Tricking Android Smart Lock with Bluetooth

The Smart Lock Feature allows Android users (Android version 5.0 and later) to automatically unlock their smartphone whenever a trusted device, Wi-Fi network or geo location is in close proximity. Trusted devices could either be NFC tags or Bluetooth devices. Looking at Bluetooth devices, it turned out that the Smart Lock implementation had at least one security issue that got resolved. Early implementations of Smart Lock implied that when a trusted Bluetooth device was connected to the phone it was safe to unlock the respective device. The method upon which the connected Bluetooth device was identified did miss an important point, though. Read the rest of this entry »

Auditing Samsung Smart-TV Apps

In a recent assignment, I was asked to do an IT security audit of a Samsung Smart-TV app. It took me some time to find the (for me) ideal solution to do the audit with my usual setup of tools. Since Smart-TV apps are based on javascript, they run on a fancy browser in the Smart-TV device. Consequently, using the same auditing techniques for Smart-TV apps as for web applications makes sense.  So the goal was to get all the requests and responses from the emulator through a proxy – in my case BurpSuite. I hope to help fellow IT security auditors to save some time with this little write-up. Read the rest of this entry »

Analytics and HbbTV Revisited

In the last blog-post on this blog,  I focussed on the use of Google analytics in HbbTV applications. After almost two months, the situation has changed quite a bit. Read the rest of this entry »

HbbTV update on the use of Google Analytics

After yesterdays talk at 30C3, a very intersting question was asked by a person the audience. The question was, whether the stations that use Google analytics in order to track their viewers are using it in a legal way. In order to use Analytics legally, the tracking code has to be used with the anonymizeIp parameter. So I took some time and checked the stations red button pages in order to find out, whether the tracking code complies with the law. Read the rest of this entry »

Spooofticker – Spoofing Newstickers with HbbTV

Since attackers could modify the information that is being displayed on HbbTV capable SmartTVs, there is now a project that overlaps the news ticker section of some stations’ program. Read the rest of this entry »

Meet HAL – Your new Best Friend

HAL – to serve and protect

Major players in the entertainment industry specified a standard that defines a way for connected Smart TVs to access additional content from the Internet. This so-called HbbTV standard (Hybrid broadcast broadband Television) uses portions of the DVB broadcast stream (DSM-CC) in order to embed references to online resources. As it turned out, many HbbTV-capable devices offer little or no protection against malicious content that is eventually loaded down from the Internet by Smart TVs. Possible attack vectors are shown in my earlier Blog post.
Read the rest of this entry »

Security concerns with HbbTV

OMG – our Smart TV got pr0wn3d!

A large amount of the TV sets currently available for sale belong to the group of “Connected TVs” or “Smart TVs”. These devices have the capability to access the contents of online media libraries and allow users to access Internet-pages via an integrated web-browser. Mostly for the European market, the available devices have a feature called HbbTV. HbbTV stands for Hybrid Broadcast Broadband TV and defines a standard for TV sets to access station-specific online contents. Read the rest of this entry »

Linksammlung: PechaKucha-Vortrag zu Vorratsdatenspeicherung in Österreich

In diesem Post habe ich einfach die Links zusammengeschrieben, die mir bei meinen Recherchen zum Vortrag positiv aufgefallen sind bzw. aus meiner Sicht relevante Informationen beinhalten. Die Links sind relativ unsortiert und haben meistens nur eine kurze Inhaltsüberschrift.

Wer das hier gut findet und das ohne viel Zutun unterstützen möchte, setzt sich am Besten ein Bookmark auf diese Seite und klickt vor jedem Einkauf bei amazon.de auf das Amazon.de-Logo auf der linken Seite. Vielen Dank 🙂

UPDATE: Das Video vom Vortrag ist jetzt online!

Linkliste:

Österreichische Unterschriftenaktion gegen VDS (mitmachen und weitersagen!)
https://zeichnemit.at/

AnonBox-Projekt des CCC
https://anonbox.net/index.de.html

DuckDuckGo (Diskrete Suchmaschine)
http://duckduckgo.com/

Wikipedia-Eintrag zu Vorratsdatenspeicherung
http://de.wikipedia.org/wiki/Vorratsdatenspeicherung

Digitalks Social Graph (Beispiel für Netzwerk Visualisierung)
http://www.youtube.com/watch?v=x6FvzUrxnNY

InterVPN – Übersicht mit vielen VPN-Anbietern
http://www.intervpn.com/

Tor – The Onion Router
https://www.torproject.org/

TKG 2003
http://www.rtr.at/de/tk/tkg2003

Icons
http://www.iconarchive.com

Verfassungsklage gegen Vorratsdatenspeicherung
http://www.tt.com/Nachrichten/4566923-2/verfassungsklage-gegen-vorratsdatenspeicherung.csp

Österreichische Prepaid-Handies
http://prepaid.de/oesterreich–schweiz/uebersicht-oesterreich.php

ARGE Daten zur Vorratsdatenspeicherung
http://www.argedaten.at/php/cms_monitor.php?q=PUB-TEXT-ARGEDATEN&s=90239zeu

Umsatzgrenze
http://recht.extrajournal.net/2012/03/29/vorratsdatenspeicherung-startet-am-1-april-schon-jetzt-massiv-unter-beschuss-20689/

Privacy-Handbuch
https://www.awxcnx.de/handbuch.htm

VDS – Verstoß gegen Grundrechte
http://www.euractiv.de/digitale-agenda/artikel/vorratsdatenspeicherung—verstoss-gegen-grundrechte-004958

IF WE DON’T, REMEMBER ME. (Living Stills)
http://iwdrm.tumblr.com

fuck you very much – Blog (immer eine gute Inspiration)
http://fuckyouverymuch.dk

Richtlinie 2006/24/EG über die Vorratsspeicherung von Daten
http://de.wikipedia.org/wiki/Richtlinie_2006/24/EG_%C3%BCber_die_Vorratsspeicherung_von_Daten

Zypern (Balls of Steel)
http://netzpolitik.org/2011/oberstes-gericht-von-zypern-kippt-vorratsdatenspeicherung/

Irland und Slowakei dagegen
http://www.taz.de/!49123/

Sehr gut reflektierte Beiträge zum Thema
http://netzpolitik.org/?s=vorratsdatenspeicherung&searchsubmit=Suchen

Polen
http://www.piratenpartei.de/2012/04/10/neue-zahlen-zur-vorratsdatenspeicherung-in-polen-fur-2011-veroffentlicht-vorratsdaten-wurden-18-millionen-mal-abgefragt/

CCC-Studie zur VDS
http://ccc.de/de/updates/2012/mythos-schutzluecke

Arbeits-Kreis Vorratsdatenspeicherung Österreich
http://www.akvorrat.at/
http://wiki.akvorrat.at/doku.php

Richtlinie 2006/24/EG über die Vorratsspeicherung von Daten
http://de.wikipedia.org/wiki/Richtlinie_2006/24/EG_%C3%BCber_die_Vorratsspeicherung_von_Daten

Asterisk with FreePBX

When I first played around with asterisk in 2006, I was overwhelmed by all the different options and features that this full fledged open source PBX comes with. Back then I installed an administration front-end called FreePBX. This freely available UI helps you configuring all different and complicated scenarios easily. You don’t have to touch the text-based asterisk config files.

Due to some stupid errors on my behalf, I had to do a new setup of my telephony system, recently. Again, I decided to use FreePBX as a management interface, but this time with Asterisk Version 1.6 underneath. The documentation always refers to the older 1.2 version, but using Asterisk 1.6 (compiled from source) works without problems with FreePBX.

Now, it is very easy to configure features like conference rooms, waiting queues, voice menus and blacklists (for those annoying phone marketers). In order to receive calls, I registered a bunch of numbers (for different purposes) at sipgate. In Germany, it is necessary (since ) to proof that you are living in the respective location you are registering the number for. Sipgate Germany solves this via verification letter or fax.

If you got interested in playing around with your own installation, then check out the following pages:

• FreePBX (http://www.freepbx.org/)
• Asterisk – The Open Source Telephony Project (http://www.asterisk.org/)

Tell me about your experiences… especially if and how you got fax working 😉

fuck you very much, please!

Out of personal dedication to a genius photo blog, I decided to do one of my first Android applications for fuckyouverymuch.dk. The fuck you very much widget is a home screen widget that randomly displays miniatures of the photos along with the comments as posted on this blog. If one clicks on the widget, all the actual photos can be flipped through in a slideshow-like view. The application updates the feed on an hourly basis and has a fall-back mechanism for times when tumblr happens to be offline.

Keep in mind that this application – due to the mildly erotic content – would never become available for iPhones (except for jail-broken ones). So enjoy your freedom being an Android user and install this free app from the market by scanning the code with the Barcode Scanner app on your Android phone (Android version 1.6 and above).

For my part: I love this photo blog and find it very entertaining. You definitely should give it a chance – even if you are not owner of an Android phone.