Ransombile: yet another reason to ditch sms

Martin Vigo, red teamer and security researcher at Triskel Security
Ransombile
Yet another reason to ditch SMS
Martin Vigo
@martin_vigo | martinvigo.com
Martin Vigo
Product Security Lead
From Galicia, Spain
Research | Scuba | Gin tonics
@martin_vigo - martinvigo.com
Photo: Amstrad CPC 6128, captured while playing “La Abadía del Crimen”
Have you left your phone unattended?
Did you disable the assistant on lock screen?
Did you disable notifications on lock screen?
What can the assistant do while the device is locked?
How to steal $2,999.99 in less than 2 minutes
https://www.martinvigo.com/steal-2999-99-minute-venmo-siri
Goal
Broadening the impact
Well-known issues for years
NIST SP 800-63B (2016 public draft) on out-of-band authenticators: “Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”
Objective
Help push the industry to stop relying on SMS as a secure channel
Finding more SMS services
usshortcodedirectory.com (directory of SMS short codes and the companies behind them)
Services use SMS for:
Password reset
2-factor authentication
Verification
Attack vector
1. Obtain victim’s email
2. Use it to initiate password reset in all services
3. Obtain secret codes from SMS
4. Use them to complete password reset process in all services
5. Set new passwords
Obtain victim’s email
Ask the assistant on the locked phone: “Send an email to attacker@domain.com about subject saying content”. The message arrives from the victim’s account, which reveals the address.
Obtain secret codes from SMS
Incoming SMSs are displayed on the locked home screen; failing that, ask the assistant: “Read my texts”.
Lots to compromise, limited time
We need automation
Ransombile
Ransomware + Mobile
Automates the entire password reset process over SMS
Uses Selenium for UI automation rather than service APIs; the Selenium IDE Firefox extension even records your clicks and generates the code for you
Adding a new SMS-based service does not require any backend/API knowledge
Ransombile flow
1. Attacker asks the assistant on the locked phone: “Send an email to victim.ransom@gmail.com about subject saying content” (the attacker-controlled mailbox)
2. Get the victim’s email address from the received message
3. Ransombile initiates the password reset process in every supported service
4. The services send their codes to the victim’s phone over SMS
5. Attacker reads the codes from the lock screen and enters them in Ransombile
6. Ransombile submits the secret codes and completes each password reset
Ransombile Demo
Hi, my name is Tom Promise and I am a millennial!
Open source
github.com/martinvigo/ransombile
Conclusions
A locked mobile device is still insecure
Unattended mobile devices can be a bigger risk than unattended computers, and companies tend to ignore this
Consequences of losing your phone are not only monetary
Can we do better?
Getting rid of the physical access requirement
Attack vector revisited
Steps 1 and 3 (obtaining the victim’s email and reading the SMS codes) require physical access to the device
Obtain victim’s email without physical access
Prior work on injecting voice commands remotely:
Chaouki Kasmi & Jose Lopes Esteves, “Remote Command Injection on Modern Smartphones”
Nicholas Carlini, Pratyush Mishra, Tavish Vaidya, Yuankai Zhang, Micah Sherr, Clay Shields, David Wagner & Wenchao Zhou, “Hidden Voice Commands”
Guoming Zhang, Chen Yan, Xiaoyu Ji, Taimin Zhang, Tianchen Zhang, Wenyuan Xu, “DolphinAttack: Inaudible Voice Commands”
Obtain secret codes from SMS without physical access
SS7 attacks
2G downgrade attacks and the broken A5/1 cipher
Rogue femtocells
SIM swapping
References:
DEF CON 21 - Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell
DEF CON 18 - Kristin Paget, Practical Cellphone Spying
CCC - Tobias Engel, SS7: Locate. Track. Manipulate.
Conclusions
It is possible to perform these attacks without physical access to the device (in theory… POC||GTFO)
SMS wasn’t designed with security in mind, nor to be used as a secure channel
Online services should encourage app-based temp codes and make SMS opt-in
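The following is an added example, not Ransombile's code and not any real service's code. It is a toy account service in Python that puts the weak design (a reset secured only by a code sent over SMS) beside the app-based alternative recommended above (RFC 6238 TOTP computed on the device and never transmitted), and it also enforces the rule in the guidance quoted earlier on this page: the registered phone number cannot be changed without the second factor at the time of the change. The names Account, issue_sms_reset_code, reset_password_sms, verify_totp, reset_password_totp and change_phone_number are assumptions made for the illustration.

```python
"""Toy account service: SMS reset codes beside app-based (TOTP) codes.

Constructed example for this page; not Ransombile's code and not any real
service's code. Account, issue_sms_reset_code, reset_password_sms,
verify_totp, reset_password_totp and change_phone_number are assumed names.
"""
import hashlib
import hmac
import secrets
import struct

STEP = 30              # RFC 6238 default time step, in seconds
PBKDF2_ROUNDS = 100_000


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, unix_time // step, digits)


class Account:
    def __init__(self, phone: str, totp_secret: bytes):
        self.phone = phone
        self.totp_secret = totp_secret   # shared with the authenticator app at enrolment
        self.password = None             # (salt, PBKDF2 digest)
        self.pending_sms_code = None     # state of the weak path
        self.last_accepted_step = -1     # replay guard for the TOTP path


def _set_password(acct: Account, new_password: str) -> None:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
    acct.password = (salt, digest)


def check_password(acct: Account, password: str) -> bool:
    if acct.password is None:
        return False
    salt, digest = acct.password
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


# --- Weak path: the reset secret leaves the service over the carrier network ---

def issue_sms_reset_code(acct: Account) -> str:
    """Generate a 6-digit code and 'send' it to acct.phone.

    The return value stands for the SMS body. Whoever can read the locked
    handset's notifications, swap the SIM or intercept the SMS now holds
    the only secret this reset requires.
    """
    acct.pending_sms_code = f"{secrets.randbelow(10 ** 6):06d}"
    return acct.pending_sms_code


def reset_password_sms(acct: Account, code: str, new_password: str) -> bool:
    if acct.pending_sms_code is None:
        return False
    if not hmac.compare_digest(acct.pending_sms_code.encode(), code.encode()):
        return False
    acct.pending_sms_code = None      # single use
    _set_password(acct, new_password)
    return True


# --- Hardened path: app-based codes computed on the device, never transmitted ---

def verify_totp(acct: Account, code: str, now: int, window: int = 1) -> bool:
    """Accept a code for the current step or +/- `window` steps, each step once.

    Consuming the step blocks replay of a code captured during its validity.
    """
    current = now // STEP
    for step in range(current - window, current + window + 1):
        if step <= acct.last_accepted_step:
            continue
        if hmac.compare_digest(hotp(acct.totp_secret, step).encode(), code.encode()):
            acct.last_accepted_step = step
            return True
    return False


def reset_password_totp(acct: Account, code: str, new_password: str, now: int) -> bool:
    if not verify_totp(acct, code, now):
        return False
    _set_password(acct, new_password)
    return True


def change_phone_number(acct: Account, new_phone: str, code: str, now: int) -> bool:
    """Changing the registered number requires the second factor at the time
    of the change (the rule quoted earlier on this page); an SMS to the old
    number is never that factor, so a SIM swap or a read lock screen does not
    let an attacker re-point the account."""
    if not verify_totp(acct, code, now):
        return False
    acct.phone = new_phone
    return True
```

The TOTP functions are checked against the RFC 6238 test vectors (key `12345678901234567890`, time 59 gives `94287082` with 8 digits). The password hashing is a stand-in; a production service would use a memory-hard KDF, rate-limit both reset paths, and bind the reset to the session that requested it.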
Recommendations for you
Don’t leave your mobile device unattended
Disable the assistant on the lock screen
Disable notification previews on the lock screen
Use apps for 2FA
Don’t provide your phone number if not required; if it is the only way to get 2FA, use a virtual number to prevent OSINT and SIM swapping attacks
Check the settings to disable security challenges over SMS
THANK YOU!
@martin_vigo
martinvigo.com
martinvigo@gmail.com
linkedin.com/in/martinvigo
github.com/martinvigo
youtube.com/martinvigo
Come see my DEF CON talk:
“Compromising online accounts by cracking voicemail systems”
Friday, 1PM in Track 1