Herding smartphones

Stratum Security Innovative Risk Solutions Herding Smartphones ISSA Tampa Bay - March 18, 2011

Description

Smartphone security presentation from ISSA Tampa Bay chapter meeting on 3/18/2011.

Transcript of Herding smartphones

Page 1: Herding smartphones

Stratum Security

Innovative Risk Solutions

Herding Smartphones - ISSA Tampa Bay - March 18, 2011

Page 2: Herding smartphones

About Me

Justin Morehouse, Principal Consultant

• Stratum Security

• Security Operations and Consulting

• Co-author of ‘Securing the Smart Grid’

• OWASP Tampa Chapter Founder & Leader

• Presented at DEF CON, ShmooCon, OWASP, and more

Page 3: Herding smartphones

My Love (Hate) Relationship w/ Smartphones

• Since 2008 I’ve owned, modified, and hacked the following:

• BlackBerry Bold 9700 & 8820

• T-Mobile (HTC) Dash (Windows Mobile 6.5)

• iPhone, 3G, 3GS (all iOS versions)

• Motorola Droid (Android 2.1, 2.2, 2.3)

• Samsung Galaxy S (Android 2.1)

Page 4: Herding smartphones

Smartphones...

Page 5: Herding smartphones

...are everywhere

Page 6: Herding smartphones

Question

Page 7: Herding smartphones

Smartphones outsold PCs in Q4

Page 8: Herding smartphones

1,000,000,000+ smartphone users by 2013

Page 9: Herding smartphones

...do amazing things

Page 10: Herding smartphones

Video Conferencing

Page 11: Herding smartphones

GPS Navigation

Page 12: Herding smartphones

Watch streaming videos

Page 13: Herding smartphones

...and are

constantly evolving

Page 14: Herding smartphones

Motorola Atrix

Page 15: Herding smartphones

Near Field Communications (NFC)

Page 16: Herding smartphones

Question

Page 17: Herding smartphones

How we use smartphones...

Page 18: Herding smartphones

Page 19: Herding smartphones

...as a phone

Page 20: Herding smartphones

...to check email

Page 21: Herding smartphones

...personal digital assistant

Page 22: Herding smartphones

...what about personal use?

Page 23: Herding smartphones

...entertainment

Page 24: Herding smartphones

...social networking

Page 25: Herding smartphones

...and more

Page 26: Herding smartphones

think about your mobile footprint

Page 27: Herding smartphones

Hackers do...

Page 28: Herding smartphones

...money talks

Page 29: Herding smartphones

objective based

Page 30: Herding smartphones

Attack Vectors...

Page 31: Herding smartphones

...phishing

Page 32: Herding smartphones

...rogue applications

Page 33: Herding smartphones

...drive-by downloads

Page 34: Herding smartphones

Examples...

Page 35: Herding smartphones

Demonstration (http://vimeo.com/18668105)

Page 36: Herding smartphones

Apps Gone Wild!!!

Page 37: Herding smartphones

DroidDream

• 50+ malicious (rogue) applications identified

• Available for download in the official Android Market

• Applications published by 3 “developers”

• Post IMEI & IMSI to a website in California

• Contain code to steal “sensitive information”

• Google remotely “wiping” rogue applications

• “Taking steps” to prevent this from happening again

Page 38: Herding smartphones

pwn2own 2011

Page 39: Herding smartphones

BlackBerry Torch 9800

• CanSecWest

• Vincenzo Iozzo, Willem Pinckaers & Ralf Philipp Weinmann

• WebKit vulnerability in BlackBerry OS 6+

• Set up a ‘rigged’ website

• Downloaded contacts and images, and wrote a file

• Same vulnerability used to hack the iPhone 4 (same team as well)

• BlackBerry “fix” = disable JavaScript

Page 40: Herding smartphones

Mitigation Steps...

Page 41: Herding smartphones

The sky is not falling...

Page 42: Herding smartphones

but attacks are increasing...

Page 43: Herding smartphones

strong policies & procedures

Page 44: Herding smartphones

Leverage existing technologies...

Page 45: Herding smartphones

...and evaluate new solutions

Page 46: Herding smartphones

ProSumer Recommendations

• Only install applications from trusted sources

• Review the permissions that applications ask for

• Utilize free/cheap tools

• Install updates (platform & apps)

Page 47: Herding smartphones

ProSumer Recommendations

• Don’t click on unsolicited links

• Set a strong password or pattern

• Install remote wipe/lock/locate apps