CoreTech Summer Internship: Jamie

I’m Jamie, an intern in the Operational Research team at CoreTech. This summer I worked at CoreTech for 9 weeks on a variety of projects ranging from hardware teardowns to secure software development. These projects were part of the CoreTech Academy, a continuous training programme that you will take part in during your time at CoreTech. This blog post will take you through a bit about my background, my time at CoreTech, and some advice that I picked up over the summer.

I’m a Computer Science student at the University of Glasgow. During my first year I made sure to get involved in a wide range of things outside of my course, one of them being Formula Student. I’m a member of UGRacing Driverless, the University of Glasgow’s Formula Student AI team. Driverless develops software for an autonomous car which we compete with at Silverstone each summer. During my time on the team, I’ve had the opportunity to improve my programming skills, particularly in Python and C++.

I also developed an interest in cybersecurity during first year. Websites like TryHackMe were a great way to implement and solidify the knowledge I was gaining through watching videos and reading up on the topic.

When it was time to start looking for internships, I was keen to combine these two topics. A placement at CoreTech seemed like a perfect fit, allowing me to further my programming skills whilst focusing on cybersecurity. Soon after applying I interviewed on Teams, discussing my background before working through an informal code review question. After receiving an offer, I was invited to the office to meet my buddy and some of the other people on the team. We all went out to get lunch before coming back to the office for a look around. 

On my first day I set up my laptop, met even more people, and started to familiarise myself with the work I would be doing. During my internship I worked with Fred, the other intern, on two Academy projects. The first of these focused on the Android APK for a suspicious children’s fitness tracker. After installing the app on a phone, the first red flag was the number of unexplained permissions that it required – access to the camera, call logs, etc. Why would a £20 kid’s fitness tracker ever need access to a camera? On top of this, the app was constantly running in the background. To fully disable it the user must force close it from the Android settings. 

This project was my first taste of vulnerability research (VR), one of CoreTech’s three specialties. After decompiling the APK with JadX and Ghidra, Fred and I split the workload. Our main goal was to retrieve firmware by intercepting an over-the-air (OTA) update, so initially I focused on dynamic analysis of the app’s network traffic using Wireshark and Burp. Strangely, the app never seemed to call out for a firmware update, even when the UI was displaying an ‘updating’ message.

This led us to the next stage – trying to develop an understanding of the APK using more reverse engineering techniques. Once we knew a bit about how it worked, we’d be able to try and force the update ourselves. This meant using the Frida API to instantiate the OtaEntity class and invoke its downloadOtaInfo method. Before this project I'd not had much experience with Java, let alone Frida, so there was a big learning curve. The introduction to a completely new skillset and mindset around software made for a very interesting project.

We succeeded in what we set out to do with Frida and successfully called a method on a class that we instantiated ourselves. However, after getting this working we discovered some bad news: the APK we were targeting was just a reskinned version of lots of others. This meant that, whilst the app seemed to support OTA updates and even displayed the watch’s firmware version, the manufacturer hadn’t fully implemented the ability to update the watch.

After hitting a dead-end trying to hook the APK with Frida, the next step was to tear down the watch and try and get the firmware in that way. During the summer CoreTech’s new hardware lab was under construction so, when it was finished, we got in there to make a start. We followed the hardware team’s standard process to tear down the watch, making sure to photograph and document everything as we made progress. Once the teardown was complete, we moved on to learning a bit about radio frequency (RF). This was so we could understand how you would go about sniffing the Bluetooth signals between the watch and the app. We used a HackRF One and gqrx to receive signals from public radio stations, Bluetooth devices, and even a car’s key-fob (one of our own, of course!) and work out their similarities and differences.

The couple of days in the hardware lab were really fun and, again, showed an entirely different side to security. Fred has written a blog post talking more about the rest of our hardware work as well as covering our second Academy project, which involved writing and cross-compiling a native binary for Android.

A photo of Jamie making full use of the hardware lab

There was plenty of opportunity to get to know people and socialise during the summer. The office is open-plan and has a large kitchen which makes meeting new people easy. The CoreTech VR Club was also set up this summer and provided another ideal way to meet new people. About 15 of us stayed after work one night for the first meeting, where we had pizza and beer whilst starting to set up our VR environment. The team is working to find bugs in Valorant, Riot Games’ anti-cheat software, with any bounties we might win going to charity. The evenings are a brilliant opportunity to learn more about VR approaches and methodologies, and I’m looking forward to staying involved remotely when I’m back at uni. 

During my time here I realised another big advantage of working at CoreTech: the intermeshing between the three teams. Whilst you might join Vulnerability Research, Operational Research, or Software Engineering, all three teams collaborate extremely closely. This means that, if you’re not entirely sure on what you want to specialise in, there is massive flexibility to try new things out. 

My final point is directed more towards people applying for their first internship. Applying for any internship can seem daunting, but especially so at a company renowned for having some of the world’s best. The idea of working here excited me, but I was slightly nervous that I would struggle with the work having only completed first year at uni. As it turned out, there was no need for this worry. Throughout the summer, everyone at the company was more than happy to help Fred and me with our projects, and people showed a real interest in what we were up to – solidifying in my mind that I was part of the team.
