Download - Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006
![Page 1: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/1.jpg)
Storage of sensitive data in a Java enabled cell phone
MSc ThesisTommy Egeberg
June 2006
![Page 2: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/2.jpg)
Agenda
• Introduction • Problem• Methods• Results• Conclusion• Further Work
![Page 3: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/3.jpg)
Introduction
• Cell phones → small computers• Stores a lot of sensitive information
– RMS, email, SMS, calendar …
• Able to run Java applications– Mobile SSO solution
• Store passwords
-Introduction
![Page 4: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/4.jpg)
Main problem
Will a Java MIDlet on a cellular phone be a secure location to store sensitive information?
-Problem
![Page 5: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/5.jpg)
Research Questions
• What is already known about security in Java enabled cell phones?
• Will information stored on a cellular phone be easy to extract?
• How can we secure the stored sensitive information even if the cellular phone is lost or stolen?
• What kind of threats will the cell phone be vulnerable to?
• What kind of countermeasures can be used to reduce or eliminate the threats?
-Problem
![Page 6: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/6.jpg)
Methods
• Literature study– J2ME specifications– Communication link; cell phone ↔ server
• Prototype– Try to break into the prototype
• Security analysis– Identify threats and vulnerabilities
-Methods
![Page 7: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/7.jpg)
Digital safe
• Master password– PIN– Pass-faces– Stored as a SHA1 hash digest
• The sensitive information– AES encrypted with a 128 bit key
• Key derived from master password, username and a iteration count of 20, like described in PKCS5v2 [1]
-Methods
![Page 8: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/8.jpg)
Remote deletion
• SMS sent to the phone with the digital safe installed– Defined port number– The AMS starts the digital safe– SHA1 value of password– Deletes the stored information
-Methods
![Page 9: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/9.jpg)
Stealing MIDlet
• Upgrade a previously installed MIDlet• The RMS will not be erased• Read the stored information• Identical values in the JAD file• Can be used to inject Trojan code
-Methods
![Page 10: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/10.jpg)
Results
• Encryption and decryption– Bouncy Castle Crypto API [2]
• AES, SHA1, …
• Remote deletion is a poor functionality– Can easily be deactivated
• Data stored in the RMS can easily be extracted
-Results
![Page 11: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/11.jpg)
Data extraction
• Forensic methods [3]
– Desoldering techniques, boundary-scan (JTAG)– Native applications
• Windows Mobile, Symbian OS
• Stealing MIDlet• Phone Managers
– Backup of MIDlet’s RMS
-Results
![Page 12: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/12.jpg)
Stealing MIDlet
• Overwrite the installed MIDlet• MIDlet-Name and MIDlet-
Vendor• Source code
– Add Trojan code
• A signed MIDlet can not be upgraded with an unsigned MIDlet!
-Results
A Stealing MIDlet’s JAD file
MIDlet-1: StealingMIDlet,,StealingMIDlet
MIDlet-Jar-Size:
4743
MIDlet-Jar-URL:
StealingMIDlet.jar
MIDlet-Name: Password Store
MIDlet-Vendor:
Tommy Egeberg
MIDlet-Version:
1.0
MicroEdition-Configuration:
CLDC-1.1
MicroEdition-Profile:
MIDP-2.0
![Page 13: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/13.jpg)
Phone Managers
• Oxygen Phone Manager II [4]
– Backup Java MIDlets– Backup MIDlet's RMS
• MOBILedit! [5]
– Forensic edition available
-Results
![Page 14: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/14.jpg)
RMS backup-Results
![Page 15: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/15.jpg)
-Results
![Page 16: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/16.jpg)
Threats & Vulnerabilities
• Information extracted• Trojan code
– Keyboard sniffer, send information to hacker, …
• Phone is stolen• Brute-force attacks• Remote deletion disabled• MIDlet installation request
-Results
![Page 17: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/17.jpg)
![Page 18: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/18.jpg)
Countermeasures
• Reflash cell phone OS• Check MIDlet size and functionality• Sign the MIDlet
– Prevent Stealing MIDlets
• Strong master password and encryption• Frequently update the login credentials
-Results
![Page 19: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/19.jpg)
Conclusion
• A strong master password must be chosen– The key in the encryption process, access to the
application
• Data easily extracted– Encryption extremely important
• The MIDlet should be signed– Prevent installation of Stealing MIDlets, trusted
source
-Conclusion
![Page 20: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/20.jpg)
Further Work
• SATSA (The Security and Trust Service API)• Biometric authentication
– Speech recognition (Java Speech API)
• Proactive password checking• Synchronization service
– Update the stored login credentials if the phone is lost
-Further work
![Page 21: Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006](https://reader031.vdocuments.mx/reader031/viewer/2022032800/56649d375503460f94a101d3/html5/thumbnails/21.jpg)
References
[1]RSA-Laboratories. March 1999. Pkcs5v2.0: Password-based cryptography standard.
[2]Bouncy Castle. Bouncy Castle Crypto Package. Light-weight API, release 1.33.
[3] Willassen, S. Y. Spring 2003. Forensics and the GSM mobile telephone system. International Journal of Digital Evidence, 2, 10–11.
[4] Oxygen-Software. Oxygen phone manager for Nokia phones (forensic edition) http://www.opm-2.com
[5] Compelson laboratories. MOBILedit! Forensic http://www.mobiledit.com