Conference:  Defcon 31
Authors: Ryan Johnson (Senior Director, R&D at Quokka), Mohamed Elsabagh (Senior Director, R&D at Quokka), Angelos Stavrou (Founder and Chief Scientist at Quokka)
2023-08-01

Prepaid Android smartphones present an attractive option since they can be used and discarded at will without significant financial cost. The reasons for their use are manifold, although some people may use them to dissemble their true identity. Prepaid smartphones offer value, but there may be an additional "cost" for their cheap price. We present an examination of the local attack surface of 21 prepaid Android smartphones sold by American carriers (and 11 unlocked smartphones). While examining these devices, we discovered instances of arbitrary command execution in the context of a "system" user app, arbitrary AT command execution, arbitrary file write in the context of the Android System (i.e., "system_server"), arbitrary file read/write in the context of a "system" user app, programmatic factory reset, leakage of GPS coordinates to a loopback port, numerous exposures of non-resettable device identifiers to system properties, and more. The only user interaction that our threat model assumes is that the user installs and runs a third-party app that has no permissions or only a single "normal" level permission that is automatically granted to the third-party app upon installation. The installed third-party app can leverage flaws in pre-loaded software to escalate privileges to indirectly perform actions or obtain data while lacking the necessary privileges to do so directly. Due to a wide range of local interfaces with missing access control checks and inadequate input validation, a third-party app’s behavior is not truly circumscribed by the permissions that it requests. Due to the common inclusion of pre-loaded software from Android vendors, chipset manufacturers, carriers, and vendor partners, exploit code can have significant breadth. The inter-app communication used to exploit these vulnerabilities may be difficult to classify as inherently malicious in general since it uses the standard communication channels employed by non-malicious apps. 
We pick up again where we left off from our DEF CON 26 talk … raiding the prepaid Android smartphone aisles at Walmart. We provide another snapshot on the state of security for Android carrier devices. In this talk, we examine 21 different prepaid Android smartphones being sold by the major American carriers, and we also cover 11 unlocked Android devices, which are primarily ZTE smartphones. We identified vulnerabilities in multiple layers of the Android software stack. For each discovered vulnerability, we step through the attack requirements, access vector, and attack workflow in order to help developers and bug hunters identify common software flaws going forward.

Authors: Aparna Subramanian
2023-04-21

tldr - powered by Generative AI

The presentation discusses the use of Kubernetes as a solution for building an internal platform and evaluates its effectiveness from the perspective of platform engineering teams.
  • An internal platform is necessary to meet the expectations of application developers, business stakeholders, and platform engineers.
  • Before Kubernetes, building an internal platform required an army of experts and took many months to build.
  • Kubernetes was a perfect match for building an internal platform due to its scalability, reliability, resiliency, and extensibility.
  • Kubernetes has fulfilled its promise and is the engine of productivity for platform teams.
  • The CNCF end user developer experience community discusses all things related to building and operating a Kubernetes platform.

Authors: Mateusz Pruchniak
2022-05-18

tldr - powered by Generative AI

The presentation discusses the use of cloud native tools and approach to build systems compliant with guidelines and regulations in the financial industry.
  • The speaker discusses the importance of finding the border between what is cloud agnostic and what is not.
  • Risk assessment is a time-consuming but crucial part of building compliant systems.
  • Exit strategies should be comprehensive, documented, and sufficiently tested.
  • Governance is important and a cloud center of excellence team can help with risk assessment and exit plan creation.
  • Reference architecture for cloud native design and development is discussed.