07 November 2018

181107 - Swedish Digital Bank-ID hacked again - How secure is e-krona - open letter to the Swedish State

181107 - Swedish Digital Bank-ID hacked again - How secure is e-krona - open letter to the Swedish State

Stefan.Ingves@riksbanken.se
registratorn@riksbank.se
registrator.riksdagsforvaltningen@riksdagen.se
finansdepartementet.registrator@regeringskansliet.se

Reference:

Swedish Digital Bank-ID hacked again:
https://zenosloim.blogspot.com/2018/10/swedish-digital-bank-id-hacked-again.html

Swedish Digital Identification System BankID from Finansiell ID-Teknik BID AB byepassed on Android:
https://zenosloim.blogspot.com/2017/06/170607-swedish-digital-identification.html


In theory Swedish Digital Bank-ID should be unique, impossible to copy or restore on another device (smartphone, tablet, etc.)
In practice, despite permanent updates and higher security requirements, it is still hackable even on latest versions of Android and ... unrooted phones!
Hence the legitimate question: How secure is a non-cash payment system?

Risk factors: international conflicts, cyberwarfare, dependency of foreign powers, all affecting Sweden national independence as a sovereign state.

Above 2 reference articles just want to expose how vulnerable is a non-cash payment system based on Internet traffic, foreign powers and naive trust in completely digitally solutions.

Björn Eriksson already showed the danger of nedmonteringen av kontantsystemet in sk Kontant Uppröret.

All digital payment systems are based on US companies and Swedish private banks totally controlled by big foreign actors.
The duty of Sveriges Riksbank is to protect the interest of Swedish people and Swedish National Interests.
What happens in case of a military conflict or natural disaster which cuts the digital communication lines?

How can Swedbank or Nordea then guarantee a sustainable paying system for all swedish citizens?
How can VISA or Master Card guarantee a working payment system?
How can e-krona exist if communications are disrupted?
How can e-krona be used in foreign countries?
Unpleasant questions.

They all say today cash paying is too expensive! Really? Or todays banks greed is too big and the banking system has become an Overstate inside the State?
The actual banking system is not yet capable of having a 100% secure paying system and 100% secure digital identification system!
Yet the banking system is working fully for a total dependence of The National State versus Banking System!
This is no longer Democracy but a return to early stage of 1800 Capitalism.

It is the duty of Sveriges Riksbank and Swedish Government to guarantee a working all-situations payment system, totally independent from Private Banking System and Foreign powers. Only the existence of cash-payment system can guarantee the same freedom to all swedish ciitzens, independent of external conflicts, cyberwar, greedy foreign actors and states.
It is total madness and inconscience to believe in a cashless paying system, which is totally vulnerable and can make a country to lose its national independence.
Nathan Rothschild: "Give me control of a nation's money and I care not who makes its laws" is more actual than ever.


Zeno Sloim
IT Security Expert
LinkedIn: https://www.linkedin.com/in/zeno-sloim-6121a6136
IT Security Blog: https://zenosloim.blogspot.com/
Twitter: https://twitter.com/ZenoSloim
Email: zeno.sloim@gmail.com
Mobile: +46 720 329614
Mobile: +46 739 532539

10 October 2018

Swedish digital Bank-ID "hacked" again

It was last year when I managed to "hack" Swedish digital Bank-ID,  which is the most widespread digital identification and signing/certifying method in Scandinavia and other European countries.

Platform was Android 4.x Samsung Note 4 rooted.

Titanium Backup was used for hacking.

I cooperated with the Swedish company Finansiell Bank-ID AB, the developer and maintainer of the product.

The backdoor was corrected by eliminating Android 4.x as accepted OS, demanding at least Android 5.x and using TPM.

Well, it was sufficient for almost 1 year, until now.

Test platform was Android 6.x Samsung Note 4 rooted and Android 8.x Motorola G6 Plus rooted.

Swedbank latest version Android app and Finansiell Bank-ID latest version Android app. 

Test was done today 2018-10-10, against Finansiell Bank-ID auth server.

A special modified TWRP recovery was the "tool".

Conclusion:

It seems that new security demands must be asked and following the actual trend:

- SuperSU sold to bogus "chinese" company in USA and abandoned developing

- SuperSU totally eliminated from Google Play

- Huawei no-longer giving bootloader unlocking codes

It seems that it will be a harsh race between Rooting a device and using that device for banking operations or digital authentication.



01 October 2018

AppListo App Cloner 1.5.5 activated via same backdoor in DexProtector

Again same test done with AppListo App Cloner 1.5.5.

Using same backdoor in DexProtector.

Red dot indicates New Premium options available.

Premium


Commercial use

Add-ons

Bundle app data

Custom certificate 

Headphones events

Power events

Red dot General Premium options

Red dot Launching Premium options

Remove launcher icon shortcuts

S-Pen events

Show Bring up to front notification



27 September 2018

DexProtector for Android bypassed

One of the most known anti-tampering solutions for Android developers is DexProtector.
Used by well-known Applisto App Cloner developer from Switzerland.
Until now DexProtector was unhackable, alike DexGuard.
Well...not anymore.
I tested DexProtector bypassing on latest version of Applisto App Cloner 1.5.4.
And I underline: not hacked, but ... bypassed.
Which is worse.
A backdoor in DexProtector made this possible.
I managed to activate with "custom made license"   the latest version 1.5.4 to Premium Commercial  License.
The original installed apk is intact. But a suitable license was artificially created using the backdoor in DexProtector.

Commercial use

Premium

Build props

Custom certificate

Custom package name

Disable USB events

Flush Logcat buffer on exit

Headphones events

Power events

Remove launcher icon shortcuts

S-Pen events

Stealth mode fingerprint

WebView safe browsing

Add-ons