SlideShare a Scribd company logo

A tale of mobile threats

V
Vincenzo Iozzo

This document discusses mobile security threats and attacker mindsets. It notes that mobile malware primarily impacts Android due to its fragmented ecosystem and slow patching. Exploitation focuses on gaining control of applications or baseband processors, which have few defenses and high-value data. The document advises software vendors to implement stronger mitigations, developers to better isolate sensitive data, and policymakers to recognize diverse mobile threats and segregate devices from corporate networks. It argues that understanding attacker goals and what data needs protection is key to effective security.

TechnologyBusiness
1 of 64
Download to read offline
A tale of mobile threats Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc
In which I blame people Part 1
Why mobile? 11% increase “Total smartphone sales in 2011 reached 472 million units and accounted for 31 percent of all mobile devices sales, up 58 percent from 2010.” - Gartner
That’s how we deal with mobile
How does offense work? •  Attacker’s mindset •  Gaining access •  Keeping access/stealing data
We currently fail badly at the understanding the first two
First problem: spot the difference
Black swans? What’s that? A very interesting research result that is unlikely to happen in real life
Why black swans exist? “Machines can remain vulnerable longer than you can remain sane” The security community is fixated on persistance A lot of people forget the mantra: “whoever scores is right” Technical elegance is highly valued
Black swans and attacker math Attackers are resource-constrained: “The Exploit Intelligence Project” (Dan Guido) Attackers are rational human beings Attackers will take a given exploitation path IFF no cheaper paths are available
Exploitation paths
A rational attacker
A black swan
Practical example A rational attacker A black swan (AKA: are you nuts?)
So… VS 1 0
Unless.. The ROI on a black swan is higher, for some definition of “return” Flame md5 collision attack comes to mind Therefore our graph is weighted
Weight function That’s very hard to calculate in the general case Some examples in “Attacker Math 101” (Dino Dai Zovi) A bit out of scope here But we can usually draw a line easily
What if two paths are equally cost effective?
Gaining access.. It’s all about programming a “weird machine” (Sergey Bratus et al.)
The weird machine In short: “a machine that executes an unexpected series of instructions”
By examples •  ROP •  JIT Spraying – Dion Blazakis •  SpiderMonkey Bytecode Hijacking – Thomas Dullien •  JIT code hijacking – Chris Rohlf and Yan Ivnitskiy •  …
Exploitation Exploitation is setting up, instantiating, and programming the weird machine - Thomas Dullien
Controlling the machine •  You need write primitives •  You need infoleaks/memleaks For both you need some degree of control over the application. It’s either pure data or you can directly influence the application state (eg: through an interpreter of some kind)
Controlling the machine 2 Just data = most likely you need multiple bugs (infoleak, write primitive, etc) Through interpreter = most likely you just need one (see comex jailbreaks for example)
Me no like exploits This process is challenged in a few ways: •  Negate the initialization (fix bugs) •  Make the setup hard (heap/stack mitigations, ASLR) •  Make it hard to put together ‘weird instructions’ (ASLR, DEP, JIT hardening) •  Reduce/Neutralize the effects of a running weird machine (sandboxing, code signing) •  More to come in the future..
Get to the data/persistence •  How hard is to get your code on a target? •  How far away is the data you care for from you?
For future reference.. So here’s the thing: In a few years everything an attacker cares for will be inside a browser/mobile app Do sandboxes help with that? *NO*
Let’s wrap up Attacker’s mindset: take the most cost-effective path When it comes to exploitation the most cost- effective path is: 1) As close as possible to your data 2) Reduces as much as possible the need for multiple bugs/exploits 3) Reduces maintenance cost
In which I actually talk about mobile Part 2
Drive-bys Mobile  Town   Desktop  City  
Too few and too many ~8%  of  total  web  traffic   comes  from  mobile  devices   Breakdown  by  version  /  features   (+  varying  rates  of  feature  support)  
Like Facebook..
Takeaway Drive-bys don’t matter and realistically never will Hard to get anything useful (contrary to dekstops) out of them Hard to run the attack in the first place The web is the future of the desktop, apps are the future of mobile = attackers behave accordingly
Malware Apple  App  Store   Google  Marketplace  
One of the reasons
Malware lasts long on Android 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 4.x  -­‐  ICS  /  JB   3.x  -­‐  Honeycomb   2.3  -­‐  Gingerbread   2.2  -­‐  Froyo   2.1  -­‐  Eclair   1.X  -­‐  Cupcake  /  Donut   Android  Exploit   Time  to  Patch  50%   Exploid  (2.1)   294  days   RageAgainstTheCage  (2.2.1)   >  240  days  
Not so much on iOS Vulnerability   Exploit   Patch  Availability   Malformed  CFF   Star  (JailbreakMe  2.0)   10  days   T1  Font  Int  Overflow   Saffron  (JailbreakMe  3.0)   9  days  
AppStore vs Google Play Apple enforces accountability Sandbox escape: Android > iOS Fragmented user-base = the investment lasts longer On Android privesc are enough to cause troubles That being said: jailbroken iOS = Android
Malware - takeaway •  Does only matter on Android and jailbroken iOS •  It scales, it’s easy and it lasts •  Can this be fixed? Yes, Apple did
App specific Android NDK can open up this attack surface a lot Interesting because applications are likely less audited than system code But more importantly: interesting data will be inside the app. Why go anywhere else? Expect them in the future!
More “smart” in phone?
Enter baseband
A few words on it •  Most of the code in there is old (1990 old) •  Based on the assumption that the actors are trusted •  Most of the research has been done by Ralf Philipp Weinmann •  His research led to bug fixing and some mitigations
Infrastructure •  Separate processor •  Customized RTOS •  Mostly closed-source •  Most of them run on ARM (notable exception Hexagon) •  Separated (mostly) from the App processor
Baseband weird machines Increased attention being paid to bugs in there Still a very big surface with few (known) actors Big state machine based on a giant interface, so hard to fuzz Need profound knowledge to find certain bugs
Baseband weird machine 2 Very few mitigations in place Still most of the heap metadata exploitation is possible (eg: write4 primitives on Infineon) No ASLR, no “sandboxes” Remote: control through data only Local: “interpreter” (AT commands)
Baseband - persistence Good luck with forensics/IR Depending on how the App processor interacts with the BB it might lead to full- device compromise Regardless: access to phone calls, SMS and data
Attack scenarios •  Remote exploit to steal/alter/make sms/ data/phone calls •  App remote-> BB local rootkit •  BB remote -> BB local rootkit •  DDos in case of crisis?
So .. 1)  High ROI 2)  Very few mitigations 3)  Detection is hard Great target for motivated attackers!
NFC That’s complicated…
NFC - capabilities Can potentially lead to device compromise through malformed packets at protocol level – device proximity Can lead to device compromise at ‘application level’ – tag proximity Steal data – roughly 1.5 meters with custom hardware Auth bypass issues
First case Not very viable.. On the flipside, you can potentially get huge access to the device Most likely a black swan
Second case You can compromise the device by using tags (simple stickers) -> do not need proximity
Second case You can either run your exploit for browser and stuff (might require some kind of permission) Compromise through tag parsing! Mobile Pwn2own 2012 was won using this approach This is more interesting! Rational black swan
In which I give advices Part 3
Software vendors Put in place the mitigations that *matter* Hire full-time exploit writers (just a few) and design mitigations based on them Reduce attacker’s control over your product (why does WinRAR need an x86 interpreter?)
Developers Realize where the important data is and segregate it I know Java sucks but don’t write your own C/ C++ service for your Android app
Policy makers Plan for the threats that are hard to spot (eg: baseband). Enforce encryption for company data on employees devices Do not allow jailbreaks of any kind Segregate mobile devices from the rest of your company network (treat them as “untrusted”)
In which I make provocative statements Part 4
Conclusion If you don’t know *what* you’re protecting, you’ll fail Likewise if you don’t know what you’re protecting *against*, you’ll fail You don’t need a horde of code auditors & policy people, you need a CEO (chief exploitation officer)
Specific to mobile Worry more about the “phone” than the “computer” App sandboxes are great to make persistence hard, way less so for data exfiltration Android is bad, you don’t want that in your company NFC is/will be more a “physical” security issue than an Infosec one
In which you can ask questions or insult me Part 5
Thanks! Questions? vincenzo@trailofbits.com

Recommended

Your Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsYour Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsWSO2
 
Microcontroller mayhem - ECTF & USSS 2011
Microcontroller mayhem - ECTF & USSS 2011Microcontroller mayhem - ECTF & USSS 2011
Microcontroller mayhem - ECTF & USSS 2011warezjoe
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
Kaseya Connect 2012 – A Kaspersky Researcher Perspective
Kaseya Connect 2012 – A Kaspersky Researcher PerspectiveKaseya Connect 2012 – A Kaspersky Researcher Perspective
Kaseya Connect 2012 – A Kaspersky Researcher PerspectiveKaseya
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 
Lastline Case Study
Lastline Case StudyLastline Case Study
Lastline Case StudyLastline, Inc.
 
Hacking cyber-iamit
Hacking cyber-iamitHacking cyber-iamit
Hacking cyber-iamitIftach Ian Amit
 

Recommended

Your Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsYour Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsWSO2
 
Microcontroller mayhem - ECTF & USSS 2011
Microcontroller mayhem - ECTF & USSS 2011Microcontroller mayhem - ECTF & USSS 2011
Microcontroller mayhem - ECTF & USSS 2011warezjoe
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
Kaseya Connect 2012 – A Kaspersky Researcher Perspective
Kaseya Connect 2012 – A Kaspersky Researcher PerspectiveKaseya Connect 2012 – A Kaspersky Researcher Perspective
Kaseya Connect 2012 – A Kaspersky Researcher PerspectiveKaseya
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 
Lastline Case Study
Lastline Case StudyLastline Case Study
Lastline Case StudyLastline, Inc.
 
Hacking cyber-iamit
Hacking cyber-iamitHacking cyber-iamit
Hacking cyber-iamitIftach Ian Amit
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer SecurityVibrant Event
 
Isys20261 lecture 03
Isys20261 lecture 03Isys20261 lecture 03
Isys20261 lecture 03Wiliam Ferraciolli
 
Security on the Mac
Security on the MacSecurity on the Mac
Security on the MacAllison Sheridan
 
Battling Malware In The Enterprise
Battling Malware In The EnterpriseBattling Malware In The Enterprise
Battling Malware In The EnterpriseAyed Al Qartah
 
Viruses & worms
Viruses & wormsViruses & worms
Viruses & wormsvivek pratap singh
 
Resources for Lawyers Who Have Experienced Theft of Client Information
Resources for Lawyers Who Have Experienced Theft of Client InformationResources for Lawyers Who Have Experienced Theft of Client Information
Resources for Lawyers Who Have Experienced Theft of Client InformationOregon Law Practice Management
 
Smart Mobile Apps
Smart Mobile AppsSmart Mobile Apps
Smart Mobile AppsArnd Brugman
 
Mobile Threats, Made to Measure
Mobile Threats, Made to MeasureMobile Threats, Made to Measure
Mobile Threats, Made to MeasureLookout
 
Smartphone & Tablet Gaming 2011 – SWOT-Analysis of Mobile Gaming Platforms
Smartphone & Tablet Gaming 2011 – SWOT-Analysis of Mobile Gaming PlatformsSmartphone & Tablet Gaming 2011 – SWOT-Analysis of Mobile Gaming Platforms
Smartphone & Tablet Gaming 2011 – SWOT-Analysis of Mobile Gaming Platforms1_Fishlabs
 
7. Cell Phone Industry in Indonesia
7. Cell Phone Industry in Indonesia7. Cell Phone Industry in Indonesia
7. Cell Phone Industry in Indonesiadunianyamaya
 
Relentless Mobile Threats to Avoid
Relentless Mobile Threats to AvoidRelentless Mobile Threats to Avoid
Relentless Mobile Threats to AvoidLookout
 
4 Stages of a Smart Mobile Strategy
4 Stages of a Smart Mobile Strategy4 Stages of a Smart Mobile Strategy
4 Stages of a Smart Mobile StrategySalesforce Marketing Cloud
 
Keynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfKeynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfDefconRussia
 
The difference between a duck
The difference between a duckThe difference between a duck
The difference between a duckSensePost
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Dinis Cruz
 
Honeypots and honeynets
Honeypots and honeynetsHoneypots and honeynets
Honeypots and honeynetsRasool Irfan
 
amrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdfamrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdfamrapalibuildersreviews
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate ITPeter Wood
 
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...viaForensics
 
MiraiBotnet.pptx
MiraiBotnet.pptxMiraiBotnet.pptx
MiraiBotnet.pptxAmitSingh565980
 
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008eLiberatica
 

More Related Content

What's hot

Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer SecurityVibrant Event
 
Battling Malware In The Enterprise
Battling Malware In The EnterpriseBattling Malware In The Enterprise
Battling Malware In The EnterpriseAyed Al Qartah
 
Resources for Lawyers Who Have Experienced Theft of Client Information
Resources for Lawyers Who Have Experienced Theft of Client InformationResources for Lawyers Who Have Experienced Theft of Client Information
Resources for Lawyers Who Have Experienced Theft of Client InformationOregon Law Practice Management
 

What's hot (6)

Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 
Isys20261 lecture 03
Isys20261 lecture 03Isys20261 lecture 03
Isys20261 lecture 03
 
Security on the Mac
Security on the MacSecurity on the Mac
Security on the Mac
 
Battling Malware In The Enterprise
Battling Malware In The EnterpriseBattling Malware In The Enterprise
Battling Malware In The Enterprise
 
Viruses & worms
Viruses & wormsViruses & worms
Viruses & worms
 
Resources for Lawyers Who Have Experienced Theft of Client Information
Resources for Lawyers Who Have Experienced Theft of Client InformationResources for Lawyers Who Have Experienced Theft of Client Information
Resources for Lawyers Who Have Experienced Theft of Client Information
 

Viewers also liked

Mobile Threats, Made to Measure
Mobile Threats, Made to MeasureMobile Threats, Made to Measure
Mobile Threats, Made to MeasureLookout
 
Smartphone & Tablet Gaming 2011 – SWOT-Analysis of Mobile Gaming Platforms
Smartphone & Tablet Gaming 2011 – SWOT-Analysis of Mobile Gaming PlatformsSmartphone & Tablet Gaming 2011 – SWOT-Analysis of Mobile Gaming Platforms
Smartphone & Tablet Gaming 2011 – SWOT-Analysis of Mobile Gaming Platforms1_Fishlabs
 
7. Cell Phone Industry in Indonesia
7. Cell Phone Industry in Indonesia7. Cell Phone Industry in Indonesia
7. Cell Phone Industry in Indonesiadunianyamaya
 
Relentless Mobile Threats to Avoid
Relentless Mobile Threats to AvoidRelentless Mobile Threats to Avoid
Relentless Mobile Threats to AvoidLookout
 

Viewers also liked (6)

Smart Mobile Apps
Smart Mobile AppsSmart Mobile Apps
Smart Mobile Apps
 
Mobile Threats, Made to Measure
Mobile Threats, Made to MeasureMobile Threats, Made to Measure
Mobile Threats, Made to Measure
 
Smartphone & Tablet Gaming 2011 – SWOT-Analysis of Mobile Gaming Platforms
Smartphone & Tablet Gaming 2011 – SWOT-Analysis of Mobile Gaming PlatformsSmartphone & Tablet Gaming 2011 – SWOT-Analysis of Mobile Gaming Platforms
Smartphone & Tablet Gaming 2011 – SWOT-Analysis of Mobile Gaming Platforms
 
7. Cell Phone Industry in Indonesia
7. Cell Phone Industry in Indonesia7. Cell Phone Industry in Indonesia
7. Cell Phone Industry in Indonesia
 
Relentless Mobile Threats to Avoid
Relentless Mobile Threats to AvoidRelentless Mobile Threats to Avoid
Relentless Mobile Threats to Avoid
 
4 Stages of a Smart Mobile Strategy
4 Stages of a Smart Mobile Strategy4 Stages of a Smart Mobile Strategy
4 Stages of a Smart Mobile Strategy
 

Similar to A tale of mobile threats

Keynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfKeynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfDefconRussia
 
The difference between a duck
The difference between a duckThe difference between a duck
The difference between a duckSensePost
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Dinis Cruz
 
Honeypots and honeynets
Honeypots and honeynetsHoneypots and honeynets
Honeypots and honeynetsRasool Irfan
 
amrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdfamrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdfamrapalibuildersreviews
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate ITPeter Wood
 
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...viaForensics
 
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008eLiberatica
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII studentsAkiumi Hasegawa
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 
Android malware overview, status and dilemmas
Android malware overview, status and dilemmasAndroid malware overview, status and dilemmas
Android malware overview, status and dilemmasTech and Law Center
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTWSO2
 
Trojan backdoors
Trojan backdoorsTrojan backdoors
Trojan backdoorsseth edmond
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 

Similar to A tale of mobile threats (20)

Keynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfKeynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourself
 
The difference between a duck
The difference between a duckThe difference between a duck
The difference between a duck
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
 
Honeypots and honeynets
Honeypots and honeynetsHoneypots and honeynets
Honeypots and honeynets
 
amrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdfamrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdf
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
 
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
 
MiraiBotnet.pptx
MiraiBotnet.pptxMiraiBotnet.pptx
MiraiBotnet.pptx
 
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
 
Netforts
Netforts Netforts
Netforts
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testing
 
Android malware overview, status and dilemmas
Android malware overview, status and dilemmasAndroid malware overview, status and dilemmas
Android malware overview, status and dilemmas
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
 
Mobile security
Mobile securityMobile security
Mobile security
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoT
 
News Bytes - May 2015
News Bytes - May 2015News Bytes - May 2015
News Bytes - May 2015
 
Trojan backdoors
Trojan backdoorsTrojan backdoors
Trojan backdoors
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 

More from Vincenzo Iozzo

Stale pointers are the new black
Stale pointers are the new blackStale pointers are the new black
Stale pointers are the new blackVincenzo Iozzo
 
Stale pointers are the new black - white paper
Stale pointers are the new black - white paperStale pointers are the new black - white paper
Stale pointers are the new black - white paperVincenzo Iozzo
 
Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperEverybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperVincenzo Iozzo
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyVincenzo Iozzo
 
0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paperVincenzo Iozzo
 
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Vincenzo Iozzo
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Vincenzo Iozzo
 
Let Your Mach-O Fly, Black Hat DC 2009
Let Your Mach-O Fly, Black Hat DC 2009Let Your Mach-O Fly, Black Hat DC 2009
Let Your Mach-O Fly, Black Hat DC 2009Vincenzo Iozzo
 
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Vincenzo Iozzo
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Vincenzo Iozzo
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 

More from Vincenzo Iozzo (12)

Stale pointers are the new black
Stale pointers are the new blackStale pointers are the new black
Stale pointers are the new black
 
Stale pointers are the new black - white paper
Stale pointers are the new black - white paperStale pointers are the new black - white paper
Stale pointers are the new black - white paper
 
Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperEverybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paper
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPpery
 
0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paper
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzing
 
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009
 
Let Your Mach-O Fly, Black Hat DC 2009
Let Your Mach-O Fly, Black Hat DC 2009Let Your Mach-O Fly, Black Hat DC 2009
Let Your Mach-O Fly, Black Hat DC 2009
 
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

A tale of mobile threats

  • 1. A tale of mobile threats Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc
  • 2. In which I blame people Part 1
  • 3. Why mobile? 11% increase “Total smartphone sales in 2011 reached 472 million units and accounted for 31 percent of all mobile devices sales, up 58 percent from 2010.” - Gartner
  • 4. That’s how we deal with mobile
  • 5.
  • 6. How does offense work? •  Attacker’s mindset •  Gaining access •  Keeping access/stealing data
  • 7. We currently fail badly at the understanding the first two
  • 8. First problem: spot the difference
  • 9. Black swans? What’s that? A very interesting research result that is unlikely to happen in real life
  • 10. Why black swans exist? “Machines can remain vulnerable longer than you can remain sane” The security community is fixated on persistance A lot of people forget the mantra: “whoever scores is right” Technical elegance is highly valued
  • 11. Black swans and attacker math Attackers are resource-constrained: “The Exploit Intelligence Project” (Dan Guido) Attackers are rational human beings Attackers will take a given exploitation path IFF no cheaper paths are available
  • 15. Practical example A rational attacker A black swan (AKA: are you nuts?)
  • 17. Unless.. The ROI on a black swan is higher, for some definition of “return” Flame md5 collision attack comes to mind Therefore our graph is weighted
  • 18. Weight function That’s very hard to calculate in the general case Some examples in “Attacker Math 101” (Dino Dai Zovi) A bit out of scope here But we can usually draw a line easily
  • 19. What if two paths are equally cost effective?
  • 20. Gaining access.. It’s all about programming a “weird machine” (Sergey Bratus et al.)
  • 21. The weird machine In short: “a machine that executes an unexpected series of instructions”
  • 22. By examples •  ROP •  JIT Spraying – Dion Blazakis •  SpiderMonkey Bytecode Hijacking – Thomas Dullien •  JIT code hijacking – Chris Rohlf and Yan Ivnitskiy •  …
  • 23. Exploitation Exploitation is setting up, instantiating, and programming the weird machine - Thomas Dullien
  • 24. Controlling the machine •  You need write primitives •  You need infoleaks/memleaks For both you need some degree of control over the application. It’s either pure data or you can directly influence the application state (eg: through an interpreter of some kind)
  • 25. Controlling the machine 2 Just data = most likely you need multiple bugs (infoleak, write primitive, etc) Through interpreter = most likely you just need one (see comex jailbreaks for example)
  • 26. Me no like exploits This process is challenged in a few ways: •  Negate the initialization (fix bugs) •  Make the setup hard (heap/stack mitigations, ASLR) •  Make it hard to put together ‘weird instructions’ (ASLR, DEP, JIT hardening) •  Reduce/Neutralize the effects of a running weird machine (sandboxing, code signing) •  More to come in the future..
  • 27. Get to the data/persistence •  How hard is to get your code on a target? •  How far away is the data you care for from you?
  • 28. For future reference.. So here’s the thing: In a few years everything an attacker cares for will be inside a browser/mobile app Do sandboxes help with that? *NO*
  • 29. Let’s wrap up Attacker’s mindset: take the most cost-effective path When it comes to exploitation the most cost- effective path is: 1) As close as possible to your data 2) Reduces as much as possible the need for multiple bugs/exploits 3) Reduces maintenance cost
  • 30. In which I actually talk about mobile Part 2
  • 31. Drive-bys Mobile  Town   Desktop  City  
  • 32. Too few and too many ~8%  of  total  web  traffic   comes  from  mobile  devices   Breakdown  by  version  /  features   (+  varying  rates  of  feature  support)  
  • 34. Takeaway Drive-bys don’t matter and realistically never will Hard to get anything useful (contrary to dekstops) out of them Hard to run the attack in the first place The web is the future of the desktop, apps are the future of mobile = attackers behave accordingly
  • 35. Malware Apple  App  Store   Google  Marketplace  
  • 36. One of the reasons
  • 37. Malware lasts long on Android 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 4.x  -­‐  ICS  /  JB   3.x  -­‐  Honeycomb   2.3  -­‐  Gingerbread   2.2  -­‐  Froyo   2.1  -­‐  Eclair   1.X  -­‐  Cupcake  /  Donut   Android  Exploit   Time  to  Patch  50%   Exploid  (2.1)   294  days   RageAgainstTheCage  (2.2.1)   >  240  days  
  • 38. Not so much on iOS Vulnerability   Exploit   Patch  Availability   Malformed  CFF   Star  (JailbreakMe  2.0)   10  days   T1  Font  Int  Overflow   Saffron  (JailbreakMe  3.0)   9  days  
  • 39. AppStore vs Google Play Apple enforces accountability Sandbox escape: Android > iOS Fragmented user-base = the investment lasts longer On Android privesc are enough to cause troubles That being said: jailbroken iOS = Android
  • 40. Malware - takeaway •  Does only matter on Android and jailbroken iOS •  It scales, it’s easy and it lasts •  Can this be fixed? Yes, Apple did
  • 41. App specific Android NDK can open up this attack surface a lot Interesting because applications are likely less audited than system code But more importantly: interesting data will be inside the app. Why go anywhere else? Expect them in the future!
  • 44. A few words on it •  Most of the code in there is old (1990 old) •  Based on the assumption that the actors are trusted •  Most of the research has been done by Ralf Philipp Weinmann •  His research led to bug fixing and some mitigations
  • 45. Infrastructure •  Separate processor •  Customized RTOS •  Mostly closed-source •  Most of them run on ARM (notable exception Hexagon) •  Separated (mostly) from the App processor
  • 46. Baseband weird machines Increased attention being paid to bugs in there Still a very big surface with few (known) actors Big state machine based on a giant interface, so hard to fuzz Need profound knowledge to find certain bugs
  • 47. Baseband weird machine 2 Very few mitigations in place Still most of the heap metadata exploitation is possible (eg: write4 primitives on Infineon) No ASLR, no “sandboxes” Remote: control through data only Local: “interpreter” (AT commands)
  • 48. Baseband - persistence Good luck with forensics/IR Depending on how the App processor interacts with the BB it might lead to full- device compromise Regardless: access to phone calls, SMS and data
  • 49. Attack scenarios •  Remote exploit to steal/alter/make sms/ data/phone calls •  App remote-> BB local rootkit •  BB remote -> BB local rootkit •  DDos in case of crisis?
  • 50. So .. 1)  High ROI 2)  Very few mitigations 3)  Detection is hard Great target for motivated attackers!
  • 52. NFC - capabilities Can potentially lead to device compromise through malformed packets at protocol level – device proximity Can lead to device compromise at ‘application level’ – tag proximity Steal data – roughly 1.5 meters with custom hardware Auth bypass issues
  • 53. First case Not very viable.. On the flipside, you can potentially get huge access to the device Most likely a black swan
  • 54. Second case You can compromise the device by using tags (simple stickers) -> do not need proximity
  • 55. Second case You can either run your exploit for browser and stuff (might require some kind of permission) Compromise through tag parsing! Mobile Pwn2own 2012 was won using this approach This is more interesting! Rational black swan
  • 56. In which I give advices Part 3
  • 57. Software vendors Put in place the mitigations that *matter* Hire full-time exploit writers (just a few) and design mitigations based on them Reduce attacker’s control over your product (why does WinRAR need an x86 interpreter?)
  • 58. Developers Realize where the important data is and segregate it I know Java sucks but don’t write your own C/ C++ service for your Android app
  • 59. Policy makers Plan for the threats that are hard to spot (eg: baseband). Enforce encryption for company data on employees devices Do not allow jailbreaks of any kind Segregate mobile devices from the rest of your company network (treat them as “untrusted”)
  • 60. In which I make provocative statements Part 4
  • 61. Conclusion If you don’t know *what* you’re protecting, you’ll fail Likewise if you don’t know what you’re protecting *against*, you’ll fail You don’t need a horde of code auditors & policy people, you need a CEO (chief exploitation officer)
  • 62. Specific to mobile Worry more about the “phone” than the “computer” App sandboxes are great to make persistence hard, way less so for data exfiltration Android is bad, you don’t want that in your company NFC is/will be more a “physical” security issue than an Infosec one
  • 63. In which you can ask questions or insult me Part 5