Your Cell Phone is Covered in Spiders
An overview of the cell phone security landscape
Cooper Quintin
@cooperq
cooper@radicaldesigns.org

We are becoming increasingly dependent on mobile devices
● We are storing more and more data on them
● Pictures
● Videos
● Contacts
● Email
● Social Graphs
● Location History
● Etc

● As the amount of data increases
● The complexity increases
● The desirability increases
● The number of vulnerabilities increases

And there are a lot of vulnerabilities!
Things to Keep in Mind
Physical access == phone can and will be completely compromised.
Also, you should assume that your phone will be compromised at some point.

Security is a Journey Not a Destination
The more hurdles that you put up, the harder you make it for an attacker.
Time to compromise > Determination of attacker
Just because there are so many threats to cellular security doesn't mean you shouldn't take security seriously. There are still things you can do.
Threat Model
● Random attacks
  – Malicious apps
  – Stolen / Lost phone
● Targeted attacker
  – Law Enforcement
  – Corporate Espionage
  – Personal Enemies
● Signal Interception
● Your Phone Company
Burner Phones
● No encryption
● Trivial for Forensic Investigators
● Closed Source
● Usually no Screen Lock

iPhone
The Bad
● Closed source
● Very little in the way of security apps
● Default screen lock is a four digit number
● Encryption tools that aren't free or open source
● FDE keys are stored on phone and can be recovered
The Good
● There is a stronger screen lock that can be enabled
● Off The Record (OTR)
● ChatSecure (works with Gibberbot)
● PrivateGSM (Encrypted VoIP)
● Oh, and an unofficial Tor app (Covert Browser)
● Less Malware

Android
● IMO the best phone for security
● Open source
● Lots of security tools
● Lots of encryption tools
● Strong screen lock
● Guardian Project
Let's Talk About Threat Models Again

Currently in California (and many other states) an arresting officer can search your phone if it does not have a password lock on it.
CA Supreme Court, People vs. Diaz
“Therefore, under Diaz, if you're arrested while carrying a mobile phone on your person, police are free to rifle through your text messages, images, and any other files stored locally on your phone. Any incriminating evidence found on your phone can be used against you in court.”
Law Enforcement Investigators are Looking for:
● Subscriber & Equipment Identifiers
● Contacts
● Appointment Calendar
● SMS, Text Messages, Instant Messages, Email
● Call Logs
● Photos, Audio and Video
● Documents
● Location Data

Forensic Methods
● Recovering screen lock
  – Recovery mode or Google account
● Recovery Mode
● Cellebrite and UFED
● JTAG

Solutions
● Have a strong screen lock and a short timeout
● Turn USB Debugging off
  – This makes forensics a lot harder
● Don't tell them your password
● Encryption (TextSecure, LUKS, Device encryption)
Signal Interception
Threats
● Fake Cellular Towers / Drones
● USRP/GNU Radio
● Snooping as a Service
  – Cellular companies will provide wiretaps without even a warrant
Solutions
● Encrypted Calls (RedPhone)
● Encrypted Text (TextSecure)
● Talk in Person (This is the Most Secure)
Screen Lock
● Face Unlock
● Pattern
● PIN
● Password

This is all Useless if an Attacker can Circumvent Your Lock Screen
● Physical access to a rooted phone with USB debugging on
● Recovery mods
● JTAG Interface

Solutions
● Choose a strong screen lock
● TURN OFF USB DEBUGGING
● Disk Encryption
● Use 2-factor authentication on Google
Lost and Stolen Phones
● Phone Finding Applications
● Remote wipe
● Prey (Cross platform, open source)
● Poison Pill (Open Source)
● Lookout
● Droid Tracker
● Strong Screen lock
● Report to The Provider?
  – They probably don't give a damn.
Malware
Vendor and Espionage malware
● This stuff is extremely sophisticated
● FinFisher
● CarrierIQ
● Voodoo CarrierIQ
Standard, untargeted malware
● Personal Data Theft
● Premium SMS
● The usual suspects (spyware, trojans, phishing)
● Facebook

Solutions
● DroidWall (requires root)
  – Unfortunately no longer open source
  – Try Android Firewall or AFWall
● Be careful what you install
● Antivirus (Lookout, etc.)
● Be wary of third party app stores
● Permission Selection Apps (require root)
  – Permissions Denied
  – CyanogenMod
● Root your phone and remove the bloatware
Of Course, Even an App with No Permissions Can do a Lot
● Read files from SD card
● Get a list of packages
● Access insecure application files
● Read GSM and SIM vendor IDs
● Read Android ID (unique to your phone)
● Call home with a GET request

Other Attacks
● NFC
  – Can completely control the phone just by touching it.
  – Can open up a browser, get photos, videos, contacts, etc.
  – Even buffer overflows
● QR Phishing
● Baseband Attacks
Disk Encryption
● On some devices since Android 3 (Honeycomb)
● Encrypts the /data partition
● Encrypts the /sdcard sometimes, YMMV
● dm-crypt: tried and true
● Uses your lockscreen PIN/password as the key
● VULNERABLE TO COLD BOOT ATTACK (FROST)
● TrueCrypt (Cryptonite)
● LUKS Manager (can be used to encrypt SD card)
● IOCipher (for devs, still alpha)
  – Allows you to create an encrypted virtual FS for your app.
Call Encryption
OSTN
● Open {Secure, Source, Standards} Telephony (Network)
● Federated, Open Source
● Does not stop censorship or provide anonymity
● http://ostel.me
RedPhone
● Open Source client, Closed source server
● Easy to use
● Does not stop censorship or provide anonymity

Other Encryption
● Gibberbot (OTR, encrypts chat)
● APG (PGP for Android)
● Orbot and Orweb (Technically anonymity, not encryption)
● OpenVPN (encrypts your internet connection)
● NoteCipher
● SQLCipher
● TextSecure
● RedPhone
Other Useful Apps
● DuckDuckGo – Alternative search engine
● KeePass – Password vault
● AdAway – Ad blocking for Android
● F-Droid – Alternative open source app store
● ObscuraCam – Block people's faces in sensitive photos
● CAcert Manager – Revoke untrusted root CA certs
● Firefox
● IptablesLog – Log the traffic coming from your phone
● Shark – Capture packets from your phone
● aLogcat – View Android logs
In Conclusion...
● Turn off USB debugging!
● Keep your phone on you
● Trust what you install (Open Source Rules!)
● Root and install custom firmware
● Use a stronger screen lock
● Audit your phone
● Encrypt Everything!
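An added example, not code from the slides or the author's repository: a Python script that turns the deck's checklist (USB debugging off, a production build, encrypted /data, a short screen and lock timeout) into an offline audit of `adb shell` output, so "Audit your phone" becomes a repeatable check. Assumed: the phone answers `getprop`, `settings get global adb_enabled`, `settings get system screen_off_timeout` and `settings get secure lock_screen_lock_after_timeout` (Android 4.2+), and the sample outputs below are constructed, not captured from a real device.

```python
import re
import subprocess

# Constructed sample `getprop` output: /data is encrypted and this is a
# production ("user") build, so adbd does not run as root.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.2.2]
[ro.crypto.state]: [encrypted]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""

# Constructed sample `settings get <namespace> <key>` results: USB debugging
# is still on and the screen stays awake for five minutes.
SAMPLE_SETTINGS = {
    "global adb_enabled": "1",
    "system screen_off_timeout": "300000",
    "secure lock_screen_lock_after_timeout": "5000",
}

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text):
    """Turn `getprop` output ("[name]: [value]" per line) into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def _int(value):
    """`settings get` prints "null" for unset keys; treat that as 0."""
    return int(value) if value is not None and value.isdigit() else 0


def audit(props, settings, max_timeout_ms=60_000):
    """Check the deck's hardening advice; returns (check, passed, detail) tuples."""
    findings = []

    # USB debugging off: with it on, whoever holds the phone can talk to adbd
    # over the cable and the lock screen is not in the way.
    adb = settings.get("global adb_enabled")
    findings.append(("usb_debugging_off", adb != "1", "adb_enabled=%s" % adb))

    # A userdebug/eng ROM (ro.secure=0 or ro.debuggable=1) runs adbd as root,
    # which is the "rooted phone with USB debugging on" case from the deck.
    secure, dbg = props.get("ro.secure"), props.get("ro.debuggable")
    findings.append(("production_build", secure != "0" and dbg != "1",
                     "ro.secure=%s ro.debuggable=%s" % (secure, dbg)))

    # Device encryption of /data.
    crypto = props.get("ro.crypto.state")
    findings.append(("data_encrypted", crypto == "encrypted",
                     "ro.crypto.state=%s" % crypto))

    # Strong lock *and* a short timeout: both the screen-off delay and the
    # lock-after-screen-off delay must be short for the lock to matter.
    screen_off = _int(settings.get("system screen_off_timeout"))
    lock_after = _int(settings.get("secure lock_screen_lock_after_timeout"))
    findings.append(("short_screen_timeout", 0 < screen_off <= max_timeout_ms,
                     "screen_off_timeout=%d ms" % screen_off))
    findings.append(("locks_promptly", lock_after <= max_timeout_ms,
                     "lock_screen_lock_after_timeout=%d ms" % lock_after))
    return findings


def failures(findings):
    """Names of the checks that did not pass."""
    return [name for name, ok, _ in findings if not ok]


def collect_live():
    """Pull the same inputs from a connected phone (assumes adb on PATH)."""
    def sh(*args):
        return subprocess.check_output(["adb", "shell", *args], text=True).strip()
    props = parse_getprop(sh("getprop"))
    settings = {key: sh("settings", "get", *key.split()) for key in SAMPLE_SETTINGS}
    return props, settings


if __name__ == "__main__":
    for name, ok, detail in audit(parse_getprop(SAMPLE_GETPROP), SAMPLE_SETTINGS):
        print("%-22s %s  (%s)" % (name, "PASS" if ok else "FAIL", detail))
```

Swap `SAMPLE_GETPROP`/`SAMPLE_SETTINGS` for `collect_live()` to run it against a phone; on the constructed sample it reports `usb_debugging_off` and `short_screen_timeout` as failing.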
Open Source Presentation!
Get it on Github!
https://github.com/cooperq/spiders

Thank You!
Cooper Quintin
cooper@radicaldesigns.org
Twitter: @cooperq
Jabber: cooperq@jabber.ccc.de
OTR: 9B3470B9 B1F10651 B5840FEB 026D6CF7 2D949F6F
PGP: 75FB9347 FA4B22A0 5068080B D0EA7B6F F0AFE2CA
