![Page 1: Bridge Attack - media.defcon.org CON China 1/DEF CON... · Ø Android: Javascript in WebView ... Open-Port Analyze Bridge Protocal Send Request Action Dispatch IOT In Private Networks](https://reader033.vdocument.in/reader033/viewer/2022052723/5f0ee7567e708231d44181ea/html5/thumbnails/1.jpg)
Zidong Han
Bridge Attack — Double-edged Sword in MobileSec
Page 2: Self Introduction
- Mobile security researcher, Tencent Mobile Security Labs Razor Team
- Focuses on app vulnerability and IoT-related security
- GeekPwn 2018 winner in “Hacker Pwn in House”
- HITB-SECCONF-2018-Beijing
Page 3: Agenda
- What is a Bridge Attack
- Why a Bridge Attack
- Bridge Attack and Exploit Cases
- Defense against the Bridge Attack
- Conclusion
Page 4: What is a Bridge Attack
Page 5: Develop Fast Without Risk?
Page 6: What is an Abstract Bridge
(Diagram: an Abstract Bridge connecting Browser, Mobile App and IoT Device)
- Mobile App
  - Android: JavaScript in WebView
  - iOS: UIWebView / WKWebView
- IoT Device
  - DLNA / UPnP / WebSocket
Page 7: “Unofficial” definition of Bridge Attack
(Diagram labels: Browser Attack; User; URL Payload; Abstract Bridge; Parse URL; Send Exploit Result; JsBridge; IoTBridge; …; Mobile Application; LAN IoT Device)
Page 8: Why a Bridge Attack
Page 9: WebView Attacks in the Past
- Using addJavascriptInterface to RCE
  - CVE-2012-6336
- WebView cross-domain risk
  - setAllowFileAccess
  - setAllowFileAccessFromFileURLs
  - setAllowUniversalAccessFromFileURLs
- URL Scheme Attack
  - `<scheme>://<host>:<port>/<path>?<query>` with an exported component
Page 10: Difference in Bridge Attack
- More attack surface
- Vulnerability effect amplified by the bridge ability
- Both mobile apps & IoT devices
Page 11: Bridge Attack and Exploit Cases
Page 12: Bridge Attack Surface in Mobile Application
(Diagram: Malicious Request → Bridge in Application & WebView / Browser → Scheme Parse → Identification Check (Bypass / Recognize) → Fake Function Call → Action Dispatch → Mobile Device)
Page 13: Bypass Identification Check
- XSS attack from URL
- Insecure domain check (CSRF)
- JS Bridge (@JavascriptInterface) man-in-the-middle attack
Page 14: Insecure Check Case I
Naive host checks such as `str.contains("safe.com")` or `str.endsWith("safe.com")` both accept `123safe.com`.
Page 15: Exploit JsBridge Ability
- Custom JsApi: better or worse?
- An easy web attack can become CSRF inside apps
Page 16: Insecure Check Case II
`http://xxx.com/mobile/middle_page/index.html?url=javascript:alert(document.cookie);//m2.mobike.com`
What can we do besides stealing the cookie?
Page 17: Insecure Check Case II
Payload question:
- import a JS file from an outer URL
- exec any sensitive JsApi
- send user-sensitive data to a malicious URL
Page 18: Insecure Check Case II
- Import the jsapi file
- Call the getUserInfo jsapi
- Call the sendRequest jsapi to get pay info
- Steal the user's pay info
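As an added example (not code from the talk), the host check behind Case I and Case II written in JavaScript so it runs offline; on Android the real check lives in the app's Java/Kotlin, but the logic is identical. `safe.com` is the slides' placeholder domain, `isTrustedUrl` and `safeRedirectTarget` are names chosen here, and the two `naive*` functions reproduce the slides' checks for contrast. The only inputs used are the ones on the slides.

```javascript
// Added example, not code from the talk: the host check behind "Insecure Check"
// Case I and Case II, with the slides' naive variants kept for contrast.
// "safe.com" is the slides' placeholder domain; function names are chosen here.

// The slides' naive checks: substring / suffix tests on the raw URL string.
// Both accept "http://123safe.com" and anything that merely mentions the host.
function naiveContains(rawUrl, host) {
  return rawUrl.includes(host);
}
function naiveEndsWith(rawUrl, host) {
  return rawUrl.endsWith(host);
}

// Hardened check: parse with the WHATWG URL parser, accept only http(s), then
// compare the parsed hostname exactly or as a dot-separated subdomain. A
// "javascript:" URL parses with an empty hostname and is rejected by scheme.
function isTrustedUrl(rawUrl, trustedHosts) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return false; // not an absolute URL at all
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return false;
  const host = u.hostname.toLowerCase();
  return trustedHosts.some(t => host === t || host.endsWith("." + t));
}

// For a "middle page" redirector like the one on the slide: pull the ?url=
// parameter out and only return it when it passes the hardened check.
function safeRedirectTarget(pageUrl, trustedHosts) {
  let target;
  try {
    target = new URL(pageUrl).searchParams.get("url");
  } catch (e) {
    return null;
  }
  return target !== null && isTrustedUrl(target, trustedHosts) ? target : null;
}

// Stand-alone demo with the slides' own inputs.
const SLIDE_PAYLOAD =
  "http://xxx.com/mobile/middle_page/index.html?url=javascript:alert(document.cookie);//m2.mobike.com";
console.log("contains:", naiveContains("http://123safe.com", "safe.com"));      // true (bad)
console.log("endsWith:", naiveEndsWith("http://123safe.com", "safe.com"));      // true (bad)
console.log("hardened:", isTrustedUrl("http://123safe.com", ["safe.com"]));     // false
console.log("redirect:", safeRedirectTarget(SLIDE_PAYLOAD, ["m2.mobike.com"])); // null
```

The point of parsing first is that the comparison runs on the hostname the platform will actually connect to, not on a string the attacker controls end to end: `123safe.com` is a different registrable domain, and a `javascript:` target never has a host at all, so both fail before any suffix test is reached.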
Page 19: Attack From A Malicious URL
(Diagram labels: Complete Exploit; Payload URL; Load; WebView Container; H5; JsBridge; Pay; Native JsAPI; Attacker; User Space; JsBridge Ability; Info API; Native Event; Steal Info; RCE/LCE; Worm; Native Code; Exec; JavaScript; Parse URI; LCE)
Page 20: What is Different in the IoT Bridge
- Penetrate the LAN from a WAN attack
  - DNS rebinding
  - Bridge attack in the brain app
  - Other remote attack entries
- Persistent attack during exploitation
  - More “broilers” (compromised hosts) can be chosen in a LAN
  - More attack modes can be designed and used
Page 21: IoT in Private Networks
(Diagram: IoT Bridge with Cloud Server — Cloud Server; Application; Abstract IoT Bridge; Command Request / Command Response)
Page 22: IoT in Private Networks
(Diagram: IoT Bridge without Cloud Server — Application; Abstract IoT Bridge; UPnP; WebSocket; Other Protocol)
Page 23: Bridge Attack Surface in IoT Devices
(Diagram: DNS Rebinding → Browser → Private Network → Bridge in IoT Device: Open-Port Analysis → Bridge Protocol → Send Request → Action Dispatch → IoT in Private Networks)
Page 24: IoT Bridge Attack Case I
DLNA Action
- Exposes some interfaces with no identity checking
- Basically controls media playability
- Specially, injects a backdoor into the TV
Page 25: IoT Bridge Attack Case I
- Sensitive UPnP actions make security worse
- RemoteDownload → InstallApp → LaunchApp
- Attacker entering the private network
Page 26: IoT Bridge Attack Case II
- Center app with no code protection
- Communicates with the TV with no identity check
- Remote attack on the smart TV by imitating the center app's actions
Page 27: Defense against the Bridge Attack
- For JsBridge:
  - Check identification seriously
  - Constrain the permissions of the bridge ability
  - Ensure communication security with an encrypted channel (e.g. HTTPS)
- For IoT bridge:
  - Same security policy as JsBridge
  - Be cautious in expanding and abusing the bridge ability
  - Make sure your command actions carry authentication tickets
Page 28: Conclusion
- More targets: mobile apps and IoT devices
- Attack surface: integrates web attacks with app/IoT attacks
- Easy to use: by only a malicious URL, and can even spread quickly and widely
- Exploit ability: RCE/LCE, sensitive information leak, APT
Page 29: Thanks