Guest pulser Posted January 17, 2010
It's so obvious it didn't dawn on me till I was sleeping! :) WS should treat no SIM being inserted exactly the same as an unrecognized SIM, i.e. automatic lock on boot. Prevents SIM removal to cut the data link. Also, how about WS storing some of its settings on the SIM and SD card too? (Copies, of course!) The more copies, the more likely that one will survive, and lock the phone before replicating the settings to each location again. Paul's idea of super boot style adding of the APK to system if removed on boot is also good. Would it detect a modified (maliciously) file as needing to be replaced though? (i.e. a hash check to see I've not swapped it for notepad or something else.) Any other suggestions?

PS. Started a new thread as the old one was going a bit off topic.
Guest lemmingzappa Posted January 17, 2010
I agree with both suggested methods :)
Guest Vido.Ardes Posted January 17, 2010
As far as I know, it does this already. I removed my SIM and put it back in again (all while off, didn't turn it on in between), turned on the phone and it was locked. I had to put in the PIN.
Guest shenshang Posted January 17, 2010
Could use 256-bit AES encryption of the settings file with the PIN.
Guest pulser Posted January 17, 2010
Quoting shenshang: "could use 256 AES encryption of the settings file with the PIN." :) Would you believe it? That's exactly what I was about to suggest right now. I tested the forgot PIN feature while locked, and sure enough, it sent an SMS to my 'buddy'. So now I'm gonna try and exploit that feature to see if I can 'maliciously' redirect the message to another phone that isn't my buddy. If this is possible, the usual details will be provided, as it sounds like WS read these threads and take on the feedback. And full disclosure of 'exploits' like this is usually best (these are all beyond the reach of the most tech-savvy thief), and it might get these issues to the attention of the WS devs.

@vido.ardes, which version of WS are you running? I haven't tried it on the latest version, but the 43 version which was current till a couple of days ago didn't lock on SIM removal. Sounds like they took on board the feedback from the other thread. :)
Guest pulser Posted January 17, 2010
OK. The buddy details are stored in unencrypted form in an SQLite database in .../databases/WSAndroid (usual path. Getting lazy at typing on Hero). Edit it on the PC after a pull, then push back to have modified the buddy's number. Now the temp PIN is sent to the thief, and they have full access.
Guest pulser Posted January 17, 2010 (edited)
Sorry for the double post :) edit not working for me right now. I have investigated the settings in the new version, and the WSAndroid database also contains what I believe are unencrypted keys that are used to decrypt the PIN and other encrypted settings. They are 32-character hex strings, and there is an ENC_KEY and an ENC_BASE_KEY along with an ENC_KEY_TYPE (4-character string featuring upper case and lower case with a digit too; maybe a base 62 number, or just a string?)

More interestingly, it also contains the IMSI numbers of 'allowed SIMs'. As these are plain text, maybe the devs would consider encrypting this data. I won't try it right now, but from my experience, WS always takes data like that at face value, and trusts the potentially modified data. I reckon I could easily add another IMSI to the table, and flag it as safe in the database, bypassing the security.

Also, the database appears to store the 'SERVER_URL', 'PLAIN_TEXT_LOCATION_SERVER_URL' & 'SERVER_LOGIN_URL'. All point to HTTPS addresses on the WS server, some with extra parameter strings like 'service.ashx?text=' and 'l.aspx?L='. Whilst this does not appear to be easily exploitable (all are HTTPS), this data should maybe be protected to stop someone redirecting the requests to example.com, thus making connection to the server impossible, preventing a lock reaching the phone, or preventing settings from being downloaded over the data network. More observations to follow, I'm sure... :)

Edit: I have checked my IMSI number for certainty, and it appears that WS is storing it in cleartext.

Suggestion for WS devs: could all the data files and databases be encrypted, as shenshang suggested, using AES-256 or RSA? Then, a hash of each encrypted setting should be taken, and stored. If either the encrypted data or the hash is tampered with (hashes don't match) or deleted, the phone should lock. At that point, an attempt should be made to download settings from the server.

Another suggestion: when all the data from WS is removed or tampered with, and no network connection is available (lock anyway if no SIM inserted), could the phone generate a challenge code displayed on screen? The user then either enters this number on the WS website and gets a response code (the code contains a hash of the IMEI, so a code is only generated if the IMEI matches the account). Then they type this response code into the phone, or possibly send it by SMS to the phone, and it is validated before telling the user to try and move to a better data signal area, or entering some settings again. In conjunction with multiple locations of data (what about SIM storage for SMS or phonebook?) and encryption of all data stores, with crypto hash validation, that would be one tough to crack system... :)

Edited January 17, 2010 by pulser
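Pulser's suggestion above (encrypt the settings store under the PIN, keep an integrity check over it, and lock the phone if the check fails or the store is gone) worked through as an added example in Go; this is not WaveSecure's code. It uses AES-256-GCM, whose authentication tag does the job of the separately stored hash (a bare hash kept next to the data can simply be recomputed by whoever edits the database), and binds the IMEI as associated data so a store copied from another handset does not open either; the PIN, IMEI, iteration count and sample settings are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// pinAEAD derives a 32-byte key from the PIN with PBKDF2-HMAC-SHA256 (one
// output block, written inline to stay stdlib-only) and returns AES-256-GCM.
func pinAEAD(pin string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(pin))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u, key := mac.Sum(nil), mac.Sum(nil)
	for i := 1; i < 100000; i++ { // constructed iteration count; tune per handset
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealSettings: blob = salt(16) || nonce(12) || AES-256-GCM ciphertext+tag.
// The IMEI is bound as associated data, so the blob only opens on this handset.
func sealSettings(pin, imei string, settings []byte) ([]byte, error) {
	hdr := make([]byte, 28)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	nonce := append([]byte(nil), hdr[16:]...)
	return pinAEAD(pin, hdr[:16]).Seal(hdr, nonce, settings, []byte(imei)), nil
}

// openSettings is the check the post asks for: a missing, truncated, edited,
// wrong-PIN or wrong-IMEI blob all return an error, and the caller locks.
func openSettings(pin, imei string, blob []byte) ([]byte, error) {
	if len(blob) < 28+16 { // header plus at least the GCM tag
		return nil, errors.New("settings store missing or truncated")
	}
	return pinAEAD(pin, blob[:16]).Open(nil, blob[16:28], blob[28:], []byte(imei))
}
```

A wrong PIN, a deleted store and an edited store are indistinguishable to the caller, which is the point: all three leave the phone locked until settings are re-fetched from the server.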
Guest pulser Posted January 18, 2010
I have just contacted WS by email today, as I discovered a slightly more serious vulnerability in WS that allows you to completely bypass the lock screen of a phone using nothing other than ADB. I will not post details here yet (since the method used was not beyond the abilities of the average user, or the moderately intelligent thief). When the issue is resolved, I will post full details as per open disclosure. In the meantime Paul, if you're interested, I can forward the message to you if you want (I know you have contacts at WS). Hopefully WS will be able to fix this...
Guest tomtomtigga Posted August 5, 2010 (edited)
Hi - I just read that you discovered the key settings in the WaveSecure settings file. This flaw HAS been used to hack WaveSecure several days ago - a major security flaw; the hacker was able to get the raw PIN of any user by that - just by knowing or guessing their IMEI. Just read this blog: http://secrep5265.blogspot.com It really enlightened me. Obviously then the hacker could get access to the online interface with all the user's data in it. Critical. They fixed it - but now the hard-reset-proof feature is not working anymore (for rooted phones) - and I read of several problems with registration after that. According to the author, however, the general security architecture of WS is quite insecure and could be hacked again soon...

Edited August 5, 2010 by tomtomtigga