Mobile Security - An Oxymoron?

Mobile devices are becoming the favored location for storing and doing everything we need, anywhere we want. From personal email, to company confidential information, including the social networks, location services and even online banking - we are storing our lives on mobile devices.

Is all of this information secure, or are we now facing some of the same problems we faced before in personal computing? Have we learned something?

During this talk we discuss the most common problems affecting mobile devices, from Layer 1 to Layer 7. From poor GSM encryption, to poor application development, and everything in between. What are the risks? Are there solutions?

https://codebits.eu/intra/s/session/219


  1. Mobile Security: An Oxymoron?
     Pedro Cabrita <pfcabrita@gmail.com>
     Bruno Morisson <morisson@genhex.org>
  2. About us
     Pedro Cabrita <pfcabrita@gmail.com>
     • Principal Consultant and Partner @ BiAHEAD;
     • Working in Information Security for the past 11 years;
     • In a past life, Security Operations Manager and Senior Infosec Consultant @ a private telco;
     • I do mainly PenTesting for a living (and have fun); also: secure coding guidelines & reviews; reverse engineering; risk assessments; audits… and other security related stuff!
     • CISSP
     Bruno Morisson <morisson@genhex.org> http://genhex.org/~mori/
     • Infosec Consultant & Partner @ INTEGRITY S.A.;
     • Working in infosec for over 12 years;
     • About 10 years working @ a financial institution;
     • Did time as a developer (C/C++);
     • CISSP-ISSMP, CISA, ISO27k1LA, ITILv3, …
     • MSc Information Security student @ Royal Holloway, University of London
     • But life isn't all about security…
  3. What is Mobile Security?
  4. Information
  5. Why do we care?
  6. Approach
  7. Layers: Users · Applications · OS · Transport · Transmission · Physical
  8. Layers: Users · Applications · OS · Transport · Transmission · Physical
  9. Thinking security…
     • What can someone do with momentary physical access to my device?
     • How secure is my information if my device is lost/stolen?
     • What else can go wrong?
  10. Demo
  11. http://lifehacker.com/5811383/these-are-the-most-common-lockscreen-pins-and-you-should-avoid-using-them
  12. http://www.whispersys.com/screenlock.html
  13. http://electronicspyeye.info/your-fingers-are-greasy-giving-up-your-android-password/
  14. http://stream.pleated-jeans.com/post/8575021665/password-acquired?e6abb3a8
  15. Filesystem
  16. Juice Jacking
  17. http://www.pcworld.com/article/238499/charging_stations_may_be_juicejacking_data_from_your_cellphone.html
  18. http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/
  19. Bottom line…
     • If someone has physical access to the device... GAME OVER!
     • Turn on security features (encryption, authentication, remote wipe/lock)
     • Choose an appropriate PIN
     • Wash your hands frequently
     • Don't connect it anywhere... except home!
  20. Layers: Users · Applications · OS · Transport · Transmission · Physical
  21. Thinking security…
     • Is my information transmitted securely?
     • Can someone eavesdrop on my communications?
  22. GSM ...is broken!
  23. GSM: professional equipment, US$75.000
  24. GSM: USRP, US$1.500 (http://openbts.sourceforge.net/)
  25. GSM: old phone, priceless (http://openbts.sourceforge.net/)
  26. GSM: old phone, priceless, US$10 (http://openbts.sourceforge.net/)
  27. Bottom line… Don't trust the link layer :)
  28. Layers: Users · Applications · OS · Transport · Transmission · Physical
  29. Thinking security…
     • Do applications transmit data securely?
     • What data?
     • Can someone intercept it?
  30. http://www.theregister.co.uk/2011/05/16/android_impersonation_attacks/
  31. http://support.apple.com/kb/HT4824
  32. Bottom line…
     • Lots and lots of apps send information in clear
     • Some apps handle SSL errors really badly…
     • Bugs in the underlying OS
     → CHAOS
  33. Layers: Users · Applications · OS · Transport · Transmission · Physical
  34. Thinking security…
     • How do security issues affect the OS?
     • Is it updated?
     • For how long?
     • Does it do anything I should know about?
  35. http://www.pcworld.com/businesscenter/article/239607/diginotar_certificates_are_pulled_but_not_on_smartphones.html
  36. http://www.zdnet.com/blog/london/-8216hacked-server-claims-another-certificate-authority-casualty/596
  37. http://threatpost.com/en_us/blogs/new-ios-bug-lets-apps-run-unsigned-code-110711
  38. https://twitter.com/#!/dinodaizovi/status/133705807157145600
  39–40. http://corte.si/posts/security/openfeint-udid-deanonymization/index.html
  41. Bottom line…
     • Difficult (impossible?) to keep updated
     • "Secret" features reveal private information
     • Encourages uploading private information to the "cloud"
     • Insecure default configurations
     However, they do provide interesting security features
  42. Layers: Users · Applications · OS · Transport · Transmission · Physical
  43. Thinking security…
     • How do applications handle security?
     • Do they store information securely?
     • What information do they share?
     • Are the markets/app stores safe?
  44. OWASP Top 10 Mobile Risks, Release Candidate v1.0
     • Insecure Data Storage
     • Weak Server Side Controls
     • Insufficient Transport Layer Protection
     • Client Side Injection
     • Poor Authorization and Authentication
     • Improper Session Handling
     • Security Decisions Via Untrusted Inputs
     • Side Channel Data Leakage
     • Broken Cryptography
     • Sensitive Information Disclosure
     https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  45. http://threatpost.com/en_us/blogs/wells-fargo-boa-cited-lax-mobile-app-security-110510
  46. http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/
  47. https://superevr.com/blog/2011/xss-in-skype-for-ios/
  48–49. http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/
  50. Markets and App Stores
  51. http://www.darkreading.com/insider-threat/167801100/security/vulnerabilities/228201093/google-issuing-fix-for-latest-android-vulnerability-disclosure.html
  52. http://news.cnet.com/8301-27080_3-10446402-245.html
  53. http://threatpost.com/en_us/blogs/new-ios-bug-lets-apps-run-unsigned-code-110711
  54. http://www.kaspersky.co.uk/news?id=207576416
  55. http://www.darkreading.com/authentication/167901072/security/news/231500422/gingermaster-is-first-malware-to-utilize-a-root-exploit-on-android-2-3.html
  56. Other Malicious Software
  57–62. http://www.securelist.com/en/analysis/204792194/ZeuS_in_the_Mobile_Facts_and_Theories
  63. Bottom line…
     • Apps are leaking private information
     • Information is not stored securely
     • Apps have security vulnerabilities
     • Some include malware
     • Android malware is on the rise
     • Apps circumvent security features
     • Validating apps is not enough
  64. Layers: Users · Applications · OS · Transport · Transmission · Physical
  65. "Given a choice between dancing pigs and security, users will pick dancing pigs every time."
     Gary McGraw and Edward Felten: Securing Java (John Wiley & Sons, 1999; ISBN 0-471-31952-X), Chapter one, Part seven
  66. Layers: Users · Applications · OS · Transport · Transmission · Physical
  67. Wrap Up
  68. Wrap Up
     • Users trust by default
     • Apps still have room for improvement (security wise) :)
     • Mobile devices are becoming a mainstream target for malware
     • Hardware has longer longevity than the OS
     • Lower layers are not helping
     Mobile security is still in its infancy
  69. Thanks! Q&A
     Pedro Cabrita <pfcabrita@gmail.com>
     Bruno Morisson <morisson@genhex.org>
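The "some apps handle SSL errors really badly" point on slide 32 usually means an app that silences certificate validation instead of failing. As an added example (not code from the deck or its authors), here is that Java/Android pattern beside the hardened form that keeps the platform's default trust store and hostname checks; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsHandling {

    // VULNERABLE: the "fix" often shipped when a certificate error shows up in testing.
    // Every certificate is accepted and the hostname is never checked, so anyone on
    // the path (a rogue base station, hostile Wi-Fi) can impersonate the server and
    // read or alter the traffic, which is exactly the slide 22-27 link-layer risk.
    static void trustEverything() throws GeneralSecurityException {
        TrustManager[] acceptAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String auth) {}
            public void checkServerTrusted(X509Certificate[] c, String auth) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);                                   // no chain validation
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true); // no name check
    }

    // HARDENED: keep the platform trust store and default hostname verification, and
    // treat a handshake failure as fatal rather than retrying over plain HTTP or with
    // checks disabled. The logged failure is also the detection signal for interception.
    static int fetchOverTls(String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        try {
            conn.connect();                 // default SSLContext + HostnameVerifier apply
            return conn.getResponseCode();
        } catch (SSLHandshakeException e) {
            throw new IOException("TLS validation failed for " + url + "; not retrying", e);
        } finally {
            conn.disconnect();
        }
    }
}
```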