Your cell phone is covered in spiders
 

    Presentation Transcript

    • Your Cell Phone is Covered in Spiders
      An overview of the cell phone security landscape
      Cooper Quintin
      @cooperq
      cooper@radicaldesigns.org
    • We are becoming increasingly dependent on mobile devices
      ● We are storing more and more data on them
        ● Pictures
        ● Videos
        ● Contacts
        ● Email
        ● Social Graphs
        ● Location History
        ● Etc.
    • As the amount of data increases
      ● The complexity increases
      ● The desirability increases
      ● The number of vulnerabilities increases
    • And there are a lot of vulnerabilities!
    • Things to Keep in Mind
      Physical access == phone can and will be completely compromised.
      Also, you should assume that your phone will be compromised at some point.
    • Security is a Journey, Not a Destination
      The more hurdles that you put up, the harder you make it for an attacker.
      Time to compromise > Determination of attacker
      Just because there are so many threats to cellular security doesn't mean you shouldn't take security seriously. There are still things you can do.
    • Threat Model
      ● Random attacks
      ● Malicious apps
      ● Stolen / Lost phone
      ● Targeted attacker
      ● Law Enforcement
      ● Corporate Espionage
      ● Personal Enemies
      ● Signal Interception
      ● Your Phone Company
    • Burner Phones
      ● No encryption
      ● Trivial for Forensic Investigators
      ● Closed Source
      ● Usually no Screen Lock
    • iPhone
      The Bad
      ● Closed source
      ● Very little in the way of security apps
      ● Default screen lock is a four digit number
      ● Encryption tools that aren't free or open source
      ● FDE keys are stored on phone and can be recovered
      The Good
      ● There is a stronger screen lock that can be enabled
      ● Off The Record (OTR)
      ● ChatSecure (works with Gibberbot)
      ● PrivateGSM (Encrypted VOIP)
      ● Oh, and an unofficial Tor app (Covert Browser)
      ● Less Malware
    • Android
      ● IMO the best phone for security
      ● Open source
      ● Lots of security tools
      ● Lots of encryption tools
      ● Strong Screen lock
      ● Guardian Project
    • Let's Talk About Threat Models Again
    • Currently in California (and many other states) an arresting officer can search your phone if it does not have a password lock on it.
      CA Supreme Court, People vs. Diaz
      “Therefore, under Diaz, if you're arrested while carrying a mobile phone on your person, police are free to rifle through your text messages, images, and any other files stored locally on your phone. Any incriminating evidence found on your phone can be used against you in court.”
    • Law Enforcement Investigators are Looking for:
      ● Subscriber & Equipment Identifiers
      ● Contacts
      ● Appointment Calendar
      ● SMS, Text Messages, Instant Messages, Email
      ● Call Logs
      ● Photos, Audio and Video
      ● Documents
      ● Location Data
    • Forensic Methods
      ● Recovering screen lock
        – Recovery mode or Google account
      ● Recovery Mode
      ● Cellebrite and UFED
      ● JTAG
    • Solutions
      ● Have a strong screen lock and a short timeout
      ● Turn USB Debugging off
        ● This makes forensics a lot harder
      ● Don't tell them your password
      ● Encryption (TextSecure, LUKS, Device encryption)
    • Signal Interception
      Threats
      ● Fake Cellular Towers / Drones
      ● USRP/GNU Radio
      ● Snooping as a Service
      ● Cellular companies will provide wiretaps without even a warrant
      Solutions
      ● Encrypted Calls (RedPhone)
      ● Encrypted Text (TextSecure)
      ● Talk in Person (This is the Most Secure)
    • Screen Lock
      ● Face Unlock
      ● Pattern
      ● PIN
      ● Password
    • This is all Useless if an Attacker can Circumvent Your Lock Screen
      ● Physical access to a rooted phone with USB debugging on
      ● Recovery mods
      ● JTAG Interface
    • Solutions
      ● Choose a strong screen lock
      ● TURN OFF USB DEBUGGING
      ● Disk Encryption
      ● Use 2 factor authentication on Google
    • Lost and Stolen Phones
      ● Phone Finding Applications
      ● Remote wipe
      ● Prey (Cross platform, open source)
      ● Poison Pill (Open Source)
      ● Lookout
      ● Droid Tracker
      ● Strong Screen lock
      ● Report to The Provider?
        ● They probably don't give a damn.
    • Malware
      Vendor and Espionage malware
      ● This stuff is extremely sophisticated
      ● FinFisher
      ● CarrierIQ
      ● Voodoo CarrierIQ
      Standard, untargeted malware
      ● Personal Data Theft
      ● Premium SMS
      ● The usual suspects (spyware, trojans, phishing)
      ● Facebook
    • Solutions
      ● Droidwall (requires root)
        ● Unfortunately no longer open source
        ● Try Android firewall or AFwall
      ● Be careful what you install
      ● Antivirus (Lookout, etc.)
      ● Be wary of third party app stores
      ● Permission Selection Apps (require root)
      ● Permissions Denied
      ● Cyanogenmod
      ● Root your phone and remove the bloatware
    • Of Course, Even an App with No Permissions Can do a Lot
      ● Read files from SD card
      ● Get a list of packages
      ● Access insecure application files
      ● Read GSM and SIM vendor IDs
      ● Read Android ID (unique to your phone)
      ● Call home with a GET request
    • Other Attacks
      ● NFC
        – Can completely control the phone just by touching it.
        – Can open up a browser, get photos, videos, contacts, etc.
        – Even buffer overflows
      ● QR Phishing
      ● Baseband Attacks
    • Disk Encryption
      ● On some devices since Android 3 (Honeycomb)
      ● Encrypts the /data partition
      ● Encrypts the /sdcard sometimes, YMMV
      ● dm-crypt: tried and true
      ● Uses your lockscreen PIN/password as the key
      ● VULNERABLE TO COLD BOOT ATTACK (Frost)
      ● Truecrypt (Cryptonite)
      ● Luks Manager (can be used to encrypt SD card)
      ● IOCipher (for devs, still alpha)
        ● Allows you to create an encrypted virtual FS for your app.
    • Call Encryption
      OSTN
      ● Open {Secure, Source, Standards} Telephony (Network)
      ● Federated, Open Source
      ● Does not stop censorship or provide anonymity
      http://ostel.me
      RedPhone
      ● Open Source client, Closed source server
      ● Easy to use
      ● Does not stop censorship or provide anonymity
    • Other Encryption
      ● Gibberbot (OTR, encrypts chat)
      ● APG (PGP for Android)
      ● Orbot and Orweb (Technically anonymity, not enc.)
      ● OpenVPN (encrypts your internet connection)
      ● Notecipher
      ● Sqlcipher
      ● TextSecure
      ● RedPhone
    • Other Useful Apps
      ● Duck Duck Go – Alternative search engine
      ● Keepass – Password Vault
      ● Adaway – Adblocking for Android
      ● Fdroid – Alternative Open Source App Store
      ● Obscuracam – Block people's faces in sensitive photos
      ● Cacert manager – Revoke untrusted root CA certs
      ● Firefox
      ● Iptableslog – Log the traffic coming from your phone
      ● Shark – Capture packets from your phone
      ● Alogcat – View Android Logs
    • In Conclusion...
      ● Turn off USB debugging!
      ● Keep your phone on you
      ● Trust what you install (Open Source Rules!)
      ● Root and install custom firmware
      ● Use a stronger screen lock
      ● Audit your phone
      ● Encrypt Everything!
    • Open Source Presentation!
      Get it on Github!
      https://github.com/cooperq/spiders
    • Thank You!
      Cooper Quintin
      cooper@radicaldesigns.org
      Twitter: @cooperq
      Jabber: cooperq@jabber.ccc.de
      OTR: 9B3470B9 B1F10651 B5840FEB 026D6CF7 2D949F6F
      PGP: 75FB9347 FA4B22A0 5068080B D0EA7B6F F0AFE2CA
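
The Screen Lock and Disk Encryption slides say the lock-screen secret doubles as the encryption key, so the size of each lock type's search space sets the "time to compromise". The following is an added example, not part of the original presentation: it counts valid 3x3 unlock patterns and compares worst-case key-derivation time per lock type. PBKDF2-HMAC-SHA1 with 2000 iterations and the salt are assumptions standing in for the device's key derivation.

```python
import hashlib
import time

# Dots on the 3x3 pattern grid are numbered 0..8 row by row. A stroke that
# passes over a third dot is only legal once that middle dot has been used.
MIDDLE = {}
for a in range(9):
    for b in range(9):
        rows, cols = a // 3 + b // 3, a % 3 + b % 3
        if a != b and rows % 2 == 0 and cols % 2 == 0:
            MIDDLE[(a, b)] = (rows // 2) * 3 + cols // 2


def count_patterns(min_dots=4, max_dots=9):
    """Count valid unlock patterns by depth-first enumeration."""
    def walk(last, used, length):
        total = 1 if length >= min_dots else 0
        if length == max_dots:
            return total
        for nxt in range(9):
            mid = MIDDLE.get((last, nxt))
            if used & (1 << nxt) or (mid is not None and not used & (1 << mid)):
                continue
            total += walk(nxt, used | (1 << nxt), length + 1)
        return total
    return sum(walk(start, 1 << start, 1) for start in range(9))


def kdf_rate(iterations, samples=20):
    """Measure key derivations per second on this machine (constructed salt)."""
    began = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha1", str(i).encode(), b"constructed-salt", iterations, 32)
    return samples / (time.perf_counter() - began)


def worst_case_hours(iterations=2000):
    """Hours to derive a key for every candidate secret, per lock type."""
    spaces = {
        "4-digit PIN": 10 ** 4,
        "pattern (4-9 dots)": count_patterns(),
        "8-char password (a-z, 0-9)": 36 ** 8,
    }
    rate = kdf_rate(iterations)  # iterations=2000 is an assumed KDF cost
    return {name: size / rate / 3600 for name, size in spaces.items()}


if __name__ == "__main__":
    for name, hours in worst_case_hours().items():
        print(f"{name:28s} {hours:14.4f} h")
```

The absolute hours depend on the machine running the measurement; the ordering of the three lock types does not.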