View
212
Download
0
Category
Tags:
Preview:
Citation preview
Storage of sensitive data in a Java enabled cell phone
MSc ThesisTommy Egeberg
June 2006
Agenda
• Introduction • Problem• Methods• Results• Conclusion• Further Work
Introduction
• Cell phones → small computers• Stores a lot of sensitive information
– RMS, email, SMS, calendar …
• Able to run Java applications– Mobile SSO solution
• Store passwords
-Introduction
Main problem
Will a Java MIDlet on a cellular phone be a secure location to store sensitive information?
-Problem
Research Questions
• What is already known about security in Java enabled cell phones?
• Will information stored on a cellular phone be easy to extract?
• How can we secure the stored sensitive information even if the cellular phone is lost or stolen?
• What kind of threats will the cell phone be vulnerable to?
• What kind of countermeasures can be used to reduce or eliminate the threats?
-Problem
Methods
• Literature study– J2ME specifications– Communication link; cell phone ↔ server
• Prototype– Try to break into the prototype
• Security analysis– Identify threats and vulnerabilities
-Methods
Digital safe
• Master password– PIN– Pass-faces– Stored as a SHA1 hash digest
• The sensitive information– AES encrypted with a 128 bit key
• Key derived from master password, username and a iteration count of 20, like described in PKCS5v2 [1]
-Methods
Remote deletion
• SMS sent to the phone with the digital safe installed– Defined port number– The AMS starts the digital safe– SHA1 value of password– Deletes the stored information
-Methods
Stealing MIDlet
• Upgrade a previously installed MIDlet• The RMS will not be erased• Read the stored information• Identical values in the JAD file• Can be used to inject Trojan code
-Methods
Results
• Encryption and decryption– Bouncy Castle Crypto API [2]
• AES, SHA1, …
• Remote deletion is a poor functionality– Can easily be deactivated
• Data stored in the RMS can easily be extracted
-Results
Data extraction
• Forensic methods [3]
– Desoldering techniques, boundary-scan (JTAG)– Native applications
• Windows Mobile, Symbian OS
• Stealing MIDlet• Phone Managers
– Backup of MIDlet’s RMS
-Results
Stealing MIDlet
• Overwrite the installed MIDlet• MIDlet-Name and MIDlet-
Vendor• Source code
– Add Trojan code
• A signed MIDlet can not be upgraded with an unsigned MIDlet!
-Results
A Stealing MIDlet’s JAD file
MIDlet-1: StealingMIDlet,,StealingMIDlet
MIDlet-Jar-Size:
4743
MIDlet-Jar-URL:
StealingMIDlet.jar
MIDlet-Name: Password Store
MIDlet-Vendor:
Tommy Egeberg
MIDlet-Version:
1.0
MicroEdition-Configuration:
CLDC-1.1
MicroEdition-Profile:
MIDP-2.0
Phone Managers
• Oxygen Phone Manager II [4]
– Backup Java MIDlets– Backup MIDlet's RMS
• MOBILedit! [5]
– Forensic edition available
-Results
RMS backup-Results
-Results
Threats & Vulnerabilities
• Information extracted• Trojan code
– Keyboard sniffer, send information to hacker, …
• Phone is stolen• Brute-force attacks• Remote deletion disabled• MIDlet installation request
-Results
Countermeasures
• Reflash cell phone OS• Check MIDlet size and functionality• Sign the MIDlet
– Prevent Stealing MIDlets
• Strong master password and encryption• Frequently update the login credentials
-Results
Conclusion
• A strong master password must be chosen– The key in the encryption process, access to the
application
• Data easily extracted– Encryption extremely important
• The MIDlet should be signed– Prevent installation of Stealing MIDlets, trusted
source
-Conclusion
Further Work
• SATSA (The Security and Trust Service API)• Biometric authentication
– Speech recognition (Java Speech API)
• Proactive password checking• Synchronization service
– Update the stored login credentials if the phone is lost
-Further work
References
[1]RSA-Laboratories. March 1999. Pkcs5v2.0: Password-based cryptography standard.
[2]Bouncy Castle. Bouncy Castle Crypto Package. Light-weight API, release 1.33.
[3] Willassen, S. Y. Spring 2003. Forensics and the GSM mobile telephone system. International Journal of Digital Evidence, 2, 10–11.
[4] Oxygen-Software. Oxygen phone manager for Nokia phones (forensic edition) http://www.opm-2.com
[5] Compelson laboratories. MOBILedit! Forensic http://www.mobiledit.com
Recommended