click and dragger: denial and deception on android mobile

CLICK AND DRAGGER Denial and Deception on Android - the grugq [ @thegrugq ]

Upload: grugq

Post on 08-Sep-2014


DESCRIPTION

A presentation on OPSEC for mobile phones, covering the design and reasoning behind the CryptogenMod ROM and the DarkMatter app. Source for DarkMatter: https://github.com/grugq/darkmatter

TRANSCRIPT

Page 1: Click and Dragger: Denial and Deception on Android mobile

CLICK AND DRAGGER: Denial and Deception on Android

- the grugq [ @thegrugq ]

Page 2: Click and Dragger: Denial and Deception on Android mobile

AGENDA

• OPSEC Refresher

• Phones Suck

• Threat Model

• Some Solutions

• Conclusion

Page 3: Click and Dragger: Denial and Deception on Android mobile

ABOUT ME

Page 4: Click and Dragger: Denial and Deception on Android mobile

OPERATIONAL SECURITY: The Short Version

Page 5: Click and Dragger: Denial and Deception on Android mobile
Page 6: Click and Dragger: Denial and Deception on Android mobile

–Quellcrist Falconer

“If you want to lose a fight, talk about it first”

Page 7: Click and Dragger: Denial and Deception on Android mobile

DENIAL & DECEPTION

Page 8: Click and Dragger: Denial and Deception on Android mobile

DENIAL: Prevent the adversary from gaining useful information

Page 9: Click and Dragger: Denial and Deception on Android mobile

DECEPTION: Feed the adversary false information

Page 10: Click and Dragger: Denial and Deception on Android mobile

• Cover

• Cover for action

• Cover for status

• Concealment

• Compartmentation

Page 11: Click and Dragger: Denial and Deception on Android mobile

–James Clapper, Director of National Intelligence

“People must communicate. They will make mistakes and we will exploit them.”

Page 12: Click and Dragger: Denial and Deception on Android mobile

PHONES SUCK

Page 13: Click and Dragger: Denial and Deception on Android mobile

–Allen Dulles, Former Director of Central Intelligence

“The greatest material curse to the profession, despite all its advantages, is undoubtedly the telephone.”

Page 14: Click and Dragger: Denial and Deception on Android mobile

NO MOBILE ANONYMITY

Page 15: Click and Dragger: Denial and Deception on Android mobile

MOBILE IDENTIFIERS

Page 16: Click and Dragger: Denial and Deception on Android mobile

LOCATION

• Specific location, e.g. home, work, etc.

• Mobility pattern, from home, via commute, to work

• Mirroring, two (or more) devices traveling together

Page 17: Click and Dragger: Denial and Deception on Android mobile

NETWORK

• Numbers dialed, (who you call)

• Calls received, (who calls you)

• Calling pattern, (number dialed, for how long, when, how frequently)

Page 18: Click and Dragger: Denial and Deception on Android mobile

PHYSICAL

• IMEI, mobile device ID (the serial number)

• IMSI, mobile subscriber ID (the phone number)

Page 19: Click and Dragger: Denial and Deception on Android mobile

CONTENT

• Identifiers, e.g. names, locations

• Voice fingerprinting

• Keywords

Page 20: Click and Dragger: Denial and Deception on Android mobile

SMARTPHONES

• Ad network analytics

• GPS

• Apps scrape and upload content

• Mothership pings

• Android ID

• MAC address

Page 21: Click and Dragger: Denial and Deception on Android mobile

SMARTPHONES CONT.

• IP address

• WiFi beacons

• Cameras

• Gait analysis (via sensors)

Page 22: Click and Dragger: Denial and Deception on Android mobile

THREAT MODEL

Page 23: Click and Dragger: Denial and Deception on Android mobile

LOCAL SECURITY FORCES

Page 24: Click and Dragger: Denial and Deception on Android mobile

• Reporters are searched and interrogated

• AJ reporters arrested for “spy equipment”

• Mobile 3G access point

• Militia members thought it looked “suspicious”

Page 25: Click and Dragger: Denial and Deception on Android mobile

NOT NSA

Page 26: Click and Dragger: Denial and Deception on Android mobile

USERS

Page 27: Click and Dragger: Denial and Deception on Android mobile

SECURITY IS HARD WORK

Page 28: Click and Dragger: Denial and Deception on Android mobile

SECURITY TAKES DISCIPLINE

Page 29: Click and Dragger: Denial and Deception on Android mobile

USERS ARE LAZY

Page 30: Click and Dragger: Denial and Deception on Android mobile

so are we

Page 31: Click and Dragger: Denial and Deception on Android mobile

EASY TO USE

Page 32: Click and Dragger: Denial and Deception on Android mobile

SECURE BY DEFAULT

Page 33: Click and Dragger: Denial and Deception on Android mobile

REASONABLY SECURE

Page 34: Click and Dragger: Denial and Deception on Android mobile

BURNER PHONES

Page 35: Click and Dragger: Denial and Deception on Android mobile

WHAT ARE THEY GOOD FOR?

• Threat actors without nation state level capabilities

• Your mom

• Building a non-operational legend

• Flesh out a persona that doesn’t need protection

Page 36: Click and Dragger: Denial and Deception on Android mobile

DEFINITELY NOT NSA

Page 37: Click and Dragger: Denial and Deception on Android mobile

BURNER GUIDELINES

• Dumber the better

• Learn to disable completely (battery + SIM out)

• Disable around locations linked to you (home!)

• Never put in real information

• Feel free to load with fake data

https://b3rn3d.herokuapp.com/blog/2014/01/22/burner-phone-best-practices/

Page 38: Click and Dragger: Denial and Deception on Android mobile

BURNER GUIDELINES, CONT.

• Call non-operational numbers to chaff the analysis

• Keep it short

• Keep it simple

• Get rid of it as soon as possible

Page 39: Click and Dragger: Denial and Deception on Android mobile

BURNER GUIDE CONT.

• Purchase using cash from smaller stores

• Time delay before activation (months)

• Dispose of with extreme prejudice

Page 40: Click and Dragger: Denial and Deception on Android mobile

CLANDESTINE CALLS

Page 41: Click and Dragger: Denial and Deception on Android mobile
Page 42: Click and Dragger: Denial and Deception on Android mobile

–Allen Dulles

“Never dial [the] number before having thought about your conversation. Do not improvise even the dummy part of it. But do not be too elaborate. The great rule…is to be natural.”

Page 43: Click and Dragger: Denial and Deception on Android mobile

• Keep it short, simple and natural

• Prefer signalling over operational data

• signalling > open codes > plain talk

• Enter your conversation with a plan

Page 44: Click and Dragger: Denial and Deception on Android mobile

–Allen Dulles, Former Director of Central Intelligence

“Even if you do not use [the phone] carelessly yourself, the other fellow, very often will, so in any case, warn him.”

Page 45: Click and Dragger: Denial and Deception on Android mobile

FORTRESS PHONE

Page 46: Click and Dragger: Denial and Deception on Android mobile

NSA GUIDELINES

• Two forms of encryption

• Belts and braces

• Data at rest

• FDE + app encryption

• Data in motion

• VPN + app encryption

Page 47: Click and Dragger: Denial and Deception on Android mobile

YOU CANNOT HAVE A SECURE ANDROID PHONE

Page 48: Click and Dragger: Denial and Deception on Android mobile

BECAUSE IT IS A PHONE

Page 49: Click and Dragger: Denial and Deception on Android mobile

BECAUSE IT IS ANDROID

Page 50: Click and Dragger: Denial and Deception on Android mobile

LEOS LOVE ANDROID

Page 51: Click and Dragger: Denial and Deception on Android mobile

YOU CAN'T BOLT ON SECURITY: Android cannot be secured by adding apps

Page 52: Click and Dragger: Denial and Deception on Android mobile

BUT WHAT IF I… No. Seriously, just no.

Page 53: Click and Dragger: Denial and Deception on Android mobile

• Blackphone

• For people with money

• Samsung KNOX

• For people who don’t want a secure phone

Page 54: Click and Dragger: Denial and Deception on Android mobile

• GuardianROM

• For people who like to reboot

• CryptogenMod*

• For DIY hackers

* name subject to change

Page 55: Click and Dragger: Denial and Deception on Android mobile

IS IT NSA-PROOF?

Page 56: Click and Dragger: Denial and Deception on Android mobile
Page 57: Click and Dragger: Denial and Deception on Android mobile
Page 58: Click and Dragger: Denial and Deception on Android mobile

CRYPTOGENMOD: Hardened Android ROM

Page 59: Click and Dragger: Denial and Deception on Android mobile

FEATURES

• Lots of crypto

• Robust against physical access

• Resilient against network attacks

• Impact containment

Page 60: Click and Dragger: Denial and Deception on Android mobile

• Derived from CyanogenMod 11

• Stripped down (no browser, no analytics)

• Advanced privacy patches

• OpenPDroid + PDroid Manager

• Secure application replacements

Page 61: Click and Dragger: Denial and Deception on Android mobile

• Kernel hardening tweaks

• A lot more work to be done here

• Hardened userland

• A lot more work to be done here

Page 62: Click and Dragger: Denial and Deception on Android mobile

PROTECTION

Page 63: Click and Dragger: Denial and Deception on Android mobile

• Local physical access

• Remote hacking

• Baseband hacking

• Network monitoring

• GSM monitoring

Page 64: Click and Dragger: Denial and Deception on Android mobile

PHYSICAL

• Forensic analysis

• Encryption

• Security Ratchet

Page 65: Click and Dragger: Denial and Deception on Android mobile

REMOTE

• Reduce attack surface dramatically

• No browser, services, or email

• No app store

Page 66: Click and Dragger: Denial and Deception on Android mobile

BASEBAND

• Nothing I can do

• Except PORTAL

• But it’s not the end of the world

• BB exploits are finicky

• BB design is everything (segmentation FTW)

Page 67: Click and Dragger: Denial and Deception on Android mobile

NETWORK MONITORING

• VPN direct to a secure backend

• Limited information is exposed

• Provides dual layer encryption

Page 68: Click and Dragger: Denial and Deception on Android mobile

OPSEC STILL CRITICAL: Secure phones can’t cure stupid.

Page 69: Click and Dragger: Denial and Deception on Android mobile

DARKMATTER: This App Kills Forensic Analysis

Page 70: Click and Dragger: Denial and Deception on Android mobile

SECURE APP CONTAINERS + SECURE OPERATIONAL ENV

Page 71: Click and Dragger: Denial and Deception on Android mobile

CRYPTED APP CONTAINERS

Page 72: Click and Dragger: Denial and Deception on Android mobile

MOBILE TRUECRYPT

• Runs apps within TrueCrypt containers

• Automagically kills sensitive apps, then

• mount -o bind … /data/data/$app

Page 73: Click and Dragger: Denial and Deception on Android mobile

MOBILE TRUECRYPT

• tc-play https://github.com/bwalex/tc-play

• Uses the TrueCrypt volume format

• Supports outer and hidden volumes

• Backend is dm-crypt not FUSE

Page 74: Click and Dragger: Denial and Deception on Android mobile

MOBILE TRUECRYPT

• Why not use native /data encryption?

• AES-256-XTS > AES-128-CBC

• Use both

Page 75: Click and Dragger: Denial and Deception on Android mobile

WIN STATES

Page 76: Click and Dragger: Denial and Deception on Android mobile

CLOSED CRYPTED CONTAINERS

Page 77: Click and Dragger: Denial and Deception on Android mobile

SHUTDOWN/REBOOT COUNTS

Page 78: Click and Dragger: Denial and Deception on Android mobile

HOW DO WE GET THERE?

Page 79: Click and Dragger: Denial and Deception on Android mobile

EVENT BASED HARDENING

Page 80: Click and Dragger: Denial and Deception on Android mobile

CHANGE SECURITY POSTURE BASED ON OBSERVATIONS OF THE OPERATIONAL ENVIRONMENT

Page 81: Click and Dragger: Denial and Deception on Android mobile

• Observe the operational environment

• Monitor for SecurityEvents

• Harden the security posture

• Trigger SecurityActions

Page 82: Click and Dragger: Denial and Deception on Android mobile

INDICATORS OF A NEGATIVE OPERATIONAL ENVIRONMENT

Page 83: Click and Dragger: Denial and Deception on Android mobile

• Failed login

• Timer

• Temperature drop

• Radio silence

• Debugger attach

• Receive alert

• SIM removed

Page 84: Click and Dragger: Denial and Deception on Android mobile

HARDEN SECURITY POSTURE

Page 85: Click and Dragger: Denial and Deception on Android mobile

• Kill sensitive applications

• Unmount file systems

• Wipe files

• Wipe RAM

• Reboot phone
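The event-based hardening loop from the preceding slides (observe the environment, match SecurityEvents, trigger SecurityActions), written out as a small Python policy engine. This is an added example, not DarkMatter's or CryptogenMod's own code: the mapping of indicators to posture levels is assumed, the posture behaves as a ratchet that only tightens, and the actions run in the order the Mobile TrueCrypt slides imply (kill the app before unmounting the container bind-mounted on its data directory, reboot last), with the real actions replaced by names appended to a log.

```python
# Added illustration of event-based hardening (not DarkMatter's own code):
# SecurityEvents observed in the environment ratchet the security posture
# upward, and each posture level triggers an ordered list of SecurityActions.
from dataclasses import dataclass, field
from enum import IntEnum


class Posture(IntEnum):
    NORMAL = 0
    ELEVATED = 1   # sensitive apps closed, containers unmounted
    LOCKDOWN = 2   # volatile state destroyed, device rebooted


# Indicators from the deck and the posture each demands (assumed mapping;
# a real policy would be tuned per deployment).
EVENT_POSTURE = {
    "timer": Posture.ELEVATED,
    "radio_silence": Posture.ELEVATED,
    "receive_alert": Posture.ELEVATED,
    "failed_login": Posture.LOCKDOWN,
    "temperature_drop": Posture.LOCKDOWN,  # chilled RAM precedes a cold-boot dump
    "debugger_attach": Posture.LOCKDOWN,
    "sim_removed": Posture.LOCKDOWN,
}

# Order matters: an app must be killed before the container bind-mounted on
# /data/data/<app> can be unmounted, and the reboot has to come last.
ACTIONS = {
    Posture.NORMAL: [],
    Posture.ELEVATED: ["kill_sensitive_apps", "unmount_containers"],
    Posture.LOCKDOWN: ["kill_sensitive_apps", "unmount_containers",
                       "wipe_files", "wipe_ram", "reboot"],
}


@dataclass
class HardeningMonitor:
    posture: Posture = Posture.NORMAL
    log: list = field(default_factory=list)  # actions run so far (stub)

    def observe(self, event: str) -> list:
        """Handle one SecurityEvent and return the actions it triggered."""
        target = EVENT_POSTURE.get(event)
        if target is None or target <= self.posture:
            return []  # unknown event, or posture is already at least this tight
        # Ratchet: never loosen, and never repeat an action a lower level ran.
        done = {a for lvl in Posture if lvl <= self.posture for a in ACTIONS[lvl]}
        triggered = [a for a in ACTIONS[target] if a not in done]
        self.posture = target
        self.log.extend(triggered)
        return triggered
```

A second indicator at the same or a lower level is deliberately a no-op, so a noisy sensor cannot make the device kill and remount containers in a loop.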

Page 86: Click and Dragger: Denial and Deception on Android mobile

DURESS CODES

• Explicit duress codes don’t work

• “of these two codes, only use this one when you’re under extreme stress. ps don’t forget”

• “if you use the wrong code, you are severely punished”

Page 87: Click and Dragger: Denial and Deception on Android mobile
Page 88: Click and Dragger: Denial and Deception on Android mobile

CryptogenMod + DarkMatter =

Page 89: Click and Dragger: Denial and Deception on Android mobile

http://github.com/grugq/darkmatter

Page 90: Click and Dragger: Denial and Deception on Android mobile

RAISE NSA PRICE 2 PWN*

* probably

Page 91: Click and Dragger: Denial and Deception on Android mobile

THEY’LL ADAPT

Page 92: Click and Dragger: Denial and Deception on Android mobile
Page 93: Click and Dragger: Denial and Deception on Android mobile

THANKS!

Page 94: Click and Dragger: Denial and Deception on Android mobile

QUESTIONS?