16 Apr, 2020

How to Manipulate Riddle Votes

DISCLAIMER: Don’t do this!

Lots of websites like the BBC use riddle.com to poll their readers’ opinions. It doesn’t seem like Riddle creates a nonce or token for any new vote so it’s simple AF to game it. All you need is Chrome Dev Tools and a Bash terminal.

From today’s research I noticed a BBC page with a poll. The user could cast their opinion on a scale of -3 to 3 of whether they agree or not. So I opened Dev Tools and went to the Network tab. When I clicked on 3 I saw the two POST requests that the page made.

The body of the message we care about contains the riddleId which is the particular poll on the site, and the data which is the riddleId.sentiment.6 (6 is +3, or strongly agree).

I right-clicked the request and copied as cURL (bash):

I went to my Windows Terminal (which is awesome btw) and from my favourite DO droplet, in bash I started writing the for loop:

for i in {1..666}; do { *curl command here* ; } done

I’m not saying I pressed the return key but this WILL cast the vote 666 times, or however often you want.
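The weakness described above is the missing nonce: nothing ties a vote to the page load that produced it, so the same POST body can be replayed. The following is an added example, not Riddle’s code or anything from the BBC page, of what a poll backend looks like when every vote must carry a single-use token. PollBackend, issue_token, cast_vote, the ten-minute lifetime and the sentiment indices 0 to 6 (the post only shows that 6 is +3) are assumptions for the illustration.

```python
import secrets
import time
from collections import defaultdict

# Added example (not Riddle's code): a minimal poll backend that binds each
# vote to a single-use token. Names and limits here are assumptions.

TOKEN_TTL_SECONDS = 600              # assumed lifetime of an issued token
SENTIMENT_MIN, SENTIMENT_MAX = 0, 6  # assumed: 0 = strongly disagree (-3) .. 6 = strongly agree (+3)


class PollBackend:
    def __init__(self):
        self._tokens = {}                                   # token -> (riddle_id, issued_at)
        self.votes = defaultdict(lambda: defaultdict(int))  # riddle_id -> sentiment -> count

    def issue_token(self, riddle_id, now=None):
        """Called when the poll widget is rendered; returns a fresh one-time token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, so it cannot be forged offline
        self._tokens[token] = (riddle_id, now)
        return token

    def cast_vote(self, riddle_id, sentiment, token, now=None):
        """Return (accepted, reason). A valid token is consumed on first presentation,
        so replaying the captured request with the same token is rejected."""
        now = time.time() if now is None else now
        if not (SENTIMENT_MIN <= sentiment <= SENTIMENT_MAX):
            return False, "sentiment out of range"
        entry = self._tokens.pop(token, None)  # single use: gone after this call
        if entry is None:
            return False, "unknown or already-used token"
        bound_riddle, issued_at = entry
        if bound_riddle != riddle_id:
            return False, "token issued for a different poll"
        if now - issued_at > TOKEN_TTL_SECONDS:
            return False, "token expired"
        self.votes[riddle_id][sentiment] += 1
        return True, "accepted"

    def tally(self, riddle_id):
        return dict(self.votes[riddle_id])


def replay_demo(attempts=5):
    """Replay one captured vote `attempts` times; only the first is counted."""
    backend = PollBackend()
    token = backend.issue_token("poll-123", now=1000.0)  # constructed poll id
    results = [backend.cast_vote("poll-123", 6, token, now=1001.0)[0] for _ in range(attempts)]
    return results, backend.tally("poll-123")


if __name__ == "__main__":
    print(replay_demo())
```

The token store is in memory here; a real deployment would keep it in a shared cache so that all frontends see the same consumed tokens, and would pair it with per-client rate limiting, since a token per page load still lets one client request many page loads.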

As usual, stay home and stay safe. James xx

15 Apr, 2020

Digital Medical Device Security Assessments

Lately I’ve been heavily involved in assessments on a couple of different medical devices. I can’t lay down specifics on the types of device or the companies at the moment but you can use your imagination. The devices are of the ‘smart’ genre and the end-user is a patient with health concerns.

These assessments have been really interesting. When we get down to the nitty-gritty, studying the docs with a fine-toothed comb, applying the knowledge we’ve gained from years of mobile app development and hardware curiosity, it’s really satisfying. We’ve done threat modelling exercises and full risk assessments of these devices, discovering issues with things like the proprietary software design approaches and with lack of tamper detection.

One of the most important parts of my work on the initial assessments has been the literature review, especially when FDA regulations are involved. I’ve found the details of exactly what is required to get the products through the FDA approval process.

Of course the initial assessments are succeeded by the BEST part, the penetration test! Pentesting smart medical devices in my experience involves attempts at dumping firmware – usually from Android hardware, sniffing traffic, dumping memory, and lots more exciting stuff. In the future I hope I can do a write-up and a conference talk on something juicy.

If you are developing an IoT device (it doesn’t have to be a medical device), you need a cybersecurity assessment: threat modelling, full risk assessment, regulatory compliance, and pentest. Drop me an e-mail and let’s talk!

Stay safe during this pandemic. James xx

26 Mar, 2020

[Wire Security] Threat Modelling using STRIDE

This is a cross-post from https://www.wire-security.com

I’ve worked on a couple of threat modelling jobs for Wire-Security. We take a STRIDE approach to the methodology. You’ll come across many resources online from other bloggers etc. that will be a much more comprehensive guide for some people but I’m going to keep it simple here, and hopefully satisfying, and write about what works for us.

STRIDE serves well as a guide to writing part of your report; however, we also need to add a graphic.

Flow Diagram

Your flow diagram is going to be the first thing you do after reading the documentation. You will probably come back to it numerous times to refresh it, add more vectors etc. but this visualisation is paramount and will keep your mind focused as you work through your report.

STRIDE

STRIDE stands for:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure (privacy breach or data leak)
  • Denial of service
  • Elevation of privilege

With this you are going to consider various theoretical attacks that you can group under each heading. Below is a breakdown of the guidance we use when approaching a threat modelling exercise with a STRIDE methodology.

Spoofing

In the context of information security, and especially network security, a spoofing attack is a situation in which a person or program successfully identifies as another by falsifying data, to gain an illegitimate advantage.
This category is concerned with authenticity.

Tampering

Tampering refers to malicious modification of data or processes. Tampering may occur on data in transit, on data at rest, or on processes.
This category is concerned with integrity.

Repudiation

Repudiation refers to the ability of denying that an action or an event has occurred.
This category is concerned with non-repudiation.

Information Disclosure

Information Disclosure refers to data leaks or data breaches. This could occur on data in transit, data at rest, or even to a process.
This category is concerned with confidentiality.

Denial of Service

Denial of Service refers to causing a service or a network resource to be unavailable to its intended users.
This category is concerned with availability.

Elevation of Privileges

Elevation of Privileges refers to gaining access that one should not have.
This category is concerned with authorization.

The process used to develop a threat model is dependent on product/service documentation, and on knowledge and insight from developers, product owners, expert users, etc., usually gathered through interviews.

One or more visual representations of the target system(s) are produced to ensure that the team’s understanding of the system is aligned with the purpose of the threat modelling exercise. From there, threats are listed, documented, and weighted for relevance. Additionally, potential mitigation actions, if any, are identified.
A threat modelling exercise is not a risk assessment. The evaluation of probability, which is critical for a risk qualification, is not a formal part of threat modelling. As such, information collected during a threat modelling exercise can augment a risk assessment but should never be considered an expression of risk on its own.
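To make the grouping concrete, here is a small STRIDE threat register that does what the section above describes: each threat is attached to an element of the flow diagram, filed under one STRIDE category with the property it violates, weighted for relevance, and paired with a mitigation if one was identified. It also reports categories with no recorded threats, which is a prompt to go back to the flow diagram. This is an added example, not Wire Security’s tooling; the Threat and ThreatRegister names, the 1 to 5 relevance scale and the sample entries for a hypothetical smart device are constructed, and the relevance weighting is deliberately not a probability or risk score, in line with the post.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example (not Wire Security's tooling). Each STRIDE category maps to the
# security property the post says it is concerned with.
STRIDE = {
    "Spoofing": "authenticity",
    "Tampering": "integrity",
    "Repudiation": "non-repudiation",
    "Information disclosure": "confidentiality",
    "Denial of service": "availability",
    "Elevation of privilege": "authorization",
}


@dataclass
class Threat:
    element: str          # flow-diagram element: process, data store, data flow or external entity
    category: str         # one of the STRIDE keys
    description: str
    relevance: int        # assumed 1 (low) .. 5 (high); a relevance weighting, not a probability
    mitigation: str = ""  # potential mitigation action, if any was identified

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.category!r}")
        if not 1 <= self.relevance <= 5:
            raise ValueError("relevance must be between 1 and 5")

    @property
    def property_at_risk(self):
        return STRIDE[self.category]


class ThreatRegister:
    def __init__(self):
        self.threats = []

    def add(self, *threats):
        self.threats.extend(threats)
        return self

    def by_category(self):
        """Threats grouped under their STRIDE heading, most relevant first."""
        grouped = defaultdict(list)
        for t in self.threats:
            grouped[t.category].append(t)
        return {c: sorted(ts, key=lambda t: -t.relevance) for c, ts in grouped.items()}

    def coverage_gaps(self):
        """STRIDE categories with no threat recorded: revisit the flow diagram for these."""
        seen = {t.category for t in self.threats}
        return [c for c in STRIDE if c not in seen]

    def unmitigated(self):
        """Threats with no mitigation identified, most relevant first."""
        return sorted((t for t in self.threats if not t.mitigation), key=lambda t: -t.relevance)

    def report(self):
        lines = []
        for category, threats in self.by_category().items():
            lines.append(f"{category} ({STRIDE[category]})")
            for t in threats:
                status = f"mitigation: {t.mitigation}" if t.mitigation else "NO MITIGATION IDENTIFIED"
                lines.append(f"  [{t.relevance}] {t.element}: {t.description} ({status})")
        for gap in self.coverage_gaps():
            lines.append(f"{gap} ({STRIDE[gap]}): no threats recorded, revisit the flow diagram")
        return "\n".join(lines)


def sample_register():
    """Constructed entries for a hypothetical smart device talking to a cloud API."""
    return ThreatRegister().add(
        Threat("Device -> Cloud API (data flow)", "Spoofing",
               "Rogue endpoint impersonates the cloud API", 4, "Certificate pinning on the device"),
        Threat("Device -> Cloud API (data flow)", "Tampering",
               "Telemetry modified in transit", 3, "TLS with integrity protection"),
        Threat("Device firmware (process)", "Tampering",
               "Firmware image replaced on the device, no tamper detection", 5),
        Threat("Cloud API (process)", "Information disclosure",
               "Verbose error responses leak other users' identifiers", 4, "Generic errors, structured logging"),
        Threat("Cloud API (process)", "Denial of service",
               "Unauthenticated endpoint can be flooded", 2, "Rate limiting"),
        Threat("Mobile app (process)", "Elevation of privilege",
               "Debug menu reachable in the release build", 3),
    )


if __name__ == "__main__":
    print(sample_register().report())
</test>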

Conclusion

Thank you so much for reading. As of right now most of us are in lockdown due to the 2019-nCoV Coronavirus so if you have some knowledge to share with the community then please do! There’s loads of videos, streams, talks, blogs, etc. coming from everyone in #InfoSec and it’s lovely to see.

Stay safe, James xx

9 Mar, 2020

[Wire Security] How to Pentest Mobile Apps in 2020 – A Sensible Approach

This is a cross-post from https://www.wire-security.com

Introduction

I’m James and I’m a consultant here at Wire Security. I’ve been an app developer since 2012 and I’m just getting started in my career in security. I’ve always felt like a hacker and these days I’m over the moon to actually be one! I’m going to be writing more articles here regularly so please remember to check back and keep an eye on our company Twitter feed: @Wire_Sec

Old News

Over the years other people in the industry have developed guides and tools to forensically analyse mobile apps which made pentesting easier. Unfortunately many of those tools were dependent on specific Android/iOS releases or other factors which make them no longer usable.

On a recent engagement with Wire Security I took the lead on an Android and iOS app report where the items in scope were:

1) The app sandbox on rooted/jailbroken devices and on non-compromised devices too,

2) External network communication, and

3) Device memory

We were interested in sensitive user data, any credentials being leaked, etc. The client gave us the source code. After stumbling through many outdated mobile pentesting guides and lists of tools, I took a step back to consider my requirements carefully. The approach I used in the end was very simple.

Simple New Approach

With most guides and toolsets published on GitHub being out of date, or not working on the latest iOS and Android versions, I had to manually do most of the work where my goal was to analyse memory, the app sandbox, and key storage. These targets are going to be very similar in most mobile app penetration tests in 2020 and beyond so if I can help you lay down a simple, standard attack process then you can take that forward and own it, and play with it as you like. Alongside my no-frills methodology I had two important devices, which were a jailbroken iPad Mini 4 and a rooted Huawei P20 Pro. You don’t need physical devices when services like Corellium exist (for now), but they are nice. Note: the Android Emulator (AVD) has support for root.

MEMORY ANALYSIS

On Android you can use adb shell am dumpheap <pid>. This command gives a dump of the memory heap of the chosen app or process. Use ps -aux <package name> to find the PID. Very handy with breakpoints in the source code. If you pass the output to a file then you can open it with vim or your favourite text editor to search for interesting nuggets like apiKeys. In vim you can use :%!xxd to view the hex output. You can also use strings to filter interesting human-readable text from the file. Android Studio has awesome built-in functionality for memory profiling. DZone did a write-up on the usage of Android Studio.

On iOS, Xcode also has a fantastic collection of memory tools including heap analysis. ZenDesk Engineering wrote a great piece on this.
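Running strings over a heap dump and grepping for apiKey gets you most of the way, but it misses one thing a heap from a Java or Swift app often contains: strings stored as UTF-16, which plain strings does not report unless told to. The scanner below, an added example that is not from the post or from any of the tools it names, pulls printable runs in both ASCII and UTF-16LE out of a dump with their byte offsets and flags the ones that look like credentials. The SAMPLE_DUMP bytes and the SECRET_HINTS pattern are constructed for the example; on a real engagement you would point extract_strings at the file written by am dumpheap or exported from Xcode.

```python
import re

# Added example: a strings-style scanner for heap dumps that also catches
# UTF-16LE text. Sample data and the hint pattern below are constructed.

MIN_LEN = 6  # shortest run worth reporting, like the default for `strings`
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicators that a string may be a credential (constructed list, extend per app).
SECRET_HINTS = re.compile(r"(api[_-]?key|secret|password|passwd|token|bearer\s)", re.IGNORECASE)


def extract_strings(dump):
    """Yield (offset, encoding, text) for every printable run in the dump bytes."""
    for m in ASCII_RUN.finditer(dump):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16LE_RUN.finditer(dump):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_candidate_secrets(dump):
    """Return the runs that match a credential hint, ordered by offset."""
    return sorted((off, enc, text) for off, enc, text in extract_strings(dump)
                  if SECRET_HINTS.search(text))


def scan_file(path):
    with open(path, "rb") as f:
        return find_candidate_secrets(f.read())


# Constructed stand-in for a heap dump: an HPROF-style header, some binary
# noise, an ASCII key, a UTF-16LE bearer token and an ordinary method name.
SAMPLE_DUMP = (
    b"JAVA PROFILE 1.0.3\x00"
    + bytes(8)
    + b"\x01\x02\x03"
    + b"user=alice\x00\x00"
    + b"apiKey=EXAMPLE-KEY-0000\x00\x00"
    + "Bearer eyJhbGciOi.EXAMPLE".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x7f\x80" + b"onCreate()" + bytes(6)
)


if __name__ == "__main__":
    for offset, encoding, text in find_candidate_secrets(SAMPLE_DUMP):
        print(f"0x{offset:08x} {encoding:8} {text}")
```

One caveat worth knowing when you read the offsets: a printable ASCII byte that happens to sit just before a null can be swallowed into the start of a UTF-16LE run, so treat the reported start of a UTF-16 string as approximate and confirm it in xxd.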

APP SANDBOX

On rooted Android you can use a file manager like File Explorer Root Browser to browse the app sandbox storage.

With a jailbroken iOS device you can install Terminal from Cydia or SSH into your device and explore the app sandbox storage.

KEY STORAGE

With Elcomsoft tools, on Android you can browse Google Drive backups (which can contain app data), and on iOS you can browse the Keychain backed up by iTunes.

Outro

Thanks for taking the time to read! If you have any comments you can reach me on Twitter: @Jabo_SCO