CLICK AND DRAGGER
Denial and Deception on Android 	

- the grugq [ @thegrugq ]
AGENDA
• OPSEC Refresher	

• Phones Suck	

• Threat Model	

• Some Solutions	

• Conclusion
ABOUT ME
OPERATIONAL SECURITY
The ShortVersion
–Quellcrist Falconer
“If you want to lose a fight, talk about it first”
DENIAL & DECEPTION
DENIAL
Prevent the adversary from gaining useful information
DECEPTION
Feed the adversary false information
• Cover	

• Cover for action	

• Cover for status	

• Concealment	

• Compartmentation
–James Clapper, Director of National Intelligence
“People must communicate.They will make mistakes
and we will exploit the...
PHONES SUCK
–Allen Dulles, 	

Former Director of Central Intelligence
“The greatest material curse to the profession, despite
all its ...
NO MOBILE ANONYMITY
MOBILE IDENTIFIERS
LOCATION
• Specific location, e.g. home, work, etc.	

• Mobility pattern, from home, via commute, to
work	

• Mirroring, tw...
NETWORK
• Numbers dialed, (who you call)	

• Calls received, (who calls you)	

• Calling pattern, (number dialed, for how ...
PHYSICAL
• IMEI, mobile device ID (the serial number)	

• IMSI, mobile subscriber ID (the phone number)
CONTENT
• Identifiers, e.g. names, locations	

• Voice fingerprinting	

• Keywords
SMARTPHONES
• Ad network analytics	

• GPS	

• Apps scrape and upload content	

• Mothership pings	

• Android ID	

• MAC ...
SMARTPHONES CONT.
• IP address	

• WiFi beacons	

• Cameras	

• Gait analysis (via sensors)
THREAT MODEL
LOCAL SECURITY FORCES
• Reporters are searched and interrogated	

• AJ reporters arrested for “spy equipment”	

• Mobile 3G access point	

• Mil...
NOT NSA
USERS
SECURITY IS HARD WORK
SECURITYTAKES DISCIPLINE
USERS ARE LAZY
so are we
EASYTO USE
SECURE BY DEFAULT
REASONABLY SECURE
BURNER PHONES
WHAT ARETHEY GOOD FOR?
• Threat actors without nation state level capabilities	

• Your mom	

• Building a non-operational...
DEFINITELY NOT NSA
BURNER GUIDELINES
• Dumber the better	

• Learn to disable completely (battery + SIM out)	

• Disable around locations lin...
BURNER GUIDELINES, CONT.
• Call non-operational numbers to chaff the analysis	

• Keep it short	

• Keep it simple	

• Get...
BURNER GUIDE CONT.
• Purchase using cash from smaller stores	

• Time delay before activation (months)	

• Dispose of with...
CLANDESTINE CALLS
–Allen Dulles
“Never dial [the] number before having thought about
your conversation. Do not improvise even the dummy
part...
• Keep it short, simple and natural	

• Prefer signalling over operational data	

• signalling > open codes > plain talk	
...
–Allen Dulles, Former Director of Central Intelligence
“Even if you do not use [the phone] carelessly
yourself, the other ...
FORTRESS PHONE
NSA GUIDELINES
• Two forms of encryption	

• Belts and braces	

• Data at rest	

• FDE + app encryption	

• Data in motion...
YOU CANNOT HAVE A
SECURE ANDROID PHONE
BECAUSE IT IS A PHONE
BECAUSE IT IS ANDROID
LEO’S LOVE ANDROID
YOU CAN'T BOLT ON SECURITY
Android cannot be secured by adding apps
BUT WHAT IF I…
No. Seriously, just no.
• Blackphone	

• For people with money	

• Samsung KNOX	

• For people who don’t want a secure phone
• GuardianROM	

• For people who like to reboot	

• CryptogenMod*	

• For DIY hackers
* name subject to change
IS IT NSA-PROOF?
CRYPTOGENMOD
Hardened Android ROM
FEATURES
• Lots of crypto	

• Robust against physical access	

• Resilient against network attacks	

• Impact containment
• Derived from CyanogenMod 11	

• Stripped down (no browser, no analytics)	

• Advanced privacy patches	

• OpenPDroid + P...
• Kernel hardening tweaks	

• A lot more work to be done here	

• Hardened userland	

• A lot more work to be done here
PROTECTION
• Local physical access	

• Remote hacking	

• Baseband hacking	

• Network monitoring	

• GSM monitoring
PHYSICAL
• Forensic analysis	

• Encryption	

• Security Ratchet
REMOTE
• Reduce attack surface dramatically	

• No browser, services, or email	

• No app store
BASEBAND
• Nothing I can do	

• Except PORTAL	

• But it’s not the end of the world	

• BB exploits are finicky	

• BB desi...
NETWORK MONITORING
• VPN direct to a secure backend	

• Limited information is exposed	

• Provides dual layer encryption
OPSEC STILL CRITICAL
Secure phones can’t cure stupid.
DARKMATTER
This App Kills Forensic Analysis
SECURE APP CONTAINERS +
SECURE OPERATIONAL ENV
CRYPTED APP CONTAINERS
MOBILETRUECRYPT
• Runs apps withinTrueCrypt containers	

• Automagically kills sensitive apps, then	

• mount -o bind … /d...
MOBILETRUECRYPT
• tc-play https://github.com/bwalex/tc-play	

• Uses theTrueCrypt volume format	

• Supports outer and hid...
MOBILETRUECRYPT
• Why not use native /data encryption?	

• AES-256-XTS > AES-128-CBC	

• Use both
WIN STATES
CLOSED CRYPTED
CONTAINERS
SHUTDOWN/REBOOT
COUNTS
HOW DO WE GETTHERE?
EVENT BASED HARDENING
CHANGE SECURITY POSTURE
BASED ON OBSERVATIONS OFTHE
OPERATIONAL ENVIRONMENT
• Observe the operational environment	

• Monitor for SecurityEvents
• Harden the security posture	

• Trigger SecurityAct...
INDICATORS OF A NEGATIVE
OPERATIONAL ENVIRONMENT
• Failed login	

• Timer	

• Temperature drop	

• Radio silence	

• Debugger attach	

• Receive alert	

• SIM removed
HARDEN SECURITY POSTURE
• Kill sensitive applications	

• Unmount file systems	

• Wipe files	

• Wipe ram	

• Reboot phone
DURESS CODES
• Explicit duress codes don’t work	

• “of these two codes, only use this one when
you’re under extreme stres...
CryptogenMod + 	

DarkMatter =
http://github.com/grugq/darkmatter
RAISE	

NSA	

PRICE 2 PWN*
* probably
THEY’LL ADAPT
THANKS!
QUESTIONS?
THANKYOU
@thegrugq	

the.grugq@gmail.com
Click and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobile
Upcoming SlideShare
Loading in …5
×

Click and Dragger: Denial and Deception on Android mobile

24,106 views
22,284 views

Published on

A presentation on OPSEC for mobile phones, covering the design and reasoning behind the CryptogenMod ROM and the DarkMatter app.

Source for DarkMatter: https://github.com/grugq/darkmatter

Published in: Mobile, Technology, Business
1 Comment
22 Likes
Statistics
Notes
  • www.webdunyasi.net
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
24,106
On SlideShare
0
From Embeds
0
Number of Embeds
779
Actions
Shares
0
Downloads
183
Comments
1
Likes
22
Embeds 0
No embeds

No notes for slide

Click and Dragger: Denial and Deception on Android mobile

  1. CLICK AND DRAGGER Denial and Deception on Android - the grugq [ @thegrugq ]
  2. AGENDA • OPSEC Refresher • Phones Suck • Threat Model • Some Solutions • Conclusion
  3. ABOUT ME
  4. OPERATIONAL SECURITY The ShortVersion
  5. –Quellcrist Falconer “If you want to lose a fight, talk about it first”
  6. DENIAL & DECEPTION
  7. DENIAL Prevent the adversary from gaining useful information
  8. DECEPTION Feed the adversary false information
  9. • Cover • Cover for action • Cover for status • Concealment • Compartmentation
  10. –James Clapper, Director of National Intelligence “People must communicate.They will make mistakes and we will exploit them.”
  11. PHONES SUCK
  12. –Allen Dulles, Former Director of Central Intelligence “The greatest material curse to the profession, despite all its advantages, is undoubtedly the telephone.”
  13. NO MOBILE ANONYMITY
  14. MOBILE IDENTIFIERS
  15. LOCATION • Specific location, e.g. home, work, etc. • Mobility pattern, from home, via commute, to work • Mirroring, two (or more) devices traveling together
  16. NETWORK • Numbers dialed, (who you call) • Calls received, (who calls you) • Calling pattern, (number dialed, for how long, when, how frequently)
  17. PHYSICAL • IMEI, mobile device ID (the serial number) • IMSI, mobile subscriber ID (the phone number)
  18. CONTENT • Identifiers, e.g. names, locations • Voice fingerprinting • Keywords
  19. SMARTPHONES • Ad network analytics • GPS • Apps scrape and upload content • Mothership pings • Android ID • MAC address
  20. SMARTPHONES CONT. • IP address • WiFi beacons • Cameras • Gait analysis (via sensors)
  21. THREAT MODEL
  22. LOCAL SECURITY FORCES
  23. • Reporters are searched and interrogated • AJ reporters arrested for “spy equipment” • Mobile 3G access point • Militia members thought it looked “suspicious”
  24. NOT NSA
  25. USERS
  26. SECURITY IS HARD WORK
  27. SECURITYTAKES DISCIPLINE
  28. USERS ARE LAZY
  29. so are we
  30. EASYTO USE
  31. SECURE BY DEFAULT
  32. REASONABLY SECURE
  33. BURNER PHONES
  34. WHAT ARETHEY GOOD FOR? • Threat actors without nation state level capabilities • Your mom • Building a non-operational legend • Flesh out a persona that doesn’t need protection
  35. DEFINITELY NOT NSA
  36. BURNER GUIDELINES • Dumber the better • Learn to disable completely (battery + SIM out) • Disable around locations linked to you (home!) • Never put in real information • Feel free to load with fake data https://b3rn3d.herokuapp.com/blog/2014/01/22/burner-phone-best-practices/
  37. BURNER GUIDELINES, CONT. • Call non-operational numbers to chaff the analysis • Keep it short • Keep it simple • Get rid of it as soon as possible
  38. BURNER GUIDE CONT. • Purchase using cash from smaller stores • Time delay before activation (months) • Dispose of with extreme prejudice
  39. CLANDESTINE CALLS
  40. –Allen Dulles “Never dial [the] number before having thought about your conversation. Do not improvise even the dummy part of it. But do not be too elaborate.The great rule…is to be natural.”
  41. • Keep it short, simple and natural • Prefer signalling over operational data • signalling > open codes > plain talk • Enter your conversation with a plan
  42. –Allen Dulles, Former Director of Central Intelligence “Even if you do not use [the phone] carelessly yourself, the other fellow, very often will, so in any case, warn him.”
  43. FORTRESS PHONE
  44. NSA GUIDELINES • Two forms of encryption • Belts and braces • Data at rest • FDE + app encryption • Data in motion • VPN + app encryption
  45. YOU CANNOT HAVE A SECURE ANDROID PHONE
  46. BECAUSE IT IS A PHONE
  47. BECAUSE IT IS ANDROID
  48. LEO’S LOVE ANDROID
  49. YOU CAN'T BOLT ON SECURITY Android cannot be secured by adding apps
  50. BUT WHAT IF I… No. Seriously, just no.
  51. • Blackphone • For people with money • Samsung KNOX • For people who don’t want a secure phone
  52. • GuardianROM • For people who like to reboot • CryptogenMod* • For DIY hackers * name subject to change
  53. IS IT NSA-PROOF?
  54. CRYPTOGENMOD Hardened Android ROM
  55. FEATURES • Lots of crypto • Robust against physical access • Resilient against network attacks • Impact containment
  56. • Derived from CyanogenMod 11 • Stripped down (no browser, no analytics) • Advanced privacy patches • OpenPDroid + PDroid Manager • Secure application replacements
  57. • Kernel hardening tweaks • A lot more work to be done here • Hardened userland • A lot more work to be done here
  58. PROTECTION
  59. • Local physical access • Remote hacking • Baseband hacking • Network monitoring • GSM monitoring
  60. PHYSICAL • Forensic analysis • Encryption • Security Ratchet
  61. REMOTE • Reduce attack surface dramatically • No browser, services, or email • No app store
  62. BASEBAND • Nothing I can do • Except PORTAL • But it’s not the end of the world • BB exploits are finicky • BB design is everything (segmentation FTW)
  63. NETWORK MONITORING • VPN direct to a secure backend • Limited information is exposed • Provides dual layer encryption
  64. OPSEC STILL CRITICAL Secure phones can’t cure stupid.
  65. DARKMATTER This App Kills Forensic Analysis
  66. SECURE APP CONTAINERS + SECURE OPERATIONAL ENV
  67. CRYPTED APP CONTAINERS
  68. MOBILETRUECRYPT • Runs apps withinTrueCrypt containers • Automagically kills sensitive apps, then • mount -o bind … /data/data/$app
  69. MOBILETRUECRYPT • tc-play https://github.com/bwalex/tc-play • Uses theTrueCrypt volume format • Supports outer and hidden volumes • Backend is dm-crypt not FUSE
  70. MOBILETRUECRYPT • Why not use native /data encryption? • AES-256-XTS > AES-128-CBC • Use both
  71. WIN STATES
  72. CLOSED CRYPTED CONTAINERS
  73. SHUTDOWN/REBOOT COUNTS
  74. HOW DO WE GETTHERE?
  75. EVENT BASED HARDENING
  76. CHANGE SECURITY POSTURE BASED ON OBSERVATIONS OFTHE OPERATIONAL ENVIRONMENT
  77. • Observe the operational environment • Monitor for SecurityEvents • Harden the security posture • Trigger SecurityActions
  78. INDICATORS OF A NEGATIVE OPERATIONAL ENVIRONMENT
  79. • Failed login • Timer • Temperature drop • Radio silence • Debugger attach • Receive alert • SIM removed
  80. HARDEN SECURITY POSTURE
  81. • Kill sensitive applications • Unmount file systems • Wipe files • Wipe ram • Reboot phone
  82. DURESS CODES • Explicit duress codes don’t work • “of these two codes, only use this one when you’re under extreme stress. ps don’t forget” • “if you use the wrong code, you are severely punished”
  83. CryptogenMod + DarkMatter =
  84. http://github.com/grugq/darkmatter
  85. RAISE NSA PRICE 2 PWN* * probably
  86. THEY’LL ADAPT
  87. THANKS!
  88. QUESTIONS?
  89. THANKYOU @thegrugq the.grugq@gmail.com

×