Security Summit, Rome, 9 June 2011 - Raoul Chiesa, CLUSIT

Transcription

Security Summit, Rome, 9 June 2011
Raoul Chiesa, CLUSIT
Alessio L.R. Pennasilico, CLUSIT
* Raoul apologizes, but he had to leave for Tallinn, Estonia, as a speaker at the CCDCoE.
* I will take care of presenting the material that Raoul wrote with Philippe Langlois (P1 Security, TSTF.net) on smartphone security! :)
CyberDefcon - Raoul Chiesa & Jart Armin 2010
6/8/2011
* Mobile communication changed our lives in the last 15 years (GSM & CDMA)
* Mobile smartphones changed our "digital life" in the last 5 years
* always-on
* IP enabled
* CPU power
* high data speed
* Smartphone handsets are sold more and more
* Used in personal, business and social contexts
* Attacks on mobile environments are rising
* Handsets became an "attack vector"
* Increased attention from the underground (see next)
* DEFCON 16 - Taking Back your Cellphone - Alexander Lash
* BH DC / BH Europe - Intercepting Mobile Phone/GSM Traffic - David Hulton, Steve
* BH Europe - Mobile Phone Spying Tools - Jarno Niemelä
* BH USA - Mobile Phone Messaging Anti-Forensics - Zane Lackey, Luis Miras
* Ekoparty - Smartphones (in)security - Nicolas Economou, Alfredo Ortega
* BH Japan - Exploiting Symbian OS in mobile devices - Collin Mulliner
* GTS-12 - iPhone and iPod Touch Forensics - Ivo Peixinho
* 25C3 - Hacking the iPhone - MuscleNerd, pytey, planetbeing
* 25C3 - Locating Mobile Phones using SS7 - Tobias Engel
* 25C3 - Anatomy of smartphone hardware - Harald Welte
* 25C3 - Running your own GSM network - H. Welte, Dieter Spaar
* 25C3 - Attacking NFC mobile phones - Collin Mulliner
* ShmooCon - Building an All-Channel Bluetooth Monitor - Michael Ossmann and Dominic Spill
* ShmooCon - Pulling a John Connor: Defeating Android - Charlie Miller
* BH USA - Attacking SMS - Zane Lackey, Luis Miras (premiere at YSTS 3.0, BR)
* BH USA - Fuzzing the Phone in your Phone - Charlie Miller, Collin Mulliner
* BH USA - Is Your Phone Pwned? - Kevin Mahaffey, Anthony Lineberry & John Hering
* BH USA - Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone - Vincenzo Iozzo & Charlie Miller
* BH USA - Exploratory Android Surgery - Jesse Burns
* DEFCON 17 - Jailbreaking and the Law of Reversing - Fred Von Lohmann, Jennifer Granick
* DEFCON 17 - Hacking WITH the iPod Touch - Thomas Wilhelm
* DEFCON 17 - Attacking SMS. It's No Longer Your BFF - Brandon Dixon
* DEFCON 17 - Bluetooth, Smells Like Chicken - Dominic Spill, Michael Ossmann, Mark Steward
* BH Europe - Fun and Games with Mac OS X and iPhone Payloads - Charlie Miller and Vincenzo Iozzo
* BH Europe - Hijacking Mobile Data Connections - Roberto Gassirà and Roberto Piccirillo
* BH Europe - Passports Reloaded Goes Mobile - Jeroen van Beek
* CanSecWest - The Smart-Phones Nightmare - Sergio 'shadown' Alvarez
* CanSecWest - A Look at a Modern Mobile Security Model: Google's Android - Jon Oberheide
* CanSecWest - Multiplatform iPhone/Android Shellcode, and other smart phone insecurities - Alfredo Ortega and Nico Economou
* EuSecWest - Pwning your grandmother's iPhone - Charlie Miller
* HITB Malaysia - Bugs and Kisses: Spying on Blackberry Users for Fun - Sheran Gunasekera (also at YSTS 3.0)
* HITB Malaysia - Hacking from the Restroom - Bruno Gonçalves de Oliveira
* PacSec - The Android Security Story: Challenges and Solutions for Secure Open Systems - Rich Cannings & Alex Stamos
* DeepSec - Security on the GSM Air Interface - David Burgess, Harald Welte
* DeepSec - Cracking GSM Encryption - Karsten Nohl
* DeepSec - Hijacking Mobile Data Connections 2.0: Automated and Improved - Roberto Piccirillo, Roberto Gassirà
* DeepSec - A practical DoS attack on the GSM network - Dieter Spaar
Smartphones per 100 inhabitants (chart)
Mobile = Devices And More…
* Smart phones
* Tablets
* Google TV
* External memory
* Chrome OS
* E-readers
* Devices - not just phones, but TVs, Blu-ray players, netbooks, e-readers, MIDs
Mobile Security: where are we?
* The first mobile malware was identified in 2004.
* Today: 516 viruses, worms and trojans for mobile platforms
* The targets are the most common platforms (Symbian, Windows, J2ME, iPhone, Android)
* We are not yet in the era of "exploit-based" malware. Not yet. But it is not far off…
* Mobile malware by platform:
• Total: 516
• Symbian: 463
• Windows: 33
• J2ME: 12
• iPhone: 2
• Android: 1
* Mobile phones are always on the user
* It's something more personal than underwear (!)
* It's no longer about "standard data" (contacts, calls)
* Users feel that the unit is "safe"
* No large-scale outbreaks so far
* Users are unwilling to accept the implications of AV software
* Users are ignorant/uneducated (think about fake games)
* Display issues / keyboard issues
* Cabir displayed three warning alerts
* The latest trojans are just video games the user downloads and installs
* Perimeter security is not enough
* EXAMPLE
A typical mobile fraud today
Huh? How could that have happened?
Do you "play" on your smartphone?
A random game…
And its hidden "code"
The numbers
• +882346077 Antarctica
• +17675033611 Dominica (+1 767)
• +88213213214 EMSAT satellite prefix
• +25240221601 Somalia
• +2392283261 São Tomé and Príncipe
• +881842011123 Globalstar satellite prefix
"International premium-rate numbers"
• How do you find out how much it costs to call such a number?
• How do you find out who owns that number?
• Where do you complain?
• How do you get that number deactivated?
* Basic concept: expose the user to "billable" events
* Basic concept of the cash-out
* Communications billable to the subscriber:
* SMS to a premium number
* CALL to a premium number
* CALL to an international premium number
* DOWNLOAD of content from WAP sites (WAP billing)
Fraud on fixed-line telephony
* Abuse of corporate PBXs
* Insider - calls to mobile phones with auto-top-up profiles
* Outsider - abuse of the PBX to place calls to PRNs (Premium Rate Numbers) or to resell telephone traffic to non-EU countries
* There are international gangs specialised in abusing PBXs (Nortel, Alcatel, Ericsson)
* The methodology is always the same
* The calls almost always end up in: Zimbabwe, Liechtenstein and Sierra Leone
* In one weekend it is possible to defraud up to 300,000 euro
Fraud on mobile telephony
* Dialers, the return!
* They hit new-generation phones (Symbian, iPhone, Android) to automatically place calls to PRNs
* Caller ID spoofing (Wangiri)
* With the help of VoIP it is possible to spoof the calling number (a PRN)
* The technique consists of a single ring, hoping the user calls back
Internet fraud
* Abuse of Internet services for sending SMS
* Unauthorised access to telephone operators' portals in order to send SMS
* Search for services that allow sending SMS from the Internet
* Firefox plug-in for daily SMS sending
* Specific software to manage unwanted SMS on mobile phones
* Abuse of SIP/H.323 gateways
* Calls to PRNs
* Interest: data
* Trick theft
* Memory card theft
* Usually unencrypted
* LibertyCrack: "Clean and Sweep" tester; deleted data
* Phage: first self-replicator; overwrites the PRC segment
* Cabir: first Symbian virus; spread via Bluetooth
* Mabir/CommWarrior: spread via BT and MMS; caused damage
* 3D AntiTerrorist: free game; calls premium-rate numbers; source unknown (the original game was paid)
* PRN (Premium Rate Number) abuse
* Call-me-back
* Tricky SMS
The BlackBerry infrastructure consists of several elements:
* The handheld: i.e. the phone, which has GPRS/UMTS and Wi-Fi connectivity
* The data connection: i.e. the transmission medium used by the phone
* The BlackBerry Enterprise Server: the management server installed at the company
* It allows the BlackBerry to browse
All of these elements have critical points

* The handheld:
* If not properly configured it allows the installation of software, from games to backdoors
* It is possible to install a trojan that, through the BES, gives access to the company's private network (http://www.veracode.com/resources/blackberry-spyware-demo.html)
* Even if the SIM requires a PIN, it is possible to replace it with any other SIM and still have access (for a limited time) to the company network or to the emails stored on the device
* The data connection:
* Email traffic passes through the RIM network (Canada, UK, Netherlands), which in practice makes the medium poorly suited to government bodies
* France and the UK have banned ministers from using BlackBerry
* The United Arab Emirates, first among other Gulf and Asian countries (Saudi Arabia, Qatar, India, etc.), have imposed or are imposing architectural changes on RIM to avoid information transiting outside the country, since that results in a lack of control by the government.

* BlackBerry Enterprise Server
* The BES is usually installed in a server farm
* By default it stores all the calls made by users:
* Calling number
* Called number
* Time
* Duration
* Address-book name of the called number
* Part of the Internet browsing is stored in the trace files
* By default it installs MS-SQL with the SA user without a password
* It has features that can save sent SMS
Smartphones can be pwned: compromise network security, attack PCs, sniff info
* Linux bugs --> problems in Linux or in third-party libs
* File bugs --> file format vulnerabilities
* User bugs --> bugs in users
* SMS (text messages) as an attack vector is 'wormable'
* There is no third-party app content filtering in the Android Market [Come one, come all.]
* Privacy issues with GPS, camera and mic, cell tower info
* Third-party apps have full access to phone features: in- & outbound call interception, send/read SMS, GPS
* Attackers can: steal money and identity; sabotage networks; attack cell phones and computers; search mails and pics; tap activities and calls; locate via cell tower & wireless networks
Android Security Basics
* Sandboxing: each app runs in its own Linux process (process, user, data)
* Apps request permissions at install time (no granularity)
* Too much trust:
• between operators
• between the user and the operators
• between the user and the phone
* Layer 3 (TCP/IP) is generally protected by mobile operators by filtering inbound connections (NAT)
* How do you secure a platform where 50,000 Android users install Fartdroid?
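The install-time permission model above is where a "free game" that bills the user gets its powers: whatever the manifest asks for is granted in full or the app is not installed. The following is an added example (not code from the slides or from the Android project) that triages the permissions declared in an AndroidManifest.xml; the two manifests are constructed samples and the split into "billable" and "spying" permissions is our own illustrative grouping, not an Android taxonomy.

```python
"""Triage the install-time permissions declared in an AndroidManifest.xml.

Added example for this transcript; it is not code from the slides or from
the Android project. The two manifests below are constructed samples, and
the grouping of permissions into "billable" and "spying" is our own
illustrative choice, not an Android taxonomy.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let a "free game" generate billable events for the
# subscriber (premium SMS, premium calls). Grouping is ours.
BILLABLE = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
}
# Permissions that turn the handset into a spying device. Grouping is ours.
SPYING = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample: a "free game" that also wants to send SMS and read contacts.
FAKE_GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Free Game"/>
</manifest>
"""

# Constructed sample: a game that asks only for what a game needs.
HONEST_GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.honestgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Honest Game"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")}


def triage(manifest_xml):
    """Rate a manifest: HIGH if it can both bill the user and spy on them,
    MEDIUM for one of the two, LOW otherwise. Everything listed here is
    granted in full at install time; the user cannot say "yes, but no SMS"."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    billable = sorted(perms & BILLABLE)
    spying = sorted(perms & SPYING)
    if billable and spying:
        verdict = "HIGH"
    elif billable or spying:
        verdict = "MEDIUM"
    else:
        verdict = "LOW"
    return {
        "package": root.get("package"),
        "billable": billable,
        "spying": spying,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (FAKE_GAME_MANIFEST, HONEST_GAME_MANIFEST):
        print(triage(manifest))
```

Running it rates the fake game HIGH (SEND_SMS plus READ_CONTACTS: it can both cost money and exfiltrate the phonebook) and the honest game LOW. The same check can be run over the manifest pulled out of any APK with aapt or apktool.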
Android Exploits
• 02/Sep/10 HTC Wildfire gains access to root-only apps with soft root
• 19/Aug/10 Tap Snake game in the Android Market is a spy app
• 12/Aug/10 'Exploid', a new privilege escalation root exploit, was found
• 12/Aug/10 First virus/trojan app found in the wild, attacking Russian Android phones by sending premium SMS that cost money
• 01/Aug/10 New security threat demonstrated on the Android Market
• 13/Jul/10 Backdoor software found by hackers was left on HTC phones
• 07/Jul/10 HTC Evo 4G Adobe Flash vulnerability found and exploited to gain root
• 04/Jul/10 "MBackup" app is spyware named 'FlexiSPY', used to invade privacy
• 22/Jun/10 Easy infection of an Android phone demonstrated by a researcher
• 16/Jun/10 The new HTC Droid Incredible may have an unusual security bug
• 14/Jun/10 Hackers find holes in Sprint's new 4G phone
• 12/May/10 Tools for downloading unknown files from the web are dangerous
• 04/May/10 First Android rootkit proof of concept found in the wild
• 03/May/10 New hacking tools for Android
• 11/Mar/10 Windows malware shipped with the Vodafone HTC Magic SD card
Android Exploits
• 08/Mar/10 Fake weather apps build a mobile botnet?
• 26/Feb/10 MobiStealth Android spy software pretends to be a fake "GoogleVoice"
• 26/Feb/10 "Black" market pirated app repository was closed
• 13/Jan/10 Security flaw found on the Motorola Droid bypasses the security screen
• 06/Jan/10 Android-cracked Nook e-reader is a potential security risk
• 16/Dec/09 Large-scale phishing scam targeting Android-based mobile devices
• 12/Nov/09 Malware application launched for Android
• 10/Oct/09 Two new Android flaws in SMS and the Dalvik API could lead to DoS
• 20/Sep/09 Android 'InstantRoot' app gains root by exploiting a bug in BT
• 18/Sep/09 Two Android applications attacking Windows users
• 15/Sep/09 Android 'spam apps' developer crackdown
• 17/Aug/09 Android app 'Recovery Flasher' exploits a root bug in Linux
• 29/Jul/09 SMS flaw fixed in a silent Android update
• 25/May/09 Android improper package verification when using shared UIDs
• 16/Mar/09 Security threat with the 'Open Home' application
• 12/Feb/09 Bug in MP3 decoding used to steal Android data
• 26/Jan/09 First adware app attacks the Android G1?
• 09/Nov/08 G1 root bug found
Android Exploits
• Trojan-SMS.AndroidOS.FakePlayer virus
• LauncherSpam, fake virus apps & fake icons
• Android Settings.Secure is dead [fixed, not deployed]
• WebKit heap spray, Android 2.0-2.1
• Android killer app, CPU killer bug

Trojan-SMS.AndroidOS.FakePlayer
* In Linux that would not have happened. Oh, it's Linux.
* Trojan-SMS.AndroidOS.FakePlayer found in the wild
* It displays a message in Russian and then sends SMS messages without the user's consent.
* The SMS it sends contains the string "798657", sent to the Russian premium SMS short codes 3353 and 3354; it sent $6 SMS messages
* Primitive, PoC level, with local distribution, limited damage
* Has another 2 porn-related variants and uses black SEO methods
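The "International premium-rate numbers" and Wangiri slides earlier and the FakePlayer description here are two faces of the same billing mechanism: long numbers that route to satellite or high-cost prefixes, and short codes where the leading token of the SMS body selects the content provider and the price. The following is an added example (not code from the slides or from any carrier tool) that classifies a destination either way and flags one-ring bait in a call log. The prefix table is built only from the numbers quoted on the slides and is illustrative, not a complete premium-rate list; the sample call records are constructed.

```python
"""Classify SMS and call destinations that turn into "billable" events.

Added example for this transcript, not code from the slides or from any
carrier tool. The prefix table is built from the numbers quoted on the
"International premium-rate numbers" slide and the FakePlayer slide; it is
illustrative and far from a complete premium-rate list. The sample call
records at the bottom are constructed.
"""
import re

# Longest matching prefix wins. Labels are taken from the slides.
PREFIXES = {
    "88213": "EMSAT satellite",
    "8818": "Globalstar satellite",
    "882": "international networks (satellite/shared code)",
    "881": "global mobile satellite (shared code)",
    "1767": "Dominica (Caribbean premium-rate abuse)",
    "252": "Somalia",
    "239": "Sao Tome and Principe",
}

# Russian premium short codes named on the FakePlayer slide.
PREMIUM_SHORT_CODES = {"3353", "3354"}


def normalize(number):
    """Keep digits only and strip a leading international '00'."""
    digits = re.sub(r"\D", "", number)
    return digits[2:] if digits.startswith("00") else digits


def classify(destination, body=None):
    """Describe why sending to / calling this destination costs money.

    Short codes (3-6 digits) are billed per content-provider prefix: the
    leading token of the SMS body selects the provider and the price, so it
    is extracted. Long numbers are matched against PREFIXES, longest first.
    """
    d = normalize(destination)
    if 3 <= len(d) <= 6:
        m = re.match(r"\s*(\d+)", body or "")
        return {
            "category": "short_code",
            "known_premium": d in PREMIUM_SHORT_CODES,
            "provider_prefix": m.group(1) if m else None,
        }
    for plen in range(6, 1, -1):
        label = PREFIXES.get(d[:plen])
        if label:
            return {"category": "international_premium", "prefix": d[:plen], "label": label}
    return {"category": "normal"}


def wangiri_bait(call):
    """One-ring ('Wangiri') bait: an inbound call that rang and was never
    answered, from a premium or satellite number the victim is meant to call back."""
    if call["direction"] != "in" or call["duration_s"] != 0:
        return False
    return classify(call["number"])["category"] != "normal"


# Constructed sample call log (not real data; the UK number is from the
# 01632 960 range reserved for fiction).
SAMPLE_CALLS = [
    {"direction": "in", "number": "+25240221601", "duration_s": 0},    # one ring from Somalia
    {"direction": "in", "number": "+441632960123", "duration_s": 0},   # ordinary missed call
    {"direction": "out", "number": "+88213213214", "duration_s": 95},  # victim called back
]

if __name__ == "__main__":
    print(classify("3353", body="798657"))
    for call in SAMPLE_CALLS:
        print(call["number"], classify(call["number"]),
              "WANGIRI BAIT" if wangiri_bait(call) else "")
```

The FakePlayer message (body "798657" to 3353) comes back as a known premium short code with the provider prefix extracted; the missed call from +252 is flagged as call-back bait, while the same missed call from an ordinary number is not.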
LauncherSpam
* Installs fake virus apps & icons on the victim device
* Published on the Android Market
* PoC level
* http://www.antiy.com/cn/news/android_adrd.htm
* This is basically a good summary of Android malware in China.
* extraexploit.blogspot.com did some good research (as he always does)
* Following a well-known mailing list (clean-mx aka viruswatch), the following URL was retrieved: http://mmspicture.ru/mms112/mms112.jar (md5: 33EA90E2029478D47D33409B5F48E4EB)
* The JAR file is already detected by VirusTotal. Playing around a bit with the URL path it is possible to retrieve another JAR file:
* http://mmspicture.ru/mms113/mms113.jar
* The MD5 (4CC0EBCE1428EE3649C67A13734F2EDE) of this JAR file is not yet known around. Anyway, what follows is just a quick analysis of the contents of this file. Opened with Java Decompiler it appears like a canonical small JAR app for mobile devices (MIDlet class).
(http://extraexploit.blogspot.com/2011/03/mmspictureru-mobile-malware-depot.html)
Main class (screenshot)
Extended Canvas Java class (screenshot)
* Some Cyrillic strings…
* It also shows a reference to a stream (embedded in the JAR) named "info.dat".
* The code above uses this file in order to decode the stream that, as we'll see, is the destination phone number for the data gathered from mobile devices.
* The "info.dat" contains the following string: 75;4x=1?==8:<95
* He built a small Java app to decode the stream.
* The output revealed is the following:
* The string obtained is the destination phone number used to receive SMS from the users' mobile devices. The content of the SMS body is still under investigation. Probably it sends the entire phonebook; as well, the phone number could be a payment number. The SMS is sent when the user accepts to view the picture in the postcard ("card.png") embedded in the JAR. There is also a file named "readme" which contains an ICQ id:
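The first pass on a sample like this is mechanical: hash the JAR, read the MIDlet manifest (name, entry class, requested permissions), list the non-class resources and pull out the opaque stream and any contact handle left in a text file. The following is an added example (not extraexploit's decoder and not code from the slides) that does that triage; to run offline it builds a constructed JAR in memory whose contents are invented and are not the real mmspicture.ru sample. The info.dat encoding is not described on the slides, so the stream is only extracted for the analyst, not decoded.

```python
"""Static triage of a J2ME MIDlet JAR of the kind analysed above.

Added example for this transcript; it is not extraexploit's decoder and not
code from the slides. To run offline it builds a constructed JAR in memory
(manifest, a stub class, card.png, info.dat, readme): the contents are
made up for illustration and are not the real mmspicture.ru sample. The
info.dat encoding is not described on the slides, so the stream is only
extracted and handed to the analyst, not decoded.
"""
import hashlib
import io
import re
import zipfile


def build_sample_jar():
    """Constructed MIDlet JAR; every byte here is invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\n"
                   "MIDlet-Name: mms\r\n"
                   "MIDlet-Vendor: unknown\r\n"
                   "MIDlet-1: mms, /card.png, Main\r\n"
                   "MIDlet-Permissions: javax.wireless.messaging.sms.send\r\n"
                   "MicroEdition-Profile: MIDP-2.0\r\n")
        z.writestr("Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)  # stub class file
        z.writestr("card.png", b"\x89PNG\r\n\x1a\n")                   # stub image
        z.writestr("info.dat", "75;4x=1?==8:<95")  # the opaque stream quoted on the slide
        z.writestr("readme", "icq: 123456789")       # constructed id, not the real one
    return buf.getvalue()


def parse_manifest(text):
    """Parse 'Key: value' lines of META-INF/MANIFEST.MF into a dict."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def triage_jar(jar_bytes):
    """Hash the JAR, list its MIDlets and non-class resources, and flag the
    things an analyst looks at first: SMS permissions, opaque data files and
    contact handles left in text files."""
    report = {"md5": hashlib.md5(jar_bytes).hexdigest(), "flags": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        report["midlets"] = [v for k, v in manifest.items() if re.fullmatch(r"MIDlet-\d+", k)]
        if "sms.send" in manifest.get("MIDlet-Permissions", ""):
            report["flags"].append("manifest requests SMS send permission")
        report["resources"] = [n for n in z.namelist()
                               if not n.endswith(".class") and not n.startswith("META-INF/")]
        for name in report["resources"]:
            data = z.read(name)
            if name.endswith(".dat"):
                report["flags"].append("opaque data stream %s: %r" % (name, data.decode("latin-1")))
            m = re.search(rb"icq\D{0,5}(\d{5,10})", data, re.IGNORECASE)
            if m:
                report["flags"].append("ICQ id in %s: %s" % (name, m.group(1).decode()))
    return report


if __name__ == "__main__":
    for key, value in triage_jar(build_sample_jar()).items():
        print(key, value)
```

On a real sample, replace build_sample_jar() with the bytes of the downloaded file; the md5 in the report is what you compare against the hashes quoted above, and the .dat stream is what goes into the decoder.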
* According to the countrycode.org web site (http://countrycode.org/russia) the number "+7 497 878542104" seems to be a Kazakhstan or Russian phone number. Another detail is that the domain mmspicture.ru is hosted on one IP (91.201.66.209) where another interesting domain is hosted:
* Now, the real story (thanks Fyodor!)
* http://www.securelist.com/ru/blog/43154/Katya_vernulas
* The guy discusses a scam scheme involving this short number (7497)
* They use SMS to a short number to take some money from your phone balance. Most of the SIM cards in Russia, even now, are pre-paid; the scam of forcing users to send SMS to a short number with a particular prefix is very common.
* Different content providers can be registered to the same short number, but every content provider has his own prefix (a text that the SMS has to start with); longer prefixes are cheaper, shorter ones more expensive. So I believe the 2nd number is the prefix.
* In the 2nd post from Kaspersky Lab, the guy actually talks about a somewhat similar (but social) attack that involved exactly the same short number (the same 4 digits). A user would be charged 210 rubles if he sent an SMS to that number.
Establish a dial-in server
* Based on the modem configuration for mgetty
* Existing line: #/AutoPPP/ - a_ppp /usr/sbin/pppd auth chap +pap login debug
* Change to: /AutoPPP/ - a_ppp /usr/sbin/pppd auth chap +pap login debug
* Set up PPP options, e.g. ms-dns 3.4.5.6 (replace 3.4.5.6 with the DNS address) - Slave
* Add users (iBot zombies) to pap-secrets
* Create Linux users
* Broadcast
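Seen from the defender's side, the steps above leave fingerprints in three files: an uncommented /AutoPPP/ line in mgetty's login.config, PAP accounts in pap-secrets (with "login" in the pppd arguments they must also be Linux accounts), and PPP options that hand peers a resolver or bridge them onto the LAN. The following is an added example (not code from the slides, from mgetty or from pppd) that audits those three fragments; the texts are constructed samples in the format of the mgetty and pppd files, with the slide's line uncommented, and they are passed in by the caller rather than read from /etc so the check runs offline.

```python
"""Audit an mgetty/pppd dial-in configuration of the kind the slide sets up.

Added example for this transcript, not code from the slides or from
mgetty/pppd. The three config texts are constructed samples in the format
of mgetty's login.config, pppd's pap-secrets and a pppd options file; the
audit takes them as strings so it runs offline, but the same functions work
on the real files read from /etc.
"""
import re

# Constructed login.config: the shipped sample line kept as a comment, and
# the slide's uncommented line below it.
LOGIN_CONFIG = """\
# mgetty login.config (constructed sample)
#/AutoPPP/ -     a_ppp   /usr/sbin/pppd auth -chap +pap login debug
/AutoPPP/ -     a_ppp   /usr/sbin/pppd auth chap +pap login debug
*       -       -       /bin/login @
"""

# Constructed pap-secrets: one dial-in account per "zombie" handset.
# Column 4 lists the peer IPs a client may use; '*' means any.
PAP_SECRETS = """\
# client        server  secret          IP addresses
zombie01        *       s3cr3t01        *
zombie02        *       s3cr3t02        10.0.0.2
"""

# Constructed pppd options: the slide's ms-dns plus proxyarp.
PPP_OPTIONS = """\
ms-dns 3.4.5.6
proxyarp
"""


def autoppp_entries(login_config):
    """Return the active (uncommented) /AutoPPP/ lines: program and arguments.

    login.config format: /AutoPPP/ <username> <utmp-entry> <program> [args...]
    """
    found = []
    for line in login_config.splitlines():
        fields = line.strip().split()
        if fields and fields[0] == "/AutoPPP/":
            found.append({"program": fields[3], "args": fields[4:]})
    return found


def pap_accounts(pap_secrets):
    """Parse pap-secrets lines: client server secret [addresses...].
    With only three fields, or '-', pppd allows no address; '*' allows any."""
    accounts = []
    for line in pap_secrets.splitlines():
        s = line.split("#", 1)[0].strip()
        if not s:
            continue
        f = s.split()
        accounts.append({
            "client": f[0],
            "server": f[1],
            "any_ip": len(f) > 3 and f[3] == "*",
        })
    return accounts


def audit(login_config, pap_secrets, ppp_options):
    """Return human-readable findings for the three fragments."""
    findings = []
    for e in autoppp_entries(login_config):
        findings.append("dial-in PPP auto-detection is enabled: %s %s"
                        % (e["program"], " ".join(e["args"])))
        if "login" in e["args"]:
            findings.append("pppd 'login' option: PAP peers must also exist as Linux accounts")
    for a in pap_accounts(pap_secrets):
        if a["any_ip"]:
            findings.append("pap-secrets client %r may use any peer IP address" % a["client"])
    if "proxyarp" in ppp_options.split():
        findings.append("proxyarp: dial-in peers are made visible on the local LAN")
    dns = re.search(r"^ms-dns\s+(\S+)", ppp_options, re.M)
    if dns:
        findings.append("ms-dns hands peers the resolver %s" % dns.group(1))
    return findings


if __name__ == "__main__":
    for finding in audit(LOGIN_CONFIG, PAP_SECRETS, PPP_OPTIONS):
        print("-", finding)
```

The commented sample line is ignored and only the live /AutoPPP/ line is reported, which is exactly the one-character change the slide makes; the pap-secrets parser follows pppd's rule that a missing fourth column allows no address, so only the wildcard account is flagged.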
* The main effort for manufacturers is to prevent smartphones from becoming mini ISPs/rebroadcasting hubs.
* Avoid the unit becoming a router and using PPP (Point-to-Point Protocol), through "mgetty" or similar commands, or Microsoft Windows RAS (Remote Access Service).
* Best if the platform reveals the phone number of the device only to the smartphone's modem
* Issue an IPv6 address and public-key encryption for each smartphone
* Niebezpiecznik (PL), Feb 2011: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
* Collin Mulliner and Jean-Pierre Seifert, IEEE: http://mulliner.org/collin/academic/publications/ibots_MALWARE2010.pdf
* Georgia Weidman, ShmooCon, January 2011: http://www.grmn00bs.com/GeorgiaW_Smartphone_Bots_SLIDES_Shmoocon2011.pdf
* Symantec, Mar 2011: http://www.symantec.com/connect/blogs/android-threats-getting-steamy
* SS7 speeches, papers and R&D by Philippe Langlois: http://events.ccc.de/congress/2009/Fahrplan/events/3555.en.html
I would like to thank the following friends for their direct or indirect support while creating this presentation:
* Philippe Langlois, P1 Security, TSTF.net
* Jart Armin, CyberDefCon
* Extraexploit.blogspot.com
* Fyodor Yarochkin, TSTF.net
* Dror, Droidsecurity
* Tam Hanna
* Claudia Parodi & Cristiano Cafferata, SonicWall Italy