Lately I’ve been heavily involved in assessments on a couple of different medical devices. I can’t lay down specifics on the types of device or the companies at the moment, but you can use your imagination. The devices are of the ‘smart’ genre and the end-user is a patient with health concerns.
These assessments have been really interesting. When we get down to the nitty-gritty, studying the docs with a fine-toothed comb, applying the knowledge we’ve gained from years of mobile app development and hardware curiosity, it’s really satisfying. We’ve done threat modelling exercises and full risk assessments of these devices, discovering issues with things like the proprietary software design approaches and with lack of tamper detection.
One of the most important parts of my work on the initial assessments has been the literature review, especially when FDA regulations are involved. I’ve found the details of exactly what is required to get the products through the FDA approval process.
Of course the initial assessments are succeeded by the BEST part, the penetration test! Pentesting smart medical devices in my experience involves attempts at dumping firmware (usually from Android hardware), sniffing traffic, dumping memory, and lots more exciting stuff. In the future I hope I can do a write-up and a conference talk on something juicy.
If you are developing an IoT device (it doesn’t have to be a medical device), you need a cybersecurity assessment: threat modelling, a full risk assessment, regulatory compliance, and a pentest. Drop me an e-mail and let’s talk!
And how to make normality better than it was before the lockdown.
Like me you’ve probably been stuck at home for at least a week. These can be trying times, but they can also be a lot of fun. We as a community have been trying to entertain ourselves and our friends more than ever by gaming more, chatting on IRC and Discord more, basically being on Twitter 24 hours a day, and churning out content. This is all awesome and will help us feel less lonely, and kinda productive. Some of you guys reading this might be feeling stuck or bored if you’re used to going to the office every day and seeing your colleagues in real life, so here are some things that you could do to occupy yourself:
Pick a topic you’ve never had the time to study, get on YouTube and find somebody talking about it. Great examples include hardware hacking videos by @cybergibbons and bug bounties (mostly web and mobile AppSec) by @nahamsec.
Learn a language like Chinese. YoYoChinese has some of the best content and learning some rudimentary Chinese and knowing how to type with PinYin will open up new avenues in your career in the future IMO.
Blog about your life, things you’ve done at work, wee things you know how to do that most people might not. Use WordPress and set up a site like mine.
If you’re working from home (WFH) and your employer or client doesn’t mind too much, stream what you’re doing on your screen via Twitch. You might only get a couple viewers but show them what you’re doing, talk through it, and you might get a bit of satisfaction knowing you’ve taught somebody something.
Read that book (or use Audible) that you’ve always wanted to. I’ve been learning about the Gulag Archipelago by Aleksandr Solzhenitsyn by watching Jordan Peterson talking about it, I’m hopefully gonna get around to reading it too.
Take up photography. I recently bought a used Canon EOS 500D and a new 50mm lens. It makes for some beautiful photos, much better than anything I can do with my iPhone.
Any of the above will help you stave off boredom and, especially the learning points, will help you improve yourself a little bit during the lockdown.
If you’re ever bored reach out to me on FreeNode, my nick is Jabo, or on my Twitter @Jabo_SCO. I’m always up for a chat.
I’ve worked on a couple of threat modelling jobs for Wire-Security. We take a STRIDE approach to the methodology. You’ll come across many resources online from other bloggers etc. that will be a much more comprehensive guide for some people, but I’m going to keep it simple here, and hopefully satisfying, and write about what works for us.
STRIDE works great as a guide for writing part of your report; however, we also need to add a graphic.
Your flow diagram is going to be the first thing you do after reading the documentation. You will probably come back to it numerous times to refresh it, add more vectors etc. but this visualisation is paramount and will keep your mind focused as you work through your report.
STRIDE stands for:
Spoofing
Tampering
Repudiation
Information disclosure (privacy breach or data leak)
Denial of service
Elevation of privilege
With this you are going to consider various theoretical attacks that you can group under each heading. Below is a breakdown of the guidance we use when approaching a threat modelling exercise with a STRIDE methodology.
Spoofing
In the context of information security, and especially network security, a spoofing attack is a situation in which a person or program successfully identifies as another by falsifying data, to gain an illegitimate advantage. This category is concerned with authenticity.
Tampering
Tampering refers to malicious modification of data or processes. Tampering may occur on data in transit, on data at rest, or on processes. This category is concerned with integrity.
Repudiation
Repudiation refers to the ability of denying that an action or an event has occurred. This category is concerned with non-repudiation.
Information Disclosure
Information Disclosure refers to data leaks or data breaches. This could occur on data in transit, data at rest, or even to a process. This category is concerned with confidentiality.
Denial of Service
Denial of Service refers to causing a service or a network resource to be unavailable to its intended users. This category is concerned with availability.
Elevation of Privileges
Elevation of Privileges refers to gaining access that one should not have. This category is concerned with authorization.
The process used to develop a threat model is dependent on product/service documentation, and on knowledge and insight from developers, product owners, expert users, etc., usually gathered through interviews.
One or more visual representations of the target system(s) are produced to ensure that the team’s understanding of the system is aligned with the purpose of the threat modelling exercise. From there, threats are listed, documented, and weighted for relevance. Additionally, potential mitigation actions, if any, are identified. A threat modelling exercise is not a risk assessment. The evaluation of probability, which is critical for a risk qualification, is not a formal part of threat modelling. As such, information collected during a threat modelling exercise can augment a risk assessment but should never be considered an expression of risk on its own.
Thank you so much for reading. As of right now most of us are in lockdown due to the 2019-nCoV Coronavirus so if you have some knowledge to share with the community then please do! There’s loads of videos, streams, talks, blogs, etc. coming from everyone in #InfoSec and it’s lovely to see.
I’m James and I’m a consultant here at Wire Security. I’ve been an app developer since 2012 and I’m just getting started in my career in security. I’ve always felt like a hacker and these days I’m over the moon to actually be one! I’m going to be writing more articles here regularly so please remember to check back and keep an eye on our company Twitter feed: @Wire_Sec
Over the years other people in the industry have developed guides and tools to forensically analyse mobile apps, which made pentesting easier. Unfortunately many of those tools were dependent on specific Android/iOS releases or other factors which make them no longer usable.
On a recent engagement with Wire Security I took the lead on an Android and iOS app report where the items in scope were:
1) The app sandbox on rooted/jailbroken devices and on non-compromised devices too,
2) External network communication, and
3) Device memory
We were interested in sensitive user data, any credentials being leaked, etc. The client gave us the source code. After stumbling through many outdated mobile pentesting guides and lists of tools, I took a step back to consider my requirements carefully. The approach I used in the end was very simple.
Simple New Approach
With most guides and toolsets published on GitHub being out of date, or not working on the latest iOS and Android versions, I had to manually do most of the work where my goal was to analyse memory, the app sandbox, and key storage. These targets are going to be very similar in most mobile app penetration tests in 2020 and beyond so if I can help you lay down a simple, standard attack process then you can take that forward and own it, and play with it as you like. Alongside my no-frills methodology I had two important devices, which were a jailbroken iPad Mini 4 and a rooted Huawei P20 Pro. You don’t need physical devices when services like Corellium exist (for now), but they are nice. Note: the Android Emulator (AVD) has support for root.
On Android you can use adb shell am dumpheap <pid> <output file>. This command writes a dump of the memory heap of the chosen app or process to the given file. Use ps -A | grep <package name> (or pidof <package name>) to find the PID. Very handy with breakpoints in the source code. Once you have pulled the file you can open it with vim or your favourite text editor to search for interesting nuggets like API keys. In vim you can use :%!xxd to view the hex output. You can also use strings to filter interesting human-readable text from the file. Android Studio has awesome built-in functionality for memory profiling. DZone did a write-up on the usage of Android Studio.
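As an added example (not from the original post or any client engagement), here is a small Python stand-in for the strings-and-grep step above: it pulls printable runs out of a raw dump file such as the one am dumpheap writes, then flags anything sitting next to a key-like name or looking like a high-entropy token. It also catches UTF-16 runs, which plain strings misses by default; the sample bytes and the pattern names are constructed for illustration.

```python
import math
import re
import sys
from collections import Counter

MIN_LEN = 8
# Printable runs stored 8-bit (ART keeps Latin-1 strings as single bytes)
# and 16-bit little-endian (UTF-16 char[] data), like `strings` plus -el.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Names a developer expects to see next to a secret in their own app's memory.
KEY_HINT = re.compile(r"api[_-]?key|secret|token|password|passwd|bearer", re.I)
# Long tokens in a key-like alphabet with no key name beside them.
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9+/=_\-]{20,}$")

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score well above 4, English near 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def extract_strings(blob: bytes):
    """Yield decoded printable runs found in the raw dump."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")

def find_candidates(blob: bytes, entropy_threshold: float = 4.0):
    """Return (reason, string) pairs worth opening the dump in vim/xxd for."""
    hits = []
    for s in extract_strings(blob):
        if KEY_HINT.search(s):
            hits.append(("key-name", s))
        elif TOKEN_LIKE.match(s) and shannon_entropy(s) >= entropy_threshold:
            hits.append(("high-entropy", s))
    return hits

# Constructed sample standing in for a heap dump: one Latin-1 string,
# one UTF-16 string and harmless noise (not data from any real app).
SAMPLE_DUMP = (
    b"\x00\x01\x02 padding bytes \x7f\x80"
    b"apiKey=EXAMPLE0CONSTRUCTED0VALUE\x00\x00\xff\xfe"
    + "Bearer eyJhbGciOiJIUzI1NiJ9.constructed".encode("utf-16-le")
    + b"\x00\x00just some normal log text here\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for reason, s in find_candidates(data):
        print(f"[{reason}] {s}")
```

Run it against the pulled dump (python3 scan.py heap.hprof) and treat every hit as a lead to confirm by hand in the hex view, not as proof on its own.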
On iOS, Xcode also has a fantastic collection of memory tools including heap analysis. ZenDesk Engineering wrote a great piece on this.