What is encryption, anyway?

When we stand in front of someone and speak to that privileged individual “in real life,” we are generally aware of our environment.

We can easily assess that our communication is confidential because we can autonomously choose to speak only when unprivileged people are not physically around to listen in.

We know that our communication has perfect integrity because we are physically present, observing and assuring that the speech is not getting messed with.

We also know that our communication is authentic because we are physically near the intended individual actively verifying them.

The foundation of communications confidentiality, integrity, and authenticity is trust, and the only way we can assure that technology-driven communication is trustworthy is with encryption.

Encryption is the technological requirement for restoring the foundation of trust that we fundamentally lose when people cannot be physically near each other.

Hardware hacking the LG L15G Sunrise


The Tracfone LG L15G recently dropped to $10 at Walmart, so I picked one up. As expected, the hardware is incredibly simple and accessible.

During my (very easy) work on this, I kept thinking: why would anyone spend $700 on a “secure phone” (Silent Circle) when I can spend $10 on this one and take the microphone and camera out? It really depends on which security feature we’re looking at, and in this case, with the LG, it’s hardware security. At the very least, Silent Circle should make it very easy to physically remove specific, high-risk sensors. This LG still has Rotation Vector and Accelerometer sensors, and I don’t know where those are located. Even so, compared to my Nexus 6, this is an extremely simple device to “secure”.

Ars Technica reviewed the LG Sunrise. While they are quite right about how “cheap” it is, I got the feeling that they have no appreciation for easy-to-hack devices, especially ones as powerful as Android.

A review of the $10 Walmart phone—better than nothing, but not by much

Reasons to keep a $10 Android around:

The end result, achievable within 5 minutes of work, was the removal of the microphone, the front-facing sensors, the rear camera, and the rear speaker. I could have taken out the primary earphone too.

Processor and Sensors

via “CPU-Z”

CPU: Qualcomm Snapdragon 400
Model: MSM8926
Cores: 2
Architecture: 2x ARM Cortex-A7 @ 1.19 GHz
Revision: r0p3
Process: 28 nm
Clock Speed: 300 MHz – 1.19 GHz
CPU Load: (CPU 1 idles at 300 MHz with the second turned off. Idle load was 10-20%)
GPU Vendor: Qualcomm
GPU Renderer: Adreno 305 @ 400 MHz
GPU Clock Speed: 300 MHz
GPU Load: (Idles at 0%)
Scaling Governor: ondemand

Model: LGL15G (y25_trf_us)
Manufacturer: LGE
Brand: lge
Board: y25
Screen Size: 3.46 inches
Screen Resolution: 320 x 480 pixels
Screen Density: 166 dpi
Total RAM: 420 MB
Available RAM: 150 MB (35%, idle)
Internal Storage: 1.80 GB
Available Storage: 1.49 GB (82%)

Android Version: 4.4.2
API Level: 19
Bootloader: unknown
Build ID: KOT49I.LGL15G10f
Java VM: Dalvik 1.6.0
OpenGL ES: 3.0
Kernel Architecture: armv7l
Kernel Version: 3.4.0+(LGL15G10f.1419269528)
Root Access: (I rooted this test device just to see if I could, but I don’t recommend it)

LGE Accelerometer Sensor
LGE Rotation Vector Sensor

The hack

The only tool that I needed to open up the phone and do most of the work was a simple crosshead screwdriver.


The disassembly was trivial as I didn’t need any tools (after the screws were removed).


To disconnect the system board from the back of the LCD screen, just disconnect the top right (earphone) and bottom left (home buttons) cables.


The rear camera simply disconnects. The front-facing sensors needed a moderate “push” (with the screwdriver) to disconnect.


The microphone needed a moderate “pull” (with the pliers) to disconnect.


As the Ars Technica review mentions, the hardware is very simple. The system board demonstrates that.


The rear speaker was easy to disconnect simply by removing the connecting wires. I didn’t have a good reason to remove this speaker. In my defense, I didn’t actually know (or test) if there was another microphone here. Plus, the vibrator is still attached.


After all this, the phone booted up without issue. Buy a headset and make end-to-end encrypted calls with Signal, with or without using cell service.


StageFright

Android 4.4.2 is pretty bad. Using Signal would help defend against Stagefright.

CVE-2015-1538
CVE-2015-3829
CVE-2015-3828 (not vulnerable)
CVE-2015-3864
CVE-2015-3827
CVE-2015-3876 (not vulnerable)
CVE-2015-6602
CVE-2015-3824
CVE-2015-6575

Apps I was able to disable

Browser
Calendar
Chrome
Cloud Print
com.android.providers.partner
com.lge.sui.widget
ConfigUpdater
Drive
Favorite contacts Widget
Google Backup Transport
Google Calendar Sync
Google Contacts Sync
Google One Time Init
Google Partner Setup
Google Play Books
Google Play Games
Google Play Movies & TV
Google Play Music
Google Play Newsstand
Google Search
Google Text-to-speech Engine
Google+
Hangouts
LG VoiceCommand Speech Pack
Maps
Market Feedback Agent
Mobile Device Management
Multitasking Framework
Music
My Account Downloader
Polaris Office
Setup Wizard
Street View
TalkBack
Tasks
Voice Command
WAP Service
YouTube

How to: Use Onion Share for Ubuntu

OnionShare is a free-software file-sharing program created and maintained by Micah Lee. OnionShare takes advantage of the Tor network to allow its users to maintain anonymity when sharing digital files.

OnionShare is useful because it works exclusively within the Tor network, which makes it extremely difficult to track or attribute most network metadata to the people sharing.

If anonymity is your goal, be very careful about how you share the download link. Mainstream email providers, social media platforms, and chat clients all retain metadata and content.

Software tested

Ubuntu 15.10 Desktop x64
Tor Browser 5.0.4
OnionShare 0.8

Getting OnionShare

For those using Ubuntu, Micah made a PPA (Personal Package Archive) for easy downloading, installing, and updating. Presuming that you have administrative permissions (sudo), open a terminal window and run the following:

sudo add-apt-repository ppa:micahflee/ppa
sudo apt-get update
sudo apt-get install onionshare

OnionShare uses a Tor connection made by Tor Browser to keep the OnionShare application as simple as possible. You will need to download Tor Browser from TorProject.org and have Tor Browser running before you launch OnionShare.

Note: More advanced users can use OnionShare from the command line by using the “--transparent” flag to use a SOCKS5 proxy, but that is out of the scope of this guide.


After OnionShare is installed, you can search for it by using Unity’s application launcher. Click on the “OnionShare” icon.


Using OnionShare

OnionShare will open, ready for you to share a file or folder. Drag your files or folders directly into the window where it says “Drag and drop files here”.


Once you have selected the files and folders to share, click “Start Sharing”. OnionShare will automatically compress the files and folders being shared into a ZIP archive to help reduce the download size. Wait for OnionShare to create a Tor hidden service for your current file share.


Click “Copy URL” to copy the Tor hidden service address. Share this link with someone that has or can download Tor Browser. You can test your own share in Tor Browser, too.


When you or the person you are sharing with tries to download your file via Tor Browser, a warning prompt will display. Be careful when downloading any files from the Internet, even if you trust the person sending them. Because you are the one sharing and testing this file, click “Download File”.


A second prompt will display asking you if you would like to open the file or to save it for later use. For our test, we will simply open the ZIP file with “Archive Manager”. Click “OK” to download and open the file.


Tor Browser will download your file. If you are testing your own file share, this means you are downloading it from yourself, but through the Tor network.


The file sharer will be able to see when someone is downloading, or has downloaded, the files they have shared.


Once the download completes, Archive Manager will open, allowing you to extract the file.


OnionShare privacy benefits

  • OnionShare users are not personally identifiable.
  • OnionShare does not reveal user IP addresses or physical locations because of Tor.
  • Files shared over the Tor network are cryptographically authenticated and private.
  • The use of Tor hidden services prevents network traffic from ever leaving the Tor network, thereby preserving anonymity and complicating passive network surveillance.

OnionShare security warnings

  • OnionShare has not been subjected to an independent security audit.
  • An already-compromised computer, for example one running screen-grabbing or keystroke-logging malware, will typically defeat the privacy protections that OnionShare offers.
  • OnionShare does not save share history. Only other operating system logs could provide evidence of sharing.
  • Active and passive surveillance techniques can still tell if you are using the Internet, and when, but not necessarily what you’re doing on the Internet.

Configuring a USB Armory as a reverse SSH server via Tor hidden service

I performed the following on Ubuntu 15.10. My USB Armory (UA) is using the current Debian Jessie image. I used an Anker to format and image my SD card.


System setup

I use UFW to manage my main system’s iptables firewall, which is always enabled, but we need to allow routed traffic:

sudo ufw default allow routed

sudo ufw reload

When plugging in my UA, I have to verify in the kernel log what Ubuntu is calling the UA:

sudo grep usb0 /var/log/kern.log

See “enx1a5589a26942: renamed from usb0”, where enx1a5589a26942 is the name of the UA.

Then:

sudo /sbin/ip link set enx1a5589a26942 up

sudo /sbin/ip addr add 10.0.0.2/24 dev enx1a5589a26942

sudo /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.1/32 -o wlan0 -j MASQUERADE

Enable IP forwarding (note that “sudo echo 1 > /proc/sys/net/ipv4/ip_forward” would fail, because the redirection is performed by your unprivileged shell, not under sudo):

sudo sysctl -w net.ipv4.ip_forward=1

Now I can SSH to my UA.
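The host-side steps above, collected into one re-runnable script. This is an added example, not code from the original post; it assumes the post’s addressing (the UA on 10.0.0.1, the host on 10.0.0.2/24, wlan0 as the uplink) and uses sysctl for the forwarding flag, since a sudo echo redirection runs in the unprivileged shell.

```shell
#!/bin/sh
# Added example (not from the original post): the host-side steps above as one
# re-runnable script. Assumes the post's addressing: the UA answers on 10.0.0.1,
# the host takes 10.0.0.2/24, and wlan0 is the uplink that masquerades for it.
set -eu

UA_ADDR="10.0.0.1"                          # the USB Armory's address
HOST_CIDR="10.0.0.2/24"                     # host side of the USB Ethernet link
UPLINK="${UPLINK:-wlan0}"                   # uplink to masquerade the UA's traffic
KERN_LOG="${KERN_LOG:-/var/log/kern.log}"   # where "renamed from usb0" is logged

# Print the interface name from the latest "enxXXXX: renamed from usb0" line in
# the kernel log given as $1 (a path, so it can be tested on a constructed file).
ua_iface_from_log() {
    grep 'renamed from usb0' "$1" | tail -n 1 |
        sed -n 's/.*[[:space:]]\(enx[0-9a-f]*\): renamed from usb0.*/\1/p'
}

# Run a command, or only print it when DRY_RUN=1 (review the plan without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Bring the link up, address it, NAT the UA out of the uplink, enable forwarding.
ua_host_setup() {
    iface="$1"
    run sudo ip link set "$iface" up
    # "addr replace" is idempotent; "addr add" errors out on a second run.
    run sudo ip addr replace "$HOST_CIDR" dev "$iface"
    # Re-running appends a duplicate NAT rule (harmless, but check with iptables -t nat -L).
    run sudo iptables -t nat -A POSTROUTING -s "$UA_ADDR/32" -o "$UPLINK" -j MASQUERADE
    # "sudo echo 1 > /proc/sys/..." fails: the redirection runs as the unprivileged
    # shell, not under sudo. sysctl performs the write as root.
    run sudo sysctl -w net.ipv4.ip_forward=1
}

# Usage: sh ua-host.sh --apply            (run as a user that can read kern.log)
#        DRY_RUN=1 sh ua-host.sh --apply  (print the commands instead of running)
if [ "${1:-}" = "--apply" ]; then
    iface=$(ua_iface_from_log "$KERN_LOG")
    [ -n "$iface" ] || { echo "no 'renamed from usb0' line in $KERN_LOG" >&2; exit 1; }
    ua_host_setup "$iface"
fi
```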

Configure the USB Armory

ssh usbarmory@10.0.0.1

Set the locale (I use en_US.UTF-8):

sudo dpkg-reconfigure locales

Create a new user with admin privileges then delete the default UA user:

sudo adduser yawnbox

sudo adduser yawnbox sudo

sudo su yawnbox

sudo deluser --remove-home usbarmory

Then I configure the time. ntp is obsolete; use Jake’s tlsdate.

sudo apt-get update

sudo apt-get dist-upgrade -V

sudo apt-get remove --purge ntp -y

sudo apt-get install tlsdate -y

sudo tlsdate -V

Now we need to assure that the system time is going to be updated every time it boots.

sudo crontab -e

I <3 vim. Then add this line to the bottom:

@reboot tlsdate -V -n -H encrypted.google.com

Install tor:

sudo vim /etc/apt/sources.list

Add:

deb http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org jessie main
deb http://deb.torproject.org/torproject.org tor-experimental-0.2.7.x-jessie main
deb-src http://deb.torproject.org/torproject.org tor-experimental-0.2.7.x-jessie main

Then:

gpg --keyserver keys.gnupg.net --recv 886DDD89

gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Then install:

sudo apt-get update

sudo apt-get install tor deb.torproject.org-keyring

Configure your hidden service:

sudo vim /etc/tor/torrc

Uncomment these two lines only:

HiddenServiceDir /var/lib/tor/other_hidden_service/

HiddenServicePort 22 127.0.0.1:22

Restart tor:

sudo service tor restart

Get (and document it somewhere) your onion address:

sudo cat /var/lib/tor/other_hidden_service/hostname

Configure openssh-server:

sudo vim /etc/ssh/sshd_config

Comment out these lines:

#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

Edit these lines:

ServerKeyBits 4096
PermitRootLogin no

Test access

Edit your openssh-client to torify your SSH:

sudo vim /etc/ssh/ssh_config

Add (under “Host *”):

proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p

Then:

sudo service ssh restart

Then SSH to the hidden service address hosted on your UA:

ssh yawnbox@2f4ov33h7utnjs.onion

Other thoughts

When inserting the UA into a Windows 7 client, it auto-installs a driver for a “USB Ethernet/RNDIS Gadget”. Windows assigns it a non-routable 169.254.* address, but the UA will send out over 100 packets within the first 5 minutes. Tor and tlsdate can’t wait to touch the net 😉

Create an anonymous document drop with any Android

Honestly I have no idea why I didn’t think about this before. I’m sorry it’s taken so long. This guide will show you how to use any Android to host a Tor hidden service and send files to it from anywhere in the world with SSH or SCP. I tested this with a Nexus 6 (shamu) running Android 6, but I will test this on Android 4.4.4 soon. Root is not needed; you could perform these steps on any Android. Play around with this. I do not currently have a lot of confidence in the stability of an Android (Wifi), SSHelper (app), Orbot (app), and Tor (circuit) hidden-service combination, but I’ll try this out on an extra Android, see if I can still access it after a week or so, and update the post.

Much wow.

There are several amazing things about this setup:

1. Easy. It’s so easy, omg. Even securing the Android is super easy with this narrow of use case.

2. Cheap. Like, as little as $10 cheap, or, “can I have your old Android for free, please” cheap.

3. You could drop a burner Android, using any Wifi you can connect to, in so many places. And if you don’t have a wall outlet where it could sit and charge forever, you could have several days’ or weeks’ worth of uptime before it dies.

Guide

0. Buy a cheap Android in person with cash; you may prefer one with an SD card slot for additional storage. Go to a coffee shop you’ve never been to that has free Wifi. Turn on your Android and connect to the public Wifi. Create a new Google account with an unattributable username and password. Put the phone into airplane mode, then reactivate the Wifi. Disable any apps and services not needed (dependent on the device), then install any Android OS or app updates that are necessary. Ensure the Android’s storage is encrypted, and ensure that device access requires a long passphrase for boot and for device entry.

Note on “buy any Android” — some burners that I’ve purchased before, like a $30 one from Verizon, force you to activate the device as soon as you turn it on, making it extremely difficult to control any aspect of Android until you phone home to Verizon and activate with a phone number. If you want to be sure you don’t have to deal with carrier crap, spend a little more and go with an unlocked Moto E for $120. The 1st Gen and 2nd Gen Moto E’s conveniently support a 32GB microSD.

1. Download “Orbot: Proxy with Tor” (by: The Tor Project) from the Play Store. Open “Orbot”. Go into settings and scroll down to “Hidden Service Hosting” and enable “Hidden Service Hosting”. Tap “Hidden Service Ports” and enter “2222”. Back out of settings and long-press the power button to connect to the Tor network. Go back into settings then scroll down and tap “.Onion Hostname” to view your hidden service address. Document that address on your laptop with Tails or Torified SSH ready to go.

2. Download “SSHelper” (by: Paul Lutus) from the Play Store. Open the “SSHelper” app. That’s it. The default user is “admin”, default password is “admin”. The default ssh, scp, and rsync directory is your normal user’s home directory, which is one below the virtualized (or real) “SDCard”. I was able to connect with an ECDSA key pair.

3. Download “NetGuard – no-root firewall” (by: Marcel Bokhorst) from the Play Store. Open “NetGuard”. In the top right corner are three vertically aligned dots. Tap that button to enter the Settings menu. Activate “Block Wi-Fi by default”, “Block mobile by default”, and “Manage system applications”. Tap back to save the settings changes. Now scroll down and find “Orbot” and tap the orange Wifi icon (it will turn from a crossed-out orange icon to a green icon), which will allow it to access the network over Wifi only. Scroll down a little bit more to “SSHelper” and tap the orange Wifi icon to give it Wifi access too. Now at the very top, to the right of “NetGuard”, tap the switch icon to activate your firewall rules. Accept (OK) the two prompts that follow.

Your Android is now ready to go.

4. From your Linux or OS X command line interface (CLI), you should now be able to send it any files. It only took 22 seconds for me to transfer an 8 MB PDF:

scp -P 2222 bulletproof-ssl-and-tls.pdf admin@c3dznupj493fgtd5j.onion:.

Torify SSH (Ubuntu) for connecting to hidden service addresses

Install tor and openssh-client. Then:

sudo vim /etc/ssh/ssh_config

Add (under “Host *”):

proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p

Then:

sudo service ssh restart