Smartphone Insecurity

Published in: Technology, Business
  • Ubiquitous. Rural areas. Saving my battery during a hurricane.
  • Edit and read SMS, send SMS, receive SMS; modify/delete USB storage contents; prevent phone from sleeping, write sync settings; GPS data; services that cost you money; act as account authenticator, manage accounts; read and write to your personal information including contact data; phone calls, read phone state and identity; full network access
  • Smartphone Insecurity

    1. Smartphone Insecurity
       • Georgia Weidman
    2. Agenda
       • Smartphone Security Basics
       • Common Attack Vectors and Examples
       • Mitigation Strategies
       • Common vulnerabilities in 3rd party apps
       • Attack strategies against apps
       • Secure coding practices for developing apps
    3–4. What is a smartphone?
    5. What’s on your phone
       • Personal info
       • Work info
       • Location info
       • Account info
    6. Do We Need Privacy? (SMS examples)
       • “Hi meet me for lunch”
       • “Meet me for lunch while my wife is out”
       • “Here is your bank account credentials”
    7. Attacks on Privacy (Infrastructure)
       • Cell Network
    8. Attacks on Privacy (Infrastructure)
       • Cell Network: encryption? (diagram)
    9–10. Is GSM traffic encrypted?
       • SMS PDU: 07914140540510F1040B915117344588F100000121037140044A0AE8329BFD4697D9EC37
    11. Is GSM traffic encrypted?
       • Sending Number: 1-571-435-4881
       • Data: hellohello
    12. 2G (EDGE)
       • Bad crypto: up to the base station
       • Algorithms breakable
       • No authentication of base stations
    13–14. Attacks on Privacy (Infrastructure)
       • Cell Network
       • Research by: Chris Paget
    15. Breaking 2G Crypto
       • Break session key to get on the network
       • A5/2 trivial to break
       • Karsten Nohl broke A5/1 in 2009 in minutes
    16. Attacks on Privacy (Infrastructure)
       • Cell Network
       • Research by: Chris Paget
    17. Who cares about EDGE anyway?
       • Still deployed
       • By default phones will drop back to EDGE
       • Is anyone on EDGE right now?
    18. Mitigation Strategies
       • Replace 2G
       • Option to turn off 2G on phones
       • Encrypt data on phones before sending
    19. Attacks on Privacy (Platform)
       • = Attackers know how to attack these platforms
    20. Rooting/Jailbreaking
       • Exploiting kernel/platform flaws
       • Client side attacks
       • Gain system level privileges similarly to PC platforms
    21. JailbreakMe 3.0
       • iPhone jailbreak
       • Client side flaw in PDF (Mobile Safari)
       • Kernel exploit
    22. Rootstrap
       • Android app loads kernel exploits
       • Loads code dynamically
       • Runs native code
       • Packaged with interesting app
    23. DroidDream
       • Android app in the market
       • Rooted phones via kernel exploits
       • Stole information
       • Ran up charges
    24–27. Payload example: SMS botnet (diagrams)
    28. SMS PDU
       • SMS PDU: 07914140540510F1040B915117344588F100000121037140044A0AE8329BFD4697D9EC37
    29–33. How the Botnet Works
       1. Bot Receives a Message
       3. Bot Decodes User Data
       5. Checks for Bot Key (Swallows Message)
       7. Performs Functionality
    34. Demo
       • Demo of Botnet Payload
    35. Mitigations for Platform Attacks
       • Updating
       • Better sandboxing
       • Vigilance from users
    36. App attacks on privacy
    37. App Stores
       • iPhone: Expensive, Closed, Identity verified
       • Android: Cheap, Self Signed, Open, Anonymous
    38. Android Permission Model
       • Specifically request permissions
       • Users must accept at install
       • Send SMS, Receive SMS, GPS location
    39. App attacks on privacy
       • Is this system working? Are users making good decisions about apps?
    40. Top Android App of All Time
    41. Demo: App Abusing Permissions
    42. App Attacks Mitigations
       • Oversight on apps
       • Analysis of permissions
       • User awareness
    43. Vulnerabilities in Android Apps
       • No coding standards for Android apps
       • Badly coded apps
       • Data Leak
       • Permission Leak
    44. Data Leak
       • Access to sensitive data
       • Insecure storage: sdcard, world readable, stored in source code
    45. Return to the Source
       • Free tools available
       • Complete source available
       • Don’t store secrets here
    46. DEMO: Abusing bad storage practices
    47. Mitigating this risk
       • Store sensitive data privately
       • Don’t use the sdcard
       • Don’t put secrets in source code
    48. Permission leak through components
       • Other apps can call public components
       • That’s a reason Android is awesome
       • If not used safely, this can be dangerous
    49. DEMO: Stealing permissions from exposed components
    50. Mitigating This Risk
       • Require permissions to access components
       • Use custom permissions
       • Don’t have dangerous functionality accessible without user interaction
    51. Contact
       • Georgia Weidman
       • Security Consultant, Researcher, Trainer
       • Website: http://www.georgiaweidman.com
       • Slides: http://www.slideshare.net/georgiaweidman
       • Email: georgia@grmn00bs.com
       • Twitter: @georgiaweidman
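Slides 9–11 and 28 show a raw SMS PDU next to the sender number and text recovered from it, and step 3 of the botnet flow on slides 29–33 ("Bot Decodes User Data") is that same decoding. The decoder below is an added example, not code from the talk: its only input is the PDU printed on the slides, and the date and time zone it prints come from the PDU's timestamp field, which the slides do not discuss.

```python
# Added example (not code from the talk): parse the SMS-DELIVER PDU shown on the
# slides into SMSC, sender, timestamp and text, following the 3GPP TS 23.040 layout.
PDU = "07914140540510F1040B915117344588F100000121037140044A0AE8329BFD4697D9EC37"

# GSM 03.38 default 7-bit alphabet: the index is the septet value 0x00..0x7F.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
        " !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
        "¿abcdefghijklmnopqrstuvwxyzäöñüà")


def semi_octets(raw: bytes) -> str:
    """BCD digits stored low nibble first (0xF pads an odd digit count)."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)


def unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit user data: septets are packed LSB-first across octets."""
    bits = nbits = 0
    out = []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(GSM7[bits & 0x7F])
            bits >>= 7
            nbits -= 7
    return "".join(out)


def address(toa: int, raw: bytes, ndigits: int) -> str:
    """Render a TP address according to its type-of-address octet."""
    kind = toa & 0x70
    if kind == 0x50:                          # alphanumeric sender ID, 7-bit packed
        return unpack_7bit(raw, ndigits * 4 // 7)
    number = semi_octets(raw).rstrip("F")
    return "+" + number if kind == 0x10 else number    # 0x10 = international


def decode_sms_deliver(pdu_hex: str) -> dict:
    raw = bytes.fromhex(pdu_hex)
    pos = 0
    smsc_len = raw[pos]; pos += 1             # SMSC field length, TOA octet included
    smsc = address(raw[pos], raw[pos + 1:pos + smsc_len], 0); pos += smsc_len
    first = raw[pos]; pos += 1                # TP-MTI in bits 0-1: 0 = SMS-DELIVER
    if first & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER PDU")
    ndigits = raw[pos]; pos += 1              # sender length in semi-octets
    toa = raw[pos]; pos += 1
    nbytes = (ndigits + 1) // 2
    sender = address(toa, raw[pos:pos + nbytes], ndigits); pos += nbytes
    dcs = raw[pos + 1]; pos += 2              # skip TP-PID, keep TP-DCS
    ts = semi_octets(raw[pos:pos + 7]); pos += 7    # YYMMDDhhmmss + time zone
    tz_hi = int(ts[12], 16)                   # bit 3 of the first tz digit is the sign
    tz_hours = ((tz_hi & 7) * 10 + int(ts[13])) / 4 * (-1 if tz_hi & 8 else 1)
    udl = raw[pos]; pos += 1                  # TP-UDL: septets for 7-bit, octets otherwise
    ud = raw[pos:]
    coding = dcs & 0x0C
    if coding == 0x00:
        text = unpack_7bit(ud, udl)
    elif coding == 0x08:
        text = ud[:udl].decode("utf-16-be")   # UCS-2
    else:
        text = ud[:udl].hex()                 # 8-bit binary data: leave it raw
    return {"smsc": smsc, "sender": sender, "tz_hours": tz_hours, "text": text,
            "timestamp": f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}"}
```

Running `decode_sms_deliver(PDU)` yields the sender +15714354881 and the text "hellohello" shown on slide 11; the alphanumeric branch of `address` is there because a sender ID need not be a phone number at all, which is why a sender field on its own proves nothing about who sent a message.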
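Slides 48–50 describe components that hand their app's permissions to any caller, and the fix of guarding them with custom permissions. The audit script below is an added example, not from the talk: it reads a constructed AndroidManifest.xml (the package and component names are made up), flags exported components with no permission at all, and also flags components guarded only by a custom permission declared with protectionLevel "normal", which any app can request and be granted at install, so it is not much of a guard.

```python
# Added example (not code from the talk): flag manifest components that would
# leak the app's permissions to other apps, the pattern of slides 48-50.
# The manifest is constructed for a hypothetical SMS app; all names are made up.
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.smsapp">
  <permission android:name="com.example.smsapp.SEND" android:protectionLevel="normal"/>
  <permission android:name="com.example.smsapp.ADMIN" android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- exported by its intent-filter and unguarded: any app can drive it -->
    <activity android:name=".SendSmsActivity">
      <intent-filter><action android:name="com.example.smsapp.SEND_TEXT"/></intent-filter>
    </activity>
    <!-- guarded only by a "normal" custom permission, which any app is granted on request -->
    <service android:name=".SmsService" android:exported="true"
        android:permission="com.example.smsapp.SEND"/>
    <!-- signature permission: callers must be signed with the same key as this app -->
    <receiver android:name=".AdminReceiver" android:exported="true"
        android:permission="com.example.smsapp.ADMIN"/>
  </application>
</manifest>
"""


def attr(el, name):
    return el.get(f"{{{ANDROID}}}{name}")


def is_exported(el):
    exported = attr(el, "exported")
    if exported is not None:
        return exported == "true"
    # Default before API 31: a component with an intent-filter is exported.
    return el.find("intent-filter") is not None


def is_launcher(el):
    # The MAIN/LAUNCHER activity has to be exported and unguarded; skip it.
    for f in el.findall("intent-filter"):
        names = {attr(child, "name") for child in f}
        if {"android.intent.action.MAIN", "android.intent.category.LAUNCHER"} <= names:
            return True
    return False


def audit_manifest(xml_text):
    """Return (component, problem) pairs for exported, under-protected components."""
    root = ET.fromstring(xml_text)
    levels = {attr(p, "name"): attr(p, "protectionLevel") or "normal"
              for p in root.findall("permission")}
    findings = []
    for el in root.iter():
        if el.tag not in COMPONENTS or not is_exported(el) or is_launcher(el):
            continue
        name = attr(el, "name")
        guards = [g for g in (attr(el, a) for a in
                  ("permission", "readPermission", "writePermission")) if g]
        if not guards:
            findings.append((name, "exported without any permission"))
        for g in guards:
            if levels.get(g) == "normal":    # any app may request a normal permission
                findings.append((name, f"guarded only by {g} (protectionLevel normal)"))
    return findings
```

On the sample manifest the script reports `.SendSmsActivity` and `.SmsService` and stays quiet about `.AdminReceiver`, whose signature-level permission limits callers to apps signed with the same key.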