BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Still Vulnerable Out of the Box: Revisiting the Secu
 rity of\n   Prepaid Android Carrier Devices\n   When: Friday\, Aug 11\, 12
 :00 - 12:45 PDT\n   Where: Caesars Forum - Forum - 109-119\, 138-139 - Tra
 ck 2 - [1]Map\n   Speakers:Angelos Stavrou\,Mohamed Elsabagh\,Ryan Johnson
 \n\n   SpeakerBio:Angelos Stavrou \, Founder and Chief Scientist at Quokka
 \n   Dr. Angelos Stavrou is Founder and Chief Scientist of Quokka (formerl
 y\n   Kryptowire)\, a Virginia based Mobile Security company. He is also a
 \n   Professor at the Bradley Department of Electrical & Computer\n   Engi
 neering at Virginia Tech. Dr. Stavrou has served as principal\n   investig
 ator on research awards from NSF\, DARPA\, IARPA\, DHS\, AFOSR\,\n   ARO\,
  ONR. He is an active member of NIST's Mobile Security team and\n   has wr
 itten more than 130 peer-reviewed conference and journal\n   articles. Dr.
  Stavrou received his M.Sc. in Electrical Engineering\,\n   M.Phil. and Ph
 .D. (with distinction) in Computer Science all from\n   Columbia Universit
 y. He also holds an M.Sc. in theoretical Computer\n   Science from the Uni
 versity of Athens and a B.Sc. in Physics with\n   distinction from the Uni
 versity of Patras\, Greece. Stavrou is an\n   Associate Editor of IEEE Tra
 nsactions on Computers\, IEEE Security &\n   Privacy\, and IEEE Internet C
 omputing magazines and a previous co-chair\n   of the IEEE Blockchain init
 iative. Over the past few years\, Dr.\n   Stavrou's research has focused o
 n two aspects of security: Systems'\n   Security and Reliability. Dr. Stav
 rou is a member of USENIX\, and a\n   senior member of ACM and IEEE.\n\n  
  SpeakerBio:Mohamed Elsabagh \, Senior Director\, R&D at Quokka\n   Dr. Mo
 hamed Elsabagh leads the research and development efforts at\n   Quokka (f
 ormerly Kryptowire). He specializes in automated\n   static/dynamic binary
  security analysis and reverse engineering for\n   Android\, ARM\, and x86
  platforms. He has created several tools that\n   helped detect and preven
 t hundreds of zero-day vulnerabilities in the\n   wild. Mohamed holds a Ph
 D in CS during which he developed automated\n   binary hardening technique
 s for COTS systems.\n\n   SpeakerBio:Ryan Johnson \, Senior Director\, R&D
  at Quokka\n   Dr. Ryan Johnson is a Senior Director\, R&D at Quokka (form
 erly\n   Kryptowire). His research interests are static and dynamic analys
 is of\n   Android apps and reverse engineering. He is a co-founder of Quok
 ka and\n   has presented at DEF CON\, Black Hat (USA\, Asia\, & MEA)\, IT-
 Defense\,\n   and @Hack. His research in Android security has been assigne
 d dozens\n   of CVEs and is responsible for discovering the Adups spyware 
 that\n   affected millions of Android smartphones.\n\n   Description:\n   
 Prepaid Android smartphones present an attractive option since they\n   ca
 n be used and discarded at will without significant financial cost.\n   Th
 e reasons for their use are manifold\, although some people may use\n   th
 em to dissemble their true identity. Prepaid smartphones offer\n   value\,
  but there may be an additional "cost" for their cheap price. We\n   prese
 nt an examination of the local attack surface of 21 prepaid\n   Android sm
 artphones sold by American carriers (and 11 unlocked\n   smartphones). Whi
 le examining these devices\, we discovered instances\n   of arbitrary comm
 and execution in the context of a "system" user app\,\n   arbitrary AT com
 mand execution\, arbitrary file write in the context of\n   the Android Sy
 stem (i.e.\, "system_server")\, arbitrary file read/write\n   in the conte
 xt of a "system" user app\, programmatic factory reset\,\n   leakage of GP
 S coordinates to a loopback port\, numerous exposures of\n   non-resettabl
 e device identifiers to system properties\, and more.\n\n   The only user 
 interaction that our threat model assumes is that the\n   user installs an
 d runs a third-party app that has no permissions or\n   only a single "nor
 mal" level permission that is automatically granted\n   to the third-party
  app upon installation. The installed third-party\n   app can leverage fla
 ws in pre-loaded software to escalate privileges\n   to indirectly perform
  actions or obtain data while lacking the\n   necessary privileges to do s
 o directly. Due to a wide range of local\n   interfaces with missing acces
 s control checks and inadequate input\n   validation\, a third-party app'
 s behavior is not truly circumscribed\n   by the permissions that it requ
 ests. Due to the common inclusion of\n   pre-loaded software from Android 
 vendors\, chipset manufacturers\,\n   carriers\, and vendor partners\, exp
 loit code can have significant\n   breadth. The inter-app communication us
 ed to exploit these\n   vulnerabilities may be difficult to classify as in
 herently malicious\n   in general since it uses the standard communication
  channels employed\n   by non-malicious apps.\n\n   We pick up again where
  we left off from our DEF CON 26 talk …\n   raiding the prepaid Android 
 smartphone aisles at Walmart. We provide\n   another snapshot on the state
  of security for Android carrier devices.\n   In this talk\, we examine 21
  different prepaid Android smartphones\n   being sold by the major America
 n carriers\, and we also cover 11\n   unlocked Android devices\, which are
  primarily ZTE smartphones. We\n   identified vulnerabilities in multiple 
 layers of the Android software\n   stack. For each discovered vulnerabilit
 y\, we step through the attack\n   requirements\, access vector\, and atta
 ck workflow in order to help\n   developers and bug hunters identify commo
 n software flaws going\n   forward.\n\n   REFERENCES\n\n   [2]https://supp
 ort.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1030664\n   [3]
 https://www.bleepingcomputer.com/news/security/oneplus-phones-come-preinst
 alled-with-a-factory-app-that-can-root-devices/\n   [4]https://source.andr
 oid.com/docs/security/features/selinux#background\n   [5]https://en.wikipe
 dia.org/wiki/Confused_deputy_problem [6]https://github.com/thanuj10/Nokia-
 Debloater\n   [7]https://developer.android.com/training/articles/user-data
 -ids#best-practices-android-identifiers\n   [8]https://android.googlesourc
 e.com/platform/hardware/ril/+/master/include/telephony/ril.h\n   [9]https:
 //github.com/lbule/android_hardware_mediatek [10]https://security.tecno.co
 m/SRC/blogdetail/99?lang=en_US\n   [11]https://extensionpublications.unl.e
 du/assets/pdf/ec157.pdf [12]https://android.googlesource.com/platform/fram
 eworks/base/+/master/core/java/android/service/persistentdata/PersistentDa
 taBlockManager.java#143\n   [13]https://github.com/ptoomey3/evilarc/blob/m
 aster/evilarc.py [14]https://android.googlesource.com/platform/frameworks/
 base/+/master/packages/SystemUI/\n   [15]https://android.googlesource.com/
 platform/packages/apps/Settings/+/refs/heads/master\n\n   '\n\n   1. #Caes
 arsForumBR\n\n\n
DTEND:20230811T194500Z
DTSTART:20230811T190000Z
LOCATION:DC - Caesars Forum - Forum - 109-119\, 138-139 - Track 2
SUMMARY:Still Vulnerable Out of the Box: Revisiting the Security of Prepaid
  Android Carrier Devices
END:VEVENT
END:VCALENDAR
