-
Grand Theft App: Digital Forensics of Vehicle Assistant Apps
Authors:
Simon Ebbers,
Fabian Ising,
Christoph Saatjohann,
Sebastian Schinzel
Abstract:
Due to the increasing connectivity of modern vehicles, collected data is no longer only stored in the vehicle itself but also transmitted to car manufacturers and vehicle assistant apps. This development opens up new possibilities for digital forensics in criminal investigations involving modern vehicles. This paper deals with the digital forensic analysis of vehicle assistant apps of eight car ma…
▽ More
Due to the increasing connectivity of modern vehicles, collected data is no longer only stored in the vehicle itself but also transmitted to car manufacturers and vehicle assistant apps. This development opens up new possibilities for digital forensics in criminal investigations involving modern vehicles. This paper deals with the digital forensic analysis of vehicle assistant apps of eight car manufacturers. We reconstruct the driver's activities based on the data stored on the smartphones and in the manufacturer's backend.
For this purpose, data of the Android and iOS apps of the car manufacturers Audi, BMW, Ford, Mercedes, Opel, Seat, Tesla, and Volkswagen were extracted from the smartphone and examined using digital forensic methods in accordance with lawful government-approved forensics guidelines. Additionally, manufacturer data was retrieved using Subject Access Requests. Using the extensive data gathered, we successfully reconstruct trips and refueling processes, determine parking positions and duration, and track the locking and unlocking of the vehicle.
These findings show that the digital forensic investigation of smartphone applications is a useful addition to vehicle forensics and should therefore be taken into account in the strategic preparation of future digital forensic investigations.
△ Less
Submitted 9 June, 2021;
originally announced June 2021.
-
CORSICA: Cross-Origin Web Service Identification
Authors:
Christian Dresen,
Fabian Ising,
Damian Poddebniak,
Tobias Kappert,
Thorsten Holz,
Sebastian Schinzel
Abstract:
Vulnerabilities in private networks are difficult to detect for attackers outside of the network. While there are known methods for port scanning internal hosts that work by luring unwitting internal users to an external web page that hosts malicious JavaScript code, no such method for detailed and precise service identification is known. The reason is that the Same Origin Policy (SOP) prevents ac…
▽ More
Vulnerabilities in private networks are difficult to detect for attackers outside of the network. While there are known methods for port scanning internal hosts that work by luring unwitting internal users to an external web page that hosts malicious JavaScript code, no such method for detailed and precise service identification is known. The reason is that the Same Origin Policy (SOP) prevents access to HTTP responses of other origins by default. We perform a structured analysis of loopholes in the SOP that can be used to identify web applications across network boundaries. For this, we analyze HTML5, CSS, and JavaScript features of standard-compliant web browsers that may leak sensitive information about cross-origin content. The results reveal several novel techniques, including leaking JavaScript function names or styles of cross-origin requests that are available in all common browsers. We implement and test these techniques in a tool called CORSICA. It can successfully identify 31 of 42 (74%) of web services running on different IoT devices as well as the version numbers of the four most widely used content management systems WordPress, Drupal, Joomla, and TYPO3. CORSICA can also determine the patch level on average down to three versions (WordPress), six versions (Drupal), two versions (Joomla), and four versions (TYPO3) with only ten requests on average. Furthermore, CORSICA is able to identify 48 WordPress plugins containing 65 vulnerabilities. Finally, we analyze mitigation strategies and show that the proposed but not yet implemented strategies Cross-Origin Resource Policy (CORP)} and Sec-Metadata would prevent our identification techniques.
△ Less
Submitted 2 April, 2020;
originally announced April 2020.
-
Re: What's Up Johnny? -- Covert Content Attacks on Email End-to-End Encryption
Authors:
Jens Müller,
Marcus Brinkmann,
Damian Poddebniak,
Sebastian Schinzel,
Jörg Schwenk
Abstract:
We show practical attacks against OpenPGP and S/MIME encryption and digital signatures in the context of email. Instead of targeting the underlying cryptographic primitives, our attacks abuse legitimate features of the MIME standard and HTML, as supported by email clients, to deceive the user regarding the actual message content. We demonstrate how the attacker can unknowingly abuse the user as a…
▽ More
We show practical attacks against OpenPGP and S/MIME encryption and digital signatures in the context of email. Instead of targeting the underlying cryptographic primitives, our attacks abuse legitimate features of the MIME standard and HTML, as supported by email clients, to deceive the user regarding the actual message content. We demonstrate how the attacker can unknowingly abuse the user as a decryption oracle by replying to an unsuspicious looking email. Using this technique, the plaintext of hundreds of encrypted emails can be leaked at once. Furthermore, we show how users could be tricked into signing arbitrary text by replying to emails containing CSS conditional rules. An evaluation shows that 17 out of 19 OpenPGP-capable email clients, as well as 21 out of 22 clients supporting S/MIME, are vulnerable to at least one attack. We provide different countermeasures and discuss their advantages and disadvantages.
△ Less
Submitted 17 April, 2019; v1 submitted 16 April, 2019;
originally announced April 2019.
