Students score big at Hack in the Box SecConf (01/06/2014)

Students of the Master's programme in System and Network Engineering (SNE) at the University of Amsterdam participated in several events surrounding the Hack in the Box Security Conference (HitB), held in Amsterdam on 27-30 May 2014.

Several different events were organised around the HitB conference, such as a Mozilla Firefox OS HackWEEKDAY, a Facebook API challenge, a Capture the Flag hacking contest, and many more.

The Mozilla Firefox OS challenge was won by SNE students Cedric Van Bockhaven and Jan Laan. Several students participated in different teams in the CTF challenge, but due to the stiff competition they fell short of the prizes. Thijs Houtenbos and Jan Laan did win the overall challenge, grabbing the title of 'Most 1337 coders' at the event.

Most 1337 coders of HITB

Students find flaws in dating app Grindr

Students of the Master's programme in System and Network Engineering (SNE) at the University of Amsterdam evaluated the Grindr dating app to see how sensitive user information is protected. Results are astounding, as documented in this report.

Grindr, “the world's biggest mobile network of guys”, is a dating app for homosexual men. The Android, iOS and BlackBerryOS app provides users with user and location information of the 24 closest users that are also looking for a partner. In 2012 a number of weaknesses were discovered. According to Grindr the weaknesses were resolved with an update that was published within days. Reality proved to be rather different.

Breaking encryption

After the 2012 update all messages are encrypted to prevent eavesdropping on user and location info. Encryption is implemented using AES. However, the key used can be recovered quite easily as a result of weaknesses in the key exchange mechanism. After decrypting Grindr network traffic with the recovered key it became clear that the underlying protocol is vulnerable to several attacks.

Eavesdropping and impersonation

The mechanism that is used to transfer the 24 closest users contains a token that points to the profile of each of the 24 users. In other words: it is used as an identifier. However, the token can also be used to log on to the profile of those users. In other words: the user profiles are not protected by a password or other shared secret. With an eavesdropped token it is possible to access and change all profile information, including non-public information. The underlying chat system uses the same system. As a result all chat messages can be eavesdropped and an attacker can impersonate a user by sending messages on their behalf.
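The design flaw described above, a token that serves both as public identifier and as login credential, is shown next to a corrected design in the following added example. It is not code from the report or from Grindr; the `ProfileService` class, its method names and the sample accounts are hypothetical and constructed for illustration.

```python
import hmac
import secrets

class ProfileService:
    """Toy server model, constructed for illustration only."""
    def __init__(self):
        self.profiles = {}   # public_id -> profile data
        self.sessions = {}   # secret session token -> public_id

    def register(self, name):
        public_id = secrets.token_hex(8)     # identifier: may be shown to other users
        self.profiles[public_id] = {"name": name, "private_note": ""}
        return public_id

    def login(self, public_id):
        # A real login would verify a password or device key first (omitted here).
        session = secrets.token_urlsafe(32)  # authenticator: never sent to other users
        self.sessions[session] = public_id
        return session

    def _authenticate(self, presented):
        # Constant-time comparison against the session secrets that were issued.
        for issued, public_id in self.sessions.items():
            if hmac.compare_digest(issued.encode(), str(presented).encode()):
                return public_id
        return None

    def nearby(self, session):
        me = self._authenticate(session)
        if me is None:
            raise PermissionError("not logged in")
        # Only public identifiers and public fields leave the server.
        return [{"id": pid, "name": p["name"]}
                for pid, p in self.profiles.items() if pid != me]

    def update_insecure(self, token, note):
        # Flawed pattern: the identifier handed out in the nearby list
        # is accepted as proof of ownership of the profile.
        if token not in self.profiles:
            return False
        self.profiles[token]["private_note"] = note
        return True

    def update_secure(self, session, note):
        # Corrected pattern: only a secret session token authorises a change,
        # and the profile to change is derived from that session.
        owner = self._authenticate(session)
        if owner is None:
            return False
        self.profiles[owner]["private_note"] = note
        return True
```

In the corrected design, an identifier learned from the nearby list or from intercepted traffic gives no write access, because the server never treats it as a credential.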

Location monitoring

The mechanism that is used to transfer the 24 closest users also contains the distance to other users. This system is based on the user's current GPS location. An attacker can spoof the GPS location of the requesting account. By systematically scanning all possible GPS coordinates it is possible to identify all Grindr users. Furthermore, it is possible to pinpoint the location of a user after measuring the distance from several (spoofed) GPS locations. If this process is performed continuously, users can be tracked in near real-time. Results can be plotted on a map, including a profile picture.

Risks

Even in countries with a liberal gay policy we are occasionally startled by anti-gay violence. In many other countries having a homosexual orientation can have even more serious consequences, e.g. the Russian gay propaganda law or the death penalty in some countries in Africa and the Middle East. According to the researchers, the risks involved need to be addressed by the software publisher.

Solution

The University of Amsterdam contacted Grindr about the issues. Grindr took action immediately. Both parties agreed upon a "responsible disclosure" procedure. During the agreed timeframe results were not shared with other parties and Grindr got the time to resolve the reported problems. On September 30 Grindr launched a new version of the app that, according to Grindr, fixed all issues. Grindr users are urged to install the update as soon as possible.

UvA SNE scores as the best Dutch Computer Science master

In the new 2013 Keuzegids Masters, System and Network Engineering scores as the best Computer Science master. It states, translated from Dutch:

“Again the System and Network Engineering master at the UvA gets the best assessment. The students are very complimentary about the facilities. The program is very well organized, especially the focus on skills in the education is valued, as is the career preparation. The latter is okay everywhere but the UvA is the only master to score above-average on this point.”

10 Year Anniversary

In May the OS3 master will have existed for 10 years. We will celebrate this on May 31st. Put this date in your agenda.

UvA SNE Students discover weakness in banking app

ebanking

Students of the UvA master System and Network Engineering discovered a serious weakness in the ABN AMRO mobile banking Android app. During a practical assignment in the course Security of Systems and Networks they discovered the possibility of a man-in-the-middle attack. The vulnerability allowed an attacker to intercept and decrypt the secret PIN code and user account data. It was even possible to change transactions on the wire and adjust the amount and the account number the money was transferred to.

ABN AMRO was notified in a responsible disclosure procedure. The vulnerability was demonstrated to them at the UvA, where a possible fix was discussed. The bank responded very quickly and delivered a fixed version of the app. The students visited the bank to test these fixes.

The new version of the app was available to users in the Google app store on December 17th, only a few days after the bank was notified, which is very commendable.

Users who have not updated the app since are still vulnerable. These users might not be aware of the risk. The release notes only state:

“This is a security update which will make Mobiel Bankieren even more secure”.

You can read the report with the findings of Thijs Houtenbos, Jurgen Kloosterman, Javy de Koning and Bas Vlaszaty.

SNE Master doubled in size

SNE lab

The SNE master doubled in size. We now have a double group and a new lab, C3.154, close to the SNE research group.

More SNE/OS3 news
