My scooter was stolen last week. Unknown to the thief, I hid two Airtags inside it. I was able to use the Apple Find My network and UWB direction finding to recover the scooter today. Here’s how it all went down:
The theft occurred on Monday night. I went out to dinner and locked it to a grate with motorcycle handcuffs. I find them easier to use than a cable lock, but apparently I forgot to lock one cuff. It was gone after ~2 hours.
I resolved to find it the next day but I’d be short on time: I had to catch a flight to Blackhat. I biked to where the scooter was located with an extra lock in-hand, hoping I could see it on the street and lock it to the nearest object for later retrieval.
No fear! The most important part of IR is preparation, and I hid two Airtags inside the scooter: one “decoy” in the wheel well and a second, more subtle, one inside the stem. Covered in black duct tape, they’re hard to see.
I also had NYPD meet me at the nearest street corner but they were resistant to helping. They weren’t familiar with Airtags, thought I might be enlisting them to steal something, and refused to walk with me if I knocked on a door or into a store.
With only 1hr to hunt, I couldn’t find its precise location and left thinking it was in these apartments. I boarded my flight to Blackhat, expecting I’d never see my scooter again. Why? Apple’s anti-stalking features.
iPhone users automatically receive a push notification if an unknown Airtag has been “following” them, without its owner, for a random time between 8 and 24 hours. The Airtag itself will also start making sounds w/ a built-in speaker.
Luckily, the Airtags didn’t move for the whole week. I thought up a new game plan to recover it as soon as I got off my redeye flight this morning. First stop, the 79th Precinct to try convincing the cops to help me, again.
I immediately encountered resistance:
1) go back to where it was stolen and call 911
2) that’s not our precinct
3) we can’t help you if it’s inside a residence
4) I’m not familiar with your voodoo magic^H^H^H Airtags
I was patient, upbeat, and demonstrated with the Airtags on my keys. I reiterated I didn’t want them to do anything illegal to help me, made a joke about it only costing $800 so it’s no felony, and insisted it would get solved within an hour. It worked!
With a willing 2-man patrol and me in the backseat, we drove to the current location, I pointed out the apartments, and then it dawned on all of us… there’s an e-bike store directly next door! In we walked to survey the merchandise.
I received a UWB ping as I walked in the door. It’s 13ft away! I gestured to keep walking, it’s here. The store was unkempt with piles of scooters. There was not a single new scooter in the store; every item on sale was second-hand.
Seconds later, I walked right into it. My scooter! The employees were in disbelief: How did I know it was mine? I played sounds from an Airtag. Not good enough. I paired to it with the Ninebot iOS app. This convinced the last holdouts.
At this point, one mechanic started making excuses for the current state of it: the woman who brought it in had complained about the brakes, so he cut the power line to the handlebars and then removed them. This is not how to repair brakes:
As I further inspect the scooter, the cops start asking questions: Do you sell used e-bikes? Do you collect info from the seller? Do you ask they prove ownership? What is the contact info for the person who dropped this scooter off? No, No, No, and we don’t know.
An employee inside realizes we're investigating further. He immediately becomes agitated: I should be happy I got my scooter back and leave. It’s my fault for getting it stolen. I’m screwing up his day. This isn’t how we do things in Brooklyn. More joined in.
It’s at this point that I noticed there were cameras indoors. In hushed tones, I excitedly told the cops, “Ask for video from last Tuesday at noon.” As I walked the scooter outside, I further reiterated, “they’ll delete it if you don’t get video now.”
I move outside while one cop retrieves the evidence, but the most aggressive employee followed me. He says, “All you’re doing is making enemies.” He gets closer to me and pantomimes shooting me. He implies I’d get murdered if he sees me again.
I do my best “How to Win Friends” and find things to agree with him on. To their credit, the employees not harassing me outside cooperated and provided the video. It’s a woman, and they claim she didn’t leave a phone number.
I filled out a report at the precinct, and my two patrolmen get a parade of high fives from their peers. No one can remember the last time they solved an e-bike crime! I teach them all how to use Airtags, then hop in a Lyft home.
@NinebotGlobal agrees to RMA the scooter ♥️.
Here are a few lessons learned if you’re using Airtags for theft recovery:
1) Use an Airtag adhesive that blends in and muffles noise. It’s clear my thief was looking for them.
2) Do not turn on Lost Mode. It immediately alerts the thief they’re being tracked.
3) Act quickly, before the anti-stalking feature kicks in. Damage done to my handlebars was likely in response to the regular noises from the Airtag.
4) Limit your in-person interactions and always involve the police. Don’t try to retrieve your stolen goods until you have backup.
If you have an Intel CPU with the "PCID" feature, then the security fix for Spectre/Meltdown will have less performance overhead. On macOS, check if you have PCID by opening a terminal and running: `sysctl machdep.cpu.features | grep -o PCID`
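The same check, as an added example that is not from the original post: it keeps the post's macOS `sysctl` key, adds the Linux `/proc/cpuinfo` path, and matches the flag as an exact token. That last point matters on Linux, where the flags line lists both `pcid` and `invpcid`, so a substring `grep -o PCID` would report PCID on a CPU that only has INVPCID. Platform handling beyond macOS/Linux x86 is an assumption and is reported as unknown.

```python
"""Report whether the CPU advertises PCID (added example, not code from the post)."""
import platform
import subprocess
from pathlib import Path


def feature_tokens(flags_text: str) -> set:
    """Split a feature-flag string into lower-case tokens.
    Works for macOS's space-separated list and Linux's 'flags : ...' line."""
    return {tok.lower() for tok in flags_text.replace(",", " ").split()}


def has_feature(flags_text: str, name: str) -> bool:
    """Exact-token match, so 'pcid' does not match inside 'invpcid'."""
    return name.lower() in feature_tokens(flags_text)


def cpu_flags_text() -> str:
    """Read the feature string from the running OS.
    Assumption: x86 on macOS or Linux; anything else returns '' (unknown)."""
    system = platform.system()
    if system == "Darwin":
        # The sysctl key from the post; -n prints only the value.
        out = subprocess.run(["sysctl", "-n", "machdep.cpu.features"],
                             capture_output=True, text=True, check=False)
        return out.stdout
    if system == "Linux":
        try:
            for line in Path("/proc/cpuinfo").read_text().splitlines():
                if line.startswith("flags"):          # first CPU is representative
                    return line.split(":", 1)[1]
        except OSError:
            pass
    return ""


def pcid_status(flags_text: str) -> str:
    """'PCID', 'no PCID', or 'unknown' when no feature string was obtained."""
    if not flags_text.split():
        return "unknown"
    return "PCID" if has_feature(flags_text, "pcid") else "no PCID"


if __name__ == "__main__":
    print(pcid_status(cpu_flags_text()))
```

On an Apple Silicon Mac the `machdep.cpu.features` key does not exist, so the script reports unknown rather than guessing.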
1. You can't "pass" a security audit
2. You can't pentest an app secure
3. It's not independent if you paid for it
4. You should advise clients to say otherwise
See the @trailofbits guidelines for public citations of our work:
Here's the most correct recap of what's happening with OpenSea right now.
tl;dr The security of web3 platforms depends entirely on wallets with universally poor security UX, and there's very little the platforms can do about it.
This company is going to use photos and video from @BlackHatEvents to legitimize themselves for months. Blackhat should exercise copyright over their logo to take it all down.
Google sure is good at plagiarizing my work. I released @AlgoVPN, an open-source, self-hosted VPN solution, in 2016. I find it hard to believe @Jigsaw was unaware since I’ve met their engineers more than once.
I didn’t plan it this way, but rather than send a single person to RSA, @trailofbits sent 60 employees and their SOs to a retreat at the Whistler/Blackcomb ski resort this whole week.
Given one arbitrary binary (without source code), we can recreate any number of new versions of it with equivalent functionality but divergent exploitation properties. It works, and it's amazing.
In the end, this is another reminder that a cloud product is only as good as its operators. If you want a cloud MDM where incompetent management can impulsively nuke their clients without explanation and violate their license terms, then by all means please use Kandji.
Trail of Bits has an iOS security toolkit out today: iVerify. Grab it from the app store here:
Read about it in @Motherboard: and the @trailofbits blog:
We re-read 23 smart contract audits and found:
- 78% of high impact, easily exploitable findings are discoverable with automated analysis tools
- 50% of all findings will never be found with automated tools
- Unit testing _has no impact on security_
Great news for Blackhat: hotel doors at Mandalay Bay use ASSA ABLOY Seos hardware, which stock Flipper Zeros can't touch. You need an add-on board to do anything:
We're hired to provide industry-best advice @trailofbits, and that's exactly what we provided to @HegicOptions. How, then, were bugs found in their code mere hours after they deployed it to mainnet? (1/n)
Nearly all code for Bulletproofs, PlonK, and Girault’s proof of knowledge (crucial for zero knowledge proofs) was broken due to insecure randomness, recommended in the original academic papers for them. Rekt!
Your code might be vulnerable! Our cryptography team has discovered a number of Fiat-Shamir vulnerabilities affecting proof systems such as Bulletproofs and PlonK. Check out this blog series for details and contact us if you think your codebase might be…
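As an added illustration of the class of bug these two posts refer to (my code, not Trail of Bits' and not the Bulletproofs or PlonK implementations themselves): a Schnorr proof of knowledge of a discrete log in which the Fiat-Shamir challenge is either bound to the whole transcript (g, A, t) or, in the weak variant, hashed over the commitment t alone. With the weak challenge a forger can choose t and s first, read off c, and solve the verification equation for a public key A whose discrete log nobody knows. The group parameters p = 1019, q = 509, g = 4 and the seed strings are assumptions chosen to keep the demo small and deterministic; the attack does not depend on the group size.

```python
"""Fiat-Shamir challenge binding, shown on a Schnorr proof (added example)."""
import hashlib

# Toy safe-prime group (assumption): p = 2q + 1, q prime, g = 2^2 generates
# the order-q subgroup. Far too small for real use; only the structure matters.
P, Q, G = 1019, 509, 4


def challenge(*transcript: int) -> int:
    """Fiat-Shamir: hash the transcript values and reduce into Z_q."""
    data = b"|".join(str(v).encode() for v in transcript)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x: int, r: int, bind_statement: bool):
    """Prove knowledge of x with A = g^x. The nonce r is passed in so the example
    is deterministic; real code must draw it fresh and uniformly from Z_q.
    bind_statement=True hashes (g, A, t); False hashes only (g, t)."""
    A = pow(G, x, P)
    t = pow(G, r, P)
    c = challenge(G, A, t) if bind_statement else challenge(G, t)
    s = (r + c * x) % Q
    return A, (t, s)


def verify(A: int, proof, bind_statement: bool) -> bool:
    """Accept iff g^s == t * A^c for the challenge c recomputed by the verifier."""
    t, s = proof
    c = challenge(G, A, t) if bind_statement else challenge(G, t)
    return pow(G, s, P) == (t * pow(A, c, P)) % P


def forge(seed: bytes):
    """Forgery against the weak challenge. Fix t and s first, learn c = H(g, t),
    then solve g^s = t * A^c for A:  A = (g^s * t^-1)^(c^-1 mod q).
    The forger never learns log_g(A), yet verify(..., bind_statement=False) accepts."""
    # t is obtained by hashing into the subgroup (a square mod p), so its
    # discrete log is unknown to everyone, including the forger.
    e = int.from_bytes(hashlib.sha256(seed).digest(), "big") % (P - 1) + 1
    t = pow(e, 2, P)
    s = int.from_bytes(hashlib.sha256(seed + b"s").digest(), "big") % Q
    c = challenge(G, t)
    if c == 0:                      # 1/q chance; c must be invertible mod q
        return forge(seed + b"retry")
    c_inv = pow(c, -1, Q)
    A = pow(pow(G, s, P) * pow(t, -1, P) % P, c_inv, P)
    return A, (t, s)


if __name__ == "__main__":
    A, proof = prove(x=123, r=77, bind_statement=True)
    print("honest proof, statement bound:  ", verify(A, proof, True))
    A_f, proof_f = forge(b"forger-seed")
    print("forged proof, weak challenge:   ", verify(A_f, proof_f, False))
    print("forged proof, statement bound:  ", verify(A_f, proof_f, True))
```

Run stand-alone, the honest proof verifies, the forgery verifies under the weak challenge, and the bound verifier rejects it except in the 1/q event that H(g, A, t) happens to equal H(g, t) mod q (in a real-size group that is negligible). The fix is the one the blog series describes: every public value the verifier relies on has to go into the challenge hash.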
So this business... CTS Labs asked us to review their research last week, and sent us a full technical report with PoC exploit code for each set of bugs.
The embargo has been lifted! @GeminiDotCom is launching a US regulator-approved, fiat-collateralized, ERC20 stablecoin: the Gemini dollar. I’m pleased to announce that @trailofbits completed a security review of it. You can find our public report here:
Before anyone freaks out about "efail", realize that using it would be:
1) extremely easy to detect
2) archived in your target's email
As an attacker, I could not care less about this technique. It's intellectually neat, but operationally stupid.
It’s now been a week, and we still haven’t received an explanation nor do we expect to! Even if it were explained, this behavior is unacceptable for any cloud service and truly malicious for a cloud security company. cc @badthingsdaily
I read this paper with my team. We have serious reservations about their methodology, and think their claims about impact are grossly overstated. Thread follows.
The next day, Kandji pulled the plug on our entire installation and used a kill-switch to silently un-enroll all our devices. This violated their own license agreement, which requires prior notice, an option to cure, and preserving our data, like any good cloud service.
When you hire @trailofbits, you typically get innovative automated security tests back. We've systematized this process internally, and are now sharing it publicly.
Here's how we use @semgrep for great results, quickly:
We’re thrilled to announce our new Testing Handbook, which gathers insights we gained over years of experience using static and dynamic analysis tools. It goes beyond standard documentation, focusing on giving the right answers rather than all the answers.
A few months ago Cellebrite announced that they would begin parsing data from Signal in their extraction tools. It seems they're not doing that very carefully.
Exploiting vulnerabilities in Cellebrite's software, from an app's perspective:
From maintaining Slither alone, @trailofbits' impact on blockchain security since 2017 is pretty dramatically large. If we win this silly poll, we'll make it even larger by open-sourcing 5 of our private detectors for everyone to use. ☺️
Most people are now aware that @trailofbits conducted a security review of the Bitcoin Cash client on behalf of @BitcoinSVNode. While we cannot release our report in its entirety yet, I wanted to share a few details of what we found…
MDM is a pain in the ass, and we’ve been looking for a new vendor since Fleetsmith was acquired by Apple (and then disabled 90% of their product). Their agent barely worked, and frequently mishandled security updates.
Writing security tests for clients is a big part of the future of @trailofbits. First blockchain, then CodeQL, Semgrep, AFL++, and more! Keep an eye on the Automated Testing Handbook for previews... ()
We’re launching a new service: invariant development. We’ll identify, implement, and test security-critical invariants to prevent bugs & secure your codebase over the long term. Plus, we’ll upskill your team to write their own invariants!
Yan saved the company from the brink of failure in 2013, built the foundation for our research practice, and spearheaded the development of one of our core technologies. It was a privilege to work with him.
Intern projects released this week @trailofbits:
✅Designed a featureful, high performance C++ SQLite wrapper
✅Automated analysis of crashes from KRF with Binary Ninja
✅Ported KLEE to work on binary code
Almost died driving in Ft Lauderdale tonight. 1am, in an Uber, and someone is on the wrong side of the road driving straight towards us. Driver calmly moved out of the way and we missed by a few feet. Buckle up and avoid cars when possible!
We should prepare for a future where everyone's DNA is public (e.g., laws against abuse of data). There's little sense in preserving privacy, we're just 1 or 2 hacks away from the data being public forever.
.@trailofbits reviewed the Voatz mobile, blockchain voting system used in real elections in Colorado, Utah, Oregon, and West Virginia. We published the report in full today, with 79 security issues identified.
At @trailofbits, the standard for knowing you’re in trouble has been Googling a question and finding 1 result: a mailing list post from yourself asking the exact same question 4 years ago.
I'm staffing up our DARPA AIxCC team! You'll have full access to the team and resources @trailofbits, and join our existing stellar team to compete and win.
Here’s me wrapping up my lesson on computer architecture and software exploits to a class at my old high school. I take one day off every year to spend time teaching.
Hunt for bugs in binaries with advanced static analysis techniques. In this post, Josh reliably finds Heartbleed-type bugs without access to source code.
It's easy to find bugs when you know how to build the right tools. Check out our blog to learn how to model vulnerabilities with Binary Ninja's MLIL and SSA form.
Three months ago, we released the Whitehat Safe Harbor Agreement, a legal framework to protect whitehats who intercept and return funds.
One of the most common questions we got was, "what happens if someone threatens to sue me anyways"?
Periodic reminder that NYC has a mature, vibrant security ecosystem. There are dozens of startups, teams, investors, and events, and I'm proud @trailofbits is among them. Browse through the full listing here:
Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.
🎉🎉 Big news -- iVerify is leaving the nest! After incubating at @trailofbits, we're setting out on our own to become the first mobile threat hunting company dedicated to rooting out mobile spyware without compromising privacy!