iasi code camp 20 april 2013 playing buggy-bogdan-alecu

Playing boogie buggy Bogdan ALECU

Upload: codecampiasi

Post on 26-May-2015

Category:

Technology


TRANSCRIPT

Page 1: Iasi code camp 20 april 2013 playing buggy-bogdan-alecu

Playing boogie buggy

Bogdan ALECU

Page 2:

Topics

▪ About me

▪ The buggy world

▪ Where does your data go?


Page 3:

About me

▪ Independent security researcher

▪ Sysadmin @ LEVI9

▪ Passionate about security, especially when it’s related to mobile devices; CISSP, CEH, CISA, CCSP

▪ #infosec conferences: DeepSec, DefCamp, EUSecWest

▪ Started with NetMonitor, continued with VoIP and finally GSM networks / mobile phones

▪ @msecnet / www.m-sec.net / [email protected]

Page 4:

The buggy world

▪ Developers

▪ Testers

▪ Customers

▪ How do you test?

▪ But is it enough?

Page 5:

The buggy world

READY FOR SOME REAL LIFE EXAMPLES?

Pages 6 to 9:

The buggy world

(slides with no transcribed text)

Pages 10 to 15:

The buggy world

(slides with no transcribed text; pages 10, 12 and 14 each carry the same takeaway)

NEVER trust the user’s input!

Page 16:

The buggy world

▪ 20K application

▪ Two-factor authentication

▪ IP-based ACL

▪ User authenticated automatically if …

… coming from the right internal IP

Page 17:

The buggy world

PLEASE CHECK YOUR HEADERS

Page 18:

The buggy world

▪ How was the IP address checked?

Page 19:

The buggy world

▪ The X-Forwarded-For HTTP header, a value any client can set on its own request

Page 20:

The buggy world

▪ Modify Headers – Firefox Extension

▪ https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
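The slides above describe the bug and the tool used to trigger it; the following is an added example, not code from the talk, showing the naive check beside a hardened one. Addresses, the internal ranges and the single trusted proxy at 10.0.0.2 are constructed for the example, not the application from the talk. The hardened version only reads X-Forwarded-For when the TCP peer is a proxy we operate, and even then takes the right-most hop that is not one of our proxies, so a value the client typed into the header (the Modify Headers trick) never becomes the "client IP".

```python
import ipaddress

# Constructed deployment for this example: one reverse proxy at 10.0.0.2,
# and "internal" meaning the RFC 1918 ranges below.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def is_internal(ip):
    """True if ip (str or ip_address object) lies in one of the internal ranges."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in INTERNAL_NETS)


def client_ip_naive(remote_addr, headers):
    """The buggy pattern from the talk: whatever the client put in
    X-Forwarded-For wins, regardless of who actually connected."""
    xff = headers.get("X-Forwarded-For", "")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Hardened: honour X-Forwarded-For only when the TCP peer is a proxy we run,
    then walk the chain from the right (the hop our proxy appended) towards the
    left and return the first address that is not one of our proxies.
    Returns None when the chain is malformed; callers must treat None as unknown."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies:
        return peer                       # direct connection: the header is untrusted noise
    raw = headers.get("X-Forwarded-For", "")
    try:
        chain = [ipaddress.ip_address(h.strip()) for h in raw.split(",") if h.strip()]
    except ValueError:
        return None                       # garbage in the chain: refuse to guess
    for hop in reversed(chain):
        if hop not in trusted_proxies:
            return hop
    return None                           # every hop is ours: no client address at all


def auto_login(remote_addr, headers, resolver=client_ip):
    """The decision the talk describes: skip two-factor auth for internal IPs.
    With resolver=client_ip_naive an outside attacker passes by sending
    'X-Forwarded-For: 10.0.0.5'; with the default resolver they do not."""
    ip = resolver(remote_addr, headers)
    return ip is not None and is_internal(ip)
```

The important design choice is failing closed: a malformed or fully-trusted chain yields None and therefore no automatic login, rather than falling back to the proxy's own (internal) address, which would reintroduce the bypass from inside the proxy tier.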

Page 21:

The buggy world

(slide with no transcribed text)

Page 22:

The buggy world

▪ Try accessing the website while pretending to be browsing from your mobile device

▪ You would be surprised at the instant access you get

▪ No luck? Try Googlebot!

▪ If your logs show sensitive content being accessed by Googlebot, will you worry?
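A User-Agent string is just another header the client writes, so a site that opens up for "Googlebot" opens up for anyone. The following is an added example, not code from the talk, that puts the User-Agent-only check beside the verification Google documents for its crawler: reverse-resolve the connecting address, require the PTR name to be under googlebot.com or google.com, then forward-resolve that name and require it to contain the same address. The resolver data below is constructed (TEST-NET addresses and made-up hostnames) so the example runs offline; the two `dns_*` functions are live-lookup variants for real use.

```python
import socket

# Reverse-DNS suffixes Google documents for its crawler hostnames.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def claims_googlebot(user_agent):
    """The buggy check from the talk: trust the User-Agent string alone."""
    return "googlebot" in user_agent.lower()


def dns_reverse(ip):
    """Live PTR lookup; returns the hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def dns_forward(hostname):
    """Live address lookup; returns the set of addresses the name resolves to."""
    try:
        return set(socket.gethostbyname_ex(hostname)[2])
    except OSError:
        return set()


def is_verified_crawler(ip, reverse_lookup=dns_reverse, forward_lookup=dns_forward,
                        suffixes=GOOGLE_SUFFIXES):
    """Forward-confirmed reverse DNS. Anyone can publish a PTR record for their
    own address space that says 'googlebot.com', so the name alone proves nothing;
    the forward lookup must resolve back to the address that connected."""
    host = reverse_lookup(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not host.endswith(suffixes):
        return False
    return ip in forward_lookup(host)


def grant_crawler_access(ip, user_agent, **lookups):
    """Honour a crawler User-Agent only when the address checks out."""
    return claims_googlebot(user_agent) and is_verified_crawler(ip, **lookups)


# Constructed resolver data for offline use (not real DNS answers).
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # forward-confirms: genuine
    "198.51.100.7": "crawl.googlebot.com",            # attacker-set PTR: does not confirm
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "crawl.googlebot.com": {"192.0.2.99"},
}


def fake_reverse(ip):
    return FAKE_PTR.get(ip)


def fake_forward(host):
    return FAKE_A.get(host, set())


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    for addr in FAKE_PTR:
        print(addr, "UA-only:", claims_googlebot(GOOGLEBOT_UA),
              "verified:", grant_crawler_access(addr, GOOGLEBOT_UA,
                                                reverse_lookup=fake_reverse,
                                                forward_lookup=fake_forward))
```

Run with the fake resolvers, the UA-only check says yes for both addresses while the verified check admits only 192.0.2.10. The same forward-confirmed pattern applies to any "trusted bot" exception, and it is also the right way to answer the question on the slide: an access logged as Googlebot is only reassuring once the address has been confirmed.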

Page 23:

The buggy world

▪ Those damn headers …

DEMO time

Page 24:

The buggy world

▪ Sending the right headers can open a lot of doors: gating on a header value is security by obscurity

Page 25:

The buggy world

▪ Those damn headers … AGAIN!

Yet another demo

Page 26:

The buggy world

▪ Don’t bullshit me: admit your weakness!

Page 27:

The buggy world

▪ Implementation gone wild

▪ How many of you use the Internet on your mobile device?

▪ Do you know what DNS is?

Page 28:

The buggy world

Set up a VPN server on UDP port 53 (the DNS port)

… and connect to your server

… pass the traffic to the Internet

UNLIMITED MOBILE DATA TRAFFIC!

The trick works because the carrier's filter lets DNS through even when the data plan is exhausted or blocked, and it matches on the port alone, so anything sent over UDP/53 rides along unmetered.
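From the operator's side the fix is to stop treating "port 53" as "DNS". The following is an added example, not from the talk, of the two checks that separate the two: a strict parser that asks whether a UDP/53 datagram can actually be a DNS message, and a flow-shape rule that flags UDP/53 flows too large and too long-lived to be name resolution. The flow record layout and all sample traffic are constructed for the example; real exporters name the fields differently.

```python
import struct

MAX_DNS_MESSAGE = 4096      # EDNS(0) ceiling; anything larger over UDP/53 is not DNS


def parse_dns_query(payload):
    """Parse a DNS header and the first question. Returns a dict, or None if
    the bytes cannot be a DNS message. Deliberately strict: the question is
    'is this really DNS?', not 'could a lenient resolver cope with it?'."""
    if len(payload) < 12 or len(payload) > MAX_DNS_MESSAGE:
        return None
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):      # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        return None
    if not 1 <= qdcount <= 8:              # real clients send one question
        return None
    pos, labels = 12, []
    while True:                            # length-prefixed labels, zero byte ends the name
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            return None                    # label too long or runs off the end
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": msg_id, "qr": flags >> 15, "opcode": opcode,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def looks_like_dns(payload):
    return parse_dns_query(payload) is not None


def suspicious_udp53_flows(flows, max_avg_packet=600, max_bytes=1_000_000):
    """Flag UDP/53 flows whose shape does not match name resolution. A lookup
    is a few small packets; a VPN on the same port is a long flow of large
    packets. Each flow is a dict with proto, dport, packets, bytes."""
    flagged = []
    for f in flows:
        if f["proto"] != "udp" or f["dport"] != 53 or f["packets"] == 0:
            continue
        avg = f["bytes"] / f["packets"]
        if avg > max_avg_packet or f["bytes"] > max_bytes:
            flagged.append(f)
    return flagged


def build_dns_query(name, msg_id=0x1234):
    """Construct a plain A query for `name` (used only to make sample traffic)."""
    header = struct.pack("!6H", msg_id, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


# Constructed samples: a genuine query and an arbitrary non-DNS datagram
# (the second one has 1029 in the question-count field and bogus labels).
SAMPLE_QUERY = build_dns_query("example.com")
SAMPLE_TUNNEL = b"\x38" + bytes(range(1, 60))

# Constructed flow records: one lookup, one tunnel, one unrelated HTTPS flow.
SAMPLE_FLOWS = [
    {"src": "10.1.1.5", "dst": "198.51.100.53", "proto": "udp", "dport": 53, "packets": 2, "bytes": 150},
    {"src": "10.1.1.5", "dst": "203.0.113.9", "proto": "udp", "dport": 53, "packets": 40_000, "bytes": 45_000_000},
    {"src": "10.1.1.5", "dst": "203.0.113.9", "proto": "tcp", "dport": 443, "packets": 500, "bytes": 600_000},
]
```

The payload check catches the easy case (a tunnel that does not bother to look like DNS); a tunnel that wraps its data in valid-looking queries defeats it, which is why the flow-shape rule runs alongside: no legitimate resolver exchanges 45 MB with one client on UDP/53.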

Page 29:

The buggy world

(slide with no transcribed text)

Page 30:

The buggy world

▪ The standard itself may have issues

Pages 31 and 32:

The buggy world

▪ SIM Toolkit

Page 33:

The buggy world

▪ SIM Toolkit

▪ Vulnerability discovered in June 2010

▪ Reported on August 26 2010

▪ CVE-2010-3612

Pages 34 and 35:

The buggy world

(slides with no transcribed text)

Page 36:

The buggy world

▪ SIM Toolkit

… and the demo

Page 37:

The buggy world

▪ FIX THIS NOW!

Page 38:

Where does your data go?

(slide with no transcribed text)

Page 39:

Where does your data go?

▪ Is the data securely transferred?

▪ What info is the app sending?

▪ When does it send the info?

▪ Does the app accept any certificate?

▪ What is stored locally?

Page 41:

Where does your data go?

▪ Short demo

Page 42:

Call to action

▪ Don’t rely on things most users have no idea how to check to make your app secure. You might meet someone like me, and it will get ugly

▪ Write your code in a secure way

▪ Testers: learn how to really test mobile apps. It’s not all about the user experience!

Page 43:

The end?!?

Thank you all!

Don’t forget about feedback forms

www.m-sec.net / @msecnet