YURY_CHEMERKIN_DefCon_2013_Conference.pdf

Yury Chemerkin, 42 slides, Jul 18, 2024

About This Presentation

Presented by Alexander Antukh and Yury Chemerkin at DefCon 2013, this document provides an in-depth analysis of the BlackBerry Z10. It covers the BlackBerry OS architecture, shell access methods, firmware analysis, browser security, application-level security, and MDM capabilities. The presentation ...


Slide Content

Dissecting Blackberry Z10:
2-in-1
By Alexander Antukh &
Yury Chemerkin
Jun 30, 2013

/whoami
Alexander Antukh
Security Consultant
Offensive Security Certified Expert
Interests: kittens and stuff

/whoami
Yury Chemerkin
Experienced in:
Mobile Security and MDM
Cyber Security & Cloud Security
Compliance & Transparency
and Security Writing

Dissecting Blackberry Z10
Agenda
Blackberry OS review
Shell Access
The Approaches
Firmware from the inside
Playing with the browser
Security on the application level
Funny with APIs
MDM capabilities
Efficiency of security features
Future research
4

Dissecting Blackberry Z10
Blackberry OS review
Built on QNX!
5
Tiny
Micro-kernel architecture
Virtual memory allocation for each process
POSIX-compliant
QNX = MK + PM + processes (microkernel + process manager + processes)

Dissecting Blackberry Z10
Blackberry OS review
This is how the system looks:
6

Dissecting Blackberry Z10
Blackberry OS review
This is how the microkernel looks:
7

Dissecting Blackberry Z10
Shell Access
Extremely easy!
9
development mode on
generate a 4096-bit RSA key (ssh-keygen / PuTTY)
blackberry-connect <t> -password <p> -sshPublicKey <k>
ssh 169.254.0.1: nuts
Even easier:
Dingleberry: nuts
/accounts/devuser/

Dissecting Blackberry Z10
The Approaches
1. General permissions
11
SUID/SGID
-rwxrwsrwx 1 root root
Writable files and folders
"find all SUID files" => find / -type f -perm -04000 -ls
"find all SGID files" => find / -type f -perm -02000 -ls
"find config* files" => find / -type f -name "config*"
"find all writable folders and files" => find / -perm -2 -ls
"find all writable folders and files in current dir" => find . -perm -2 -ls
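The same permission audit as a reusable script, added here as an example (it is not code from the slides): the four find(1) predicates above (SUID files, SGID files, config* files, world-writable entries) are implemented with os.walk and stat so they can be run over an extracted firmware tree on any host. The fixture tree is constructed by the script itself so it runs offline; every path and file in it is invented for the example.

```python
"""Privilege audit matching the find(1) one-liners: SUID, SGID, config* and
world-writable entries below a root directory. The fixture is constructed
sample data, not content from a real device image."""
import os
import stat
import tempfile


def build_fixture():
    """Create a throw-away tree with one SUID file, one SGID file, one config
    file and one world-writable file (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="z10_audit_")
    for sub in ("bin", "etc", "tmp"):
        os.mkdir(os.path.join(root, sub), 0o755)
    files = {
        "bin/suid_tool": (b"#!/bin/sh\n", 0o4755),   # setuid bit
        "bin/sgid_tool": (b"#!/bin/sh\n", 0o2755),   # setgid bit
        "etc/config.ini": (b"key=value\n", 0o644),
        "tmp/scratch": (b"scratch\n", 0o666),        # writable by 'other'
    }
    for rel, (data, mode) in files.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return root


def walk_entries(root):
    """Yield (path, lstat) for every file and directory below root.
    lstat is used so symlinks are reported as links, never followed."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            yield path, os.lstat(path)


def find_suid(root):
    """find / -type f -perm -04000"""
    return sorted(p for p, st in walk_entries(root)
                  if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID)


def find_sgid(root):
    """find / -type f -perm -02000"""
    return sorted(p for p, st in walk_entries(root)
                  if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISGID)


def find_configs(root):
    """find / -type f -name "config*" """
    return sorted(p for p, st in walk_entries(root)
                  if stat.S_ISREG(st.st_mode)
                  and os.path.basename(p).startswith("config"))


def find_world_writable(root):
    """find / -perm -2 : any file or directory writable by 'other'."""
    return sorted(p for p, st in walk_entries(root)
                  if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH)


def audit(root):
    """Run all four checks; return root-relative paths per finding category."""
    def rel(paths):
        return [os.path.relpath(p, root) for p in paths]
    return {
        "suid": rel(find_suid(root)),
        "sgid": rel(find_sgid(root)),
        "config": rel(find_configs(root)),
        "world_writable": rel(find_world_writable(root)),
    }


if __name__ == "__main__":
    root = build_fixture()
    for category, paths in audit(root).items():
        print(f"{category}: {paths}")
```

Point `audit()` at a mounted or extracted image root instead of the fixture to get the same four lists; a world-writable directory shows up in `world_writable` just as the `-perm -2` predicate would report it.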

Dissecting Blackberry Z10
The Approaches
2. Fuzzers
12
IOCTL fuzzing
• no params
• overlong strings
• pre-determined DWORDs
Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11 ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000
Binary bit-/byte-flipping (EDB-ID #7823)

Dissecting Blackberry Z10
The Approaches
3.1. System utilities. BOFs
13
Many missing: setuidgid, id, dumpifs…
Many interesting:
• confstr: current configuration including path, architecture and network info
• dmc: digital media controller
• fsmon: file system monitor
• jsc: JavaScript engine for the WebKit used on the device
• ldo-msm: LDO driver
• mkdosfs: format a DOS filesystem (FAT-12/16/32)
• mkqnx6fs: format a QNX6 filesystem (QNX6, however, is present in Blackberry OS)
• and also tools such as mount, on, nfcservice, nvs_write_bin and displayctl.

Dissecting Blackberry Z10
The Approaches
3.1. System utilities. BOFs
14
Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHAL-r086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11 ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c. ref=00000028
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff
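The crash lines on this and the previous slide share one QNX format, and triaging a fuzzing run means grouping them by faulting module and fault address. The parser below is an added example, not code from the slides; the sample input is the five crash lines printed on the slides (rejoined where the PDF wrapped them), and the classification rule by `ref` value is this example's own assumption.

```python
"""Parse QNX 'Process ... terminated SIGSEGV' lines and triage them by
faulting module and referenced address. Sample lines are the ones shown on
the slides; the classification thresholds are assumptions of this example."""
import re
from collections import Counter

# Crash lines as shown on the slides, rejoined where the PDF wrapped them.
SAMPLE_LOG = """\
Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11 ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000
Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHAL-r086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11 ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c. ref=00000028
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff
"""

# mapaddr is optional: statically linked executables (nowplaying) omit it.
CRASH_RE = re.compile(
    r"Process (?P<pid>\d+) \((?P<name>[^)]+)\) terminated (?P<signal>SIG[A-Z]+) "
    r"code=(?P<code>\d+) fltno=(?P<fltno>\d+) "
    r"ip=(?P<ip>[0-9a-f]+)\((?P<module>[^@]+)@(?P<symbol>\w+)\+0x(?P<offset>[0-9a-f]+)\)"
    r"(?:\s+mapaddr=(?P<mapaddr>[0-9a-f]+)\.)?\s+ref=(?P<ref>[0-9a-f]+)"
)


def parse_crash_line(line):
    """Return a dict of fields for one crash line, or None if it does not match."""
    m = CRASH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "code", "fltno"):
        rec[key] = int(rec[key])
    for key in ("ip", "offset", "ref"):
        rec[key] = int(rec[key], 16)
    rec["mapaddr"] = int(rec["mapaddr"], 16) if rec["mapaddr"] else None
    return rec


def parse_crash_log(text):
    """Parse every matching line of a log; non-crash lines are skipped."""
    return [r for r in (parse_crash_line(l) for l in text.splitlines()) if r]


def classify_fault(rec):
    """Coarse triage by the referenced address (assumption of this example):
    ref == 0 is a NULL-pointer dereference, a small ref is a field read through
    a NULL struct pointer, 0xffffffff is a wild (-1) pointer."""
    ref = rec["ref"]
    if ref == 0:
        return "null-deref"
    if ref < 0x1000:
        return "null-struct-field"
    if ref == 0xFFFFFFFF:
        return "wild-pointer"
    return "other"


def faults_by_module(records):
    """Count crashes per faulting module (shared object or executable)."""
    return Counter(r["module"] for r in records)


if __name__ == "__main__":
    recs = parse_crash_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['name']:15} {r['module']}@{r['symbol']}+0x{r['offset']:x} -> {classify_fault(r)}")
    print(faults_by_module(recs))
```

Grouping by module shows that two of the five crashes fault inside ldqnx.so.2 (the C library) rather than in the utility's own code, which is the first thing to separate before deciding which crashes deserve a closer look.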

Dissecting Blackberry Z10
The Approaches
3.2. System utilities. Vulnerable syscalls. displayctl.
15

Dissecting Blackberry Z10
The Approaches
3.2. System utilities. Vulnerable syscalls. nvs_write_bin.
16
Nonvolatile (sometimes written as "non-volatile") storage (NVS), also known as nonvolatile memory or nonvolatile random access memory (NVRAM), is a form of static random access memory whose contents are saved when a computer is turned off or loses its external power source. NVS is implemented by providing static RAM with backup battery power or by saving its contents and restoring them from an electrically erasable programmable ROM (EEPROM).

Dissecting Blackberry Z10
Firmware from the inside
Firmware update? Yes, please!
MFCQ QNX image
18

Dissecting Blackberry Z10
Firmware from the inside
Tools to deal with:
19
qfcm_parser.py: partitions!
chkqnx6fs: info about the images
dumpifs: IFS dump
https://github.com/intrepidusgroup/pbtools

Dissecting Blackberry Z10
Firmware from the inside
Pearls inside:
20
ALL the scripts and configs can be read now!
.script (starting up)
ifs_variables.sh (sysvars)
os_device_image_check
Microkernel itself

Dissecting Blackberry Z10
Firmware from the inside
21
Pearls inside:
Protected tools can be launched now!
BootromVersion: 0x0523001D (5.35.0.29)
DeviceString: RIM BlackBerry Device
BuildUserName: ec_agent
BuildDate: Nov 3 2012

IsInsecureDevice: false
HWVersionOffset: 0x000000D4
NumberHWVEntries: 0x00000014
MemCfgTableOffset: 0x000000FC
MemCfgTableSize: 0x00000100
Drivers: 0x00000010 [ MMC ]
LDRBlockAddr: 0x2E02FE00
BootromSize: 0x00080000
BRPersistAddr: 0x2E0AFC00
persist-tool: insecure syscalls can be reproduced (read/dump data)
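The key/value dump above is easy to read by hand once, but across many images it pays to parse it and cross-check it. The script below is an added example, not a tool from the slides or from the pbtools project: it parses the dump into typed fields, decodes the packed BootromVersion word (one component per byte, which is inferred from the slide's own pairing of 0x0523001D with 5.35.0.29), and flags the IsInsecureDevice indicator. The sample text is the dump printed on the slide.

```python
"""Parse the bootrom info dump and decode its packed version word.
Sample text is the dump shown on the slide; the per-byte version layout is
inferred from that slide and the meaning of IsInsecureDevice is assumed."""
import re

SAMPLE_DUMP = """\
BootromVersion: 0x0523001D (5.35.0.29)
DeviceString: RIM BlackBerry Device
BuildUserName: ec_agent
BuildDate: Nov 3 2012

IsInsecureDevice: false
HWVersionOffset: 0x000000D4
NumberHWVEntries: 0x00000014
MemCfgTableOffset: 0x000000FC
MemCfgTableSize: 0x00000100
Drivers: 0x00000010 [ MMC ]
LDRBlockAddr: 0x2E02FE00
BootromSize: 0x00080000
BRPersistAddr: 0x2E0AFC00
"""

HEX_RE = re.compile(r"^0x([0-9A-Fa-f]+)\b")


def parse_dump(text):
    """Return {field: value}. Hex words become ints (any trailing annotation such
    as '(5.35.0.29)' or '[ MMC ]' is kept under '<field>_note'), true/false become
    bools, everything else stays a string."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, raw = line.partition(":")
        key, raw = key.strip(), raw.strip()
        m = HEX_RE.match(raw)
        if m:
            fields[key] = int(m.group(1), 16)
            note = raw[m.end():].strip()
            if note:
                fields[key + "_note"] = note
        elif raw in ("true", "false"):
            fields[key] = raw == "true"
        else:
            fields[key] = raw
    return fields


def decode_version(word):
    """0x0523001D -> '5.35.0.29': one version component per byte, high byte first
    (layout inferred from the slide's own pairing of word and printed version)."""
    return ".".join(str((word >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def check_dump(fields):
    """Return a list of findings; an empty list means the dump is consistent.
    Checks that the decoded version word matches the printed one and that the
    IsInsecureDevice flag (assumed to mark an engineering/unlocked device) is off."""
    findings = []
    printed = fields.get("BootromVersion_note", "").strip("()")
    if decode_version(fields["BootromVersion"]) != printed:
        findings.append("version word does not match printed version")
    if fields.get("IsInsecureDevice"):
        findings.append("IsInsecureDevice is set")
    return findings


if __name__ == "__main__":
    f = parse_dump(SAMPLE_DUMP)
    print("bootrom version:", decode_version(f["BootromVersion"]))
    print("findings:", check_dump(f) or "none")
```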

Dissecting Blackberry Z10
Firmware from the inside
22
Pearls inside:
Funny comments (code reviewers will like it)
function setScreenScaling(width, height) { ...
// ZOOM TO POINT IS FULL OF BUGS - Docs state that coordinates should only ever be in center of screen
// TODO: Once the QML bug about not being to access the page values that are provided as a parameter to this slot is fixed ...
// The zipfile.ZipFile.write() method has a bug where it raises struct.error: ushort format requires 0 <= number <= USHRT_MAX
// Too many bytes for PNG signature. Potential overflow in png_zalloc()
… and more

Dissecting Blackberry Z10
Firmware from the inside
23
Pearls inside:
Facebook: too much ;)
IDs
Emails
Mobile phones
Secrets
Passwords
Plaintext!

Dissecting Blackberry Z10
Playing with the browser
WebKit rendering engine
Vulnerabilities are just the same (e.g. as for Google Chrome)
25

Dissecting Blackberry Z10
Playing with the browser
Local file access from the browser
26
HTML page as an email attachment
file:// (nuts)
This vulnerability has now been removed

Dissecting Blackberry Z10
Security on the Application Level
BlackBerry Z10: Vulnerability in BlackBerry Protect
Limited:
by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and physical access to the device
Affected Software
BlackBerry 10 OS version 10.0.10.261 and earlier, except version 10.0.9.2743
BlackBerry Z10 smartphone only
28
This vulnerability has now been removed

Dissecting Blackberry Z10
Security on the Application Level
Special artifacts: ".all" files as a kind of logs
PATH: /pps/system/<name>/.all
Browsers: history
Networking: ID, flags, MACs
Device IDs: hardware, PIN, name, serials, etc.
Video chats: params, call details
BlackBerry Bridge
Sapphire Proxy
Status, name, address, auth token, key
Autostart param
Routes: BB, BIS, BER: 127.0.0.2:188/189/187
Results: access to the internal network, internal storage, media files, the rest (contacts, calendar, etc.) in case of a non-QNX device
29
Currently there are no details on whether it is solved
Author's opinion: can't be solved or cracked in similar ways
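The .all artifacts are PPS objects, and the defensive question they raise is which attributes in them (auth token, key) must never end up in exported logs or bug reports. The reader below is an added example, not code from the slides or from BlackBerry: it parses the PPS "attribute:encoding:value" object format (the format is assumed from QNX PPS conventions: an "@object" line opens an object, a leading "-" deletes an attribute, encodings "n", "b" and "json" mark numbers, booleans and JSON) and then produces a redacted copy that hides the sensitive attributes. The two objects, their names and all their values are constructed for the example.

```python
"""Parse PPS object text (as read from a .all file) and redact sensitive
attributes before the content is logged or shared. The object names, values
and the exact PPS format details are assumptions of this example."""
import json

# Constructed sample: two PPS objects as a .all read might deliver them.
SAMPLE_PPS = """\
@bridge_status
status::connected
name::Demo Bridge
address::169.254.0.1
authtoken::EXAMPLE-TOKEN-NOT-REAL
key::EXAMPLE-KEY-NOT-REAL
autostart:b:true
port:n:188
@proxy_status
routes:json:{"BB":"127.0.0.2:188","BIS":"127.0.0.2:189","BER":"127.0.0.2:187"}
"""

# Attribute names treated as secrets (lower-cased); extend per deployment.
SENSITIVE = {"authtoken", "key", "password", "secret"}


def decode_value(encoding, value):
    """Apply the PPS encoding tag: 'n' number, 'b' boolean, 'json' JSON,
    empty tag a plain string."""
    if encoding == "n":
        return int(value) if value.lstrip("-").isdigit() else float(value)
    if encoding == "b":
        return value == "true"
    if encoding == "json":
        return json.loads(value)
    return value


def parse_pps(text):
    """Return {object_name: {attribute: value}} for every object in the text."""
    objects, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("@"):
            current = line[1:]
            objects.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("attribute line before any @object line")
        if line.startswith("-"):            # '-attr' removes an attribute
            objects[current].pop(line[1:].split(":", 1)[0], None)
            continue
        # split on the first two colons only: JSON/URL values contain colons
        name, encoding, value = line.split(":", 2)
        objects[current][name] = decode_value(encoding, value)
    return objects


def redact(objects):
    """Return (copy with sensitive values replaced, list of 'object.attr' hidden)."""
    hidden, out = [], {}
    for obj, attrs in objects.items():
        out[obj] = {}
        for name, value in attrs.items():
            if name.lower() in SENSITIVE:
                out[obj][name] = "<redacted>"
                hidden.append(f"{obj}.{name}")
            else:
                out[obj][name] = value
    return out, hidden


if __name__ == "__main__":
    safe, hidden = redact(parse_pps(SAMPLE_PPS))
    print(json.dumps(safe, indent=2))
    print("hidden:", hidden)
```

Run the redaction before any .all content is attached to a ticket or shipped to a log collector; the `hidden` list doubles as an inventory of which objects under /pps/system carry credentials at all.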

Dissecting Blackberry Z10
Funny with APIs
Useful ideas that don't make enough sense
Merging permissions into one group
No way to emulate hardware inputs, but results of pressing are strongly restricted if there are
Sandbox
Malware is a personal application subtype in terms of BlackBerry's security
Sandbox protects only app data, while user data is stored in shared folders
31

Dissecting Blackberry Z10
Funny with APIs
Non-controlled activity by any permission
Accessing data passed through the clipboard
Access to 'Accounts' leads to 'read' access to contacts, messages, notebooks, calendar by default
Media Player is a great way to access the FS
Access to the file system in many ways and, in most cases, managing the device's resources:
Camera activity
Contact photos
Calendar event attachments
Message attachments (Email, BBM)
Saving records (camera photos, video, audio)
32

Dissecting Blackberry Z10
Agenda
34
                          BlackBerry Old    iOS    BlackBerry QNX    Android
Quantity of groups                55         16            7             4
Average perm per group            20          5            7             4
Efficiency                     80.00      38.46        31.82         10.26
Total permissions               1100         80           49            16

[Chart "BlackBerry MDM": bar chart of the four rows above per platform (quantity of groups, average perm per group, efficiency, total permissions); left axis 0 to 1200 for totals, right axis 0 to 100 for the other series; data labels as in the table]

Dissecting Blackberry Z10
Efficiency of security features
Activity
Common: min/average/max quantity 2/8/34
Additional: min/average/max quantity 0/2/7
Derived: min/average/max quantity 3/31/116
Permission
Common: min/average/max quantity 0/1/3
Additional: min/average/max quantity 1/0/1
Derived: min/average/max quantity 4/4/8
APIs
Common/significant quantity: 100/61
The most secured unit is the LED activity
36

Dissecting Blackberry Z10
Efficiency of security features
37
[Chart "Ratio of common activities to permissions": series "Q. of m.+a. activity" and "Q. of m.+a. permission" per activity category; y-axis 0 to 35; the per-bar data labels cannot be matched to categories from the text]

Dissecting Blackberry Z10
Efficiency of security features
38
[Chart "Ratio of derived activities to permissions": series "Q. of derived activities" and "Q. of derived perm" per activity category; y-axis 0 to 120; the per-bar data labels cannot be matched to categories from the text]

Dissecting Blackberry Z10
Efficiency of security features
39
[Chart: series "% m+a activity vs perm" and "% m+a derived activity vs perm" per activity category; y-axis 0.00 to 250.00; the per-bar percentage labels cannot be matched to categories from the text]

Dissecting Blackberry Z10
Future research
41
Image parser fuzzing
Jailbreak
IOCTL / syscalls: further research
Play more with SSH
Blackberry Balance is not available yet
Permission collision
Overpermissioning by system applications and services
Bypassing MDM features by both of the previous

Dissecting Blackberry Z10
Full articles
… are available here (no SMS to send is required! Free for a very limited time!)
42
http://goo.gl/dP9iR Blackberry Z10 research
http://goo.gl/PpXxg Blackberry and more