Remediate the Pixel4 and Galaxy S10 biometric security flaws with Workspace ONE

I am pretty sure you’ve already heard about the issues with the Samsung Galaxy S10 fingerprint sensor and Google Pixel 4 Face Unlock. Both companies have acknowledged the issues and committed to releasing the patches “soon” (Samsung is said to be testing fixes in certain countries already). What can you do in the meantime? With Workspace ONE and Android Enterprise it is easy!

How long will it take to h@ck y3r Pa$$w0rd?

Ever been annoyed by those password policies that say “One digit, one uppercase, one lowercase” and then cap your password at, say, 12 characters? Are those passwords secure these days, when cheap processing power is freely available? A while ago I stumbled upon an article where, among other info, some really interesting data was shared about how long it takes to crack standard crypto hashes used for password encryption in WLANs, web sites and operating systems. This prompted a refresher in password security and brute-forcing performance. The numbers are worth sharing.

Bypassing Android security via backups (PSK recovery)

In my recent Android trainings and the Android security talk I gave at AppForum 2014, I was asked to provide a sort of demo that can be easily replicated to explain the importance of maintaining a proper security posture. So I created a script that ‘recovers’ PSKs from the device and displays them.

Before moving on, a brief disclaimer: Android (or iOS, or Windows) is pretty secure; it is up to the user how much of this security is traded for convenience (or ignorance).

ShellShock and Motorola WLAN Equipment

A tech support article has been published on Motorola’s support portal regarding the ShellShock vulnerability. A brief note:

  • APxxxx, RFSxxxx, WSxxxx, CBxxxx (existing and legacy) – NOT vulnerable, as they don’t have bash at all.
  • NXxxxx and VXxxxx – KIND OF. They have unpatched bash, but it’s not exposed through any APIs/UIs unless you already somehow get the shell (which defeats the purpose of this vulnerability). Nevertheless, “Never say never” and a patch will be released in due time just to be sure, but there’s no rush.

Source: What Motorola products are affected by Bash/Shellshock vulnerability?