IM Telegram Replay Attack - Android

Hopefully, readers will have had the opportunity and time to read about WhatsApp here at the trewmte.blogspot:

WhatsApp network forensics - http://trewmte.blogspot.co.uk/2017/06/whatsapp-network-forensics.html
Whisper Signal WhatsApp - http://trewmte.blogspot.co.uk/2017/06/whisper-signal-whatsapp.html

So it's time to move on to the next instant messaging app known as Telegram. It is relevant to mention this app at this time as it appears the Russians are targeting this app as well -

http://www.bbc.co.uk/news/world-europe-40404842 - and the thought must be what will they discover by way of a flaw or vulnerability or do they what they are already?

 

The IM Telegram Replay Attack - Android uncovered from the following research published in Tomáš Sušánka thesis can be found here:  https://www.susanka.eu/files/master-thesis-final.pdf .

 

As a primer, a replay attack is an attack where an attacker sniffs data sent by the application and then resends them at a different time with a malicious intent. Unlike WhatsApp where all accounts are controlled by source; Telegram relies upon some third party developers to implement security updates that Telegram has informed them about; if developers don't update after that many devices using Telegram could be unsafe even today potentially enabling attacks across networks.

 

Deobfuscator.cpp file

 

To gain a background understanding to IM and security related issues the thesis considers other IM apps, including WhatsApp, and noted security issues with them.

 

One interesting comment noted in a paragraph in the conclusion reveals the influences foreign policy subjects itself on software developers regarding censorship: "We have scrutinized the code base of the official application for Android and concluded that the state of the application is at serious odds with the documentation. This concerns mainly the undocumented obfuscation method Telegram uses. The MTProto traffic is encrypted one more time with the key and IV prepended to the data. This has no effect on the data security and is easily debunked by the deobfuscation program we have implemented. When the Telegram team was confronted with these claims, they noted the method is used to circumvent some of the less sophisticated methods of censorship in certain countries."

The author's research relating to apparent Telegram vulnerability, that has been published, he has also provided his background research e.g. source code etc., (so you better get it before it goes) https://www.susanka.eu/files/master-thesis-cd.zip :

 

CD's directory structure is:

-  data
- Telegram source code
-  src 

- Telegram Deobfuscator
- Telegram Extractor

- Trudy Go module
- LaTeX source codes
- diagrams source codes
- text
- appendices
- thesis.pdf

Excellent research and discovery!

 

U-N-I update on posts

- Diameter - Online Charging Systems (OCS)
- Big / Fresh / Deep - Data : Huaewi overview
- Hot technologies to know about
- ARP.pcap
- bgp.pcap
- https.pcap
- ICMP-ARP-OpenFlow1.0.pcap
- ICMP-DHCP-DNS.pcap
- Russians target Telegram App
- Wireshark
- Protocols Relevant to U-N-I
- Industrial Networks Hit By WannaCry
- IM Telegram Replay Attack - Android
- Whisper Signal WhatsApp
- Subpico Intelligent Appication Layer Software
- Subpico LI with evidential integrity
- TraceWrangler
- old_GUTI_IMSI_Critical_Reject (updated)

https://www.linkedin.com/groups/13536130

Whisper Signal WhatsApp

Following on from this post WhatsApp network forensics 2017/06/whatsapp-network-forensics.html you may know WhatsApp changed the protocol to 'Open Whisper System's Signal Protocol end-to-end encryption'. A useful analysis of "Signal" can be found here regarding capturing the “ratcheting” key update structure:

A Formal Security Analysis of the Signal Messaging Protocol
https://eprint.iacr.org/2016/1013.pdf.

Vulnerability attacks have already started to determine Signal weaknesses. The "last resort key" looks interesting as does internal messaging attacks that have produced some results:

HUNTING FOR VULNERABILITIES IN SIGNAL - HITBSECCONF2017
https://conference.hitb.org/hitbsecconf2017ams/materials/D2T1%20-%20Markus%20Vervier%20-%20Hunting%20for%20Vulnerabilities%20in%20Signal.pdf


WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messages
https://sci-hub.io/
http://www.sciencedirect.com/science/article/pii/S1742287615000985?via%3Dihub

Universal Network Investigations

Just started a new LinkedIn group called 'Universal Network Investigations (UNI)'. It is a group only for those involved in the wider area of fixed, mobile and large-scale computer networks. The group exists to assist cyber, forensics and fault-finding investigations: to exchange observations and sharing 'intel' in a closed forum discussing fixed and mobile network investigations - trace data and other forms of evidence (including but not limited to PCAP, CDRs, traffic logs, exchange and switch data, cell details, dumps, etc.) If you are a member of LinkedIn and want to participate in the group here is the link: https://www.linkedin.com/groups/13536130

Mobile Forensic Metamodel

Previous studies have mostly discussed mobile forensics only in data acquisition terms and only in a problem solving scenario, as a subset to computer forensics. These studies did not take mobile forensics beyond the paradigm that is known as computer forensics. Additionally, they have not addressed the elements of MF comprehensively, and the previous research in the MF domain did not focus on modeling the case domain information involved in investigations.

This paper develops a Mobile Forensic Metamodel (MFM) in order to clarify all the necessary activities required by investigators for conducting their task. In addition, it creates a unified view of mobile forensic in the form of a metamodel that can be seen as a language for this domain. A metamodeling approach is applied to ensure that the metamodel which is the outcome is complete and consistent.

A metamodel for mobile forensics investigation domain
CLICK TO DOWNLOAD .PDF

WhatsApp network forensics

With many companies allowing employees to use their own smartphones in the workplace it has been noted confidential information maybe being unwitting leaked as users take to using their smartphone cameras to take photos of Whiteboard content, potentially risking disclosure (mentioned by the Information Security Community). Smartphones can also scan data, reducing the need for organisation to require Whiteboard printouts (thus saving money?). Whilst a user might not intentionally leak information, WhatsApp does provide for exchange of information during in-party calls, potentially allowing confidential data to be circulated.

However, let us avoid that scare story of sending confidential information and the story at work with the situation where a WhatsApp user has called another WhatsApp user and discloses Global Organisation X is in talks with World Dominant Corp. B to take them over. Both are on the Stock Exchange and both hold Worldwide Patents used in the medical industry. Such a leak could wrongfully 'influence' the markets. Could a WhatsApp call leak be possible? Maybe, but is that relevant to WhatsApp network forensics and this article? No. Finding out potential avenues where information leakage might take place enables pre-planning, handling risk and helps in designing a rescue plan.

Screen from my desktop using Wireshark

What is relevant is that for those conducting network forensics, accordingly to F. Karpisek, I. Baggili, F. Breitinger (ISSN 1742-2876, http://dx.doi.org/10.1016/j.diin.2015.09.002) they were able to "...decrypt the network traffic and obtain forensic artifacts that relate to this new calling feature which included the: a) WhatsApp phone numbers, b) WhatsApp server IPs, c) WhatsApp audio codec (Opus), d) WhatsApp call duration, and e) WhatsApp's call termination." From a network investigators point of view essential information producing evidential artifacts of identifying network activity. Taking this further, PenTesters might even find this information useful, also. Even where security flaws get updated, doesn't stop modified attacks occurring creating further vulnerabilities; so learning is the name of the game. 
 
Often we read from articles/reports about vulnerabilities etc. but only the content in the articles/reports are available. What is extremely helpful here F. Karpisek, I. Baggili, F. Breitinger have made available 'trace data' so that when combined with the tools referred to in 'WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messages', enables Investigators and PenTesters to gain experience and refine testing approaches. Access to the trace information is here: https://www.dropbox.com/s/szrk5f3axwt5bi7/reference_files_WhatsApp.zip . You may want to get a copy soon as often with dropbox downloads they get deleted by the dropbox user after a time.

iPhone - TDEL034 Tool Testing

Many discussions take place during training which unearth useful guidance for practices and procedures. Also, tips and tricks are also revealed. From the MTEB Tool Testing training papers 2015 - iPhone TDEL034 (test device entry level) strategies and pre-planning - it is used to illustrate potential stages for obtaining images that produce a baseline test data to enable repeated testing to identify possible changes in the working operation of forensic tool suites importing a pre-existing test image.

However, TDEL034 is, as stated above, for strategies and pre-planning. Acquisition tools and Analysis (reader/reveal) tools are dealt with later in the training. What is uncovered during discussions are peoples perceptions given their involvement within the examination process. 

It is in these sessions during training the reality dawns as to the time and expense it takes just to deal with one brand-name 'Make' of smartphone and then adding into the equation the various models that have been created and may be created in the future. If that isn't enough, there is then the various versions of OS implemented in various models (https://en.wikipedia.org/wiki/IOS_version_history).

The discovery doesn't end there. Tasks involving removal of barriers and revelation equally may impact when discussing discovery (https://en.wikipedia.org/wiki/IOS_jailbreaking).

Digital forensics is a reality and not a junk science. This field of endeavour is unlike traditional sciences incl. many forensic sciences. How many traditional sciences can you identify evolve and update rapidly e.g. every 6mths-12mths? It is against this backdrop that digital forensics is expected to function and operate across a digital arena of many makes/models of devices and services. Understanding the fantastic job that people do working in digital forensics and battling with constant change illustrates how digital forensics is highly unique.

Generic standards do not work as well with digital forensics as would 'specific' standards. That is because with generic standards they are tantamount to informing everyone this is what has been created and it is your responsibility to make it work. This is analogous to an organisation purchasing a SATNAV and Driving Route System which when operational fails to inform the driver of 'No Entry' roads, dead end roads, instructing a driver to take the action even when the sign states 'No Left Turn' or using as-the-crow-flies navigation so the driver is placed at a point e.g. x-miles from true destination, because the system doesn't understand vehicles cannot drive through people houses, gardens or buildings to get to the other side. The organisation then expects the driver to workout the problems so that when reaching the destination it looks like the SATNAV and Driving Route System was working correctly.

This is why training is essential not just at the tool level, but also at the conceptual level to assist in the design of an examination approach that fits the need of the device and at the same time relieve the pressure placed on the tools that are expected to, alone, get it right. Having the right digital forensic standard should provide the baseline and should define process approach to assist achieve results.

I will return to this subject to offer observations a little later, but for now other matters are now pressing and need attention.

Do Cyber Events Follow A Philosophy

I was intending to raise this point some months back but due to other pressing issues I had forgotten to do so. It relates to a quote used in a presentation from Nokia 'The known unknowns of SS7 and beyond: Evolution of Telco Attacks'.

 Are cyber events such as DDoS, Malware, SS7 attacks, Dirty/Nasty USSD, dirty data_ark  and so on following some sort of noble objectives to be comprehended from quotes e.g. Sun Tze's philosophy "The supreme art of war is to subdue the enemy without fighting"?

Even if that were correct or true how does it help define which events are isolated and which events are or have characteristics of intended aggregation to bring about a sustained campaign of subjugation?

Not Comfortable Fit for Digital Forensics - ISO17025

Within the digital forensics arena there is discomfort amongst labs, academia, businesses and practitioners that ISO/IEC 17025 'General requirements for the competence of testing and calibration laboratories' is not a comfortable fit for digital forensics. Very few digital forensics laboratories and businesses have been accredited so far. To get an understanding of concerns obtained from a pretty good base-data of opinion from replies to UK ISO 17025 Digital Forensics Survey 4/24/2017 created by Professor Peter Sommer, the results have been published and are available here http://goo.gl/KP0HOn .

Not to second guess the Forensic Science Regulator (FSR) there is , of course, the October 2017 deadline looming and the outcomes of that deadline might impact on the way forward. However, I regularly keep an eye on Lab Accreditation and Best Practice Guides (as you can see from some of the pdf tabs open in the above screen shot) in context with digital forensics in order to note the changing approach to digital forensics. The new breeze appears to suggest digital forensics blowing towards ISO standards e.g.

ISO/IEC 27042: 2015. Information Technology - Security Techniques - Guidelines for the Analysis and Interpretation of Digital Evidence.

ISO/IEC 27037: 2012. Information Technology - Security Techniques - Guidelines for Identification, Collection, Acquisition and Preservation of Digital Evidence.

Currently, but this may change, these standards are not substitutes for accreditation. That does not mean though digital forensics may not branch off and have its own unique accreditation and standards. It may well be the British Standards Institute (BSI) may need to produce an equivalent standard for the UK based upon an example of the old BS5750 approach. BS5750 and ISO9000 do enable the UK Government's requirement to be met for "inclusion" of single-person organisations and SMEs to play apart in the economy and not be excluded from it due to globalism or restraint of trade practices or over-burdensome control measures.

Previously, I drew attention to how in the US, Karin Athanas, Program Manager at the American Association for Laboratory Accreditation (A2LA), produced an article titled "Accreditation for the One-Person Organization - The smallest laboratories can teach us the biggest lessons.". This article defined that smaller business entities could achieve accreditation to ISO/IEC17025: http://trewmte.blogspot.co.uk/2016/10/isoiec-1702517020-one-person.html

The UK ISO 17025 Digital Forensics Survey 4/24/2017 isn't the first time attention has been drawn to ISO/IEC17025 that it should works for all, not the few. If the latter accreditation doesn't work then maybe another route will need to be found.