Herding smartphones

Smartphone security presentation from ISSA Tampa Bay chapter meeting on 3/18/2011.

Stratum Security

Innovative Risk Solutions

Herding Smartphones

ISSA Tampa Bay - March 18, 2011

Justin Morehouse, Principal Consultant

• Stratum Security

• Security Operations and Consulting

• Co-author ‘Securing the Smart Grid’

• OWASP Tampa Chapter Founder & Leader

• Presented at DEF CON, ShmooCon, OWASP, and more

About Me

• Since 2008 I’ve owned, modified, and hacked the following:

• BlackBerry Bold 9700 & 8820

• T-Mobile (HTC) Dash (Windows Mobile 6.5)

• iPhone, 3G, 3GS (all iOS versions)

• Motorola Droid (Android 2.1, 2.2, 2.3)

• Samsung Galaxy S (Android 2.1)

My Love (Hate) Relationship w/ Smartphones

Smartphones...

...are everywhere

Question

Smartphones outsold PCs in Q4

1,000,000,000+ smartphone users by 2013

...do amazing things

Video Conferencing

GPS Navigation

Watch streaming videos

...and are constantly evolving

Motorola Atrix

Near Field Communications (NFC)

Question

How we use smartphones...

...as a phone

...to check email

...personal digital assistant

...what about personal use?

...entertainment

...social networking

...and more

think about your mobile footprint

Hackers do...

...money talks

objective based

Attack Vectors...

...phishing

...rogue applications

...drive-by downloads

Examples...

Demonstration (http://vimeo.com/18668105)

Apps Gone Wild!!!

50+ malicious (rogue) applications identified

Available for download in the Official Android Market

Applications published by 3 “developers”

Post IMEI & IMSI to website in California

Contains code to steal “sensitive information”

Google remotely “wiping” rogue applications

“Taking steps” to prevent this from happening again

DroidDream

pwn2own 2011

CanSecWest

Vincenzo Iozzo, Willem Pinckaers & Ralf Philipp Weinmann

WebKit Vulnerability in BlackBerry OS 6+

Setup ‘rigged’ website

Downloaded contacts, images & wrote file

Same vulnerability used to hack iPhone 4 (same team as well)

BlackBerry “fix” = disable JavaScript

BlackBerry Torch 9800

Mitigation Steps...

The sky is not falling...

but attacks are increasing...

strong policies & procedures

Leverage existing technologies...

...and evaluate new solutions

• Only install applications from trusted sources

• Review permissions that applications ask for

• Utilize free/cheap tools

• Install updates (Platform & Apps)

ProSumer Recommendations

ProSumer Recommendations

• Don’t click on unsolicited links

• Set a strong password or pattern

• Install remote wipe/lock/locate apps

Questions?

Justin Morehouse

justin.morehouse@stratumsecurity.com

www.stratumsecurity.com