Recommandé
Recommandé
Contenu connexe
En vedette
En vedette (20)
Similaire à Transparent Smartphone Spying
Similaire à Transparent Smartphone Spying (20)
Dernier
Dernier (20)
Transparent Smartphone Spying
- 1. Transparent Smartphone Spying Georgia Weidman
- 2. Agenda • Smartphone Overview • Evil Applications • Evil Jailbreaks • Baseband Spying • Mitigation Strategies
- 3. What is a Smartphone?
- 4. Data Stored and Transmitted • Personal info • Work info • Location info • Account info
- 5. Privacy of Transmitted Data • Mobile communication standards • Encoding vs. Encryption • Attacks against privacy
- 6. Privacy Matters: Text Messages • “Hi meet me for lunch” • “Meet me for lunch while my wife is out” • “Here are your bank account credentials”
- 7. Privacy Required Examples • Vendor text messages – Vendor advertisements – Provider messages • Mobile banking – Balance sheet – Electronic bill paying – One time passwords
- 9. Application Stores • iPhone – Expensive – Identity Verified – Closed – Certificate Authority • Android – Cheap – Open – Anonymous – Self signed
- 10. Application Protections: iPhone • ASLR • Mandatory code signing • No dynamic code loading • Sandboxed
- 11. Applications Protections: Android • Users accept permissions
- 12. Our Text Message Example • Permission to read text message(SMS) database • Specific permission to send text message(SMS) messages • Without user consent, application cannot access this information
- 13. Is this system working to protect users? Are users making good decisions about application permissions?
- 14. Top Android App of all Time
- 15. Demo Demo: Application abusing permissions
- 16. Abusing the Android Sandbox • Load exploit code at runtime • Safe application becomes malicious application • In the wild: DroidDream • In the lab: Rootstrap
- 17. Evil Jailbreak
- 18. Jailbreaking • Get root privileges • Expand feature set • Run unapproved (3rd party apps)
- 19. Jailbreaking Gone Wild • Run this code • It jailbreaks your phone • What else does it do?
- 20. So I’ve exploited a phone, what now?
- 21. Baseband Spying • Read all data sent/receive by the phone • Intercept data before it reaches the user/before it is sent
- 22. How an GSM is sent and received 22
- 23. How an GSM is sent and received © Georgia Weidman 2011 23
- 24. How an GSM is sent and received © Georgia Weidman 2011 24
- 25. Malicious Proxy • Intercept data • Send data • Alter data • Botnet functionality
- 26. Demo Demo: Stealing Text Messages
- 27. Mitigation Strategies • User Awareness • Encryption • Updating • Code signing
- 28. Contact Georgia Weidman, Security Consultant Neohapsis, Inc. Email: georgia@grmn00bs.com georgia.weidman@neohapsis.com Website: http://www.neohapsis.com http://www.grmn00bs.com Twitter: @vincentkadmon
- 29. Selected Bibliography • John Oberheide and Jach Lanier “Team JOCH vs. Android” Shmoocon 2011: http://jon.oberheide.org/files/shmoo11- teamjoch.pdf • Charlie Miller and Collin Mulliner “Fuzzing the Phone in Your Phone” Blackhat USA 2009: http://www.blackhat.com/presentations/bhusa- 09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf • Dino Dai Zovi “Apple iOS Security Evalution” Blackhat USA 2011: https://media.blackhat.com/bh-us- 11/DaiZovi/BH_US_11_DaiZovi_iOS_Security_WP.pdf
Notes de l'éditeur
- ContactsEmails (work emails too)PicturesLocationCredentials to online applicationsMore
- Encryption security in transit varies 2G is broken (Blackhat 2009 Karsten Kohl broke session key in minutes with 1TB storage and 2 nice video cards) Example of interception (Chris PagentDefcon 2010 with his rogue access point}
- “Hi meet me for lunch” -- privacy not so important“Meet me for lunch while my wife is out” -- privacy more important“Here is your bank account credentials” -- privacy required
- iPhoneMust have a developer certificate to even run code on your own device$99/yearIdentity is verifiedAll code is reviewed and signed before upload to the store AndroidAnyone can write an app and upload to the Android market$25 signup fee Anonymous signup possibleNo certificate authority/self signed apps (3rd party store apps run too)
- Mandatory code signing/ apps cannot load new code at runtime (specific dispensation for browsers, etc.)ASLR on system binaries and some apps in 4.3 and laterIndividual apps sandboxed with MAC for system permissions etc.
- Android apps can request any permissions they want. Up to the user to decide to decide if app is safeFoursquare would need GPS but not SMS
- Edit and Read SMS, send SMS, receive SMSModify/delete USB storage contentsPrevent phone from sleeping, write sync settingsGPS dataServices that cost you moneyAct as account authenticator, manage accountsRead and write to your personal information including contact dataPhone calls, read phone state and identityFull network access
- Any app can use kernel exploits to gain root privileges Any app can load new code at runtimeCan load new shellcode as it becomes availableDroidDream:Trojaned apps on the Android App Store Used known root methods to gain root privilegesSends phone info: IMEI, IMSI, etc. offsightRootstrap:Zach Lanier and Jon OberheideShmoocon 2011Rootstrap app downloads new exploits as they become availablePackaged with Twilight ad app to encourage downloads
- Original Android G1 jailbreak: go to home screen, hit enter twice, type telnetd …Current iPhone and Android Jailbreaks: Go to this website and say yes to running this unknown binary by an unknown personIt roots the phone, what else does it do?