your smartphone - a spy in the pocket?

. . . . . .

Your smartphone - a spy in the pocket?

Denis Simonet

February 23, 2014

Denis Simonet () Your smartphone - a spy in the pocket? February 23, 2014 1 / 23

. . . . . .

Outline

...1 Malware on smartphones

...2 GSM issues

...3 Conclusion


. . . . . .

Malware analysisJuniper Networks Third Annual Mobile Threats Report


. . . . . .

Malware analysisTechnical report from the Northwestern University

A majority of [anti-malware products] can be trivially defeated byapplying slight transformation over known malware with littleeffort.


. . . . . .

Malware analysisWiFi vs. Cellular networks

WiFi GSM, UMTS, LTE

Very popular Very popular

License-free radio spectrum Licensed radio spectrum

Cheap hardware Expensive hardware

Available to anyone Typically limited to professional operators

Easy to monitor No popular analysis tools available


. . . . . .

Malware analysisBase station

sysmoBTS for 2500AC (on themarket since 2012)

Operated with the free softwareproject Osmocom

Network in the box▶ GSM voice▶ SMS▶ GPRS


. . . . . .

Malware analysisOur set-up


. . . . . .

Malware analysisCapturing with Wireshark


. . . . . .

Malware Analysis

Two tests:

Jewels Star 2, a free game from Google Play Store

iSpyoo, spyware as a service


. . . . . .

Malware AnalysisJewels Star 2

Sends information to at least five advertising providers

Uses HTTP (i.e. no transport encryption)

Captured requests include information on the deviceand its location


. . . . . .

Malware AnalysisiSpyoo


. . . . . .

Malware AnalysisiSpyoo

Remote control target phone through web interface

Easy to handle

Functionality dependant on a monthly fee

Data is sent to a dedicated server in plain text


. . . . . .

Malware analysisFindings by c’t: Foursquare

“Find friends” transmits:▶ eMail adresses▶ phone numbers

Do your friends agree on that?


. . . . . .

Malware analysisFindings by c’t: Other apps

Shazam: Position, IP address, Android ID

Who Wants to Be a Millionaire?: List of installed apps

Samsung Chat On: IMEI, phone number

MyXperia: Position, IMSI, phone number, hardware information(without enabling this service!)


. . . . . .

Malware analysisDoes a flash light need to know your location?


. . . . . .

Malware analysisReactions

Many people do not seem to really care▶ “I have nothing to hide”▶ “My data is not important”▶ “I don’t care”

The NSA is interested in advertising providers!


. . . . . .

GSM issuesOsmocom

Osmocom (the software used) provides many possibilities:▶ Run an own baseband on cheap cell phones▶ Run an own GSM network▶ Play with SIM’s▶ . . .

Facilitates GSM research

Interesting summary at 30C3 by Nohl/Melette: Mobile networkattack evolution


. . . . . .

GSM issuesKnown GSM issues

No mutual authentication between phone and network

Weak encryption algorithms

Encryption is optional

Network can obtain positional information from phone


. . . . . .

GSM issuesSniffing GSM

OsmocomBB can be used to analyse GSM traffic

E.g. find whether a cell phone is in your vicinity. . .

. . . or even decrypt phone calls! (Nohl/Munaut @ 27C3)


. . . . . .

GSM issuesBaseband processor

Closed and closed-minded business

Lacks modern security features (stack protection, address spacerandomisation, . . . )

Stability: Wrong messages lead to crashes. They did not evenintentionally send wrong information and phones already crashed.

GSM spec have many options which no real network uses. Potentialattack vectors.

See: Harald Welte @ Linux Kongress 2010


. . . . . .

GSM issuesSIM card attacks

Remote injections on the SIM card by anybody

Applications can break out of the sandbox and read any data

E.g. send the current location every 5 minutes

Stays installed on the SIM even if you put it into a new phone


. . . . . .

What to do?


. . . . . .

What to do?

Only industry can fix most of the issues

Be careful what applications you install

Disable pre-installed applications

Do not consider GSM as a secure channel


your smartphone - a spy in the pocket?

Documents