Your Cell Phone is Covered in SpidersAn overview of the cell phone security landscape

Cooper Quintin@cooperqcooper@radicaldesigns.org

We are becoming increasingly dependent on mobile devicesWe are storing more and more data on them

Pictures

Videos

Contacts

Email

Social Graphs

Location History

Etc

As the amount of data increasesThe complexity increases

The desirability increases

The number of vulnerabilities increases

And there are a lot of vulnerabilities!

Things to Keep in Mind

physical access == phone can and will be completely compromised.

Also, you should assume that your phone will be compromised at some point.

Security is a Journey Not a DestinationThe more hurdles that you put up, the harder you make it for an attacker.

Time to compromise > Determination of attacker

Just because there are so many threats to cellular security doesn't mean you shouldn't take security seriously. There are still things you can do.

Threat ModelRandom attacks Malicious apps

Stolen / Lost phone

Targeted attacker Law Enforcement

Corporate Espionage

Personal Enemies

Signal Interception

Your Phone Company

Burner PhonesNo encryption

Trivial for Forensic Investigators

Closed Source

Usually no Screen Lock

iPhoneThe Bad

Closed source

Very little in the way of security apps

Default screen lock is a four digit number

Encryption tools that aren't free or open source

FDE keys are stored on phone and can be recovered

The Good

There is a stronger screen lock that can be enabled

Off The Record (OTR) Chatsecure (works with gibberbot)

PrivateGSM (Encrypted VOIP)

oh and an unofficial tor app (covert browser)

Less Malware

AndroidIMO The best phone for security

Open source

Lots of security tools

Lots of encryption tools

Strong Screen lock

Guardian Project

Lets Talk About Threat Models Again

Currently in California (and many other states) an arresting officer can search your phone if it does not have a password lock on it.CA Supreme Court, People vs. DiazTherefore, under Diaz, if you're arrested while carrying a mobile phone on your person, police are free to rifle through your text messages, images, and any other files stored locally on your phone. Any incriminating evidence found on your phone can be used against you in court.

Law Enforcement Investigators are Looking for:Subscriber & Equipment Identifiers

Contacts

Appointment Calendar

SMS, Text Messages, Instant Messages, Email

Call Logs

Photos, Audio and Video

Documents

Location Data

Forensic Methods

Recovering screen lock Recovery mode or google account

Recovery Mode

Cellbrite and UFED

JTAG

SolutionsHave a strong screen lock and a short timeout

Turn USB Debugging off This makes forensics a lot harder

Don't tell them your password

Encryption (Text Secure, LUKS, Device encryption)

Signal InterceptionThreats

Fake Cellular Towers / Drones

USRP/GNU Radio

Snooping as a Service

Cellular companies will provide wiretaps without even a warrant

Solutions

Encrypted Calls (Redphone)

Encrypted Text (Textsecure)

Talk in Person (This is the Most Secure)

Screen LockFace Unlock

Pattern

Pin

Password

Screen LockFace Unlock

The Worst

Your phone can be unlocked with a picture of you

Pattern

Grease from fingers leaves pattern on screen

Only 9! or 362880 combinations

Easily Guessed

Numeric Pin

Slightly better, smudge can be mitigated by lack of order, or by pressing the same number more than once

10^16 possible combinations

Screen LockPassword

Approx 2.3 * 10^30 combinations (assuming max length password with all possible chars)

The most secure option

With A-Za-z0-9 and a 10 character long pass has a key space of 839 quadrillion passwords

Would take a desktop approx 647000 days to crack

Would take a super computer < 100 days to crack

Very hard to guess a strong password

This is all Useless if an Attacker can Circumvent Your Lock Screen Physical access to a rooted phone with USB debugging on

Recovery mods

JTAG Interface

SolutionsChoose a strong screen lock

TURN OFF USB DEBUGGING

Disk Encryption

Use 2 factor authentication on google

Lost and Stolen PhonesPhone Finding Applications

Remote wipePrey (Cross platform, open source)

Poison Pill (Open Source)

Lookout

Droid Tracker

Strong Screen lock

Report to The Provider?They probably don't give a damn.

MalwareVendor and Espianage malware

This stuff is extremely sophisticated

FinFisher

CarrierIQVoodo carrierIQ

Standard, untargeted malwarePersonal Data Theft

Premium SMS

The usual suspects (spyware, trojans, phishing)

Facebook

SolutionsDroidwall (require root)Unfortunately no longer open source

Try Android firewall or AFwall

Be careful what you install

Antivirus (lookout, etc.)

Be wary of third party app stores

Permission Selection Apps (require root)

Permissions Denied

Cyanogenmod

Root your phone and remove the bloatware

Of Course, Even an App with No Permissions Can do a LotRead files from SD card

Get a list of packages

Access insecure application files

Read gsm and sim vendor ID's

Read android id (unique to your phone)

Call home with a get request

Other Attacks

NFCCan completely control the phone just by touching it.

Can open up a browser, get photos, videos, contacts, etc.

Even Bugger overflows

QR Phishing

Baseband Attacks

Disk EncryptionOn some devices since android 3 (honeycomb)Encrypts the /data partition

Encrypts the /sdcard sometimes, YMMV

DM_Crypt : tried and true

Uses your lockscreen pin/password as the key

VULNERABLE TO COLD BOOT ATTACK (Frost)

Truecrypt (Cryptonite)

Luks Manager (can be used to encrypt SD card)

IOCypher (for devs, still alpha)Allows you to create an encrypted virtual FS for your app.

Call EncryptionOSTN

Open {Secure, Source, Standards} Telephony (Network)

Federated, Open Source

Does not stop censorship or provide anonymity

http://ostel.me

Red PhoneOpen Source client, Closed source server

Easy to use

Does not stop censorship or provide anonymity

Other EncryptionGibberbot (OTR, encrypts chat)

APG (PGP for Android)

Orbot and Orweb (Technically anonymity not enc.)

OpenVPN (encrypts your internet connection)

Notecipher

Sqlcipher

Text Secure

RedPhone

Other Usefull AppsDuck Duck Go Alternateive search engine

Keepass - Password Vault

Adaway - Adblocking for Android

Fdroid Alternative Open Source App Store

Obscuracam - Block peoples faces in sensetive photo

Cacert manager Revoke untrusted root ca certs

Firefox

Iptableslog Log the traffic coming from your phone

Shark Capture packets from your phone

Alogcat View Android Logs

In Conclusion...Turn off USB debugging!

Keep your phone on you

Trust what you install (Open Source Rules!)

Root and install custom firmware

Use a stronger screen lock

Audit your phone

Encrypt Everything!

Open Source Presentation! Get it on Github!

https://github.com/cooperq/spiders

Thank You!Cooper Quintincooper@radicaldesigns.orgTwitter: @cooperqJabber: cooperq@jabber.ccc.deOTR: 9B3470B9 B1F10651 B5840FEB 026D6CF7 2D949F6FPGP: 75FB9347 FA4B22A0 5068080B D0EA7B6F F0AFE2CA

Click to edit the title text format

Click to edit the outline text formatSecond Outline LevelThird Outline LevelFourth Outline LevelFifth Outline LevelSixth Outline LevelSeventh Outline LevelEighth Outline LevelNinth Outline Level

Click to edit the outline text formatSecond Outline LevelThird Outline LevelFourth Outline LevelFifth Outline LevelSixth Outline LevelSeventh Outline LevelEighth Outline LevelNinth Outline Level