Transparent Smartphone Spying
Georgia Weidman
Agenda
• Smartphone Overview
• Evil Applications
• Evil Jailbreaks
• Baseband Spying
• Mitigation Strategies
What is a Smartphone?
Data Stored and Transmitted
• Personal info
• Work info
• Location info
• Account info
Privacy of Transmitted Data
• Mobile communication standards
• Encoding vs. Encryption
• Attacks against privacy
Privacy Matters: Text Messages
• “Hi meet me for lunch”
• “Meet me for lunch while my wife is out”
• “Here are your bank account credentials”
Privacy Required Examples
• Vendor text messages
  – Vendor advertisements
  – Provider messages
• Mobile banking
  – Balance sheet
  – Electronic bill paying
  – One time passwords
Evil Applications
Application Stores
• iPhone
  – Expensive
  – Identity Verified
  – Closed
  – Certificate Authority
• Android
  – Cheap
  – Open
  – Anonymous
  – Self signed
Application Protections: iPhone
• ASLR
• Mandatory code signing
• No dynamic code loading
• Sandboxed
Application Protections: Android
• Users accept permissions
Our Text Message Example
• Permission to read the text message (SMS) database
• Specific permission to send text (SMS) messages
• Without user consent, application cannot access this information
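A reviewer-side check for the permission model on this slide, as an added example that is not part of the original slides. It assumes the manifest has already been decoded to text XML (for example with apktool); the sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded text form), not taken from the talk.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight"/>
</manifest>
""".strip()

# SMS-related permissions and what granting each one allows.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS": "can read the stored SMS database",
    "android.permission.RECEIVE_SMS": "receives incoming SMS broadcasts",
    "android.permission.SEND_SMS": "can send SMS on the user's behalf",
}
SMS_READERS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}


def audit_sms_access(manifest_xml):
    """List SMS-related findings a user or reviewer should weigh before install."""
    perms = requested_permissions(manifest_xml)
    findings = [f"{p}: app {why}"
                for p, why in sorted(SMS_PERMISSIONS.items()) if p in perms]
    # Read access plus network access means message contents can leave the device.
    if perms & SMS_READERS and "android.permission.INTERNET" in perms:
        findings.append("SMS read access combined with INTERNET: "
                        "message contents can be sent off the device")
    return findings


if __name__ == "__main__":
    for finding in audit_sms_access(SAMPLE_MANIFEST):
        print(finding)
```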
Is this system working to protect users?
Are users making good decisions about application permissions?
Top Android App of all Time
Demo
Demo: Application abusing permissions
Abusing the Android Sandbox
• Load exploit code at runtime
• Safe application becomes malicious application
• In the wild: DroidDream
• In the lab: Rootstrap
Evil Jailbreak
Jailbreaking
• Get root privileges
• Expand feature set
• Run unapproved (3rd party) apps
Jailbreaking Gone Wild
• Run this code
• It jailbreaks your phone
• What else does it do?
So I’ve exploited a phone, what now?
Baseband Spying
• Read all data sent/received by the phone
• Intercept data before it reaches the user/before it is sent
How an GSM is sent and received
© Georgia Weidman 2011
Malicious Proxy
• Intercept data
• Send data
• Alter data
• Botnet functionality
Demo
Demo: Stealing Text Messages
Mitigation Strategies
• User Awareness
• Encryption
• Updating
• Code signing
Contact
Georgia Weidman, Security Consultant
Neohapsis, Inc.
Email: [email protected]@neohapsis.com
Website: http://www.neohapsis.com http://www.grmn00bs.com
Twitter: @vincentkadmon