your cell phone is covered in spiders
TRANSCRIPT
Your Cell Phone is Covered in Spiders
An overview of the cell phone security landscape
Cooper Quintin@[email protected]
We are becoming increasingly dependent on mobile devices
We are storing more and more data on them
Pictures
Videos
Contacts
Social Graphs
Location History
Etc
As the amount of data increases
The complexity increases
The desirability increases
The number of vulnerabilities increases
And there are a lot of vulnerabilities!
Things to Keep in Mind
Physical access == the phone can and will be completely compromised.
Also, you should assume that your phone will be compromised at some point.
Security is a Journey Not a Destination
The more hurdles that you put up, the harder you make it for an attacker.
Time to compromise > Determination of attacker
Just because there are so many threats to cellular security doesn't mean you shouldn't take security seriously. There are still things you can do.
Threat Model
Random attacks
Malicious apps
Stolen / Lost phone
Targeted attacker
Law Enforcement
Corporate Espionage
Personal Enemies
Signal Interception
Your Phone Company
Burner Phones
No encryption
Trivial for Forensic Investigators
Closed Source
Usually no Screen Lock
iPhone
The Bad
Closed source
Very little in the way of security apps
Default screen lock is a four digit number
Encryption tools that aren't free or open source
FDE keys are stored on phone and can be recovered
The Good
There is a stronger screen lock that can be enabled
Off The Record (OTR): ChatSecure (works with Gibberbot)
PrivateGSM (encrypted VoIP)
Oh, and an unofficial Tor app (Covert Browser)
Less Malware
Android
IMO the best phone for security
Open source
Lots of security tools
Lots of encryption tools
Strong Screen lock
Guardian Project
Lets Talk About Threat Models Again
Currently in California (and many other states) an arresting officer can search your phone if it does not have a password lock on it.
CA Supreme Court, People vs. Diaz
Therefore, under Diaz, if you're arrested while carrying a mobile phone on your person, police are free to rifle through your text messages, images, and any other files stored locally on your phone. Any incriminating evidence found on your phone can be used against you in court.
Law Enforcement Investigators are Looking for:
Subscriber & Equipment Identifiers
Contacts
Appointment Calendar
SMS, Text Messages, Instant Messages, Email
Call Logs
Photos, Audio and Video
Documents
Location Data
Forensic Methods
Recovering the screen lock: recovery mode or Google account
Recovery Mode
Cellebrite and UFED
JTAG
Solutions
Have a strong screen lock and a short timeout
Turn USB Debugging off. This makes forensics a lot harder.
Don't tell them your password
Encryption (TextSecure, LUKS, device encryption)
Signal Interception
Threats
Fake Cellular Towers / Drones
USRP/GNU Radio
Snooping as a Service
Cellular companies will provide wiretaps without even a warrant
Solutions
Encrypted Calls (RedPhone)
Encrypted Text (TextSecure)
Talk in Person (This is the Most Secure)
Screen Lock
Face Unlock
Pattern
Pin
Password
Screen Lock
Face Unlock
The Worst
Your phone can be unlocked with a picture of you
Pattern
Grease from your fingers leaves the pattern on the screen
Only 9! or 362880 combinations
Easily Guessed
Numeric Pin
Slightly better; smudges can be mitigated by the lack of order, or by pressing the same number more than once
10^16 possible combinations
Screen Lock
Password
Approx 2.3 * 10^30 combinations (assuming max length password with all possible chars)
The most secure option
With A-Za-z0-9 and a 10-character-long password, the key space is 839 quadrillion passwords
Would take a desktop approx 647000 days to crack
Would take a super computer < 100 days to crack
Very hard to guess a strong password
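The key-space and time-to-crack figures on these slides, carried through as a small calculator (an added example, not part of the talk). The guess rates are assumptions picked so that the desktop figure lands near the slide's "approx 647000 days" for a 10-character A-Za-z0-9 password; real rates depend on the hardware and the hash.

```python
"""Search-space and brute-force-time estimates for the lock types on the slides.

Added example, not from the talk. Guess rates are assumed, not measured.
"""
import math
import string

ALNUM = string.ascii_letters + string.digits   # A-Za-z0-9, 62 symbols
DESKTOP_RATE = 1.5e7         # assumed guesses/second for one desktop
SUPERCOMPUTER_RATE = 1e11    # assumed guesses/second for a large cluster

def pattern_space():
    """The slide's figure for a 9-dot pattern: 9! orderings of all nine dots."""
    return math.factorial(9)

def keyspace(alphabet_size, max_len, min_len=None):
    """Number of secrets of length min_len..max_len over an alphabet.

    With min_len == max_len this is the fixed-length figure the slides use
    (10^16 for a 16-digit PIN); leaving min_len unset also counts the shorter
    secrets an exhaustive attacker has to try before reaching the full length.
    """
    if min_len is None:
        min_len = 1
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def days_to_exhaust(space, rate):
    """Days to try every candidate at `rate` guesses per second
    (worst case for the attacker; on average they finish in half that)."""
    return space / rate / 86400

def lock_comparison():
    """Map each lock type to (key space, desktop days, supercomputer days)."""
    cases = {
        "pattern (9 dots, slide figure)": pattern_space(),
        "PIN (16 digits)": keyspace(10, 16, 16),
        "password (10 chars A-Za-z0-9)": keyspace(len(ALNUM), 10, 10),
    }
    return {name: (space,
                   days_to_exhaust(space, DESKTOP_RATE),
                   days_to_exhaust(space, SUPERCOMPUTER_RATE))
            for name, space in cases.items()}

if __name__ == "__main__":
    for name, (space, desk, sc) in lock_comparison().items():
        print(f"{name:32s} {space:>26,d}  desktop {desk:12,.0f} d  super {sc:10,.2f} d")
```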
This is all Useless if an Attacker can Circumvent Your Lock Screen
Physical access to a rooted phone with USB debugging on
Recovery mods
JTAG Interface
Solutions
Choose a strong screen lock
TURN OFF USB DEBUGGING
Disk Encryption
Use 2-factor authentication on Google
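The two settings this slide (and the closing "Turn off USB debugging!" / "Encrypt everything!" slide) keep stressing can be checked from a workstation over adb. This audit script is an added example, not from the talk; it assumes `adb` is on the PATH and that the device supports `settings get` (Android 4.2+) and exposes the `ro.crypto.state` property, and it falls back to constructed sample output when no device is attached.

```python
"""Audit an attached Android device: USB debugging off, /data encrypted.

Added example, not from the talk. Assumes adb on PATH; on failure it uses
the constructed SAMPLE_OUTPUT below so the logic can be exercised offline.
"""
import subprocess

# Constructed sample of what the two adb shell commands return on a phone
# that has both problems (debugging on, no disk encryption).
SAMPLE_OUTPUT = {
    "settings get global adb_enabled": "1\n",
    "getprop ro.crypto.state": "unencrypted\n",
}

def adb_shell(cmd):
    """Run a command on the device and return its stdout as text."""
    out = subprocess.run(["adb", "shell", cmd], capture_output=True,
                         text=True, check=True)
    return out.stdout

def assess(adb_enabled, crypto_state):
    """Turn raw values into (severity, message) findings."""
    findings = []
    # settings get prints "1" when on, "0" or "null" (never set) when off
    if adb_enabled.strip() == "1":
        findings.append(("HIGH", "USB debugging is ON: a physical attacker "
                                 "can pull data with adb; turn it off"))
    else:
        findings.append(("OK", "USB debugging is off"))
    state = crypto_state.strip()
    if state == "encrypted":
        findings.append(("OK", "/data partition is encrypted"))
    elif state == "unencrypted":
        findings.append(("HIGH", "/data is not encrypted: a forensic "
                                 "image recovers everything"))
    else:
        findings.append(("WARN", "cannot determine encryption state (%r)" % state))
    return findings

def audit(runner):
    """runner maps a shell command to its output; real devices use adb_shell."""
    return assess(runner("settings get global adb_enabled"),
                  runner("getprop ro.crypto.state"))

def worst_severity(findings):
    order = {"OK": 0, "WARN": 1, "HIGH": 2}
    return max(findings, key=lambda f: order[f[0]])[0]

if __name__ == "__main__":
    try:
        results = audit(adb_shell)
    except (OSError, subprocess.CalledProcessError):
        print("no device reachable via adb; using constructed sample output")
        results = audit(SAMPLE_OUTPUT.__getitem__)
    for sev, msg in results:
        print(sev, msg)
```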
Lost and Stolen Phones
Phone Finding Applications
Remote wipe
Prey (cross platform, open source)
Poison Pill (Open Source)
Lookout
Droid Tracker
Strong Screen lock
Report to The Provider?
They probably don't give a damn.
Malware
Vendor and Espionage malware
This stuff is extremely sophisticated
FinFisher
CarrierIQ
Voodoo CarrierIQ
Standard, untargeted malware
Personal Data Theft
Premium SMS
The usual suspects (spyware, trojans, phishing)
Solutions
Droidwall (requires root). Unfortunately no longer open source
Try Android Firewall or AFWall
Be careful what you install
Antivirus (Lookout, etc.)
Be wary of third party app stores
Permission Selection Apps (require root)
Permissions Denied
Cyanogenmod
Root your phone and remove the bloatware
Of Course, Even an App with No Permissions Can do a Lot
Read files from SD card
Get a list of packages
Access insecure application files
Read GSM and SIM vendor IDs
Read Android ID (unique to your phone)
Call home with a GET request
Other Attacks
NFC
Can completely control the phone just by touching it.
Can open up a browser, get photos, videos, contacts, etc.
Even buffer overflows
QR Phishing
Baseband Attacks
Disk Encryption
On some devices since Android 3 (Honeycomb)
Encrypts the /data partition
Encrypts the /sdcard sometimes, YMMV
dm-crypt: tried and true
Uses your lockscreen PIN/password as the key
VULNERABLE TO COLD BOOT ATTACK (Frost)
TrueCrypt (Cryptonite)
LUKS Manager (can be used to encrypt the SD card)
IOCipher (for devs, still alpha)
Allows you to create an encrypted virtual FS for your app.
Call Encryption
OSTN
Open {Secure, Source, Standards} Telephony (Network)
Federated, Open Source
Does not stop censorship or provide anonymity
http://ostel.me
RedPhone
Open source client, closed source server
Easy to use
Does not stop censorship or provide anonymity
Other Encryption
Gibberbot (OTR, encrypts chat)
APG (PGP for Android)
Orbot and Orweb (Technically anonymity not enc.)
OpenVPN (encrypts your internet connection)
NoteCipher
SQLCipher
TextSecure
RedPhone
Other Useful Apps
DuckDuckGo - Alternative search engine
Keepass - Password Vault
AdAway - Ad blocking for Android
F-Droid - Alternative open source app store
ObscuraCam - Blocks people's faces in sensitive photos
CAcert Manager - Revoke untrusted root CA certs
Firefox
IptablesLog - Log the traffic coming from your phone
Shark - Capture packets from your phone
aLogcat - View Android logs
In Conclusion...
Turn off USB debugging!
Keep your phone on you
Trust what you install (Open Source Rules!)
Root and install custom firmware
Use a stronger screen lock
Audit your phone
Encrypt Everything!
Open Source Presentation! Get it on Github!
https://github.com/cooperq/spiders
Thank You!
Cooper [email protected]: @cooperq
Jabber: [email protected]: 9B3470B9 B1F10651 B5840FEB 026D6CF7 2D949F6F
PGP: 75FB9347 FA4B22A0 5068080B D0EA7B6F F0AFE2CA