Smartphone Insecurity

Click to edit the outline text format

Second Outline Level

Third Outline Level Fourth Outline

Level Fifth Outline

Level Sixth

Outline Level

Seventh Outline Level

Eighth Outline Level

Ninth Outline LevelPresenter Title



Third Outline Level

Fourth Outline Level

Fifth Outline Level

Sixth Outline Level



Ninth Outline LevelDate

Smartphone Insecurity

• Georgia Weidman




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Agenda

Smartphone Security Basics

Common Attack Vectors and Examples

Mitigation Strategies

Common vulnerabilities in 3rd party apps

Attack strategies against apps

Secure coding practices for developing apps




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




What is a smartphone?




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




What’s on your phone

Personal info

Work info

Location info

Account info




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Do We Need Privacy? (SMS examples)

“Hi meet me for lunch”

“Meet me for lunch while my wife is out”

“Here is your bank account credentials”




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Attacks on Privacy (Infrastructure)

Cell Network




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level





Cell Network

Encryption??




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Is GSM traffic encrypted?

SMSPDU:07914140540510F1040B915117344588F100000121037140044A0AE8329BFD4697D9EC37




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Is GSM traffic encrypted?

Sending Number: 1-571-435-4881 Data: hellohello




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




2G(EDGE)

Bad crypto:

Up to the base station

Algorithms breakable

No authentication of base stations




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level





Cell Network

Research by: Chris Pagent




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Breaking 2G Crypto

Break session key to get on the network

A5/2 trivial to break

Karsten Nohl broke A5/1 in 2009 in minutes




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level





Cell Network

Research by: Chris Pagent




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Who cares about EDGE anyway?

Still deployed

By default phones will drop back to EDGE

Is anyone on EDGE right now?




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Mitigation Strategies

Replace 2G

Option to turn off 2G on phones

Encrypt data on phones before sending




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Attacks on Privacy (Platform)

=Attackers know how to attack these platforms




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Rooting/Jailbreaking

Exploiting kernel/platform flaws

Client side attacks

Gain system level privileges similarly to PC platforms




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




JailbreakMe 3.0

iPhone jailbreak

Client side flaw in PDF (Mobile Safari)

Kernel exploit

Research by Comex




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Rootstrap

Android app loads kernel exploits

Loads code dynamically

Runs native code

Packaged with interesting app

Research by: Jon Oberheide




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




DroidDream

Android app in the market

Rooted phones via kernel exploits

Stole information

Ran up charges

In the Wild




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Payload example: SMS botnet




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




SMS PDU

SMSPDU:07914140540510F1040B915117344588F100000121037140044A0AE8329BFD4697D9EC37




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




How the Botnet Works

1. Bot Receives a Message

1. Bot Decodes User Data

1. Checks for Bot Key

1. Performs Functionality




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level







1. Checks for Bot Key (Swallows Message)





Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level







1. Checks for Bot Key





Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Demo

Demo of Botnet Payload




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Mitigations for Platform Attacks

Updating

Better sandboxing

Vigilance from users




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




App attacks on privacy




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




App Stores

iPhone

Expensive

Closed

Identity verified

Android

Cheap

Self Signed

Open

Anonymous




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Android Permission Model

Specifically request permissions

Users must accept at install

Send SMS, Receive SMS, GPS location




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




App attacks on privacy

Is this system working? Are users making good decisions about apps?




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Top Android App of All Time




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Demo

Demo: App Abusing Permissions




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




App Attacks Mitigations

Oversight on apps

Analysis of permissions

User awareness




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Vulnerabilities in Android Apps

No coding standards for Android apps

Badly coded apps

Data Leak

Permission Leak




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Data Leak

Access to sensitive data

Insecure storage

sdcard

World readable

Stored in source code




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Return to the Source

Free tools available

Complete source available

Don’t store secrets here




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Demo

DEMO: Abusing bad storage practices




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Mitigating this risk

Store sensitive data privately

Don’t use the sdcard

Don’t put secrets in source code




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Permission leak through components

Other apps can call public components

That’s a reason Android is awesome

If not used safely, this can be dangerous




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Demo

DEMO: Stealing permissions from exposed components




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Mitigating This Risk

Require permissions to access components

Use custom permissions

Don’t have dangerous functionality accessible without user interaction




Level Fifth Outline

Level Sixth

Outline Level






Third Outline Level


Fifth Outline Level

Sixth Outline Level




Contact

Georgia Weidman

Security Consultant, Researcher, Trainer

Website: http://www.georgiaweidman.com

Slides: http://www.slideshare.net/georgiaweidman

Email:[email protected]

Twitter: @georgiaweidman

Smartphone Insecurity

Technology

Transcript of Smartphone Insecurity