SlideShare une entreprise Scribd logo

Smartphone Security Problems and Potential Solutions

Georgia Weidman
Georgia Weidman

Georgia Weidman presented on smartphone security issues and potential solutions. She discussed problems with encryption of cellular data, the ability to intercept communications by spoofing a rogue base station, and how phones will fall back to less secure 2G networks. She proposed mitigations like enabling 3G-only mode and encrypting data before sending. Weidman also compared security models of Android and iPhone app stores and software update systems. She emphasized the need to improve user awareness of app permissions and risks of unauthorized jailbreaking.

BusinessTechnologie
1  sur  36
Télécharger pour lire hors ligne
Throw It in the River? Towards Real Live Actual Smartphone Security Georgia Weidman © Georgia Weidman 2011 1
Agenda • Problems and Potential Solutions –Encryption –Applications –Updates –User Awareness © Georgia Weidman 2011 2
Notes • This talk focuses on Android and iPhone • Briefly touches on Windows Mobile and Blackberry • Radio based topics cover only GSM © Georgia Weidman 2011 3
Encryption © Georgia Weidman 2011 4
Encryption Problems • Encryption between phone and base station: – 2G: • Up to the base station to encrypt or not encrypt • Stream cipher A5/1 • Broken (Karsten Nohl Blackhat USA 2010) – 3G: • Encrypted • Stream cipher KASUMI(A5/3) • Conceptually broken © Georgia Weidman 2011 5
Interception • Possible to get phones to attach to a rogue base station • 2G rogue base station (Chris Pagent Defcon 2010) • Intercept all traffic while phone still works normally © Georgia Weidman 2011 6
The Path of Least Resistance • 4G/3G/2G are not backward compatible • Current phones still have 2G radio • Default is to use both 2G and 3G • When 3G not available phones will use 2G • 3G can be jammed to force phones to fall back © Georgia Weidman 2011 7
Mitigation 1: Turn off 2G • Forcing 2G use only is an available setting on modern smartphones • Forcing 3G+ only is not on iPhone or Android (seems to be on Blackberry) • We need to see this setting made available and default © Georgia Weidman 2011 8
Mitigation #2: Encrypt before Using • Telephony data sent over GSM is encoded not encrypted • Only encryption is the stream encryption • Smartphones have the resources and tools to add encryption (openssl etc.) © Georgia Weidman 2011 9
Case Study: SMS SMS-Deliver PDU Field Value Length of SMSC 07 Type of Address (SMSC) 91 Service Center Address (SMSC) 41 40 54 05 10 F1 SMS Deliver Info 04 Length of Sender Number 0B Type of Sender Number 91 Sender Number 51 17 34 45 88 F1 Protocol Identifier 00 Data Coding Scheme 00 Time Stamp 01 21 03 71 40 04 4A User Data Length 0A User Data E8 32 9B FD 46 97 D9 EC 37 © Georgia Weidman 2011 10
Case Study: SMS SMS-Deliver PDU Field Value Length of SMSC 07 Type of Address (SMSC) 91 Service Center Address (SMSC) 41 40 54 05 10 F1 SMS Deliver Info 04 Length of Sender Number 0B Type of Sender Number 91 Sender Number 51 17 34 45 88 F1 Protocol Identifier 00 Data Coding Scheme 00 Time Stamp 01 21 03 71 40 04 4A User Data Length 0A User Data E8 32 9B FD 46 97 D9 EC 37 © Georgia Weidman 2011 11
Case Study: SMS • Given an intercepted PDU 7bit GSM encoding is reversible • All data is recoverable • Ex: From: <redacted> Message: hellohello • Crafting a spoofed SMS-Send PDU is also possible © Georgia Weidman 2011 12
Why We Care about SMS? • Two Factor Authentication/ Account verification – Sends SMS with OTP – Verify with SMS on account setup • Mobile Banking – One time passwords for banking sent to customer’s over SMS – Balance reporting – Electronic bill paying © Georgia Weidman 2011 13
Why We Care about SMS • Vendor text messages Congrats <vendor> has this awesome product to protect your phone Go <here> to download it. – Links to a 3rd party app store – How do I know this came from <vendor>? Example: T-mobile Mobile Security © Georgia Weidman 2011 14
Encrypting SMS • Intercept SMS after the application send the message/before it goes to modem • Encrypt it and adjust SMS-Send PDU • Upon arrival decrypt with the key for the sender number • Then send to user application © Georgia Weidman 2011 15
Demo Encrypted SMS on Android © Georgia Weidman 2011 16
Applications Software that runs on the smartphones © Georgia Weidman 2011 17
Android Apps Store • Anyone can write an app and upload to the Android market • $25 signup fee • Anonymous signup possible • No certificate authority/self signed apps © Georgia Weidman 2011 18
iPhone App Store • Must have a developer certificate to even run code on your own device • $99/year • Identity is verified • All code is reviewed and signed before upload to the store © Georgia Weidman 2011 19
iPhone Security Protections • Mandatory code signing/ apps cannot load new code at runtime • ASLR on system binaries and some apps in 4.3 and later • Individual apps sandboxed with MAC for system permissions etc. © Georgia Weidman 2011 20
Android Security Protections • User must accept application permissions upon install © Georgia Weidman 2011 21
Android Insecurity • Can load new code at runtime (Twilight Botnet, Rootstrap app) • Sandbox is flawed, any app can exploit a kernel vulnerability • Apps can have any permissions they want if user will approve them (DroidDream) © Georgia Weidman 2011 22
iPhone Insecurity • Not all apps are compiled with full ASLR • Patches for apps go through slow review process © Georgia Weidman 2011 23
Software Updates • Smartphones are subject to security flaws • Ex: Sendpage Linux Kernel exploit • Software updates address security issues © Georgia Weidman 2011 24
How Smartphones Update • Android – Pushes updates out over the air • iPhone – Updates through iTunes – Can update when attached to a computer with iTunes • Windows Mobile – Updates through Windows Mobile Activesync – Can update when attached to a computer with Activesync • Blackberry – Check for updates at Blackberry website – Download updates to computer – Connect phone to computer and run updates © Georgia Weidman 2011 25
Why are Android Updates Slow? • Google puts out the new version • Google releases source to other platform makers • Platform makers port new version with custom UI, apps, etc. • Previous updates have taken over 6 months © Georgia Weidman 2011 26
Android’s Way on Other Platforms • A simple solution for alerting user’s to updates over the air • System application checks currently installed firmware version • Periodically calls out to update server for current updated version • If update is available instructs the user to plug in and update © Georgia Weidman 2011 27
Demo Update Application on iPhone © Georgia Weidman 2011 28
User Awareness Fails • Great strides in computer user awareness • Not seeing the same with smartphones • With smartphones users have even more to lose © Georgia Weidman 2011 29
Too Many App Permissions • Android apps can request any permissions they want. • Up to the user to decide to decide if app is safe • Foursquare would need GPS but not SMS • Is this system working? © Georgia Weidman 2011 30
Top Downloaded Android App of all time © Georgia Weidman 2011 31
Facebook App • Edit and Read SMS, send SMS, receive SMS • Modify/delete USB storage contents • Prevent phone from sleeping, write sync settings • GPS data • Services that cost you money • Act as account authenticator, manage accounts • Read and write to your personal information including contact data • Phone calls, read phone state and identity • Full network access © Georgia Weidman 2011 32
Jailbreaking Gone Wild • Original Android G1 jailbreak: go to home screen, hit enter twice, type telnetd … • Current iPhone and Android Jailbreaks: Go to this website and say yes to running this unknown binary by an unknown person • It roots the phone, what else does it do? © Georgia Weidman 2011 33
Raising User Awareness • Stop with those “our apps are better/download all our apps” commercials • Ethical root/jailbreak programs should inform users of the risks • Smartphone security training in organizations © Georgia Weidman 2011 34
Contact Georgia Weidman Neohapsis Inc. Email: georgia@grmn00bs.com Georgia.weidman@neohapsis.com Website: http://www.grmn00bs.com Twitter: @vincentkadmon Code and Slides on website © Georgia Weidman 2011 35
Selected Bibliography • Chris Pagent “Practical Cellphone Spying” Defcon 2010: http://www.tombom.co.uk/cellphonespying.od • Karsten Nohl “Attacking Phone Privacy” Blackhat USA 2010: https://media.blackhat.com/bh-us-10/whitepapers/Nohl/BlackHat-USA- 2010-Nohl-Attacking.Phone.Privacy-wp.pdf • John Oberheide and Jach Lanier “Team JOCH vs. Android” Shmoocon 2011: http://jon.oberheide.org/files/shmoo11-teamjoch.pdf • Dino Dai Zovi “Apple iOS Security Evalution” Blackhat USA 2011: https://media.blackhat.com/bh-us- 11/DaiZovi/BH_US_11_DaiZovi_iOS_Security_WP.pdf © Georgia Weidman 2011 36

Recommandé

Transparent Smartphone Spying
Transparent Smartphone SpyingTransparent Smartphone Spying
Transparent Smartphone SpyingGeorgia Weidman
 
Transparent Botnet C&C for Smartphones over SMS
Transparent Botnet C&C for Smartphones over SMSTransparent Botnet C&C for Smartphones over SMS
Transparent Botnet C&C for Smartphones over SMSGeorgia Weidman
 
Defcon 22-robert-rowley-detecting-defending-against-surveill
Defcon 22-robert-rowley-detecting-defending-against-surveillDefcon 22-robert-rowley-detecting-defending-against-surveill
Defcon 22-robert-rowley-detecting-defending-against-surveillPriyanka Aash
 
Mbs f41 b
Mbs f41 bMbs f41 b
Mbs f41 bSelectedPresentations
 
Defcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosDefcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosPriyanka Aash
 
Securing Wireless Cellular Systems
Securing Wireless Cellular SystemsSecuring Wireless Cellular Systems
Securing Wireless Cellular SystemsACMBangalore
 
Major project of Video calling and remote accessing
Major project of Video calling and remote accessingMajor project of Video calling and remote accessing
Major project of Video calling and remote accessingsyed Farhan Rizvi
 
Cellcrypt Mobile for iPhone
Cellcrypt Mobile for iPhoneCellcrypt Mobile for iPhone
Cellcrypt Mobile for iPhoneCellcrypt
 

Recommandé

Transparent Smartphone Spying
Transparent Smartphone SpyingTransparent Smartphone Spying
Transparent Smartphone SpyingGeorgia Weidman
 
Transparent Botnet C&C for Smartphones over SMS
Transparent Botnet C&C for Smartphones over SMSTransparent Botnet C&C for Smartphones over SMS
Transparent Botnet C&C for Smartphones over SMSGeorgia Weidman
 
Defcon 22-robert-rowley-detecting-defending-against-surveill
Defcon 22-robert-rowley-detecting-defending-against-surveillDefcon 22-robert-rowley-detecting-defending-against-surveill
Defcon 22-robert-rowley-detecting-defending-against-surveillPriyanka Aash
 
Mbs f41 b
Mbs f41 bMbs f41 b
Mbs f41 bSelectedPresentations
 
Defcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosDefcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosPriyanka Aash
 
Securing Wireless Cellular Systems
Securing Wireless Cellular SystemsSecuring Wireless Cellular Systems
Securing Wireless Cellular SystemsACMBangalore
 
Major project of Video calling and remote accessing
Major project of Video calling and remote accessingMajor project of Video calling and remote accessing
Major project of Video calling and remote accessingsyed Farhan Rizvi
 
Cellcrypt Mobile for iPhone
Cellcrypt Mobile for iPhoneCellcrypt Mobile for iPhone
Cellcrypt Mobile for iPhoneCellcrypt
 
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection SystemLuca Bongiorni
 
CellSIM OS Overview 1.0
CellSIM OS Overview 1.0CellSIM OS Overview 1.0
CellSIM OS Overview 1.0Vladimir Nagin
 
IVR Solutions at the Enterprise Level
IVR Solutions at the Enterprise LevelIVR Solutions at the Enterprise Level
IVR Solutions at the Enterprise LevelCallFire
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesPriyanka Aash
 
Secur Digital Presentation 22jul10 Frm Show
Secur Digital Presentation 22jul10 Frm ShowSecur Digital Presentation 22jul10 Frm Show
Secur Digital Presentation 22jul10 Frm Showfmitchell
 
ANDROID SECURITY
ANDROID SECURITYANDROID SECURITY
ANDROID SECURITYyogeshraut090
 
2600Hz - Detecting and Managing VoIP Fraud
2600Hz - Detecting and Managing VoIP Fraud2600Hz - Detecting and Managing VoIP Fraud
2600Hz - Detecting and Managing VoIP Fraud2600Hz
 
Voxeo Summit Day 2 - Securing customer interactions
Voxeo Summit Day 2 - Securing customer interactionsVoxeo Summit Day 2 - Securing customer interactions
Voxeo Summit Day 2 - Securing customer interactionsVoxeo Corp
 
Sierraware virtual phone
Sierraware virtual phoneSierraware virtual phone
Sierraware virtual phoneSierraware
 
Understanding Telecom SIM and USIM/ISIM for LTE
Understanding Telecom SIM and USIM/ISIM for LTEUnderstanding Telecom SIM and USIM/ISIM for LTE
Understanding Telecom SIM and USIM/ISIM for LTEntel
 
Assurity seminar 24 jan
Assurity seminar 24 janAssurity seminar 24 jan
Assurity seminar 24 janJason Kong
 
Home automation
Home automationHome automation
Home automationFinalyear Projects
 
Infonetics and Stoke webinar: Security at the speed of VoLTE
Infonetics and Stoke webinar: Security at the speed of VoLTEInfonetics and Stoke webinar: Security at the speed of VoLTE
Infonetics and Stoke webinar: Security at the speed of VoLTEMary McEvoy Carroll
 
J-Telecom_V2
J-Telecom_V2J-Telecom_V2
J-Telecom_V2Jihad Dib
 
From E-Transactions to M-Transactions: Enabling mobile transactions with info...
From E-Transactions to M-Transactions: Enabling mobile transactions with info...From E-Transactions to M-Transactions: Enabling mobile transactions with info...
From E-Transactions to M-Transactions: Enabling mobile transactions with info...drctan
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White HatsVladimir Jirasek
 
Secure VoIP - DroidCon 2015
Secure VoIP - DroidCon 2015Secure VoIP - DroidCon 2015
Secure VoIP - DroidCon 2015Marco Pozzato
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
LeadDesk telephone technology
LeadDesk telephone technologyLeadDesk telephone technology
LeadDesk telephone technologyLeadDesk
 
Mobile Device Mismanagement
Mobile Device MismanagementMobile Device Mismanagement
Mobile Device Mismanagementbreenmachine
 
NEW TRENDS IN MOBILE NETWORKING
NEW TRENDS IN MOBILE NETWORKINGNEW TRENDS IN MOBILE NETWORKING
NEW TRENDS IN MOBILE NETWORKINGkrishna kalpana
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 

Contenu connexe

Tendances

iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection SystemLuca Bongiorni
 
CellSIM OS Overview 1.0
CellSIM OS Overview 1.0CellSIM OS Overview 1.0
CellSIM OS Overview 1.0Vladimir Nagin
 
IVR Solutions at the Enterprise Level
IVR Solutions at the Enterprise LevelIVR Solutions at the Enterprise Level
IVR Solutions at the Enterprise LevelCallFire
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesPriyanka Aash
 
Secur Digital Presentation 22jul10 Frm Show
Secur Digital Presentation 22jul10 Frm ShowSecur Digital Presentation 22jul10 Frm Show
Secur Digital Presentation 22jul10 Frm Showfmitchell
 
2600Hz - Detecting and Managing VoIP Fraud
2600Hz - Detecting and Managing VoIP Fraud2600Hz - Detecting and Managing VoIP Fraud
2600Hz - Detecting and Managing VoIP Fraud2600Hz
 
Voxeo Summit Day 2 - Securing customer interactions
Voxeo Summit Day 2 - Securing customer interactionsVoxeo Summit Day 2 - Securing customer interactions
Voxeo Summit Day 2 - Securing customer interactionsVoxeo Corp
 

Tendances (8)

iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
 
CellSIM OS Overview 1.0
CellSIM OS Overview 1.0CellSIM OS Overview 1.0
CellSIM OS Overview 1.0
 
IVR Solutions at the Enterprise Level
IVR Solutions at the Enterprise LevelIVR Solutions at the Enterprise Level
IVR Solutions at the Enterprise Level
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
 
Secur Digital Presentation 22jul10 Frm Show
Secur Digital Presentation 22jul10 Frm ShowSecur Digital Presentation 22jul10 Frm Show
Secur Digital Presentation 22jul10 Frm Show
 
ANDROID SECURITY
ANDROID SECURITYANDROID SECURITY
ANDROID SECURITY
 
2600Hz - Detecting and Managing VoIP Fraud
2600Hz - Detecting and Managing VoIP Fraud2600Hz - Detecting and Managing VoIP Fraud
2600Hz - Detecting and Managing VoIP Fraud
 
Voxeo Summit Day 2 - Securing customer interactions
Voxeo Summit Day 2 - Securing customer interactionsVoxeo Summit Day 2 - Securing customer interactions
Voxeo Summit Day 2 - Securing customer interactions
 

Similaire à Smartphone Security Problems and Potential Solutions

Sierraware virtual phone
Sierraware virtual phoneSierraware virtual phone
Sierraware virtual phoneSierraware
 
Understanding Telecom SIM and USIM/ISIM for LTE
Understanding Telecom SIM and USIM/ISIM for LTEUnderstanding Telecom SIM and USIM/ISIM for LTE
Understanding Telecom SIM and USIM/ISIM for LTEntel
 
Assurity seminar 24 jan
Assurity seminar 24 janAssurity seminar 24 jan
Assurity seminar 24 janJason Kong
 
Infonetics and Stoke webinar: Security at the speed of VoLTE
Infonetics and Stoke webinar: Security at the speed of VoLTEInfonetics and Stoke webinar: Security at the speed of VoLTE
Infonetics and Stoke webinar: Security at the speed of VoLTEMary McEvoy Carroll
 
J-Telecom_V2
J-Telecom_V2J-Telecom_V2
J-Telecom_V2Jihad Dib
 
From E-Transactions to M-Transactions: Enabling mobile transactions with info...
From E-Transactions to M-Transactions: Enabling mobile transactions with info...From E-Transactions to M-Transactions: Enabling mobile transactions with info...
From E-Transactions to M-Transactions: Enabling mobile transactions with info...drctan
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White HatsVladimir Jirasek
 
Secure VoIP - DroidCon 2015
Secure VoIP - DroidCon 2015Secure VoIP - DroidCon 2015
Secure VoIP - DroidCon 2015Marco Pozzato
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
LeadDesk telephone technology
LeadDesk telephone technologyLeadDesk telephone technology
LeadDesk telephone technologyLeadDesk
 
Mobile Device Mismanagement
Mobile Device MismanagementMobile Device Mismanagement
Mobile Device Mismanagementbreenmachine
 
NEW TRENDS IN MOBILE NETWORKING
NEW TRENDS IN MOBILE NETWORKINGNEW TRENDS IN MOBILE NETWORKING
NEW TRENDS IN MOBILE NETWORKINGkrishna kalpana
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Securing hand held computing devices
Securing hand held computing devicesSecuring hand held computing devices
Securing hand held computing devicesjraja01
 
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WGOverview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WGBjorn Hjelm
 
Working of Cyanogen mod
Working of Cyanogen modWorking of Cyanogen mod
Working of Cyanogen modallwin thomas
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile AppsDenim Group
 
Caller ID Android Application
Caller ID Android Application Caller ID Android Application
Caller ID Android ApplicationSmitakshi Sen
 
CIS13: Impact of Mobile Computing on IT
CIS13: Impact of Mobile Computing on ITCIS13: Impact of Mobile Computing on IT
CIS13: Impact of Mobile Computing on ITCloudIDSummit
 

Similaire à Smartphone Security Problems and Potential Solutions (20)

Sierraware virtual phone
Sierraware virtual phoneSierraware virtual phone
Sierraware virtual phone
 
Understanding Telecom SIM and USIM/ISIM for LTE
Understanding Telecom SIM and USIM/ISIM for LTEUnderstanding Telecom SIM and USIM/ISIM for LTE
Understanding Telecom SIM and USIM/ISIM for LTE
 
Assurity seminar 24 jan
Assurity seminar 24 janAssurity seminar 24 jan
Assurity seminar 24 jan
 
Home automation
Home automationHome automation
Home automation
 
Infonetics and Stoke webinar: Security at the speed of VoLTE
Infonetics and Stoke webinar: Security at the speed of VoLTEInfonetics and Stoke webinar: Security at the speed of VoLTE
Infonetics and Stoke webinar: Security at the speed of VoLTE
 
J-Telecom_V2
J-Telecom_V2J-Telecom_V2
J-Telecom_V2
 
From E-Transactions to M-Transactions: Enabling mobile transactions with info...
From E-Transactions to M-Transactions: Enabling mobile transactions with info...From E-Transactions to M-Transactions: Enabling mobile transactions with info...
From E-Transactions to M-Transactions: Enabling mobile transactions with info...
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White Hats
 
Secure VoIP - DroidCon 2015
Secure VoIP - DroidCon 2015Secure VoIP - DroidCon 2015
Secure VoIP - DroidCon 2015
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
LeadDesk telephone technology
LeadDesk telephone technologyLeadDesk telephone technology
LeadDesk telephone technology
 
Mobile Device Mismanagement
Mobile Device MismanagementMobile Device Mismanagement
Mobile Device Mismanagement
 
NEW TRENDS IN MOBILE NETWORKING
NEW TRENDS IN MOBILE NETWORKINGNEW TRENDS IN MOBILE NETWORKING
NEW TRENDS IN MOBILE NETWORKING
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Securing hand held computing devices
Securing hand held computing devicesSecuring hand held computing devices
Securing hand held computing devices
 
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WGOverview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
 
Working of Cyanogen mod
Working of Cyanogen modWorking of Cyanogen mod
Working of Cyanogen mod
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
 
Caller ID Android Application
Caller ID Android Application Caller ID Android Application
Caller ID Android Application
 
CIS13: Impact of Mobile Computing on IT
CIS13: Impact of Mobile Computing on ITCIS13: Impact of Mobile Computing on IT
CIS13: Impact of Mobile Computing on IT
 

Dernier

digital marketing , introduction of digital marketing
digital marketing , introduction of digital marketingdigital marketing , introduction of digital marketing
digital marketing , introduction of digital marketingrajputmeenakshi733
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024Adnet Communications
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers referencessuser2c065e
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsIndiaMART InterMESH Limited
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in PhilippinesEntrepreneurship lessons in Philippines
Entrepreneurship lessons in PhilippinesDavidSamuel525586
 
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...Operational Excellence Consulting
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryEffective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryWhittensFineJewelry1
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...ssuserf63bd7
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...ssuserf63bd7
 
BAILMENT & PLEDGE business law notes.pptx
BAILMENT & PLEDGE business law notes.pptxBAILMENT & PLEDGE business law notes.pptx
BAILMENT & PLEDGE business law notes.pptxran17april2001
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxmbikashkanyari
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfShashank Mehta
 
Driving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerDriving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerAggregage
 
business environment micro environment macro environment.pptx
business environment micro environment macro environment.pptxbusiness environment micro environment macro environment.pptx
business environment micro environment macro environment.pptxShruti Mittal
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Americas Got Grants
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environmentelijahj01012
 

Dernier (20)

digital marketing , introduction of digital marketing
digital marketing , introduction of digital marketingdigital marketing , introduction of digital marketing
digital marketing , introduction of digital marketing
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers reference
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan Dynamics
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in PhilippinesEntrepreneurship lessons in Philippines
Entrepreneurship lessons in Philippines
 
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptxThe Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
 
WAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdfWAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdf
 
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryEffective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
 
BAILMENT & PLEDGE business law notes.pptx
BAILMENT & PLEDGE business law notes.pptxBAILMENT & PLEDGE business law notes.pptx
BAILMENT & PLEDGE business law notes.pptx
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 
Driving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerDriving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon Harmer
 
business environment micro environment macro environment.pptx
business environment micro environment macro environment.pptxbusiness environment micro environment macro environment.pptx
business environment micro environment macro environment.pptx
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 

Smartphone Security Problems and Potential Solutions

  • 1. Throw It in the River? Towards Real Live Actual Smartphone Security Georgia Weidman © Georgia Weidman 2011 1
  • 2. Agenda • Problems and Potential Solutions –Encryption –Applications –Updates –User Awareness © Georgia Weidman 2011 2
  • 3. Notes • This talk focuses on Android and iPhone • Briefly touches on Windows Mobile and Blackberry • Radio based topics cover only GSM © Georgia Weidman 2011 3
  • 4. Encryption © Georgia Weidman 2011 4
  • 5. Encryption Problems • Encryption between phone and base station: – 2G: • Up to the base station to encrypt or not encrypt • Stream cipher A5/1 • Broken (Karsten Nohl Blackhat USA 2010) – 3G: • Encrypted • Stream cipher KASUMI(A5/3) • Conceptually broken © Georgia Weidman 2011 5
  • 6. Interception • Possible to get phones to attach to a rogue base station • 2G rogue base station (Chris Pagent Defcon 2010) • Intercept all traffic while phone still works normally © Georgia Weidman 2011 6
  • 7. The Path of Least Resistance • 4G/3G/2G are not backward compatible • Current phones still have 2G radio • Default is to use both 2G and 3G • When 3G not available phones will use 2G • 3G can be jammed to force phones to fall back © Georgia Weidman 2011 7
  • 8. Mitigation 1: Turn off 2G • Forcing 2G use only is an available setting on modern smartphones • Forcing 3G+ only is not on iPhone or Android (seems to be on Blackberry) • We need to see this setting made available and default © Georgia Weidman 2011 8
  • 9. Mitigation #2: Encrypt before Using • Telephony data sent over GSM is encoded not encrypted • Only encryption is the stream encryption • Smartphones have the resources and tools to add encryption (openssl etc.) © Georgia Weidman 2011 9
  • 10. Case Study: SMS SMS-Deliver PDU Field Value Length of SMSC 07 Type of Address (SMSC) 91 Service Center Address (SMSC) 41 40 54 05 10 F1 SMS Deliver Info 04 Length of Sender Number 0B Type of Sender Number 91 Sender Number 51 17 34 45 88 F1 Protocol Identifier 00 Data Coding Scheme 00 Time Stamp 01 21 03 71 40 04 4A User Data Length 0A User Data E8 32 9B FD 46 97 D9 EC 37 © Georgia Weidman 2011 10
  • 11. Case Study: SMS SMS-Deliver PDU Field Value Length of SMSC 07 Type of Address (SMSC) 91 Service Center Address (SMSC) 41 40 54 05 10 F1 SMS Deliver Info 04 Length of Sender Number 0B Type of Sender Number 91 Sender Number 51 17 34 45 88 F1 Protocol Identifier 00 Data Coding Scheme 00 Time Stamp 01 21 03 71 40 04 4A User Data Length 0A User Data E8 32 9B FD 46 97 D9 EC 37 © Georgia Weidman 2011 11
  • 12. Case Study: SMS • Given an intercepted PDU 7bit GSM encoding is reversible • All data is recoverable • Ex: From: <redacted> Message: hellohello • Crafting a spoofed SMS-Send PDU is also possible © Georgia Weidman 2011 12
  • 13. Why We Care about SMS? • Two Factor Authentication/ Account verification – Sends SMS with OTP – Verify with SMS on account setup • Mobile Banking – One time passwords for banking sent to customer’s over SMS – Balance reporting – Electronic bill paying © Georgia Weidman 2011 13
  • 14. Why We Care about SMS • Vendor text messages Congrats <vendor> has this awesome product to protect your phone Go <here> to download it. – Links to a 3rd party app store – How do I know this came from <vendor>? Example: T-mobile Mobile Security © Georgia Weidman 2011 14
  • 15. Encrypting SMS • Intercept SMS after the application send the message/before it goes to modem • Encrypt it and adjust SMS-Send PDU • Upon arrival decrypt with the key for the sender number • Then send to user application © Georgia Weidman 2011 15
  • 16. Demo Encrypted SMS on Android © Georgia Weidman 2011 16
  • 17. Applications Software that runs on the smartphones © Georgia Weidman 2011 17
  • 18. Android Apps Store • Anyone can write an app and upload to the Android market • $25 signup fee • Anonymous signup possible • No certificate authority/self signed apps © Georgia Weidman 2011 18
  • 19. iPhone App Store • Must have a developer certificate to even run code on your own device • $99/year • Identity is verified • All code is reviewed and signed before upload to the store © Georgia Weidman 2011 19
  • 20. iPhone Security Protections • Mandatory code signing/ apps cannot load new code at runtime • ASLR on system binaries and some apps in 4.3 and later • Individual apps sandboxed with MAC for system permissions etc. © Georgia Weidman 2011 20
  • 21. Android Security Protections • User must accept application permissions upon install © Georgia Weidman 2011 21
  • 22. Android Insecurity • Can load new code at runtime (Twilight Botnet, Rootstrap app) • Sandbox is flawed, any app can exploit a kernel vulnerability • Apps can have any permissions they want if user will approve them (DroidDream) © Georgia Weidman 2011 22
  • 23. iPhone Insecurity • Not all apps are compiled with full ASLR • Patches for apps go through slow review process © Georgia Weidman 2011 23
  • 24. Software Updates • Smartphones are subject to security flaws • Ex: Sendpage Linux Kernel exploit • Software updates address security issues © Georgia Weidman 2011 24
  • 25. How Smartphones Update • Android – Pushes updates out over the air • iPhone – Updates through iTunes – Can update when attached to a computer with iTunes • Windows Mobile – Updates through Windows Mobile Activesync – Can update when attached to a computer with Activesync • Blackberry – Check for updates at Blackberry website – Download updates to computer – Connect phone to computer and run updates © Georgia Weidman 2011 25
  • 26. Why are Android Updates Slow? • Google puts out the new version • Google releases source to other platform makers • Platform makers port new version with custom UI, apps, etc. • Previous updates have taken over 6 months © Georgia Weidman 2011 26
  • 27. Android’s Way on Other Platforms • A simple solution for alerting user’s to updates over the air • System application checks currently installed firmware version • Periodically calls out to update server for current updated version • If update is available instructs the user to plug in and update © Georgia Weidman 2011 27
  • 28. Demo Update Application on iPhone © Georgia Weidman 2011 28
  • 29. User Awareness Fails • Great strides in computer user awareness • Not seeing the same with smartphones • With smartphones users have even more to lose © Georgia Weidman 2011 29
  • 30. Too Many App Permissions • Android apps can request any permissions they want. • Up to the user to decide to decide if app is safe • Foursquare would need GPS but not SMS • Is this system working? © Georgia Weidman 2011 30
  • 31. Top Downloaded Android App of all time © Georgia Weidman 2011 31
  • 32. Facebook App • Edit and Read SMS, send SMS, receive SMS • Modify/delete USB storage contents • Prevent phone from sleeping, write sync settings • GPS data • Services that cost you money • Act as account authenticator, manage accounts • Read and write to your personal information including contact data • Phone calls, read phone state and identity • Full network access © Georgia Weidman 2011 32
  • 33. Jailbreaking Gone Wild • Original Android G1 jailbreak: go to home screen, hit enter twice, type telnetd … • Current iPhone and Android Jailbreaks: Go to this website and say yes to running this unknown binary by an unknown person • It roots the phone, what else does it do? © Georgia Weidman 2011 33
  • 34. Raising User Awareness • Stop with those “our apps are better/download all our apps” commercials • Ethical root/jailbreak programs should inform users of the risks • Smartphone security training in organizations © Georgia Weidman 2011 34
  • 35. Contact Georgia Weidman Neohapsis Inc. Email: georgia@grmn00bs.com Georgia.weidman@neohapsis.com Website: http://www.grmn00bs.com Twitter: @vincentkadmon Code and Slides on website © Georgia Weidman 2011 35
  • 36. Selected Bibliography • Chris Pagent “Practical Cellphone Spying” Defcon 2010: http://www.tombom.co.uk/cellphonespying.od • Karsten Nohl “Attacking Phone Privacy” Blackhat USA 2010: https://media.blackhat.com/bh-us-10/whitepapers/Nohl/BlackHat-USA- 2010-Nohl-Attacking.Phone.Privacy-wp.pdf • John Oberheide and Jach Lanier “Team JOCH vs. Android” Shmoocon 2011: http://jon.oberheide.org/files/shmoo11-teamjoch.pdf • Dino Dai Zovi “Apple iOS Security Evalution” Blackhat USA 2011: https://media.blackhat.com/bh-us- 11/DaiZovi/BH_US_11_DaiZovi_iOS_Security_WP.pdf © Georgia Weidman 2011 36