I enjoy breaking things. Telco / mobile and IoT security.
Surfing the information super highway one keystroke at a time.
May 28 • 15 tweets • 5 min read
When pairing your mobile phone to that Wifi / Bluetooth device and it forces you to grant it location permissions, pause for a moment to think who may be the beneficiaries of this information.
Case in point:
The Dyson app refuses to pair to their devices such as this fan/heater/air purifier - unless you give in and give them your location data.
This is a premium product at a high price point. Surely they are not monetising this?
What’s the privacy policy say? …
Mar 26 • 19 tweets • 9 min read
If you needed yet another reason not to trust VPN providers or proxy services...
Here Facebook partnered with a bunch of companies to have root certificates installed on people's phones so they could intercept other apps' traffic.
I recently found two very interesting Linux binaries uploaded to Virustotal.
I call this malware 'GTPDOOR'.
GTPDOOR is a 'magic/wakeup' packet backdoor that uses a novel C2 transport protocol: GTP (GPRS Tunnelling Protocol), silently listening on the GRX network (1/n) 🧵
One version uploaded from 🇨🇳 has zero detections on VT. The other, uploaded from 🇮🇹 has just one detection.
These were uploaded 4 to 5 months ago.
(2/n)
Feb 20 • 17 tweets • 6 min read
The Chinese APT contractor leak contained a few interesting files; namely:
- CDRs (Call Detail Records)
- LBS (Location Based Services) db records
Threat actors compromise telcos with the aim to obtain subscriber metadata to support IC objectives.
Some background: (1/5)🧵
CDRs are primarily used for postpaid billing and reporting purposes. They are generated in various network elements and consolidated in mediation systems.
It's these central databases that are often targeted. Data for a subscriber is generated in many systems:
(2/5)
Feb 10 • 22 tweets • 9 min read
With the (fake) toothbrush botnet story still fresh, Colgate's connected Bluetooth toothbrush caught my eye on discount at the local supermarket.
"Hi there, let's get to know each other"
Sure, let's do this. What will we learn? (1/n) 👇
Happy to see that the Android app has responsibly requested the minimum permissions for BLE scanning. I kind of was expecting it to request my location for this which it didn't. (2/n)
Jul 23, 2023 • 48 tweets • 25 min read
This invasive Bluetooth car battery monitor was found to be sending the following location data to 🇨🇳
- GPS
- Wifi devices
- Cell phone towers
The Apple and Google app stores said no personal data was collected.
A new update has emerged. Let's see what was changed 👇(1/n)
Before we begin the investigation, a coverage map of where these devices have been found across planet earth.
Collected Bluetooth beacon data from reveals they are everywhere. There are likely hundreds of thousands of these roaming about.
A twitter user mentioned the mobile app for their “smart” wifi connected power plug was requesting their location.
The app has more than 1 million downloads.
Curious, I ordered the ‘Meross’ branded device and it’s just arrived.
What will we find? Let’s dig in ..🧵
Let's see how we can pair with the minimum amount of granted permissions.
Discover "nearby devices" with Bluetooth enabled is mandatory. It then prompts for precise and approx. location.
Hit deny.
We have to manually connect to the device - it's turned into a wifi AP.… https://t.co/fFQzvrJtLr
Jul 5, 2023 • 16 tweets • 8 min read
A friend asked me to find out why his connected lightbulb app was asking for his location, so I ducked out to Australia’s favourite hardware store, Bunnings, and grabbed one to check out.
The Android grid connect app has 500k+ downloads.
Let’s take a quick look! 🧵
(1/n)
The app has a feature where it can auto discover your BLE devices. Is location permission needed here? It depends. From Android API SDK v31 things have improved where fine location is not needed for BLE scanning.
The app is forcing this even though we are on v31.