VULNERABILITY ELIMINATION BY FORCE OF NEW MOBILE OS
SECURITY RESEARCHER / PhD. YURY CHEMERKIN
CONFidence'2013
www.linkedin.com/in/yurychemerkin
http://sto-strategy.com

  1. VULNERABILITY ELIMINATION BY FORCE OF NEW MOBILE OS. SECURITY RESEARCHER / PhD. YURY CHEMERKIN. CONFidence'2013
  2. [ Yury Chemerkin ] www.linkedin.com/in/yurychemerkin http://sto-strategy.com yury.chemerkin@gmail.com
     - Experienced in:
       - Reverse Engineering & AV
       - Software Programming & Documentation
       - Mobile Security and MDM
       - Cyber Security & Cloud Security
       - Compliance & Transparency
       - and Security Writing
     - Hakin9 Magazine, PenTest Magazine, eForensics Magazine, Groteck Business Media
     - Participation at conferences
       - InfoSecurityRussia, NullCon, AthCon, PHDays
       - CYBERCRIME FORUM, Cyber Intelligence Europe/Intelligence-Sec
       - ICITST, CyberTimes, ITA, I-Society
  3. BLACKBERRY SECURITY ENVIRONMENT
     BLACKBERRY EVALUATES EVERY REQUEST THAT AN APPLICATION MAKES TO ACCESS A CAPABILITY
     - BLACKBERRY ENTERPRISE SERVICE HELPS MANAGE AND PROTECT BLACKBERRY, IOS, AND ANDROID DEVICES.
     - UNIFIED COMMUNICATION AND COLLABORATION SOFTWARE
     - DESIGNED TO HELP PROTECT DATA THAT IS IN TRANSIT AT ALL POINTS AS WELL AS IN MEMORY AND STORAGE
     - ENHANCED BY A CONTROL OF THE BEHAVIOR OF THE DEVICE
     - PROTECTION OF APPLICATION DATA USING SANDBOXING
     - MANAGEMENT OF PERMISSIONS TO ACCESS CAPABILITIES
     - BB EVALUATES EVERY REQUEST THAT AN APP MAKES – BUT LEADS AWAY FROM ANY DETAILS AND APIs
  4. KNOWN ISSUES
     MALWARE BOUNDS BECOME UNCLEAR…
     - BLACKBERRY HANDLES SEVERAL TECHNOLOGIES
       - NATIVE
         - BLACKBERRY 10, BLACKBERRY PLAYBOOK
         - OLD BLACKBERRY DEVICES
       - THIRD PARTY
         - ADOBE AIR FOR NEW BB DEVICES
         - ANDROID APPLICATIONS & DEVICES
         - IOS DEVICES
     - ALL CONTROLLED OBJECTS ARE LIMITED BY
       - SANDBOX
       - PERMISSIONS
       - SECURITY FEATURES ON DEVICEs & MDMs
     - COMPLIANCE BRINGS USELESS RECOMMENDATIONS
     - USER-MODE MALWARE
       - SPYWARE
       - ROOTKITS
       - EXPLOITS & ATTACKS
         - REVERSING NETWORK LAYER
         - PARTIALLY RECOVERING DATA VS. SANDBOX
     - MDM vs. COMPLIANCE
       - THE SET OF RECOMMENDATIONS IS SMALLER THAN THE SET OF MDM FEATURES
       - YOUNG STANDARDS
         - FIRST REVISIONS
         - DRAFT REVISIONS
  5. BLACKBERRY CAPABILITIES - ANDROID
     CONTROLLED FOUR GROUPS ONLY by BlackBerry
     CONTROLLED 74 OUT OF 200 APIs ONLY by Android
     - CAMERA AND VIDEO
       - HIDE THE DEFAULT CAMERA APPLICATION
     - PASSWORD
       - DEFINE PASSWORD PROPERTIES
       - REQUIRE LETTERS (incl. case)
       - REQUIRE NUMBERS
       - REQUIRE SPECIAL CHARACTERS
       - DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER INCORRECT PASSWORD ATTEMPTS
       - DEVICE PASSWORD
       - ENABLE AUTO-LOCK
       - LIMIT PASSWORD AGE
       - LIMIT PASSWORD HISTORY
       - RESTRICT PASSWORD LENGTH
       - MINIMUM LENGTH FOR THE DEVICE PASSWORD THAT IS ALLOWED
     - ENCRYPTION
       - APPLY ENCRYPTION RULES
       - ENCRYPT INTERNAL DEVICE STORAGE
     - TOUCHDOWN SUPPORT
       - MICROSOFT EXCHANGE SYNCHRONIZATION
       - EMAIL PROFILES
       - ACTIVESYNC
  6. BLACKBERRY CAPABILITIES - iOS
     CONTROLLED 16 GROUPS ONLY by BlackBerry
     that's QUITE SIMILAR to APPLE MDM SOLUTIONS
     - BROWSER
     - DEFAULT APP, AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
     - MESSAGING (DEFAULT APP)
     - BACKUP / DOCUMENT PICTURE / SHARING
     - ONLINE STORE
     - CAMERA, VIDEO, VIDEO CONF
     - CERTIFICATES (UNTRUSTED CERTs)
     - MESSAGING (DEFAULT APP)
     - CLOUD SERVICES
     - PASSWORD (THE SAME AS ANDROID, NEW BLACKBERRY DEVICES)
     - PHONE AND MESSAGING (VOICE DIALING)
     - CONNECTIVITY
     - OUTPUT, SCREEN CAPTURE, DEFAULT APP
     - BACKUP / DOCUMENT / PICTURE / SHARING
     - ONLINE STORES, PURCHASES, PASSWORD
     - DEFAULT STORE / BOOK / MUSIC APP
     - PROFILE & CERTs (INTERACTIVE INSTALLATION)
     - NETWORK, WIRELESS, ROAMING
     - DATA, VOICE WHEN ROAMING
     - SOCIAL (DEFAULT APP)
     - CONTENT (incl. EXPLICIT)
     - RATING FOR APPS / MOVIES / TV SHOWS / REGIONS
     - CONTENT
     - DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
     - STORAGE AND BACKUP
     - SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
     - DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
     - DEVICE BACKUP AND ENCRYPTION
     - VOICE ASSISTANT (DEFAULT APP)
  7. BLACKBERRY CAPABILITIES – BLACKBERRY (QNX)
     CONTROLLED 7 GROUPS ONLY by BlackBerry
     that's NOT ENOUGH TO MANAGE ALL APIs
     - GENERAL
     - MOBILE HOTSPOT AND TETHERING
     - PLANS APP, APPWORLD
     - PASSWORD (THE SAME AS ANDROID, iOS)
     - BES MANAGEMENT (SMARTPHONES, TABLETS)
     - SOFTWARE
     - OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER
     - TRANSFER THROUGH WORK PERIMETER TO SAME/ANOTHER DEVICE
     - BBM VIDEO ACCESS TO WORK NETWORK
     - VIDEO CHAT APP USES ORGANIZATION'S WI-FI/VPN NETWORK
     - SECURITY
     - CERTIFICATES & CIPHERS & S/MIME
     - HASH & ENCRYPTION ALGS AND KEY PARAMS
     - TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC
     - WI-FI PROFILES
     - WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
     - VOICE CONTROL & DICTATION IN WORK & USER APPS
     - BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
     - PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
     - PERSONAL SPACE DATA ENCRYPTION
     - EMAIL PROFILES
     - NETWORK ACCESS CONTROL FOR WORK APPS
     - PERSONAL APPS ACCESS TO WORK CONTACTS
     - SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
     - WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
     - ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
     - PROXY PASSWORD/PORT/SERVER/SUBNET MASK
     - VPN PROFILES
     - PROXY, SCEP, AUTH PROFILE PARAMS
     - TOKENS, IKE, IPSEC OTHER PARAMS
     - PROXY PORTS, USERNAME, OTHER PARAMS
  8. BLACKBERRY CAPABILITIES – BLACKBERRY (OLD)
     AN INCREDIBLE NUMBER OF GROUPS, UNITS AND PERMISSIONS ARE CONTROLLED BY MDM AND DEVICE
     - THERE ARE 55 GROUPS CONTROLLED IN ALL
     - EACH GROUP CONTAINS FROM 10 TO 30 UNITS THAT ARE CONTROLLED TOO
     - EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs INSTEAD OF A 'DISABLE/ENABLE & HIDE/UNHIDE' APPROACH
     - EACH EVENT IS
       - CONTROLLED BY A CERTAIN PERMISSION
       - ALLOWED TO BE CONTROLLED BY SIMILAR PERMISSIONS TO BE MORE FLEXIBLE
       - DESCRIBED IN 360 PAGES IN ALL, FOUR TIMES MORE THAN OTHER DOCUMENTS
     - EACH UNIT CAN'T CONTROL ACTIVITY UNDER ITSELF
       - 'CREATE, READ, WRITE/SAVE, SEND, DELETE' ACTIONS IN REGARD TO MESSAGES LEAD TO SPOOFING BY REQUESTING A 'MESSAGE' PERMISSION ONLY
       - SOME PERMISSIONS AREN'T REQUIRED (TO DELETE ANY OTHER APP)
       - SOME PERMISSIONS ARE RELATED TO THE APP IN WHICH A 3RD PARTY PLUGIN WAS EMBEDDED, INSTEAD OF TO THAT PLUGIN
  9. BlackBerry MDM (chart: Quantity of Groups, Average perm per group, Efficiency, Total permissions)

     |                        | BlackBerry Old | iOS   | BlackBerry QNX | Android |
     |------------------------|----------------|-------|----------------|---------|
     | Quantity of Groups     | 55             | 16    | 7              | 4       |
     | Average perm per group | 20             | 5     | 7              | 4       |
     | Efficiency             | 80,00          | 38,46 | 31,82          | 10,26   |
     | Total permissions      | 1100           | 80    | 49             | 16      |
  10. ISSUES: USELESS SOLUTIONS - I
      USEFUL IDEAS AT FIRST GLANCE, BUT INSTEAD MAKE NO SENSE
      - OLD BB: MERGING PERMISSIONS INTO GROUPS
        - 'SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS' SEPARATED (PREVIOUS BB)
        - 'SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS' MERGED INTO ONE UNIT (LATEST BB)
      - QNX-BB: SCREEN CAPTURE
        - IS ALLOWED VIA HARDWARE BUTTONS ONLY
        - NO EMULATION OF HARDWARE BUTTONS AS IT WAS IN OLD BLACKBERRY DEVICES
        - LOCKS WHEN WORK PERIMETER HAS BECOME TO PREVENT SCREEN-CAPTURE LOGGERS
      - OLD BB: A SANDBOX HAS NEVER BEEN ANNOUNCED
        - ALL DATA ACCESSIBLE EXCEPT APP & SYSTEM DATA DUE TO GENERAL PERMISSION
      - QNX-BB: OFFICIALLY ANNOUNCED SANDBOX
        - MALWARE IS A PERSONAL APPLICATION SUBTYPE IN TERMS OF BLACKBERRY's SECURITY
        - SANDBOX PROTECTS ONLY APP DATA, WHILE USER DATA IS STORED IN SHARED FOLDERS
  11. ISSUES: USELESS SOLUTIONS - II
      USEFUL IDEAS AT FIRST GLANCE, BUT INSTEAD MAKE NO SENSE
      - OLD BB: SECURE & INSECURE IM CHATS AT THE SAME TIME
        - HAS ENCRYPTED COMMUNICATION SESSIONS
        - STORES CHAT CONVERSATIONS IN PLAIN TEXT WITHOUT ENCRYPTION (EVEN BBM)
        - INACCESSIBLE FROM THE DEVICE BECAUSE OF UNKNOWN FILE TYPE (.CSV)
      - UPGRADE FEATURE AFFECTS EVERYTHING
        - UPDATE APP THAT CALLS THIS API – USE GENERAL API
        - REMOVE APP THAT CALLS THIS APPS – USE GENERAL API
        - REMOVE ANY OTHER APP UNDER THE SAME API WITHOUT NOTIFICATION
        - HANDLE WITH PC TOOLS ON OLD BB DEVICES WITHOUT DEBUG / DEVELOPMENT MODE
      - OLD BB: CLIPBOARD (HAS NEVER EXISTED ANYWHERE AND MIGHT HAVE EVER)
        - REVEAL THE DATA IN REAL TIME BY ONE API CALL
        - NATIVE WALLETS PROTECT BY RETURNING NULL
          - WHILE THE ON TOP || JUST MINIMIZE OR CLOSE IT TO GET FULL ACCESS
          - EVERY USER CASE MUST MINIMIZE APP TO PASTE A PASSWORD
  12. ISSUES: USELESS SOLUTIONS – III
      THE GUI EXPLOITATION (OLD BB) – NATIVE APPs
      - INITIALLY BASED ON AUTHORIZED API COVERED
        - ALL PHYSICAL & NAVIGATION BUTTONS
        - TYPING TEXTUAL DATA, AFFECT ALL APPs
      - SECONDARY BASED ON ADDING THE MENU ITEMS
        - INTO THE GLOBAL / "SEND VIA" MENU
        - AFFECT ALL NATIVE APPLICATIONS
      - NATIVE APPs ARE DEVELOPED BY BLACKBERRY
        - WALLETS, SOCIAL, SETTINGS, IMs,…
      - GUI EXPLOITATION
        - REDRAWING THE SCREENS
        - GRABBING THE TEXT FROM ANY FIELDs (INCL. PASSWORD FIELD)
        - ADDING, REMOVING THE FIELD DATA
        - ORIGINAL DATA IS INACCESSIBLE BUT NOT AFFECTED
        - ADDING GUI OBJECTS BUT NOT SHUFFLING
      3RD PARTY SECURE SOLUTIONS RUIN THE SECURITY
      - KASPERSKY MOBILE SECURITY PROVIDES
        - FIREWALL, WIPE, BLOCK, INFO FEATURES
        - NO PROTECTION FROM REMOVING .CODs & UNDER SIMULATOR
          - EXAMINING THE TRAFFIC, BEHAVIOUR
          - JUST SHOULD CHECK API "IS SIMULATOR" ONLY
        - SMS MANAGEMENT VIA "QUITE" SECRET SMS
          - PASSWORD IS 4–16 DIGITS, AND MODIFIED IN REAL-TIME
          - SMS IS A HALF A HASH VALUE OF GOST R 34.11-94
          - IMPLEMENTATION USES TEST CRYPTO VALUES AND NO SALT
          - TABLES (VALUEHASH) ARE EASILY BUILT
          - OUTGOING SMS CAN BE SPOOFED WITHOUT ANY NOTIFICATION, BECAUSE KMS DELETES THE SENT MESSAGES
          - OUTGOING SMS BLOCK/WIPE THE SAME/ANOTHER DEVICE
  13. CONCLUSION - I
      PRIVILEGED GENERAL PERMISSIONS
      OWN APPs, NATIVE & 3RD PARTY APPs FEATURES
      - DENIAL OF SERVICE
      - GENERAL PERMISSIONS
      - REPLACING/REMOVING EXEC FILES
      - DOS'ing EVENTs, NOISING FIELDS
      - GUI INTERCEPT
      - INFORMATION DISCLOSURE
      - INSTEAD OF SPECIFIC SUB-PERMISSIONS
      - A FEW NOTIFICATION/EVENT LOGs FOR USER
      - BUILT PER APPLICATION INSTEAD OF APP SCREENs
      - CONCRETE PERMISSIONS
      - CLIPBOARD, SCREEN CAPTURE
      - GUI INTERCEPT
      - DUMPING .COD FILES, SHARED FILES
      - MITM (INTERCEPTION / SPOOFING)
      - MESSAGES
      - GUI INTERCEPT, THIRD PARTY APPs
      - FAKE WINDOW/CLICKJACKING
      - BUT COMBINED INTO GENERAL PERMISSION
      - A SCREENSHOT PERMISSION IS PART OF THE CAMERA
      - GENERAL PERMISSIONS
      - INSTEAD OF SPECIFIC SUB-PERMISSIONS
      - A FEW NOTIFICATION/EVENT LOGs FOR USER
      - BUILT PER APPLICATION INSTEAD OF APP SCREENs
  14. CONCLUSION - II
      THE VENDOR SECURITY VISION HAS NOTHING TO DO WITH REALITY, AGGRAVATED BY SIMPLICITY
      - SIMPLIFICATION AND REDUCING SECURITY CONTROLS
      - MANY GENERAL PERMISSIONS, COMBINED INTO EACH OTHER
      - NO ACTIVITY LOGs FOR SUB-PERMISSIONS TO PROVE THE TRANSPARENCY
      - ANY SECURITY VULNERABILITIES ARE ONLY FIXED BY AN ENTIRELY NEW AND DIFFERENT OS / KERNEL
      - A FEW PERMISSIONs ARE CLOSED TO THE USER ACTIONS
      - THE SANDBOX PROTECTS ONLY APPLICATION DATA
      - USERS HAVE TO STORE THEIR DATA IN SHARED FOLDERS OR EXTERNAL STORAGE
      - APPLICATIONS CONTINUE TO STORE DATA IN PUBLIC FOLDERs BECAUSE GOVERNED BY CHANCE OF AVAILABILITY
      - MITM / INTERCEPTION ACTIONS ARE OFTEN SILENT
      - THE NATIVE SPOOFING AND INTERCEPTION FEATURES
      - BLACKBERRY ENTERPRISE SOLUTION / BLACKBERRY MOBILE FUSION IS NOT VERY EFFECTIVE
      - THE BEST SECURITY (PERMISSIONS) RULED BY AMAZON WEB SERVICES
      - PERMISSIONS SHOULD RELY ON A SET OF DIFFERENT USEFUL CASES INSTEAD OF A SPECIFIC PERMISSION LIST
  15. Q&A