Transparent Smartphone Spying

  1. Transparent Smartphone Spying – Georgia Weidman
  2. Agenda • Smartphone Overview • Evil Applications • Evil Jailbreaks • Baseband Spying • Mitigation Strategies
  3. What is a Smartphone?
  4. Data Stored and Transmitted • Personal info • Work info • Location info • Account info
  5. Privacy of Transmitted Data • Mobile communication standards • Encoding vs. Encryption • Attacks against privacy
  6. Privacy Matters: Text Messages • “Hi meet me for lunch” • “Meet me for lunch while my wife is out” • “Here are your bank account credentials”
  7. Privacy Required Examples • Vendor text messages – Vendor advertisements – Provider messages • Mobile banking – Balance sheet – Electronic bill paying – One-time passwords
  8. Evil Applications
  9. Application Stores • iPhone – Expensive – Identity verified – Closed – Certificate authority • Android – Cheap – Open – Anonymous – Self-signed
  10. Application Protections: iPhone • ASLR • Mandatory code signing • No dynamic code loading • Sandboxed
  11. Application Protections: Android • Users accept permissions
  12. Our Text Message Example • Permission to read the text message (SMS) database • Specific permission to send text (SMS) messages • Without user consent, the application cannot access this information
  13. Is this system working to protect users? Are users making good decisions about application permissions?
  14. Top Android App of All Time
  15. Demo: Application abusing permissions
  16. Abusing the Android Sandbox • Load exploit code at runtime • Safe application becomes malicious application • In the wild: DroidDream • In the lab: Rootstrap
  17. Evil Jailbreak
  18. Jailbreaking • Get root privileges • Expand feature set • Run unapproved (3rd party) apps
  19. Jailbreaking Gone Wild • Run this code • It jailbreaks your phone • What else does it do?
  20. So I’ve exploited a phone, what now?
  21. Baseband Spying • Read all data sent/received by the phone • Intercept data before it reaches the user / before it is sent
  22. How a GSM message is sent and received
  23. How a GSM message is sent and received (continued) © Georgia Weidman 2011
  24. How a GSM message is sent and received (continued)
  25. Malicious Proxy • Intercept data • Send data • Alter data • Botnet functionality
  26. Demo: Stealing Text Messages
  27. Mitigation Strategies • User awareness • Encryption • Updating • Code signing
  28. Contact: Georgia Weidman, Security Consultant, Neohapsis, Inc. Email: Website: Twitter: @vincentkadmon
  29. Selected Bibliography • Jon Oberheide and Zach Lanier, “Team JOCH vs. Android”, Shmoocon 2011: teamjoch.pdf • Charlie Miller and Collin Mulliner, “Fuzzing the Phone in Your Phone”, Blackhat USA 2009: 09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf • Dino Dai Zovi, “Apple iOS Security Evaluation”, Blackhat USA 2011: 11/DaiZovi/BH_US_11_DaiZovi_iOS_Security_WP.pdf

Editor's Notes

  • Contacts; emails (work emails too); pictures; location; credentials to online applications; more.
  • Encryption security in transit varies. 2G is broken (Blackhat 2009: Karsten Nohl broke the session key in minutes with 1 TB of storage and 2 nice video cards). Example of interception: Chris Paget, Defcon 2010, with his rogue access point.
  • “Hi meet me for lunch” -- privacy not so important. “Meet me for lunch while my wife is out” -- privacy more important. “Here are your bank account credentials” -- privacy required.
  • iPhone: must have a developer certificate to even run code on your own device; $99/year; identity is verified; all code is reviewed and signed before upload to the store. Android: anyone can write an app and upload it to the Android market; $25 signup fee; anonymous signup possible; no certificate authority, apps are self-signed (3rd party store apps run too).
  • Mandatory code signing: apps cannot load new code at runtime (specific dispensation for browsers, etc.). ASLR on system binaries and some apps in 4.3 and later. Individual apps are sandboxed, with MAC for system permissions etc.
  • Android apps can request any permissions they want. It is up to the user to decide if the app is safe. Foursquare would need GPS but not SMS.
  • Edit and read SMS, send SMS, receive SMS; modify/delete USB storage contents; prevent phone from sleeping; write sync settings; GPS data; services that cost you money; act as account authenticator, manage accounts; read and write your personal information including contact data; phone calls, read phone state and identity; full network access.
  • Any app can use kernel exploits to gain root privileges. Any app can load new code at runtime, so it can load new shellcode as it becomes available. DroidDream: trojaned apps on the Android App Store; used known root methods to gain root privileges; sends phone info (IMEI, IMSI, etc.) offsite. Rootstrap: Zach Lanier and Jon Oberheide, Shmoocon 2011; the Rootstrap app downloads new exploits as they become available; packaged with a Twilight ad app to encourage downloads.
  • Original Android G1 jailbreak: go to the home screen, hit enter twice, type telnetd … Current iPhone and Android jailbreaks: go to this website and say yes to running this unknown binary by an unknown person. It roots the phone; what else does it do?