
Chinese Police & CloudPets DeepSec November 28-29, 2019 - PowerPoint PPT Presentation

  1. Chinese Police & CloudPets DeepSec November 28-29, 2019 – Vienna, Austria Presented by : Abraham Aranguren > admin@7asecurity.com > @7asecurity > @7a_ > @owtfp [ OWASP OWTF - owtf.org ] + 7asecurity.com

  2. Who am I? ★ Director at 7ASecurity , public reports, presentations, etc. here: 7asecurity.com/publications ★ Former Team Lead & Penetration Tester at Cure53 and Version 1 ★ Co-Author of hands-on 7ASecurity courses: ○ Pwn & Fix JS apps, shells, injections and fun! a Node.js & Electron course ○ Hacking Android, iOS and IoT a Mobile App Security course ★ Author of Practical Web Defense , a hands-on attack & defense course: www.elearnsecurity.com/PWD ★ Founder and leader of OWASP OWTF , an OWASP flagship project : owtf.org ★ Some presentations: www.slideshare.net/abrahamaranguren/presentations ★ Some sec certs : CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE: Security, MCSA: Security, Security+ ★ Some dev certs : ZCE PHP 5, ZCE PHP 4, Oracle PL/SQL Developer Certified Associate, MySQL 5 CMDev, MCTS SQL Server 2005

  3. Public Mobile Pentest Reports - I Smart Sheriff mobile app mandated by the South Korean government: Public Pentest Reports: → Smart Sheriff: Round #1 - https://7asecurity.com/reports/pentest-report_smartsheriff.pdf → Smart Sheriff: Round #2 - https://7asecurity.com/reports/pentest-report_smartsheriff-2.pdf Presentation: “Smart Sheriff, Dumb Idea, the wild west of government assisted parenting” Slides: https://www.slideshare.net/abrahamaranguren/smart-sheriff-dumb-idea-the-wild-west-of-government-assisted-parenting Video: https://www.youtube.com/watch?v=AbGX67CuVBQ Chinese Police Apps Pentest Reports: → “Study the Great Nation” 09.2019 - https://7asecurity.com/reports/analysis-report_sgn.pdf → "BXAQ" (OTF) 03.2019 - https://7asecurity.com/reports/analysis-report_bxaq.pdf → "IJOP" (HRW) 12.2018 - https://7asecurity.com/reports/analysis-report_ijop.pdf

  4. Public Mobile Pentest Reports - II Other reports: → Exodus iOS Mobile App - https://7asecurity.com/reports/pentest-report_exodus.pdf → imToken Wallet - https://7asecurity.com/reports/pentest-report_imtoken.pdf → Whistler Apps - https://7asecurity.com/reports/pentest-report_whistler.pdf → Psiphon - https://7asecurity.com/reports/pentest-report_psiphon.pdf → Briar - https://7asecurity.com/reports/pentest-report_briar.pdf → Padlock - https://7asecurity.com/reports/pentest-report_padlock.pdf → Peerio - https://7asecurity.com/reports/pentest-report_peerio.pdf → OpenKeyChain - https://7asecurity.com/reports/pentest-report_openkeychain.pdf → F-Droid / Baazar - https://7asecurity.com/reports/pentest-report_fdroid.pdf → Onion Browser - https://7asecurity.com/reports/pentest-report_onion-browser.pdf More here: https://7asecurity.com/publications

  5. Agenda 3 different security audits with interesting backgrounds: 1. CloudPets: ■ Preliminary work & epic track record ■ What we found ■ What happened afterwards 2. “ IJOP ” Chinese Police app: ■ Police enter data manually, fill out forms 3. “ BXAQ ” Chinese Police app: ■ Police install an app that grabs data from a phone " BXAQ " and " IJOP " are related to surveillance of ethnic minorities, but in different ways.

  6. PART 1: CloudPets

  7. What are CloudPets? https://www.youtube.com/watch?v=11gvtRg3_V8

  8. How do CloudPets work? https://www.youtube.com/watch?v=kgyRvO0sgcE

  9. CloudPets Summary - I Intended usage: → Parent (far from home) sends messages to children using a mobile app → Children receive these messages on the Soft Toy → Children can send messages via the Soft Toy → Parent receives messages on the mobile app The Toys: → Use Bluetooth LE → To communicate with the mobile app → Have a Microphone → Have a speaker

  10. CloudPets Summary - II Mobile app on parent phone = Away from the toy → Sends/Receives messages to/from: CloudPets servers and Amazon S3 Mobile app on children device = Close to the toy → Sends/Receives messages to/from: CloudPets servers and Amazon S3 → Uploads/Downloads messages to/from Toy via: Bluetooth LE

  11. What could possibly go wrong? Any ideas?

  12. Previous Work: #1 - MongoDB without auth Full access to all messages ever sent between parents and children! Summary: → MongoDB exposed to the internet without authentication → Unauthorized parties downloaded the database → 3 ransom requests → Indexed by Shodan → 821k user records at risk → Spiral Toys (CloudPets’ parent company) claimed never to have found evidence of any breach…

  13. Previous Work: #1 - MongoDB without auth

  14. Previous Work: #1 - MongoDB without auth Password hashes, emails, links to all voice recordings from children and parents, etc. https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/
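The two mongod settings whose absence produced this exposure are access control (security.authorization) and the listening address (net.bindIp). The following audit script is an added example, not code from the deck or from Spiral Toys; it parses only the two-level `section:` / `  key: value` YAML subset that mongod.conf uses, and the two sample configs are constructed for illustration.

```python
"""Audit a mongod.conf for the two controls whose absence exposed the CloudPets DB.

Added example, not part of the original deck. Handles only the flat
`section:` / `  key: value` YAML subset used by mongod.conf (assumption);
the sample configs at the bottom are constructed.
"""


def parse_mongod_conf(text):
    """Minimal mongod.conf parser: returns {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if indent == 0:                            # new section, e.g. `net:`
            section = key
            conf.setdefault(section, {})
        elif section is not None:                  # `  bindIp: 0.0.0.0`
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both controls are set."""
    conf = parse_mongod_conf(text)
    findings = []

    auth = conf.get("security", {}).get("authorization", "disabled").lower()
    if auth != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can "
                        "reach the port can read every collection")

    net = conf.get("net", {})
    bind = net.get("bindIp")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    if bind_all:
        exposed = True
        findings.append("net.bindIpAll=true: listener reachable on all interfaces")
    elif bind is None:
        # mongod before 3.6 listened on all interfaces unless told otherwise;
        # treat an unset bindIp as exposed rather than trusting a version default.
        exposed = True
        findings.append("net.bindIp not set: pre-3.6 default is all interfaces")
    else:
        exposed = any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(","))
        if exposed:
            findings.append(f"net.bindIp={bind!r}: listener reachable on all interfaces")

    if exposed and auth != "enabled":
        findings.append("CRITICAL: unauthenticated MongoDB on a public interface "
                        "(the CloudPets failure mode)")
    return findings


# Constructed sample: the shape of a config that ends up indexed by Shodan.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: local-only listener plus mandatory authentication.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["OK"])
```

Binding to localhost alone is not sufficient either: a database that must be reachable over the network still needs authorization enabled plus network-level filtering, which is why the script reports the two problems separately and only escalates to CRITICAL when both are present.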

  15. Previous Work: #2 - First Ransom “ You DB is backed up on our servers , send 1 BTC to 1J5ADzFv1gx3fsUPUY1AWktuJ6DF9P6hiF then send your ip address to email:kraken0@india.com” https://twitter.com/nmerrigan/status/817289743817998337/photo/1 https://pastebin.com/BgJADkqW

  16. Previous Work: #3 - Initial Timeline 2016.12.30 - 2017.01.04: Multiple security researchers alert CloudPets via multiple means 2017.01.07: Ransom #1 : Original databases deleted + ransom demand left on the system via "PLEASE_READ" message 2017.01.08: Ransom #2 : Demand left for "README_MISSING_DATABASES" Ransom #3 : Demand left for "PWNED_SECURE_YOUR_STUFF_SILLY" 2017.01.13: No databases were found to still be publicly accessible https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/

  17. Previous Work #4: Toy Security Paul Stone’s research: https://www.contextis.com/en/blog/hacking-unicorns-web-bluetooth The Toy has: → No built-in Bluetooth security features. → No authentication for bonding/pairing between the device and phone . → Anyone can connect to the toy as long as it is switched on . (!) → Unencrypted firmware upgrades; the only validation is a CRC16 checksum. → Possible to remotely modify the toy’s firmware .

  18. Previous Work #4: Paul Stone’s demo https://youtu.be/5pQt6Aa3AVs

  19. Previous Work #5: Vendor Response → Write-ups on the lack of security of the toy and its failure to use the built-in Bluetooth security features are published. → All attempts to warn Spiral Toys fail . → Spiral Toys confirms that they did not reply to the data breach emails , but rather decided to fix the issues.

  20. Question: What did they fix?

  21. Mozilla asks: Are toys safe now?

  22. Our Work: Viking Style

  23. Unicorn Analysis:

  24. What could possibly go wrong?

  25. PET-01-001 Backend: Tour domain is for sale and used over clear-text HTTP ( High ) CloudPets app directs users to http://mycloudpets.com/tour for tutorials and help. → Domain is currently for sale . → Anybody can purchase the domain and influence users. → e.g. prompting users for their CloudPets credentials . → e.g. prompting users to download malicious apps .

  26. PET-01-001 Backend: Tour domain is for sale and used over clear-text HTTP ( High ) Also: → The page is requested via clear-text HTTP. → This makes it trivial for a malicious attacker on the local network (e.g. public WiFi) to modify the Tour page . → Allows attackers to target users. → e.g. ask for user credentials. → e.g. prompt users to download malicious apps .

  27. PET-01-001 Backend: Tour domain is for sale and used over clear-text HTTP ( High ) Taps on the help icon:

  28. PET-01-001 Backend: Tour domain is for sale and used over clear-text HTTP ( High ) Demo

  29. PET-01-002 Toy: Authless attacks via Bluetooth remain possible (Critical) Paul Stone’s public PoC remains working without any changes : https://github.com/pdjstone/cloudpets-web-bluetooth https://pdjstone.github.io/cloudpets-web-bluetooth/index.html → Strangers can still connect to the toys without authentication. → Push audio & play it on the Toy: Anyone can interact with the child: i.e. “Open the door…” → Download audio from the toy: Turns the toys into spy devices .

  30. PET-01-003 Toy: No firmware protection is in place ( High ) Lack of adequate firmware verification remains: → Discovered during the initial setup of the device . → Firmware is installed into the device from the app via BLE . → The installation process still has no verification : ○ NO signature or integrity checks in place. → The only “ protection” is a CRC16 checksum .

  31. PET-01-004 Backend: CloudPets voice recordings world-reachable ( High ) → Audio recordings created from the device are still being saved at cloudpet-prod.s3.amazonaws.com . → When users upload a new avatar or message, the application posts the data through the API and carries out a DNS lookup to cloudpet-prod.s3.amazonaws.com. → The S3 bucket has no authorization or authentication in place. → There are no limitations when it comes to accessing the files placed in the bucket.
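The practical test for a finding like PET-01-004 is an unauthenticated GET against the bucket's virtual-hosted URL and a look at what S3 answers: a ListBucketResult means the whole bucket enumerates anonymously; an AccessDenied error only means listing is blocked, individual objects may still be world-readable. The following checker is an added example, not code from the report; the bucket name in the usage is a placeholder and the response bodies are constructed in the shape S3 returns so the classifier can be exercised offline.

```python
"""Classify anonymous S3 bucket responses. Added example, not from the report.

The XML bodies below are constructed to match S3's ListBucketResult and
Error formats; `example-bucket` is a placeholder name.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def classify_bucket_response(status, body):
    """Map the status/body of an unauthenticated GET on
    https://<bucket>.s3.amazonaws.com/ to (verdict, keys).
    `keys` is populated only when the bucket lists anonymously."""
    if status == 200:
        root = ET.fromstring(body)
        if root.tag == S3_NS + "ListBucketResult":
            keys = [el.text for el in root.iter(S3_NS + "Key")]
            return "PUBLIC_LISTING", keys
        return "UNEXPECTED_200", []
    if status in (403, 404):
        code = ""
        try:
            code = ET.fromstring(body).findtext("Code") or ""   # <Error><Code>..</Code>
        except ET.ParseError:
            pass
        if code == "NoSuchBucket":
            return "NO_SUCH_BUCKET", []
        if code == "AccessDenied":
            # Listing blocked; objects may still be fetchable by exact key.
            return "LISTING_DENIED", []
        return f"HTTP_{status}_{code or 'unknown'}", []
    return f"HTTP_{status}", []


def check_bucket(bucket, timeout=10.0):
    """Live, unauthenticated listing attempt (network). Returns (verdict, keys)."""
    url = f"https://{bucket}.s3.amazonaws.com/?max-keys=10"
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_bucket_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_bucket_response(err.code, err.read())


def object_readable(bucket, key, timeout=10.0):
    """Live HEAD on one object: True if it is world-readable even when listing is denied."""
    url = f"https://{bucket}.s3.amazonaws.com/{key}"
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False


# Constructed sample: anonymous listing succeeds (the PET-01-004 situation).
PUBLIC_LISTING_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name><IsTruncated>false</IsTruncated>
  <Contents><Key>messages/0001.wav</Key><Size>20480</Size></Contents>
  <Contents><Key>avatars/child.jpg</Key><Size>5120</Size></Contents>
</ListBucketResult>"""

# Constructed sample: listing denied.
DENIED_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""

if __name__ == "__main__":
    print(classify_bucket_response(200, PUBLIC_LISTING_BODY))
    print(classify_bucket_response(403, DENIED_BODY))
    # Live use against a bucket you are authorised to test:
    # print(check_bucket("example-bucket"))
```

When listing is denied, pair `object_readable` with keys recovered from the app itself (the API responses or the URLs the app requests), since a bucket that hides its index but serves every object on request is still world-reachable for anyone who has seen a link.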
