a day in the life of your mobile phone (or: how your phone hates you)
DESCRIPTION
Your mobile device lives in an Orwellian world of surveillance, intrigue and promiscuity. While your phone is safely tucked away in your pocket, it lives an alternate existence selling you out, betraying you and offering up your secrets whenever it can. While you're sleeping, driving, buying coffee or checking email, your phone is busy divulging your location, storing your credentials and documenting everything you do. This presentation from the 2014 (ISC)2 Security Congress walks through a day in the life of your mobile device and shows you what it's telling the world about you.

TRANSCRIPT
#ISC2Congress Strengthening Cybersecurity Defenders
A Day in the Life of Your Mobile Phone
Rob Barnes, CISSP®, CSSLP®
Software Security Architect, The College Board
#YourPhoneHatesYou
(or: how your phone hates you)
Reality:
Your phone hates you.
How we like to think our phones protect our privacy:
Things you do every day
» Check email
» Check weather
» Check stocks
» Use social media
» Take photos
» Post photos
» Buy coffee
» Sync device with phone
» Join Wi-Fi access points
» Send email
» Navigate with map
» Research restaurants
» Place hands-free calls
» Browse websites
» (Plus all the things your kids do that you don’t know about)
Things your phone does every day
Collects location information (Divulges location information.)
Collects personal information (Divulges personal information.)
Collects usage information (Divulges usage information.)
Does it matter?
97% of mobile applications access personal address books, social media pages and
connectivity options like Bluetooth or Wi-Fi.
86% of mobile applications are insecure.
But it doesn’t matter. 100% of what you do reveals something about you.
http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.VA2ntvlr6Cc
http://threatpost.com/insecure-applications-we-are-84-percent-120711/75961
Don’t think like an attacker.
Think like:
a marketer.
a parent.
a forensic investigator.
Location Privacy: Using the device
Location Privacy: Browsing
This is where I spent my summer, as told by a web service:
Location and Device Privacy (a two-for-one bonus!)
When you (or an app) access a web page or web service, it sends the following information:
108.28.101.205   <- belongs to Verizon FiOS in Chantilly, VA
08/Sep/2014:14:18:45 -0400
Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X)   <- device make and model (OLD!); firmware version = iOS 6.1.4
Version/6.0 Mobile/10B350 Safari/8536.25   <- browser version
Location Privacy: Using apps
Are you sure you’re just checking the weather? As a bonus to you, Weather Channel shares your usage statistics!
» http://or1.sc.omtrdc.net/b/ss/twciiphonescroll/0 . . .
» Resolution=640x1136
» AppID=iPhone 6.2.1 (420573)
» TimeSinceLaunch=58
» DeviceName=iPhone6,1
» action=weather:data-refresh-requested
» OSVersion=iOS 7.1.2
» CarrierName=Verizon
» actionTracking=weatherdatarefreshrequested
» ts=1408722639
(which translates to 8/22/2014 11:50:39 AM)
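Added example (not from the talk): a small Python parser that pulls the same facts out of the two artifacts shown on the slides above, a web-server access-log line (slide 10) and the Weather Channel analytics beacon (slide 11), so you can see exactly what a service operator learns from one request. The values are the slides' own; wrapping them in Apache combined-log layout and encoding the beacon fields as a query string are assumptions made here.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed inputs. The IP, timestamp and User-Agent are the values the
# slide shows; wrapping them in Apache "combined" log format and encoding the
# Weather Channel beacon fields as a query string are assumptions made here.
LOG_LINE = ('108.28.101.205 - - [08/Sep/2014:14:18:45 -0400] "GET / HTTP/1.1" 200 512 "-" '
            '"Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X) '
            'Version/6.0 Mobile/10B350 Safari/8536.25"')
BEACON_URL = ('http://or1.sc.omtrdc.net/b/ss/twciiphonescroll/0?Resolution=640x1136'
              '&AppID=iPhone+6.2.1+(420573)&TimeSinceLaunch=58&DeviceName=iPhone6,1'
              '&action=weather:data-refresh-requested&OSVersion=iOS+7.1.2'
              '&CarrierName=Verizon&ts=1408722639')

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Mobile Safari's UA carries the device family, the OS version with
# underscores, and the firmware build number after "Mobile/".
UA_RE = re.compile(r'\((?P<device>iPhone|iPad|iPod);.*?OS (?P<os>[\d_]+) like Mac OS X\).*?Mobile/(?P<build>\w+)')

def fingerprint_from_log(line):
    """Return what a web server learns from one request line (None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    info = {
        'ip': m['ip'],  # attributed to an ISP/city by geolocation services
        'when': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').isoformat(),
    }
    ua = UA_RE.search(m['ua'])
    if ua:
        info['device'] = ua['device']
        info['os_version'] = ua['os'].replace('_', '.')   # 6_1_4 -> 6.1.4
        info['build'] = ua['build']                        # 10B350
    return info

def parse_beacon(url, tz=timezone(timedelta(hours=-4))):
    """Split an analytics beacon URL into its fields and render ts in local time
    (the slide's 8/22/2014 11:50:39 AM is US Eastern daylight time, UTC-4)."""
    fields = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if 'ts' in fields:
        local = datetime.fromtimestamp(int(fields['ts']), tz)
        fields['ts_local'] = local.strftime('%m/%d/%Y %I:%M:%S %p')
    return fields

if __name__ == '__main__':
    print(fingerprint_from_log(LOG_LINE))
    print(parse_beacon(BEACON_URL))
```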
Location Privacy: Using apps
Sure enough, you agreed to all of this.
Why should you care?
“Big Data” marketing can infer:
» When you’re at home
» When you’re at work
» When you’re driving
Why should you care?
An attacker can infer:
» When you’re at home
» …and when you’re not
Device Privacy: Using Wi-Fi
Hi! Can I please join your network? My MAC address is DC:9B:9C:xx:xx:xx!
Sure! (Ah…so you’re an Apple device…)
Thanks! Oh, also, my name is “Rob Barnes’s iPhone 5”!
OK, thanks. Welcome! (Welcome, indeed, “Rob Barnes”!)
Device Privacy: Using Wi-Fi
Hey, it’s “Rob Barnes’s iPhone 5” again. Sorry to bother you. What is the IP address for email.mycompany.com?
It’s 209.48.123.456.
Why should you care?
Dear Rob Barnes:
Congratulations! Your iPhone 5 is eligible for a free upgrade! Please click here for details, or visit your local Atlanta Apple retail store.
This message was sent to [email protected]. Click here to unsubscribe from future emails.
Sincerely,
The Apple Customer Loyalty Team
Device Privacy: Using Wi-Fi
My stored Wi-Fi networks (com.apple.wifi.plist):
belkin.d36
belkin.d36.guests
HoundNet_Guest
xfinitywifi
DUKE
LCPS-OPEN
Residence_GUEST
Marriott_Guest
Kimpton
Marriott_CONFERENCE
Dunn_Bros_337!
Carlton
Device Privacy: Using Wi-Fi
Marriott_Guest entry:
<key>lastAutoJoined</key><date>2014-07-13T06:33:08</date>
<key>SSID_STR</key><string>Marriott_Guest</string>
<key>Strength</key><real>0.9104790687561035</real>
<key>CAPABILITIES</key>
<key>NOISE</key><integer>91</integer>
<key>isWPA</key><integer>0</integer>
<key>CaptiveNetwork</key><boolean>true</boolean>
<key>lastJoined</key><date>2014-07-12T16:22:16</date>
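Added example (not from the talk): a Python audit of a stored-network list in the style of the com.apple.wifi.plist entry above. It flags the entries the later "How to Protect Yourself" slides say you should make the device forget: open networks (isWPA=0), captive-portal networks, and networks you have not joined in a while. The plist text is constructed; the "List of known networks" key, the `<true/>` boolean form and the trailing "Z" on dates are assumptions about the real file's layout, needed for plistlib to parse it.

```python
import plistlib
from datetime import datetime, timedelta

# Constructed com.apple.wifi.plist fragment (not a real dump). The Marriott_Guest
# entry carries the values from the slide; the second network is invented. The
# "List of known networks" key, the <true/> boolean form and the trailing "Z" on
# dates are assumptions about the file's real layout, needed for plistlib to parse.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>List of known networks</key><array>
<dict>
 <key>SSID_STR</key><string>Marriott_Guest</string>
 <key>isWPA</key><integer>0</integer>
 <key>CaptiveNetwork</key><true/>
 <key>lastJoined</key><date>2014-07-12T16:22:16Z</date>
 <key>lastAutoJoined</key><date>2014-07-13T06:33:08Z</date>
</dict>
<dict>
 <key>SSID_STR</key><string>HomeNet-WPA2</string>
 <key>isWPA</key><integer>1</integer>
 <key>CaptiveNetwork</key><false/>
 <key>lastJoined</key><date>2014-09-01T20:05:00Z</date>
</dict>
</array></dict></plist>"""
AS_OF = datetime(2014, 9, 8)  # audit date; matches the slide's web-log example

def audit_known_networks(plist_bytes, now, max_age_days=30):
    """Return [(ssid, [reasons])] for stored networks the owner should tell the
    device to forget: open networks, captive-portal networks, and networks not
    joined within max_age_days (a stale entry still records where you have been
    and keeps the network eligible for auto-join)."""
    data = plistlib.loads(plist_bytes)
    findings = []
    for net in data.get("List of known networks", []):
        reasons = []
        if net.get("isWPA", 0) == 0:
            reasons.append("open network (isWPA=0)")
        if net.get("CaptiveNetwork"):
            reasons.append("captive portal")
        last = net.get("lastAutoJoined") or net.get("lastJoined")
        if last is None or now - last > timedelta(days=max_age_days):
            reasons.append("not joined in %d days" % max_age_days)
        if reasons:
            findings.append((net.get("SSID_STR", "?"), reasons))
    return findings

if __name__ == "__main__":
    for ssid, why in audit_known_networks(SAMPLE_PLIST, AS_OF):
        print(ssid, "->", ", ".join(why))
```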
Device Privacy: MAC
Ever get the feeling that you’re being watched?
http://qz.com/112873/this-recycling-bin-is-following-you/
This recycling bin is tracking you.
Device Privacy: MAC
http://www.moxieretail.com/storage/heat_map2.jpg
Ever get the feeling that you’re being watched?
Your supermarket is tracking you.
Why should you care?
Loyalty Card
You
A picture is worth 1,000 words…
http://sophosnews.files.wordpress.com/2012/12/mcafee-exif.jpg?w=640
…and some EXIF data as well…
Exif Image Size: 470 × 353
Make: Apple
Camera Model Name: iPhone 4
Orientation: Horizontal (normal)
Date/Time Original: 2012:12:03 12:26:00
Create Date: 2012:12:03 12:26:00
Flash: Off, Did not fire
GPS Latitude Ref: North
GPS Latitude: 15.658167 degrees
GPS Longitude Ref: West
GPS Longitude: 88.992167 degrees
GPS Altitude Ref: Above Sea Level
GPS Altitude: 7.152159468 m
Resolution: 72 pixels/inch
…and some geolocation, too.
Usage Privacy: Using email
iOS mail header:
X-Mailer: iPhone Mail (10B350)   [10B350 = iOS 6.1.4]
Android mail header:
X-Mailer: YahooMailAndroidMobile/3.1.3
Usage Privacy: Using Bluetooth
http://cnet3.cbsistatic.com/hub/i/r/2013/08/22/2cbcf893-6de6-11e3-913e-14feb5ca9861/resize/620x/e604bfe06973383ec0c3ca6323c35487/142B6607.jpg
How to Protect Yourself
» Location Services
  • Turn it off
  • Use it selectively
» Browsing
  • Use Onion browser (or other Tor equivalent)
  • Maintain awareness
» Wi-Fi
  • Do not connect to untrusted networks
    – (But if you do, assume everything you do is monitored)
    – (Also, tell your device to “forget” the network when you’re done.)
How to Protect Yourself
» EXIF Data
  • iOS
    – TrashExif
    – Metadata Cut
  • Android
    – EXIF Stripper
    – Photo Editor
How to Protect Yourself
» MAC Tracking
  • iOS
    – Upgrade to iOS 8
  • Android
    – Pry-Fi (requires rooting the device)
» Bluetooth
  • Delete any data from synced devices
    – This becomes increasingly applicable with iOS 8’s HealthKit
The End.
Rob Barnes
ww.linkedin.com/in/robertdbarnes
#YourPhoneHatesYou