Huawei Spying

xandstorm
Member
 

Re: Huawei Spying

Posted: Feb 05, 19 14:03

- TinyBrain

The forensic question remains. How can this be detected?


No offence whatsoever taken.

I don't think this is possible in a forensically sound manner.
At least not for us outsiders.

What is agreed upon in a QOS or SLA agreement is one thing, what's on a nation state controlled telco's hidden agenda is another.
In all honesty, the only way you might get some answers is to recruit someone within the technical department of the telco in question. Which is a totally different ballgame than digital forensics.

Saludos,
Lex  
 
  

UnallocatedClusters
Senior Member
 

Re: Huawei Spying

Posted: Feb 05, 19 19:46

Hello all,

Thoughts on forensic analysis vectors:

1. On smartphones, identify which processes are running at the time smartphone evidence is being accessed and converted to an encrypted text file on the smartphone itself by "malware".

2. On smartphones, identify the specific folder location and file name under which the encrypted stolen evidence is being stored on the smartphone.

I saw an excellent SANS video recently wherein the expert analyst was describing how she had to use multiple text decoders to "unmask" the text file data being exfiltrated and to which IP address. The malware authors had used Base64, then Base32, then some other text conversion method, so basically, what originally appears as nonsense characters in the file is unmasked as plain English text after being converted correctly.

** Has anyone tried one of these tools on a smartphone forensic extraction?:

cuckoosandbox.org/

www.lastline.com/solut...nspection/

** Has anyone tried placing a smartphone in a "sandbox" environment? Is sandbox software even applicable to smartphones?
 
  

TinyBrain
Senior Member
 

Re: Huawei Spying

Posted: Feb 08, 19 04:24

Lex, you are right somehow but we here think differently.

Spying nowadays is like finding a tiny fish in a data ocean. As long as he swims in open water it's hard to find, but the gate we look for is where he goes home and who he is gonna meet.

A large R&D institution with Paul in its name has a huge datacenter and is highly protected. Normally after installation no manufacturer support is required and all keys are handed over to the IT guys for security reasons. And there we got involved. Employees are free to BYOD and run OWA for UCC. The device in question was a Huawei P20 Pro.

For good reasons an engineer travelled to P.R.C. to join a conference. Mysteriously, while she was in P.R.C., during night times her device did not charge properly. So far so good; she thought about a broken charger, but it was not broken. This woman is blessed by sleeping well, but the third night she woke unexpectedly at 02:00h local time and recognised that her device was very hot. She had a T-Mobile SIM card in roaming state with unlimited data plan. In P.R.C. she was connected to China Mobile in roaming state.

And this SIM is in our lab.
 
  

UnallocatedClusters
Senior Member
 

Re: Huawei Spying

Posted: Feb 08, 19 05:02

On a smartphone, are there equivalents of computer Ports?

On smartphones are there the equivalents of Windows processes?

I saw one SANS video wherein the malware used a basic Windows process to send data to a specific IP address. The malware code was obscured by multiple layers of text encoding, but a well-crafted Perl script was able to turn the malware to plain text, thus unmasking the Windows PowerShell command and remote unfriendly IP server address.

Question: could one use a Harris Corporation Stingray device to trick your Huawei phone and SIM card into thinking the phone was pinging a Chinese cell tower?

I have never personally done it before but I bet I could dissect a Cellebrite extraction of your Huawei phone and compare a timeline of phone activity to data being captured by the Stingray to match specific transmissions to specific time points to specific file activity on the phone. Perhaps a chip off extraction performed as well to see if there are any embedded systems on a chip located on the phone’s motherboard that might bypass Android or iOS.  
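The "multiple layers of text encoding" peeled off by hand in the two SANS anecdotes above (Base64, then Base32, then another conversion) can be handled by a small loop that keeps decoding until the data no longer looks encoded. This is an added example for this thread, not code from any poster, SANS or a tool vendor; the sample blob and the 203.0.113.45 address (RFC 5737 documentation range) are constructed here.

```python
import base64
import binascii
import re

# Candidate layers, most restrictive alphabet first: a Base32 string uses a
# subset of the Base64 alphabet, so trying Base64 first would mis-decode it.
DECODERS = [
    ("hex",    re.compile(rb"(?:[0-9A-Fa-f]{2})+"), binascii.unhexlify),
    ("base32", re.compile(rb"[A-Z2-7]+={0,6}"),     base64.b32decode),
    ("base64", re.compile(rb"[A-Za-z0-9+/]+={0,2}"),
               lambda s: base64.b64decode(s, validate=True)),
]


def unmask(blob: bytes, max_layers: int = 10) -> tuple[bytes, list[str]]:
    """Strip text-encoding layers until nothing matches any more.

    Returns the recovered bytes and the layer names removed, outermost first.
    max_layers guards against a blob whose decoded form keeps re-matching."""
    current = blob.strip()
    layers: list[str] = []
    for _ in range(max_layers):
        for name, pattern, decode in DECODERS:
            if not pattern.fullmatch(current):
                continue
            try:
                decoded = decode(current)
            except (binascii.Error, ValueError):
                continue        # alphabet matched but length/padding did not
            if not decoded or decoded == current:
                continue
            layers.append(name)
            current = decoded.strip()
            break
        else:
            break               # no decoder matched: this is the final layer
    return current, layers


# Constructed sample: Base64 applied first, then Base32 (the order described
# in the thread), so decoding peels Base32 first and Base64 second.
PLAINTEXT = b"status report sent to 203.0.113.45"
SAMPLE = base64.b32encode(base64.b64encode(PLAINTEXT))

if __name__ == "__main__":
    recovered, layers = unmask(SAMPLE)
    print(layers, recovered)   # ['base32', 'base64'] b'status report sent to 203.0.113.45'
```

The alphabet heuristics are deliberately greedy (a short all-hex token is treated as hex first), so on real extractions the list of layers is a starting point to verify, not a proof of what the author used.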
 
  

TinyBrain
Senior Member
 

Re: Huawei Spying

Posted: Feb 08, 19 05:29

Good questions, really. I am just a cryptographer.

It's a plain-sight problem, and the risk of searching too far away is the biggest problem.
 
  

xandstorm
Member
 

Re: Huawei Spying

Posted: Feb 09, 19 02:27

- TinyBrain

For good reasons an engineer travelled to P.R.C. to join a conference. Mysteriously, while she was in P.R.C., during night times her device did not charge properly. So far so good; she thought about a broken charger, but it was not broken. This woman is blessed by sleeping well, but the third night she woke unexpectedly at 02:00h local time and recognised that her device was very hot. She had a T-Mobile SIM card in roaming state with unlimited data plan. In P.R.C. she was connected to China Mobile in roaming state.

And this SIM is in our lab.


I know us techies have a tendency to exclusively assess matters from our technical fields of expertise and solve our puzzles like that. We need, however, to take into consideration that technology was, and still is, just a supportive matter when it comes to spying on an emphatically targeted single person.

There are many non technical factors in this specific scenario that we should take into consideration as well.

From the defensive perspective, the primary question here could be: how plausible is it to specifically target this particular person for espionage purposes? The next question would be: does the country she is traveling to have both the capabilities and intentions to acquire the data we are trying to protect? There is a big difference between targeting 1 specific person and acquiring general phone usage related data for big data analysis by retail organizations following their customers based on phone usage.

On the offensive side, the alleged aggressor(s) will have asked themselves the same question. Will it pay off to specifically target this person? You can have all the technology and data acquisition means in the world, spy on everything and everyone; however, the big dilemma is, you need to process and analyse all that acquired data. When it comes to targeting a specific person, determining the intrinsic value of what you actually acquired is still a manual process.

What I am trying to say here is that in the event the aggressors have determined your engineer is worth being spied upon, there are most likely more efforts pending or already executed to "bring her home" than just trying to get into her phone. The phone issue is just 1 of probably multiple efforts / actions to acquire the confidential data she has under her control.

From the technical perspective, were you able to determine if the charging related malfunctioning and heat issues could be related to anything else than an offensive attempt to acquire data from and / or access to the device in question? This could in essence be nothing more than an ordinary battery malfunction issue.

On a more general note, if your customer, by the nature of their business, could be the target of nation state initiated economic espionage, my advice would be to contact the responsible intelligence or security service. For your country that would probably be the FIS.

Saludos,
Lex  
 
  

UnallocatedClusters
Senior Member
 

Re: Huawei Spying

Posted: Feb 09, 19 03:30

A better question perhaps is why your client did not travel to PRC with burner phones and computers?

I have been told to assume one's electronic devices will be compromised and copied upon entry to the PRC in an automated fashion.

A very capable Android smartphone and laptop computer can both be purchased for a total of US$300.00 (banggood dot com or gearbest dot com).

What if your client's Huawei phone has a chip built in, that once connected to the PRC domestic Internet, generates a mobile backup automatically?

To assume your client was singled out by the PRC, without any supporting evidence, is a bit weak, in my opinion.

An even better question would be what specific Intellectual Property (IP) your client took to the PRC on their laptop and Huawei phone?

IP can be defined as something which the IP owner takes reasonable steps to protect such as future prototype CAD drawing files.

"Not-IP" can be defined as the company's founder's mother's chocolate chip recipe that the company gives out for free to customers.

Personally, I would be much more concerned to find out my company's future business prototype was exfiltrated.

If you use Oxygen/Cellebrite/XRY/BlackLight to collect your client's Huawei phone, you should look at both human generated and system generated file system activities, logs, SQLite database files, data transmission logs UP 3.5 kb / DOWN 4.5 kb for the night your client was in her hotel room in the PRC.

If your client's phone held a 500 MB AutoCAD .DWG file of the company's future product, then examine that file and any interaction which may have taken place with that file on the phone during the nights in the PRC hotel.

** I know next to nothing about Cryptography - what should members here at Forensicfocus.com know about Cryptography forensics?  
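The analysis vector proposed in this post and the earlier one (correlate per-app transfer volumes for the hotel nights with file-system activity on the same timeline, e.g. interaction with a large .DWG file) is sketched below as an added example, not code from any poster or from Oxygen/Cellebrite/XRY/BlackLight. All records, paths, package names (com.example.sync) and byte counts are constructed; a real extraction would supply these from its file-system timeline and data-usage tables.

```python
from datetime import datetime, timedelta

# Constructed sample records standing in for an extraction's file-system
# timeline and per-app data-usage log. Local hotel time. Not real case data.
FILE_EVENTS = [  # (local time, path, action)
    ("2019-01-15 22:10", "/sdcard/Download/prototype_v3.dwg", "open"),
    ("2019-01-16 02:03", "/sdcard/Download/prototype_v3.dwg", "open"),
    ("2019-01-16 02:04", "/data/data/com.example.sync/cache/blob.tmp", "write"),
    ("2019-01-16 09:30", "/sdcard/DCIM/IMG_0042.jpg", "open"),
]
NET_EVENTS = [  # (local time, package, bytes_up, bytes_down)
    ("2019-01-15 22:12", "com.android.chrome", 3_500, 4_500),
    ("2019-01-16 02:05", "com.example.sync", 524_000_000, 12_000),
    ("2019-01-16 09:31", "com.android.chrome", 20_000, 900_000),
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def night_upload_bursts(net_events, file_events, night_hours=(0, 5),
                        up_down_ratio=10, window_minutes=5):
    """Flag upload-dominated transfers in the night window and list the files
    touched in the minutes leading up to each one.

    Returns [(time, package, bytes_up, [paths touched in window])]. Normal
    browsing is download-heavy, so a burst sending far more than it receives
    while the owner is asleep is what the thread suggests looking for."""
    findings = []
    for when, package, up, down in net_events:
        t = _ts(when)
        in_night = night_hours[0] <= t.hour < night_hours[1]
        upload_heavy = up > up_down_ratio * max(down, 1)
        if not (in_night and upload_heavy):
            continue
        window_start = t - timedelta(minutes=window_minutes)
        touched = [path for fwhen, path, _ in file_events
                   if window_start <= _ts(fwhen) <= t]
        findings.append((when, package, up, touched))
    return findings


if __name__ == "__main__":
    for when, package, up, touched in night_upload_bursts(NET_EVENTS, FILE_EVENTS):
        print(f"{when} {package} sent {up} bytes; files touched before: {touched}")
```

A hit only shows temporal proximity; whether the flagged app actually read the file still has to be established from the app's own databases or its cache contents.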
 

Page 2 of 5