So the output of my QRCode is

bbm:20fe2f6059cc5086Sheran Gunasekera

Okay, breaking it down, the first 4 characters, “bbm:” indicate the protocol (BlackBerry Messenger).  The next 8 characters is my PIN.  Still trying to figure out what the remaining 8 characters are, and then lastly, my name.

Then I thought I’d create my own QRCode and try to see what I can make the handheld.  I visited Kaywa and generated my own QRCodes and had the BlackBerry Messenger read it in.  Here are my results:

Changing the PIN:

I changed the PIN to various numbers, letters and characters.  The BBM only read a QRCode where the PIN was a Hex number.  It would then immediately send a Invite to the specific PIN number that I had entered.

Changing the remaining 8 Hex characters:

When I changed the 8 characters adjacent to the PIN, the invitation would go out normally.  I tried with non Hex characters and it still went through.  When I changed the characters to ones like “¡™£¢∞§¶•” made using the Alt key and numbers on my Mac, nothing happened; meaning the QRCode was not read by the BBM.

Changing the name:

I changed my name and nothing really happened.  When I did the special characters like the ones from above, the QRCode was not read.  I’m still wondering if this is as a result of the Kawaya QRCode generator or because the BBM is explicitly told to ignore these characters.

I tried to generate a long name by filling the name field with all A’s.  The BBM read the code without much of an issue.  I think as per QRCode standards, the amount of data you can store in one is limited anyway.  The official QRCode site lists the Maximum amount of data you can store on a QRCode (Binary/Byte) is 2953 characters.  I set out to find a generator that can build me a QRCode of that size.  I downloaded the trial version of the Java Barcode generator from BarCodeLib.com.  Using their tool to generate a QRCode, the maximum size I was successfully able to read was 106 characters.  Granted I only tried a small percentage of the features available to me, but for this post, I’ll go with this amount.  I will continue to test and post results whenever I feel like it.  For now that’s as good as it gets.

So in summary: The BBM QRCode reader has a specific format for invites.  It is not possible to alter these values to a certain extent.  It is not possible to inject data long enough to cause any overflows.  It is also not possible to inject unexpected characters.  On a sort of related note, the new BBM 5.0 sucks.  Its file transfer for photos is the worst thing RIM have ever done.  Since I upgraded, I have not been able to successfully send my contacts a photo from my BB.

I will be speaking on the security of the BlackBerry handhelds and how it’s strong security leaves only one weak link to target: the user.  I will also demo the legal interception PoC (maybe release a toolkit? still debating) and give a live demo on how your handheld can get pwned and what sneaky social engineering tricks can be employed to do so.  I’ll also talk about what risks you face if you get pwned by similar spyware and how you can detect and prevent such attacks in the future.

If you haven’t already done so, you should check out HITB.  If you haven’t already been to one of the cons, you should go.  Its a fantastic place to learn about the latest research, vulnerabilities, developments and other assorted hackery in the security industry.  Unafraid of pulling any punches, L33tdawg does not shy away from hosting in-depth technical talks at his con.  A 2 day Technical Training track precedes the con and is another great way of picking up some m4d l33t sk1llz.  I wrote a post on Burp Suite that talked a little bit about the Web Application Hackers Handbook and one of its authors; well the other author, Marcus Pinto, will be one of the trainers this year talking about Web Application (in)Security.

And after all is said and done, there’s usually one kick-ass party to wrap things up.  So get your asses on down to HITB this year and come say hi, it’ll be a blast!

This is my Mac. There are many like it, but this one is mine. My Mac is my best friend. It is my life. I must master it as I master my life. My Mac, without me, is useless. Without my Mac, I am useless. I must pwn responsibly with my Mac. I must pwn more ethically than any blackhat who is trying to pwn for profit. I must educate the masses before he takes advantage of unpatched boxes. I will….

My Mac and myself know that what counts in this war are not the hot chicks we meet, the noise of our bragging, nor the press releases we make. We know that it is the good pwn that counts. We will pwn…

My Mac is human, even as I, because it is my life. Thus, I will learn it as a brother. I will learn its weakness, its strength, its OS, its accessories, its isight and its all-glass trackpad. I will keep my Mac clean and ready, even as I am clean and ready. We will become part of each other. We will…

Before God I swear this creed. My Mac and myself are the defenders of users. We are the masters of our enemy. We are the saviors of root. So be it, until victory is ours and there is no enemy, but Security.

Mac OS X has PDF support built-in.  I love that I can save a Word or Pages document directly to PDF.  I need no additional software to accomplish this.  Mac OS X uses the Preview Application to read PDF files.  Given that the majority of the OS X users will rely on Preview, I constrained myself to only use Preview for testing.

I started at the top.  Examining the structure of a PDF file.  Although, in my case, I looked at how OS X creates a basic PDF file and attempted to draw parallels with the structure Didier presents in his post.  So I opened up the OS X standard text editor TextEdit, created my “Hello World!” document and saved it as a PDF.  There was no “Save As” to PDF, so I just used the “Print” option and saved it as a PDF.  When opened back in TextEdit, the PDF file looked like this:

The first thing I noticed was that the PDF versions were different.  Didier had version 1.1 and mine was 1.3.  My file also had quite a few extra objects.  While Didier’s had 7 objects in the xref, I had 17.  I probably need to keep in mind, however that he did his article in mid-2008, over a year ago.  The overall structure of the PDF, however, seems to have not changed:

• Header
• Objects
• Xref
• Trailer

I wanted to try my hand at adding another object to a PDF file.  So I tried to add a URI with OpenAction similar to Didier in this post.  I opened the new file in Preview; absolutely nothing.  Knowing that I had to be more thorough, I fired up my XP VM and Adobe Acrobat Reader 9.1.0.  Sure enough, I receive the request asking if I want to connect to http://chirashi.zensay.com

So the OpenAction does not work on OS X’s Preview Application.  Kind of a good thing I guess.  Especially when you see some of the threats out there.  Next I wanted to find out if Preview handles JavaScript in the same way.  You did know that you can trigger JavaScript as PDF actions as well, right?  Of course you did!

Sure enough, Preview does not honor the JavaScript execution, but Adobe Acrobat 9.1.0 and 9.1.2 does so with a nice little Warning window.  Not sure how useful the Warning window is considering the JavaScript was executed already.  I recall reading some WebSense blog posts regarding similar PDF based attacks here and a newer one here.

A question I want to pose here is do we really need all this functionality anyway?  I have used Preview for over 3 years now (Mac convert for that long) and I have not had to deal with any breakage in functionality or a different user-experience when dealing with PDF files.  Does anyone USE Adobe JavaScript?  You might as well turn off your JavaScript by going into Edit->Preferences->JavaScript and uncheck the Enable Acrobat JavaScript.

Once again for the sake of being thorough, I downloaded and installed Foxit 3.0 for XP just to give it a shot.  Wow, so, while I’m here ranting about Adobe, guess what Foxit does?  It directly opens the URL in your default browser.  I am not kidding   Try the JavaScript file and it doesn’t do anything.  Maybe it can’t do an alert box.  I need to research further and post results.  I think I’m going to stop for now and write another post about the actual file embedding research that I did.

What can we take away from here?  I think the idea of keeping things simple is the way to go, Preview clearly does this.  I’m sure that there are people who use all the bells and whistles of Acrobat, but really, I mean how many people could there be?  No, that’s a legitimate question.  How many of you do?

Files that I used to run these tests can be found here