Year in Review

I noticed I haven't posted anything new here for some time and wanted to start off with a retrospective on the last year and a look at some upcoming projects.

In 2014 I moved to a new job with a company which specialises in breaking security for clients in a wide range of fields and technologies. The change was good, to say the least. As much as I love the mobile app security field, with a fresh perspective on it I can see that the reality of its security problems belies the noise companies and researchers are making about it. It simply pales into insignificance when compared with the security challenges most clients are faced with. Still, there is no doubt mobile will continue to evolve and play a more important role in the future, and so it behoves us to stay current with mobile app security research and best practices, and perhaps even to develop some legitimate and realistic techniques for network penetration via mobile which can form part of red-teaming assignments.

Once the work/life balance had returned to normal I was able to resume some favourite pastimes. Below you can see a photo of my hand-built T-Copter almost finished and ready to fly. I have since finished the build and tuned it. It flies very fast and smooth!

T-Copter

The frame is made out of thin plywood and the arms are square wooden dowel. Wood is lightweight enough, absorbs vibrations, and is inexpensive to replace. 3D diagrams of the parts needed for the frame can be found in my GitHub project.

My old Bank Vault hacking challenge got a complete revamp. It was rewritten in Python to emulate a Linux system with some more interesting challenges. This ran on a Raspberry Pi integrated with a real steel safe, and participants connected via SSH and attempted to escalate privileges and unlock it. Below you can see it under construction.

Pi-Vault

This challenge was used at the company stand for the 2014 44CON security conference in London. In the photo below you can see the legendary CTFer @psifertex taking part (and subsequently winning!).

Pi-Vault CTF

I also enjoyed spending time with my wife over the last year as we explored the British countryside, beaches and history:

Leafy Arch

Beach

Looking forward to this year, I have a couple of projects I'm in the middle of. Firstly, I'm part way through my build of a solder reflow oven to make surface-mount projects easier. It is nothing that hasn't been done before. Secondly, I've been designing a hardware password/key safe to keep my passwords, encryption keys and OTP tokens offline. It is the size of a credit card, has an OLED screen, capacitive touch buttons, and uses a hardware crypto chip. I got some hardware crypto chips from Atmel in my latest package of samples and I'm testing out one which I can use for on-device PBKDF2-SHA256 to generate a key to decrypt the flash storage.
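The unlock step for a password safe like the one above, as an added example and not the device's firmware: the PIN is stretched with PBKDF2-HMAC-SHA256 over a per-device salt into an encryption key and a separate MAC key, the MAC is checked before anything is decrypted so that a wrong PIN (or a tampered flash image) is reported rather than yielding garbage secrets, and only then is the stored blob decrypted. The iteration count, the blob layout (salt, nonce, ciphertext, tag) and the HMAC-SHA256 counter-mode keystream standing in for the AES a crypto chip would provide are all assumptions made so the example runs with nothing but the Python standard library.

```python
import hashlib
import hmac
import os
import struct

# Assumed values: on a microcontroller the iteration count would be tuned
# to how long one unlock may take, since it is also the attacker's cost per PIN guess.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16
NONCE_LEN = 16
KEY_LEN = 32
TAG_LEN = 32


def derive_keys(pin, salt, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256 stretches the PIN into 64 bytes, split into an
    encryption key and an independent MAC key (never reuse one key for both)."""
    master = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations, dklen=2 * KEY_LEN)
    return master[:KEY_LEN], master[KEY_LEN:]


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream built from HMAC-SHA256(enc_key, nonce || counter).
    # This is a stand-in for AES so the example stays stdlib-only (assumption).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(pin, plaintext, salt=None, nonce=None):
    """Encrypt-then-MAC a secret for storage in flash. Returns salt||nonce||ct||tag."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    enc_key, mac_key = derive_keys(pin, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_blob(pin, blob):
    """Verify the tag first; return the plaintext, or None on wrong PIN / tampering."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(pin, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    # Constant-time comparison: the tag check must not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    # Constructed sample secret, not a real token seed.
    stored = seal("1234", b"otp-seed:JBSWY3DPEHPK3PXP")
    print("correct PIN:", open_blob("1234", stored))
    print("wrong PIN:  ", open_blob("1235", stored))
```

The caveat worth keeping in mind is that PBKDF2 only raises the cost of each guess: someone who dumps the flash and is faced with a short numeric PIN still has a small search space, so the iteration count should be as high as the device can afford per unlock, and the authenticated layout above is what turns a wrong guess into a clean failure instead of a silently wrong key.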

Mobile Hackers on Tour!

In February I find myself in South Korea for an on-site mobile security engagement. We have a great, hard-working team here. On our only day off we decided we had to go to Gangnam, as the Gangnam Style craze had just taken off back home.

Gangnam Style!

DEF CON 20 Talk - Into the Droid

I was honoured to be a speaker at the 20th anniversary of DEF CON in Las Vegas. My talk was about how to get into Android devices from a hacker/forensic perspective and extract the data. Video below.

View the slides at Speaker Deck and some source code on GitHub.

Interview with BBC Watchdog about contactless cards

After the Channel 4 News piece, the BBC wanted to film a Watchdog segment about it, including a live demonstration of lifting someone's details in a crowded place. Video below.

Source code wasn't released, but check out this related project on GitHub.