(pdf) yury chemerkin _null_con_2013

28 pages
SECURITY EVALUATION OR ESCAPING FROM "VULNERABILITY PRISON" Ph.D. YURY CHEMERKIN NULLCON ‘GOA ‘2013

Upload: sto-strategy

Post on 18-Dec-2014

Category: Technology




TRANSCRIPT

Page 1: (Pdf) yury chemerkin _null_con_2013

SECURITY EVALUATION OR ESCAPING FROM "VULNERABILITY PRISON"
Ph.D. YURY CHEMERKIN
NULLCON ‘GOA ‘2013

Page 2: BlackBerry security environment

BlackBerry smartphone was secure… PlayBook has come with a poor environment.

BlackBerry smartphone:
- The security is the cornerstone.
- A powerful high-level integration: IMs, social networks, financial data, etc.
- The BlackBerry was built free of malware and harmful actions, with native security solutions.
- Mainly focused on enterprise: a wide-ranging IT policy set, up to 500 units.
- A few third-party security solutions.

BlackBerry PlayBook:
- A simplification of the security vision.
- Poor integration (only BlackBerry Bridge): no built-in IMs, HTML5 or web launcher; no wallets or other built-in applications.
- The PlayBook might produce little valuable data due to its APIs; not more than a large phone's screen.
- Totally focused on enterprise: the IT policy set is extra reduced, up to 10 units.
- Entertainment applications only.

Page 3: User-mode rootkit and spyware

Malware bounds become unclear… hackers are interested in cheaper costs.

Rootkits come in a lot of types:
- Bootkits
- Firmware
- User-mode
- Kernel
- Hypervisor

User-mode malware is similar to spyware bundled with desirable software: widespread, easy to distribute and quite relevant for hackers.

Based on:
- Vendor-supplied extensions
- Third-party plugins
- Public interfaces
- Interception of system messages
- Exploitation of security vulnerabilities
- Hooking and patching of API methods

Page 4: The file system issues

BB OS v4–5 was accessible; BB OS v6–7 plus PlayBook are accessible.

BB OS v4–5:
- Via the built-in (internal) explorer.
- After entering the password, but still through the internal explorer.
- For executing malware from the device by clicking a file (.JAR/.JAD + .COD).
- To allow copying the malware to the device as an external drive (like a worm).

BB OS v6–7 plus PlayBook:
- All data is accessible except app and system data, without any API or other info.
- After mounting as an external drive(-s).
- After entering the password, but it is not necessary to use the internal explorer.
- To prevent executing anything outside AppWorld (.BAR).

In general:
- Malware is a personal application subtype in terms of RIM's security.
- The sandbox protects only app data, while user data is stored in shared folders.

Pages 5–6: (no text extracted)

Page 7: The application management issues

BlackBerry smartphone (less than BB 10):
- The "upgrade" feature means the install and remove actions at least.
- An application ID requirement.
- An accessible running application list.
- Handling other apps silently via API.
- Handling another application silently via PC tools (may need a password).
- Debug mode is for tracing and debugging only.
- Easy tracking of the newcoming .COD modules for the malware payload.

BlackBerry PlayBook (probably BlackBerry 10):
- The "upgrade" means a user interaction with AppWorld or with the home screen.
- There are some APIs, but disabled; there is no API for such actions yet.
- Handling another application silently via PC tools (may need a password; strongly needs an activated debug mode).
- Looks more secure than BlackBerry, but difficult to remove distributed malware.

Page 8: (no text extracted)

Page 9: The clipboard issues

BlackBerry smartphone:
- How to reveal the data in real time: getClipboard().
- Any protection? Native wallets restrict clipboard access by returning "null", but only while the application is active (on top of the screen stack); it does not work in the minimized state.

BlackBerry PlayBook:
- How to reveal the data in real time: getData().
- Any protection? No native wallet application.
- Managing the last clipboard data via the shared folder: plain text, HTML, etc.

Pages 10–12: (no text extracted)

Page 13: The photoscreen issues

Screenshots are available for all BlackBerry devices but disabled for PlayBook and BlackBerry 10 yet.

- Screen protection via switching: permit / restrict; additionally per application…
- But it does not handle windows; handle with the key preview due to the virtual keyboard.
- May be improved by XOR'ing two photoscreens to get the difference; masking the asterisks takes a delay enough to steal the text.
- May be part of OCR engines (online or desktop), which recognize typed data very quickly; was tested on ABBYY online OCR.
- A substitute for a hardware keylogger, running down the battery more slowly than the photo/video camera.
- Easy access to any application… even the wallet; no restriction like the clipboard "null".
- Screenshots are often stored in the camera folder; the same as file access.

Page 14: (no text extracted)

Page 15: The messages issues

Available on the BB devices, probably on the BlackBerry 10; no 3G and no API for PlayBook.

Using authorized API to intercept messages (BBM, email, PIN-to-PIN):
- Create the message
- Read the message
- Delete the message
- Set the message status (unread, sent, any error state, etc.)
- The button events (the same types): opening, forwarding, sending the message

Intercepting the SMS (basically):
- Receiving and sending events
- Deleting the sent and received SMS
- Enough to handle social C&C SMS

Outcoming SMS (advanced):
- Blocking (dropping) the SMS
- A notification in the message thread
- Spoofing the recipient or the body
- "Transmission refused by …" if such a message was not removed

Page 16: (no text extracted)

Page 17: The device password issues

For the BlackBerry 4–7 due to the internal case; for all devices due to the desktop access case.

The password protection covers:
- Device locking and the encryption feature
- AppWorld requests
- Limited to 5/10 attempts, then wipe
- Wiping the internal storage only
- Extracting the password through an Elcomsoft product (custom case)

GUI vulnerability:
- Creating the fake window on desktop synchronization
- Breaking into BB Desktop Software
- Handling the desktop software vulnerability: unmasking the field, grabbing the password, masking the field; the delay takes not more than 15 msec

Affected password types: the device password, the backup password.
Affected devices: BlackBerry 4–7 (BB 10 highly probably), BlackBerry PlayBook.

Pages 18–19: (no text extracted)

Page 20: The GUI exploitation

A consequence of the wide integration features offered to developers (BlackBerry 4–7 only).

Initially based on authorized API, which covered:
- All physical and navigation buttons
- Typing the textual data
- Affects all native and third-party apps

Secondarily based on adding menu items:
- Into the global menu
- Into the "send via" menu
- Affects all native applications

Native applications are developed by RIM: BlackBerry wallets, messages, settings, Facebook, Twitter, …; BBM/GTalk/Yahoo/Windows IMs, …

GUI exploitation handles:
- Redrawing the screens
- Adding new GUI objects
- Changing their properties
- Grabbing the text from any fields (incl. the password field): the unlock-the-device field, the set-up-the-password field
- Adding and removing the field data

Original data is inaccessible but not affected; shuffling GUI objects is not possible.

Pages 21–24: (no text extracted)

Page 25: The third party exploitation

There are a few of them; they might have an exploit but ruin the native security.

Kaspersky Mobile Security provides:
- Firewall, wipe, block, info features
- No protection from removing .CODs
- No protection under the simulator (examining the traffic and behaviour); it should check the "is simulator" API
- SMS management ("quite" secret SMS): the password is a four- to sixteen-digit set …and can be modified in real time
- The SMS carries half of a hash value of GOST R 34.11-94; the implementation uses test crypto values and no salt, so tables (value-hash) are easily built
- Outcoming SMS can be spoofed without any notification
- Outcoming SMS can block or wipe the same device or another device

McAfee Mobile Security provides:
- Firewall, wipe, block, info features
- No protection from removing .CODs
- No protection under the simulator (examining the traffic and behaviour); it should check the "is simulator" API
- Web management console
- Difficult to break SMS C&C
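The unsalted half-hash point on the Kaspersky slide, as an added example (not the talk's or the vendor's code): SHA-256 stands in for GOST R 34.11-94, which Python's standard library lacks, since the argument only needs an unsalted digest over a small digit-PIN space; the salted PBKDF2 variant shows the mitigation. The PIN value and salts are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Stand-in for GOST R 34.11-94 (not in Python's standard library): SHA-256.
# The argument needs only an unsalted digest over a small PIN space, so the
# choice of hash function does not change the conclusion.
HALF_DIGEST_HEX = 32  # half of a 256-bit digest, as the slide describes


def weak_sms_token(pin: str) -> str:
    """Model of the slide's scheme: unsalted digest of the digit PIN, keep half."""
    return hashlib.sha256(pin.encode()).hexdigest()[:HALF_DIGEST_HEX]


def precomputed_table(pin_length: int) -> Dict[str, str]:
    """token -> PIN for every PIN of this length. With no salt, one table built
    once works against every device, which is why the slide says value-hash
    tables are easily built (10**4 entries for the 4-digit case)."""
    table: Dict[str, str] = {}
    for n in range(10 ** pin_length):
        pin = str(n).zfill(pin_length)
        table[weak_sms_token(pin)] = pin
    return table


def pin_from_weak_token(token: str, table: Dict[str, str]) -> Optional[str]:
    """Reversing the weak token is a single dictionary lookup."""
    return table.get(token)


def strong_sms_token(pin: str, salt: bytes, iterations: int = 100_000) -> str:
    """Mitigation: per-device random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    A table built for one salt is useless against another device, and each
    guess costs `iterations` hash calls instead of one."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations).hex()[:HALF_DIGEST_HEX]


def verify_strong_token(pin: str, salt: bytes, token: str) -> bool:
    """Constant-time comparison so the check itself leaks no timing signal."""
    return hmac.compare_digest(strong_sms_token(pin, salt), token)


def new_device_salt() -> bytes:
    """Generated once per device and stored beside the token, not derived from the PIN."""
    return os.urandom(16)


if __name__ == "__main__":
    table = precomputed_table(4)  # constructed: all 10,000 four-digit PINs
    print(len(table), pin_from_weak_token(weak_sms_token("4821"), table))
    salt = new_device_salt()
    print(verify_strong_token("4821", salt, strong_sms_token("4821", salt)))
```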

Page 26: The permissions

Privileged general permissions own apps, native and 3rd-party apps features.

Denial of service:
- Replacing/removing exec files
- DoS'ing events, noising fields
- GUI intercept

Information disclosure:
- Clipboard, screen capture
- GUI intercept
- Dumping .COD files, shared files

MITM (interception / spoofing):
- Messages
- GUI intercept, third-party apps
- Fake window/clickjacking

Permissions model:
- General permissions instead of specific sub-permissions
- A few notification/event logs for the user
- Built per application instead of per app screen
- Concrete permissions, but combined into a general permission: a screenshot permission is part of the camera permission

Page 27: Conclusion

The vendor security vision has nothing to do with reality, aggravated by simplicity.

- Simplification and reduction of security controls.
- Many general permissions, combined into each other.
- No activity logs for sub-permissions to prove transparency.
- Any security vulnerability is only fixed by an entirely new and different OS / kernel.
- A few permissions are closed to user actions.
- The sandbox protects only application data; users have to store their data in shared folders or external storage.
- Applications continue to store data in public folders because they are governed by the chance of availability.
- MITM / interception actions are often silently the native spoofing and interception features.
- BlackBerry Enterprise Solution / BlackBerry Mobile Fusion is not very effective.
- The best security (permissions) is ruled by Amazon Web Services: permissions should rely on a set of different useful cases instead of a specific permission list.

Page 28: Thank you

Yury Chemerkin