AITP Security SIG April 2011


Thank you Nick!


  1. Mobile Attack Implications
     Nicholas J. Percoco, Senior Vice President and head of SpiderLabs
  2. Agenda
     •  About Trustwave SpiderLabs
     •  Attack Vector Evolution
     •  Mobile Attack Cookbook
     •  Conclusions
     •  Questions?
     Copyright Trustwave 2011
  3. Who is SpiderLabs®?
     SpiderLabs is the elite security team at Trustwave, offering clients the most advanced information security expertise available today. The SpiderLabs team has performed more than 1,000 computer incident response and forensic investigations globally, as well as over 10,000 penetration and application security tests for clients -- more than any other provider. Companies and organizations in more than 50 countries rely on the SpiderLabs team’s technical expertise to identify and anticipate cyber security attacks before they happen.
  4. SpiderLabs – Our Mission
     To continually deliver the most advanced expertise in information security in order to protect the digital assets of clients worldwide from a growing spectrum of malicious attacks.
     We achieve this by:
     •  Recruiting top of market talent from the information security community
     •  Performing research in lab facilities in Chicago, London, Sydney and Sao Paulo
     •  Using standardized methodologies and central QA processes to ensure quality and consistency
  5. SpiderLabs International Footprint
     In country presences: Australia - Brazil - Canada - Hong Kong - India - Mexico - Spain - United States - United Kingdom
     Languages spoken: English, French, Spanish, Greek, German, Portuguese, Mandarin, Cantonese, Japanese, Hindi, Zulu, Ndebele, Xhosa, Setswana, Sesotho, Shona
  6. Attack Vector Evolution
  7. Attack Vector Evolution
     [Chart: Attack Vectors Over Time, 1950 to 2010. Vectors shown: Physical, Network, E-mail, Application, Wireless, Client-Side, Mobile, Social Networking]
  8. Attack Vector Evolution
     1980s: Physical
  9. Attack Vector Evolution
     1990s: Network
  10. Attack Vector Evolution
      2000s: E-mail
  11. Attack Vector Evolution
      2000s: Application
  12. Attack Vector Evolution
      2000s: Wireless
  13. Attack Vector Evolution
      2010s: Client-Side
  14. Attack Vector Evolution
      2010: Client Side (Malware)
      1.  Targeted Attack
      2.  Drive-by Infection
      3.  Manual Installation
  15. Attack Vector Evolution
      2010s: Mobile
  16. Attack Vector Evolution
      2010: Mobile
      1.  Mobile Phishing Attacks
      2.  Mobile Ransomware
      3.  Fake Firmware and Jailbreaks
  17. Attack Vector Evolution
      2010s: Social Networking
  18. Attack Vector Evolution
      2010: Social Networking
      1.  Malware Propagation
      2.  Personal Information Exposure
      3.  Data Mining
  19. Attack Vector Evolution
      [Chart: Attack Vectors Over Time, 1950 to 2010. Vectors shown: Physical, Network, E-mail, Application, Wireless, Client-Side, Mobile, Social Networking]
  20. Mobile Attack Cookbook
  21. Mobile Attack Cookbook
  22. Mobile Attack Cookbook – The Recipe
      Ingredients
      •  Motivation
      •  Reversing Skills
      •  Creativity
      •  Motivation Process
      •  Step 1 – Pick a Platform to Target
      •  Step 2 – Find a Vulnerability
      •  Step 3 – Select a Payload
      •  Step 4 – Build the Payload
      •  Step 6 – Select a Payload Delivery Method
      •  Step 5 – Test it Out
  23. Mobile Attack Cookbook – The Recipe
      Step 1 – Pick a Platform to Target
      •  Estimated at 20% of the smartphone market share
      •  Many users are non-technical
      •  Jailbreak community does the vulnerability research, so you don’t have to
      •  Many users don’t EVER update their device to the latest iOS
  24. Mobile Attack Cookbook – The Recipe
      Step 2 – Find a Vulnerability
      •  Leverage the “Jailbreakme.com” vulnerabilities
      •  Affect iOS 4.0.2 or earlier – still likely 50% of the user base
      •  What is it?
      •  The “star” PDF Exploit – Code execution
         −  Classic stack overflow
         −  Leverages IOSurface (IOKit) bug for privilege escalation and sandbox escape
      •  The IOKit Vulnerability – Priv. escalation / escaping the sandbox
         −  Kernel integer overflow in handling of IOSurface properties
         −  Calls setuid(0) inside Safari, getting root
      •  The Jailbreak Phase – Set up residence on the iDevice
         −  Patches out kernel code signing
         −  Installs a basic jailbreak filesystem along with Cydia (apt-get)
  25. Mobile Attack Cookbook – The Recipe
      Step 3 – Select a Payload
      Implement a Weaponized Jailbreak
      •  Patch out a “security” check comex had incorporated
      •  The jailbreakme.com PDFs had code to ensure they’d been downloaded from “jailbreakme.com”.
      •  Patching out all the GUI pop-ups
      •  Didn’t want the victim to realize they were being hacked
      •  Build a modified wad.bin with our “rootkit”
  26. Mobile Attack Cookbook – The Recipe
      Step 4 – Build the Payload
      SpiderLabs Research built a custom-written iOS “Rootkit”
      •  Patched UNIX utilities like ‘ls’, ‘ps’, ‘find’, ‘netstat’ from the JB filesystem
      •  Hiding our tools from actual jailbreakers
      •  Port knock daemon called “bindwatch” fakes its name on argv[0]
      •  Spawns a bind-shell called, wait for it …. “bindshell”, which also fakes argv[0]
      •  Trivial app to record AIFF on the mic – remote eavesdrop
      •  Patched VNC to hide itself a little better
      •  Nice Open Source iPhone VNC server by saurik
      •  Runs via a DYLIB in MobileSubstrate
      •  Mostly just removed the GUI config plist from System Preferences
      •  Coded a trivial CLI obj-C program to configure and start VNC without the GUI
  27. Mobile Attack Cookbook – The Recipe
      Step 5 – Select a Payload Delivery Method
      Many methods can be used:
      •  Fake Jailbreak site
      •  SEO optimized site to target an organization
      •  Phishing attack
      •  Hack a popular site and install within the mobile version
  28. Mobile Attack Cookbook – The Recipe
      Step 6 – Test it Out
      Credit: Eric Monti, Trustwave SpiderLabs Research
  29. Conclusions
  30. Motivations For Attackers
      •  There are over a half-billion devices on 3G networks
      •  By 2020, there will be 10 billion devices
      •  60% of all users carry their devices with them at ALL times
      •  For high-profile and business folks that is near 100%
      •  A typical smartphone today has the same processing power as a PC from 8 years ago, plus:
      •  Always-on network connectivity
      •  Location aware thanks to GPS
  31. Motivations for Attackers
      •  Users accessing highly sensitive information via smartphones is the norm
      •  Users trust a smartphone over a public computer or kiosk
      •  Never question their smartphone’s integrity
      •  Communication Services Providers (CSPs) must allow for governments to access subscribers’ communications
      •  Case: In the UAE, Etisalat pushed a “performance update” to all their Blackberry subscribers.
      •  Reality: Malware was intentionally pushed down to allow interception of data communications.
  32. Conclusions
      •  It is possible and feasible to write malware for a mobile device.
      •  With a little work, automated functionality can be embedded
      •  Little attention is being paid to smartphone security, while everyone trusts their device to perform critical tasks.
      •  In the next 10 years, we will see an explosive growth in the number of attacks against smartphones and other mobile computing device platforms. Will we be prepared?
  33. Questions?
  34. SpiderLabs®
      SpiderLabs® is an elite team of ethical hackers advancing the security capabilities of leading businesses and organizations in over 50 countries.
      More Information:
      Web: https://www.trustwave.com/spiderlabs
      Blog: http://blog.spiderlabs.com
      Twitter: @SpiderLabs
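
Slide 26 lists two hiding tricks, patched `ls`/`ps`/`find`/`netstat` and daemons that fake argv[0]; the usual defensive answer is a cross-view comparison between what the on-device tools report and what a trusted source reports. The sketch below is an added example, not code from the presentation: the process table, paths, PIDs and port are constructed, and it assumes a trusted view is available (for instance from a forensic acquisition or known-good binaries).

```python
"""Cross-view check for patched userland tools and faked argv[0] (added example)."""
import posixpath

# Constructed sample data, not taken from a real device.
# Trusted view: (pid, executable path, argv[0]) from a source the rootkit
# does not control. Paths under /private/var/tmp are hypothetical.
TRUSTED_PROCS = [
    (1, "/sbin/launchd", "/sbin/launchd"),
    (23, "/usr/sbin/syslogd", "/usr/sbin/syslogd"),
    (30, "/usr/sbin/sshd", "sshd"),
    (41, "/private/var/tmp/example_a", "/usr/sbin/syslogd"),  # masquerades
    (42, "/private/var/tmp/example_b", "example_b"),          # hidden from ps
    (50, "/bin/sh", "-sh"),                                   # login shell, benign
]
ONDEVICE_PS_PIDS = {1, 23, 30, 41, 50}      # what the (possibly patched) ps shows
TRUSTED_LISTENERS = {(22, 30), (5900, 42)}  # (tcp port, owning pid)
ONDEVICE_NETSTAT_PORTS = {22}               # what the on-device netstat shows


def argv0_mismatch(exe, argv0):
    """True when argv[0] names a different program than the real executable."""
    name = argv0.lstrip("-")  # login shells are started with a leading "-"
    if "/" in name:           # argv[0] is a path: compare the whole path
        return posixpath.normpath(name) != posixpath.normpath(exe)
    return name != posixpath.basename(exe)


def cross_view(trusted_procs, ps_pids, trusted_listeners, netstat_ports):
    """Return findings where the on-device view disagrees with the trusted one."""
    findings = []
    for pid, exe, argv0 in trusted_procs:
        if pid not in ps_pids:
            findings.append(("hidden-process", pid, exe))
        if argv0_mismatch(exe, argv0):
            findings.append(("argv0-mismatch", pid, f"{exe} runs as {argv0!r}"))
    for port, pid in sorted(trusted_listeners):
        if port not in netstat_ports:
            findings.append(("hidden-listener", pid, f"tcp/{port}"))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in cross_view(TRUSTED_PROCS, ONDEVICE_PS_PIDS,
                                        TRUSTED_LISTENERS, ONDEVICE_NETSTAT_PORTS):
        print(f"{kind:16} pid={pid:<4} {detail}")
```

Any disagreement between the two views is itself the indicator: a clean system has no reason for `ps` or `netstat` to omit what the kernel knows about.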
