blog

Digging into the Android SystemUI Crash from a JPEG

In late May 2020, we were asked to help triage the root cause of a bug where an image, when parsed by Android SystemUI, caused the Android process to crash. This could cause a boot loop if, for example, the image was set as the phone’s background. We quickly identified the root cause which we found interesting from an ecosystem perspective.

This blog shares parts of our analysis, and covers our trace of the relevant code path and diagnosis of the root cause. We describe how the fixes work, and then dive into why this bug was only seen relatively recently. Finally, we break down the file’s JPEG and ICC structures, and what impacts these may have on the parsers.

Continue reading

Analysis Methods and Tooling for Parsers

This is the first post in a series that describes how we built tools to rapidly identify and characterize “format extensions”: modifications and new feature additions in parsers of complex formats. In this puzzle, we were given a set of binaries and a few input files – in this instance PDFs. Our task was to precisely characterize any new feature(s) present in the binaries and describe how the input files triggered them. Moreover, our goal was to build tools to enable a human to do this faster and/or more completely than they could previously. Our approach was to make the best use of the inputs that triggered modified behaviors, with a combination of fine-grained static binary diffing and execution trace and memory trace analysis.

Continue reading

Analyzing Data Use by the DJI Mimo App

The Chinese drone manufacturer, Da Jiang Innovations, Inc. (DJI), recently donated hundreds of unmanned aircraft and accessories to US law enforcement organizations to help enforce stay-at-home orders during the COVID-19 pandemic. Police in 22 states accepted these drones and began using them. This move has stirred up longstanding concerns and allegations that DJI works with the Chinese Communist Party (CCP) to spy on Americans. Claims of this kind of espionage have caused controversy for several years.

Continue reading

Hardware Hacking 101: Identifying and Dumping eMMC Flash

Introduction Welcome back to our introduction to hardware hacking series! In this post we will be covering embedded MultiMediaCard (eMMC) flash chips and the standard protocol they use. eMMC is a form of managed flash storage typically used in phones, tablets, and many IoT devices because of its low power consumption and high performance. If you haven’t already, make sure to check out our other intro to hardware hacking posts on our blog.

Continue reading

Hardware Hacking 101: Interfacing With SPI

Introduction Welcome back to our series on an introduction to hardware hacking! In this post we will be covering the Serial Peripheral Interface (SPI) protocol, a commonly used serial bus protocol which allows hardware components to communicate with each other. The goal of this post is to serve as a guide for security researchers and hardware hackers to easily interface with target devices. Many embedded devices use SPI to access persistent data stored on flash memory.

Continue reading

Hardware Hacking 101: Getting a root shell via UART

Welcome to an introduction to hardware hacking! This series will discuss the basics of interacting with an embedded device though various hardware interfaces. Our team performs penetration testing on IoT / embedded devices every day, and we’re excited to share some of our knowledge and experiences to help those getting started with hardware security learn the ropes. This is a multi-part series which discusses the fundamental concepts, useful tools, and practical techniques which you can use to approach a basic hardware assessment.

For our first blog post in this series, we will focus on a very common type of debug serial communication protocol that can be used to obtain low-level access to a wide range of devices.

Continue reading

Hashashin: Using Binary Hashing to Port Annotations

In our previous blog, we described some examples of where binary hashing can help solve problems and compared a number of algorithms for both basic block and graph aware hashing. Today we are releasing a tool, Hashashin, which combines some of these algorithms to allow security researchers to port Binary Ninja annotations from one binary to another.

Continue reading

Binary Hashing: Motivations and Algorithms

As security researchers, we often spend a lot of time looking into the internals of libraries in products we are assessing. With this come some common time sinks, such as identifying library versions. While library version identification is relatively straightforward on the surface, other tasks are clearly more challenging – such as applying signatures to stripped binaries, porting defined types across libraries, and similar codebases.

Continue reading

RF4CE Security: An Overview

In this post, we continue our series on RF4CE by discussing the mechanisms the protocol uses for security. We encourage you to read the first post for background on the purpose of this post and discussion of security levels and keying techniques. This post will explain how RF4CE devices pair and how payloads are encrypted and protected. Additionally, we’ll explain some of the problems with RF4CE security, and discuss potential remediations.

Continue reading

The real costs of being reactive – and a way forward

My team talks a lot about “proactive security” – the concept of baking cybersecurity measures into architecture and design as opposed to responding to vulnerabilities and breaches when they occur. However, I lacked a quantitative answer when recently asked: “how do you convince businesses to start being proactive?”

Continue reading