Transparent Smartphone Spying


  • Data on a smartphone: contacts, emails (work emails too), pictures, location, credentials to online applications, and more.
  • Encryption in transit varies by standard, and 2G (GSM) is broken: at Black Hat 2009 Karsten Nohl showed the session key being recovered in minutes with about 1 TB of precomputed tables and two consumer graphics cards. Example of interception: Chris Paget's rogue GSM base station demo at Defcon 2010.
  • How much privacy a text message needs depends on what it says:
    – “Hi meet me for lunch” -- privacy not so important
    – “Meet me for lunch while my wife is out” -- privacy more important
    – “Here are your bank account credentials” -- privacy required
  • iPhone: you must hold a developer certificate ($99/year, identity verified) even to run your own code on your own device, and all code is reviewed and signed before it reaches the store.
    Android: anyone can write an app and upload it to the Android Market for a $25 signup fee; anonymous signup is possible; there is no certificate authority, apps are self-signed, and apps from third-party stores run too.
  • iPhone protections: mandatory code signing, so apps cannot load new code at runtime (with a specific dispensation for browsers and the like); ASLR on system binaries and some apps from iOS 4.3 onward; each app sandboxed, with mandatory access control (MAC) for system permissions.
  • Android apps can request any permissions they want; it is up to the user to decide whether the app is safe. Foursquare, for example, would need GPS but not SMS.
  • Permissions an Android app can ask for include:
    – Edit and read SMS, send SMS, receive SMS
    – Modify/delete USB storage contents
    – Prevent phone from sleeping, write sync settings
    – GPS data
    – Services that cost you money
    – Act as account authenticator, manage accounts
    – Read and write your personal information, including contact data
    – Phone calls, read phone state and identity
    – Full network access
  • Any app can use kernel exploits to gain root privileges, and any app can load new code at runtime, so it can pull down new shellcode as it becomes available.
    – DroidDream: trojaned apps on the Android Market used known root methods to gain root privileges and sent phone info (IMEI, IMSI, etc.) off-site.
    – Rootstrap (Zach Lanier and Jon Oberheide, Shmoocon 2011): an app that downloads new exploits as they become available, packaged with a Twilight ad app to encourage downloads.
  • Original Android G1 jailbreak: go to the home screen, hit enter twice, type telnetd … Current iPhone and Android jailbreaks: go to a website and say yes to running an unknown binary from an unknown person. It roots the phone; what else does it do?
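The permission notes above ("Foursquare would need GPS but not SMS") and the DroidDream/Rootstrap notes describe two checks a practitioner makes before trusting an app: does it declare more than its purpose needs, and can it become a different app after review by loading code at runtime or asking for root? The following Python triage script is an added example written for this page, not code from the talk. It parses an AndroidManifest.xml, diffs the sensitive permissions against a baseline for the app's stated purpose, and greps `strings classes.dex` output for dynamic-loading and root indicators. The manifest, the check-in baseline, the dex strings and the indicator list are all constructed assumptions.

```python
"""Triage an Android app for over-broad permissions and runtime code loading.
Example written for this page, not the talk's code. The manifest, the
expected-permission baseline and the dex strings below are constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Sensitive permissions the talk lists, with what each one hands an app.
SENSITIVE = {
    "android.permission.READ_SMS": "read the SMS database",
    "android.permission.RECEIVE_SMS": "see incoming SMS before the user",
    "android.permission.SEND_SMS": "send SMS (can cost money)",
    "android.permission.ACCESS_FINE_LOCATION": "GPS data",
    "android.permission.READ_CONTACTS": "contact data",
    "android.permission.READ_PHONE_STATE": "phone state and identity (IMEI/IMSI)",
    "android.permission.CALL_PHONE": "place calls (can cost money)",
    "android.permission.GET_ACCOUNTS": "enumerate accounts",
    "android.permission.AUTHENTICATE_ACCOUNTS": "act as account authenticator",
    "android.permission.INTERNET": "full network access",
}

# Strings in classes.dex meaning the reviewed code is not the code that will
# run: loading a dex at runtime, shelling out, asking for root, or carrying
# the root exploits DroidDream shipped (exploid, rageagainstthecage).
# Hypothetical indicator list assembled for this example.
RUNTIME_INDICATORS = [
    re.compile(r"Ldalvik/system/DexClassLoader;"),
    re.compile(r"Ljava/lang/Runtime;->exec"),
    re.compile(r"/system/x?bin/su$"),
    re.compile(r"exploid|rageagainstthecage", re.I),
]

# Constructed manifest: a location check-in app that also wants SMS and IMEI.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.checkin">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

# What a check-in app plausibly needs: the "GPS but not SMS" baseline (assumed).
CHECKIN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed lines as `strings classes.dex` might print them.
SAMPLE_DEX_STRINGS = [
    "Lcom/example/checkin/MainActivity;",
    "Ldalvik/system/DexClassLoader;",
    "http://198.51.100.7/update.jar",
    "/system/bin/su",
    "Ljava/lang/Runtime;->exec",
]


def declared_permissions(manifest_xml):
    """All <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def excess_permissions(manifest_xml, baseline):
    """Sensitive permissions declared beyond the baseline, with why they matter."""
    extra = declared_permissions(manifest_xml) - set(baseline)
    return {p: SENSITIVE[p] for p in sorted(extra) if p in SENSITIVE}


def runtime_loading_indicators(dex_strings):
    """Strings suggesting the app can change its behaviour after install."""
    return [s for s in dex_strings if any(rx.search(s) for rx in RUNTIME_INDICATORS)]


def triage(manifest_xml, baseline, dex_strings):
    """Combine both checks. An app that can already read SMS *and* fetch new
    code has the DroidDream/Rootstrap shape and is flagged hardest."""
    excess = excess_permissions(manifest_xml, baseline)
    loaders = runtime_loading_indicators(dex_strings)
    if excess and loaders:
        verdict = "suspicious"
    elif excess or loaders:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "excess": excess, "runtime": loaders}


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, CHECKIN_BASELINE, SAMPLE_DEX_STRINGS)
    print(report["verdict"])
    for perm, why in report["excess"].items():
        print(f"  excess  {perm}: {why}")
    for s in report["runtime"]:
        print(f"  runtime {s}")
```

The permission diff alone only says "ask the user"; it is the combination with a code-loading indicator that matters, because an app that can read SMS today and fetch a new dex tomorrow has already escaped the review that signed it.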
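The "encoding vs. encryption" point in the transmitted-data notes above, and the baseband proxy that steals text messages later in the deck, both rest on one fact: an SMS body on the wire is GSM 7-bit septets packed into octets (3GPP TS 23.038) and the phone number is swapped-nibble BCD, so anything that sees the TPDU, such as a proxy sitting between the modem and the app layer, reads the text back with no key. The following Python is an added example written for this page, not code from the talk: a 7-bit user-data codec, the address encoding, and a small model of the malicious proxy that drops bot commands before the user sees them and copies credential-looking messages. The sample messages, the `#bot ` command marker and the keyword heuristic are constructed assumptions.

```python
"""GSM 7-bit SMS encoding is reversible without a key; a proxy between the
modem and the app layer reads every message. Example written for this page,
not the talk's code; the messages and the "#bot " marker are constructed."""

# GSM 7-bit default alphabet, index = septet value (TS 23.038, basic table).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
        " !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
        "¿abcdefghijklmnopqrstuvwxyzäöñüà")
GSM7_INDEX = {c: i for i, c in enumerate(GSM7)}


def to_septets(text):
    try:
        return [GSM7_INDEX[c] for c in text]
    except KeyError as e:
        raise ValueError(f"{e.args[0]!r} needs the extension table or UCS-2") from None


def pack_septets(septets):
    """Pack 7-bit values LSB-first into octets: 8 characters fit in 7 bytes."""
    out, acc, nbits = bytearray(), 0, 0
    for s in septets:
        acc |= s << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:                      # trailing partial octet, zero padded
        out.append(acc & 0xFF)
    return bytes(out)


def unpack_septets(data, count):
    """Inverse of pack_septets. `count` (TP-UDL) stops us reading the pad
    bits as an extra '@' (septet 0) when the text is 7, 15, ... characters."""
    out, acc, nbits = [], 0, 0
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < count:
            out.append(acc & 0x7F)
            acc >>= 7
            nbits -= 7
    return out


def encode_user_data(text):
    """(TP-UDL, TP-UD) for a 7-bit message: septet count and packed bytes."""
    septets = to_septets(text)
    return len(septets), pack_septets(septets)


def decode_user_data(udl, user_data):
    return "".join(GSM7[s] for s in unpack_septets(user_data, udl))


def encode_address(number):
    """TP-OA/TP-DA digits: nibbles swapped per pair, odd length padded with F."""
    digits = number.lstrip("+")
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def decode_address(bcd):
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in bcd).rstrip("F")


C2_MARKER = "#bot "   # constructed: prefix the botmaster puts on command SMS


def baseband_proxy(udl, user_data):
    """Model of the talk's malicious proxy between modem and app layer:
    decode, swallow command messages so the user never sees them, copy
    credential-looking ones to the attacker, forward the rest untouched.
    Returns (action, text). The keyword heuristic is an assumption."""
    text = decode_user_data(udl, user_data)
    if text.startswith(C2_MARKER):
        return "drop", text[len(C2_MARKER):]
    lowered = text.lower()
    if "code" in lowered or "password" in lowered:
        return "exfil+forward", text
    return "forward", text


if __name__ == "__main__":
    udl, ud = encode_user_data("hellohello")      # classic PDU-tutorial example
    print(udl, ud.hex().upper())                  # 10 E8329BFD4697D9EC37
    print(encode_address("+15551234567").hex().upper())
    for msg in ("Hi meet me for lunch", "Your one time code is 482913",
                "#bot send contacts"):
        print(baseband_proxy(*encode_user_data(msg)))
```

Nothing here involves a secret: the only confidentiality an SMS gets is the air-interface cipher between handset and base station, which is exactly what the 2G attacks above remove, and which never protected the message from code running on the handset's own baseband.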

    1. Transparent Smartphone Spying (Georgia Weidman)
    2. Agenda
       • Smartphone Overview
       • Evil Applications
       • Evil Jailbreaks
       • Baseband Spying
       • Mitigation Strategies
    3. What is a Smartphone?
    4. Data Stored and Transmitted
       • Personal info
       • Work info
       • Location info
       • Account info
    5. Privacy of Transmitted Data
       • Mobile communication standards
       • Encoding vs. Encryption
       • Attacks against privacy
    6. Privacy Matters: Text Messages
       • “Hi meet me for lunch”
       • “Meet me for lunch while my wife is out”
       • “Here are your bank account credentials”
    7. Privacy Required Examples
       • Vendor text messages – Vendor advertisements – Provider messages
       • Mobile banking – Balance sheet – Electronic bill paying – One time passwords
    8. Evil Applications
    9. Application Stores
       • iPhone – Expensive – Identity Verified – Closed – Certificate Authority
       • Android – Cheap – Open – Anonymous – Self signed
    10. Application Protections: iPhone
       • ASLR
       • Mandatory code signing
       • No dynamic code loading
       • Sandboxed
    11. Application Protections: Android
       • Users accept permissions
    12. Our Text Message Example
       • Permission to read the text message (SMS) database
       • Specific permission to send text (SMS) messages
       • Without user consent, the application cannot access this information
    13. Is this system working to protect users? Are users making good decisions about application permissions?
    14. Top Android App of all Time
    15. Demo: Application abusing permissions
    16. Abusing the Android Sandbox
       • Load exploit code at runtime
       • Safe application becomes malicious application
       • In the wild: DroidDream
       • In the lab: Rootstrap
    17. Evil Jailbreak
    18. Jailbreaking
       • Get root privileges
       • Expand feature set
       • Run unapproved (3rd-party) apps
    19. Jailbreaking Gone Wild
       • Run this code
       • It jailbreaks your phone
       • What else does it do?
    20. So I’ve exploited a phone, what now?
    22. How a GSM message is sent and received
    23. How a GSM message is sent and received (continued) © Georgia Weidman 2011
    24. How a GSM message is sent and received (continued)
    25. Malicious Proxy
       • Intercept data
       • Send data
       • Alter data
       • Botnet functionality
    26. Demo: Stealing Text Messages
    27. Mitigation Strategies
       • User Awareness
       • Encryption
       • Updating
       • Code signing
    28. Contact: Georgia Weidman, Security Consultant, Neohapsis, Inc. Email: Website: Twitter: @vincentkadmon
    29. Selected Bibliography
       • Jon Oberheide and Zach Lanier, “Team JOCH vs. Android”, Shmoocon 2011: teamjoch.pdf
       • Charlie Miller and Collin Mulliner, “Fuzzing the Phone in Your Phone”, Black Hat USA 2009: 09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf
       • Dino Dai Zovi, “Apple iOS Security Evaluation”, Black Hat USA 2011: 11/DaiZovi/BH_US_11_DaiZovi_iOS_Security_WP.pdf