A Day in the Life of your Mobile Phone (or: How Your Phone Hates You)
Your mobile device lives in an Orwellian world of surveillance, intrigue and promiscuity. While your phone is safely tucked away in your pocket, it lives an alternate existence selling you out, betraying you and offering up your secrets whenever it can. While you're sleeping, driving, buying coffee or checking email, your phone is busy divulging your location, storing your credentials and documenting everything you do. This presentation from the 2014 (ISC)2 Security Congress walks through a day in the life of your mobile device and shows you what it's telling the world about you.

Published in: Technology
A Day in the Life of your Mobile Phone (or: How Your Phone Hates You)

  1. A Day in the Life of Your Mobile Phone (or: how your phone hates you)
     Rob Barnes, CISSP®, CSSLP®, Software Security Architect, The College Board
     #YourPhoneHatesYou
     Strengthening Cybersecurity Defenders #ISC2Congress
  2. Reality: Your phone hates you.
     How we like to think our phones protect our privacy:
  3. Things you do every day
     » Check email
     » Check weather
     » Check stocks
     » Use social media
     » Take photos
     » Post photos
     » Buy coffee
     » Sync device with phone
     » Join Wi-Fi access points
     » Send email
     » Navigate with map
     » Research restaurants
     » Place hands-free calls
     » Browse websites
     » (Plus all the things your kids do that you don’t know about)
  4. Things your phone does every day
     Collects location information (Divulges location information.)
     Collects personal information (Divulges personal information.)
     Collects usage information (Divulges usage information.)
  5. Does it matter?
     97% of mobile applications access personal address books, social media pages and connectivity options like Bluetooth or Wi-Fi.
     86% of mobile applications are insecure.
     But it doesn’t matter. 100% of what you do reveals something about you.
     http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.VA2ntvlr6Cc
     http://threatpost.com/insecure-applications-we-are-84-percent-120711/75961
  6. Don’t think like an attacker.
     Think like: a marketer. a parent. a forensic investigator.
  7. Location Privacy: Using the device
  8. Location Privacy: Browsing
     This is where I spent my summer, as told by a web service:
  9. Location and Device Privacy
     When you (or an app) access a web page or web service, it sends the following information:
     108.28.101.205 08/Sep/2014:14:18:45 -0400 Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X) Version/6.0 Mobile/10B350 Safari/8536.25
     » Browser version (a two-for-one bonus!)
     » Firmware version = iOS 6.1.4
     » Belongs to Verizon FiOS in Chantilly, VA
     » Device make and model (OLD!)
  10. Location Privacy: Using apps
      Are you sure you’re just checking the weather? As a bonus to you, Weather Channel shares your usage statistics!
      » http://or1.sc.omtrdc.net/b/ss/twciiphonescroll/0 . . .
      » Resolution=640x1136
      » AppID=iPhone 6.2.1 (420573)
      » TimeSinceLaunch=58
      » DeviceName=iPhone6,1
      » action=weather:data-refresh-requested
      » OSVersion=iOS 7.1.2
      » CarrierName=Verizon
      » actionTracking=weatherdatarefreshrequested
      » ts=1408722639 (which translates to 8/22/2014 11:50:39 AM)
  11. Location Privacy: Using apps
      Sure enough, you agreed to all of this.
  12. Why should you care?
      “Big Data” marketing can infer:
      When you’re at home
      When you’re at work
      When you’re driving
  13. Why should you care?
      An attacker can infer:
      When you’re at home
      …and when you’re not
  14. Device Privacy: Using Wi-Fi
      Phone: Hi! Can I please join your network? My MAC address is DC:9B:9C:xx:xx:xx!
      Access point: Sure! (Ah…so you’re an Apple device…)
      Phone: Thanks! Oh, also, my name is “Rob Barnes’s iPhone 5”!
      Access point: OK, thanks. Welcome! (Welcome, indeed, “Rob Barnes”!)
  15. Device Privacy: Using Wi-Fi
      Phone: Hey, it’s “Rob Barnes’s iPhone 5” again. Sorry to bother you. What is the IP address for email.mycompany.com?
      Access point: It’s 209.48.123.456.
  16. Why should you care?
      Dear Rob Barnes:
      Congratulations! Your iPhone 5 is eligible for a free upgrade! Please click here for details, or visit your local Atlanta Apple retail store.
      This message was sent to rbarnes@mycompany.com. Click here to unsubscribe from future emails.
      Sincerely, The Apple Customer Loyalty Team
  17. Device Privacy: Using Wi-Fi
      My stored Wi-Fi networks (com.apple.wifi.plist):
      belkin.d36
      belkin.d36.guests
      HoundNet_Guest
      xfinitywifi
      DUKE
      LCPS-OPEN
      Residence_GUEST
      Marriott_Guest
      Kimpton
      Marriott_CONFERENCE
      Dunn_Bros_337!
      Carlton
  18. Device Privacy: Using Wi-Fi
      belkin.d36
      belkin.d36.guests
      HoundNet_Guest
      xfinitywifi
      DUKE
      LCPS-OPEN
      Residence_GUEST
      Marriott_Guest
      Kimpton
      Marriott_CONFERENCE
      Dunn_Bros_337!
      Carlton
      The Marriott_Guest entry in com.apple.wifi.plist:
      <key>lastAutoJoined</key> <date>2014-07-13T06:33:08</date>
      <key>SSID_STR</key> <string>Marriott_Guest</string>
      <key>Strength</key> <real>0.9104790687561035</real>
      <key>CAPABILITIES</key>
      <key>NOISE</key> <integer>91</integer>
      <key>isWPA</key> <integer>0</integer>
      <key>CaptiveNetwork</key> <boolean>true</boolean>
      <key>lastJoined</key> <date>2014-07-12T16:22:16</date>
  19. Device Privacy: MAC
      Ever get the feeling that you’re being watched? This recycling bin is tracking you.
      http://qz.com/112873/this-recycling-bin-is-following-you/
  20. Device Privacy: MAC
      Ever get the feeling that you’re being watched? Your supermarket is tracking you.
      http://www.moxieretail.com/storage/heat_map2.jpg
  21. Why should you care?
      Loyalty Card
      You
  22. A picture is worth 1,000 words…
      http://sophosnews.files.wordpress.com/2012/12/mcafee-exif.jpg?w=640
  23. …and some EXIF data as well…
      Exif Image Size: 470 × 353
      Make: Apple
      Camera Model Name: iPhone 4
      Orientation: Horizontal (normal)
      Date/Time Original: 2012:12:03 12:26:00
      Create Date: 2012:12:03 12:26:00
      Flash: Off, Did not fire
      GPS Latitude Ref: North
      GPS Latitude: 15.658167 degrees
      GPS Longitude Ref: West
      GPS Longitude: 88.992167 degrees
      GPS Altitude Ref: Above Sea Level
      GPS Altitude: 7.152159468 m
      Resolution: 72 pixels/inch
  24. …and some geolocation, too.
  25. Usage Privacy: Using email
      iOS mail header: X-Mailer: iPhone Mail (10B350) [10B350 = iOS 6.1.4]
      Android mail header: X-Mailer: YahooMailAndroidMobile/3.1.3
  26. Usage Privacy: Using Bluetooth
      http://cnet3.cbsistatic.com/hub/i/r/2013/08/22/2cbcf893-6de6-11e3-913e-14feb5ca9861/resize/620x/e604bfe06973383ec0c3ca6323c35487/142B6607.jpg
  27. How to Protect Yourself
      » Location Services
        • Turn it off
        • Use it selectively
      » Browsing
        • Use Onion browser (or other Tor equivalent)
        • Maintain awareness
      » Wi-Fi
        • Do not connect to untrusted networks
          – (But if you do, assume everything you do is monitored)
          – (Also, tell your device to “forget” the network when you’re done.)
  28. How to Protect Yourself
      » EXIF Data
        • iOS
          – TrashExif
          – Metadata Cut
        • Android:
          – EXIF Stripper
          – Photo Editor
  29. How to Protect Yourself
      » MAC Tracking
        • iOS
          – Upgrade to iOS 8
        • Android
          – Pry-Fi (requires rooting the device)
      » Bluetooth
        • Delete any data from synced devices
          – This becomes increasingly applicable with iOS 8’s HealthKit
  30. The End.
      Rob Barnes
      rbarnes@collegeboard.org
      ww.linkedin.com/in/robertdbarnes
      #YourPhoneHatesYou
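Slides 9 and 25 show the same firmware build (10B350) arriving at a web server in the user-agent and at a mail server in the X-Mailer header. The Python below is an added example, not the presenter's code: it decodes those two strings into the fields a marketer or investigator would read off them, using only the 10B350 = iOS 6.1.4 mapping the slides give (the build table is an assumption to be extended from Apple's release notes) and the three-field log layout of slide 9 (client IP, timestamp with zone, user-agent).

```python
import re

# Apple firmware build -> iOS release. Only the pair stated on the slides is
# filled in; extend it from Apple's release notes (assumption, not a full table).
IOS_BUILDS = {"10B350": "6.1.4"}

UA_RE = re.compile(
    r"\((?P<device>iPhone|iPad|iPod touch);.*?CPU (?:iPhone )?OS (?P<os>[\d_]+)"
    r" like Mac OS X\).*?Mobile/(?P<build>[0-9A-Z]+)")
XMAILER_RE = re.compile(r"^X-Mailer:\s*(?P<mailer>.+?)\s*$", re.IGNORECASE)
IOS_MAIL_RE = re.compile(r"^iPhone Mail \((?P<build>[0-9A-Z]+)\)$")


def decode_user_agent(ua: str) -> dict:
    """What an iOS Safari user-agent discloses: device, OS version, firmware build."""
    m = UA_RE.search(ua)
    if not m:
        return {}
    return {"device": m["device"],
            "os_version": m["os"].replace("_", "."),   # 6_1_4 -> 6.1.4
            "build": m["build"],
            "ios_from_build": IOS_BUILDS.get(m["build"])}


def decode_log_line(line: str) -> dict:
    """Split the slide's line (client IP, timestamp, zone, user-agent) and decode the UA."""
    ip, stamp, zone, ua = line.split(" ", 3)
    return {"client_ip": ip, "timestamp": f"{stamp} {zone}", **decode_user_agent(ua)}


def decode_x_mailer(header: str) -> dict:
    """An X-Mailer header names the client; iOS Mail additionally leaks the build."""
    m = XMAILER_RE.match(header.strip())
    if not m:
        return {}
    mail = IOS_MAIL_RE.match(m["mailer"])
    build = mail["build"] if mail else None
    return {"mailer": m["mailer"], "build": build, "ios_from_build": IOS_BUILDS.get(build)}


# Samples copied from the slides (slide 9 log line, slide 25 mail headers).
SAMPLE_LOG_LINE = ("108.28.101.205 08/Sep/2014:14:18:45 -0400 Mozilla/5.0 (iPhone; CPU iPhone OS "
                   "6_1_4 like Mac OS X) Version/6.0 Mobile/10B350 Safari/8536.25")
SAMPLE_HEADERS = ["X-Mailer: iPhone Mail (10B350)", "X-Mailer: YahooMailAndroidMobile/3.1.3"]

if __name__ == "__main__":
    print(decode_log_line(SAMPLE_LOG_LINE))
    for h in SAMPLE_HEADERS:
        print(decode_x_mailer(h))
```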
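The EXIF-stripping apps listed on slide 28 do, at the file level, what this added Python does (example code, not the presenter's and not the code of any app named on the slide): walk the JPEG marker segments and drop the APP1 segment tagged Exif, which is where the Make, Model and GPS fields shown on slide 23 live, leaving the image data untouched. The JPEG bytes are constructed inline to exercise the parser and are not a decodable photo.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"   # payload prefix that marks an Exif APP1 segment


def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each segment in file order. Start-Of-Scan
    (0xDA) is yielded with end=len(jpeg): the scan data after it has no length."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while jpeg[pos + 1] == 0xFF:              # skip optional 0xFF fill bytes
            pos += 1
        marker = jpeg[pos + 1]
        if marker == 0xDA:                        # SOS: rest of file is pixel data
            yield marker, pos, len(jpeg)
            return
        if marker in (0xD8, 0xD9, 0x01) or 0xD0 <= marker <= 0xD7:
            yield marker, pos, pos + 2            # stand-alone marker, no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    if pos < len(jpeg):                           # truncated tail: pass through
        yield None, pos, len(jpeg)


def _is_exif(jpeg: bytes, marker, start: int) -> bool:
    # APP1 is shared with XMP; only the Exif-tagged payload is treated as EXIF here.
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def has_exif(jpeg: bytes) -> bool:
    return any(_is_exif(jpeg, m, s) for m, s, _ in _segments(jpeg))


def strip_exif(jpeg: bytes) -> bytes:
    """Copy every segment except Exif APP1; the scan (pixel) data is kept byte-for-byte."""
    out = bytearray(jpeg[:2])
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
    return bytes(out)


def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a structurally valid marker sequence, not a real photo. The Exif
# payload is a TIFF header plus placeholder bytes standing in for the Make/Model/GPS IFDs.
EXIF_PAYLOAD = EXIF_HEADER + b"MM\x00\x2a\x00\x00\x00\x08" + bytes(16)
SAMPLE_JPEG = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _seg(0xE1, EXIF_PAYLOAD) + _seg(0xDB, b"\x00" + bytes(64))
               + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56\xff\xd9")
```

XMP (also in APP1) and IPTC (APP13) can carry location too; the filter above leaves them alone so it never drops a non-Exif segment, so extend `_is_exif` if those should go as well.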
