DefCamp_2018_Conference_Chemerkin_Yury_-_full_.pdf
YuryChemerkin
45 views
168 slides
Jul 19, 2024
Slide 1 of 168
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
About This Presentation
This presentation discusses security and privacy risks associated with Internet of Things (IoT) devices, wearable technology, and connected home products. It covers topics like forensic analysis of smartwatches, fitness trackers, and health apps, emphasizing the need for improved risk management in ...
Slide Content
Mobile, IoT, Clouds…
It’s time to hire aRiskManager!
YURY CHEMERKIN
MULTI-SKILLED SECURITY EXPERT
CJSC ADVANCED MONITORING
It’s time to hire aRiskManager!
YURY CHEMERKIN
MULTI-SKILLED SECURITY EXPERT
CJSC ADVANCED MONITORING
YURY CHEMERKIN
I have ten+ years of experience in information
security. I‘m amulti-skilled security expert on
security & compliance and mainly focused on
privacy and leakage showdown. Key activity
fields are EMM and Mobile &, Cloud
Computing, IAM, Forensics & Compliance.
Ipublished many papers on mobile and cloud
security, regularly appears at conferences such
as CyberCrimeForum, HackerHalted, DefCamp,
NullCon, OWASP, CONFidence, Hacktivity,
Hackfest, DeepSec Intelligence, HackMiami,
NotaCon, BalcCon, Intelligence-Sec, InfoSec
NetSysAdmins, etc.
LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
TWITTER: @YURYCHEMERKIN
EMAIL: [email protected]
I have ten+ years of experience in information
security. I‘m amulti-skilled security expert on
security & compliance and mainly focused on
privacy and leakage showdown. Key activity
fields are EMM and Mobile &, Cloud
Computing, IAM, Forensics & Compliance.
Ipublished many papers on mobile and cloud
security, regularly appears at conferences such
as CyberCrimeForum, HackerHalted, DefCamp,
NullCon, OWASP, CONFidence, Hacktivity,
Hackfest, DeepSec Intelligence, HackMiami,
NotaCon, BalcCon, Intelligence-Sec, InfoSec
NetSysAdmins, etc.
LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
TWITTER: @YURYCHEMERKIN
EMAIL: [email protected]
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
UNDERSTANDING THINGS
IoT TAXONOMY& FRAGMENTATION
Source: https://www.cbinsights.com/research/internet-of-things-periodic-table/
Source: https://www.cbinsights.com/research/internet-of-things-periodic-table/
IoT TAXONOMY
Wearable Tech
Connected Home
Building Blocks & Platforms
Industrial Internet
Healthcare
In-store Retail
Connected Car
Venture Capital Firms
Corporate Investors
Angel Investors
Crowdfunding
Accelerators/Incubators
IoT Acquirers
Notable acquisitions
Wearable Tech
Connected Home
Building Blocks & Platforms
Industrial Internet
Healthcare
In-store Retail
Connected Car
Venture Capital Firms
Corporate Investors
Angel Investors
Crowdfunding
Accelerators/Incubators
IoT Acquirers
Notable acquisitions
NARROW THINGS
Wearable Tech
Connected Home
Healthcare
Wearable Tech
Connected Home
Healthcare
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
WATCHES
WEARABLE TECH
SMARTWATCHES –APPLE WATCH
MITM
Breaking LockScreen
Jailbreak
Backup
SMARTWATCHES –APPLE WATCH
MITM
Breaking LockScreen
Jailbreak
Backup
APPLE WATCH
MITM
The Apple Watch Series communicates via Bluetooth with the owner’s iPhone. If
this is not available via Bluetooth, Wi-Fi is used for synchronization to Apple
servers and the iPhone.
Online communication (over Wi-Fi)
[iPhone apps iCloud] –prevents MITM, SSL Pinning
[Apple Watch iCloud] –prevents MITM , SSL Pinning
No way to install SSL to Apple Watch
MITM
The Apple Watch Series communicates via Bluetooth with the owner’s iPhone. If
this is not available via Bluetooth, Wi-Fi is used for synchronization to Apple
servers and the iPhone.
Online communication (over Wi-Fi)
[iPhone apps iCloud] –prevents MITM, SSL Pinning
[Apple Watch iCloud] –prevents MITM , SSL Pinning
No way to install SSL to Apple Watch
APPLE WATCH
BREAKING THE LOCKSCREEN
Remove the Passcode Using Your iPhone
Go to a “Settings->General->Reset”
“Erase Apple Watch Content & Settings”
“Keep Plan” if iWatch has a Cellular Plan
Otherwise just “Erase All Content & Settings”
Pair it again
BREAKING THE LOCKSCREEN
Remove the Passcode Using Your iPhone
Go to a “Settings->General->Reset”
“Erase Apple Watch Content & Settings”
“Keep Plan” if iWatch has a Cellular Plan
Otherwise just “Erase All Content & Settings”
Pair it again
APPLE WATCH
BREAKING THE LOCKSCREEN
Removing Your Passcode Without an iPhone
Power Menu Press & hold the side button
Instead of sliding "Power Off", press on it
Tap "Erase all content and settings,"
Tap the green checkmark to confirm
Pair it again
BREAKING THE LOCKSCREEN
Removing Your Passcode Without an iPhone
Power Menu Press & hold the side button
Instead of sliding "Power Off", press on it
Tap "Erase all content and settings,"
Tap the green checkmark to confirm
Pair it again
APPLE WATCH
BREAKING THE LOCKSCREEN
Unpair iWatch via Apple Watch app & Apple Password
Keep your Apple Watch and iPhone close together.
Open the Apple Watch app on iPhone
Tap “My Watch tab”, “iWatch name”, “Unpair Apple Watch”
Press “Keep Plan” for a cellular iWatches
Enter your Apple ID password and tap confirm
BREAKING THE LOCKSCREEN
Unpair iWatch via Apple Watch app & Apple Password
Keep your Apple Watch and iPhone close together.
Open the Apple Watch app on iPhone
Tap “My Watch tab”, “iWatch name”, “Unpair Apple Watch”
Press “Keep Plan” for a cellular iWatches
Enter your Apple ID password and tap confirm
APPLE WATCH
JAILBREAKS
Jailbreaks for USB
Apple Watch series 1-4 & watchOS5 –no jailbreak
watchOS4.0 -4.1
v0rtex jailbreak for developers only
https://github.com/tihmstar/jelbrekTime
Apple Watch series 1-2 & watchOS3.0 –3.2.3
OverCl0ck jailbreak –still in development
https://github.com/PsychoTea/OverCl0ck
Jail & Bluetooth Connection over SSH
https://speakerdeck.com/mbazaliy/jailbreaking- apple-watch
JAILBREAKS
Jailbreaks for USB
Apple Watch series 1-4 & watchOS5 –no jailbreak
watchOS4.0 -4.1
v0rtex jailbreak for developers only
https://github.com/tihmstar/jelbrekTime
Apple Watch series 1-2 & watchOS3.0 –3.2.3
OverCl0ck jailbreak –still in development
https://github.com/PsychoTea/OverCl0ck
Jail & Bluetooth Connection over SSH
https://speakerdeck.com/mbazaliy/jailbreaking- apple-watch
APPLE WATCH -BACKUP
/mobile/Library/DeviceRegistry.state
/properties.bin
Binary PlistFile –Contains Paired Apple
Watch Specifics incl: Watch Name, Make,
Model, OS, GUID
Synced Data Path with GUID, date, local
Serial Number, UDID, WiFi MAC, SEID
(Secure Element ID), Bluetooth MAC
/mobile/Library/DeviceRegistry.state
/properties.bin
Binary PlistFile –Contains Paired Apple
Watch Specifics incl: Watch Name, Make,
Model, OS, GUID
Synced Data Path with GUID, date, local
Serial Number, UDID, WiFi MAC, SEID
(Secure Element ID), Bluetooth MAC
APPLE WATCH -BACKUP
Plistcontained installed apps on Apple
Watch (2 places)
/mobile/Library/DeviceRegistry /<GUID>/Na
noPreferencesSync/NanoDomains/ com.apple.C
arousel
/mobile/Library/DeviceRegistry /<GUID>
Example:
/mobile/Library/DeviceRegistry /<GUID>/
AddressBook/
Plistcontained installed apps on Apple
Watch (2 places)
/mobile/Library/DeviceRegistry /<GUID>/Na
noPreferencesSync/NanoDomains/ com.apple.C
arousel
/mobile/Library/DeviceRegistry /<GUID>
Example:
/mobile/Library/DeviceRegistry /<GUID>/
AddressBook/
APPLE WATCH
BACKUP
Email -
/mobile/Library/DeviceRegistry/<
GUID>/NanoMail/registry.sqlite
Voicemails -
/mobile/Library/DeviceRegistry/<
GUID>/PreferencesSync/NanoDo
mains/com.apple.mobilephone
Records containing Phone
Numbers and paths to synced
voicemail files
BACKUP
Email -
/mobile/Library/DeviceRegistry/<
GUID>/NanoMail/registry.sqlite
Voicemails -
/mobile/Library/DeviceRegistry/<
GUID>/PreferencesSync/NanoDo
mains/com.apple.mobilephone
Records containing Phone
Numbers and paths to synced
voicemail files
APPLE WATCH
BACKUP -PASSBOOK
/mobile/Library/DeviceRegistry/<
GUID>/NanoPasses/nanopasses.sqli
te3
Pass table
Unique_ID
Type_ID(boarding pass, loyalty
pass)
Encoded pass (value/data)
BACKUP -PASSBOOK
/mobile/Library/DeviceRegistry/<
GUID>/NanoPasses/nanopasses.sqli
te3
Pass table
Unique_ID
Type_ID(boarding pass, loyalty
pass)
Encoded pass (value/data)
APPLE WATCH–BACKUP
APPLE HEALTH
Encrypted (.hfd) in password-protected
/ encrypted backups only
No data out of non-encrypted backup
Export in raw/plaintext
But take a time, we will back to Health
app soon
APPLE HEALTH
Encrypted (.hfd) in password-protected
/ encrypted backups only
No data out of non-encrypted backup
Export in raw/plaintext
But take a time, we will back to Health
app soon
APPLE WATCH
ACCESS ATTACK LOGIC
ACCESS ATTACK LOGIC
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
APPLE WATCH
SUMMARY
Apple Watch communicates via Bluetooth or Wi-Fi if BT is not available
Online communication (over Wi-Fi)
[iPhone apps iCloud] –prevents MITM, SSL Pinning
[Apple Watch iCloud] –prevents MITM , SSL Pinning
No way to install SSL to Apple Watch
Local data
Not many but jailbreaks are available
Backup still works to access the data
Wallet contains booking, card and other info
Apple Health app
Contains a lot of medical user data
Encrypted if backup is password- protected and out of backup otherwise
Contains non-encrypted basic medical user data and list of app-sources
SUMMARY
Apple Watch communicates via Bluetooth or Wi-Fi if BT is not available
Online communication (over Wi-Fi)
[iPhone apps iCloud] –prevents MITM, SSL Pinning
[Apple Watch iCloud] –prevents MITM , SSL Pinning
No way to install SSL to Apple Watch
Local data
Not many but jailbreaks are available
Backup still works to access the data
Wallet contains booking, card and other info
Apple Health app
Contains a lot of medical user data
Encrypted if backup is password- protected and out of backup otherwise
Contains non-encrypted basic medical user data and list of app-sources
WEARABLE TECH
SMARTWATCHES –ANDROID WATCH
Forensics: Physical, Logical, Network Acquisition
Screen Lock Bypassing Techniques
Root opportunities
Android wear app
SMARTWATCHES –ANDROID WATCH
Forensics: Physical, Logical, Network Acquisition
Screen Lock Bypassing Techniques
Root opportunities
Android wear app
ANDROID WATCH
FORENSICS OF WEARABLE TECH
Physical Acquisition
Logical Acquisition
Network Acquisition (omitted here)
FORENSICS OF WEARABLE TECH
Physical Acquisition
Logical Acquisition
Network Acquisition (omitted here)
ANDROID WATCH
IMAGING A SMARTWATCH DEVICE
The ADB tool should be used to image and explore the Android
smartwatch.
The ddcommand, ddif=/dev/block/mmcblk0p12
of=/sdcard/tmp.image can be used to copy the entire device to an
inserted SD card.
If time is a factor, investigators can copy specific directories by utilizing
the following commands:
DD if = /dev/block/mmcblk0p12/data of = /storage/extSdCard/data.dd
DD if = /dev/block/mmcblk0p8/cache of = /storage/extSdCard/cache.dd
DD if = /dev/block/mmcblk0p3/efsof = /storage/extSdCard/efs.dd
DD if = /dev/block/mmcblk0p09/system of = /storage/extSdCard/system.dd
IMAGING A SMARTWATCH DEVICE
The ADB tool should be used to image and explore the Android
smartwatch.
The ddcommand, ddif=/dev/block/mmcblk0p12
of=/sdcard/tmp.image can be used to copy the entire device to an
inserted SD card.
If time is a factor, investigators can copy specific directories by utilizing
the following commands:
DD if = /dev/block/mmcblk0p12/data of = /storage/extSdCard/data.dd
DD if = /dev/block/mmcblk0p8/cache of = /storage/extSdCard/cache.dd
DD if = /dev/block/mmcblk0p3/efsof = /storage/extSdCard/efs.dd
DD if = /dev/block/mmcblk0p09/system of = /storage/extSdCard/system.dd
ANDROID WATCH
BREACHING A LOCK SCREEN
GoogleaccountcredentialsisknownremoteunlockofconnectedwatchesviaGoogle’s
AndroidDeviceManager
Deleting/alteringthegesture.key&settings.dbfilestoremovethelockscreenentirely
adb.exeshell;cd/data/system; rmgesture.key
The“settings.db”filecontainssystemsettingsandcancausesystemwidechangesifmodified
updatesystemsetvalue=0
FlashingamodifiedROM/arebootinsafemode-toleverageathird-partylockscreen
Utilizeadbkeyandadbkey.pubfilesfromothercomputersthathavebeenpreviously
synchronizedwiththeexamineddevicetocreateatrustrelationshipwithanewdevice
/.android/<ADBkeys>-thosefilesareanSSHkey-pairthatallowmetomarkmy
computeras"trusted"tomyphone.
CopyofADBkeysstoredonsynchronizeddevicesinusers/<username>/.android
folders
BREACHING A LOCK SCREEN
GoogleaccountcredentialsisknownremoteunlockofconnectedwatchesviaGoogle’s
AndroidDeviceManager
Deleting/alteringthegesture.key&settings.dbfilestoremovethelockscreenentirely
adb.exeshell;cd/data/system; rmgesture.key
The“settings.db”filecontainssystemsettingsandcancausesystemwidechangesifmodified
updatesystemsetvalue=0
FlashingamodifiedROM/arebootinsafemode-toleverageathird-partylockscreen
Utilizeadbkeyandadbkey.pubfilesfromothercomputersthathavebeenpreviously
synchronizedwiththeexamineddevicetocreateatrustrelationshipwithanewdevice
/.android/<ADBkeys>-thosefilesareanSSHkey-pairthatallowmetomarkmy
computeras"trusted"tomyphone.
CopyofADBkeysstoredonsynchronizeddevicesinusers/<username>/.android
folders
ANDROID WATCHES
ROOT
Root:
5.1.1 -SuperSU-5.1.1.zip
https://supersu.apk.gold/android- 5.1.1
6.0.1 -SuperSU-6.0.1.zip https://supersu.apk.gold/android- 6.0.1
Wear 2.0 -SuperSU-Wear
Wear-SuperSU2.4 -
https://androidfilehost.com/?fid=24269982086990060
Recovery:
TWRP -https://eu.dl.twrp.me/bass/
5.1.1 twrp-3.1.0-0.img
6.0.1 иWear 2.0 twrp- 3.0.0-0.img
ROOT
Root:
5.1.1 -SuperSU-5.1.1.zip
https://supersu.apk.gold/android- 5.1.1
6.0.1 -SuperSU-6.0.1.zip https://supersu.apk.gold/android- 6.0.1
Wear 2.0 -SuperSU-Wear
Wear-SuperSU2.4 -
https://androidfilehost.com/?fid=24269982086990060
Recovery:
TWRP -https://eu.dl.twrp.me/bass/
5.1.1 twrp-3.1.0-0.img
6.0.1 иWear 2.0 twrp- 3.0.0-0.img
ANDROID WATCH
WEAR OS
TizenOS -Samsung
Android Wear OS
Asus Zenwatch, Huawei Watch, LG
Watch and many other
Many root tools & images for
Android Wear up to 2.0
Lack of tools for 2.1 and beyond
Wear app to access data
Android Wear VersionAndroidbaseversionReleasedate
4.4W1 4.4 June 2014
4.4W2 4.4 October 2014
1.0 5.0.1 December 2014
1.1 5.1.1 May 2015
1.3 5.1.1 August 2015
1.4 6.0.1 February2016
1.5 6.0.1 June 2016
2.0 7.1.1 Feb 2017
2.6 7.1.1 Nov 2017
2.6 7.1.1/8.0.0 Dec 2017
2.7 7.1.1/8.0.0 Dec 2017
2.8 7.1.1/8.0.0 Jan 2018
2.9 7.1.1/8.0.0 Feb2018
Wear OS Version Androidbaseversion Releasedate
1.0 7.1.1/8.0.0 Mar 2018
1.1 7.1.1/8.0.0 April 2018
1.2 7.1.1/8.0.0 May 2018
1.3 7.1.1/8.0.0 June 2018
1.4 7.1.1/8.0.0 July 2018
1.5 7.1.1/8.0.0 August 2018
1.6 7.1.1/8.0.0 September 2018
1.7 7.1.1/8.0.0 October 2018
2.0 7.1.1/8.0.0 August 2018
2.1 7.1.1/9.0.0 September 2018
WEAR OS
TizenOS -Samsung
Android Wear OS
Asus Zenwatch, Huawei Watch, LG
Watch and many other
Many root tools & images for
Android Wear up to 2.0
Lack of tools for 2.1 and beyond
Wear app to access data
Android Wear VersionAndroidbaseversionReleasedate
4.4W1 4.4 June 2014
4.4W2 4.4 October 2014
1.0 5.0.1 December 2014
1.1 5.1.1 May 2015
1.3 5.1.1 August 2015
1.4 6.0.1 February2016
1.5 6.0.1 June 2016
2.0 7.1.1 Feb 2017
2.6 7.1.1 Nov 2017
2.6 7.1.1/8.0.0 Dec 2017
2.7 7.1.1/8.0.0 Dec 2017
2.8 7.1.1/8.0.0 Jan 2018
2.9 7.1.1/8.0.0 Feb2018
Wear OS Version Androidbaseversion Releasedate
1.0 7.1.1/8.0.0 Mar 2018
1.1 7.1.1/8.0.0 April 2018
1.2 7.1.1/8.0.0 May 2018
1.3 7.1.1/8.0.0 June 2018
1.4 7.1.1/8.0.0 July 2018
1.5 7.1.1/8.0.0 August 2018
1.6 7.1.1/8.0.0 September 2018
1.7 7.1.1/8.0.0 October 2018
2.0 7.1.1/8.0.0 August 2018
2.1 7.1.1/9.0.0 September 2018
ANDROID WATCHES
SAMSUNG GEAR – ALL OF THEM (TIZEN)
TizenOS, Bluetooth, USB, No Wi-Fi, Optional Password
Protection
#1 Gain root:
turn on SDB ‘Smart Development Bridge‘,
find a ROM, uses Odin,
reboot to ‘download’ mode –hold down the main button through the
turn off prompt
Sdbshell, sdbroot
SAMSUNG GEAR – ALL OF THEM (TIZEN)
TizenOS, Bluetooth, USB, No Wi-Fi, Optional Password
Protection
#1 Gain root:
turn on SDB ‘Smart Development Bridge‘,
find a ROM, uses Odin,
reboot to ‘download’ mode –hold down the main button through the
turn off prompt
Sdbshell, sdbroot
ANDROID WATCHES
SAMSUNG GEAR –ALL OF THEM
#2 Get Data as an image:
Requires root (see step #1)
Use anything to image the watches, like a Toybox
http://landley.net/toybox/
adbpush toybox/sdcard/download
adbshell; su
mv /sdcard/download/toybox /dev/
chownroot:roottoybox;
chmod755 toybox
cd /dev/block/platform/msm_sdcc ; ls -al by-name
/* image partition with ddand pipe to netcat, -L puts netcatin listening mode */
ddif=/dev/block/mmcblk0p21 | ./toyboxnc-L
/* Port number being listened to on the watch displayed for user */
44477 port displayed
adbforward tcp:44867 tcp:44867
/* Send request to watch on port number 44867 and send it to image file */
nc127.0.0.1 44867 > Samsung.IMG
Here is a user partition
SAMSUNG GEAR –ALL OF THEM
#2 Get Data as an image:
Requires root (see step #1)
Use anything to image the watches, like a Toybox
http://landley.net/toybox/
adbpush toybox/sdcard/download
adbshell; su
mv /sdcard/download/toybox /dev/
chownroot:roottoybox;
chmod755 toybox
cd /dev/block/platform/msm_sdcc ; ls -al by-name
/* image partition with ddand pipe to netcat, -L puts netcatin listening mode */
ddif=/dev/block/mmcblk0p21 | ./toyboxnc-L
/* Port number being listened to on the watch displayed for user */
44477 port displayed
adbforward tcp:44867 tcp:44867
/* Send request to watch on port number 44867 and send it to image file */
nc127.0.0.1 44867 > Samsung.IMG
Here is a user partition
ANDROID WATCHES
SAMSUNG GEAR – ALL OF THEM
#3 Results:
Messages -apps.com.samsung.message.data.dbspace/msg-
consumer-server.db
Health/Fitness Data -apps.com.samsung.shealth/ shealth.db
Email -apps.com.samsung.wemail.data.dbspace/wemail.db
Contacts/Address book -dbspace/contacts-svc.db
SAMSUNG GEAR – ALL OF THEM
#3 Results:
Messages -apps.com.samsung.message.data.dbspace/msg-
consumer-server.db
Health/Fitness Data -apps.com.samsung.shealth/ shealth.db
Email -apps.com.samsung.wemail.data.dbspace/wemail.db
Contacts/Address book -dbspace/contacts-svc.db
ANDROID WATCHES
LG WATCH –ALL OF THEM
Android Wear, USB, Bluetooth, No Wi-Fi
#1. Gain Root: Turn on ADB, use LG G Watch Restore Tools, reboot to
bootloader & unlock it, and push image
adbreboot-bootloader
fastbootoemunlock
adbpush <SuperSU>.zip /sdcard/download
adbreboot-bootloader
fastbootboot <twrp>.img
Install <SuperSu>.zip, wait for reboot
LG WATCH –ALL OF THEM
Android Wear, USB, Bluetooth, No Wi-Fi
#1. Gain Root: Turn on ADB, use LG G Watch Restore Tools, reboot to
bootloader & unlock it, and push image
adbreboot-bootloader
fastbootoemunlock
adbpush <SuperSU>.zip /sdcard/download
adbreboot-bootloader
fastbootboot <twrp>.img
Install <SuperSu>.zip, wait for reboot
ANDROID WATCHES
LG WATCH –ALL OF THEM
#2 Get Data as an image:
Requires root (see step #1)
Use anything to image the watches, like a Toybox
http://landley.net/toybox/
adbpush toybox/sdcard/download
adbshell; su
mv /sdcard/download/toybox /dev/
chownroot:roottoybox;
chmod755 toybox
cd /dev/block/platform/msm_sdcc ; ls -al by-name
/* image partition with ddand pipe to netcat, -L puts netcatin listening mode */
ddif=/dev/block/mmcblk0p21 | ./toyboxnc-L
/* Port number being listened to on the watch displayed for user */
44477 port displayed
adbforward tcp:44867 tcp:44867
/* Send request to watch on port number 44867 and send it to image file */
nc127.0.0.1 44867 > LG.img
Here is a user partition
LG WATCH –ALL OF THEM
#2 Get Data as an image:
Requires root (see step #1)
Use anything to image the watches, like a Toybox
http://landley.net/toybox/
adbpush toybox/sdcard/download
adbshell; su
mv /sdcard/download/toybox /dev/
chownroot:roottoybox;
chmod755 toybox
cd /dev/block/platform/msm_sdcc ; ls -al by-name
/* image partition with ddand pipe to netcat, -L puts netcatin listening mode */
ddif=/dev/block/mmcblk0p21 | ./toyboxnc-L
/* Port number being listened to on the watch displayed for user */
44477 port displayed
adbforward tcp:44867 tcp:44867
/* Send request to watch on port number 44867 and send it to image file */
nc127.0.0.1 44867 > LG.img
Here is a user partition
ANDROID WATCHES
LG WATCH –ALL OF THEM
Results:
Events/Notifications -
data.com.android.providers.calendar.databases/calendar.db
Contacts/Address book -
data.com.android.providers.contacts.databases/contacts2.db
Health/Fitness Data -
data.com.google.android.apps.fitness.databases/pedometer.db
LG WATCH –ALL OF THEM
Results:
Events/Notifications -
data.com.android.providers.calendar.databases/calendar.db
Contacts/Address book -
data.com.android.providers.contacts.databases/contacts2.db
Health/Fitness Data -
data.com.google.android.apps.fitness.databases/pedometer.db
ANDROID WATCHES
ANDROID WEAR
Mobile device paired with all watches in this app
/com.samsung.android.app.watchmanager
/auto_update.xml -a timestamp of the day the Samsung Gear was last
updated.
/com.samsung.android.app.watchmanagerstub/shared
preferences/hmonlinehelppref.xml
/data/com.google.android.wearable.app/databases/ devices.db
list of devices using Android wear which listed the LG G Watch.
ANDROID WEAR
Mobile device paired with all watches in this app
/com.samsung.android.app.watchmanager
/auto_update.xml -a timestamp of the day the Samsung Gear was last
updated.
/com.samsung.android.app.watchmanagerstub/shared
preferences/hmonlinehelppref.xml
/data/com.google.android.wearable.app/databases/ devices.db
list of devices using Android wear which listed the LG G Watch.
ANDROID SMARTWATCHES
ACCESS ATTACK LOGIC
ACCESS ATTACK LOGIC
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
ANDROID WATCH
SUMMARY
Forensics
No forensics tools are NOT available for devices, such as Elcomsoft , Cellebrite
Forensics techniques are still available for devices
Forensics of wear-apps works too but no many useful data
Known techniques of breaking Android screenlockworks
OS
TizenOS -Samsung
Android Wear OS -Asus Zenwatch, Huawei Watch, LG Watch and many other
Root & Recovery
Many root tools & images for Android Wear up to 2.0
Lack of tools for 2.1 and beyond
SDB, ADB, Fastbook, OEM Unlock
Data
Contacts, Fitness, Health, Email –in the device
SUMMARY
Forensics
No forensics tools are NOT available for devices, such as Elcomsoft , Cellebrite
Forensics techniques are still available for devices
Forensics of wear-apps works too but no many useful data
Known techniques of breaking Android screenlockworks
OS
TizenOS -Samsung
Android Wear OS -Asus Zenwatch, Huawei Watch, LG Watch and many other
Root & Recovery
Many root tools & images for Android Wear up to 2.0
Lack of tools for 2.1 and beyond
SDB, ADB, Fastbook, OEM Unlock
Data
Contacts, Fitness, Health, Email –in the device
HUAWEI WEAR & HONOR BAND 3 -9C7
•Фоткибраслетаиприложения(ссылкинамагазины)
•Картинкинаспискивкруглыеформывставить??
•Фоткибраслетаиприложения(ссылкинамагазины)
•Картинкинаспискивкруглыеформывставить??
FITNESS TRACKERS
HUAWEI WEAR. HONOR BAND 3-9C7
Device Mac Address & Crash log: DevInfo, debug info -/Documents/hms /oclog/<crash>,<log>
Last Wear’s values: sleep (many params ), wakeup (many params), distance (steps, ride, climb,…), heart rate,
calories
Firmware: Path to locally stored firmware, URL to download firmware (HTTP !!! ), Change log, Options
Geo: Speed, Timestamp, Longitude, Latitude, Distance, Course, Duration, Altitude
User Info: Picture, Name, Birthday, Height, Weight, Gender, Age
Account Details: UDID, Security Token, UserID, SessionID
Bluetooth Keys
HUAWEI WEAR. HONOR BAND 3-9C7
Device Mac Address & Crash log: DevInfo, debug info -/Documents/hms /oclog/<crash>,<log>
Last Wear’s values: sleep (many params ), wakeup (many params), distance (steps, ride, climb,…), heart rate,
calories
Firmware: Path to locally stored firmware, URL to download firmware (HTTP !!! ), Change log, Options
Geo: Speed, Timestamp, Longitude, Latitude, Distance, Course, Duration, Altitude
User Info: Picture, Name, Birthday, Height, Weight, Gender, Age
Account Details: UDID, Security Token, UserID, SessionID
Bluetooth Keys
CRASH LOG: DEVINFO, DEBUG INFO -
/DOCUMENTS/HMS/OCLOG/CRASH
CRASH: *** -[__NSArrayMreplaceObjectAtIndex:withObject:]: index 9223372036854775815 beyond
bounds [0 .. 6]Stack Trace: ( 0 CoreFoundation 0x00000001834d317c
<redacted> + 148 1 libobjc.A.dylib 0x000000018271c528 objc_exception_throw+
56 2 CoreFoundation 0x000000018346bc9c _CFArgv+ 0 3
CoreFoundation 0x00000001833a0324 <redacted> + 0 4 HuaweiWear
0x0000000100319064 HuaweiWear+ 315492 5 HuaweiWear
0x000000010030ffdc HuaweiWear+ 278492 6 libdispatch.dylib
0x0000000182e52a54 <redacted> + 24 7 libdispatch.dylib
0x0000000182e52a14 <redacted> + 16 8 libdispatch.dylib
0x0000000182e5f698 <redacted> + 1016 9 CoreFoundation
0x000000018347b344 <redacted> + 12 10 CoreFoundation
0x0000000183478f20 <redacted> + 2012 11 CoreFoundation
0x0000000183398c58 CFRunLoopRunSpecific+ 43612 GraphicsServices
0x0000000185244f84 GSEventRunModal+ 100 13 UIKit 0x000000018caf15c4
UIApplicationMain+ 23614 HuaweiWear 0x00000001005b13f8 HuaweiWear+
3036152 15 libdyld.dylib 0x0000000182eb856c <redacted> + 4)iPhone:iPhone8,4
ClientVersion:21.0.12 OSVersion:11.2.6
/DOCUMENTS/HMS/OCLOG/CRASH
CRASH: *** -[__NSArrayMreplaceObjectAtIndex:withObject:]: index 9223372036854775815 beyond
bounds [0 .. 6]Stack Trace: ( 0 CoreFoundation 0x00000001834d317c
<redacted> + 148 1 libobjc.A.dylib 0x000000018271c528 objc_exception_throw+
56 2 CoreFoundation 0x000000018346bc9c _CFArgv+ 0 3
CoreFoundation 0x00000001833a0324 <redacted> + 0 4 HuaweiWear
0x0000000100319064 HuaweiWear+ 315492 5 HuaweiWear
0x000000010030ffdc HuaweiWear+ 278492 6 libdispatch.dylib
0x0000000182e52a54 <redacted> + 24 7 libdispatch.dylib
0x0000000182e52a14 <redacted> + 16 8 libdispatch.dylib
0x0000000182e5f698 <redacted> + 1016 9 CoreFoundation
0x000000018347b344 <redacted> + 12 10 CoreFoundation
0x0000000183478f20 <redacted> + 2012 11 CoreFoundation
0x0000000183398c58 CFRunLoopRunSpecific+ 43612 GraphicsServices
0x0000000185244f84 GSEventRunModal+ 100 13 UIKit 0x000000018caf15c4
UIApplicationMain+ 23614 HuaweiWear 0x00000001005b13f8 HuaweiWear+
3036152 15 libdyld.dylib 0x0000000182eb856c <redacted> + 4)iPhone:iPhone8,4
ClientVersion:21.0.12 OSVersion:11.2.6
HUAWEI WEAR – LAST VALUES
/DOCUMENTS/<*.ARCHIVER> FILES
<string>{
"sleepTotalData":{" shallowSleepTime":0,"totalSleepTime":0,"deepSlee
pTime":0,"wakeupTimes":0,"wakeupDuration":0,"type":0,"sleepStartTim
e":0},
"distance":3940,"lastHeartRate ":0,"steps":4623,"lastHRTimeStamp ":0,"
calories":216,"date ":1537867958.8875299,"totalClimb ":0,"daySport
Info":[]
}</string>
/DOCUMENTS/<*.ARCHIVER> FILES
<string>{
"sleepTotalData":{" shallowSleepTime":0,"totalSleepTime":0,"deepSlee
pTime":0,"wakeupTimes":0,"wakeupDuration":0,"type":0,"sleepStartTim
e":0},
"distance":3940,"lastHeartRate ":0,"steps":4623,"lastHRTimeStamp ":0,"
calories":216,"date ":1537867958.8875299,"totalClimb ":0,"daySport
Info":[]
}</string>
HUAWEI WEAR: FIRMWARE
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"fireWareMd5":"33E44F1B02292C8B9D00A5DEB91B72AB","firmwareDownloadFilePath":
"Nyx_1.5.35.bin.apk","identify ":"38:37:8B:B8:C9:C7","firmWareSize ":1410023,"deviceTyp
e":13,"workMode":2,"forceUpdateFlag":false,"netFirwareVersion":"1.5.35",
"firmwareLocalPath":"/var/mobile/Containers/Data/Application/9B666199- 342F-4897-
9577- 59B68F5CF40F/Documents/DownloadData/dfu_image_OTA.dfu_Nyx",
"changeLogContent":"[Optimizations]\nOptimizescalorie counting accuracy while
swimming.\ nFixesan issue where exercise sessions would suddenly exit due to accidental
touches.\nFixesan issue where fitness data would be occasionally cleared.\nOptimizesthe
TrusleepTMdata syncing speed on IOS.\n[Notes]\ n1. New features require that Huawei
Health APP is updated to version 8.0.1.302 or later for IOS, and 8.0.2.327 or later for
Android.\n2. Before updating, make sure the band is charged to at least 20%.\n","status":1,
"baseURL":"http://update.hicloud.com:8180/TDS/data/files/p7/s131/G3533/g3039/v1
55123/f1/"}
</string>
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"fireWareMd5":"33E44F1B02292C8B9D00A5DEB91B72AB","firmwareDownloadFilePath":
"Nyx_1.5.35.bin.apk","identify ":"38:37:8B:B8:C9:C7","firmWareSize ":1410023,"deviceTyp
e":13,"workMode":2,"forceUpdateFlag":false,"netFirwareVersion":"1.5.35",
"firmwareLocalPath":"/var/mobile/Containers/Data/Application/9B666199- 342F-4897-
9577- 59B68F5CF40F/Documents/DownloadData/dfu_image_OTA.dfu_Nyx",
"changeLogContent":"[Optimizations]\nOptimizescalorie counting accuracy while
swimming.\ nFixesan issue where exercise sessions would suddenly exit due to accidental
touches.\nFixesan issue where fitness data would be occasionally cleared.\nOptimizesthe
TrusleepTMdata syncing speed on IOS.\n[Notes]\ n1. New features require that Huawei
Health APP is updated to version 8.0.1.302 or later for IOS, and 8.0.2.327 or later for
Android.\n2. Before updating, make sure the band is charged to at least 20%.\n","status":1,
"baseURL":"http://update.hicloud.com:8180/TDS/data/files/p7/s131/G3533/g3039/v1
55123/f1/"}
</string>
HUAWEI WEAR: GEO, SPEED
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"speed":0.63999998569488525,"timestamp ":"2018- 06-
09T05:12:19+0300",
"longitude":41.512356810310401,"latitude ":52.571571199272356,
"totalDistance":0,"verticalAccuracy":4,
"course":10.546875,"duration":0,"distance":0,
"altitude":147.71790409088135,"distanceFilter":0,"horizontalAccuracy":5
}
</string>
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"speed":0.63999998569488525,"timestamp ":"2018- 06-
09T05:12:19+0300",
"longitude":41.512356810310401,"latitude ":52.571571199272356,
"totalDistance":0,"verticalAccuracy":4,
"course":10.546875,"duration":0,"distance":0,
"altitude":147.71790409088135,"distanceFilter":0,"horizontalAccuracy":5
}
</string>
HUAWEI WEAR: USER INFO
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"headImgLocal":"\/var\/mobile\/Containers \/Data\/Application\/
9B666199- 342F-4897- 9577-
59B68F5CF40F\/Documents \/temp_user\/temp_user.jpg",
"age":29,"unitType":0,"nameIsNil":false,"isDefault":true,
"weight":78,"userName ":"Yury Chemerkin","walkStepLen":77.28,
"birthday":19880605,"height ":184,"modifyTime":0,"runStepLen":92.7
36,"gender":0}
</string>
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"headImgLocal":"\/var\/mobile\/Containers \/Data\/Application\/
9B666199- 342F-4897- 9577-
59B68F5CF40F\/Documents \/temp_user\/temp_user.jpg",
"age":29,"unitType":0,"nameIsNil":false,"isDefault":true,
"weight":78,"userName ":"Yury Chemerkin","walkStepLen":77.28,
"birthday":19880605,"height ":184,"modifyTime":0,"runStepLen":92.7
36,"gender":0}
</string>
HUAWEI WEAR:
/DOCUMENTS/<*.ARCHIVER> FILES
Account
Account details stored in protected way
Device Mac Address
<string>deviceMacAddress</string>
<string>38:37:8B:B8:C9:C7</string>
Bluetooth Keys
/DOCUMENTS/<*.ARCHIVER> FILES
Account
Account details stored in protected way
Device Mac Address
<string>deviceMacAddress</string>
<string>38:37:8B:B8:C9:C7</string>
Bluetooth Keys
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User goals
Device details
User measures
m_7_DataSourceTable_temp_user
m_7_FitnessMergedDataTable_temp_user
m_14_FineSleepDayMergeTable_temp_user
m_7_MotionGoalTable_temp_user
/DOCUMENTS/<WEAR*.DB> FILES
User goals
Device details
User measures
m_7_DataSourceTable_temp_user
m_7_FitnessMergedDataTable_temp_user
m_14_FineSleepDayMergeTable_temp_user
m_7_MotionGoalTable_temp_user
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User measures
m_14_HeartRateByDay_temp_user
m_14_SportDataByDay_temp_user
m_133_MotionPathDetail_temp_user
m_7_MotionGoalTable_temp_user
/DOCUMENTS/<WEAR*.DB> FILES
User measures
m_14_HeartRateByDay_temp_user
m_14_SportDataByDay_temp_user
m_133_MotionPathDetail_temp_user
m_7_MotionGoalTable_temp_user
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User measures
m_133_SingleMovementStatistic_temp_user
m_133_SingleMovement_temp_user
/DOCUMENTS/<WEAR*.DB> FILES
User measures
m_133_SingleMovementStatistic_temp_user
m_133_SingleMovement_temp_user
HUAWEI HONOR
SUMMARY
Local data
Credentials is protected
Personal and medical info –plaintext / as it
Communication
Local –encrypted
Online –SSL Pinning for all possible connections, registration,
login and synchronization
SUMMARY
Local data
Credentials is protected
Personal and medical info –plaintext / as it
Communication
Local –encrypted
Online –SSL Pinning for all possible connections, registration,
login and synchronization
XIAOMI MIBAND 2 & MI FIT
Online communication
AWS storages in Ireland (EU) mainly, secondary US
TLS 1.2, No SSL Pinning
Local data
Action Log with detailsincl. URLs
https://api-mifit.huawei.com/v1/user/manualData.json?r=f8a9d00c3433&t= 1512648130831
https://api-
mifit.huawei.com/users/70000054661/heartRate?r=f8a9d00c3433&t=1512648130848
https://api-mifit.huawei.com/v1/data/band_data.json?r=f8a9d00c3433&t= 1512648130805
Online communication
AWS storages in Ireland (EU) mainly, secondary US
TLS 1.2, No SSL Pinning
Local data
Action Log with detailsincl. URLs
https://api-mifit.huawei.com/v1/user/manualData.json?r=f8a9d00c3433&t= 1512648130831
https://api-
mifit.huawei.com/users/70000054661/heartRate?r=f8a9d00c3433&t=1512648130848
https://api-mifit.huawei.com/v1/data/band_data.json?r=f8a9d00c3433&t= 1512648130805
FITNESS APPS
ROAD BIKE, MOUNTAIN BIKE, …
GPS Data: longitude, latitude, altitude, accuracy, distanceInMeter,
upward/downward (meters), timestamp local, timestamp gps
Session Data: timestamp (start, end), distance, duration, avg& max
speed, upward/downward, heartZonevalues (need special device)
Speed Data: timestamp, speed, duration, distance
User Data: email, password, weight, height, gender, name, birthday
ROAD BIKE, MOUNTAIN BIKE, …
GPS Data: longitude, latitude, altitude, accuracy, distanceInMeter,
upward/downward (meters), timestamp local, timestamp gps
Session Data: timestamp (start, end), distance, duration, avg& max
speed, upward/downward, heartZonevalues (need special device)
Speed Data: timestamp, speed, duration, distance
User Data: email, password, weight, height, gender, name, birthday
FITNESS APPS
DOCUMENTS\DATABASE.SQLITE3
Where to search data:
GPS & location
HeartRate(requires special devices)
Session Data
Speed
User Data
DOCUMENTS\DATABASE.SQLITE3
Where to search data:
GPS & location
HeartRate(requires special devices)
Session Data
Speed
User Data
FITNESS APPS
LOCATION, MAPS AND USER INFO
Location and geo snapshots -
Documents\MapOpenCycleMap.sqlite
User info -Documents\database.sqlite3
LOCATION, MAPS AND USER INFO
Location and geo snapshots -
Documents\MapOpenCycleMap.sqlite
User info -Documents\database.sqlite3
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
FITNESS TRACKERS
SUMMARYAMONG TRACKERS & APPS
Local data
Credentials is usually protected
Personal and medical info –plaintext / as it
Communication
Local –encrypted
Online –SSL Pinning for all possible connections
SUMMARYAMONG TRACKERS & APPS
Local data
Credentials is usually protected
Personal and medical info –plaintext / as it
Communication
Local –encrypted
Online –SSL Pinning for all possible connections
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security & Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security & Tips
6. Risk
Management
APPLE HEALTHСЮДАКАРТИНКИ
УСТРОЙСТВ
УСТРОЙСТВ
HEALTHCARE
APPLE HEALTH
Valuable data encrypted and no public cracks is known
Small amount of data not encrypted in backup
List of app-sources (look here for non-encrypted original data)
However, secure built-in app-aggregator does not mean other app is a
secure in the same way ofcnot
APPLE HEALTH
Valuable data encrypted and no public cracks is known
Small amount of data not encrypted in backup
List of app-sources (look here for non-encrypted original data)
However, secure built-in app-aggregator does not mean other app is a
secure in the same way ofcnot
APPLE HEALTH
WHERE TO FIND DATA?
HealthDomain\MedicalID\MedicalIDData.archive
HealthDomain\Health\healthdb.sqlite
HealthDomain\Health\healthdb_secure.sqlite
HealthDomain\Health\healthdb_secure.hfd
Exported Raw Data –any place chosen by user
WHERE TO FIND DATA?
HealthDomain\MedicalID\MedicalIDData.archive
HealthDomain\Health\healthdb.sqlite
HealthDomain\Health\healthdb_secure.sqlite
HealthDomain\Health\healthdb_secure.hfd
Exported Raw Data –any place chosen by user
APPLE HEALTH
DATA IN DETAILS
Name, User Pic, height (in cm), and mass (in kg)
Geo Tracking (Mainland/City), iOS version
Device Info: UDID, Name, Last connection time
Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
Medical implants
DATA IN DETAILS
Name, User Pic, height (in cm), and mass (in kg)
Geo Tracking (Mainland/City), iOS version
Device Info: UDID, Name, Last connection time
Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
Medical implants
APPLE HEALTH
HEALTHDOMAIN\MEDICALID\MEDICALIDDA
TA.ARCHIVE
Name Height Weight Medical implants
HEALTHDOMAIN\MEDICALID\MEDICALIDDA
TA.ARCHIVE
Name Height Weight Medical implants
APPLE HEALTH
HEALTHDOMAIN\ HEALTH\HEALTHDB.SQLITE
Bundle_id, app_name
Device name, device model, vendor, hardware and software, timestamp
HEALTHDOMAIN\ HEALTH\HEALTHDB.SQLITE
Bundle_id, app_name
Device name, device model, vendor, hardware and software, timestamp
APPLE HEALTH
HEALTHDOMAIN\HEALTH\HEALTHDB_SE
CURE.SQLITE
HEALTHDOMAIN\HEALTH\HEALTHDB_SE
CURE.SQLITE
APPLE HEALTH
RAW EXPORT
Recorded by the any Apple Devices & accessed through the Health App.
Detailed activity log with timestamps
Data can be exported in .xml file format without encryption (!) and
even without encrypting of zip file
Extracted data can be stored anywhere
RAW EXPORT
Recorded by the any Apple Devices & accessed through the Health App.
Detailed activity log with timestamps
Data can be exported in .xml file format without encryption (!) and
even without encrypting of zip file
Extracted data can be stored anywhere
APPLE HEALTH -RAW EXPORT
PERSONAL, FITNESS, MEDICAL INFO
Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
Heart rate data (in count/min) or beats-per-minute (BPM)
Steps, distance covered (in km), active energy burned (in kJ), and exercise time (in mins)
Blood Pressure Diastolic, Systolic
The exact activity log time (creationDate), and activity start and end times (startDate, endDate)
XML Parser (Free): https://github.com/tdda/applehealthdata
PERSONAL, FITNESS, MEDICAL INFO
Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
Heart rate data (in count/min) or beats-per-minute (BPM)
Steps, distance covered (in km), active energy burned (in kJ), and exercise time (in mins)
Blood Pressure Diastolic, Systolic
The exact activity log time (creationDate), and activity start and end times (startDate, endDate)
XML Parser (Free): https://github.com/tdda/applehealthdata
APPLE HEALTH -RAW EXPORT
IN EXAMPLES & DETAILS
IN EXAMPLES & DETAILS
APPLE HEALTH -RAW EXPORT
IN EXAMPLES & DETAILS
IN EXAMPLES & DETAILS
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
HEALTHCARE
SUMMARY
Apple Health App is good protected
Basic info -Date of birth, sex, blood group, skin type,
height (in cm), and mass (in kg)
Exported data is not protected at all
List of app sources & these app’s data is not
protected well
SUMMARY
Apple Health App is good protected
Basic info -Date of birth, sex, blood group, skin type,
height (in cm), and mass (in kg)
Exported data is not protected at all
List of app sources & these app’s data is not
protected well
PICOOCMINI (BT) –
BODY COMPOSITION SMART SCALE
•Vertical fat index, body fat
Fat indexes
•Body weight, bone mass, muscle, skeletal muscle
Mass
•BMR, body water, protein, Metabolic Age
Productivity
•Tracking changes, charts, reports
Delta
BODY COMPOSITION SMART SCALE
•Vertical fat index, body fat
Fat indexes
•Body weight, bone mass, muscle, skeletal muscle
Mass
•BMR, body water, protein, Metabolic Age
Productivity
•Tracking changes, charts, reports
Delta
PICOOCMINI (BT) –
BODY COMPOSITION SMART SCALE
BT Logs: Peripheral Info of nearby devices, and mac of itself (picoocscaler)
Body scale values: body, muscles, productivity, date & time, device mac
Dev Info: Mac, model name, user ID, Device Picture
Friends info: name, account_id, user_id, phone_id, sex (have to have them as PICOOC users)
User Info: nick name , userID , height, age, sex, race, type
Sensor values: time, age, OS, race, type, screen size, mobile device info model, environment, language
Preferences: Local Password, Unlocking method, last active day
BODY COMPOSITION SMART SCALE
BT Logs: Peripheral Info of nearby devices, and mac of itself (picoocscaler)
Body scale values: body, muscles, productivity, date & time, device mac
Dev Info: Mac, model name, user ID, Device Picture
Friends info: name, account_id, user_id, phone_id, sex (have to have them as PICOOC users)
User Info: nick name , userID , height, age, sex, race, type
Sensor values: time, age, OS, race, type, screen size, mobile device info model, environment, language
Preferences: Local Password, Unlocking method, last active day
PICOOC BT LOGS
PICOOC\DOCUMENTS\BLUETOOTHLOG.TEXT
DISCOVER INDIRECTLY WHAT DEVICES DOES YOUR NEIGHBORS HAVE
扫描到设备 –means “Device scanning”
04-14 13:31:36:003 .扫描到设备 name:PeripheralInfo:Name: [TV]
Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A -
45F9DDB731D6 ----.
04-14 13:31:36:453 .扫描到设备 name:PeripheralInfo:Name: honor band
A1 RSSI: -84 UUID: 626E22D2-AE05-4695-A0D3 -0099CF82DF96 ----.
04-14 13:31:37:408 .扫描到设备 name:PeripheralInfo:Name: PICOOC-CQ
RSSI: -66 UUID: 8C8E3EDA-7B8C-189F-3865-0A3B9B2C5744 ----.
info.macAddress= D0:49:00:1D:87:8A
PICOOC\DOCUMENTS\BLUETOOTHLOG.TEXT
DISCOVER INDIRECTLY WHAT DEVICES DOES YOUR NEIGHBORS HAVE
扫描到设备 –means “Device scanning”
04-14 13:31:36:003 .扫描到设备 name:PeripheralInfo:Name: [TV]
Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A -
45F9DDB731D6 ----.
04-14 13:31:36:453 .扫描到设备 name:PeripheralInfo:Name: honor band
A1 RSSI: -84 UUID: 626E22D2-AE05-4695-A0D3 -0099CF82DF96 ----.
04-14 13:31:37:408 .扫描到设备 name:PeripheralInfo:Name: PICOOC-CQ
RSSI: -66 UUID: 8C8E3EDA-7B8C-189F-3865-0A3B9B2C5744 ----.
info.macAddress= D0:49:00:1D:87:8A
PICOOC BT LOGS
PICOOC\DOCUMENTS\BLUETOOTHLOG.TEXT
04-14 13:31:36:003 .扫描到设备 name:PeripheralInfo:Name: [TV] Samsung 6
Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687 -7E2A-45F9DDB731D6 ----
Connect a Galaxy S7 to your Samsung TV with Bluetoothto have a fun and
spread your content
TV with enabled Bluetooth & Samsung Galaxy S7
Open the notification pane on your handset.
Select Quick Connect and then Scan for nearby devices
Select Register TV, Tap the new icon with a TV and an arrow
Tap the Share button and then Smart Viewto play any media you play
on your phone on the TV
PICOOC\DOCUMENTS\BLUETOOTHLOG.TEXT
04-14 13:31:36:003 .扫描到设备 name:PeripheralInfo:Name: [TV] Samsung 6
Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687 -7E2A-45F9DDB731D6 ----
Connect a Galaxy S7 to your Samsung TV with Bluetoothto have a fun and
spread your content
TV with enabled Bluetooth & Samsung Galaxy S7
Open the notification pane on your handset.
Select Quick Connect and then Scan for nearby devices
Select Register TV, Tap the new icon with a TV and an arrow
Tap the Share button and then Smart Viewto play any media you play
on your phone on the TV
BODY VALUES
PICOOC\DOCUMENTS\PICOOC.SQLITE
CREATE TABLE `body_indexs` (
`id`
`weight`
`body_fat`
`visceral_fat_level`
`muscle_race`
`body_age`
`bone_mass`
`basic_metabolism`
`bmi`
`local_time`
`water_race`
`abnormal`
`day_intValue`
`time_period`
`electric_resistance`
`mac`
`body_fat_reference_value`
`skeletal_muscle`);
PICOOC\DOCUMENTS\PICOOC.SQLITE
CREATE TABLE `body_indexs` (
`id`
`weight`
`body_fat`
`visceral_fat_level`
`muscle_race`
`body_age`
`bone_mass`
`basic_metabolism`
`bmi`
`local_time`
`water_race`
`abnormal`
`day_intValue`
`time_period`
`electric_resistance`
`mac`
`body_fat_reference_value`
`skeletal_muscle`);
PICOOC
DEVICE AND PREFERENCES
Dev Info -picooc\documents\picooc.sqlite
Preferences -picooc\Library\Preferences\com.picooc.international.plist
<key>PasswordLockType</key>
<integer>2</integer>
<key>PasswordNumherLockContnet</key>
<string>7124</string>
<key>currendDay</key>
<string>20180922</string>
<key>kStartupUserIdKey</key>
<integer>4611483</integer>
DEVICE AND PREFERENCES
Dev Info -picooc\documents\picooc.sqlite
Preferences -picooc\Library\Preferences\com.picooc.international.plist
<key>PasswordLockType</key>
<integer>2</integer>
<key>PasswordNumherLockContnet</key>
<string>7124</string>
<key>currendDay</key>
<string>20180922</string>
<key>kStartupUserIdKey</key>
<integer>4611483</integer>
USER BASIC INFO –MAIN USER
PICOOC\DOCUMENTS\PLISTFILE\USERINFO.PLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plistPUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plistversion="1.0">
<dict>
<key>nickName</key>
<string>Yury Chemerkin</string>
</dict>
</plist>
PICOOC\DOCUMENTS\PLISTFILE\USERINFO.PLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plistPUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plistversion="1.0">
<dict>
<key>nickName</key>
<string>Yury Chemerkin</string>
</dict>
</plist>
USER EXTENDED INFO – LAST ADDED USER ONLY
PICOOC\LIBRARY\SENSORSANALYTICS-
SUPER_PROPERTIES.PLIST
current_age_characteristic
current_role_is_athlete
current_role_height
current_language
current_role_age
current_role_sex
app_type
time_zone
current_role_race
current_role_type
3
false
178
英语
58
男
PICOOC国际版
Europe/Moscow
白
使用者
As is
As is
As is
English
As is
Man
PICOOC Worldwide
Version
As is
White
User
PICOOC\LIBRARY\SENSORSANALYTICS-
SUPER_PROPERTIES.PLIST
current_age_characteristic
current_role_is_athlete
current_role_height
current_language
current_role_age
current_role_sex
app_type
time_zone
current_role_race
current_role_type
3
false
178
英语
58
男
PICOOC国际版
Europe/Moscow
白
使用者
As is
As is
As is
English
As is
Man
PICOOC Worldwide
Version
As is
White
User
PICOOC SENSOR VALUES
PICOOC\LIBRARY\SENSORSANALYTICS-
MESSAGE-V2.PLIST.DB
•{"time":1537632555035,"_track_id":2682421375,"event":"$AppStart","distinct_id":"9144
339","properties":{"current_role_age":30,"$os":"iOS","current_role_race":"白
","current_role_type":"主角色
","current_role_is_athlete":false,"$screen_width":320,"event_type":"1","$app_version":"3.6.
1","current_age_characteristic":3,"$is_first_day":false,"$ model":"iPhone8,4","$device_id":"E
C640161- EC87-4A90-AD99- 5B29A3F86700","$ network_type":"WIFI","$carrier":"Mobile
TeleSystems","$resume_from_background":true,"$wifi":true,"current_role_height":184,"curren
t_language":"英语","$ screen_height":568,"app_type":"PICOOC国际版
","time_zone":"Europe\/Moscow","$lib_version":"1.9.3 ","$os_version":"12.0","$is_first_time":
false,"$lib":"iOS","$manufacturer":"Apple","current_role_sex":"男
","current_role_id":"9144339"},"type":"track","lib ":{"$lib_version":"1.9.3 ","$lib":"iOS","$app
_version":"3.6.1 ","$lib_method":"code"}}
PICOOC\LIBRARY\SENSORSANALYTICS-
MESSAGE-V2.PLIST.DB
•{"time":1537632555035,"_track_id":2682421375,"event":"$AppStart","distinct_id":"9144
339","properties":{"current_role_age":30,"$os":"iOS","current_role_race":"白
","current_role_type":"主角色
","current_role_is_athlete":false,"$screen_width":320,"event_type":"1","$app_version":"3.6.
1","current_age_characteristic":3,"$is_first_day":false,"$ model":"iPhone8,4","$device_id":"E
C640161- EC87-4A90-AD99- 5B29A3F86700","$ network_type":"WIFI","$carrier":"Mobile
TeleSystems","$resume_from_background":true,"$wifi":true,"current_role_height":184,"curren
t_language":"英语","$ screen_height":568,"app_type":"PICOOC国际版
","time_zone":"Europe\/Moscow","$lib_version":"1.9.3 ","$os_version":"12.0","$is_first_time":
false,"$lib":"iOS","$manufacturer":"Apple","current_role_sex":"男
","current_role_id":"9144339"},"type":"track","lib ":{"$lib_version":"1.9.3 ","$lib":"iOS","$app
_version":"3.6.1 ","$lib_method":"code"}}
PICOOC
MITM -NOT SSL-PINNED
•Profile URL (public accessible)
https://cdn2.picooc.com/head/201810/03/20181003_181034000_50589.png
•Request URL - https://api2.picooc-
int.com/v1/api/role/updateRole?sign=3DCE33B1B07E4639394F555F1D95C623&urlOfGetReque
st=https://api2.picooc-
int.com/v1/api&roleId=9144339×tamp=1538579449&version=i3.6.1&appver=i3.6.1.0&re
questByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_to
ken=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&devi
ce_id=EC640161-EC87-4A90-AD99 -5B29A3F86700&device_mac=&method=update_role&
•Same URL (public accessible)
https://picoocheadportrait.oss-cn-
beijing.aliyuncs.com/head%2F201810%2F03%2F20181003_181034000_50589.png
•Request URL - https://picoocheadportrait.oss-cn -beijing.aliyuncs.com
MITM -NOT SSL-PINNED
•Profile URL (public accessible)
https://cdn2.picooc.com/head/201810/03/20181003_181034000_50589.png
•Request URL - https://api2.picooc-
int.com/v1/api/role/updateRole?sign=3DCE33B1B07E4639394F555F1D95C623&urlOfGetReque
st=https://api2.picooc-
int.com/v1/api&roleId=9144339×tamp=1538579449&version=i3.6.1&appver=i3.6.1.0&re
questByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_to
ken=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&devi
ce_id=EC640161-EC87-4A90-AD99 -5B29A3F86700&device_mac=&method=update_role&
•Same URL (public accessible)
https://picoocheadportrait.oss-cn-
beijing.aliyuncs.com/head%2F201810%2F03%2F20181003_181034000_50589.png
•Request URL - https://picoocheadportrait.oss-cn -beijing.aliyuncs.com
PICOOC
MITM -NOT SSL-PINNED
https://api2.picooc-int.com
GET /v1/api/email/getVerifyStatus?appver=i3.6.1.0&device_id=EC640161 -EC87-4A90-AD99 -
5B29A3F86700&device_mac=&lang=en&method=meishayong&os=iOS&push_token =iOS%3A%3AEC640161-
EC87-4A90-AD99 -
5B29A3F86700&roleId=9144339&sex=1&sign=5FB8BF2A5A7664591ECFFC52F5810E84&stimezone=Europe
/Moscow×tamp=1538579363&userId=4611483&verifyUserId=4611483&version=i3.6.1&webver=6
HTTP/1.1
MITM -NOT SSL-PINNED
https://api2.picooc-int.com
GET /v1/api/email/getVerifyStatus?appver=i3.6.1.0&device_id=EC640161 -EC87-4A90-AD99 -
5B29A3F86700&device_mac=&lang=en&method=meishayong&os=iOS&push_token =iOS%3A%3AEC640161-
EC87-4A90-AD99 -
5B29A3F86700&roleId=9144339&sex=1&sign=5FB8BF2A5A7664591ECFFC52F5810E84&stimezone=Europe
/Moscow×tamp=1538579363&userId=4611483&verifyUserId=4611483&version=i3.6.1&webver=6
HTTP/1.1
PICOOC
MITM -NOT SSL-PINNED
https://api2.picooc-
int.com/v1/api/role/updateRole?sign=2A082A983A3238FBEA7B66AEBF88B706&urlOfGetRequest=https://ap
i2.picooc-
int.com/v1/api&roleId=9144339×tamp=1538580721&version=i3.6.1&appver=i3.6.1.0&requestByChildT
hread=0&os=iOS&userId=4611483 &lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677b
e79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87 -4A90-AD99 -
5B29A3F86700&device_mac=&method=update_role&
MITM -NOT SSL-PINNED
https://api2.picooc-
int.com/v1/api/role/updateRole?sign=2A082A983A3238FBEA7B66AEBF88B706&urlOfGetRequest=https://ap
i2.picooc-
int.com/v1/api&roleId=9144339×tamp=1538580721&version=i3.6.1&appver=i3.6.1.0&requestByChildT
hread=0&os=iOS&userId=4611483 &lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677b
e79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87 -4A90-AD99 -
5B29A3F86700&device_mac=&method=update_role&
PICOOC
MITM -NOT SSL-PINNED
https://api2.picooc-
int.com/v1/api/account/updateUserPa
ssword?sign=41EE8 B396970992A 85E
9259B134B96BE&urlOfGetRequest=ht
tps://api2.picooc-
int.com/v1/api&roleId=9144339&tim
estamp=1538581202&version=i 3.6.1
&appver=i3.6.1.0&requestByChildThre
ad=0&os=iOS&userId=4611483&lan
g=en&timezone=Europe/Moscow&pus
h_token=iOS::019290ade 677be79f5f
bded930b 2435fa 81eef103d893471
08e265c 0cd984cf2&device_id=EC64
0161- EC87-4A90-AD99-
5B29A3F86700&device_mac=&metho
d=update_user_password&
MITM -NOT SSL-PINNED
https://api2.picooc-
int.com/v1/api/account/updateUserPa
ssword?sign=41EE8 B396970992A 85E
9259B134B96BE&urlOfGetRequest=ht
tps://api2.picooc-
int.com/v1/api&roleId=9144339&tim
estamp=1538581202&version=i 3.6.1
&appver=i3.6.1.0&requestByChildThre
ad=0&os=iOS&userId=4611483&lan
g=en&timezone=Europe/Moscow&pus
h_token=iOS::019290ade 677be79f5f
bded930b 2435fa 81eef103d893471
08e265c 0cd984cf2&device_id=EC64
0161- EC87-4A90-AD99-
5B29A3F86700&device_mac=&metho
d=update_user_password&
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
PICOOC
SUMMARY
Body indexes and changes day-by-day
Fat indexes, Mass
Productivity, Delta
Dev Info, Friends results, User data
Network
Data stored on Alibaba servers
Profile, Device Info, Credentials, additionally passwon pass-change tab
Bonus: Bluetooth scanner of near located devices
Preferences: Local Password, Unlocking method, last active day
SUMMARY
Body indexes and changes day-by-day
Fat indexes, Mass
Productivity, Delta
Dev Info, Friends results, User data
Network
Data stored on Alibaba servers
Profile, Device Info, Credentials, additionally passwon pass-change tab
Bonus: Bluetooth scanner of near located devices
Preferences: Local Password, Unlocking method, last active day
~30 mHEALTHAPPS
Google Fit
MyFitnessPal
RunKeeper-GPS
Nike+ Running
WebMD
Blood Pressure (BP) Watch
Water Your Body
Instant Heart Rate
Drugs.com Medication Guide
RuntasticPedometer
NoomWalk Pedometer: Fitness
StravaRunning and Cycling GPS
Bleep Fitness Test
Fitness Buddy: 300+ Exercises
BodySpace- Social Fitness
Walk with Map My Walk
EndomondoRunning Cycling Walking
FitNotes–gym Workout Log
Period Calendar
Period Tracker
My Pregnancy Today
My Baby Today
Calorie Counter by FatSecret
MyNetDiaryCalorie Counter PRO
My Diet Diary Calorie Counter
Calories! Basic –calcounter
Calorie Counter
Lifesum-Calorie Counter
User credentials and pins
Personal details of users
User activities
User location
Activity timestamps
Images
Google Fit
MyFitnessPal
RunKeeper-GPS
Nike+ Running
WebMD
Blood Pressure (BP) Watch
Water Your Body
Instant Heart Rate
Drugs.com Medication Guide
RuntasticPedometer
NoomWalk Pedometer: Fitness
StravaRunning and Cycling GPS
Bleep Fitness Test
Fitness Buddy: 300+ Exercises
BodySpace- Social Fitness
Walk with Map My Walk
EndomondoRunning Cycling Walking
FitNotes–gym Workout Log
Period Calendar
Period Tracker
My Pregnancy Today
My Baby Today
Calorie Counter by FatSecret
MyNetDiaryCalorie Counter PRO
My Diet Diary Calorie Counter
Calories! Basic –calcounter
Calorie Counter
Lifesum-Calorie Counter
User credentials and pins
Personal details of users
User activities
User location
Activity timestamps
Images
~30 mHEALTHAPPS
MYFITNESSPAL
User profile Pics com.myfitnesspal.android/cache/Picasso-cache
User profile Pics /sdcard /
/data/data/com.myfitnesspal.android/databases/myfitnesspal.db
User details including time zone, gender, date of birth and email
-in tables <user_properties, users> -see a pic
User profile pictures - in table <images>
User personal notes -in table <diary_notes>
User records of exercises, food habits and personal measurements - in tables
<exercise_entries; exercises; food_entries; foods; measurement_types;
measurements>
User last synched items with the server -in table <last_sync_pointers>
User food search history - in table <search_history>
MYFITNESSPAL
User profile Pics com.myfitnesspal.android/cache/Picasso-cache
User profile Pics /sdcard /
/data/data/com.myfitnesspal.android/databases/myfitnesspal.db
User details including time zone, gender, date of birth and email
-in tables <user_properties, users> -see a pic
User profile pictures - in table <images>
User personal notes -in table <diary_notes>
User records of exercises, food habits and personal measurements - in tables
<exercise_entries; exercises; food_entries; foods; measurement_types;
measurements>
User last synched items with the server -in table <last_sync_pointers>
User food search history - in table <search_history>
~30 mHEALTHAPPS
RUNKEEPER
User profile Pics / fitnesskeeper.runkeeper.pro /cache/Picasso-cache
/ fitnesskeeper.runkeeper.pro /databases/RunKeeper.sqlite
User details including activities, trips
Trips deleted by user - in table <deleted_trips>
Activities posted by user - in table <feed>
List of user’s friends -in table <friends>
Images uploaded during trips by user -in table <status_updates>
User settings for each trip -in table <trip_settings>
Places visited during all the trips -in table <points>
Information about each trip -in table <trips>
More tables
The points table is to locate the map coordinates of a user’s route
RUNKEEPER
User profile Pics / fitnesskeeper.runkeeper.pro /cache/Picasso-cache
/ fitnesskeeper.runkeeper.pro /databases/RunKeeper.sqlite
User details including activities, trips
Trips deleted by user - in table <deleted_trips>
Activities posted by user - in table <feed>
List of user’s friends -in table <friends>
Images uploaded during trips by user -in table <status_updates>
User settings for each trip -in table <trip_settings>
Places visited during all the trips -in table <points>
Information about each trip -in table <trips>
More tables
The points table is to locate the map coordinates of a user’s route
~30 mHEALTHAPPS
PERIOD CALENDAR
•Personal info –/data/data/ fitnesskeeper.runkeeper.pro
/databases/PC.db. Tables
•User -List of the users with passwords (Plaintext passwords, secret questions
and answers)
•Period -Period start time and length of users
•Note -Diary notes inserted by users
•Personal info –/data/data/ fitnesskeeper.runkeeper.pro
/databases/PC_PILL.db. Tables
•pill -Pills used by users including date and time
•pill_record-Details about the pills
PERIOD CALENDAR
•Personal info –/data/data/ fitnesskeeper.runkeeper.pro
/databases/PC.db. Tables
•User -List of the users with passwords (Plaintext passwords, secret questions
and answers)
•Period -Period start time and length of users
•Note -Diary notes inserted by users
•Personal info –/data/data/ fitnesskeeper.runkeeper.pro
/databases/PC_PILL.db. Tables
•pill -Pills used by users including date and time
•pill_record-Details about the pills
~30 MEDICAL/FITNESS/HEALTH APPS
Usercredentials: Appsmayrequireuserstologinusingtheirusercredentials(e.g.usernameand
password,PIN,andauthenticationtokens)inordertousetheapps.Therefore,usercredentialsshouldbe
anartefactthatforensicinvestigatorsseektolocateduringtheappforensicprocess(e.g.determine
whetherthecredentialsarestoredinandcanberecoveredfromtheapp’sdatabases).
Userpersonaldetails:Userpersonaldetailsincludename,gender,dateofbirth,emailaddress,height,
weightandotherpersonaldatawouldbehelpfulforforensicinvestigatorstopositivelyidentifytheapp
ordeviceusers.
Useractivities:ThemHealthappsrequireuserstoentertheirday-to-dayfoodhabit,healthconditions,
activityorexercisedetails,diagnosisdetails,medicationdetailsandsymptomdetails,etc.
Userlocation:Fitnessappsallowuserstokeeptrackoftheirexercise,running,jogging,cyclingandother
activities.Theseappsgenerallystorethegeographicalcoordinatesoftheuserlocationduringthese
activitieswhichcanprovideusefulevidencetotheinvestigators.
Activitytimestamps:Anotherimportantartefactisthetimestampoftheuseractivity.Forexample,linking
activitytimestampswithcorrespondinguserlocations(e.g.geographicalcoordinates)andotherrelevant
information(e.g.CCTVfeeds)wouldprovideusefulinformationinaninvestigation.
Images:Thisartefactincludesprofileimages,andimagestakenandpostedfromalocation.
Usercredentials: Appsmayrequireuserstologinusingtheirusercredentials(e.g.usernameand
password,PIN,andauthenticationtokens)inordertousetheapps.Therefore,usercredentialsshouldbe
anartefactthatforensicinvestigatorsseektolocateduringtheappforensicprocess(e.g.determine
whetherthecredentialsarestoredinandcanberecoveredfromtheapp’sdatabases).
Userpersonaldetails:Userpersonaldetailsincludename,gender,dateofbirth,emailaddress,height,
weightandotherpersonaldatawouldbehelpfulforforensicinvestigatorstopositivelyidentifytheapp
ordeviceusers.
Useractivities:ThemHealthappsrequireuserstoentertheirday-to-dayfoodhabit,healthconditions,
activityorexercisedetails,diagnosisdetails,medicationdetailsandsymptomdetails,etc.
Userlocation:Fitnessappsallowuserstokeeptrackoftheirexercise,running,jogging,cyclingandother
activities.Theseappsgenerallystorethegeographicalcoordinatesoftheuserlocationduringthese
activitieswhichcanprovideusefulevidencetotheinvestigators.
Activitytimestamps:Anotherimportantartefactisthetimestampoftheuseractivity.Forexample,linking
activitytimestampswithcorrespondinguserlocations(e.g.geographicalcoordinates)andotherrelevant
information(e.g.CCTVfeeds)wouldprovideusefulinformationinaninvestigation.
Images:Thisartefactincludesprofileimages,andimagestakenandpostedfromalocation.
~30 MEDICAL/FITNESS/HEALTH APPS
App Name /Data
User credentials
and pins
Personal details
of users
User activities
User location
Activity
timestamps
Images
Google Fit N N P N F N
MyFitnessPal P F F N F F
RunKeeper-GPS N N F F F N
Nike+ Running N F F N F F
WebMD N N P N N N
Blood Pressure (BP) Watch N P F N F N
Water Your Body N N F N N N
Instant Heart Rate N N N N N N
Drugs.com Medication
Guide
N F N N P N
RuntasticPedometer N N F N F N
App Name /Data
User credentials
and pins
Personal details
of users
User activities
User location
Activity
timestamps
Images
Google Fit N N P N F N
MyFitnessPal P F F N F F
RunKeeper-GPS N N F F F N
Nike+ Running N F F N F F
WebMD N N P N N N
Blood Pressure (BP) Watch N P F N F N
Water Your Body N N F N N N
Instant Heart Rate N N N N N N
Drugs.com Medication
Guide
N F N N P N
RuntasticPedometer N N F N F N
~30 MEDICAL/FITNESS/HEALTH APPS
App Name /Data
User credentials
and pins
Personal details
of users
User
activities
User
location
Activity
timestamps
Images
NoomWalk Pedometer:
Fitness
N N F N F F
StravaRunning and Cycling
GPS
N F F F F N
Bleep Fitness Test N F F N P N
Fitness Buddy: 300+
Exercises
N N F N F N
BodySpace- Social Fitness N F F N P F
Walk with Map My Walk N F F F F P
EndomondoRunning Cycling
Walking
N N F F F F
FitNotes–gym Workout
Log
N N F N P N
Period Calendar F F F N P N
Period Tracker N N F N P N
My Pregnancy Today P N N N N F
My Baby Today N F N N P N
App Name /Data
User credentials
and pins
Personal details
of users
User
activities
User
location
Activity
timestamps
Images
NoomWalk Pedometer:
Fitness
N N F N F F
StravaRunning and Cycling
GPS
N F F F F N
Bleep Fitness Test N F F N P N
Fitness Buddy: 300+
Exercises
N N F N F N
BodySpace- Social Fitness N F F N P F
Walk with Map My Walk N F F F F P
EndomondoRunning Cycling
Walking
N N F F F F
FitNotes–gym Workout
Log
N N F N P N
Period Calendar F F F N P N
Period Tracker N N F N P N
My Pregnancy Today P N N N N F
My Baby Today N F N N P N
~30 MEDICAL/FITNESS/HEALTH APPS
App Name /Data
User credentials
and pins
Personal details
of users
User
activities
User
location
Activity timestamps
Images
Calorie Counter by
FatSecret
N N F N P N
MyNetDiaryCalorie
Counter PRO
N N N N N F
My Diet Diary Calorie
Counter
N P F N F N
Calories! Basic –calcounter N N P N F N
Calorie Counter N F F N F N
Lifesum-Calorie Counter N P F N F F
App Name /Data
User credentials
and pins
Personal details
of users
User
activities
User
location
Activity timestamps
Images
Calorie Counter by
FatSecret
N N F N P N
MyNetDiaryCalorie
Counter PRO
N N N N N F
My Diet Diary Calorie
Counter
N P F N F N
Calories! Basic –calcounter N N P N F N
Calorie Counter N F F N F N
Lifesum-Calorie Counter N P F N F F
~30 MEDICAL/FITNESS/HEALTH APPS
THE VALUE IS HIGHER, THE MORE DATA STORED LOCALLY)
3
9
6
8
1
5
2
0
3
4
6
8
5
4
7
9
8
3
7
3333
2
5
3
6
7
0
1
2
3
4
5
6
7
8
9
10
Average Issue Index
THE VALUE IS HIGHER, THE MORE DATA STORED LOCALLY)
3
9
6
8
1
5
2
0
3
4
6
8
5
4
7
9
8
3
7
3333
2
5
3
6
7
0
1
2
3
4
5
6
7
8
9
10
Average Issue Index
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
HEALTHCARE
SUMMARY
Native Health App is good protected, however not a basic information
Basic info - Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
Exported data is not protected at all
Source apps (medical, fitness, health, …)
Data contains everything with GPS, timestamp and lot of day-by-day changes
Usually stores data locally, but basic activity over network is intercepted and
credentials gained
Pseudo health apps – usually requires user to handle all data by himself
Friend list, Credentials, secret questions & answers
Body values, timestamp, visited places & geo
Medical periods, schedule, pills and so on
Preferences, searches
SUMMARY
Native Health App is good protected, however not a basic information
Basic info - Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
Exported data is not protected at all
Source apps (medical, fitness, health, …)
Data contains everything with GPS, timestamp and lot of day-by-day changes
Usually stores data locally, but basic activity over network is intercepted and
credentials gained
Pseudo health apps – usually requires user to handle all data by himself
Friend list, Credentials, secret questions & answers
Body values, timestamp, visited places & geo
Medical periods, schedule, pills and so on
Preferences, searches
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
APPLE TV – FIVES GENERATIONS
MacOSX, iOS, tvOS
Common ways to break into
Jailbreak tools
Password management
USB Acquisition
Backup
Jailbroken acquisition
Profiling
MacOSX, iOS, tvOS
Common ways to break into
Jailbreak tools
Password management
USB Acquisition
Backup
Jailbroken acquisition
Profiling
APPLE TV – I GENERATION
EASILY TO BREAK
First edition of TV, Mac OS X & HDD makes breaking much easier
All possible ways to break into the first Apple TV 8 years ago:
“Hacking the Apple TV and Where Your Forensic Data Lives”, Kevin Estisand
Randy Robbins, Def Con 2009
https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon- 17-
kevin_estis- apple_tv.pdf
https://www.youtube.com/watch?v=z- WCy3Bdzkc
EASILY TO BREAK
First edition of TV, Mac OS X & HDD makes breaking much easier
All possible ways to break into the first Apple TV 8 years ago:
“Hacking the Apple TV and Where Your Forensic Data Lives”, Kevin Estisand
Randy Robbins, Def Con 2009
https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon- 17-
kevin_estis- apple_tv.pdf
https://www.youtube.com/watch?v=z- WCy3Bdzkc
APPLE TV – II-V GENERATION
EASILY TO BREAK TOO
Perform breaks in the same way like any other Apple Mobile device (iPhone, iPad)
Backup contains valuable data (forensics tool works too)
Find a jailbreak to obtain the whole OS
Look for user content: Netflix, iTunes, NHL, NBA, Vimeo, YouTube
Get access to App’s data and reveal credentials, card –depend on application
Why Apple TV can be jailbroken (why men jail it)?
Outdated compromised TV 2 with OpenSSH and default password
https://www.tvaddons.co/appletv2-jailbreak-threat/
Direct access to filesystem and file management beyond the backups & cloud
Stream media from devices beyond AirPlayor iOS devices
Sideloading3rd party tools
Kodi, Hulu, LastFM, XBMC, NitoTV, , Pandora Radio, and other apps.
Don’t pay $100 for dev license and get access to hundreds, of music, TV, movies
EASILY TO BREAK TOO
Perform breaks in the same way like any other Apple Mobile device (iPhone, iPad)
Backup contains valuable data (forensics tool works too)
Find a jailbreak to obtain the whole OS
Look for user content: Netflix, iTunes, NHL, NBA, Vimeo, YouTube
Get access to App’s data and reveal credentials, card –depend on application
Why Apple TV can be jailbroken (why men jail it)?
Outdated compromised TV 2 with OpenSSH and default password
https://www.tvaddons.co/appletv2-jailbreak-threat/
Direct access to filesystem and file management beyond the backups & cloud
Stream media from devices beyond AirPlayor iOS devices
Sideloading3rd party tools
Kodi, Hulu, LastFM, XBMC, NitoTV, , Pandora Radio, and other apps.
Don’t pay $100 for dev license and get access to hundreds, of music, TV, movies
APPLE TV
DATA EXAMINATION & FORENSICS
Apple TV jailbreak support
https://pangu8.com/appletv.html
Apple TV 1 –scripts, ssh, HD extraction and other way
Apple TV 2 –Seas0npass jail for TV running tvOS4.3 -tvOS5.3 (untethered) & tvOS 6.1.2
(tethered)
Apple TV 3 –No jailbreak, many scams, probably Snow3rd jail works for TV running 5.0, 5.0.1,
and not beyond 5.0.2
Apple TV 4
Pangu9 jail for TV running tvOS9.0 -tvOS9.0.1
LiberTVjail for TV running tvOS9.1 -tvOS10.1
GreenG0blin jail for TV running tvOS10.2.2
Apple TV 4 / 5
LiberTVjail for TV running tvOS11.0 and 11.1
Apple TV 4 / 5 – Electra jail for TV running tvOS11.2 -tvOS11.3
DATA EXAMINATION & FORENSICS
Apple TV jailbreak support
https://pangu8.com/appletv.html
Apple TV 1 –scripts, ssh, HD extraction and other way
Apple TV 2 –Seas0npass jail for TV running tvOS4.3 -tvOS5.3 (untethered) & tvOS 6.1.2
(tethered)
Apple TV 3 –No jailbreak, many scams, probably Snow3rd jail works for TV running 5.0, 5.0.1,
and not beyond 5.0.2
Apple TV 4
Pangu9 jail for TV running tvOS9.0 -tvOS9.0.1
LiberTVjail for TV running tvOS9.1 -tvOS10.1
GreenG0blin jail for TV running tvOS10.2.2
Apple TV 4 / 5
LiberTVjail for TV running tvOS11.0 and 11.1
Apple TV 4 / 5 – Electra jail for TV running tvOS11.2 -tvOS11.3
APPLE TV
DATA EXAMINATION & FORENSICS
USB port is reserved for “service and support” purpose
Vanished since Apple 5
th
Gen (4k)
No password management –we trust you, breakers
Seriously, No Password or Passcode protection at all ! Restrictions instead:
Use Restrictions on your Apple TV
https://support.apple.com/en-md/HT200198
Allow all by default
Restrict blocks by passcode purchases, apps, content, settings and remote pairing
(no one blocks pairing usually)
Account-Password requires for purchases in a way like any Apple device
(
https://support.apple.com/en-us/HT204030)
DATA EXAMINATION & FORENSICS
USB port is reserved for “service and support” purpose
Vanished since Apple 5
th
Gen (4k)
No password management –we trust you, breakers
Seriously, No Password or Passcode protection at all ! Restrictions instead:
Use Restrictions on your Apple TV
https://support.apple.com/en-md/HT200198
Allow all by default
Restrict blocks by passcode purchases, apps, content, settings and remote pairing
(no one blocks pairing usually)
Account-Password requires for purchases in a way like any Apple device
(
https://support.apple.com/en-us/HT204030)
APPLE TV –2
TH
–4
TH
GEN
USB ACQUISITION (USB, MICRO, USB-C)
5
TH
GEN IS OUT OF SCOPE (NO USB)
AFC (Apple File Conduit) service works here
/private/var/mobile/Media
USB Acquisition gives:
Basic device information
Real Time Log (Syslog), Crash Logs
Part of the file system (“Media” folder)
Device information
MAC –WiFi, Bluetooth, Ethernet
Name, Timezone, Serial ID, Model
Ideviceinfo, idevicesyslog
http://www.libimobiledevice.org/
TH
–4
TH
GEN
USB ACQUISITION (USB, MICRO, USB-C)
5
TH
GEN IS OUT OF SCOPE (NO USB)
AFC (Apple File Conduit) service works here
/private/var/mobile/Media
USB Acquisition gives:
Basic device information
Real Time Log (Syslog), Crash Logs
Part of the file system (“Media” folder)
Device information
MAC –WiFi, Bluetooth, Ethernet
Name, Timezone, Serial ID, Model
Ideviceinfo, idevicesyslog
http://www.libimobiledevice.org/
APPLE TV
BACKUP
Real Time Log
Crash Log
MediaLibrary.sqlitedb
iCloud Account Name
iCloud ID
Wi-Fi networks
Device usage timeline
Shopping database
BACKUP
Real Time Log
Crash Log
MediaLibrary.sqlitedb
iCloud Account Name
iCloud ID
Wi-Fi networks
Device usage timeline
Shopping database
APPLE TV – 2
TH
–5
TH
GEN
JAILBREAK
Timezone
/private/var /db/timezone/localtime
Network tcp/iplease
/private/var /db/dhcpclient/leases/
Network wi-fihistory
/private/var /preferences/com.apple.wifi.plist
TH
–5
TH
GEN
JAILBREAK
Timezone
/private/var /db/timezone/localtime
Network tcp/iplease
/private/var /db/dhcpclient/leases/
Network wi-fihistory
/private/var /preferences/com.apple.wifi.plist
APPLE TV – 2
TH
–5
TH
GEN
JAILBREAK
Keyboard dictionary
/private/var/mobile/library/keyboard/dynamic-
text.dat
Accounts
/private/var/mobile/library/accounts/
/private/var/mobile/library/preferences/com.apple.ids
.service.com
User email
User info: email + phone
[email protected]
+79851719122
Network
TH
–5
TH
GEN
JAILBREAK
Keyboard dictionary
/private/var/mobile/library/keyboard/dynamic-
text.dat
Accounts
/private/var/mobile/library/accounts/
/private/var/mobile/library/preferences/com.apple.ids
.service.com
User email
User info: email + phone
[email protected]
+79851719122
Network
APPLE TV – 2
TH
–5
TH
GEN
JAILBREAK
iCloud synced preferences
/var/mobile/Library/SyncedPreferences/
Wi-Fi Access Points
com.apple.wifid.plist
Weather Cities
com.apple.nanoweatherprefsd.plist
Moskva, LianozovoDictrict
55.800149, 37.565483
TH
–5
TH
GEN
JAILBREAK
iCloud synced preferences
/var/mobile/Library/SyncedPreferences/
Wi-Fi Access Points
com.apple.wifid.plist
Weather Cities
com.apple.nanoweatherprefsd.plist
Moskva, LianozovoDictrict
55.800149, 37.565483
APPLE TV – 2
TH
–5
TH
GEN
JAILBREAK
Headboard
/private/var/mobile/library/com.apple.headboard
/apporder.plist
/private/var/mobile/library/caches/com.apple.tvic
onscache/com.apple.headboard
/private/var/mobile/library/caches/com.apple.hea
dboard/ fscacheddata
TH
–5
TH
GEN
JAILBREAK
Headboard
/private/var/mobile/library/com.apple.headboard
/apporder.plist
/private/var/mobile/library/caches/com.apple.tvic
onscache/com.apple.headboard
/private/var/mobile/library/caches/com.apple.hea
dboard/ fscacheddata
APPLE TV – 2
TH
–5
TH
GEN
JAILBREAK
App snapshots
/private/var/mobile/library/caches/com.app
le.pineboard/ assetlibrary/snapshots/
Cached video
/private/var/mobile/library/caches/appletv
/video/
TH
–5
TH
GEN
JAILBREAK
App snapshots
/private/var/mobile/library/caches/com.app
le.pineboard/ assetlibrary/snapshots/
Cached video
/private/var/mobile/library/caches/appletv
/video/
APPLE TV – 2
TH
–5
TH
GEN
JAILBREAK
Installed applications
/private/var /db/lsd/com.apple.lsdidentifiers.plist
Installed applications
/private/var /mobile/containers/bundle/
Installed applications
/private/var /mobile/containers/data/application/
TH
–5
TH
GEN
JAILBREAK
Installed applications
/private/var /db/lsd/com.apple.lsdidentifiers.plist
Installed applications
/private/var /mobile/containers/bundle/
Installed applications
/private/var /mobile/containers/data/application/
APPLE TV – 2
TH
–5
TH
GEN
JAILBREAK
Country, last activity
App snapshots
Youtube
TH
–5
TH
GEN
JAILBREAK
Country, last activity
App snapshots
Youtube
APPLE TV –ANY GEN
PROFILING AS A KIND OF PROTECTION
TV Remote Payload
The TV Remote payload is designated by specifying com.apple.tvremote as the
PayloadTypevalue. If not present, or the list is empty, any device will be allowed
to connect.
Availability: Available in tvOS11.3 and iOS 11.3 and later
AllowedRemotes
AllowedTVs
RemoteDeviceID
TVDeviceID
https://developer.apple.com/enterprise/documentation/Configuration-
Profile-Reference.pdf
PROFILING AS A KIND OF PROTECTION
TV Remote Payload
The TV Remote payload is designated by specifying com.apple.tvremote as the
PayloadTypevalue. If not present, or the list is empty, any device will be allowed
to connect.
Availability: Available in tvOS11.3 and iOS 11.3 and later
AllowedRemotes
AllowedTVs
RemoteDeviceID
TVDeviceID
https://developer.apple.com/enterprise/documentation/Configuration-
Profile-Reference.pdf
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
APPLE TV
SUMMARY
Lot of jailbreaks
Except Apple TV 3
Apple TV 1 is based on Mac OS X, so breaking is the same way like Mac
Password management
No password
No restrictions by default
Restrictions handle the content only
Apple TV 2 –5
Apple TV 2 –4 equipped with USB that gives dev info, timelog , crashlog, media folder
Apple TV 5 does not have USB ports
Jailbroken TV
Timezone, Network Info & History, Keyboard & Account Info
iCloud preferences, Wi-Fi Accent Point, Weather cities (list)easy to remap geo
TVs -Headboard, App snapshots, Cached video
App List, App Data, App Snapshots
SUMMARY
Lot of jailbreaks
Except Apple TV 3
Apple TV 1 is based on Mac OS X, so breaking is the same way like Mac
Password management
No password
No restrictions by default
Restrictions handle the content only
Apple TV 2 –5
Apple TV 2 –4 equipped with USB that gives dev info, timelog , crashlog, media folder
Apple TV 5 does not have USB ports
Jailbroken TV
Timezone, Network Info & History, Keyboard & Account Info
iCloud preferences, Wi-Fi Accent Point, Weather cities (list)easy to remap geo
TVs -Headboard, App snapshots, Cached video
App List, App Data, App Snapshots
AMAZON TV: PREREQUISITE
Amazon Fire TV Stick
Amazon account plus other accounts per app
MITM is out of scope, but wait for Amazon Dot
Forensics tools (no support atm)
Known ways to break into
Root
Data acquisition (streaming, photo, app, sideloaded Android app)
Amazon Fire TV Stick
Amazon account plus other accounts per app
MITM is out of scope, but wait for Amazon Dot
Forensics tools (no support atm)
Known ways to break into
Root
Data acquisition (streaming, photo, app, sideloaded Android app)
AMAZON TV
BREAK OPPORTUNITIES
No support of Forensics tools
Sideloadingis allowed, ADB exists and is off by default
Rooting
many root-apps (like KingRoot) is around of outdated FireOS
such as 5.0.5but not limited it
The rooting requires a keyboard, no support for TV remote
devices
Use ddcommand to obtain an image of Fire TV
BREAK OPPORTUNITIES
No support of Forensics tools
Sideloadingis allowed, ADB exists and is off by default
Rooting
many root-apps (like KingRoot) is around of outdated FireOS
such as 5.0.5but not limited it
The rooting requires a keyboard, no support for TV remote
devices
Use ddcommand to obtain an image of Fire TV
AMAZON TV
ROOT, BOOTLOADER, SIDELOADING
Non-root things
Sideloadingis allowed without root like on Android
Bootloader: 51.1.x.x –non-locked, 5.x.x.x –locked but 5.0.x are unlockable (no info about
older versions)
Downgrading might be possible
Roots
Fire TV 1 –rootablefor 51.1.0.0 -51.1.6.3, 5.0.3, 5.0.5, and no root for 5.0.5.1, 5.2.1.0 -
5.2.6.3
Fire TV 2 –rootablefor 5.0.0 –5.2.1.1, no root for 5.2.4.0 –5.2.6.3
Fire TV 2 –5.2.6.6 –pre-rooted ROM (
http://www.aftvnews.com/pre-rooted-5-2-6-6-rom-
is-now-available-for-the-fire-tv-2/)
Fire TV 3, Fire TV Cube –no root or pre-rooted ROM
Fire TV Stick 1 –rootablefor 5.0.0 -5.2.1.1 and no root 54.1.2.3 and older, 5.2.1.2 -
5.2.6.3
Fire TV Stick 2 –no root, except hardware rooting to direct access to the device eMMC
storage (
http://www.aftvnews.com/amazon-fire-tv-hardware-root-demonstrated/)
Fire TV Edition television –rootablefor 5.2.5.0 and no root for 5.2.5.1-5.2.6.3
ROOT, BOOTLOADER, SIDELOADING
Non-root things
Sideloadingis allowed without root like on Android
Bootloader: 51.1.x.x –non-locked, 5.x.x.x –locked but 5.0.x are unlockable (no info about
older versions)
Downgrading might be possible
Roots
Fire TV 1 –rootablefor 51.1.0.0 -51.1.6.3, 5.0.3, 5.0.5, and no root for 5.0.5.1, 5.2.1.0 -
5.2.6.3
Fire TV 2 –rootablefor 5.0.0 –5.2.1.1, no root for 5.2.4.0 –5.2.6.3
Fire TV 2 –5.2.6.6 –pre-rooted ROM (
http://www.aftvnews.com/pre-rooted-5-2-6-6-rom-
is-now-available-for-the-fire-tv-2/)
Fire TV 3, Fire TV Cube –no root or pre-rooted ROM
Fire TV Stick 1 –rootablefor 5.0.0 -5.2.1.1 and no root 54.1.2.3 and older, 5.2.1.2 -
5.2.6.3
Fire TV Stick 2 –no root, except hardware rooting to direct access to the device eMMC
storage (
http://www.aftvnews.com/amazon-fire-tv-hardware-root-demonstrated/)
Fire TV Edition television –rootablefor 5.2.5.0 and no root for 5.2.5.1-5.2.6.3
AMAZON TV
ROOTED TV
browser.db–Browser History & navigating to websites using
Mozilla Firefox
[root]/data/com.amazon.bueller.photos/files/cmsimages–Pictures
from Amazon cloud drive but formatted for better viewing up to
Fire TV Stick
[root]/data/com.amazon.device.controllermanager/
databases/devices–Bluetooth Devices and their names, MAC
paired with Fire TV (such as, keyboard mouse, Amazon Fire TV
remote)
[root]/data/com.amazon.device.logmanager/files–Amazon Logs
including Log.amazon\main
ROOTED TV
browser.db–Browser History & navigating to websites using
Mozilla Firefox
[root]/data/com.amazon.bueller.photos/files/cmsimages–Pictures
from Amazon cloud drive but formatted for better viewing up to
Fire TV Stick
[root]/data/com.amazon.device.controllermanager/
databases/devices–Bluetooth Devices and their names, MAC
paired with Fire TV (such as, keyboard mouse, Amazon Fire TV
remote)
[root]/data/com.amazon.device.logmanager/files–Amazon Logs
including Log.amazon\main
AMAZON TV
ROOTED TV
/data/data/ = All application data is stored in this directory
com.amazon.venezia/ = Amazon appstoredata
/cache/ = thumbnails & previews for appstoreapps
/databases/ = sqlitefiles in each folder
/contentProvider= Table "Apps" contains app-names("key") with relation
thumbnails("thumbnailUri"), Preview("previewUri") found in ../cache directory
/locker = workflow, orders, wishlist, applications, cache, content tokens.
/logging = logs for appstoreapplication
com.android.cloud9/ = Amazon browserdata
/cache/webviewcache/ = any cache data
/databases/ = sqlitefiles in each folder
/webview.db= webviewcookies & form data.
/webviewCache.db= association of files in ../cache/webviewcache/ directory to urls.
/browser.db= history & bookmarks also have path to page previews and thumbnails stored in ../files
/files/ = page previews & thumbnails stored as JPEG (crosslink to ‘browser.db’ above)
/shared_prefs= preferences for a cross-access
com.amazon.providers.contacts/databases/contacts2.db = All contacts
ROOTED TV
/data/data/ = All application data is stored in this directory
com.amazon.venezia/ = Amazon appstoredata
/cache/ = thumbnails & previews for appstoreapps
/databases/ = sqlitefiles in each folder
/contentProvider= Table "Apps" contains app-names("key") with relation
thumbnails("thumbnailUri"), Preview("previewUri") found in ../cache directory
/locker = workflow, orders, wishlist, applications, cache, content tokens.
/logging = logs for appstoreapplication
com.android.cloud9/ = Amazon browserdata
/cache/webviewcache/ = any cache data
/databases/ = sqlitefiles in each folder
/webview.db= webviewcookies & form data.
/webviewCache.db= association of files in ../cache/webviewcache/ directory to urls.
/browser.db= history & bookmarks also have path to page previews and thumbnails stored in ../files
/files/ = page previews & thumbnails stored as JPEG (crosslink to ‘browser.db’ above)
/shared_prefs= preferences for a cross-access
com.amazon.providers.contacts/databases/contacts2.db = All contacts
FORENSIC ANALYSIS METHOD FOR
THE AMAZON FIRE TV STICK
THE AMAZON FIRE TV STICK
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
AMAZON TV: SUMMARY
Several older firmwaresare affected by rooting tools
Rooting requires BT-keyboard that’s is not a big deal for TV
Sideloadingis allowed without root
ADB is possible
Downgrading the Fire TV Stick software/firmware might possible
Personal data is revealed
Credentials of streaming services is found
Netflix, NHL, NBA, Vimeo, … Kodito get access to hundreds, of music, TV, movies
No way to restrict connection and bind TV and device to themselves only
FireOSver5.x is based on Android 5.1.1 Lollipop, ver6.x is based on
Android 7.1 Nougat
Several older firmwaresare affected by rooting tools
Rooting requires BT-keyboard that’s is not a big deal for TV
Sideloadingis allowed without root
ADB is possible
Downgrading the Fire TV Stick software/firmware might possible
Personal data is revealed
Credentials of streaming services is found
Netflix, NHL, NBA, Vimeo, … Kodito get access to hundreds, of music, TV, movies
No way to restrict connection and bind TV and device to themselves only
FireOSver5.x is based on Android 5.1.1 Lollipop, ver6.x is based on
Android 7.1 Nougat
AMAZON ECHO DOT
•Картинкииспецификацию
•Картинкииспецификацию
AMAZON ECHO DOT
Local access
Bootloader
MITM: SSL, MITM, Firmware MITM
Credentials breaks
Local access
Bootloader
MITM: SSL, MITM, Firmware MITM
Credentials breaks
AMAZON ECHO DOT
LOCAL ACCESS, LACK OF ROOT
Alexa doesn’t have ADB, but have a MTK
bus 001 Device 010: ID 0ed8d:2000 MediaTekInc. MT65xx Preloader
However a SP Flash Tool does not work atm
Bootloader –press and keep ‘Uber’ while it is loading, but bootloader is locked
and no unlocking key is available
Bus 001 Device 019: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 /
Magic / Tattoo
# fastbootdevices
fastboot
# fastbootgetvarall
lk_build_desc: c1…..
prod: 1
unlock_status: false
serialno: […..]
product: BISCUIT
version-preloader: 0.1.00
version: 0.5
LOCAL ACCESS, LACK OF ROOT
Alexa doesn’t have ADB, but have a MTK
bus 001 Device 010: ID 0ed8d:2000 MediaTekInc. MT65xx Preloader
However a SP Flash Tool does not work atm
Bootloader –press and keep ‘Uber’ while it is loading, but bootloader is locked
and no unlocking key is available
Bus 001 Device 019: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 /
Magic / Tattoo
# fastbootdevices
fastboot
# fastbootgetvarall
lk_build_desc: c1…..
prod: 1
unlock_status: false
serialno: […..]
product: BISCUIT
version-preloader: 0.1.00
version: 0.5
AMAZON ECHO DOT
MITM. WHAT ABOUT SSL?
Self signed certificates is allowed on Alexa for devs
https://developer.amazon.com/docs/custom-
skills/configure-web-service-self-signed-certificate.html
https://www.amazon.com/gp/help/customer/display.ht
ml?nodeId=201589180
Change endpoint configuration and region
Make your Alexa installs a SSL from Intercepting tools
No lack, Alexa Echo Dot as a device prevents this shit
Try with Alex app that comes installed by default on the
Kindle Fire Tablets, or download for Android or iOS
devices even (!)
MITM. WHAT ABOUT SSL?
Self signed certificates is allowed on Alexa for devs
https://developer.amazon.com/docs/custom-
skills/configure-web-service-self-signed-certificate.html
https://www.amazon.com/gp/help/customer/display.ht
ml?nodeId=201589180
Change endpoint configuration and region
Make your Alexa installs a SSL from Intercepting tools
No lack, Alexa Echo Dot as a device prevents this shit
Try with Alex app that comes installed by default on the
Kindle Fire Tablets, or download for Android or iOS
devices even (!)
AMAZON ECHO DOT
MITM. FIRST TIME SETUP
Navigate via browser
https://alexa.amazon.com
Up to end of 2017 a redirect to Alexa setup was a http
URL (!)
Expected credentials stolen in plaintext & expiring in
2036 like before, but no lack
before
POST
/ap/signin?ie=UTF8&pf_rd_r=yyyyyyy&pf_rd_m=xxxxxx&
pf_rd_t=6301&pf_rd_i=amzn_dp_project_dee&pf_rd_p=x
xxxx&pf_rd_s=signin-slot HTTP/1.1
Host: www.amazon.com
Content-Length: 1349
“name”: “Set-Cookie”,
“value”: “session-token=\”xx/y//zz==\”; Version=1;
Domain=.amazon.com; Max-Age=630720000; Expires=Sat,
01-Nov-2036 22:39:37 GMT; Path=/”
Now
HTTPS, prevents MITM attack
Certificate expires every 2 years
MITM. FIRST TIME SETUP
Navigate via browser
https://alexa.amazon.com
Up to end of 2017 a redirect to Alexa setup was a http
URL (!)
Expected credentials stolen in plaintext & expiring in
2036 like before, but no lack
before
POST
/ap/signin?ie=UTF8&pf_rd_r=yyyyyyy&pf_rd_m=xxxxxx&
pf_rd_t=6301&pf_rd_i=amzn_dp_project_dee&pf_rd_p=x
xxxx&pf_rd_s=signin-slot HTTP/1.1
Host: www.amazon.com
Content-Length: 1349
“name”: “Set-Cookie”,
“value”: “session-token=\”xx/y//zz==\”; Version=1;
Domain=.amazon.com; Max-Age=630720000; Expires=Sat,
01-Nov-2036 22:39:37 GMT; Path=/”
Now
HTTPS, prevents MITM attack
Certificate expires every 2 years
AMAZON ECHO DOT
MITM. FIRMWARE
Intercepting firmware updates is possible
Here is a bin-firwarehttp request
GET /obfuscated-otav3-9/…/update-kindle-full_biscuit-XXXX_user_[XXXXXXXXX].bin
HTTP/1.1
Host: amzdigitaldownloads.edgesuite.net
Connection: close
User-Agent: AndroidDownloadManager/5.1.1 (Linux; U; Android 5.1.1; AEOBC
Build/LVY48F)
Firmware contains build.prop = designed as a Android & have .APKs
ro.build.version.fireos=5.5.0.3
ro.build.version.fireos.sdk=4
Non-Encrypted bin-firmware
-rw-r--r-- boot.img; file_contexts
drwxr-xr-x images; META-INF
-rw-r--r-- ota.prop
drwxr-xr-x system
-rw-r--r-- system.new.dat; system.patch.dat; system.transfer.list
MITM. FIRMWARE
Intercepting firmware updates is possible
Here is a bin-firwarehttp request
GET /obfuscated-otav3-9/…/update-kindle-full_biscuit-XXXX_user_[XXXXXXXXX].bin
HTTP/1.1
Host: amzdigitaldownloads.edgesuite.net
Connection: close
User-Agent: AndroidDownloadManager/5.1.1 (Linux; U; Android 5.1.1; AEOBC
Build/LVY48F)
Firmware contains build.prop = designed as a Android & have .APKs
ro.build.version.fireos=5.5.0.3
ro.build.version.fireos.sdk=4
Non-Encrypted bin-firmware
-rw-r--r-- boot.img; file_contexts
drwxr-xr-x images; META-INF
-rw-r--r-- ota.prop
drwxr-xr-x system
-rw-r--r-- system.new.dat; system.patch.dat; system.transfer.list
AMAZON ALEXA APP
Alexa app has a good a solid protection
No sensitive data stored locally
Well encrypted communication (online, internal) and used the TLS 1.2
However, MITM is possible, because no SSL Pinning used
Credentials and all communication compromised
Alexa app has a good a solid protection
No sensitive data stored locally
Well encrypted communication (online, internal) and used the TLS 1.2
However, MITM is possible, because no SSL Pinning used
Credentials and all communication compromised
AMAZON ECHO DOT
ALEXA APP – MITM, NOT PINNED
Credentials
{"Credentials":{"AccessKeyId":"ASIAXHE6EPSWNVIGFBVP","Expiration":1.538588872E9,"SecretKey":"+8gS
x7/H.....U="},"IdentityId":"us-east-1:503e25f6-2302-4dcd-8cb2-64a0e888f76b"}
Email, Password from POST action ‘https://www.amazon.com/ap/signin’
Device Info plus token
Metrics -
https://device- metrics-us-2.amazon.com/metricsBatch
HTTP_USER_AGENTDAMZN(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)"
CountryCodeRU"
Profile
Name, Billing Address, Shipping Address
Device IDs, types, Account ID, Device capabilities
First answer in .mp3 (https://tinytts.amazon.com/) stored for a long time (at least couple months)
ALEXA APP – MITM, NOT PINNED
Credentials
{"Credentials":{"AccessKeyId":"ASIAXHE6EPSWNVIGFBVP","Expiration":1.538588872E9,"SecretKey":"+8gS
x7/H.....U="},"IdentityId":"us-east-1:503e25f6-2302-4dcd-8cb2-64a0e888f76b"}
Email, Password from POST action ‘https://www.amazon.com/ap/signin’
Device Info plus token
Metrics -
https://device- metrics-us-2.amazon.com/metricsBatch
HTTP_USER_AGENTDAMZN(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)"
CountryCodeRU"
Profile
Name, Billing Address, Shipping Address
Device IDs, types, Account ID, Device capabilities
First answer in .mp3 (https://tinytts.amazon.com/) stored for a long time (at least couple months)
AMAZON ALEXA APP
LOCAL
Library\Application Support\device.sqlite–device list with
ID, serials
Library\METRICS_NORMAL\* -Logs &
MetricsHTTP_USER_AGENT(SmartPhone/iPhone/A2IVLV5VM
2W81,iOS/12.0,Alexa//2.2.233205,DCM)
Library\Preferences\com.amazon.echo.plist–Account Info
Documents\LocalData.sqlite–settings of devices
LOCAL
Library\Application Support\device.sqlite–device list with
ID, serials
Library\METRICS_NORMAL\* -Logs &
MetricsHTTP_USER_AGENT(SmartPhone/iPhone/A2IVLV5VM
2W81,iOS/12.0,Alexa//2.2.233205,DCM)
Library\Preferences\com.amazon.echo.plist–Account Info
Documents\LocalData.sqlite–settings of devices
AMAZON ECHO DOT
ALEXA APP
Alexa and Echo allow many users to manage devices
Echo has no voice differentiation capabilities nor protection against non-human or repeated speech
Each device locks by 4 digit PIN
The Set of PINs is ~10k values
Two attempts and have to restart but no limit the number of total attempts
Bruteforceit for 2 days
How to break
1.Computer says “wake word” followed by the command to order an Amazon Echo Dot
2.Alexa responds with top Amazon search for and asks if user wants to place the order
3.Computer confirms order
4.Alexa asks for 4-digit PIN
5.Computer guesses next PIN in numerical order
6.Alexa accepts or rejects PIN
7.Computer guesses next PIN in numerical order
Repeat until you break it take up to 48h max
ALEXA APP
Alexa and Echo allow many users to manage devices
Echo has no voice differentiation capabilities nor protection against non-human or repeated speech
Each device locks by 4 digit PIN
The Set of PINs is ~10k values
Two attempts and have to restart but no limit the number of total attempts
Bruteforceit for 2 days
How to break
1.Computer says “wake word” followed by the command to order an Amazon Echo Dot
2.Alexa responds with top Amazon search for and asks if user wants to place the order
3.Computer confirms order
4.Alexa asks for 4-digit PIN
5.Computer guesses next PIN in numerical order
6.Alexa accepts or rejects PIN
7.Computer guesses next PIN in numerical order
Repeat until you break it take up to 48h max
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
AMAZON ECHO DOT& ALEXA APP
SUMMARY
Intercepting firmware updates is possible
Alexa allows to use self- signed SSLs but not accepts Burp/Charles certificate?
True for Alexa Echo Dot
Alexa app that relies on TLS 1.2 but affected to MITM attack with self signed cert
Not everything is HTTPS
FireOSis based on Android -https://en.wikipedia.org/wiki/Fire_OS
ver5.x –Android 5.1.1 Lollipop. Alexa is still on 5.x
ver6.x –Android 7.1 Nougat
Even hardware root is possible
https://vanderpot.com/Clinton_Cook_Paper.pdf
SUMMARY
Intercepting firmware updates is possible
Alexa allows to use self- signed SSLs but not accepts Burp/Charles certificate?
True for Alexa Echo Dot
Alexa app that relies on TLS 1.2 but affected to MITM attack with self signed cert
Not everything is HTTPS
FireOSis based on Android -https://en.wikipedia.org/wiki/Fire_OS
ver5.x –Android 5.1.1 Lollipop. Alexa is still on 5.x
ver6.x –Android 7.1 Nougat
Even hardware root is possible
https://vanderpot.com/Clinton_Cook_Paper.pdf
READYFORSKY-???
a
a
CONNECTED HOME
READYFORSKY
Backup
MITM: Hub, Remote
BT MITM: out of scope
READYFORSKY
Backup
MITM: Hub, Remote
BT MITM: out of scope
READYFORSKY
DOCUMENTS\R4S.SQLITE
Device list, models, pairing text
Receipts per device (how to cook, basic details &
requirements)
Username, email
User devices & Mac
DOCUMENTS\R4S.SQLITE
Device list, models, pairing text
Receipts per device (how to cook, basic details &
requirements)
Username, email
User devices & Mac
READYFORSKY
MITM
Firmware version –2.29 -
http://service2.readyforsky.com/firmware/list/148/["2.29"]
Device Pic - http://image-
server.readyforsky.com/i/1899/200x200.png
Recipes –BlackTea, GreenTea, Others
Do smthwith a Kettle
https://content.readyforsky.com/api/program/catalog/id:IN:90,9
7?locale=en
"id": 90,
"protocol_id": 0,
"value": "BOILING", / HEATING
"value": "40", | "value": "55", | "value": "70", | "value": "85", | "value": "95",
MITM
Firmware version –2.29 -
http://service2.readyforsky.com/firmware/list/148/["2.29"]
Device Pic - http://image-
server.readyforsky.com/i/1899/200x200.png
Recipes –BlackTea, GreenTea, Others
Do smthwith a Kettle
https://content.readyforsky.com/api/program/catalog/id:IN:90,9
7?locale=en
"id": 90,
"protocol_id": 0,
"value": "BOILING", / HEATING
"value": "40", | "value": "55", | "value": "70", | "value": "85", | "value": "95",
READYFORSKY
MITM
Credentials, password, tokens
https://content.readyforsky.com/headless/change- password
{"current_password": "1", "plainPassword ": "1"}
{ "error": "invalid_grant ", "error_description": "The access token provided is
invalid."}
{ "access_token":
"YjNhYmEwOWM1ZDcwYTk0ODU1ODhmZDZiMDRjNjA5NzUyN2YzM2VhN
GUyMjBhYzc0ZjBhYWRhY2IzZmNjMzdiOA",
"expires_in": 86400, "token_type": "bearer", "scope": "r4s", "refresh_token":
"YzE4ZGUwN2NkMzdiMDBlYmM5NGQwMGVjYmU4YThkYTVkMGE1ZTc4
ODQ2MDRkNjhhZWY4NGIxZjlkODRhZGI3MQ“ }
MITM
Credentials, password, tokens
https://content.readyforsky.com/headless/change- password
{"current_password": "1", "plainPassword ": "1"}
{ "error": "invalid_grant ", "error_description": "The access token provided is
invalid."}
{ "access_token":
"YjNhYmEwOWM1ZDcwYTk0ODU1ODhmZDZiMDRjNjA5NzUyN2YzM2VhN
GUyMjBhYzc0ZjBhYWRhY2IzZmNjMzdiOA",
"expires_in": 86400, "token_type": "bearer", "scope": "r4s", "refresh_token":
"YzE4ZGUwN2NkMzdiMDBlYmM5NGQwMGVjYmU4YThkYTVkMGE1ZTc4
ODQ2MDRkNjhhZWY4NGIxZjlkODRhZGI3MQ“ }
READYFORSKY
MITM
User details -
https://content.readyforsky.com/api/user/current
"username": "yurychemerkin",
"username_canonical": "yurychemerkin",
"email": "[email protected]",
"last_login": null,
"enabled": true,
"locked": false,
"expired": false,
"id": 527679
Client Address192.168.1.38:50654 | this port changes
Remote Addresscontent.readyforsky.com/178.62.194.132:443 | fixed port
MITM
User details -
https://content.readyforsky.com/api/user/current
"username": "yurychemerkin",
"username_canonical": "yurychemerkin",
"email": "[email protected]",
"last_login": null,
"enabled": true,
"locked": false,
"expired": false,
"id": 527679
Client Address192.168.1.38:50654 | this port changes
Remote Addresscontent.readyforsky.com/178.62.194.132:443 | fixed port
READYFORSKY
MITM
Device detailshttps://content.readyforsky.com/
api/device/user
“name": "RK-G200S",
"address": "E7:7F:BC:60:C2:2A",
"name": "Gateway XIAOMI Redmi 4X",
"address": "77d3efcf-f627-
402e-bbed-4ee0c8290417",
Client Address192.168.1.38:50654 | this port changes
Remote
Address
content.readyforsky.com/178.62.194.132:443 |
fixed port
MITM
Device detailshttps://content.readyforsky.com/
api/device/user
“name": "RK-G200S",
"address": "E7:7F:BC:60:C2:2A",
"name": "Gateway XIAOMI Redmi 4X",
"address": "77d3efcf-f627-
402e-bbed-4ee0c8290417",
Client Address192.168.1.38:50654 | this port changes
Remote
Address
content.readyforsky.com/178.62.194.132:443 |
fixed port
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
REDMOND
SUMMARY
Communications & MITM
App, Hub, Device IP, Ports including internal info, Device info (name,
model, network info)
Actions, receipts, to-do
Credentials, password, tokens
User details & Login details
Local
Device list, models, pairing text
Receipts per device (how to cook, basic details & requirements)
Username, email
User devices & Mac
SUMMARY
Communications & MITM
App, Hub, Device IP, Ports including internal info, Device info (name,
model, network info)
Actions, receipts, to-do
Credentials, password, tokens
User details & Login details
Local
Device list, models, pairing text
Receipts per device (how to cook, basic details & requirements)
Username, email
User devices & Mac
LIGHTNING
Lightify
IKEA TRÅDFRI
Philips HUE
Lightify
IKEA TRÅDFRI
Philips HUE
LIGHTIFY
Lightifyis the IoT platform with a simplest integration of wireless lighting.
Need to have an Lightify-account
Online communication uses QUIC-protocol with encryption over UDP
Wireshark does not support QUIC decryption at the moment. The drafts
at tools.ietf.org/wg/quicare also not really detailed on the ciphers.
LightifyGateway communicates over TCP completely unencrypted locally,
but via a binary protocol
https://github.com/noctarius/lightify-binary-
protocol#basics-about-the-protocoland here a plugin to manage the
light https://github.com/tfriedel/python-lightify
Credentials stored in a local folder –shared preferences
Lightifyis the IoT platform with a simplest integration of wireless lighting.
Need to have an Lightify-account
Online communication uses QUIC-protocol with encryption over UDP
Wireshark does not support QUIC decryption at the moment. The drafts
at tools.ietf.org/wg/quicare also not really detailed on the ciphers.
LightifyGateway communicates over TCP completely unencrypted locally,
but via a binary protocol
https://github.com/noctarius/lightify-binary-
protocol#basics-about-the-protocoland here a plugin to manage the
light https://github.com/tfriedel/python-lightify
Credentials stored in a local folder –shared preferences
IKEA TRADFRI
Smart lightning and assistant to control it
No online communications except firmware requests in plaintext
GET
http://fw.ota.homesmart.ikea.net/feed/version_info.json
User-Agent: HertzClient/1.0
Host: fm.ota.homesmart.ikea.net
Connection: close
Response : No response
Local communication is DTLS (SSL over UDP)
Pairing via QR code
(Serial Number = Mac Address, Security Code/ pre-shared key)
QR code can be revealed for further decryption
Locally stored data
Encrypted QR- code and store in keystore–need root to get an access
Keystoredoesn’t work for outdated Android (< 4.3)
AES encryption algfor outdated Android and built APK with encryption key “Bar12345Bar12345” as a resource in “key_file.txt”
The Issue here is a patched APK file with a removed strong encryption
Smart lightning and assistant to control it
No online communications except firmware requests in plaintext
GET
http://fw.ota.homesmart.ikea.net/feed/version_info.json
User-Agent: HertzClient/1.0
Host: fm.ota.homesmart.ikea.net
Connection: close
Response : No response
Local communication is DTLS (SSL over UDP)
Pairing via QR code
(Serial Number = Mac Address, Security Code/ pre-shared key)
QR code can be revealed for further decryption
Locally stored data
Encrypted QR- code and store in keystore–need root to get an access
Keystoredoesn’t work for outdated Android (< 4.3)
AES encryption algfor outdated Android and built APK with encryption key “Bar12345Bar12345” as a resource in “key_file.txt”
The Issue here is a patched APK file with a removed strong encryption
PHILIPS HUE
HUE light, lamps and other with a smart assistant and bridge to works over Philips servers
The list of paired Apps and services with timestamp sent across Hue apps
Online communication
[BridgeServers] works over HTTP with additional layer of AES- encryption. Guess they store secret key somewhere
but no lack to find it
[AppServers] works over HTTPS with SSL Pinning
Local communication works over HTTP
PUT
http://192.168.1.38/api/Ds7KfNjjYtC8uN
mU8azGBiOSj-uacXI0q0JKaTs/groups/1/action
Host http://192.168.1.38
Accept *.*
Content-Type: application-json
Content-Length: 11
Json{“on:true”}
Loading malicious firmware over-the-air http://iotworm.eyalro.net/
In 2016, researchers hacked Hue lights via ZigBee over a distance of more than 200 meters
http://iotworm.eyalro.net/iotworm.pdf
HUE light, lamps and other with a smart assistant and bridge to works over Philips servers
The list of paired Apps and services with timestamp sent across Hue apps
Online communication
[BridgeServers] works over HTTP with additional layer of AES- encryption. Guess they store secret key somewhere
but no lack to find it
[AppServers] works over HTTPS with SSL Pinning
Local communication works over HTTP
PUT
http://192.168.1.38/api/Ds7KfNjjYtC8uN
mU8azGBiOSj-uacXI0q0JKaTs/groups/1/action
Host http://192.168.1.38
Accept *.*
Content-Type: application-json
Content-Length: 11
Json{“on:true”}
Loading malicious firmware over-the-air http://iotworm.eyalro.net/
In 2016, researchers hacked Hue lights via ZigBee over a distance of more than 200 meters
http://iotworm.eyalro.net/iotworm.pdf
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
LIGHTNING
SUMMARY
IoT platforms: Lightify, IFTTT
One account to access all tokens & credentials to manage services, devices
and data
Communication
Online –usually encrypted, MITM sometimes possible
Local –non-protected, custom protocols & encryption –usually analyzed
Firmware –plaintext usually, malicious attacks are possible
Local
Credentials, log, data
SUMMARY
IoT platforms: Lightify, IFTTT
One account to access all tokens & credentials to manage services, devices
and data
Communication
Online –usually encrypted, MITM sometimes possible
Local –non-protected, custom protocols & encryption –usually analyzed
Firmware –plaintext usually, malicious attacks are possible
Local
Credentials, log, data
CONNECTED HOME
SUMMARY
Jailbreaks & roots
Available for popular devices
Sideloadingapps are possible
New in-house manager devices, such as Alexa Dot doesn’t have root tools
Backup & Data
Works for many devices
Works for synchronizing apps, like Alexa
In-house smart manageable things works over app- manager that, in turn
Allow itself to be manageable by any devices BT, Wi-Fi, e.g. cast video or other content
Doesn’t have a good protection and available over Internet
Has a firmware issues with malicious over-air-attacks
Locally stored lot of data in app installed on the mobile device
Moved in an user’s pocket everywhere
SUMMARY
Jailbreaks & roots
Available for popular devices
Sideloadingapps are possible
New in-house manager devices, such as Alexa Dot doesn’t have root tools
Backup & Data
Works for many devices
Works for synchronizing apps, like Alexa
In-house smart manageable things works over app- manager that, in turn
Allow itself to be manageable by any devices BT, Wi-Fi, e.g. cast video or other content
Doesn’t have a good protection and available over Internet
Has a firmware issues with malicious over-air-attacks
Locally stored lot of data in app installed on the mobile device
Moved in an user’s pocket everywhere
IoT: CONCEPT, FACTS, ISSUES
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
1. IoT
2. Wearable
Tech
3. Healthcare
4. Connected
Home
5. Security &
Tips
6. Risk
Management
IoT
HOW TO SECURE
Risk Management
Device Profiling –divide your devices according to a critical info & risk score
Use cases –define where and what for are you going to use devices
Compatibility-use devices that are compatible with existing technologystack, and security equipment and
software
Lost of smartphones –avoid devices to be lost or left unattended
In-home Secured Network
Obscure name –NOT for vendor & model names or revealing user identity e.g. personal
Encryption–use up-to-date devices with the latest & strongest encryption schemes
Guest network –setupit if you’re sure but better to Disable guest network access entirely
Two or more different Wi-Fi networks (logically or physically)–one for typical activities (networking,
messaging, etc.), second for IoT, third for critical banking, shopping
Firewall-a stand-alone software or shipped with the router, allow traffic on those specific ports & no others
Limit of public network usage–avoid pairing device or using device apps over public network due to lack
of encryption of data
Password Management
Defaultcredentials–change it for router’s , IoT devices’ password
Unique passwords -use unique, complex passwords made up of letters, numbers, and symbols
HOW TO SECURE
Risk Management
Device Profiling –divide your devices according to a critical info & risk score
Use cases –define where and what for are you going to use devices
Compatibility-use devices that are compatible with existing technologystack, and security equipment and
software
Lost of smartphones –avoid devices to be lost or left unattended
In-home Secured Network
Obscure name –NOT for vendor & model names or revealing user identity e.g. personal
Encryption–use up-to-date devices with the latest & strongest encryption schemes
Guest network –setupit if you’re sure but better to Disable guest network access entirely
Two or more different Wi-Fi networks (logically or physically)–one for typical activities (networking,
messaging, etc.), second for IoT, third for critical banking, shopping
Firewall-a stand-alone software or shipped with the router, allow traffic on those specific ports & no others
Limit of public network usage–avoid pairing device or using device apps over public network due to lack
of encryption of data
Password Management
Defaultcredentials–change it for router’s , IoT devices’ password
Unique passwords -use unique, complex passwords made up of letters, numbers, and symbols
IoT
HOW TO SECURE
Software Management
Settings–change it to default privacy policies & security settings
Features –disable features you don’t need, such as a remote access
Apps–avoid use apps that don’t encrypt data locally or while it’s transferring
Patches–keep all devices & software up-to-date
VPN–stand alone software or shipped with router to protect connections of IoT device that working over Internet
Multifactor & Hubs –use all security settings that require additional actions before it’s being easily hacked
Data
Data Analysis -analyzing data generated by IoT devices to understand what data might be monetized
Activity Analysis – identifying unusual activity of IoT devices to understand what data might be leaked
Breaking tools
Risky app –avoid apps out of store, junk apps from app store
Broken-don’t break any device in a chain of devices, rely on supported vendor ROMs
Flashed–flash clean & secure ROMs to remove unwanted apps but rely on well-known supported ROMs
Cloud & third party tools
IoT clouds – audit it before using for your personal/business need
Third party services–there are many automation toolsto manage IoT devices. Use secured and audited and be
informed
HOW TO SECURE
Software Management
Settings–change it to default privacy policies & security settings
Features –disable features you don’t need, such as a remote access
Apps–avoid use apps that don’t encrypt data locally or while it’s transferring
Patches–keep all devices & software up-to-date
VPN–stand alone software or shipped with router to protect connections of IoT device that working over Internet
Multifactor & Hubs –use all security settings that require additional actions before it’s being easily hacked
Data
Data Analysis -analyzing data generated by IoT devices to understand what data might be monetized
Activity Analysis – identifying unusual activity of IoT devices to understand what data might be leaked
Breaking tools
Risky app –avoid apps out of store, junk apps from app store
Broken-don’t break any device in a chain of devices, rely on supported vendor ROMs
Flashed–flash clean & secure ROMs to remove unwanted apps but rely on well-known supported ROMs
Cloud & third party tools
IoT clouds – audit it before using for your personal/business need
Third party services–there are many automation toolsto manage IoT devices. Use secured and audited and be
informed
MOBILE, Io T, CLOUDS…
IT’S TIME TO HIRE A RISK MANAGER!
HOW TO CONTACT ME ?
ADD ME IN LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
YURY CHEMERKIN SEND A MAIL TO:
[email protected]
IT’S TIME TO HIRE A RISK MANAGER!
HOW TO CONTACT ME ?
ADD ME IN LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
YURY CHEMERKIN SEND A MAIL TO:
[email protected]
Download
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 45
- Slides 168
- Age 519 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
85 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
78 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
76 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
62 views
21
Know for Certain
DaveSinNM
36 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
41 views