Shiny Expensive Things: The Global Problem of Mobile Phone Theft

I was kindly invited down to Bournemouth University the other day by Shamal Faily, to give a talk as part of their Cyber Seminar series. I decided to talk about a quite hot topic which I’m very familiar with, mobile phone theft. The slides are updated from an earlier talk, but cover some of the political involvement in 2012/13 and some information on recent industry action and what should happen next.

Mobile related presentations at Blackhat and DEFCON 2013

Next week I’ll be heading over to Las Vegas for the world’s biggest security and hacking conferences; Blackhat and DEFCON. Here’s a short run-down of some presentations and briefings that are related to mobile. Obviously there are many others that may also be relevant to mobile (e.g. SSL attacks or HTML5). As you can see, mobile interest is again steadily going up, as well as in other embedded platforms such as automotive and in-home systems. It looks like it is going to be a pretty interesting, if slightly scary week!

Blackhat
DEFCON

Blackhat & DEFCON19 – mobile presentations

With the main sessions of Blackhat starting tomorrow morning (Las Vegas time), I’ve posted the mobile-related talks here for those who are interested.

The mobile hacking training course which took place today (I think) was sold out. What has interested me the most is the increase in interest from the security and hacking community in all types of mobile platforms. As you’ll see below, there are really quite a few presentations focussed on mobile. Also, as smartphones become more advanced, a lot of the other presentations not listed here become relevant (for example web application security). I just want to highlight two of the presentations: ‘Aerial Cyber Apocalypse’ which will demonstrate a UAV equipped with WiFi and GSM hacking capabilities (see the picture below) and ‘War Texting: Identifying and Interacting with Devices on the Telephone Network’ which shows attacks on car systems which use SMS to remote control the car. Fun in the sun.

From: http://www.geek.com/articles/geek-pick/wasp-the-linux-powered-flying-spy-drone-that-cracks-wi-fi-gsm-netwokrs-20110729/

Blackhat USA 2011 (Briefings 3-4th August)
Schedule: https://www.blackhat.com/html/bh-us-11/bh-us-11-schedule.html

Don A. Bailey:
War Texting: Identifying and Interacting with Devices on the Telephone Network

Karsten Nohl + Chris Tarnovsky:
Reviving smart card analysis

Andrey Belenko
Overcoming IOS Data Protection to Re-enable iPhone Forensics

Ravi Borgaonkar + Nico Golde + Kevin Redon:
Femtocells: A poisonous needle in the operator’s hay stack

Dino Dai Zovi:
Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption

Richard Perkins + Mike Tassey:
Aerial Cyber Apocalypse: If we can do it… they can too.

Long Le + Thanh Nguyen:
ARM exploitation ROPmap

Jennifer Granick:
The Law of Mobile Privacy and Security

Riley Hassell + Shane Macaulay:
Hacking Androids for Profit

Tyler Shields + Anthony Lineberry + Charlie Miller + Chris Wysopal + Dino Dai Zovi + Ralf-Phillipp Weinmann + Nick Depetrillo + Don Bailey:
Owning Your Phone at Every Layer – A Mobile Security Panel

DEFCON19: (4th-7th August)
Schedule: https://www.defcon.org/html/defcon-19/dc-19-index.html

Abusing HTML5

Cellular Privacy: A Forensic Analysis of Android Network Traffic

Getting SSLizzard

This is REALLY not the droid you’re looking for…

Mobile App Moolah: Profit taking with Mobile Malware

Wireless Aerial Surveillance Platform

Seven Ways to Hang Yourself with Google Android

Staying Connected during a Revolution or Disaster

So, plenty to keep everyone going then! It’ll be interesting to see what the next few weeks bring.

Confused Users and Insecure Platforms – the Perfect Storm Approaches

(picture from: http://commons.wikimedia.org/wiki/File:Storm_Approaching_Anna_Bay.JPG)
 

The evolution of hacking against mobile devices has been as rapid as the evolution of the device technology itself. Traditionally, mobile phone hacking has centred around the ‘embedded’ part of the phone, that is the electronic hardware. The software and firmware within the device was proprietary to that particular manufacturer so hackers and hacking groups specialised in a particular area. The knowledge and expertise needed to crack devices was very high and technically complex. As a result, it was difficult to understand and even though there was a large grey and black market centred around SIMlock removal and IMEI number changing, the media didn’t ever report it. Large amounts of money were made with lots of this going directly up the chain to the top. As the hacking technology developed, protection techniques were established in order to ensure that the revenue chain was always going back to the originator of the tool. To the ordinary user, they just knew that they could take their handset to a market and get it unlocked. The perception was that hacking a phone was easy.

The first real main-stream attention that embedded hacking got was around the iPhone. Existing mainstream hardware hacking groups had been involved in assisting George Hotz, a 17 year old at the time to create a hardware crack which would enable the removal of the SIMlock and ‘jailbreak’ the device, allowing non-Apple approved applications to be installed.

The public perception of hacking is extremely confused. The recent “phone hacking” scandal in the UK was really unauthorised access to voicemails on the servers of the mobile operators. Users don’t really understand where they are with regard to their own phone security or what they need to do. The anti-virus vendors in particular are responsible for sabre-rattling with respect to the threat to mobile devices. They have repeatedly declared “20xx” (choose a year) as “the year of the mobile virus”. This is simply false and shows a complete lack of understanding of the technologies involved. Indeed in 2004 one anti-virus solution completely filled the application memory of a phone such that no other application could be installed. Perfect protection then! There has been no mass malware outbreak to-date. The only ‘major’ incident was various variants of ‘commwarrior’ which was an MMS virus which propagated via users’ phonebooks. The anti-virus vendors have now been so discredited in the mobile space that they have used up their opportunities for funding and convincing users that they need to purchase protection. Ironically, the year is upon us where anti-virus would provide real value-add to users.

The perfect storm is approaching. The unification of devices under common platforms such as Google’s Android, easy application and widget development on an insecure platform (the web) and weak application policy mechanisms (such as deferring key decisions on permissions to the user) are all leading users down a dangerous path. There are mitigating factors though. The inherited knowledge from the days of PC viruses has allowed the development of some good security defence technologies and processes. Apple, at one end of the scale has a very rigorous application inspection process, both automatically and manually, whereas Android’s is much more open and therefore open to attack by malware authors. Sideloading of non-digitally signed applications is also generally restricted. In early March 2011, DroidDream was identified in around 50 applications supplied by 3 developers to the Android Market. These applications were originally legitimate but had been cracked and dressed up as Trojan versions of the originals. They were only spotted because someone noticed that the author was different to the original. Immediate action was taken by Google to remove the apps and ban the developers, but the malware is still out in the field at the time of writing – an estimation of between 50,000 and 200,000 downloads for one of the applications is quite a severe incident. Other incidents that have taken place over the past couple of years include suspected phishing applications on Android, attempts at creating mobile botnets in China, malicious multi-part SMS messages which crash phones through to rogue ‘Hello Kitty’ wallpaper applications which suck out user data and upload them to IP addresses in China.

It is clear that hacking against mobile devices is a developing discipline. The fight seems to be being won in the hardware space, but much more work needs to be done to protect users in the application space – and now. And the bottom line for consumers? They just want to be secure, without any hassle.

Questions to answer from private forensic companies

Chris Williams from The Register has published an article “Yorkshire cops accused of copyright theft”: http://www.theregister.co.uk/2009/07/14/fts_west_yorkshire/ . It seems that Steve Hirst, a policeman from West Yorkshire Police created some mobile handset forensic software and used some hexadecimal look-up tables from manuals provided by a private company, Forensic Telecommunications Services (FTS). These tables had been created from reverse engineering and extracting data from various manufacturers’ handsets. It looks like FTS have taken quite a heavy-handed approach and have taken Steve Hirst and West Yorkshire Police to the High Court.

Private forensic companies such as FTS make a lot of money out of police forces and security agencies around the world. They provide in-house services where handsets can be sent to them for analysis, including a full report of the findings or they will produce and sell their own forensic hardware and software.

Whilst West Yorkshire Police clearly seem to have put their foot in it with FTS, there are some bigger questions to answer about the forensic analysis of mobile handsets. Is it right to hack into handsets in order to reverse engineer the storage mechanisms? For example, Nokia’s e71 user manual clearly states the following:

Reverse engineering of any software in the Nokia device is prohibited to the extent permitted by applicable law.

So what are private forensic companies playing at? By reverse engineer manufacturer’s devices themselves they are in breach of manufacturers’ terms and conditions.

This subject goes a lot further than in-house reverse engineering and brings up the questionable use of hacking software and hardware purchased or downloaded from the Internet. What happens when data extracted from phones was performed using software that was purchased over the internet from organised criminals in Russia?

The Police need to go about their jobs in a challenging technical environment, but there is a clear need for oversight and regulation of private forensic companies and to reign-in cowboy practices which will inevitably cause miscarriages of justice.