Original URL: http://www.theregister.co.uk/2012/03/13/jester_qr_exploits/

Jester hacker brags of mobe attack on Anonymous, baby-kisser

Pwned by QR code - or wind-up?

By John Leyden

Posted in Security, 13th March 2012 14:38 GMT

A hacker known as The Jester claims to have siphoned personal information from prominent members of Anonymous, a US politician and other assorted "enemies" after running a mobile malware-based attack that relied on the curiosity of his intended victims. The raid is unconfirmed.

In a blog post reminiscent of the penultimate act of a James Bond movie, the Jester described "how he done it".

The Jester said he laid a trap for intended victims by changing the icon for his Twitter account (@th3j35t3r) to a QR-code, just after news of last week's Anonymous/LulzSec arrests broke.

Victims induced "by their own curiosity" to scan this QR-code into their mobile phones were taken to a website loaded with mobile browser exploits that targeted both Android and iPhone users. The exploits reportedly relied on security bugs lodged inside the WebKit framework that is used by several mobile browsers.

According to the hacker, malicious code he used in the "attack" handed over the compromised users' Twitter credentials via a netcat command to the so-called patriot hacker. The Jester claims he checked these credentials against a list of known targets before moving on to the next phase of the attack: further exploitation.

"Enemies" of the hacker listed as targets included @AnonymousIRC, @wikileaks, @anonyops, @barretbrownlol (the Twitter address of sometime Anonymous spokesman Barrett Brown) and @RepDanGordon (Rhode Island State Representative Dan Gordon) and others. Gordon made it onto The Jester's hit list for his comments on Twitter referencing Anonymous in what The Jester saw as a sign of approval for the hacktivist group.

The Jester, previously most famous for claiming credit for an application-based DDoS attack against WikiLeaks and for disrupting pro-Jihadist websites, said he raised his permissions on each exploited device. iOS has a default username/password combination of root/alpine, making this step of the process simple on iPhones.

The process is more complicated on Android but even there a variety of attack tools exist. After obtaining these elevated privileges, the Jester then allegedly extracted data from databases on compromised devices, which he claimed allowed him to obtain SMS, voicemail, call logs, and email*.

That's the theory. In practice the hack would have involved taking the next steps in exploits already demonstrated by famed white-hat hacker Charlie Miller and others. In addition, the assault would have relied on users sticking to default SMS and email applications, as explained in an informative commentary on the attack by Johannes Ullrich, a security researcher at the SANS Institute's Internet Storm Centre.

Damage analysis

It's unclear whether the attack, clever though it was, actually claimed any victims. It's quite possible that the hack was entirely unsuccessful and The Jester is only claiming otherwise in a bid to wind up his enemies and possibly induce them into making a security lapse that he can exploit.

The Jester has wasted little time taunting his intended victims in messages that set out to justify his hijinks, which pose obvious privacy worries for regular smartphone users, as carefully targeted against known "bad guys".

"I had a list of 'targets' twitter usernames I was interested in, these were comprised of usernames of: Islamic Extremists, Al Qaeda Supporters, Anonymous Members, Lulz/Antisec Members," The Jester writes in a blog post entitled Curiosity Pwned the Cat.

"EVERYONE else without exception was left totally 'untouched' so to speak. This was a proof of concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world. I do not feel sorry for them.

"In the interests of convenience I will be taking the liberty of uploading the captured bad-guy data in a signed PGP encrypted file to a suitable location very soon. How's that for 'lulz'?"

The Jester posted a PGP data file from his Webkit Exploit op on Monday night. Since the data is encrypted it could be anything, or nothing. The Jester claims more than 1,200 curious netizens scanned the QR code – of which 500 devices "reverse shelled back to the listening server" (stage one of the attack). He claims that a "significant number" of these 500 were on his 'shit-list' and as such treated as valid targets. The patriot hacker doesn't say how many were compromised, if any.

US state representative Dan Gordon (Republican) reportedly reacted angrily to news that he might have been targeted, threatening to report the patriot hacker to the feds for offences ranging from threatening a state official to hacking the mobile phone of an elected politician. Gordon later said he had not scanned the Jester's QR code and thus couldn't possibly have been hacked, via a succession of Twitter updates on Monday pointing to posts that cast doubt on the plausibility of the supposed attack. "@m4yH3mKITTEH @th3j35t3r/fag @ChronicleSU bit.ly/zwevPv More nonsense. Plus, couldn't have executed if I never scanned it, right?", one such Tweet said. ®

Bootnote

* The database for Tweetie holds "Twitter username, recent searches, device UDIDs, among other information", which would make it trivial for The Jester to identify iPhone users who happen to use the default Twitter application on iOS, the ISC explains.