Throw It in the River: Towards Real Live Actual Smartphone Security
Transcript

  • 1. Throw It in the River? Towards Real Live Actual Smartphone Security. Georgia Weidman. © Georgia Weidman 2011
  • 2. Agenda
    • Problems and Potential Solutions
      – Encryption
      – Applications
      – Updates
      – User Awareness
  • 3. Notes
    • This talk focuses on Android and iPhone
    • Briefly touches on Windows Mobile and BlackBerry
    • Radio-based topics cover only GSM
  • 4. Encryption
  • 5. Encryption Problems
    • Encryption between phone and base station:
      – 2G:
        • Up to the base station to encrypt or not encrypt
        • Stream cipher A5/1
        • Broken (Karsten Nohl, Black Hat USA 2010)
      – 3G:
        • Encrypted
        • Stream cipher KASUMI (A5/3)
        • Conceptually broken
  • 6. Interception
    • Possible to get phones to attach to a rogue base station
    • 2G rogue base station (Chris Paget, Defcon 2010)
    • Intercept all traffic while the phone still works normally
  • 7. The Path of Least Resistance
    • 4G/3G/2G are not backward compatible
    • Current phones still have a 2G radio
    • Default is to use both 2G and 3G
    • When 3G is not available, phones will use 2G
    • 3G can be jammed to force phones to fall back
  • 8. Mitigation 1: Turn off 2G
    • Forcing 2G-only use is an available setting on modern smartphones
    • Forcing 3G+ only is not available on iPhone or Android (seems to be on BlackBerry)
    • We need to see this setting made available and default
  • 9. Mitigation 2: Encrypt before Using
    • Telephony data sent over GSM is encoded, not encrypted
    • The only encryption is the stream encryption
    • Smartphones have the resources and tools to add encryption (openssl etc.)
  • 10. Case Study: SMS (SMS-Deliver PDU)
    Field                          Value
    Length of SMSC                 07
    Type of Address (SMSC)         91
    Service Center Address (SMSC)  41 40 54 05 10 F1
    SMS Deliver Info               04
    Length of Sender Number        0B
    Type of Sender Number          91
    Sender Number                  51 17 34 45 88 F1
    Protocol Identifier            00
    Data Coding Scheme             00
    Time Stamp                     01 21 03 71 40 04 4A
    User Data Length               0A
    User Data                      E8 32 9B FD 46 97 D9 EC 37
  • 11. Case Study: SMS (repeat of the slide 10 PDU table)
  • 12. Case Study: SMS
    • Given an intercepted PDU, the 7-bit GSM encoding is reversible
    • All data is recoverable
    • Ex: From: <redacted> Message: hellohello
    • Crafting a spoofed SMS-Send PDU is also possible
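As an added worked example (not code from the talk), a Python decoder for the SMS-DELIVER PDU shown on the case-study slides: it reassembles the listed field values, walks the header fields in the order of the table, and unpacks the 7-bit user data, which is how an intercepted PDU gives up the sender, the timestamp and the "hellohello" message. The field layout follows the GSM SMS-DELIVER format; only the 7-bit default alphabet (without its escape extension table) is handled, and other data coding schemes are rejected.

```python
# Added example, not the speaker's code: decode the SMS-DELIVER PDU whose
# fields are listed on the slide, reassembled here from those hex values.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789"
        ":;<=>?¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
SLIDE_PDU = ("07 91 41 40 54 05 10 F1 04 0B 91 51 17 34 45 88 F1 00 00 "
             "01 21 03 71 40 04 4A 0A E8 32 9B FD 46 97 D9 EC 37")

def semi_octets(raw, ndigits):
    """BCD digits are nibble-swapped; the 0xF pad on odd lengths is cut off."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)[:ndigits]

def address(toa, digits):
    """Type-of-address 0x91 (international numbering plan) gets a '+'."""
    return ("+" if toa & 0x70 == 0x10 else "") + digits

def unpack_7bit(data, nsepts):
    """Unpack GSM 03.38 septets packed LSB-first into octets (no ESC table)."""
    out, acc, nbits = [], 0, 0
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < nsepts:
            out.append(GSM7[acc & 0x7F])
            acc >>= 7
            nbits -= 7
    return "".join(out)

def parse_sms_deliver(pdu_hex):
    raw = bytes.fromhex(pdu_hex.replace(" ", ""))
    smsc_len = raw[0]                                # octets that follow, incl. TOA
    smsc_digits = semi_octets(raw[2:1 + smsc_len], 2 * (smsc_len - 1))
    p = 1 + smsc_len
    if raw[p] & 0x03 != 0:                           # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    sender_len, sender_toa = raw[p + 1], raw[p + 2]  # length counts digits
    n = (sender_len + 1) // 2
    sender = address(sender_toa, semi_octets(raw[p + 3:p + 3 + n], sender_len))
    p += 3 + n                                       # now at Protocol Identifier
    dcs = raw[p + 1]
    if dcs & 0x0C:                                   # only the 7-bit default alphabet
        raise ValueError("unsupported data coding scheme 0x%02X" % dcs)
    ts = semi_octets(raw[p + 2:p + 9], 14)           # YYMMDDhhmmss + zone digits
    tz = int(ts[12], 16)                             # bit 3 of first zone digit = sign
    quarters = (tz & 7) * 10 + int(ts[13])           # offset in quarter hours
    zone = "%s%02d:%02d" % ("-" if tz & 8 else "+", quarters // 4, quarters % 4 * 15)
    stamp = "20%s-%s-%s %s:%s:%s %s" % (ts[:2], ts[2:4], ts[4:6], ts[6:8], ts[8:10], ts[10:12], zone)
    udl = raw[p + 9]                                 # User Data Length, in septets
    return {"smsc": address(raw[1], smsc_digits.rstrip("F")), "sender": sender,
            "time": stamp, "text": unpack_7bit(raw[p + 10:], udl)}
```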
  • 13. Why We Care about SMS
    • Two-Factor Authentication / Account verification
      – Sends SMS with OTP
      – Verify with SMS on account setup
    • Mobile Banking
      – One-time passwords for banking sent to customers over SMS
      – Balance reporting
      – Electronic bill paying
  • 14. Why We Care about SMS
    • Vendor text messages: "Congrats! <vendor> has this awesome product to protect your phone. Go <here> to download it."
      – Links to a 3rd-party app store
      – How do I know this came from <vendor>?
    • Example: T-Mobile Mobile Security
  • 15. Encrypting SMS
    • Intercept the SMS after the application sends the message / before it goes to the modem
    • Encrypt it and adjust the SMS-Send PDU
    • Upon arrival, decrypt with the key for the sender number
    • Then send to the user application
  • 16. Demo: Encrypted SMS on Android
  • 17. Applications: Software that runs on the smartphones
  • 18. Android App Store
    • Anyone can write an app and upload it to the Android Market
    • $25 signup fee
    • Anonymous signup possible
    • No certificate authority / self-signed apps
  • 19. iPhone App Store
    • Must have a developer certificate to even run code on your own device
    • $99/year
    • Identity is verified
    • All code is reviewed and signed before upload to the store
  • 20. iPhone Security Protections
    • Mandatory code signing / apps cannot load new code at runtime
    • ASLR on system binaries and some apps in 4.3 and later
    • Individual apps sandboxed with MAC for system permissions etc.
  • 21. Android Security Protections
    • User must accept application permissions upon install
  • 22. Android Insecurity
    • Can load new code at runtime (Twilight Botnet, RootStrap app)
    • Sandbox is flawed: any app can exploit a kernel vulnerability
    • Apps can have any permissions they want if the user will approve them (DroidDream)
  • 23. iPhone Insecurity
    • Not all apps are compiled with full ASLR
    • Patches for apps go through a slow review process
  • 24. Software Updates
    • Smartphones are subject to security flaws
    • Ex: sendpage Linux kernel exploit
    • Software updates address security issues
  • 25. How Smartphones Update
    • Android
      – Pushes updates out over the air
    • iPhone
      – Updates through iTunes
      – Can update when attached to a computer with iTunes
    • Windows Mobile
      – Updates through Windows Mobile ActiveSync
      – Can update when attached to a computer with ActiveSync
    • BlackBerry
      – Check for updates at the BlackBerry website
      – Download updates to a computer
      – Connect the phone to the computer and run updates
  • 26. Why are Android Updates Slow?
    • Google puts out the new version
    • Google releases source to other platform makers
    • Platform makers port the new version with custom UI, apps, etc.
    • Previous updates have taken over 6 months
  • 27. Android's Way on Other Platforms
    • A simple solution for alerting users to updates over the air
    • System application checks the currently installed firmware version
    • Periodically calls out to an update server for the current updated version
    • If an update is available, instructs the user to plug in and update
  • 28. Demo: Update Application on iPhone
  • 29. User Awareness Fails
    • Great strides in computer user awareness
    • Not seeing the same with smartphones
    • With smartphones users have even more to lose
  • 30. Too Many App Permissions
    • Android apps can request any permissions they want
    • Up to the user to decide if an app is safe
    • Foursquare would need GPS but not SMS
    • Is this system working?
  • 31. Top Downloaded Android App of all time
  • 32. Facebook App
    • Edit and read SMS, send SMS, receive SMS
    • Modify/delete USB storage contents
    • Prevent phone from sleeping, write sync settings
    • GPS data
    • Services that cost you money
    • Act as account authenticator, manage accounts
    • Read and write to your personal information including contact data
    • Phone calls, read phone state and identity
    • Full network access
  • 33. Jailbreaking Gone Wild
    • Original Android G1 jailbreak: go to the home screen, hit enter twice, type telnetd …
    • Current iPhone and Android jailbreaks: go to this website and say yes to running this unknown binary by an unknown person
    • It roots the phone; what else does it do?
  • 34. Raising User Awareness
    • Stop with those "our apps are better / download all our apps" commercials
    • Ethical root/jailbreak programs should inform users of the risks
    • Smartphone security training in organizations
  • 35. Contact
    • Georgia Weidman, Neohapsis Inc.
    • Email: georgia@grmn00bs.com, Georgia.weidman@neohapsis.com
    • Website: http://www.grmn00bs.com
    • Twitter: @vincentkadmon
    • Code and slides on website
  • 36. Selected Bibliography
    • Chris Paget, "Practical Cellphone Spying", Defcon 2010: http://www.tombom.co.uk/cellphonespying.od
    • Karsten Nohl, "Attacking Phone Privacy", Black Hat USA 2010: https://media.blackhat.com/bh-us-10/whitepapers/Nohl/BlackHat-USA-2010-Nohl-Attacking.Phone.Privacy-wp.pdf
    • Jon Oberheide and Zach Lanier, "Team JOCH vs. Android", Shmoocon 2011: http://jon.oberheide.org/files/shmoo11-teamjoch.pdf
    • Dino Dai Zovi, "Apple iOS Security Evaluation", Black Hat USA 2011: https://media.blackhat.com/bh-us-11/DaiZovi/BH_US_11_DaiZovi_iOS_Security_WP.pdf
