Defcon 21 - BoutiqueKit: Playing WarGames with Expensive Rootkits and Malware

  • Published 12 Sep 2024
  • Josh 'Monk' Thomas
    August 1st--4th, 2013
    Rio Hotel & Casino • Las Vegas, Nevada

Comments • 57

  • @NedTheDread
    @NedTheDread 10 years ago +19

    Wow, that's some serious stuff right there! Fuckin awesome presentation.

  • @Nigelxp1
    @Nigelxp1 7 years ago +2

    Eye opener, great presentation thanks :).

  • @JonMasters
    @JonMasters 7 years ago +1

    This is fun. In the early days of YAFFS, I recall writing code to walk the OOB data to reset bad blocks during my backport efforts (ABI changes led to incorrectly mismarking blocks bad) and thought then that this would be a great place to hide stuff. I would note that resetting OOB is totally doable to undo this - obviously not consumer friendly tho.

  • @DweebsUnited
    @DweebsUnited 8 years ago +6

    Another cool application for this could be doing it intentionally as a dead drop. Not just for malware, but secret files as well. Mark off NAND, store secrets in it, if anyone steals your phone and tries to examine/clone it, they wont get what you hid.

    • @holly_hacker
      @holly_hacker 8 years ago +1

      +Eric "Ozzy" Osburn Yes, but then they find your program to access those files and you're fucked :p

    • @Cygnus0lor
      @Cygnus0lor 8 years ago

      as he said, it's literally not accessible because the system itself can't see it...

    • @DweebsUnited
      @DweebsUnited 8 years ago +3

      So don't keep the access program on the device. Also if it's "literally not accessible" then how does his malware access it? It's not paradoxical memory.

    • @SICKFREDO
      @SICKFREDO 7 years ago

      he states here he can still call into the memory address, it's just the device won't recognize the bit as a good bit and won't read or write to it th-cam.com/video/gKUleWyfut0/w-d-xo.htmlm28s

  • @Avelx
    @Avelx 6 years ago +1

    Can anyone tell me if this has been looked into by software or the GNU community?

  • @noughyou2841
    @noughyou2841 10 years ago

    This shit is pretty cool when you can get the gist of what they're saying at... All of this shit is fucking scary.

  • @jordanhanna6884
    @jordanhanna6884 9 years ago +5

    Mister No, you've obviously never been to DefCon....

  • @yoyomagic2068
    @yoyomagic2068 7 years ago +2

    That man is a god.

  • @JonMasters
    @JonMasters 7 years ago +1

    The obvious defense is to walk the OOB table and read the bad blocks manually/compare against malicious checksums, monitor rate of failure, etc.

    • @CGoody5642
      @CGoody5642 5 years ago +1

      Wouldn't you need to reverse engineer the nand and data written on it in that case? How can you read it manually if the first thing it asks is "is this block bad? Then it's not here" and refuses to acknowledge it's existence? You would need to program the nand so it doesn't do so, which seems like a fundamental change to how NAND operates as opposed to a defense in regards to how it works now.
      We're talking convincing an industry to relinquish control of the systems that operate their products. That's not an easy ask.
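The defence JonMasters sketches above (walk the bad-block markers in the OOB, read the marked blocks anyway, compare them against known hashes, and watch the failure rate) as an added example written for this page, not code from the talk or its repository. It assumes a raw dump laid out page+OOB and a bad-block marker convention of "any non-0xFF byte at a fixed OOB offset"; the NAND geometry, the image and the known hash are all constructed here.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Geometry:
    page_size: int        # data bytes per page
    oob_size: int         # spare (OOB) bytes per page
    pages_per_block: int
    bbm_offset: int = 0   # OOB byte carrying the bad-block marker (assumed layout)

def split_blocks(image, geo):
    """Yield (block_index, block_data, oob_of_first_page) from a dump laid out page+OOB."""
    stride = geo.page_size + geo.oob_size
    block_len = stride * geo.pages_per_block
    for idx in range(len(image) // block_len):
        blk = image[idx * block_len:(idx + 1) * block_len]
        data = b"".join(blk[p * stride:p * stride + geo.page_size]
                        for p in range(geo.pages_per_block))
        yield idx, data, blk[geo.page_size:stride]

def is_marked_bad(oob, geo):
    # Assumed convention: a non-0xFF marker byte in the spare area means "bad block".
    return oob[geo.bbm_offset] != 0xFF

def audit(image, geo, known_hashes, max_bad_ratio=0.02):
    """Walk every block, inspect the ones the OOB marks bad, and compare them to known hashes."""
    total, report = 0, {"bad": [], "readable_bad": [], "known_matches": []}
    for idx, data, oob in split_blocks(image, geo):
        total += 1
        if not is_marked_bad(oob, geo):
            continue
        report["bad"].append(idx)
        # A block retired for wear normally reads back erased (all 0xFF); structured data is worth a look.
        if any(b != 0xFF for b in data):
            report["readable_bad"].append(idx)
        if hashlib.sha256(data).hexdigest() in known_hashes:
            report["known_matches"].append(idx)
    report["bad_ratio"] = len(report["bad"]) / total if total else 0.0
    report["rate_alarm"] = report["bad_ratio"] > max_bad_ratio  # far more "failures" than wear explains
    return report

def build_sample_image(geo, blocks=8, worn=3, hidden=5):
    """Constructed dump: block `worn` genuinely retired, block `hidden` marked bad but holding data."""
    good_oob, bad_oob = b"\xff" * geo.oob_size, bytearray(b"\xff" * geo.oob_size)
    bad_oob[geo.bbm_offset] = 0x00
    payload = (b"constructed hidden payload" * 100)[:geo.page_size]
    image, hidden_data = b"", b""
    for idx in range(blocks):
        for _ in range(geo.pages_per_block):
            if idx == hidden:
                page, oob = payload, bytes(bad_oob)
                hidden_data += page
            elif idx == worn:
                page, oob = b"\xff" * geo.page_size, bytes(bad_oob)
            else:
                page, oob = bytes(range(256)) * (geo.page_size // 256), good_oob
            image += page + oob
    return image, hashlib.sha256(hidden_data).hexdigest()
```

On a real device the same walk has to happen below the filesystem and flash driver, since those are exactly the layers that skip marked blocks; on eMMC the raw blocks are not exposed at all, as a later comment points out.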

  • @sub7x226
    @sub7x226 10 years ago

    Greatest speaker ever.

  • @queazocotal
    @queazocotal 10 years ago +1

    Major assumption that is utterly broken.
    No modern phones have NAND exposed anymore.
    All phones today use eMMC - which is NAND internally, but you can't get at the raw blocks - it pretends to be a perfect block device.
    This attack only works on raw NAND, not EMMC or SD.
    Unless your phone is running gingerbread or below - it's not applicable.

    • @noname-tf7kq
      @noname-tf7kq 10 years ago

      He did explain that the source is based on the kernel based nand, I thought that was implying it was "universal" that way..
      BTW, did anyone do an "um" count? Lost track lol

    • @uN1Qu3DZ
      @uN1Qu3DZ 9 years ago +7

      He used an Android 4.0.4 device from Sony, which is a "little bit" newer than Gingerbread. It is entirely possible to do this with EMMC too - the controller in EMMC is not stand-alone and the main processor talks to it.
      Remember the "sudden death" epidemic that plagued the Galaxy SIII and Note 2? That was due to a bug in the EMMC code that ended up frying it if a particular function was called accidentally. Some phones (maybe 20%) could be recovered via a full flash (emergency boot card to put it into Download Mode and complete firmware with PIT file, then IMEI and network repair with z3x box or similar), but most of them had the EMMC fried, and would need a replacement EMMC plus the complete flashing and software repair process to come back to life. It's entirely possible that something like this could have actually been at the root of the issue.

  • @lucun_
    @lucun_ 10 years ago +4

    So SSDs are pretty much useless if this gets huge..

    • @YumekuiNeru
      @YumekuiNeru 10 years ago +4

      they first have to get in, right?

    • @jordanhanna6884
      @jordanhanna6884 9 years ago +2

      YumekuiNeru Exactly, that was his reason for talking about 0-Days, and how the real magic (and fun) is after you get in (hidden persistence).

  • @johannesyde4408
    @johannesyde4408 7 years ago

    So if I was making phones and selling phones, I would send out some code that fried the camera or digitizer 1 day after warranty ended.

  • @jaymolly2956
    @jaymolly2956 6 years ago

    *bow* great presentation

  • @Zei33
    @Zei33 10 years ago

    Damn that's some serious stuff.

  • @larva5606
    @larva5606 6 years ago

    This talk is siiiiiiiccckkkkkkkkk!!!!111!!!1!!!!!!!

  • @MariusLuding
    @MariusLuding 10 years ago

    Scary stuff...anyone looked at the git yet?

  • @AliSAhmad
    @AliSAhmad 3 years ago

    Holy. Shit.

  • @jt1122
    @jt1122 7 years ago

    Cool name

  • @akt67
    @akt67 4 years ago

    0 Day? anyone explain without flaming me...?

    • @nullvoid3545
      @nullvoid3545 3 years ago

      a bug or exploit in something that's been there since day 0 and hasn't been found yet.
      they're relatively common and malicious hackers often log them to sell to someone later for lots of money.

  • @archimedesworld3202
    @archimedesworld3202 10 years ago

    @BlasToise I get annoyed when people chew loudly but seriously can't you firkin compartmentalize that stuff. With all due respect it is super shallow. But I won't hold it against you some people can not filter out annoying repetition or anything else because of chemical imbalances, so in that case I would forgive you.
    Sorry I've heard people complain about swallowing in the middle of a quantum mechanics lecture and it was just so minor in comparison to the mind shattering reality of the subatomic world.

  • @Docko412
    @Docko412 10 years ago

    I'm actually downloading wargames as i watch this... funny

  • @jamesfewell2100
    @jamesfewell2100 4 years ago

    Can't stand when people say "oh" day and this dude's personality is extra corny. There isn't a single thing sexy about code. What he does is exceptional but he needs to mature on a personal level a whole lot as quickly as possible...

  • @user-rc9jf8ng2k
    @user-rc9jf8ng2k 7 years ago +1

    Drink some fucking water.

  • @mizoamazzo5511
    @mizoamazzo5511 7 years ago

    UMM UMM UMM UMM UMM UMM UMM

    • @snooks5607
      @snooks5607 7 years ago

      "oh days", "oh days", "oh days". that's a zero. guy can't read his own damn slides