
Mobile, IoT, Clouds…

It’s time to hire a Risk Manager!


YURY CHEMERKIN
MULTI-SKILLED SECURITY EXPERT

CJSC ADVANCED MONITORING


YURY CHEMERKIN
I have ten+ years of experience in information
security. I‘m a multi-skilled security expert on
security & compliance, mainly focused on
privacy and leakage showdown. Key activity
fields are EMM, Mobile & Cloud
Computing, IAM, Forensics & Compliance.
I have published many papers on mobile and cloud
security and regularly appear at conferences such
as CyberCrimeForum, HackerHalted, DefCamp,
NullCon, OWASP, CONFidence, Hacktivity,
Hackfest, DeepSec Intelligence, HackMiami,
NotaCon, BalcCon, Intelligence-Sec, InfoSec
NetSysAdmins, etc.

LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN

TWITTER: @YURYCHEMERKIN

EMAIL: YURY.S@CHEMERKIN.COM
IoT: CONCEPT, FACTS, ISSUES

1. IoT
2. Wearable Tech
3. Healthcare
4. Connected Home
5. Security & Tips
6. Risk Management
UNDERSTANDING THINGS
IoT TAXONOMY & FRAGMENTATION

Source: https://www.cbinsights.com/research/internet-of-things-periodic-table/
IoT TAXONOMY

• Wearable Tech
• Connected Home
• Building Blocks & Platforms
• Industrial Internet
• Healthcare
• In-store Retail
• Connected Car

• Venture Capital Firms
• Corporate Investors
• Angel Investors
• Crowdfunding
• Accelerators/Incubators
• IoT Acquirers
• Notable acquisitions
NARROW THINGS

Wearable Tech

Connected Home

Healthcare
WATCHES
WEARABLE TECH
SMARTWATCHES – APPLE WATCH

MITM

Breaking LockScreen

Jailbreak

Backup
APPLE WATCH
MITM
The Apple Watch communicates via Bluetooth with the owner’s iPhone. If
Bluetooth is not available, Wi-Fi is used to synchronize with Apple
servers and the iPhone.
Online communication (over Wi-Fi)
• [iPhone apps <-> iCloud] – SSL pinning prevents MITM
• [Apple Watch <-> iCloud] – SSL pinning prevents MITM
• No way to install an SSL certificate on the Apple Watch
APPLE WATCH
BREAKING THE LOCKSCREEN
Remove the Passcode Using Your iPhone

Go to “Settings -> General -> Reset”
• “Erase Apple Watch Content & Settings”
• “Keep Plan” if the iWatch has a cellular plan
• Otherwise just “Erase All Content & Settings”
• Pair it again
APPLE WATCH
BREAKING THE LOCKSCREEN
Removing Your Passcode Without an iPhone

• Power menu: press & hold the side button
• Instead of sliding "Power Off", press on it
• Tap "Erase all content and settings"
• Tap the green checkmark to confirm
• Pair it again
APPLE WATCH
BREAKING THE LOCKSCREEN
Unpair the iWatch via the Apple Watch app & Apple ID password

• Keep your Apple Watch and iPhone close together
• Open the Apple Watch app on the iPhone
• Tap the “My Watch” tab, the iWatch name, then “Unpair Apple Watch”
• Press “Keep Plan” for cellular iWatches
• Enter your Apple ID password and tap confirm
APPLE WATCH
JAILBREAKS
Jailbreaks for USB
• Apple Watch Series 1–4 & watchOS 5 – no jailbreak
• watchOS 4.0 – 4.1
  • v0rtex jailbreak for developers only
    https://github.com/tihmstar/jelbrekTime
• Apple Watch Series 1–2 & watchOS 3.0 – 3.2.3
  • OverCl0ck jailbreak – still in development
    https://github.com/PsychoTea/OverCl0ck

Jail & Bluetooth connection over SSH
• https://speakerdeck.com/mbazaliy/jailbreaking-apple-watch
APPLE WATCH - BACKUP

• /mobile/Library/DeviceRegistry.state/properties.bin
  • Binary plist file – contains the paired Apple Watch specifics incl. watch name, make,
    model, OS, GUID
  • Synced data path with GUID, date, local
  • Serial number, UDID, Wi-Fi MAC, SEID (Secure Element ID), Bluetooth MAC
APPLE WATCH - BACKUP
• Plists containing the apps installed on the Apple Watch (2 places)
  • /mobile/Library/DeviceRegistry/<GUID>/NanoPreferencesSync/NanoDomains/com.apple.Carousel
  • /mobile/Library/DeviceRegistry/<GUID>

• Example:
  /mobile/Library/DeviceRegistry/<GUID>/AddressBook/
APPLE WATCH
BACKUP
• Email – /mobile/Library/DeviceRegistry/<GUID>/NanoMail/registry.sqlite
• Voicemails – /mobile/Library/DeviceRegistry/<GUID>/PreferencesSync/NanoDomains/com.apple.mobilephone
  • Records containing phone numbers and paths to synced voicemail files
APPLE WATCH
BACKUP - PASSBOOK
/mobile/Library/DeviceRegistry/<GUID>/NanoPasses/nanopasses.sqlite3
Pass table:
• Unique_ID
• Type_ID (boarding pass, loyalty pass)
• Encoded pass (value/data)
APPLE WATCH – BACKUP
APPLE HEALTH
• Encrypted (.hfd) – present in password-protected / encrypted backups only
• No Health data comes out of a non-encrypted backup
• Export in raw/plaintext is possible

• But take your time, we will get back to the Health app soon
APPLE WATCH
ACCESS ATTACK LOGIC
APPLE WATCH
SUMMARY
The Apple Watch communicates via Bluetooth, or via Wi-Fi if BT is not available
Online communication (over Wi-Fi)
• [iPhone apps <-> iCloud] – SSL pinning prevents MITM
• [Apple Watch <-> iCloud] – SSL pinning prevents MITM
• No way to install an SSL certificate on the Apple Watch

Local data
• Not many, but jailbreaks are available
• Backup still works to access the data
• Wallet contains booking, card and other info
• Apple Health app
  • Contains a lot of medical user data
  • Encrypted if the backup is password-protected, and left out of the backup otherwise
  • Contains non-encrypted basic medical user data and a list of app sources
WEARABLE TECH
SMARTWATCHES – ANDROID WATCH

Forensics: Physical, Logical, Network Acquisition

Screen Lock Bypassing Techniques

Root opportunities

Android wear app


ANDROID WATCH
FORENSICS OF WEARABLE TECH

Physical Acquisition

Logical Acquisition

Network Acquisition (omitted here)


ANDROID WATCH
IMAGING A SMARTWATCH DEVICE
• The ADB tool should be used to image and explore the Android smartwatch.
• The dd command, dd if=/dev/block/mmcblk0p12 of=/sdcard/tmp.image, can be used to copy
  the entire device to an inserted SD card.
• If time is a factor, investigators can copy specific partitions with the following
  commands (the partition numbers are those of the device examined here; a block
  device has no sub-paths, so the partition is named in the comment, not in the path):
  • dd if=/dev/block/mmcblk0p12 of=/storage/extSdCard/data.dd     # data
  • dd if=/dev/block/mmcblk0p8  of=/storage/extSdCard/cache.dd    # cache
  • dd if=/dev/block/mmcblk0p3  of=/storage/extSdCard/efs.dd      # efs
  • dd if=/dev/block/mmcblk0p9  of=/storage/extSdCard/system.dd   # system
ANDROID WATCH
BREACHING A LOCK SCREEN
• Google account credentials are known -> remote unlock of connected watches via Google’s
  Android Device Manager

• Deleting / altering the gesture.key & settings.db files -> removes the lock screen entirely
  • adb.exe shell; cd /data/system; rm gesture.key

• The “settings.db” file contains system settings and can cause system-wide changes if modified
  • update system set value=0
• Flashing a modified ROM / a reboot in safe mode – to leverage a third-party lock screen
• Utilize the adbkey and adbkey.pub files from other computers that have previously been
  synchronized with the examined device to create a trust relationship with a new device
  • /.android/<ADB keys> – those files are an SSH key-pair that allow me to mark my
    computer as "trusted" to my phone.
  • Copies of the ADB keys are stored on synchronized devices in users/<user name>/.android
    folders
ANDROID WATCHES
ROOT
Root:
• 5.1.1 – SuperSU-5.1.1.zip https://supersu.apk.gold/android-5.1.1
• 6.0.1 – SuperSU-6.0.1.zip https://supersu.apk.gold/android-6.0.1
• Wear 2.0 – SuperSU-Wear
• Wear-SuperSU 2.4 – https://androidfilehost.com/?fid=24269982086990060

Recovery:
• TWRP – https://eu.dl.twrp.me/bass/
  • 5.1.1: twrp-3.1.0-0.img
  • 6.0.1 and Wear 2.0: twrp-3.0.0-0.img
ANDROID WATCH
WEAR OS
• Tizen OS – Samsung
• Android Wear OS – Asus Zenwatch, Huawei Watch, LG Watch and many other
• Many root tools & images for Android Wear up to 2.0
• Lack of tools for 2.1 and beyond
• Wear app to access data

Android Wear Version | Android base version | Release date
4.4W1                | 4.4                  | June 2014
4.4W2                | 4.4                  | October 2014
1.0                  | 5.0.1                | December 2014
1.1                  | 5.1.1                | May 2015
1.3                  | 5.1.1                | August 2015
1.4                  | 6.0.1                | February 2016
1.5                  | 6.0.1                | June 2016
2.0                  | 7.1.1                | Feb 2017
2.6                  | 7.1.1                | Nov 2017
2.6                  | 7.1.1/8.0.0          | Dec 2017
2.7                  | 7.1.1/8.0.0          | Dec 2017
2.8                  | 7.1.1/8.0.0          | Jan 2018
2.9                  | 7.1.1/8.0.0          | Feb 2018

Wear OS Version | Android base version | Release date
1.0             | 7.1.1/8.0.0          | Mar 2018
1.1             | 7.1.1/8.0.0          | April 2018
1.2             | 7.1.1/8.0.0          | May 2018
1.3             | 7.1.1/8.0.0          | June 2018
1.4             | 7.1.1/8.0.0          | July 2018
1.5             | 7.1.1/8.0.0          | August 2018
1.6             | 7.1.1/8.0.0          | September 2018
1.7             | 7.1.1/8.0.0          | October 2018
2.0             | 7.1.1/8.0.0          | August 2018
2.1             | 7.1.1/9.0.0          | September 2018
ANDROID WATCHES
SAMSUNG GEAR – ALL OF THEM (TIZEN)

Tizen OS, Bluetooth, USB, no Wi-Fi, optional password protection

#1 Gain root:
• turn on SDB (‘Smart Development Bridge’),
• find a ROM, use Odin,
• reboot to ‘download’ mode – hold down the main button through the turn-off prompt
• sdb shell, sdb root
ANDROID WATCHES
SAMSUNG GEAR – ALL OF THEM
#2 Get data as an image:
• Requires root (see step #1)
• Use anything to image the watch, like Toybox http://landley.net/toybox/
  adb push toybox /sdcard/download
  adb shell; su
  mv /sdcard/download/toybox /dev/
  chown root:root /dev/toybox; chmod 755 /dev/toybox
  cd /dev/block/platform/msm_sdcc; ls -al by-name
  /* image the partition with dd and pipe it to netcat; -L puts netcat in listening mode */
  dd if=/dev/block/mmcblk0p21 | /dev/toybox nc -L
  /* netcat prints the port it listens on; use that same port in adb forward and nc below */
  44477 port displayed
  adb forward tcp:44867 tcp:44867
  /* connect to the forwarded port and write the stream to an image file */
  nc 127.0.0.1 44867 > Samsung.IMG
Here is the user partition
ANDROID WATCHES
SAMSUNG GEAR – ALL OF THEM
#3 Results:
• Messages – apps.com.samsung.message.data.dbspace/msg-consumer-server.db
• Health/Fitness data – apps.com.samsung.shealth/shealth.db
• Email – apps.com.samsung.wemail.data.dbspace/wemail.db
• Contacts/Address book – dbspace/contacts-svc.db
ANDROID WATCHES
LG WATCH – ALL OF THEM
Android Wear, USB, Bluetooth, no Wi-Fi

#1 Gain root: turn on ADB, use the LG G Watch Restore Tools, reboot to the
bootloader & unlock it, and push the image
  adb reboot-bootloader
  fastboot oem unlock
  adb push <SuperSU>.zip /sdcard/download
  adb reboot-bootloader
  fastboot boot <twrp>.img
  Install <SuperSU>.zip from TWRP, wait for the reboot
ANDROID WATCHES
LG WATCH – ALL OF THEM
#2 Get data as an image:
• Requires root (see step #1)
• Use anything to image the watch, like Toybox http://landley.net/toybox/
  adb push toybox /sdcard/download
  adb shell; su
  mv /sdcard/download/toybox /dev/
  chown root:root /dev/toybox; chmod 755 /dev/toybox
  cd /dev/block/platform/msm_sdcc; ls -al by-name
  /* image the partition with dd and pipe it to netcat; -L puts netcat in listening mode */
  dd if=/dev/block/mmcblk0p21 | /dev/toybox nc -L
  /* netcat prints the port it listens on; use that same port in adb forward and nc below */
  44477 port displayed
  adb forward tcp:44867 tcp:44867
  /* connect to the forwarded port and write the stream to an image file */
  nc 127.0.0.1 44867 > LG.img
Here is the user partition
ANDROID WATCHES
LG WATCH – ALL OF THEM
Results:
• Events/Notifications – data.com.android.providers.calendar.databases/calendar.db
• Contacts/Address book – data.com.android.providers.contacts.databases/contacts2.db
• Health/Fitness data – data.com.google.android.apps.fitness.databases/pedometer.db
ANDROID WATCHES
ANDROID WEAR
Mobile device paired with all watches in this app
/com.samsung.android.app.watchmanager
• /auto_update.xml – a timestamp of the day the Samsung Gear was last updated

/com.samsung.android.app.watchmanagerstub/shared preferences/hmonlinehelppref.xml

/data/com.google.android.wearable.app/databases/devices.db
• list of devices using Android Wear, which listed the LG G Watch
ANDROID SMARTWATCHES
ACCESS ATTACK LOGIC
ANDROID WATCH
SUMMARY
• Forensics
  • Forensic tools such as Elcomsoft and Cellebrite are not available for these devices
  • Forensic techniques are still available for the devices
  • Forensics of Wear apps works too, but yields little useful data
  • Known techniques for breaking the Android screen lock work
• OS
  • Tizen OS – Samsung
  • Android Wear OS – Asus Zenwatch, Huawei Watch, LG Watch and many other
• Root & Recovery
  • Many root tools & images for Android Wear up to 2.0
  • Lack of tools for 2.1 and beyond
  • SDB, ADB, Fastboot, OEM unlock
• Data
  • Contacts, fitness, health, email – on the device
HUAWEI WEAR & HONOR BAND 3-9C7

• Photos of the band and the app (links to the stores)

• Insert the pictures for the lists into round shapes??

FITNESS TRACKERS
HUAWEI WEAR. HONOR BAND 3-9C7

Device Mac Address & Crash log: DevInfo, debug info - /Documents/hms/oclog/<crash>,<log>

Last Wear’s values: sleep (many params), wakeup (many params), distance (steps, ride, climb,…), heart rate,
calories

Firmware: Path to locally stored firmware, URL to download firmware (HTTP !!! ), Change log, Options

Geo: Speed, Timestamp, Longitude, Latitude, Distance, Course, Duration, Altitude

User Info: Picture, Name, Birthday, Height, Weight, Gender, Age

Account Details: UDID, Security Token, UserID, SessionID

Bluetooth Keys
CRASH LOG: DEVINFO, DEBUG INFO -
/DOCUMENTS/HMS/OCLOG/CRASH
CRASH: *** -[__NSArrayM replaceObjectAtIndex:withObject:]: index 9223372036854775815 beyond
bounds [0 .. 6]Stack Trace: ( 0 CoreFoundation 0x00000001834d317c
<redacted> + 148 1 libobjc.A.dylib 0x000000018271c528 objc_exception_throw +
56 2 CoreFoundation 0x000000018346bc9c _CFArgv + 0 3
CoreFoundation 0x00000001833a0324 <redacted> + 0 4 HuaweiWear
0x0000000100319064 HuaweiWear + 315492 5 HuaweiWear
0x000000010030ffdc HuaweiWear + 278492 6 libdispatch.dylib
0x0000000182e52a54 <redacted> + 24 7 libdispatch.dylib
0x0000000182e52a14 <redacted> + 16 8 libdispatch.dylib
0x0000000182e5f698 <redacted> + 1016 9 CoreFoundation
0x000000018347b344 <redacted> + 12 10 CoreFoundation
0x0000000183478f20 <redacted> + 2012 11 CoreFoundation
0x0000000183398c58 CFRunLoopRunSpecific + 436 12 GraphicsServices
0x0000000185244f84 GSEventRunModal + 100 13 UIKit 0x000000018caf15c4
UIApplicationMain + 236 14 HuaweiWear 0x00000001005b13f8 HuaweiWear +
3036152 15 libdyld.dylib 0x0000000182eb856c <redacted> + 4)iPhone:iPhone8,4
ClientVersion:21.0.12 OSVersion:11.2.6
HUAWEI WEAR – LAST VALUES
/DOCUMENTS/<*.ARCHIVER> FILES
<string>{
"sleepTotalData":{"shallowSleepTime":0,"totalSleepTime":0,"deepSleepTime":0,"wakeupTimes":0,"wakeupDuration":0,"type":0,"sleepStartTime":0},
"distance":3940,"lastHeartRate":0,"steps":4623,"lastHRTimeStamp":0,"calories":216,"date":1537867958.8875299,"totalClimb":0,"daySportInfo":[]
}</string>
HUAWEI WEAR: FIRMWARE
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"fireWareMd5":"33E44F1B02292C8B9D00A5DEB91B72AB","firmwareDownloadFilePath":"Nyx_1.5.35.bin.apk","identify":"38:37:8B:B8:C9:C7","firmWareSize":1410023,"deviceType":13,"workMode":2,"forceUpdateFlag":false,"netFirwareVersion":"1.5.35",
"firmwareLocalPath":"/var/mobile/Containers/Data/Application/9B666199-342F-4897-9577-59B68F5CF40F/Documents/DownloadData/dfu_image_OTA.dfu_Nyx",
"changeLogContent":"[Optimizations]\nOptimizes calorie counting accuracy while swimming.\nFixes an issue where exercise sessions would suddenly exit due to accidental touches.\nFixes an issue where fitness data would be occasionally cleared.\nOptimizes the TrusleepTM data syncing speed on IOS.\n[Notes]\n1. New features require that Huawei Health APP is updated to version 8.0.1.302 or later for IOS, and 8.0.2.327 or later for Android.\n2. Before updating, make sure the band is charged to at least 20%.\n","status":1,
"baseURL":"http://update.hicloud.com:8180/TDS/data/files/p7/s131/G3533/g3039/v155123/f1/"}
</string>
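An added example, not part of the deck, showing what a defender can check in a firmware record like the one above: the record offers only an MD5 and a plain-HTTP base URL, so the example audits the transport scheme and the integrity field, and verifies a downloaded image against the stated size and MD5. The field names are the ones in the record above and the base URL is the one on the slide; the constructed record omits the changelog and local path, and `describe_image` is a helper of this example only.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed record: same field names as the firmware record on the slide (changelog and
# local path omitted), with the slide's plaintext baseURL. Not a capture from a device.
SAMPLE_RECORD = json.dumps({
    "fireWareMd5": "33E44F1B02292C8B9D00A5DEB91B72AB",
    "firmwareDownloadFilePath": "Nyx_1.5.35.bin.apk",
    "netFirwareVersion": "1.5.35",
    "firmWareSize": 1410023,
    "forceUpdateFlag": False,
    "baseURL": "http://update.hicloud.com:8180/TDS/data/files/p7/s131/G3533/g3039/v155123/f1/",
})


def audit_firmware_record(record_json):
    """Return a list of finding codes for a firmware-update record.

    plaintext-transport : the download base URL is not HTTPS, so an on-path party can
                          serve a different image; the app can only compare it against
                          the MD5 carried in this same record.
    md5-only-integrity  : the record carries an MD5 but no signature field; MD5 is not
                          collision resistant and nothing here authenticates the image.
    """
    rec = json.loads(record_json)
    findings = []
    if urlsplit(rec.get("baseURL", "")).scheme.lower() != "https":
        findings.append("plaintext-transport")
    if "fireWareMd5" in rec and "signature" not in rec:
        findings.append("md5-only-integrity")
    return findings


def verify_downloaded_image(blob, record_json):
    """Check a downloaded image against the size and MD5 stated in the record.

    This is the strongest check the record itself allows: it catches corruption and
    casual tampering, not a party who rewrites both the record and the image.
    """
    rec = json.loads(record_json)
    if len(blob) != rec.get("firmWareSize"):
        return False
    return hashlib.md5(blob).hexdigest().upper() == rec.get("fireWareMd5", "").upper()


def describe_image(blob, base_url):
    """Helper of this example only: build a record (same field names) describing `blob`."""
    return json.dumps({
        "fireWareMd5": hashlib.md5(blob).hexdigest().upper(),
        "firmWareSize": len(blob),
        "baseURL": base_url,
    })


if __name__ == "__main__":
    print(audit_firmware_record(SAMPLE_RECORD))  # ['plaintext-transport', 'md5-only-integrity']
```

The mitigation the audit points at is on the vendor side (HTTPS for the update base URL and a signed image), but the same two checks let an analyst grade any update record found in an app container without running the app.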
HUAWEI WEAR: GEO, SPEED
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"speed":0.63999998569488525,"timestamp":"2018-06-09T05:12:19+0300",
"longitude":41.512356810310401,"latitude":52.571571199272356,
"totalDistance":0,"verticalAccuracy":4,
"course":10.546875,"duration":0,"distance":0,
"altitude":147.71790409088135,"distanceFilter":0,"horizontalAccuracy":5
}
</string>
HUAWEI WEAR: USER INFO
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"headImgLocal":"\/var\/mobile\/Containers\/Data\/Application\/9B666199-342F-4897-9577-59B68F5CF40F\/Documents\/temp_user\/temp_user.jpg",
"age":29,"unitType":0,"nameIsNil":false,"isDefault":true,
"weight":78,"userName":"Yury Chemerkin","walkStepLen":77.28,
"birthday":19880605,"height":184,"modifyTime":0,"runStepLen":92.736,"gender":0}
</string>
HUAWEI WEAR:
/DOCUMENTS/<*.ARCHIVER> FILES
• Account
  • Account details stored in a protected way
• Device MAC address
  <string>deviceMacAddress</string>
  <string>38:37:8B:B8:C9:C7</string>
• Bluetooth keys
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User goals
Device details
User measures
• m_7_DataSourceTable_temp_user
• m_7_FitnessMergedDataTable_temp_user
• m_14_FineSleepDayMergeTable_temp_user
• m_7_MotionGoalTable_temp_user
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES

User measures
• m_14_HeartRateByDay_temp_user
• m_14_SportDataByDay_temp_user
• m_133_MotionPathDetail_temp_user
• m_7_MotionGoalTable_temp_user
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES

User measures
• m_133_SingleMovementStatistic_temp_user
• m_133_SingleMovement_temp_user
HUAWEI HONOR
SUMMARY
Local data
• Credentials are protected
• Personal and medical info – plaintext / as is
Communication
• Local – encrypted
• Online – SSL pinning for all possible connections: registration,
  login and synchronization
XIAOMI MI BAND 2 & MI FIT
Online communication
• AWS storage in Ireland (EU) mainly, secondary US
• TLS 1.2, no SSL pinning
Local data
• Action log with details incl. URLs
  • https://api-mifit.huawei.com/v1/user/manualData.json?r=f8a9d00c3433&t=1512648130831
  • https://api-mifit.huawei.com/users/70000054661/heartRate?r=f8a9d00c3433&t=1512648130848
  • https://api-mifit.huawei.com/v1/data/band_data.json?r=f8a9d00c3433&t=1512648130805
FITNESS APPS
ROAD BIKE, MOUNTAIN BIKE, …
GPS Data: longitude, latitude, altitude, accuracy, distanceInMeter,
upward/downward (meters), timestamp local, timestamp gps

Session Data: timestamp (start, end), distance, duration, avg & max
speed, upward/downward, heartZone values (need special device)

Speed Data: timestamp, speed, duration, distance

User Data: email, password, weight, height, gender, name, birthday


FITNESS APPS
DOCUMENTS\DATABASE.SQLITE3
Where to search for data:
• GPS & location
• HeartRate (requires special devices)
• Session data
• Speed
• User data
FITNESS APPS
LOCATION, MAPS AND USER INFO
• Location and geo snapshots – Documents\MapOpenCycleMap.sqlite

• User info – Documents\database.sqlite3


FITNESS TRACKERS
SUMMARY AMONG TRACKERS & APPS
Local data
• Credentials are usually protected
• Personal and medical info – plaintext / as is
Communication
• Local – encrypted
• Online – SSL pinning for all possible connections
APPLE HEALTH (pictures of the devices go here)
HEALTHCARE
APPLE HEALTH

Valuable data is encrypted and no public cracks are known

A small amount of data is not encrypted in the backup

List of app sources (look there for the non-encrypted original data)

However, a secure built-in app aggregator does not mean the other apps are
secure in the same way (of course not)
APPLE HEALTH
WHERE TO FIND DATA?
HealthDomain\MedicalID\MedicalIDData.archive

HealthDomain\Health\healthdb.sqlite

HealthDomain\Health\healthdb_secure.sqlite

HealthDomain\Health\healthdb_secure.hfd

Exported Raw Data – any place chosen by user


APPLE HEALTH
DATA IN DETAILS
Name, User Pic, height (in cm), and mass (in kg)

Geo Tracking (Mainland/City), iOS version

Device Info: UDID, Name, Last connection time

Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)

Medical implants
APPLE HEALTH
HEALTHDOMAIN\MEDICALID\MEDICALIDDATA.ARCHIVE

• Name • Height • Weight • Medical implants

APPLE HEALTH
HEALTHDOMAIN\HEALTH\HEALTHDB.SQLITE
• Bundle_id, app_name
• Device name, device model, vendor, hardware and software, timestamp
APPLE HEALTH
HEALTHDOMAIN\HEALTH\HEALTHDB_SECURE.SQLITE
APPLE HEALTH
RAW EXPORT

Recorded by any Apple device & accessed through the Health app.

Detailed activity log with timestamps

Data can be exported in .xml format without encryption (!) and
even without encrypting the zip file

Exported data can be stored anywhere

APPLE HEALTH - RAW EXPORT
PERSONAL, FITNESS, MEDICAL INFO

Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)

Heart rate data (in count/min) or beats-per-minute (BPM)

Steps, distance covered (in km), active energy burned (in kJ), and exercise time (in mins)

Blood Pressure Diastolic, Systolic

The exact activity log time (creationDate), and activity start and end times (startDate, endDate)

XML Parser (Free): https://github.com/tdda/applehealthdata
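An added example, written for this page and not taken from the linked applehealthdata tool, that parses a Health export in the export.xml layout: the Me element carries the characteristics listed above (date of birth, sex, blood type, skin type) and each Record carries type, unit, value and the creationDate/startDate/endDate attributes. The XML below is a constructed sample, not a real export; the record types and attribute names follow the export format.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the layout of a Health app export.xml (not a real export).
SAMPLE_EXPORT = """<HealthData locale="en_US">
 <ExportDate value="2018-09-25 12:00:00 +0300"/>
 <Me HKCharacteristicTypeIdentifierDateOfBirth="1990-01-01"
     HKCharacteristicTypeIdentifierBiologicalSex="HKBiologicalSexMale"
     HKCharacteristicTypeIdentifierBloodType="HKBloodTypeNotSet"
     HKCharacteristicTypeIdentifierFitzpatrickSkinType="HKFitzpatrickSkinTypeNotSet"/>
 <Record type="HKQuantityTypeIdentifierHeartRate" sourceName="Watch" unit="count/min"
         creationDate="2018-09-25 08:00:05 +0300" startDate="2018-09-25 08:00:00 +0300"
         endDate="2018-09-25 08:00:00 +0300" value="72"/>
 <Record type="HKQuantityTypeIdentifierHeartRate" sourceName="Watch" unit="count/min"
         creationDate="2018-09-25 08:05:05 +0300" startDate="2018-09-25 08:05:00 +0300"
         endDate="2018-09-25 08:05:00 +0300" value="88"/>
 <Record type="HKQuantityTypeIdentifierStepCount" sourceName="iPhone" unit="count"
         creationDate="2018-09-25 09:00:00 +0300" startDate="2018-09-25 08:00:00 +0300"
         endDate="2018-09-25 09:00:00 +0300" value="1250"/>
</HealthData>"""

PREFIX = "HKCharacteristicTypeIdentifier"


def parse_export(xml_text):
    """Return (profile, records): the Me characteristics with the HK prefix stripped,
    and one attribute dict per Record element (type, unit, value, dates, source)."""
    root = ET.fromstring(xml_text)
    me = root.find("Me")
    profile = {k[len(PREFIX):] if k.startswith(PREFIX) else k: v
               for k, v in (me.attrib.items() if me is not None else [])}
    records = [dict(r.attrib) for r in root.iter("Record")]
    return profile, records


def summarize(records):
    """Record count per type and the distinct app/device sources that wrote them;
    the source list is the 'list of app sources' the slides point to."""
    counts = Counter(r["type"] for r in records)
    sources = sorted({r.get("sourceName", "") for r in records})
    return counts, sources


def heart_rate_extremes(records):
    """(min, max) heart rate in count/min across the export, or None if absent."""
    hr = [float(r["value"]) for r in records if r["type"].endswith("HeartRate")]
    return (min(hr), max(hr)) if hr else None


if __name__ == "__main__":
    profile, records = parse_export(SAMPLE_EXPORT)
    print(profile)
    print(summarize(records))
    print(heart_rate_extremes(records))  # (72.0, 88.0)
```

Everything the functions return is sitting in the clear in the exported file, which is the point of the slides: the profile alone (date of birth, sex, blood type) is enough to identify a person, and the per-record source names tell an analyst which third-party apps hold the original, typically less protected, copies.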


APPLE HEALTH - RAW EXPORT
IN EXAMPLES & DETAILS
APPLE HEALTH - RAW EXPORT
IN EXAMPLES & DETAILS
HEALTHCARE
SUMMARY

The Apple Health app is well protected

• Basic info – date of birth, sex, blood group, skin type,
  height (in cm), and mass (in kg)
• Exported data is not protected at all
• The list of app sources & these apps’ data are not
  protected well
PICOOC MINI (BT) –
BODY COMPOSITION SMART SCALE

Fat indexes
• Vertical fat index, body fat

Mass
• Body weight, bone mass, muscle, skeletal muscle

Productivity
• BMR, body water, protein, Metabolic Age

Delta
• Tracking changes, charts, reports
PICOOC MINI (BT) –
BODY COMPOSITION SMART SCALE
BT Logs: Peripheral Info of nearby devices, and mac of itself (picooc scaler)

Body scale values: body, muscles, productivity, date & time, device mac

Dev Info: Mac, model name, user ID, Device Picture

Friends info: name, account_id, user_id, phone_id, sex (have to have them as PICOOC users)

User Info: nick name , userID, height, age, sex, race, type

Sensor values: time, age, OS, race, type, screen size, mobile device info model, environment, language

Preferences: Local Password, Unlocking method, last active day


PICOOC BT LOGS
PICOOC\DOCUMENTS\BLUETOOTHLOG.TEXT

• DISCOVER INDIRECTLY WHAT DEVICES YOUR NEIGHBORS HAVE

• 扫描到设备 – means “Device scanning”

• 04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ---- .
• 04-14 13:31:36:453 .扫描到设备 name:Peripheral Info:Name: honor band A1 RSSI: -84 UUID: 626E22D2-AE05-4695-A0D3-0099CF82DF96 ---- .
• 04-14 13:31:37:408 .扫描到设备 name:Peripheral Info:Name: PICOOC-CQ RSSI: -66 UUID: 8C8E3EDA-7B8C-189F-3865-0A3B9B2C5744 ---- .
• info.macAddress = D0:49:00:1D:87:8A
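An added example, not from the deck: a parser for the scan lines above (re-joined into single lines), which pulls out name, RSSI and UUID per peripheral plus the app's own MAC line, so an analyst can quantify how much of the owner's surroundings a log like this exposes. The regular expressions are written against exactly the line shape shown on the slide; the input is the slide's own lines, not a live scan.

```python
import re

# The three scan lines from the slide, re-joined into single lines, plus the app's own
# MAC line. This is the only input the example uses; it performs no Bluetooth scanning.
SAMPLE_LOG = """04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ---- .
04-14 13:31:36:453 .扫描到设备 name:Peripheral Info:Name: honor band A1 RSSI: -84 UUID: 626E22D2-AE05-4695-A0D3-0099CF82DF96 ---- .
04-14 13:31:37:408 .扫描到设备 name:Peripheral Info:Name: PICOOC-CQ RSSI: -66 UUID: 8C8E3EDA-7B8C-189F-3865-0A3B9B2C5744 ---- .
info.macAddress = D0:49:00:1D:87:8A
"""

# One scan line: timestamp, the Chinese "device scanned" marker, then name / RSSI / UUID.
SCAN_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}) \.扫描到设备 name:Peripheral Info:Name: "
    r"(?P<name>.+?) RSSI: (?P<rssi>-?\d+) UUID: (?P<uuid>[0-9A-Fa-f-]{36})"
)
MAC_LINE = re.compile(r"info\.macAddress\s*=\s*(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")


def parse_bt_log(text):
    """Return one dict per discovered peripheral: ts, name, rssi (int), uuid."""
    records = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["rssi"] = int(rec["rssi"])
            records.append(rec)
    return records


def own_mac(text):
    """The scale's own MAC as the app logged it, or None if the line is absent."""
    m = MAC_LINE.search(text)
    return m.group("mac") if m else None


def exposure_summary(records):
    """What a reader of this log learns: how many distinct peripherals were seen, which
    one was closest (highest RSSI), and which are third-party devices rather than the
    scale itself (anything whose name does not start with PICOOC)."""
    by_uuid = {}
    for r in records:           # keep the first sighting of each UUID
        by_uuid.setdefault(r["uuid"], r)
    closest = max(by_uuid.values(), key=lambda r: r["rssi"]) if by_uuid else None
    third_party = [r["name"] for r in by_uuid.values() if not r["name"].startswith("PICOOC")]
    return {"distinct": len(by_uuid),
            "closest": closest["name"] if closest else None,
            "third_party": third_party}


if __name__ == "__main__":
    recs = parse_bt_log(SAMPLE_LOG)
    print(own_mac(SAMPLE_LOG), exposure_summary(recs))
```

From a privacy-review standpoint the useful number is `third_party`: each entry is a device the scale's owner never consented to have logged, and the RSSI lets the log be read as a rough proximity map of the flat.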
PICOOC BT LOGS
PICOOC\DOCUMENTS\BLUETOOTHLOG.TEXT

04-14 13:31:36:003 .扫描到设备 name:Peripheral Info:Name: [TV] Samsung 6 Series (49) RSSI: -85 UUID: 592ABA7A-F4A4-D687-7E2A-45F9DDB731D6 ----

Connect a Galaxy S7 to your Samsung TV over Bluetooth to have some fun and
spread your content
• TV with Bluetooth enabled & a Samsung Galaxy S7
• Open the notification pane on your handset
• Select Quick Connect and then Scan for nearby devices
• Select Register TV, tap the new icon with a TV and an arrow
• Tap the Share button and then Smart View to play any media you play
  on your phone on the TV
BODY VALUES
PICOOC\DOCUMENTS\PICOOC.SQLITE
CREATE TABLE `body_indexs` (
  `id`, `weight`, `body_fat`, `visceral_fat_level`, `muscle_race`, `body_age`,
  `bone_mass`, `basic_metabolism`, `bmi`,
  `local_time`, `water_race`, `abnormal`, `day_intValue`, `time_period`,
  `electric_resistance`, `mac`, `body_fat_reference_value`, `skeletal_muscle`);
PICOOC
DEVICE AND PREFERENCES
Dev Info – picooc\documents\picooc.sqlite
Preferences – picooc\Library\Preferences\com.picooc.international.plist
  <key>PasswordLockType</key>
  <integer>2</integer>
  <key>PasswordNumherLockContnet</key>
  <string>7124</string>
  <key>currendDay</key>
  <string>20180922</string>
  <key>kStartupUserIdKey</key>
  <integer>4611483</integer>
USER BASIC INFO – MAIN USER
PICOOC\DOCUMENTS\PLISTFILE\USERINFO.PLIST

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>nickName</key>
  <string>Yury Chemerkin</string>
</dict>
</plist>
USER EXTENDED INFO – LAST ADDED USER ONLY
PICOOC\LIBRARY\SENSORSANALYTICS-SUPER_PROPERTIES.PLIST

Key                        | Value          | Meaning
current_age_characteristic | 3              | As is
current_role_is_athlete    | false          | As is
current_role_height        | 178            | As is
current_language           | 英语           | English
current_role_age           | 58             | As is
current_role_sex           | 男             | Man
app_type                   | PICOOC国际版   | PICOOC Worldwide Version
time_zone                  | Europe/Moscow  | As is
current_role_race          | 白             | White
current_role_type          | 使用者         | User
PICOOC SENSOR VALUES
PICOOC\LIBRARY\SENSORSANALYTICS-MESSAGE-V2.PLIST.DB
• {"time":1537632555035,"_track_id":2682421375,"event":"$AppStart","distinct_id":"9144339","properties":{"current_role_age":30,"$os":"iOS","current_role_race":"白","current_role_type":"主角色","current_role_is_athlete":false,"$screen_width":320,"event_type":"1","$app_version":"3.6.1","current_age_characteristic":3,"$is_first_day":false,"$model":"iPhone8,4","$device_id":"EC640161-EC87-4A90-AD99-5B29A3F86700","$network_type":"WIFI","$carrier":"Mobile TeleSystems","$resume_from_background":true,"$wifi":true,"current_role_height":184,"current_language":"英语","$screen_height":568,"app_type":"PICOOC国际版","time_zone":"Europe\/Moscow","$lib_version":"1.9.3","$os_version":"12.0","$is_first_time":false,"$lib":"iOS","$manufacturer":"Apple","current_role_sex":"男","current_role_id":"9144339"},"type":"track","lib":{"$lib_version":"1.9.3","$lib":"iOS","$app_version":"3.6.1","$lib_method":"code"}}
PICOOC
MITM - NOT SSL-PINNED
• Profile URL (publicly accessible)
  https://cdn2.picooc.com/head/201810/03/20181003_181034000_50589.png
• Request URL – https://api2.picooc-int.com/v1/api/role/updateRole?sign=3DCE33B1B07E4639394F555F1D95C623&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538579449&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_role&

• Same URL (publicly accessible)
  https://picoocheadportrait.oss-cn-beijing.aliyuncs.com/head%2F201810%2F03%2F20181003_181034000_50589.png
• Request URL – https://picoocheadportrait.oss-cn-beijing.aliyuncs.com
PICOOC
MITM - NOT SSL-PINNED
https://api2.picooc-int.com
GET /v1/api/email/getVerifyStatus?appver=i3.6.1.0&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&lang=en&method=meishayong&os=iOS&push_token=iOS%3A%3AEC640161-EC87-4A90-AD99-5B29A3F86700&roleId=9144339&sex=1&sign=5FB8BF2A5A7664591ECFFC52F5810E84&stimezone=Europe/Moscow&timestamp=1538579363&userId=4611483&verifyUserId=4611483&version=i3.6.1&webver=6 HTTP/1.1
PICOOC
MITM - NOT SSL-PINNED
https://api2.picooc-int.com/v1/api/role/updateRole?sign=2A082A983A3238FBEA7B66AEBF88B706&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538580721&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_role&
PICOOC
MITM - NOT SSL-PINNED
https://api2.picooc-int.com/v1/api/account/updateUserPassword?sign=41EE8B396970992A85E9259B134B96BE&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538581202&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_user_password&
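An added example, not from the deck: because these requests are not pinned, an intercepting proxy (and, just as relevant, any server-side or CDN access log) sees the complete query string. The block inventories which identifiers and tokens a captured request URL carries and produces a redacted copy that is safe to keep in a report or proxy log. The URL is a constructed stand-in in the shape of the updateUserPassword request above, with placeholder sign, push token and device id; the set of sensitive parameter names is an assumption of this example, chosen from the parameters visible in the captures.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that carry identifiers, secrets or signatures in the captured requests
# shown on the slides (assumption of this example; extend for other APIs).
SENSITIVE = {"sign", "push_token", "userId", "roleId", "device_id", "verifyUserId"}

# Constructed stand-in with the shape of the updateUserPassword request on the slide;
# sign, push token and device id are placeholders, not captured values.
SAMPLE_URL = (
    "https://api2.picooc-int.com/v1/api/account/updateUserPassword"
    "?sign=CONSTRUCTED_SIGN&urlOfGetRequest=https://api2.picooc-int.com/v1/api"
    "&roleId=1&timestamp=1538581202&version=i3.6.1&os=iOS&userId=2&lang=en"
    "&timezone=Europe/Moscow&push_token=iOS::CONSTRUCTED_TOKEN"
    "&device_id=00000000-0000-0000-0000-000000000000&device_mac="
    "&method=update_user_password&"
)


def inventory(url):
    """Summarise what a captured request URL discloses in its query string."""
    parts = urlsplit(url)
    # keep_blank_values keeps device_mac=; the trailing '&' yields no pair at all
    params = parse_qsl(parts.query, keep_blank_values=True)
    names = [k for k, _ in params]
    return {
        "host": parts.hostname,
        "path": parts.path,
        "method": dict(params).get("method"),
        "sensitive": sorted(n for n in names if n in SENSITIVE),
        "param_count": len(names),
    }


def redact(url):
    """Copy of the URL with sensitive values replaced, for proxy logs and reports."""
    parts = urlsplit(url)
    params = [(k, "[REDACTED]" if k in SENSITIVE else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # safe="/:" keeps values such as Europe/Moscow and nested URLs readable
    return urlunsplit(parts._replace(query=urlencode(params, safe="/:")))


if __name__ == "__main__":
    print(inventory(SAMPLE_URL))
    print(redact(SAMPLE_URL))
```

The inventory makes the risk concrete for a review: a password-change request that carries the user id, role id, push token and request signature in the query string is logged in full by every intermediary, pinning or not, which is why such values belong in headers or the body over a pinned channel.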
PICOOC
SUMMARY
Body indexes and changes day-by-day
• Fat indexes, mass
• Productivity, delta
Dev info, friends’ results, user data
Network
• Data stored on Alibaba servers
• Profile, device info, credentials; additionally the password on the password-change tab
• Bonus: Bluetooth scanner of nearby devices
Preferences: local password, unlocking method, last active day
~30 mHEALTH APPS
• User credentials and pins
• Personal details of users
• User activities
• User location
• Activity timestamps
• Images

• Google Fit
• MyFitnessPal
• RunKeeper - GPS
• Nike+ Running
• WebMD
• Blood Pressure (BP) Watch
• Water Your Body
• Instant Heart Rate
• Drugs.com Medication Guide
• Runtastic Pedometer
• Noom Walk Pedometer: Fitness
• Strava Running and Cycling GPS
• Bleep Fitness Test
• Fitness Buddy: 300+ Exercises
• BodySpace- Social Fitness
• Walk with Map My Walk
• Endomondo Running Cycling Walking
• FitNotes – gym Workout Log
• Period Calendar
• Period Tracker
• My Pregnancy Today
• My Baby Today
• Calorie Counter by FatSecret
• MyNetDiary Calorie Counter PRO
• My Diet Diary Calorie Counter
• Calories! Basic – cal counter
• Calorie Counter
• Lifesum- Calorie Counter
~30 mHEALTH APPS
MYFITNESSPAL
User profile pics – com.myfitnesspal.android/cache/Picasso-cache
User profile pics – /sdcard/

/data/data/com.myfitnesspal.android/databases/myfitnesspal.db
• User details including time zone, gender, date of birth and email
  – in tables <user_properties, users> – see the pic
• User profile pictures – in table <images>
• User personal notes – in table <diary_notes>
• User records of exercises, food habits and personal measurements – in tables
  <exercise_entries; exercises; food_entries; foods; measurement_types; measurements>
• User last synced items with the server – in table <last_sync_pointers>
• User food search history – in table <search_history>
~30 mHEALTH APPS
RUNKEEPER
• User profile pics – /fitnesskeeper.runkeeper.pro/cache/Picasso-cache
• /fitnesskeeper.runkeeper.pro/databases/RunKeeper.sqlite
  • User details including activities, trips
  • Trips deleted by the user – in table <deleted_trips>
  • Activities posted by the user – in table <feed>
  • List of the user’s friends – in table <friends>
  • Images uploaded during trips by the user – in table <status_updates>
  • User settings for each trip – in table <trip_settings>
  • Places visited during all the trips – in table <points>
  • Information about each trip – in table <trips>

• More tables
  • The points table is used to locate the map coordinates of a user’s route
~30 mHEALTH APPS
PERIOD CALENDAR

• Personal info – /data/data/fitnesskeeper.runkeeper.pro/databases/PC.db. Tables:
  • User – list of the users with passwords (plaintext passwords, secret questions
    and answers)
  • Period – period start time and length of users
  • Note – diary notes inserted by users
• Personal info – /data/data/fitnesskeeper.runkeeper.pro/databases/PC_PILL.db. Tables:
  • pill – pills used by users including date and time
  • pill_record – details about the pills
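An added example, not from the deck, serving the app databases on the slides above (Period Calendar's PC.db with its plaintext passwords, MyFitnessPal's myfitnesspal.db, RunKeeper.sqlite) as well as the watch databases earlier in the deck (shealth.db, contacts2.db, the Apple Watch nanopasses.sqlite3): a SQLite triage that lists every table with its row count, flags columns whose names suggest credential material, and counts email-shaped strings, so an analyst can grade a pulled database before reading it table by table. The database it builds is constructed for the example in the shape of the PC.db tables; the column-name pattern is a heuristic of this example, not a rule from the slides.

```python
import os
import re
import sqlite3
import tempfile

# Heuristic of this example: column names that usually hold credential material.
# "pin" also matches words like "shipping", so treat hits as leads, not findings.
CREDENTIAL_COLS = re.compile(r"pass(word|wd)?|secret|pin|token|answer", re.I)
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)


def build_constructed_db(path):
    """Constructed database with tables modelled on the PC.db slide (User, Period, Note).
    Rows are invented; the email address uses the reserved .invalid TLD."""
    con = sqlite3.connect(path)
    con.executescript("""
      CREATE TABLE User(id INTEGER, name TEXT, email TEXT, password TEXT,
                        secret_question TEXT, secret_answer TEXT);
      CREATE TABLE Period(user_id INTEGER, start_time INTEGER, length INTEGER);
      CREATE TABLE Note(user_id INTEGER, day INTEGER, note TEXT);
      INSERT INTO User VALUES(1,'constructed user','user@example.invalid',
                              'pw-in-clear','first pet','rex');
      INSERT INTO Period VALUES(1,1536000000,5);
      INSERT INTO Note VALUES(1,20180914,'constructed note');
    """)
    con.commit()
    con.close()


def triage(path):
    """Read-only survey of a SQLite file: row counts per table, credential-looking
    columns as (table, column) pairs, and the number of email-shaped cell values."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    report = {"row_counts": {}, "credential_columns": [], "email_hits": 0}
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for t in tables:
        quoted = '"' + t.replace('"', '""') + '"'          # identifiers cannot be bound
        cols = [r[1] for r in con.execute(f"PRAGMA table_info({quoted})")]
        report["row_counts"][t] = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
        for c in cols:
            if CREDENTIAL_COLS.search(c):
                report["credential_columns"].append((t, c))
        for row in con.execute(f"SELECT * FROM {quoted}"):
            report["email_hits"] += sum(1 for v in row if isinstance(v, str) and EMAIL.search(v))
    con.close()
    return report


def demo():
    """Build the constructed database in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "PC.db")
        build_constructed_db(p)
        return triage(p)


if __name__ == "__main__":
    print(demo())
```

Opening the file with `mode=ro` keeps the triage from altering evidence; for a real case, run it on a working copy whose hash has been recorded first. The `credential_columns` list is exactly what the Period Calendar slide describes: a User table whose password and secret-answer columns are readable as-is.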
~30 MEDICAL/FITNESS/HEALTH APPS
 User credentials: Apps may require users to log in with their user credentials (e.g. username and password, PIN, and authentication tokens) in order to use the apps. Therefore, user credentials are an artefact that forensic investigators should seek to locate during the app forensic process (e.g. determine whether the credentials are stored in, and can be recovered from, the app’s databases).
 User personal details: User personal details include name, gender, date of birth, email address, height, weight and other personal data that would help forensic investigators to positively identify the app or device users.
 User activities: The mHealth apps require users to enter their day-to-day food habits, health conditions, activity or exercise details, diagnosis details, medication details, symptom details, etc.
 User location: Fitness apps allow users to keep track of their exercise, running, jogging, cycling and other activities. These apps generally store the geographical coordinates of the user’s location during these activities, which can provide useful evidence to the investigators.
 Activity timestamps: Another important artefact is the timestamp of the user activity. For example, linking activity timestamps with the corresponding user locations (e.g. geographical coordinates) and other relevant information (e.g. CCTV feeds) would provide useful information in an investigation.
 Images: This artefact includes profile images, and images taken and posted from a location.
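A triage script for the six artefact categories above, added here as an example (it is not code from the deck): it builds a constructed stand-in for a Period Calendar PC.db with RunKeeper-style tables in memory, maps every table.column to a category by column-name heuristics of my own, and reports which credential columns hold values that are not hash-shaped, i.e. recoverable in plaintext.

```python
"""Triage an mHealth app's SQLite database for forensic artefact categories.

Added example, not from the deck. The sample database, the column-name
heuristics and the hash-shape test are all my own assumptions.
"""
import re
import sqlite3
from collections import defaultdict

# Column-name heuristics per artefact category (assumed, not from the deck).
ARTIFACT_PATTERNS = {
    "credentials": r"^user(name)?$|pass(word|wd)?|^pin$|token|secret_(question|answer)",
    "personal_details": r"^name$|gender|^sex$|birth|email|height|weight",
    "activities": r"exercise|food|calorie|pill|^note$|period|trip",
    "location": r"lat(itude)?|lon(gitude)?|geo|coord",
    "timestamps": r"time|date|stamp",
    "images": r"image|photo|pic|thumb",
}
# Credential columns that should never hold recoverable values.
SECRET_COLUMN = re.compile(r"pass|pin|secret_answer|token", re.IGNORECASE)
# bcrypt/argon2/pbkdf2 prefixes or a pure hex digest count as hashed, not plaintext.
HASH_LIKE = re.compile(r"^(\$2[aby]\$|\$argon2|\$pbkdf2|[0-9a-f]{32,}$)", re.IGNORECASE)


def build_sample_db():
    """Constructed sample data: invented values, not recovered from any device."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE User (id INTEGER, username TEXT, password TEXT,
                           secret_question TEXT, secret_answer TEXT, email TEXT);
        INSERT INTO User VALUES (1, 'demo_user', 'Summer2018', 'Pet name', 'Rex',
                                 'demo@example.invalid');
        CREATE TABLE accounts (login TEXT, password_hash TEXT);
        INSERT INTO accounts VALUES ('demo_user',
            'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855');
        CREATE TABLE Period (user_id INTEGER, start_time INTEGER, length INTEGER);
        INSERT INTO Period VALUES (1, 1533081600, 5);
        CREATE TABLE Note (user_id INTEGER, created_date INTEGER, note TEXT);
        INSERT INTO Note VALUES (1, 1533168000, 'felt tired');
        CREATE TABLE points (trip_id INTEGER, latitude REAL, longitude REAL,
                             time_at_point INTEGER);
        INSERT INTO points VALUES (7, 55.7558, 37.6173, 1533254400);
        CREATE TABLE status_updates (trip_id INTEGER, image_uri TEXT);
        INSERT INTO status_updates VALUES (7, 'file:///sdcard/DCIM/run1.jpg');
    """)
    return conn


def triage_schema(conn):
    """Return {category: ["table.column", ...]} for every user table in the database."""
    found = defaultdict(list)
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: cid, name, type, notnull, dflt_value, pk
        for _cid, col, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            for category, pattern in ARTIFACT_PATTERNS.items():
                if re.search(pattern, col, re.IGNORECASE):
                    found[category].append(f"{table}.{col}")
    return dict(found)


def plaintext_credentials(conn, triage):
    """Credential columns whose sampled values are not hash-shaped (recoverable as-is)."""
    exposed = []
    for ref in triage.get("credentials", []):
        table, col = ref.split(".", 1)
        if not SECRET_COLUMN.search(col):
            continue
        rows = conn.execute(
            f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT 50').fetchall()
        values = [str(r[0]) for r in rows]
        if values and not all(HASH_LIKE.match(v) for v in values):
            exposed.append(ref)
    return exposed


if __name__ == "__main__":
    db = build_sample_db()
    report = triage_schema(db)
    for category, refs in report.items():
        print(f"{category:17s} {', '.join(refs)}")
    print("plaintext credentials:", plaintext_credentials(db, report))
```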
~30 MEDICAL/FITNESS/HEALTH APPS
App Name / Data            | User credentials and pins | Personal details of users | User activities | User location | Activity timestamps | Images
Google Fit                 | N | N | P | N | F | N
MyFitnessPal               | P | F | F | N | F | F
RunKeeper - GPS            | N | N | F | F | F | N
Nike+ Running              | N | F | F | N | F | F
WebMD                      | N | N | P | N | N | N
Blood Pressure (BP) Watch  | N | P | F | N | F | N
Water Your Body            | N | N | F | N | N | N
Instant Heart Rate         | N | N | N | N | N | N
Drugs.com Medication Guide | N | F | N | N | P | N
Runtastic Pedometer        | N | N | F | N | F | N
~30 MEDICAL/FITNESS/HEALTH APPS
App Name / Data                    | User credentials and pins | Personal details of users | User activities | User location | Activity timestamps | Images
Noom Walk Pedometer: Fitness       | N | N | F | N | F | F
Strava Running and Cycling GPS     | N | F | F | F | F | N
Bleep Fitness Test                 | N | F | F | N | P | N
Fitness Buddy: 300+ Exercises      | N | N | F | N | F | N
BodySpace- Social Fitness          | N | F | F | N | P | F
Walk with Map My Walk              | N | F | F | F | F | P
Endomondo Running Cycling Walking  | N | N | F | F | F | F
FitNotes – gym Workout Log         | N | N | F | N | P | N
Period Calendar                    | F | F | F | N | P | N
Period Tracker                     | N | N | F | N | P | N
My Pregnancy Today                 | P | N | N | N | N | F
My Baby Today                      | N | F | N | N | P | N
~30 MEDICAL/FITNESS/HEALTH APPS
App Name / Data                | User credentials and pins | Personal details of users | User activities | User location | Activity timestamps | Images
Calorie Counter by FatSecret   | N | N | F | N | P | N
MyNetDiary Calorie Counter PRO | N | N | N | N | N | F
My Diet Diary Calorie Counter  | N | P | F | N | F | N
Calories! Basic – cal counter  | N | N | P | N | F | N
Calorie Counter                | N | F | F | N | F | N
Lifesum- Calorie Counter       | N | P | F | N | F | F
~30 MEDICAL/FITNESS/HEALTH APPS
THE MORE DATA IS STORED LOCALLY, THE HIGHER THE VALUE
[Chart: Average Issue Index per app, scale 0–10]
HEALTHCARE
SUMMARY
The native Health app is well protected, but the basic information is not
 Basic info - date of birth, sex, blood group, skin type, height (in cm) and mass (in kg)
 Exported data is not protected at all
Source apps (medical, fitness, health, …)
 Data contains everything: GPS, timestamps and lots of day-by-day changes
 Usually store data locally, but basic activity over the network is intercepted and credentials gained
Pseudo health apps – usually require the user to handle all data himself
 Friend list, credentials, secret questions & answers
 Body values, timestamps, visited places & geo
 Medical periods, schedule, pills and so on
 Preferences, searches
APPLE TV – FIVE GENERATIONS
MacOS X, iOS, tvOS
Common ways to break in
 Jailbreak tools
 Password management
 USB acquisition
 Backup
 Jailbroken acquisition
 Profiling
APPLE TV – 1ST GENERATION
EASY TO BREAK
The first edition of the TV, Mac OS X & an HDD make breaking much easier
All possible ways to break into the first Apple TV, 8 years ago:
 “Hacking the Apple TV and Where Your Forensic Data Lives”, Kevin Estis and Randy Robbins, Def Con 2009
https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-kevin_estis-apple_tv.pdf
https://www.youtube.com/watch?v=z-WCy3Bdzkc
APPLE TV – 2ND-5TH GENERATION
EASY TO BREAK TOO
 Break in the same way as any other Apple mobile device (iPhone, iPad)
 Backup contains valuable data (forensic tools work too)
 Find a jailbreak to obtain the whole OS
 Look for user content: Netflix, iTunes, NHL, NBA, Vimeo, YouTube
 Get access to apps’ data and reveal credentials, cards – depends on the application
 Why can Apple TV be jailbroken (why do people jailbreak it)?
 Outdated compromised TV 2 with OpenSSH and default password https://www.tvaddons.co/appletv2-jailbreak-threat/
 Direct access to the filesystem and file management beyond the backups & cloud
 Stream media from devices beyond AirPlay or iOS devices
 Sideloading 3rd party tools
 Kodi, Hulu, LastFM, XBMC, Nito TV, Pandora Radio, and other apps
 Don’t pay $100 for a dev licence and get access to hundreds of music, TV and movie sources
APPLE TV
DATA EXAMINATION & FORENSICS
 Apple TV jailbreak support https://pangu8.com/appletv.html
 Apple TV 1 – scripts, ssh, HD extraction and other ways
 Apple TV 2 – Seas0npass jail for TV running tvOS 4.3 - tvOS 5.3 (untethered) & tvOS 6.1.2 (tethered)
 Apple TV 3 – No jailbreak, many scams; probably the Snow3rd jail works for TV running 5.0, 5.0.1, and not beyond 5.0.2
 Apple TV 4
 Pangu9 jail for TV running tvOS 9.0 - tvOS 9.0.1
 LiberTV jail for TV running tvOS 9.1 - tvOS 10.1
 GreenG0blin jail for TV running tvOS 10.2.2
 Apple TV 4 / 5
 LiberTV jail for TV running tvOS 11.0 and 11.1
 Apple TV 4 / 5 – Electra jail for TV running tvOS 11.2 - tvOS 11.3
APPLE TV
DATA EXAMINATION & FORENSICS
 The USB port is reserved for “service and support” purposes
 Gone since the Apple TV 5th gen (4K)
 No password management – we trust you, breakers 
 Seriously, no password or passcode protection at all! Restrictions instead:
 Use Restrictions on your Apple TV https://support.apple.com/en-md/HT200198
 Allow all by default
 Restrictions block, behind a passcode: purchases, apps, content, settings and remote pairing (no one blocks pairing usually)
 The account password is required for purchases, as on any Apple device (https://support.apple.com/en-us/HT204030)
APPLE TV – 2ND – 4TH GEN
USB ACQUISITION (USB, MICRO, USB-C)
5TH GEN IS OUT OF SCOPE (NO USB)
The AFC (Apple File Conduit) service works here
 /private/var/mobile/Media
USB acquisition gives:
 Basic device information
 Real-time log (syslog), crash logs
 Part of the file system (“Media” folder)
Device information
 MAC – Wi-Fi, Bluetooth, Ethernet
 Name, timezone, serial ID, model
ideviceinfo, idevicesyslog http://www.libimobiledevice.org/
APPLE TV
BACKUP
 Real-time log
 Crash log
 MediaLibrary.sqlitedb
 iCloud account name
 iCloud ID
 Wi-Fi networks
 Device usage timeline
 Shopping database
APPLE TV – 2ND – 5TH GEN
JAILBREAK
Timezone
 /private/var/db/timezone/localtime
Network tcp/ip lease
 /private/var/db/dhcpclient/leases/
Network wi-fi history
 /private/var/preferences/com.apple.wifi.plist
APPLE TV – 2ND – 5TH GEN
JAILBREAK
Keyboard dictionary
 /private/var/mobile/library/keyboard/dynamic-text.dat
Accounts
 /private/var/mobile/library/accounts/
 /private/var/mobile/library/preferences/com.apple.ids.service.com
Network
User info: email + phone
[Screenshot: the accounts data reveals the user’s email address and phone number]
APPLE TV – 2ND – 5TH GEN
JAILBREAK
iCloud synced preferences
 /var/mobile/Library/SyncedPreferences/
Wi-Fi access points
 com.apple.wifid.plist
Weather cities
 com.apple.nanoweatherprefsd.plist
[Screenshot: weather city Moskva, Lianozovo District, 55.800149, 37.565483]
APPLE TV – 2ND – 5TH GEN
JAILBREAK
Headboard
 /private/var/mobile/library/com.apple.headboard/apporder.plist
 /private/var/mobile/library/caches/com.apple.tviconscache/com.apple.headboard
 /private/var/mobile/library/caches/com.apple.headboard/fscacheddata
APPLE TV – 2ND – 5TH GEN
JAILBREAK
App snapshots
 /private/var/mobile/library/caches/com.apple.pineboard/assetlibrary/snapshots/
Cached video
 /private/var/mobile/library/caches/appletv/video/
APPLE TV – 2ND – 5TH GEN
JAILBREAK
Installed applications
 /private/var/db/lsd/com.apple.lsdidentifiers.plist
 /private/var/mobile/containers/bundle/
 /private/var/mobile/containers/data/application/
APPLE TV – 2ND – 5TH GEN
JAILBREAK
 Country, last activity
 App snapshots
 YouTube
APPLE TV – ANY GEN
PROFILING AS A KIND OF PROTECTION
TV Remote payload
 The TV Remote payload is designated by specifying com.apple.tvremote as the PayloadType value. If not present, or the list is empty, any device will be allowed to connect.
Availability: available in tvOS 11.3 and iOS 11.3 and later
 AllowedRemotes
 AllowedTVs
 RemoteDeviceID
 TVDeviceID
https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf
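The profile described above, as an added example (mine, not from the deck or from Apple): it builds the TV Remote payload with plistlib and checks the permissive case the reference names, a missing or empty AllowedRemotes list, which lets any remote pair. The device IDs and payload identifiers are placeholders.

```python
"""Build a tvOS configuration profile with the TV Remote payload and check it.

Added example, not code from the deck or from Apple. PayloadType
com.apple.tvremote, AllowedRemotes and RemoteDeviceID are the keys named in
the Configuration Profile Reference; device IDs and identifiers are placeholders.
"""
import plistlib
import uuid

TV_REMOTE_PAYLOAD_TYPE = "com.apple.tvremote"


def tv_remote_profile(remote_ids, display_name="Restrict Apple TV pairing"):
    """Return a .mobileconfig (XML plist bytes) admitting only the listed remotes.

    remote_ids=None omits AllowedRemotes entirely; [] writes an empty list.
    Both are the permissive cases the reference warns about.
    """
    payload = {
        "PayloadType": TV_REMOTE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.placeholder.tvremote",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "TV Remote",
    }
    if remote_ids is not None:
        # One dictionary per remote that is allowed to pair with this Apple TV.
        payload["AllowedRemotes"] = [{"RemoteDeviceID": rid} for rid in remote_ids]
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.placeholder.profile",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def pairing_restricted(profile_bytes):
    """True only if a TV Remote payload lists at least one non-empty RemoteDeviceID.

    A profile without the payload, with the key missing, or with an empty list
    leaves pairing open to any device, so all three return False.
    """
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TV_REMOTE_PAYLOAD_TYPE:
            continue
        allowed = payload.get("AllowedRemotes") or []
        return any(entry.get("RemoteDeviceID") for entry in allowed)
    return False


if __name__ == "__main__":
    good = tv_remote_profile(["PLACEHOLDER-REMOTE-DEVICE-ID"])
    print(good.decode())
    print("restricted:", pairing_restricted(good))  # True
    print("empty list restricted:", pairing_restricted(tv_remote_profile([])))  # False
```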
APPLE TV
SUMMARY
Lots of jailbreaks
 Except Apple TV 3
 Apple TV 1 is based on Mac OS X, so breaking works the same way as on a Mac
Password management
 No password
 No restrictions by default
 Restrictions handle the content only
Apple TV 2 – 5
 Apple TV 2 – 4 are equipped with USB, which gives device info, time log, crash log, media folder
 Apple TV 5 does not have a USB port
Jailbroken TV
 Timezone, network info & history, keyboard & account info
 iCloud preferences, Wi-Fi access points, weather cities (list) – easy to map to a geolocation
 TV – Headboard, app snapshots, cached video
 App list, app data, app snapshots
AMAZON TV: PREREQUISITE
Amazon Fire TV Stick
Amazon account plus other accounts per app
MITM is out of scope, but wait for Amazon Dot 
Forensics tools (no support atm)
Known ways to break in
 Root
 Data acquisition (streaming, photo, app, sideloaded Android app)
AMAZON TV
BREAK OPPORTUNITIES
 No support from forensics tools
 Sideloading is allowed; ADB exists and is off by default
 Rooting
 Many root apps (like KingRoot) exist for outdated FireOS versions such as 5.0.5, but not only those
 Rooting requires a keyboard; there is no support for TV remote devices
 Use the dd command to obtain an image of the Fire TV
AMAZON TV
ROOT, BOOTLOADER, SIDELOADING
Non-root things
 Sideloading is allowed without root, like on Android
 Bootloader: 51.1.x.x – not locked; 5.x.x.x – locked, but 5.0.x are unlockable (no info about older versions)
 Downgrading might be possible
Roots
 Fire TV 1 – rootable for 51.1.0.0 - 51.1.6.3, 5.0.3, 5.0.5; no root for 5.0.5.1, 5.2.1.0 - 5.2.6.3
 Fire TV 2 – rootable for 5.0.0 – 5.2.1.1; no root for 5.2.4.0 – 5.2.6.3
 Fire TV 2 – 5.2.6.6 – pre-rooted ROM (http://www.aftvnews.com/pre-rooted-5-2-6-6-rom-is-now-available-for-the-fire-tv-2/)
 Fire TV 3, Fire TV Cube – no root or pre-rooted ROM
 Fire TV Stick 1 – rootable for 5.0.0 - 5.2.1.1; no root for 54.1.2.3 and older, 5.2.1.2 - 5.2.6.3
 Fire TV Stick 2 – no root, except hardware rooting with direct access to the device’s eMMC storage (http://www.aftvnews.com/amazon-fire-tv-hardware-root-demonstrated/)
 Fire TV Edition television – rootable for 5.2.5.0; no root for 5.2.5.1 - 5.2.6.3
AMAZON TV
ROOTED TV
 browser.db – browser history & navigation to websites using Mozilla Firefox
 [root]/data/com.amazon.bueller.photos/files/cmsimages – pictures from Amazon Cloud Drive, formatted for better viewing on the Fire TV Stick
 [root]/data/com.amazon.device.controllermanager/databases/devices – Bluetooth devices paired with the Fire TV, with their names and MACs (such as keyboard, mouse, Amazon Fire TV remote)
 [root]/data/com.amazon.device.logmanager/files – Amazon logs including Log.amazon\main
AMAZON TV
ROOTED TV
 /data/data/ = all application data is stored in this directory
 com.amazon.venezia/ = Amazon Appstore data
  /cache/ = thumbnails & previews for Appstore apps
  /databases/ = sqlite files in each folder
   /contentProvider = table "Apps" contains app names ("key") with related thumbnails ("thumbnailUri") and previews ("previewUri") found in the ../cache directory
   /locker = workflow, orders, wishlist, applications, cache, content tokens
   /logging = logs for the Appstore application
 com.android.cloud9/ = Amazon browser data
  /cache/webviewcache/ = any cache data
  /databases/ = sqlite files in each folder
   /webview.db = webview cookies & form data
   /webviewCache.db = association of files in the ../cache/webviewcache/ directory to URLs
   /browser.db = history & bookmarks; also has the path to page previews and thumbnails stored in ../files
  /files/ = page previews & thumbnails stored as JPEG (cross-link to ‘browser.db’ above)
  /shared_prefs = preferences for cross-access
 com.amazon.providers.contacts/databases/contacts2.db = all contacts
FORENSIC ANALYSIS METHOD FOR THE AMAZON FIRE TV STICK
AMAZON TV: SUMMARY
 Several older firmwares are affected by rooting tools
 Rooting requires a BT keyboard, which is not a big deal for a TV
 Sideloading is allowed without root
 ADB is possible
 Downgrading the Fire TV Stick software/firmware might be possible
 Personal data is revealed
 Credentials of streaming services are found
 Netflix, NHL, NBA, Vimeo, … Kodi to get access to hundreds of music, TV and movie sources
 No way to restrict connections and bind the TV and the device to each other only
 FireOS 5.x is based on Android 5.1.1 Lollipop, 6.x on Android 7.1 Nougat
AMAZON ECHO DOT
• Pictures and specification
AMAZON ECHO DOT
 Local access
 Bootloader
 MITM: SSL, MITM, firmware MITM
 Credentials breaks
AMAZON ECHO DOT
LOCAL ACCESS, LACK OF ROOT
 Alexa doesn’t have ADB, but does have an MTK preloader
 bus 001 Device 010: ID 0ed8d:2000 MediaTek Inc. MT65xx Preloader
 However, SP Flash Tool does not work atm
 Bootloader – press and hold ‘Uber’ while it is loading, but the bootloader is locked and no unlocking key is available
 Bus 001 Device 019: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo
 # fastboot devices
 fastboot
 # fastboot getvar all
 lk_build_desc: c1…..
 prod: 1
 unlock_status: false
 serialno: […..]
 product: BISCUIT
 version-preloader: 0.1.00
 version: 0.5
AMAZON ECHO DOT
MITM. WHAT ABOUT SSL?
Self-signed certificates are allowed on Alexa for devs
 https://developer.amazon.com/docs/custom-skills/configure-web-service-self-signed-certificate.html
 https://www.amazon.com/gp/help/customer/display.html?nodeId=201589180
Change endpoint configuration and region
Make your Alexa install an SSL certificate from intercepting tools
 No luck, the Alexa Echo Dot as a device prevents this shit 
 Try with the Alexa app that comes installed by default on the Kindle Fire tablets, or download it for Android or iOS devices even (!)
AMAZON ECHO DOT
MITM. FIRST TIME SETUP
 Navigate via browser to https://alexa.amazon.com
 Up to the end of 2017 the redirect to Alexa setup was an http URL (!)
 Expected credentials to be stolen in plaintext & expiring in 2036 like before, but no luck
Before
 POST /ap/signin?ie=UTF8&pf_rd_r=yyyyyyy&pf_rd_m=xxxxxx&pf_rd_t=6301&pf_rd_i=amzn_dp_project_dee&pf_rd_p=xxxxx&pf_rd_s=signin-slot HTTP/1.1
 Host: www.amazon.com
 Content-Length: 1349
 “name”: “Set-Cookie”,
 “value”: “session-token=\”xx/y//zz==\”; Version=1; Domain=.amazon.com; Max-Age=630720000; Expires=Sat, 01-Nov-2036 22:39:37 GMT; Path=/”
Now
 HTTPS, prevents the MITM attack
 Certificate expires every 2 years
AMAZON ECHO DOT
MITM. FIRMWARE
Intercepting firmware updates is possible
Here is a bin-firmware http request
 GET /obfuscated-otav3-9/…/update-kindle-full_biscuit-XXXX_user_[XXXXXXXXX].bin HTTP/1.1
 Host: amzdigitaldownloads.edgesuite.net
 Connection: close
 User-Agent: AndroidDownloadManager/5.1.1 (Linux; U; Android 5.1.1; AEOBC Build/LVY48F)
Firmware contains build.prop, i.e. it is designed as Android, and has .APKs
 ro.build.version.fireos=5.5.0.3
 ro.build.version.fireos.sdk=4
Non-encrypted bin-firmware
-rw-r--r-- boot.img; file_contexts
drwxr-xr-x images; META-INF
-rw-r--r-- ota.prop
drwxr-xr-x system
-rw-r--r-- system.new.dat; system.patch.dat; system.transfer.list
AMAZON ALEXA APP
The Alexa app has good, solid protection
No sensitive data stored locally
Well-encrypted communication (online, internal) using TLS 1.2
However, MITM is possible, because no SSL pinning is used
 Credentials and all communication compromised
AMAZON ECHO DOT
ALEXA APP – MITM, NOT PINNED
Credentials
 {"Credentials":{"AccessKeyId":"ASIAXHE6EPSWNVIGFBVP","Expiration":1.538588872E9,"SecretKey":"+8gSx7/H.....U="},"IdentityId":"us-east-1:503e25f6-2302-4dcd-8cb2-64a0e888f76b"}
 Email, password from the POST action ‘https://www.amazon.com/ap/signin’
 Device info plus token
Metrics - https://device-metrics-us-2.amazon.com/metricsBatch
 HTTP_USER_AGENTDAMZN(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)"
 CountryCode RU"
Profile
 Name, billing address, shipping address
 Device IDs, types, account ID, device capabilities
The first answer in .mp3 (https://tinytts.amazon.com/) is stored for a long time (at least a couple of months)
AMAZON ALEXA APP
LOCAL
 Library\Application Support\device.sqlite – device list with IDs, serials
 Library\METRICS_NORMAL\* - logs & metrics HTTP_USER_AGENT(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)
 Library\Preferences\com.amazon.echo.plist – account info
 Documents\LocalData.sqlite – settings of devices
AMAZON ECHO DOT
ALEXA APP
Alexa and Echo allow many users to manage devices
 Echo has no voice differentiation capabilities nor protection against non-human or repeated speech
Each device is locked by a 4-digit PIN
 The set of PINs is ~10k values
 Two attempts, then a restart is needed, but no limit on the total number of attempts
 Bruteforce it for 2 days
How to break
1. Computer says the “wake word” followed by the command to order an Amazon Echo Dot
2. Alexa responds with the top Amazon search result and asks if the user wants to place the order
3. Computer confirms the order
4. Alexa asks for the 4-digit PIN
5. Computer guesses the next PIN in numerical order
6. Alexa accepts or rejects the PIN
7. Computer guesses the next PIN in numerical order
Repeat until you break it  takes up to 48h max
AMAZON ECHO DOT & ALEXA APP
SUMMARY
Intercepting firmware updates is possible
Alexa allows self-signed SSL certificates but does not accept a Burp/Charles certificate?
 True for the Alexa Echo Dot
 The Alexa app relies on TLS 1.2 but is affected by a MITM attack with a self-signed cert
Not everything is HTTPS
FireOS is based on Android - https://en.wikipedia.org/wiki/Fire_OS
 ver 5.x – Android 5.1.1 Lollipop. Alexa is still on 5.x
 ver 6.x – Android 7.1 Nougat
Even hardware root is possible
https://vanderpot.com/Clinton_Cook_Paper.pdf
CONNECTED HOME
READYFORSKY
 Backup
 MITM: hub, remote
 BT MITM: out of scope
READYFORSKY
DOCUMENTS\R4S.SQLITE
 Device list, models, pairing text
 Recipes per device (how to cook, basic details & requirements)
 Username, email
 User devices & MAC
READYFORSKY
MITM
 Firmware version – 2.29 - http://service2.readyforsky.com/firmware/list/148/["2.29"]
 Device pic - http://image-server.readyforsky.com/i/1899/200x200.png
 Recipes – BlackTea, GreenTea, others
 Do something with a kettle
 https://content.readyforsky.com/api/program/catalog/id:IN:90,97?locale=en
 "id": 90,
 "protocol_id": 0,
 "value": "BOILING", / HEATING
 "value": "40", | "value": "55", | "value": "70", | "value": "85", | "value": "95",
READYFORSKY
MITM
Credentials, password, tokens
 https://content.readyforsky.com/headless/change-password
 {"current_password": "1", "plainPassword": "1"}
 { "error": "invalid_grant", "error_description": "The access token provided is invalid."}
 { "access_token": "YjNhYmEwOWM1ZDcwYTk0ODU1ODhmZDZiMDRjNjA5NzUyN2YzM2VhNGUyMjBhYzc0ZjBhYWRhY2IzZmNjMzdiOA",
 "expires_in": 86400, "token_type": "bearer", "scope": "r4s", "refresh_token": "YzE4ZGUwN2NkMzdiMDBlYmM5NGQwMGVjYmU4YThkYTVkMGE1ZTc4ODQ2MDRkNjhhZWY4NGIxZjlkODRhZGI3MQ" }
READYFORSKY
MITM
User details - https://content.readyforsky.com/api/user/current
 "username": "yurychemerkin",
 "username_canonical": "yurychemerkin",
 "email": "yury.chemerkin@gmail.com",
 "last_login": null,
 "enabled": true,
 "locked": false,
 "expired": false,
 "id": 527679
Client Address 192.168.1.38:50654 | this port changes
Remote Address content.readyforsky.com/178.62.194.132:443 | fixed port
READYFORSKY
MITM
Device details
 https://content.readyforsky.com/api/device/user
 "name": "RK-G200S",
 "address": "E7:7F:BC:60:C2:2A",
 "name": "Gateway XIAOMI Redmi 4X",
 "address": "77d3efcf-f627-402e-bbed-4ee0c8290417",
Client Address 192.168.1.38:50654 | this port changes
Remote Address content.readyforsky.com/178.62.194.132:443 | fixed port
REDMOND
SUMMARY
Communications & MITM
 App, hub, device IP, ports including internal info, device info (name, model, network info)
 Actions, recipes, to-do
 Credentials, password, tokens
 User details & login details
Local
 Device list, models, pairing text
 Recipes per device (how to cook, basic details & requirements)
 Username, email
 User devices & MAC
LIGHTING
 Lightify
 IKEA TRÅDFRI
 Philips HUE
LIGHTIFY
 Lightify is an IoT platform with a simple integration of wireless lighting
 Requires a Lightify account
 Online communication uses the QUIC protocol with encryption over UDP
 Wireshark does not support QUIC decryption at the moment. The drafts at tools.ietf.org/wg/quic are also not really detailed on the ciphers
 The Lightify gateway communicates locally over TCP completely unencrypted, but via a binary protocol https://github.com/noctarius/lightify-binary-protocol#basics-about-the-protocol; here is a plugin to manage the lights https://github.com/tfriedel/python-lightify
 Credentials stored in a local folder – shared preferences
IKEA TRÅDFRI
Smart lighting and an assistant to control it
No online communications except firmware requests in plaintext
 GET http://fw.ota.homesmart.ikea.net/feed/version_info.json
 User-Agent: HertzClient/1.0
 Host: fm.ota.homesmart.ikea.net
 Connection: close
 Response: no response
Local communication is DTLS (SSL over UDP)
 Pairing via QR code (serial number = MAC address, security code / pre-shared key)
 QR code can be revealed for further decryption
Locally stored data
 Encrypted QR code stored in the keystore – root is needed to access it
 Keystore doesn’t work for outdated Android (< 4.3)
 AES encryption for outdated Android, with the encryption key “Bar12345Bar12345” built into the APK as a resource in “key_file.txt”
 The issue here is a patched APK file with the strong encryption removed
PHILIPS HUE
 Hue lights, lamps and more with a smart assistant and a bridge that works over Philips servers
 The list of paired apps and services, with timestamps, sent across Hue apps
 Online communication
 [BridgeServers] works over HTTP with an additional layer of AES encryption. Guess they store the secret key somewhere, but no luck finding it
 [AppServers] works over HTTPS with SSL pinning
 Local communication works over HTTP
 PUT http://192.168.1.38/api/Ds7KfNjjYtC8uNmU8azGBiOSj-uacXI0q0JKaTs/groups/1/action
 Host http://192.168.1.38
 Accept *.*
 Content-Type: application-json
 Content-Length: 11
 Json {“on:true”}
 Loading malicious firmware over-the-air http://iotworm.eyalro.net/
 In 2016, researchers hacked Hue lights via ZigBee over a distance of more than 200 meters http://iotworm.eyalro.net/iotworm.pdf
LIGHTING
SUMMARY
IoT platforms: Lightify, IFTTT
 One account to access all tokens & credentials to manage services, devices and data
Communication
 Online – usually encrypted, MITM sometimes possible
 Local – unprotected; custom protocols & encryption – usually analyzed
 Firmware – usually plaintext, malicious attacks are possible
Local
 Credentials, logs, data
CONNECTED HOME
SUMMARY
Jailbreaks & roots
 Available for popular devices
 Sideloading apps is possible
 New in-house manager devices, such as the Alexa Dot, don’t have root tools
Backup & data
 Works for many devices
 Works for synchronizing apps, like Alexa
In-house smart manageable things work through an app manager that, in turn
 Allows itself to be managed by any device over BT or Wi-Fi, e.g. to cast video or other content
 Doesn’t have good protection and is available over the Internet
 Has firmware issues with malicious over-the-air attacks
 Stores lots of data locally in the app installed on the mobile device
 Which travels everywhere in the user’s pocket
IoT
HOW TO SECURE
Risk management
 Device profiling – divide your devices according to critical info & risk score
 Use cases – define where and what for you are going to use the devices
 Compatibility – use devices that are compatible with the existing technology stack and with security equipment and software
 Loss of smartphones – avoid devices being lost or left unattended
In-home secured network
 Obscure name – NOT vendor & model names or anything revealing the user’s identity, e.g. a personal name
 Encryption – use up-to-date devices with the latest & strongest encryption schemes
 Guest network – set it up if you’re sure, but better to disable guest network access entirely
 Two or more different Wi-Fi networks (logically or physically) – one for typical activities (networking, messaging, etc.), a second for IoT, a third for critical banking, shopping
 Firewall – stand-alone software or shipped with the router; allow traffic on the specific ports needed & no others
 Limit public network usage – avoid pairing a device or using device apps over a public network due to the lack of encryption of data
Password management
 Default credentials – change them for the router’s and IoT devices’ passwords
 Unique passwords – use unique, complex passwords made up of letters, numbers, and symbols
IoT
HOW TO SECURE
Software management
 Settings – change the default privacy & security settings
 Features – disable features you don’t need, such as remote access
 Apps – avoid apps that don’t encrypt data locally or while it’s being transferred
 Patches – keep all devices & software up to date
 VPN – stand-alone software or shipped with the router to protect connections of IoT devices that work over the Internet
 Multifactor & hubs – use all security settings that require additional actions, so the device is not easily hacked
Data
 Data analysis – analyze the data generated by IoT devices to understand what data might be monetized
 Activity analysis – identify unusual activity of IoT devices to understand what data might be leaked
Breaking tools
 Risky apps – avoid apps from outside the store and junk apps from the app store
 Broken – don’t break (jailbreak/root) any device in a chain of devices; rely on supported vendor ROMs
 Flashed – flash clean & secure ROMs to remove unwanted apps, but rely on well-known supported ROMs
Cloud & third party tools
 IoT clouds – audit them before using them for your personal/business needs
 Third party services – there are many automation tools to manage IoT devices. Use secured and audited ones and stay informed
MOBILE, IoT, CLOUDS…
IT’S TIME TO HIRE A RISK MANAGER!
YURY CHEMERKIN
SEND A MAIL TO: YURY.S@CHEMERKIN.COM
HOW TO CONTACT ME?
ADD ME ON LINKEDIN: HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
