)
  Paul Stone’s public PoC still works without any changes:
  https://github.com/pdjstone/cloudpets-web-bluetooth
  https://pdjstone.github.io/cloudpets-web-bluetooth/index.html
  → Strangers can still connect to the toys without authentication.
  → Push audio & play it on the Toy: anyone can interact with the child, e.g. “Open the door…”
  → Download audio from the toy: turns the toys into spy devices.

  30. PET-01-003 Toy: No firmware protections are in place (High)
  Lack of adequate firmware verification remains:
  → This was discovered during the initial setup of the device.
  → Firmware is installed onto the device from the app via BLE.
  → The installation process still has no verification:
    ○ NO signature or integrity checks in place.
  → The only “protection” is a CRC16 checksum.
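As an added illustration (not code from the talk, the toy or its vendor) of why a CRC16 is an error-detection code and not a firmware protection: a CRC can be recomputed by whoever modifies the image, while a keyed integrity tag cannot be recomputed without the key. The sample image, the key and the HMAC-SHA256 scheme are constructed for this example; a real update mechanism should use an asymmetric signature so that the device only ever holds a public key.

```python
"""CRC16 (error detection) versus a keyed integrity tag for a firmware image."""
import hashlib
import hmac


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE. Detects random corruption; anyone can recompute it."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def crc_verify(image: bytes, expected_crc: int) -> bool:
    return crc16_ccitt(image) == expected_crc


def mac_sign(image: bytes, key: bytes) -> bytes:
    """Keyed tag over the whole image; only a key holder can produce it."""
    return hmac.new(key, image, hashlib.sha256).digest()


def mac_verify(image: bytes, tag: bytes, key: bytes) -> bool:
    # compare_digest avoids timing side channels on the comparison.
    return hmac.compare_digest(mac_sign(image, key), tag)


# Constructed sample data (hypothetical image layout, demo key; not real firmware).
VENDOR_KEY = b"constructed-demo-key"
ORIGINAL = b"\x00\x20\x00\x20" + b"FIRMWARE v1.0 " + b"\x00" * 16
TAMPERED = ORIGINAL.replace(b"v1.0", b"v9.9")  # same length, different content


def demo() -> dict:
    """Run both checks against the original and the modified image."""
    crc = crc16_ccitt(ORIGINAL)          # what the app ships alongside the image
    tag = mac_sign(ORIGINAL, VENDOR_KEY)  # what a keyed scheme would ship instead
    return {
        "crc_accepts_original": crc_verify(ORIGINAL, crc),
        "crc_accepts_tampered": crc_verify(TAMPERED, crc),
        # A modified image with its CRC recomputed passes: no protection at all.
        "crc_accepts_tampered_recomputed": crc_verify(TAMPERED, crc16_ccitt(TAMPERED)),
        "mac_accepts_tampered": mac_verify(TAMPERED, tag, VENDOR_KEY),
        # Without the vendor key a freshly computed tag does not verify.
        "mac_accepts_forged": mac_verify(TAMPERED, mac_sign(TAMPERED, b"wrong"), VENDOR_KEY),
    }
```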

  31. PET-01-004 Backend: CloudPets voice recordings world-reachable (High)
  → Audio recordings created from the device are still being saved to cloudpet-prod.s3.amazonaws.com.
  → When users upload a new avatar or message, the application posts the data through the API and carries out a DNS lookup to cloudpet-prod.s3.amazonaws.com.
  → The S3 bucket has no authorization or authentication in place.
  → There are no limitations on accessing the files placed in the bucket.
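An added example (not from the talk, and not the bucket's real configuration) of the check a reviewer would run on an S3 bucket policy to catch the world-reachable case: it flags Allow statements with an anonymous principal and no Condition. Both policies below are constructed; the bucket name is the one named in the finding, and the account id and role name are placeholders. Bucket ACLs and the account's Block Public Access settings are separate controls that this policy lint does not cover.

```python
"""Flag S3 bucket-policy statements that grant anonymous (world) access."""
import json

# Constructed sample: the weak setting, a public read grant on every object.
WORLD_READABLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::cloudpet-prod/*",
    }],
})

# Constructed sample: the corrected setting, access limited to one backend role
# (placeholder account id / role) and plaintext transport denied.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppBackendOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::cloudpet-prod/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::cloudpet-prod", "arn:aws:s3:::cloudpet-prod/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def find_public_statements(policy_json: str) -> list:
    """Return the Sids of unconditional Allow statements open to anyone."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and _is_anonymous(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```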
