Ransombile: yet another reason to ditch sms

The general belief is that a mobile device that is locked, encrypted and protected with a PIN or biometrics is a secure device. The truth is that major operating systems, including iOS and Android, help and encourage you to downgrade the security of locked devices through certain features, and they default to insecure settings. Personal assistants on mobile devices are very popular; Siri, OK Google and Cortana are just a few of them. They can perform multiple tasks, including placing calls, sending emails and reading SMS, among other sensitive actions. How secure are they? Can we trust our personal assistants to keep our data safe? And what about displaying notifications on the lock screen?

On the other hand, with the proliferation of cheap SDR hardware, DIY IMSI catchers, open source tools and broken GSM protocols that are still supported, targeting mobile communications is easier than ever. But what are the real consequences? It is well known that SMS is not a secure channel, but the industry is still hesitant to move away from it. This presentation is yet another nail in the SMS coffin and aims to help push the industry away from supporting it. Ransombile is a tool that can be used in different scenarios to compromise someone's digital life in less than 2 minutes. Email accounts, financial data, social networks... all gone. Have you ever left your phone on the desk unattended? Do you believe losing your phone only impacts your wallet? Do you feel safe when crossing the border into the USA because they can't force you to reveal the passcode? This presentation is for you.

Published in: Technology

  1. Ransombile: Yet another reason to ditch SMS. Martin Vigo, @martin_vigo | martinvigo.com
  2. Martin Vigo: Product Security Lead. From Galicia, Spain. Research | Scuba | Gin tonics. @martin_vigo - martinvigo.com (photo: an Amstrad CPC 6128, captured while playing “La Abadía del Crimen”)
  3. Have you left your phone unattended?
  4. Did you disable the assistant on the lock screen?
  5. Did you disable notifications on the lock screen?
  6. What can the assistant do while the device is locked?
  7. How to steal $2,999.99 in less than 2 minutes: https://www.martinvigo.com/steal-2999-99-minute-venmo-siri
  8. Goal: broadening the impact
  9. Well-known issues for years: “Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”
  10. Objective: help push the industry to stop relying on SMS as a secure channel
  11. Finding more SMS services: usshortcodedirectory.com
  12. Password reset
  13. 2-factor authentication
  14. Verification
  15. Attack vector
     1. Obtain the victim’s email
     2. Use it to initiate a password reset in all services
     3. Obtain the secret codes from SMS
     4. Use them to complete the password reset process in all services
     5. Set new passwords
  16. Obtain the victim’s email: “Send an email to attacker@domain.com about subject saying content”
  17. Obtain the secret codes from SMS: SMSs are displayed on the locked home screen; “Read my texts”
  18. Attack vector (repeated)
     1. Obtain the victim’s email
     2. Use it to initiate a password reset in all services
     3. Obtain the secret codes from SMS
     4. Use them to complete the password reset process in all services
     5. Set new passwords
  19. Lots to compromise, limited time: we need automation
  20. Ransombile = Ransomware + Mobile
     - Automates the entire password reset process over SMS
     - Uses Selenium for UI automation rather than APIs; there is even a Firefox plugin that records your mouse movements and generates the code for you
     - Does not require any backend/API knowledge to add new SMS services
  21. Attack vector (repeated)
     1. Obtain the victim’s email
     2. Use it to initiate a password reset in all services
     3. Obtain the secret codes from SMS
     4. Use them to complete the password reset process in all services
     5. Set new passwords
  22. Ransombile flow (diagram)
     1. “Send an email to victim.ransom@gmail.com about subject saying content”
     2. Get the email address
     3. Initiate the password reset process
     4. Codes are sent over SMS
     5. Read the codes and enter them in Ransombile
     6. Send the secret codes and complete the password reset
  23. Ransombile demo: “Hi, my name is Tom Promise and I am a millennial!”
  24. Open source: github.com/martinvigo/ransombile
  25. Conclusions
     - A locked mobile device is still insecure
     - Unattended mobile devices can be a bigger risk than unattended computers, and companies tend to ignore this
     - The consequences of losing your phone are not only monetary
  26. Can we do better? Getting rid of the physical access requirement
  27. Attack vector: steps 1 and 3 (obtain the victim’s email, obtain the secret codes from SMS) require physical access
  28. Obtain the victim’s email without physical access
     - Chaouki Kasmi & Jose Lopes Esteves, “Remote Command Injection on Modern Smartphones”
     - Nicholas Carlini, Pratyush Mishra, Tavish Vaidya, Yuankai Zhang, Micah Sherr, Clay Shields, David Wagner & Wenchao Zhou, “Hidden Voice Commands”
     - Guoming Zhang, Chen Yan, Xiaoyu Ji, Taimin Zhang, Tianchen Zhang, Wenyuan Xu, “DolphinAttack: Inaudible Voice Commands”
  29. DolphinAttack
  30. Obtain the secret codes from SMS without physical access
     - SS7 attacks (CCC - Tobias Engel - “SS7: Locate. Track. Manipulate.”)
     - 2G downgrade attacks and the broken A5/1 cipher (DEF CON 18 - Kristin Paget - “Practical Cellphone Spying”)
     - Femtocells (DEF CON 21 - “Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell”)
     - SIM swapping
  31. Conclusions
     - It is possible to perform these attacks without physical access to the device (in theory... POC||GTFO)
     - SMS wasn’t designed with security in mind, nor to be used as a secure channel
     - Online services should encourage app-based temporary codes and make SMS opt-in
  32. Recommendations for you
     - Don’t leave your mobile device unattended
     - Disable the assistant on the lock screen
     - Disable notification previews on the lock screen
     - Use apps for 2FA
     - Don’t provide your phone number if it is not required; unless it’s the only way to get 2FA, use a virtual number to prevent OSINT and SIM swapping attacks
     - Check the settings to disable security challenges over SMS
  33. THANK YOU! @martin_vigo | martinvigo.com | martinvigo@gmail.com | linkedin.com/in/martinvigo | github.com/martinvigo | youtube.com/martinvigo. Come see my DEF CON talk: “Compromising online accounts by cracking voicemail systems”, Friday, 1PM in Track 1
