Forensic Blogs

An aggregator for digital forensics blogs

April 30, 2020 by LCDI

Researching IoT Devices

Art depicting the connectivity of common devices

Introduction

It is safe to say that everyone is constantly connected, through our smartphones, social media accounts, and even smart homes. Every day, more and more innovative devices are released to the public. Any device that is able to have a relationship with another is part of the Internet of Things (IoT). Forbes goes so far as to state that “the relationship will be between people-people, people-things, and things-things”. While these devices offer easy-to-use functionality and instant access to information, how secure are they? In this blog, students at the Leahy Center will review some common devices and discuss some of their vulnerabilities.

IoT Smart Locks

Smart locks are great for remote access to your home’s doors. They offer a faster way to open them and allow a user to keep a record of each action. However, Katie Hopkins, part of the IoT research team, is in the midst of a deep dive into smart lock vulnerabilities, discovering how a device that is supposed to keep your home secure can be made vulnerable to hackers. Her research was specifically on Kwikset Kevo Smart Lock devices. Despite how secure one may think these devices are, Katie found vulnerabilities that may subvert that expectation.

Image of a smart lock

Some vulnerabilities are very simple, such as a denial of service attack using a smartphone. The InfoSec Handbook, a guide to network security concepts, offers a useful definition. A denial of service attack is one that limits or rejects access due to an overflow of data from an outside device. In this case, an attacker can use the Kevo app to send large amounts of open/close requests to the lock. This confuses the device and causes it to not react to a physical key that comes with the device. Another vulnerability is that the lock’s batteries only last about two weeks. This leaves a window of opportunity for an attacker to gain control of the lock.

Some companies also claim that they encrypt passwords for these devices but end up not doing so; great information for a hacker, bad news for you! There are many more ways to exploit these devices, but these are just a few of the simpler ones. NewSky Security wrote a blog post that breaks down more exploits in detail.

Overall, these locks may be useful for securing your home, but their functionality causes new problems.

Google Home

One of the landmark accomplishments in smart devices has to be the creation of personal assistants. One of the more sophisticated virtual helpers is Google Assistant, a competitor to Apple’s Siri and Amazon’s Alexa personal assistants. This software can exist on most devices with a microphone and a speaker since Google Assistant interacts through voice. The user may give the device commands such as, “set an alarm”, or “open my garage door”.

Google Assistant can also interact with your other smart devices in a smart home. To do this, one can purchase a Google Home. Home runs the Google Assistant software and serves as a hub for all your smart devices. 

Image of a Google Home

IoT team member Joe McCormack has been doing research on the Google Home and did not find as many vulnerabilities with the software or hardware as Katie found in her research of the smart locks. But, just like the Kevo Smart Locks, there is always a flaw. A group at the University of Michigan discovered that the process which takes input from the microphone and translates it into commands for the Google Assistant to execute can be exploited. By using a low-powered laser, an attacker can shine different frequencies into the Google Home’s microphone and execute commands without a sound. This means a criminal can do things like disarm smart home security systems and open smart locks silently. The technology required to do this is fairly complex but can be used by anyone with the proper knowledge.

D-Link WiFi Camera

The best way to catch a criminal is to actually see them in the act of a crime. It is also common for parents to keep an eye on their children while they are working or are left with a babysitter. Security cameras are a great way to automatically record the happenings of an area. Most come with motion detection, night vision, and the ability to record entire days’ worth of footage. One camera that the IoT Security team has been researching is from D-Link, a reputable manufacturer that specializes in network devices, including security cameras. The D-Link WiFi Camera model (DCS-5030L) is a cheap and effective way to monitor your home or office, but if the user does not update the camera regularly, there can be trouble.

Image of a D-Link wifi camera

Someone who is familiar with code can find specific files online that allow unauthorized access to the camera. That means that a person can gain control of the camera, look at recordings saved in the memory, and even move the position of the camera. However, it is actually pretty easy to prevent an attack. All you have to do is keep your firmware updated as D-Link has fixed many security issues over the lifespan of the device. This is normally the case for many devices.

Conclusion

There are vulnerabilities in most, if not all, of the IoT devices that you might use in your home. A capable hacker can exploit devices that you use every day, from your smart door lock to your smart refrigerator. We must be more aware of the issues that are present with new and exciting technology or our personal data could be compromised. It is always good to keep the device’s firmware up to date and have strong network security. By fortifying your devices and the network they reside on, you can prevent the possibility of an attacker taking control of your smart home, smart camera, or any other smart device. For the sake of your personal information, physical security, as well as privacy, remember that the convenience that smart devices offer might not be worth the risk.

The post Researching IoT Devices appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity

Filed Under: Digital Forensics, Uncategorized

Tagged With: Application Analysis, Bluetooth Security, Digital forensics, DoS, Exploration Forensics, Internet of Things, IoT, Mobile App Analysis, mobile applications, security, Student Work, Tips

March 31, 2017 by Sara Martin

Mobile App Analysis Part 4

Introduction

The Mobile Application Forensics team has begun to wrap up analysis on their second mobile app, Bumble, and is getting ready to move on to their next set of mobile apps, Facebook Lite for Android and the Weather Channel App for iOS. During analysis, both the iOS and Android teams found important digital artifacts left behind by Bumble, which can be viewed in the Analysis section of this blog.

As we have already reached the halfway mark of the school semester, our plan is to examine two more mobile applications within the next month. The iOS team plans to look into the Weather Channel mobile app and Tumblr, and the Android team plans to look at Facebook Lite and Strava.

Analysis iOS

To find artifacts created by Bumble, the iOS team used UFED to image the iPad Air, and UFED Physical Analyzer to parse through the image. Data for Bumble was located in Sam’s iPad/Applications/com.moxco.bumble. Within /com.moxco.bumble, there is a /Documents/yap-database.sqlite/database2 database, which contained pLists for the Bumble account. Within this database, we found the username for the Bumble account “Sam” within the userName pList, and the user ID “1409166234” for Sam in the userID pList. Both of these pLists can be viewed below.

Within the /yap-database.sqlite/database2 database, we also found a settings pList which contained settings information for generating a list of potential Bumble matches. Within this pList, we found keys for the user’s preferred age group (“fromAgeValue” and “toAgeValue”), the radius, in miles, that the user set to search for matches (“distance”), whether the user had VIBee enabled (“vibeeEnabled”), and the user’s preferred gender (“femaleShown” and “maleShown”).

The “fromAgeValue” and “toAgeValue” keys, defined in years, determine how many years below/above their current age the user wants to go. The value for “distance”, represented in miles, sets the maximum radius for people that get added to the user’s search list. The “vibeeEnabled” key shows whether the user has VIBee status or not. The VIBee feature is designed to connect users who have had positive interactions on Bumble. The “femaleShown” and “maleShown” keys set whether the account is looking for a male or female match. The settings pList can be viewed below.

Also within the /yap-database.sqlite/database2 database, we found a pList titled lastLocation, which contained information regarding the last location Bumble logged for our user. This pList can be viewed below.
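The extraction described above can be scripted once the database has been exported from the image. The following is an added example, not the team's own tooling: it assumes a `database2` table with `key` and `data` columns holding plain plist blobs (the post does not give the schema), and it runs against a constructed in-memory database whose sample values mirror the ones quoted in the post.

```python
import plistlib
import sqlite3
from xml.parsers.expat import ExpatError

# Keys the post lists for the "settings" pList.
SETTINGS_KEYS = ("fromAgeValue", "toAgeValue", "distance",
                 "vibeeEnabled", "femaleShown", "maleShown")


def build_sample_db():
    """Constructed stand-in for yap-database.sqlite; all values are sample data."""
    con = sqlite3.connect(":memory:")
    # Assumed layout: one row per stored object, plist bytes in a BLOB column.
    con.execute("CREATE TABLE database2 (key TEXT, data BLOB)")
    rows = {
        "userName": "Sam",
        "userID": "1409166234",
        "settings": {"fromAgeValue": 3, "toAgeValue": 5, "distance": 25,
                     "vibeeEnabled": False, "femaleShown": True,
                     "maleShown": False},
    }
    for key, value in rows.items():
        blob = plistlib.dumps(value, fmt=plistlib.FMT_BINARY)
        con.execute("INSERT INTO database2 VALUES (?, ?)", (key, blob))
    # A damaged row, to show that one bad blob must not stop the extraction.
    con.execute("INSERT INTO database2 VALUES (?, ?)", ("corrupt", b"not a plist"))
    return con


def extract_plists(con):
    """Return ({key: parsed plist}, [keys whose blob could not be parsed])."""
    parsed, failed = {}, []
    for key, blob in con.execute("SELECT key, data FROM database2 ORDER BY rowid"):
        try:
            parsed[key] = plistlib.loads(bytes(blob))
        except (ValueError, ExpatError):  # InvalidFileException is a ValueError
            failed.append(key)
    return parsed, failed


def summarize_settings(settings):
    """Report the match-preference keys, marking any the plist lacks."""
    return {k: settings.get(k, "<missing>") for k in SETTINGS_KEYS}


if __name__ == "__main__":
    plists, bad = extract_plists(build_sample_db())
    print(plists["userName"], plists["userID"], summarize_settings(plists["settings"]))
    print("unparsed rows:", bad)
```

Rows that fail to parse are reported rather than skipped silently, so an examiner can go back to them by hand.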

Android

The Android team found all of their digital artifacts within the com.bumble.app folder inside userdata/Root/data. Within com.bumble.app are three subdirectories (com.bumble.app/files, com.bumble.app/databases, and com.bumble.app/cache) that held the most information relevant for a mobile investigation. The first subdirectory we are going to look at is com.bumble.app/files.

com.bumble.app/files

Within the com.bumble.app/files folder was a document titled c2V0dGluZ3M=, or “settings” (running c2V0dGluZ3M= through a base64 converter decodes it to “settings”). Inside the settings file, we found profile information such as the user’s username, user’s date of birth, user ID, email associated with the account, and a link to the user’s profile image. Inside this file, there was also information regarding the user’s preferred language and country on profile. From this, we concluded that the files stored within the /files directory contain user information. Below is a screenshot of the user ID we found within the /settings file inside the com.bumble.app/files folder.
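Base64-encoded file names like this one are easy to overlook in a directory listing, and ordinary names such as `data` are themselves valid base64. The following added example (not from the original post) triages a constructed listing and keeps only names that decode to readable text; accepting the URL-safe alphabet as well is an assumption that goes beyond the single name shown above.

```python
import base64
import string

# Characters we accept in a decoded name; anything else is treated as binary noise.
READABLE = set(string.ascii_letters + string.digits + "._- ")


def decode_b64_name(name):
    """Return the decoded text if `name` is plausibly base64-encoded text, else None."""
    if len(name) < 4 or len(name) % 4 != 0:
        return None  # padded base64 always has a length that is a multiple of 4
    try:
        # altchars lets "-" and "_" stand in for "+" and "/" (URL-safe variant).
        raw = base64.b64decode(name, altchars=b"-_", validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None  # e.g. "data" is valid base64 but decodes to binary bytes
    if not text or any(ch not in READABLE for ch in text):
        return None
    return text


def triage(filenames):
    """Map each encoded-looking file name to its decoded form."""
    found = {}
    for name in filenames:
        decoded = decode_b64_name(name)
        if decoded is not None:
            found[name] = decoded
    return found


if __name__ == "__main__":
    # Constructed listing: the encoded name from the post plus ordinary names.
    listing = ["c2V0dGluZ3M=", "data", "cache", "badoo.db", "shared_prefs"]
    for encoded, decoded in triage(listing).items():
        print(f"{encoded} -> {decoded}")
```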

com.bumble.app/databases

Within the badoo.db database inside com.bumble.app/databases, we were able to recover the messages sent from the Nexus 5x to the Google Pixel. Along with text-based messages, we were able to see that an image was sent from the Nexus 5x to the Pixel, along with the location of that image on our mobile device. Using the user ID we found in the settings file within the /files folder, we were able to pick out who sent what message. Below is an image showing the badoo.db database within userdata/Root/data/com.bumble.app/databases that contained the text messages we sent, along with sender and recipient information, and timestamp information.

com.bumble.app/cache

Within the com.bumble.app/cache folder, we found two folders (/decorator and /downloader) and a file that contained links to images on our user’s profile. The /decorator folder contained images that the user directly interacted with, e.g., images sent or received through Bumble, and images stored on the profile the user interacted with. The /downloader folder contained all the images the user saw while they were using the app. Below is an image that was stored inside the /decorator folder, which our user received from the Bumble user on the Google Pixel.

Within the /downloader folder were all the images the user saw the last time they used the app. This includes the profile pictures of other users we saw when using the app. For privacy reasons, a screenshot of this will not be included in this report.

Conclusion

The iOS team found most of their data within pLists inside the /yap-database.sqlite/database2 database in /Applications/com.moxco.bumble. By examining the /yap-database.sqlite/database2 database, the iOS team was able to recover username information, the user’s ID, the user’s last known location, and account preferences set by the user. Although the iOS team was able to find a lot, we were unable to find any of the messages sent or received through Bumble.

The Android team was able to find user account data on Bumble, chat data, and images associated with our account, and the accounts we interacted with.

With the Mobile Application Forensics team wrapping up analysis on Bumble and shifting their focus to their third set of apps, we hope to publish an interesting and informative report at the end of the semester. Stay tuned!

Questions or comments? Please share with us in the comment section below! You can also reach out to our Twitter and Facebook or email us at lcdi@champlain.edu.

The post Mobile App Analysis Part 4 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized

Tagged With: applications, Blog Post, Bumble, Champlain College, computer forensics, Digital forensics, Digital Investigation, forensics, LCDI, Mobile, mobile app, Mobile App Analysis, Mobile App Forensics, mobile applications, Projects, Student Work, Update

March 22, 2017 by LCDI

Mobile App Analysis Part 3

Introduction The Mobile Application Forensics team is wrapping up analysis on Signal by Open Whisper Systems, and is starting data generation on the new mobile dating app, Bumble. The iOS team, unfortunately, did not find many artifacts left by Signal. The Android team had better luck, and found some interesting artifacts as seen below. Signal […]

The post Mobile App Analysis Part 3 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized

Tagged With: Android, app, applications, Apps, Blog Post, Bumble, Champlain College, computer forensics, Digital forensics, Digital Investigation, forensics, iOS, LCDI, Mobile, mobile app, Mobile App Analysis, Mobile App Forensics, mobile applications, Open Whisper, Open Whisper Signal, Open Whisper's Signal, Projects, Signal, Student Work, Update


All content is copyright the respective author(s)