Transcript of: Security Through Obscurity... powered by HTTPS! (Troopers IT-Security Conference)
Page 1
Security Through Obscurity... powered by HTTPS!
Peter Frühwirt, SBA Research
Sebastian Schrittwieser, FH St. Pölten
redacted version
Page 2
Live demo on Wowtalk
Page 3
Diagram: Server, Attacker Phone, Target Phone, SMS Proxy
1. (HTTPS): Request
2a. (SMS): PIN
2b. (HTTPS): PIN
Page 4
SSL != protection against protocol analysis
Page 5
SSL interception enables man-in-the-middle attacks
for protocol analysis purposes
Page 6
transport layer encryption cannot replace good protocol design!
Page 7
Certificates?
Page 8
http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c
Page 9
Quizduell
Page 10
extremely popular in Germany
Page 11
extremely popular in Germany
Page 12
Let’s play a round of Quizduell ;)
Page 13
Curiosity
Page 14
November 2012 - May 2013
Page 15
326 layers
Page 16
69 billion small cubes
Page 17
4 million players
Page 18
3,000,000,000 coins for a diamond chisel
Page 19
Bonus points for clearing the entire screen!
Page 20
Parameter for multiplier is set by the server!
Page 21
[...]&backgroundColor=blue&backgroundText=Curiosity&bonusMultiplier=10&hardwareID=<UDID>&[...]
10000000
Page 22
Page 23
Photoswap
Page 24
http://www.server.com/images/12345.jpg
http://www.server.com/images/12347.jpg
http://www.server.com/images/12349.jpg
http://www.server.com/images/12351.jpg
http://www.server.com/images/12353.jpg
Page 25
for i in {1..12345}; do wget -k http://www.server.com/images/$i.jpg; done
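The Photoswap URLs above differ only by a sequential number, and the one-line loop fetches every image without any credential, because the server never asks who is requesting. Transport encryption does not change that: the client sees its own URLs. The following is an added example, not code from the slides, contrasting a toy image store with counter-based IDs and no ownership check against one with unguessable IDs plus a per-request authorization check. All class and function names, and the sample uploads, are constructed for this example.

```python
# Added example, not code from the Troopers slides: a toy image store that
# contrasts the pattern behind the Photoswap URLs on the slide (sequential,
# guessable image IDs with no ownership check) with unguessable IDs plus a
# per-request authorization check. Class and function names are ours.
from __future__ import annotations

import secrets
from typing import Iterable, Optional


class SequentialImageStore:
    """Weak variant: the image ID is a counter and any caller may fetch any ID."""

    def __init__(self, first_id: int = 12345) -> None:
        self._next_id = first_id
        self._images: dict[int, tuple[str, bytes]] = {}

    def upload(self, owner: str, data: bytes) -> int:
        image_id = self._next_id
        self._next_id += 2  # the slide's IDs advance by two; any fixed step is enumerable
        self._images[image_id] = (owner, data)
        return image_id

    def fetch(self, requester: str, image_id: int) -> Optional[bytes]:
        # The requester is ignored: knowing (or guessing) the ID is enough.
        entry = self._images.get(image_id)
        return entry[1] if entry is not None else None


class TokenImageStore:
    """Hardened variant: 128-bit random IDs and an ownership check on every fetch."""

    def __init__(self) -> None:
        self._images: dict[str, tuple[str, bytes]] = {}

    def upload(self, owner: str, data: bytes) -> str:
        image_id = secrets.token_urlsafe(16)  # 16 random bytes, URL-safe encoded
        self._images[image_id] = (owner, data)
        return image_id

    def fetch(self, requester: str, image_id: str) -> Optional[bytes]:
        entry = self._images.get(image_id)
        if entry is None or entry[0] != requester:
            return None  # unknown ID or not the owner: same answer, nothing leaks
        return entry[1]


def count_readable(store, requester: str, candidate_ids: Iterable) -> int:
    """How many of the candidate IDs a given requester can read.

    A defender's self-test: the same walk over candidate IDs that the wget
    loop on the slide performs should return 0 for a non-owner.
    """
    return sum(1 for image_id in candidate_ids if store.fetch(requester, image_id) is not None)


if __name__ == "__main__":
    weak = SequentialImageStore()
    for payload in (b"photo-1", b"photo-2", b"photo-3"):  # constructed sample uploads
        weak.upload("alice", payload)
    print("weak store, non-owner can read:", count_readable(weak, "mallory", range(12345, 12360)))

    strong = TokenImageStore()
    ids = [strong.upload("alice", p) for p in (b"photo-1", b"photo-2", b"photo-3")]
    print("hardened store, non-owner can read:", count_readable(strong, "mallory", ids))
    print("hardened store, owner can read:", count_readable(strong, "alice", ids))
```

The random ID alone is not the fix; it only makes the enumeration impractical. The ownership check in `fetch` is what makes a leaked or shared URL useless to anyone but the owner, and returning `None` for both "unknown" and "not yours" keeps the response from confirming which IDs exist.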
Page 26
Demo
Page 27
Countermeasures?
Page 28
Certificate Pinning
Verification that a particular certificate is used
Page 29
Reduced costs
Increased security
Less flexibility
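Pinning adds a check on top of normal chain validation: the client only talks to a server whose certificate matches a digest shipped with the app, so an interception proxy whose CA has been installed on the device passes the system's validation but fails the pin. The following is an added example, not code from the slides or from any of the apps named on them, using Python's standard `ssl` module. `SAMPLE_CERT_DER` and the placeholder backup pin are constructed values; `open_pinned_connection()` needs a real host to do anything and is shown for the shape of the check.

```python
# Added example, not code from the slides: certificate pinning on top of the
# standard Python TLS stack. The pin is the SHA-256 digest of the server's
# DER-encoded certificate; SAMPLE_CERT_DER and the pin set are constructed
# sample values, open_pinned_connection() needs a real host to do anything.
from __future__ import annotations

import hashlib
import hmac
import socket
import ssl


class PinMismatch(ssl.SSLError):
    """Raised when the presented certificate matches none of the pinned digests."""


def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 over the DER certificate, the value you would pin."""
    return hashlib.sha256(cert_der).hexdigest()


def check_pin(cert_der: bytes, pins: set[str]) -> bool:
    """True if the certificate matches one of the pinned digests (constant-time compare)."""
    fp = cert_fingerprint(cert_der)
    return any(hmac.compare_digest(fp, pin.lower()) for pin in pins)


def open_pinned_connection(host: str, port: int, pins: set[str], timeout: float = 5.0) -> ssl.SSLSocket:
    """TLS-connect to host:port and fail unless the peer certificate is pinned.

    The default context still performs ordinary chain and hostname validation;
    the pin is an additional check. An interception proxy whose CA has been
    installed on the device passes chain validation but fails the pin.
    """
    context = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = context.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not check_pin(der, pins):
            raise PinMismatch(f"certificate presented by {host} is not pinned")
    except Exception:
        tls.close()
        raise
    return tls


# Constructed stand-in for a DER certificate; real pins come from the deployed cert.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"

# Ship the current pin plus a backup pin for the next certificate, so a planned
# renewal does not lock every installed client out (the "less flexibility" cost).
PINS = {
    cert_fingerprint(SAMPLE_CERT_DER),
    "0000000000000000000000000000000000000000000000000000000000000000",  # placeholder backup pin
}

if __name__ == "__main__":
    print("sample cert pinned:", check_pin(SAMPLE_CERT_DER, PINS))
    print("different cert pinned:", check_pin(SAMPLE_CERT_DER + b"!", PINS))
```

Pinning the whole certificate is the simplest form and breaks on every renewal; pinning the SubjectPublicKeyInfo instead survives a renewal that keeps the key. Either way the backup pin and a rotation plan are what keep "increased security" from turning into a locked-out user base.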
Page 30
Chart: certificate pinning vs. no certificate pinning among the examined apps (75 % / 25 %)
Apps shown: Facebook Messenger, Shazam, eBay, ÖBB Scotty, AntiVirus Security, Tango, Google Earth, LOVOO, Geizhals, Stocard, AutoScout24, wetter.com, LogoQuiz, WhatsApp, Snapchat, Tinder, Navigon, Runtastic, iMessage, Quizduell, AppStore, Viber, Hike, Rublys
Page 31
E-Banking apps?
Bank Austria
Erste Bank Sparkasse
Commerzbank
Eniteo DZ Bank
ING Diba
Raiffeisen Bank
Postbank
Union Bank
Volksbank
Volksbanken Raiffeisenbanken
Deutsche Bank
UBS Mobile Banking
Alpha Bank
Westpac Banking
BNI Internet Banking
BNP Paribas
Bank Republic
Targobank
Page 32
never ever trust the client (even if it’s your own client)!
server-side validation of every client request
(the 80’s called and want their advice back)
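The Curiosity request on page 21 is the concrete case: the query string carries `bonusMultiplier=10`, and a server that multiplies by whatever arrives has handed the scoring rule to the client. The following is an added example, not code from the slides or from the game, showing a handler that trusts the client's multiplier next to one that validates every field against server-side state. `cubesCleared`, `SERVER_GAME_STATE` and the device ID are constructed for the example; the handler names are ours.

```python
# Added example, not code from the slides. It models the Curiosity score
# submission: the request carries bonusMultiplier=10 and hardwareID exactly as
# the query string on the slide does. cubesCleared, SERVER_GAME_STATE and the
# device ID are constructed for the example; the handler names are ours.
from urllib.parse import parse_qs

BASE_POINTS_PER_CUBE = 1

# Server-side game state keyed by hardwareID (constructed sample data).
SERVER_GAME_STATE = {
    "device-constructed-0001": {"bonus_multiplier": 1, "max_cubes_this_turn": 500},
}

# The slide's query string with a client-chosen multiplier (the "[...]" parts left out).
TAMPERED_REQUEST = (
    "backgroundColor=blue&backgroundText=Curiosity&bonusMultiplier=10"
    "&hardwareID=device-constructed-0001&cubesCleared=400"
)


class InvalidRequest(ValueError):
    """Rejected by server-side validation."""


def _param(params: dict, name: str) -> str:
    values = params.get(name)
    if not values or len(values) != 1:
        raise InvalidRequest(f"missing or repeated parameter: {name}")
    return values[0]


def _int_param(params: dict, name: str) -> int:
    try:
        return int(_param(params, name))
    except ValueError as exc:
        raise InvalidRequest(f"parameter {name} is not an integer") from exc


def score_trusting_client(query: str) -> int:
    """Weak handler: multiplies by whatever bonusMultiplier the client sent."""
    params = parse_qs(query, keep_blank_values=True)
    cubes = _int_param(params, "cubesCleared")
    multiplier = _int_param(params, "bonusMultiplier")  # attacker-controlled
    return cubes * BASE_POINTS_PER_CUBE * multiplier


def score_validated(query: str) -> int:
    """Hardened handler: every client-supplied value is checked against server state.

    bonusMultiplier in the request is ignored entirely; the server's own value
    for this device is used. The claimed cube count is bounded by what the
    server knows the current turn could contain.
    """
    params = parse_qs(query, keep_blank_values=True)
    device = _param(params, "hardwareID")
    state = SERVER_GAME_STATE.get(device)
    if state is None:
        raise InvalidRequest("unknown hardwareID")
    cubes = _int_param(params, "cubesCleared")
    if not 0 <= cubes <= state["max_cubes_this_turn"]:
        raise InvalidRequest("claimed cube count is impossible for this turn")
    return cubes * BASE_POINTS_PER_CUBE * state["bonus_multiplier"]


if __name__ == "__main__":
    print("trusting client:", score_trusting_client(TAMPERED_REQUEST))  # 4000
    print("server-side validated:", score_validated(TAMPERED_REQUEST))  # 400
```

The hardened handler does not try to detect tampering with `bonusMultiplier`; it simply never reads it. Anything the server already knows (multiplier, turn limits, device identity) must come from the server's own state, and anything it must accept from the client (the cube count) gets a plausibility bound.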
Page 33
secure side channel
establish a trusted second channel
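The Wowtalk diagram on page 3 is the counterexample to this slide: the PIN goes out by SMS (2a) and also comes back in the HTTPS response (2b), so the second channel exists but proves nothing, because the phone that sent the request receives the PIN without holding the target phone. The following is an added example, not code from the slides or from Wowtalk, that simulates both variants of the flow with a stand-in SMS gateway. `SmsGateway`, `VerificationServer`, the phone numbers and the message format are all constructed for this example.

```python
# Added example, not code from the slides. It reconstructs the phone-number
# verification flow from the Wowtalk diagram: a phone asks the server over
# HTTPS to verify a number (1), the server sends a PIN by SMS (2a). In the weak
# variant the PIN is also returned in the HTTPS response (2b), so whoever sent
# the request gets the PIN without holding the target phone. The corrected
# variant returns only an opaque challenge id and keeps the PIN server-side.
# SmsGateway stands in for the SMS proxy; all names and numbers are constructed.
from __future__ import annotations

import hashlib
import hmac
import secrets
import time


class SmsGateway:
    """Stand-in for the SMS proxy: records every message instead of sending it."""

    def __init__(self) -> None:
        self.sent: list[tuple[str, str]] = []

    def send(self, number: str, text: str) -> None:
        self.sent.append((number, text))


def _pin_hash(pin: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def _new_pin() -> str:
    return f"{secrets.randbelow(10**6):06d}"  # six digits from a CSPRNG


class VerificationServer:
    def __init__(self, sms: SmsGateway, ttl_seconds: float = 300.0, max_attempts: int = 3) -> None:
        self.sms = sms
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._pending: dict[str, dict] = {}
        self.verified: set[str] = set()

    def request_weak(self, number: str) -> dict:
        """Steps 1, 2a and 2b as the diagram shows them: the PIN rides back over HTTPS."""
        pin = _new_pin()
        self.sms.send(number, f"Your PIN: {pin}")
        return {"status": "ok", "pin": pin}  # the second channel is bypassed entirely

    def request(self, number: str) -> dict:
        """Steps 1 and 2a only: the PIN leaves the server through the SMS channel alone."""
        pin = _new_pin()
        challenge_id = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        self._pending[challenge_id] = {
            "number": number,
            "salt": salt,
            "hash": _pin_hash(pin, salt),  # the plaintext PIN is not stored
            "expires": time.monotonic() + self.ttl,
            "attempts": 0,
        }
        self.sms.send(number, f"Your PIN: {pin}")
        return {"status": "ok", "challenge_id": challenge_id}

    def confirm(self, challenge_id: str, pin: str) -> bool:
        """Client presents the PIN it read from the SMS; single-use, rate-limited, expiring."""
        challenge = self._pending.get(challenge_id)
        if challenge is None:
            return False
        if time.monotonic() > challenge["expires"]:
            del self._pending[challenge_id]
            return False
        challenge["attempts"] += 1
        if challenge["attempts"] > self.max_attempts:
            del self._pending[challenge_id]  # too many guesses: challenge burned
            return False
        ok = hmac.compare_digest(_pin_hash(pin, challenge["salt"]), challenge["hash"])
        if ok:
            del self._pending[challenge_id]  # single use
            self.verified.add(challenge["number"])
        return ok


def pin_from_sms(gateway: SmsGateway) -> str:
    """What only the holder of the target phone can do: read the last SMS."""
    return gateway.sent[-1][1].split()[-1]


if __name__ == "__main__":
    gw = SmsGateway()
    server = VerificationServer(gw)
    print("weak response leaks PIN:", "pin" in server.request_weak("+00-constructed"))
    resp = server.request("+00-constructed")
    print("hardened response leaks PIN:", "pin" in resp)
    print("holder of the phone can confirm:", server.confirm(resp["challenge_id"], pin_from_sms(gw)))
```

The property to check when reviewing such a flow is that the HTTPS response to the requester contains nothing that would let the requester complete the verification on its own. The attempt limit and expiry matter too: a six-digit PIN that can be guessed without bound is another way of not needing the phone.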
Page 34
Conclusions
Page 35
‣ Many smartphone applications implement insecure protocols
‣ These protocols are hidden behind transport encryption, which does not prevent protocol analysis
‣ Don’t rely on Security through Obscurity
Page 36
Peter Frühwirt
IT security researcher, SBA Research
Doctoral student, TU Wien
Mobile Security | Digital forensics in Databases
Page 37
Sebastian Schrittwieser
Lecturer, Fachhochschule St. Pölten
Doctoral student, TU Wien
Code obfuscation | Fingerprinting of anonymized microdata
Mobile security | Digital forensics | Research ethics