Mobile Securty - An Oxymoron?

MobileSecurityAn Oxymoron? Pedro Cabrita <pfcabrita@gmail.com> Bruno Morisson <morisson@genhex.org>

About us Pedro Cabrita Bruno Morisson <pfcabrita@gmail.com> <morisson@genhex.org> h>p://genhex.org/~mori/ •  Principal Consultant and Partner @ •  Infosec Consultant & Partner @ BiAHEAD; INTEGRITY S.A.; •  Working in InformaSon Security for the •  Working in infosec for over 12 years; past 11 years; •  In a past life, Security OperaSons Manager •  About 10 years working @ a ﬁnancial and Senior Infosec Consultant @ a private insStuSon; telco; •  I do mainly PenTesSng for living (and have •  Did Sme as a developer (C/C++); fun); Also: secure coding guidelines & reviews; •  CISSP-‐ISSMP, CISA, ISO27k1LA, ITILv3, … reverse engineering; risk assessments; audits… and other security related stuﬀ! •  MSc InformaSon Security student @ Royal Holloway, University of London •  CISSP •  But life isn’t all about security…

What is Mobile Security ?

InformaSon

Why do we care ?

Approach

Users ApplicaSons OS Transport Transmission Physical

Thinking security… •  What can someone do with momentarily physical access to my device ? •  How secure is my informaSon if my device is lost/stolen ? •  What else can go wrong ?

h>p://lifehacker.com/5811383/these-‐are-‐the-‐most-‐common-‐lockscreen-‐pins-‐and-‐you-‐should-‐avoid-‐using-‐them

h>p://www.whispersys.com/screenlock.html

h>p://electronicspyeye.info/your-‐ﬁngers-‐are-‐greasy-‐giving-‐up-‐your-‐android-‐password/

h>p://stream.pleated-‐jeans.com/post/8575021665/password-‐acquired?e6abb3a8

Filesystem

Juice Jacking

h>p://www.pcworld.com/arScle/238499/charging_staSons_may_be_juicejacking_data_from_your_cellphone.html

h>p://krebsonsecurity.com/2011/08/beware-‐of-‐juice-‐jacking/

Bo>om line… •  If someone has physical access to the device... GAME OVER! •  Turn on security features (encrypSon, authenScaSon, remote wipe/lock) •  Choose an appropriate PIN •  Wash your hands frequently •  Don’t connect it anywhere... except home!

Thinking security… •  Is my informaSon transmi>ed securely? •  Can someone eavesdrop my communicaSons?

GSM ...is broken!

GSM Professional equipment US$75.000

GSM USRP US$1.500 h>p://openbts.sourceforge.net/

GSM Old phone Priceless h>p://openbts.sourceforge.net/

GSM Old phone Priceless US$10 h>p://openbts.sourceforge.net/

Bo>om line… Don’t trust the link layer J

Thinking security… •  Do applicaSons transmit data securely ? •  What data ? •  Can someone intercept it ?

h>p://www.theregister.co.uk/2011/05/16/android_impersonaSon_a>acks/

h>p://support.apple.com/kb/HT4824

Bo>om line… •  Lots and lots of apps send informaSon in clear •  Some apps handle SSL errors really badly… •  Bugs in the underlying OS CHAOS

Thinking security… •  How do security issues aﬀect the OS ? •  Is it updated ? •  For how long ? •  Does it do anything should know about ?

h>p://www.pcworld.com/businesscenter/arScle/239607/diginotar_cerSﬁcates_are_pulled_but_not_on_smartphones.html

h>p://www.zdnet.com/blog/london/-‐8216hacked-‐server-‐claims-‐another-‐cerSﬁcate-‐authority-‐casualty/596

h>p://threatpost.com/en_us/blogs/new-‐ios-‐bug-‐lets-‐apps-‐run-‐unsigned-‐code-‐110711

h>ps://twi>er.com/#!/dinodaizovi/status/133705807157145600

h>p://corte.si/posts/security/openfeint-‐udid-‐deanonymizaSon/index.html

Bo>om line… •  Diﬃcult (impossible?) to keep updated •  “secret” features reveal private informaSon •  Encourages uploading private informaSon to the “cloud” •  Insecure default conﬁguraSons However, they do provide interesSng security features

Users Applica4ons OS Transport Transmission Physical

Thinking security… •  How do applicaSons handle security ? •  Do they store informaSon securely ? •  What informaSon do they share ? •  Are the markets/app stores safe ?

OWASP Top 10 Mobile Risks Release Candidate v1.0 •  Insecure Data Storage •  Weak Server Side Controls •  Insuﬃcient Transport Layer ProtecSon •  Client Side InjecSon •  Poor AuthorizaSon and AuthenScaSon •  Improper Session Handling •  Security Decisions Via Untrusted Inputs •  Side Channel Data Leakage •  Broken Cryptography •  SensiSve InformaSon Disclosure h>ps://www.owasp.org/index.php/OWASP_Mobile_Security_Project

h>p://threatpost.com/en_us/blogs/wells-‐fargo-‐boa-‐cited-‐lax-‐mobile-‐app-‐security-‐110510

h>p://www.androidpolice.com/2011/10/01/massive-‐security-‐vulnerability-‐in-‐htc-‐android-‐devices-‐evo-‐3d-‐4g-‐thunderbolt-‐others-‐exposes-‐phone-‐numbers-‐gps-‐sms-‐emails-‐addresses-‐much-‐more/

h>ps://superevr.com/blog/2011/xss-‐in-‐skype-‐for-‐ios/

h>p://www.androidpolice.com/2011/04/14/exclusive-‐vulnerability-‐in-‐skype-‐for-‐android-‐is-‐exposing-‐your-‐name-‐phone-‐number-‐chat-‐logs-‐and-‐a-‐lot-‐more/

Markets and App Stores

h>p://www.darkreading.com/insider-‐threat/167801100/security/vulnerabiliSes/228201093/google-‐issuing-‐ﬁx-‐for-‐latest-‐android-‐vulnerability-‐disclosure.html

h>p://news.cnet.com/8301-‐27080_3-‐10446402-‐245.html

h>p://threatpost.com/en_us/blogs/new-‐ios-‐bug-‐lets-‐apps-‐run-‐unsigned-‐code-‐110711

h>p://www.kaspersky.co.uk/news?id=207576416

h>p://www.darkreading.com/authenScaSon/167901072/security/news/231500422/gingermaster-‐is-‐ﬁrst-‐malware-‐to-‐uSlize-‐a-‐root-‐exploit-‐on-‐android-‐2-‐3.html

Other Malicious Soyware

h>p://www.securelist.com/en/analysis/204792194/ZeuS_in_the_Mobile_Facts_and_Theories

Bo>om line… •  Apps are leaking private informaSon •  InformaSon is not stored securely •  Have security vulnerabiliSes •  Some include malware •  Android malware is on the rise •  Apps circumvent security features •  ValidaSng apps is not enough

Given a choice between dancing pigs and security, users will pick dancing pigs every 8me Gary McGraw and Edward Felten: Securing Java (John Wiley & Sons, 1999; ISBN 0-‐471-‐31952-‐X), Chapter one, Part seven

Wrap Up

Wrap Up •  Users trust by default •  Apps sSll have room for improvement (security wise) J •  Mobile devices are becoming a mainstream target for malware •  Hardware has longer longevity than the OS •  Lower layers are not helping Mobile security is sSll in its infancy

Thanks! Q&A Pedro Cabrita <pfcabrita@gmail.com> Bruno Morisson <morisson@genhex.org>

Mobile Securty - An Oxymoron?

by morisson on Nov 15, 2011

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 1

Statistics

Mobile Securty - An Oxymoron? Presentation Transcript