I was kindly invited down to Bournemouth University the other day by Shamal Faily, to give a talk as part of their Cyber Seminar series. I decided to talk about a quite hot topic which I’m very familiar with, mobile phone theft. The slides are updated from an earlier talk, but cover some of the political involvement in 2012/13 and some information on recent industry action and what should happen next.
hacking
Mobile related presentations at Blackhat and DEFCON 2013
Next week I’ll be heading over to Las Vegas for the world’s biggest security and hacking conferences; Blackhat and DEFCON. Here’s a short run-down of some presentations and briefings that are related to mobile. Obviously there are many others that may also be relevant to mobile (e.g. SSL attacks or HTML5). As you can see, mobile interest is again steadily going up, as well as in other embedded platforms such as automotive and in-home systems. It looks like it is going to be a pretty interesting, if slightly scary week!
Blackhat
- A Practical Attack Against MDM Solutions
- Android: One Root to Own Them All
- BlackberryOS 10 From a Security Perspective
- Bluetooth Smart: The Good, The Bad, the Ugly, And The Fix!
- Hiding @ Depth – Exploring, Subverting and Breaking NAND Flash Memory
- How to Build a Spyphone
- I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning With a Compromised CDMA Femtocell
- Legal Considerations for Cellphone Research
- Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers
- Mobile Rootkits: Exploiting and Rootkitting ARM TrustZone
- Multiplexed Wired Attack Surfaces
- Rooting SIM Cards
- Embedded Devices Security and Firmware Reverse Engineering
- JTAGulator: Assisted Discovery of On-Chip Debug Interfaces
- Abusing Web APIs Through Scripted Android Applications
- Beyond the Application: Cellular Privacy Regulation Space
- LTE Booms with Vulnerabilities
- Mobile Malware: Why the Traditional AV Paradigm Is Doomed and How To Use Physics To Detect Undesirable Routines
- OPSEC Failures of Spies
- Hacking Like In The Movies: Visualizing Page Tables For Local Exploitation
DEFCON
- I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning With a Compromised CDMA Femtocell (same as Blackhat)
- The Secret Life of SIM Cards
- DragonLady: An Investigation of SMS Fraud Operations in Russia
- Business Logic Flaws in Mobile Operators Services
- Protecting Data With Short-Lived Encryption Keys and Hardware Root of Trust
- Do-It-Yourself Cellular IDs (same as Blackhat)
- Android WebLogin: Google’s Skeleton Key
- Building an Android IDS on Network Level
- Defeating SEAndroid
- Hacking Wireless Networks of the Future: Security in Cognitive Radio Networks
- BYO-Disaster and Why Corporate Wireless Security Still Sucks
- JTAGulator: Assisted Discovery Of On-Chip Debug Interfaces (same as Blackhat)
- Combatting Mac OSX/iOS Malware with Data Visualization
- Blucat: Netcat For Bluetooth
- The Bluetooth Device Database
NFC hack at Black Hat USA 2012
A nice piece of work by famed Apple hacker Charlie Miller at Black Hat 2012. He presented exploits which use NFC as an attack vector to launch other attacks against Android and Nokia devices. More details here. Expect more attacks to be revealed on NFC over the next year.
Videos below.
Android:
Nokia N9:
Blackhat & DEFCON19 – mobile presentations
With the main sessions of Blackhat starting tomorrow morning (Las Vegas time), I’ve posted the mobile-related talks here for those who are interested.
The mobile hacking training course which took place today (I think) was sold out. What has interested me the most is the increase in interest from the security and hacking community in all types of mobile platforms. As you’ll see below, there are really quite a few presentations focussed on mobile. Also, as smartphones become more advanced, a lot of the other presentations not listed here become relevant (for example web application security). I just want to highlight two of the presentations: ‘Aerial Cyber Apocalypse’ which will demonstrate a UAV equipped with WiFi and GSM hacking capabilities (see the picture below) and ‘War Texting: Identifying and Interacting with Devices on the Telephone Network’ which shows attacks on car systems which use SMS to remote control the car. Fun in the sun.
 |
| From: http://www.geek.com/articles/geek-pick/wasp-the-linux-powered-flying-spy-drone-that-cracks-wi-fi-gsm-netwokrs-20110729/ |
Blackhat USA 2011 (Briefings 3-4th August)
Schedule: https://www.blackhat.com/html/bh-us-11/bh-us-11-schedule.html
Don A. Bailey:
War Texting: Identifying and Interacting with Devices on the Telephone Network
Karsten Nohl + Chris Tarnovsky:
Reviving smart card analysis
Andrey Belenko
Overcoming IOS Data Protection to Re-enable iPhone Forensics
Ravi Borgaonkar + Nico Golde + Kevin Redon:
Femtocells: A poisonous needle in the operator’s hay stack
Dino Dai Zovi:
Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption
Richard Perkins + Mike Tassey:
Aerial Cyber Apocalypse: If we can do it… they can too.
Long Le + Thanh Nguyen:
ARM exploitation ROPmap
Jennifer Granick:
The Law of Mobile Privacy and Security
Riley Hassell + Shane Macaulay:
Hacking Androids for Profit
Tyler Shields + Anthony Lineberry + Charlie Miller + Chris Wysopal + Dino Dai Zovi + Ralf-Phillipp Weinmann + Nick Depetrillo + Don Bailey:
Owning Your Phone at Every Layer – A Mobile Security Panel
DEFCON19: (4th-7th August)
Schedule: https://www.defcon.org/html/defcon-19/dc-19-index.html
Cellular Privacy: A Forensic Analysis of Android Network Traffic
This is REALLY not the droid you’re looking for…
Mobile App Moolah: Profit taking with Mobile Malware
Wireless Aerial Surveillance Platform
Seven Ways to Hang Yourself with Google Android
Staying Connected during a Revolution or Disaster
So, plenty to keep everyone going then! It’ll be interesting to see what the next few weeks bring.
Confused Users and Insecure Platforms – the Perfect Storm Approaches
 |
| (picture from: http://commons.wikimedia.org/wiki/File:Storm_Approaching_Anna_Bay.JPG) |
The evolution of hacking against mobile devices has been as rapid as the evolution of the device technology itself. Traditionally, mobile phone hacking has centred around the ‘embedded’ part of the phone, that is the electronic hardware. The software and firmware within the device was proprietary to that particular manufacturer so hackers and hacking groups specialised in a particular area. The knowledge and expertise needed to crack devices was very high and technically complex. As a result, it was difficult to understand and even though there was a large grey and black market centred around SIMlock removal and IMEI number changing, the media didn’t ever report it. Large amounts of money were made with lots of this going directly up the chain to the top. As the hacking technology developed, protection techniques were established in order to ensure that the revenue chain was always going back to the originator of the tool. To the ordinary user, they just knew that they could take their handset to a market and get it unlocked. The perception was that hacking a phone was easy.
The first real main-stream attention that embedded hacking got was around the iPhone. Existing mainstream hardware hacking groups had been involved in assisting George Hotz, a 17 year old at the time to create a hardware crack which would enable the removal of the SIMlock and ‘jailbreak’ the device, allowing non-Apple approved applications to be installed.
The public perception of hacking is extremely confused. The recent “phone hacking” scandal in the UK was really unauthorised access to voicemails on the servers of the mobile operators. Users don’t really understand where they are with regard to their own phone security or what they need to do. The anti-virus vendors in particular are responsible for sabre-rattling with respect to the threat to mobile devices. They have repeatedly declared “20xx” (choose a year) as “the year of the mobile virus”. This is simply false and shows a complete lack of understanding of the technologies involved. Indeed in 2004 one anti-virus solution completely filled the application memory of a phone such that no other application could be installed. Perfect protection then! There has been no mass malware outbreak to-date. The only ‘major’ incident was various variants of ‘commwarrior’ which was an MMS virus which propagated via users’ phonebooks. The anti-virus vendors have now been so discredited in the mobile space that they have used up their opportunities for funding and convincing users that they need to purchase protection. Ironically, the year is upon us where anti-virus would provide real value-add to users.
The perfect storm is approaching. The unification of devices under common platforms such as Google’s Android, easy application and widget development on an insecure platform (the web) and weak application policy mechanisms (such as deferring key decisions on permissions to the user) are all leading users down a dangerous path. There are mitigating factors though. The inherited knowledge from the days of PC viruses has allowed the development of some good security defence technologies and processes. Apple, at one end of the scale has a very rigorous application inspection process, both automatically and manually, whereas Android’s is much more open and therefore open to attack by malware authors. Sideloading of non-digitally signed applications is also generally restricted. In early March 2011, DroidDream was identified in around 50 applications supplied by 3 developers to the Android Market. These applications were originally legitimate but had been cracked and dressed up as Trojan versions of the originals. They were only spotted because someone noticed that the author was different to the original. Immediate action was taken by Google to remove the apps and ban the developers, but the malware is still out in the field at the time of writing – an estimation of between 50,000 and 200,000 downloads for one of the applications is quite a severe incident. Other incidents that have taken place over the past couple of years include suspected phishing applications on Android, attempts at creating mobile botnets in China, malicious multi-part SMS messages which crash phones through to rogue ‘Hello Kitty’ wallpaper applications which suck out user data and upload them to IP addresses in China.
It is clear that hacking against mobile devices is a developing discipline. The fight seems to be being won in the hardware space, but much more work needs to be done to protect users in the application space – and now. And the bottom line for consumers? They just want to be secure, without any hassle.
Questions to answer from private forensic companies
Chris Williams from The Register has published an article “Yorkshire cops accused of copyright theft”: http://www.theregister.co.uk/2009/07/14/fts_west_yorkshire/ . It seems that Steve Hirst, a policeman from West Yorkshire Police created some mobile handset forensic software and used some hexadecimal look-up tables from manuals provided by a private company, Forensic Telecommunications Services (FTS). These tables had been created from reverse engineering and extracting data from various manufacturers’ handsets. It looks like FTS have taken quite a heavy-handed approach and have taken Steve Hirst and West Yorkshire Police to the High Court.
Private forensic companies such as FTS make a lot of money out of police forces and security agencies around the world. They provide in-house services where handsets can be sent to them for analysis, including a full report of the findings or they will produce and sell their own forensic hardware and software.
Whilst West Yorkshire Police clearly seem to have put their foot in it with FTS, there are some bigger questions to answer about the forensic analysis of mobile handsets. Is it right to hack into handsets in order to reverse engineer the storage mechanisms? For example, Nokia’s e71 user manual clearly states the following:
Reverse engineering of any software in the Nokia device is prohibited to the extent permitted by applicable law.
So what are private forensic companies playing at? By reverse engineer manufacturer’s devices themselves they are in breach of manufacturers’ terms and conditions.
This subject goes a lot further than in-house reverse engineering and brings up the questionable use of hacking software and hardware purchased or downloaded from the Internet. What happens when data extracted from phones was performed using software that was purchased over the internet from organised criminals in Russia?
The Police need to go about their jobs in a challenging technical environment, but there is a clear need for oversight and regulation of private forensic companies and to reign-in cowboy practices which will inevitably cause miscarriages of justice.