Special Guests Bernie Lampe & Joanna Doute, Ask Us Anything About Android
Our listeners want to know more about Grayshift, our mission, and the knowledgeable people who work here creating powerful digital forensics tools. Our guest today is Bernie Lampe, Vice President of Research at Grayshift, and we’re talking about all things Android.
GrayKey has developed as a standout, game-changing leader in iOS access and extraction, but many people don’t realize that Grayshift also supports Android devices. So this episode is dedicated to talking about the Android capabilities related to GrayKey.
[01:53] Profile of this episode’s guest: Bernie Lampe, Vice President of Research – Grayshift
- Has experience in both government and the private sector
- Joined the Air Force in 1999
- He has presented at conferences and universities, and his research has been published.
- For the last several years, he has been working with government organizations on various projects, including remote sensing and vulnerability research
[10:54] When did Grayshift first release support for Android devices?
- Bernie was hired in May 2020, and in January 2021, Grayshift released support for the S20
- Android is meant to be more flexible than iOS. While iOS has a single version lineage, Android's versions spread out like a spider web
- Since the S20, Grayshift has focused on Samsung because the company is the biggest provider of vendor Android phones
- Grayshift has also made its way into the Moto space
[17:16] How to find good vulnerability researchers
- A good vulnerability researcher has to have reverse engineering skills.
- Code auditing experience is essential.
- Many people have the right things on their resumes, but they don’t necessarily have a practitioner’s level of working knowledge.
- The best people at this job are creative thinkers.
[24:29] Attack surfaces have become more complicated over time
- A researcher has to invest a lot of time and effort into understanding a particular narrow problem set that is complicated.
- While there is some crossover between Android and iOS, understanding each well requires individual focus.
- Encryption schemes are constantly changing, and the work people did years ago is less relevant now.
- Someone must be deeply invested in understanding what’s going on with one particular attack surface to devise techniques that no one else would know.
[35:23] Some of the biggest vulnerabilities in Android
- Vendors have added various security and ad hoc security mechanisms that have been poorly implemented and have become sources of vulnerabilities themselves.
- Android has a lag time between finding a bug and perfectly patching it because of infighting between different companies or within a company itself.
- One of the biggest problems with computer science in general, and with the software industry, is that there are no standards.
[41:07] Strategies for learning new devices
- The first step is finding the firmware and understanding the different pieces.
- The next step is researching by trying to find any open-source documentation, looking at the data, and looking at other online information about how people have approached this technology.
- One of the biggest challenges is knowing where to spend time in research. If a lot of information is available online, that route might not be a fertile attack surface because it has been vetted.
- If you can ask a question that no one has asked before, then typically, asking the right question leads to an answer quickly.
[50:21] How long does it take to research and develop a solution for Grayshift to add a phone to its support matrix?
- The timeframe can vary from months to years. While bugs are constantly found, the bugs aren’t necessarily usable.
- Grayshift’s exploit engineering team has done an amazing job of building automated systems to port bugs forward.
- If some phones are similar, they might have bugs that are portable. Support for those phones might be almost immediate. Because of fragmentation, each phone is configured differently, so they won’t have the same bugs and won’t be supported as quickly.
- The time between finding a vulnerability and actually finding an exploit can be long, but Grayshift is trying to speed that up by encapsulating fragmentation.
[01:11:15] Advice for someone wanting to start a career in software vulnerability research
- Not everyone has the temperament for research. People need to be prepared to fail and learn from failing.
- Someone is always on the other side trying to pull the bricks out of the bridge you’re trying to build, and then you have to start all over again.
- Learning how to learn is critical.
- The Art of Doing Science and Engineering: Learning to Learn: Richard W. Hamming, Bret Victor
- Richard Hamming: “Learning to Learn” – YouTube