transparent smartphone spying
Transparent Smartphone Spying
Georgia Weidman
Agenda
• Smartphone Overview
• Evil Applications
• Evil Jailbreaks
• Baseband Spying
• Mitigation Strategies
What is a Smartphone?
Data Stored and Transmitted
• Personal info
• Work info
• Location info
• Account info
Privacy of Transmitted Data
• Mobile communication standards
• Encoding vs. Encryption
• Attacks against privacy
Privacy Matters: Text Messages
• “Hi meet me for lunch”
• “Meet me for lunch while my wife is out”
• “Here are your bank account credentials”
Privacy Required Examples
• Vendor text messages
  – Vendor advertisements
  – Provider messages
• Mobile banking
  – Balance sheet
  – Electronic bill paying
  – One time passwords
Evil Applications
Application Stores
• iPhone
  – Expensive
  – Identity Verified
  – Closed
  – Certificate Authority
• Android
  – Cheap
  – Open
  – Anonymous
  – Self signed
Application Protections: iPhone
• ASLR
• Mandatory code signing
• No dynamic code loading
• Sandboxed
Application Protections: Android
• Users accept permissions
Our Text Message Example
• Permission to read text message (SMS) database
• Specific permission to send text (SMS) messages
• Without user consent, application cannot access this information
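The permission model above can be checked mechanically before an app is approved or installed. The following is an added example, not part of the original slides: it assumes a manifest already decoded to text XML, and the sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# SMS-related permissions and what each one lets an app do.
SMS_PERMISSIONS = {
    "READ_SMS": "read the stored text message database",
    "RECEIVE_SMS": "see incoming text messages as they arrive",
    "SEND_SMS": "send text messages",
}

def requested_permissions(manifest_xml):
    """Return short names of all <uses-permission> entries in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):
            names.add(name[len(PREFIX):])
    return names

def review_sms_access(manifest_xml):
    """List findings a reviewer should weigh against the app's stated purpose."""
    perms = requested_permissions(manifest_xml)
    findings = [f"{p}: app can {what}"
                for p, what in SMS_PERMISSIONS.items() if p in perms]
    can_see = perms & {"READ_SMS", "RECEIVE_SMS"}
    # Combinations matter more than single permissions: reading plus any
    # outbound channel means message contents can leave the device.
    if can_see and "INTERNET" in perms:
        findings.append("message access + INTERNET: contents can leave the device")
    if can_see and "SEND_SMS" in perms:
        findings.append("message access + SEND_SMS: messages can be relayed by SMS")
    return findings

# Constructed sample manifest for a hypothetical app (not from the talk).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for finding in review_sms_access(SAMPLE_MANIFEST):
        print(finding)
```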
Is this system working to protect users?
Are users making good decisions about application permissions?
Top Android App of all Time
Demo
Demo: Application abusing permissions
Abusing the Android Sandbox
• Load exploit code at runtime
• Safe application becomes malicious application
• In the wild: DroidDream
• In the lab: Rootstrap
Evil Jailbreak
Jailbreaking
• Get root privileges
• Expand feature set
• Run unapproved (3rd party) apps
Jailbreaking Gone Wild
• Run this code
• It jailbreaks your phone
• What else does it do?
So I’ve exploited a phone, what now?
Baseband Spying
• Read all data sent/received by the phone
• Intercept data before it reaches the user/before it is sent
How an GSM is sent and received
© Georgia Weidman 2011
Malicious Proxy
• Intercept data
• Send data
• Alter data
• Botnet functionality
Demo
Demo: Stealing Text Messages
Mitigation Strategies
• User Awareness
• Encryption
• Updating
• Code signing
Contact
Georgia Weidman, Security Consultant
Neohapsis, Inc.
Email: [email protected]@neohapsis.com
Website: http://www.neohapsis.com http://www.grmn00bs.com
Twitter: @vincentkadmon