Sunday, November 21, 2010

How to return an iPhone to its owner with the security passcode enabled.

I was recently contacted by a friend who had found an iPhone in his front lawn. My first thoughts was - 'ahh...that sucks for whoever lost it!'.

Since this friend has no idea how to use an iPhone and I am 'the computer/phone guy' for this person, he was hoping I could help get the phone back to its owner.

The following outlines the steps I took to reunite the iPhone with its owner.

Challenge one: No power.
Solution one: Plug it in.

Yeah...no brainer there! However, it does speak to the problems associated with propietary charging solutions. Fortunately, I have several iStuff products...

Challenge two: Passcode enabled.
Solution two: Pull the SIM out. Put it into my iPhone and import the contacts.

I would imagine most people would not have considered this as an option. The idea of a SIM card is foriegn for most people and even that you have the option of importing the contacts from the SIM card is probably just as foriegn. Ironically, my 9 year old daughter was the first to mention it. I am not sure what that means - perhaps all my geekiness is really rubbing off. However, she was very wise in stating this method of data retrieval. As a result, I was able to retrieve the phone number associated with the iPhone and obtain a list of people who know the owner of the iPhone.

From a privacy/security this is a bit of a concern because anyone who finds an iPhone can learn a lot about the owner - despite the security protocols they put in place on their phone. The user could have protected their SIM data with an additional PIN. Ironically, if they would have enabled this protection, they would not have gotten their phone back.

Challenge three: Finding the owner!
Solution three: Call people...

I started by calling the person at the top of the list. This proved to be confusing, and amusing as people who I did not know answered. I quickly discovered that the phone must belong to a teenager...

Unfortunately, none of the people I called (starting with A) knew who the phone belonged to. Then I considered the logical - Dad/Mom/Home. Of interest, all three were in the list. I started with Dad and immediately found the person who could help.

So, to recap, if you find an iPhone and want to return it to the owner, just import the SIM contacts into your own iPhone. I never considered the impact that enabling the passcode would have on my chances of getting my lost iPhone back into my hands. As a result of this experience, I will be embedding a contact number into the wallpaper in the hope that if I lose my iPhone it will be found by an honest person who will want to return it back to me!

Friday, September 3, 2010

Hack is Wack is Hacked

Snoop Dogg is putting his rapper muscle behind Symantec and taking hacker on...I think...if I understand the site http://hackiswack.com correctly.

It should be no surprise that the security of the site is going to come under some scrutiny. The Register already has one article about the issues someone found.

I took a few minutes and check the site out myself and found another issue.

If you look in the source code you see a link embedded in the javascript that looks like this...

/index.php?option=com_jfbconnect&task=logout
&return=aW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9OCZJdGVtaWQ9Mg==
 
The interesting part is this: 
aW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9OCZJdGVtaWQ9Mg==
 
If we decode this base64 encoded string, we get this: 
index.php?option=com_content&view=article&id=8&Itemid=2
 
So, lets encode our own string and create a new URL that looks like this: 
http://www.hackiswack.com/index.php?option=com_jfbconnect&task=logout&return=aHR0cDovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PW9IZzVTSllSSEEw



Yeah. That would be yet another RickRoll...
  
 
 

Friday, August 20, 2010

Spoofing Facebook – How to use Places to create an alibi


If you haven't heard, Places is the latest anti-privacy feature that has been added by Facebook to completely expose your every move. PCWorld has a great writeup on the issues surrounding this...

There are numerous privacy issues with Places (your boss knowing you are not at home when sick, your 'friends' knowing when you are out so they can rob you, etc.). However, what if you could spoof your location and turn Facebook Places into your alibi?


Turns out this isn't all that difficult! The following lists the steps to do this...all from your browser!


1. Setup a proxy PC using CAT, Burp, etc. This will allow you to capture the request coming from your mobile device as it passes to Facebook. I used CAT in this situation.


2. Configure your browser to point to the proxy port. The following illustrates this in both Firefox and the iPhone. Note: If you use the iPhone, you will have to allow the proxy to bind to your network interface, as shown below.















3. Setup your proxy to intercept the request. This is easy to do with CAT – just click the 'Intercept Request' checkbox.







4. Log into http://touch.facebook.com and click on the new Places tab or the new icon representing the map pointer next to the "What's on your mind?" field and allow your browser to share your location.


5. Use http://itouchmap.com/latlong.html to find an interesting place and obtain the GPS coordinates.


6. In the Places page, click on the Add button. This will generate a request that the proxy will capture and looks something like the following. Allow this request to pass through.







7. Enter a unique name (description optional), hit the Add button and intercept the request. This will generate two requests. The first contains the new location as part of the POST data. Modify the GPS coordinates in this request to the acquired coordinates you have obtained. In the second post, update the GPS coordinates in the URL. Finally, let the browser finish up with a few requests and you will be rewarded with a new location. The following images show the updates and the final location.









8. Finally, click the Check In button to set your Profile to the new location. NOTE: Facebook has some logic built into the backend to prevent globe hopping. However, it is fairly flexible. You will again have to modify the POST request details to your preferred GPS coordinates.







If you hover over or click on the location, you will see a map of the area – both of these are sitting off the coast of New Jersey…


So, with a little URL request modification you can create a new location, move yourself to that location, and tell the world where you are! Keep this in mind if you ever have the need to convince the world that 'Yes, you really were at that rally' or "No, I wasn't with so-and-so! See, Facebook had me in another town!". Oh the fun.