Yury Chemerkin, ICITST 2012 (PDF)
Transcript

  • 1. Vulnerability Elimination by Force of New Mobile OS
    • Yury Chemerkin
    • The 7th International Conference for Internet Technology and Secured Transactions, 2012
  • 2. BlackBerry security environment
    • The BlackBerry smartphone was secure…
      - Security is the cornerstone
      - A powerful high-level integration: IMs, social networks, financial data, etc.
      - The BlackBerry was built free of malware and harmful actions, with native security solutions
      - Mainly focused on enterprise: a wide-ranging IT policy set, up to 500 units
      - A few third-party security solutions
    • The PlayBook has come with a poor environment
      - A simplification of the security vision
      - Poor integration (only BlackBerry Bridge): no built-in IMs, HTML5 or web launcher; no wallets or other built-in applications
      - The PlayBook might produce little valuable data due to its APIs: not more than a large phone's screen
      - Totally focused on enterprise: the IT policy is further reduced, up to 10 units
      - Entertainment applications only
  • 3. User-mode rootkit and spyware
    • Malware boundaries become unclear…
      - A lot of types: bootkits, firmware, user-mode, kernel, hypervisor
      - Similar to spyware: bundled with desirable software; widespread, easy distribution and quite relevant for hackers
    • Hackers are interested in cheaper costs
    • Based on:
      - Vendor-supplied extensions
      - Third-party plugins
      - Public interfaces
      - Interception of system messages
      - Exploitation of security vulnerabilities
      - Hooking and patching of API methods
  • 4. The file system issues
    • BB OS v4–5 was accessible; BB OS v6–7 plus PlayBook are accessible:
      - Via the built-in (internal) explorer
      - After mounting as an external drive(s)
      - After entering the password, but still through the internal explorer
      - After entering the password, but it is not necessary to use the internal explorer
    • Consequences:
      - Malware can be executed from the device by clicking a file (.JAR/.JAD + .COD)
      - Execution of anything outside AppWorld (.BAR) is prevented
      - Malware can be copied to the device as to an external drive (like a worm)
      - Malware is a "personal application" subtype in terms of RIM's security
  • 5. The application management issues
    • BlackBerry smartphone (earlier than BB 10)
      - The "upgrade" feature means at least the install and remove actions
      - An application ID is required
      - The running application list is accessible
      - Handling other apps silently via API
      - Handling another application silently via PC tools (may need a password; debug mode is for tracing and debugging only)
      - Easy tracking of the newly arriving .COD modules for the malware payload
    • BlackBerry PlayBook (probably BlackBerry 10 as well)
      - The "upgrade" means user interaction with AppWorld or with the home screen
      - There are some APIs, but they are disabled; there is no API for such actions yet
      - Handling another application silently via PC tools (may need a password; strongly requires an activated debug mode)
      - Looks more secure than the BlackBerry smartphone, but distributed malware is difficult to remove
  • 6. The clipboard issues
    • BlackBerry smartphone
      - How to reveal the data in real time: getClipboard()
      - Any protection? Native wallets restrict clipboard access by returning "null", but only while the application is active (on top of the screen stack); this does not work in the minimized state
    • BlackBerry PlayBook
      - How to reveal the data in real time: getData()
      - Any protection? No native wallet application
      - Managing the last clipboard data via the shared folder: plain text, HTML, etc.
  • 7. The photoscreen (screenshot) issues
    • Available for all BlackBerry devices, but disabled for PlayBook and BlackBerry 10 so far
    • Screen protection via switching: permit / restrict; additionally per application… but it does not handle windows
    • Handles the key preview of the virtual keyboard
      - May be improved by XOR'ing two photoscreens to get the difference
      - Masking the asterisks takes a delay, enough to steal the text
    • May be part of OCR engines (online or desktop): they recognize typed data very quickly; was tested on ABBYY online OCR
    • Substitute for a hardware keylogger: runs down the battery more slowly than the photo/video camera
    • Easy access to any application… even the wallet: no restriction like the clipboard "null"
    • Screenshots are often stored in the camera folder: the same as file access
  • 8. The messages issues
    • Available on the BB devices, probably on BlackBerry 10
      - Using the authorized API to intercept messages (BBM, email, PIN-to-PIN): create the message, read the message, delete the message, set the message status (unread, sent, any error state, etc.)
      - The button events (the same types): opening the message, forwarding the message, sending the message
    • No 3G, no API for PlayBook
      - Intercepting the SMS (basically): receiving and sending events; deleting the sent and received SMS; enough to handle social C&C SMS
      - Outgoing SMS (advanced): blocking (dropping) the SMS; a notification in the message thread; spoofing the recipient and the body; "transmission refused by …" if such a message was not removed
  • 9. The device password issues
    • For BlackBerry 4–7 in the internal case; for all devices in the desktop access case
    • The password protection covers the device locking and encryption feature and the AppWorld request
    • Limited to 5/10 attempts, then a wipe: wiping the internal storage only
    • Extracting the password through an Elcomsoft product (custom case)
    • GUI vulnerability
      - Creating a fake window on desktop synchronization
      - Breaking into BB Desktop Software
      - Handling an MS Windows vulnerability: unmasking the field, grabbing the password, masking the field; this delay takes 10–20 ms
    • Affected password types: the device password, the backup password
    • Affected devices: BlackBerry 4–7 (BB 10 highly probably), BlackBerry PlayBook
  • 10. The GUI exploitation
    • Consequence of the wide integration features offered to developers (BlackBerry 4–7 only)
    • Initially based on the authorized API, which covers all physical and navigation buttons and typing of textual data; affects all native and third-party apps
    • Secondarily based on adding menu items into the global menu and into the "Send via" menu; affects all native applications
    • Native applications are developed by RIM: BlackBerry wallets, Messages, Settings, Facebook, Twitter…; BBM/GTalk/Yahoo/Windows IMs…
    • GUI exploitation handles
      - Redrawing the screens
      - Adding new GUI objects and changing their properties
      - Grabbing the text from any field (incl. the password field): the device unlock field, the password set-up field
      - Adding and removing field data
    • The original data is inaccessible but not affected
    • Shuffling GUI objects is not possible
  • 11. The third-party exploitation
    • There are a few of them; they might have an exploit
    • Kaspersky Mobile Security provides
      - Firewall, wipe, block, info features
      - No protection from removing .CODs
      - No protection under the simulator (examining the traffic and behaviour); should check the "is simulator" API
      - SMS management ("quite" secret SMS): the password is a four- to sixteen-digit set… and can be modified in real time
      - The SMS carries half of a GOST R 34.11-94 hash value; the implementation uses test crypto values and no salt, and thus ruins the native security
      - Tables (value, hash) are easily built
      - Outgoing SMS can be spoofed without any notification
      - Outgoing SMS can block or wipe the same device or another device
    • McAfee Mobile Security provides
      - Firewall, wipe, block, info features
      - No protection from removing .CODs
      - No protection under the simulator (examining the traffic and behaviour); should check the "is simulator" API
      - Web management console: difficult to break the SMS C&C
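An added illustration (not from the slides or either product) of the weakness this slide attributes to the SMS password handling: a truncated, unsalted digest of a 4–16 digit PIN is inverted by one precomputed table that serves every device, whereas a salted, iterated KDF is not. GOST R 34.11-94 is not available in Python's hashlib, so a truncated SHA-256 stands in for it (an assumption; only the unsalted structure matters), and the PIN values and salt are constructed.

```python
import hashlib
import hmac
import os

# Stand-in for the truncated, unsalted digest the slide describes. GOST R
# 34.11-94 is not in hashlib, so SHA-256 cut to half its length is used here
# (assumption); only the structure (no salt, one fixed digest per PIN) matters.
def weak_digest(pin: str) -> bytes:
    return hashlib.sha256(pin.encode()).digest()[:16]

def build_lookup_table(digits: int) -> dict:
    """Precompute digest -> PIN for every PIN of one length.

    Without a salt the same table applies to every device and user,
    which is the 'tables are easily built' point on the slide."""
    pins = (f"{n:0{digits}d}" for n in range(10 ** digits))
    return {weak_digest(p): p for p in pins}

def recover_pin(table: dict, digest: bytes):
    """A stored digest maps straight back to its PIN (None if not in the table)."""
    return table.get(digest)

# Hardened form: a random per-record salt plus a slow, iterated KDF.
def strong_digest(pin: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)

def make_record(pin: str) -> tuple:
    """Return (salt, digest); the same PIN yields a different record each time."""
    salt = os.urandom(16)  # constructed at enrolment, stored beside the digest
    return salt, strong_digest(pin, salt)

def verify_pin(pin: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    return hmac.compare_digest(strong_digest(pin, salt), digest)

def records_share_digest(pin: str) -> bool:
    """Two enrolments of one PIN collide only without a salt; False here."""
    _, d1 = make_record(pin)
    _, d2 = make_record(pin)
    return d1 == d2
```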
  • 12. The permissions
    • Privileged, general permissions cover own apps and the features of native and third-party apps
    • Denial of service: general permissions; replacing/removing executable files; DoS'ing events, noising fields; GUI intercept
    • Information disclosure: concrete permissions (clipboard, screen capture); GUI intercept; dumping .COD files and shared files
    • MITM (interception / spoofing): messages GUI intercept, third-party apps; but combined into a general permission
    • Fake window / clickjacking: a screenshot permission is part of the camera permission
    • General permissions instead of specific sub-permissions
    • A few notification/event logs for the user
    • Built per application instead of per app screen
  • 13. Conclusion
    • The vendor's security vision has nothing to do with reality
    • Aggravated by simplicity: simplification and reduction of security controls
    • Many general permissions, combined into each other
    • No activity logs for sub-permissions to prove transparency
    • Any security vulnerability is fixed only by an entirely new and different OS / kernel
    • A few permissions are closed to user actions
    • The sandbox protects only application data: users have to store their data in shared folders or external storage, and applications continue to store data in public folders because they are governed by the chance of availability
    • MITM / interception actions are often silent: the native spoofing and interception features
    • BlackBerry Enterprise Solution / BlackBerry Mobile Fusion is not very effective
    • The best security (permissions) is the model used by Amazon Web Services: permissions should rely on a set of different use cases instead of a list of specific permissions
  • 14. Thank you. Yury Chemerkin