Embed Size (px)
Citation preview
A Survey on Mobile Device Security: Threats, Vulnerabilities and Defenses
David StitesA Few Guys Coding, LLC
http://[email protected]@davidrstites, @afewguyscoding
Standard Disclaimer
• Be smart
• If you get in trouble/caught, I disavow knowing you and giving this presentation
Who Am I?
• Owner of A Few Guys Coding, LLC (iOS and web (Ruby on Rails))
• Works full-time at EW Defense Systems, a small defense contractor in Peyton. I am involved in planning, development, testing and maintenance of C DSP and firmware code, as well as Java front-end interfaces for RF signal detection, collection and analysis of ECM (electronic counter-measures) for the Air Force.
• B.S. from Purdue in CS, currently working on Ph.D in CS at UCCS
• I like operating systems, computer networks, computer security and parallel and distributed architectures.
• When I’m not doing computer related things I enjoy snowboarding, cooking and flying
Why Should I Care About This Topic?• You all are or are hoping to be, iOS developers
• Mobile devices have become increasingly popular with consumers and provide essential functionality in our everyday life.
• They contain lots of sensitive information, such as addresses, contacts, ingoing/outgoing call logs, SMS messages, and on latest models, a calendar, emails and potentially the user’s current position.
• A smartphone or mobile device today is as powerful as a desktop or laptop and while the latest models feature a complete OS, for many users these devices are “just phones”, so there is a underestimation of the risk connected to mobile device security.
• This makes mobile devices an interesting target for malicious users. Some of the damages that a user can sustain are financial loss, privacy and confidentiality, slowdown of processing speed, battery life, etc.
The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
- The Art of War, Sun Tzu
What is Security?
• Physical
• Locks, security cameras, checkpoints/screening, body guards, laws
• Emotional (feeling)
• Perception vs. reality
• Virtual
• Firewalls, antivirus, passwords, encryption
Virtual Physical
Emotional
External Models
How Much Is Enough?
• Cost-benefit analysis
• Simple tradeoffs
• Risk analysis
• Common sense
Security Theater
• Security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.
• Ex: Having a system administrator create policies that don’t make sense (such as the crazy combinations of letters, numbers, special chars) when the password is far less secure (cryptographically speaking)
• Ex: Apple’s walled app garden
Computer Security
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (including hardware, software, firmware, information/data and telecommunications).
NIST Computer Security Handbook
The Key Objectives• Confidentiality
• Data
• Privacy
• Integrity
• Data
• System
• Origin
• Availability
• Authenticity
• Accountability
Impact Levels
• Allows us to define or label the impact of security breaches
• Low
• Medium
• High
Computer Security Challenges• Not simple to implement
• Must consider potential attacks
• Procedures are counter-intuitive
• Involves algorithms and secret information
• Must decide where to deploy security mechanisms
• Potentially not understood well
• Constant battle between attackers and administrators
• Not perceived as a benefit until it fails
• Requires regular monitoring/upkeep
• Often an afterthought in system design
• Impediment to using the system
• Costly
Aspects of Security
• Security attacks
• Threat v. attack
• Security policy
• Security mechanisms
• Security services
Security Attacks
• Passive attacks
• Releasing message contents, traffic analysis
• Active attacks
• Masquerade, replay, modification of messages, DoS, delay, repudiation
• Passive attacks are hard to detect, active attacks are hard to prevent
Security Services
• Service provided by a protocol layer of communicating systems, which ensures adequate security of the systems or of data transfers
• Enhance security of data processing systems and information transfers
• Counter security attacks
• Often replicates functions associated with physical documents (signing, dating, etc.)
• Examples: Authentication, access control, data confidentiality, data integrity, non-repudiation, availability, etc.
Security Mechanisms
• Feature designed to detect, prevent or recover from a security attack
• Need multiple mechanisms since no single one will support everything required
• Example: Encryption, digital signatures, access controls, etc.
Previous Work
•W. Enck, D. Octeau, P. McDaniel, S. Chaudhuri. “A Study of Android Application Security.”
•H Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, D. Boneh, “On the effectiveness of address-space randomization”. Proceedings of the ACM conference on Computer and Communications Security (CCS’04). New York. 2004.
•R. Hund, T. Holz, F. Freiling. “Return-oriented rootkits: bypassing kernel code integrity protection mechanisms”. Proceedings of ACM 18th Conference on USENIX Security Symposium (SSYM’09). Berkeley, CA. 2009.
•T. Blasing, L. Batyuk, A.D. Schmidt, S. A. Camtepe. S. Albayrak. “An Android Application Sandbox System for Suspicious Software Detection.”
Previous Work Continued
•M. Hypponen, “Malware Goes Mobile”, November 2006, Scientific American Magazine, pages 70–77.
•T. Martin, M. Hsiao, D. Ha, J. Krishnawami. “Denial-of-Service Attacks on Battery Powered Mobile Computeres”. Proc. of Second IEEE Annual Conference on Pervasive Computing and Communications (PERCOM). 2004.
•A. Felt, M. Finifter, E. Chin, S. Hanna, D. Wagner. “A Survey of Mobile Malware in the Wild.” ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM). Oct. 2011.
•C. Miller, “Mobile Attacks and Defenses”, IEEE Security and Privacy. Vol. 9, Issue 4, Pages 68-70, July-Aug 2011
Previous Work Continued
•J. Bickford, O. O'Hare, A. Baliga, V. Ganapathy, and Iftode. L, “Rootkits on Smartphones: Attacks, Implications and Opportunities”, ACM, In the Workshop on Mobile Computing Systems and Applications, Annapolis, MD, Feb. 2010.
•N. Seriot, “iPhone Privacy”, Black Hat DC 2010, Arlington, Virginia, USA, http://seriot.ch
•R. Schlegel, K. Zhang, X. Zhou, M. Intwala, A. Kapadia, X. Wang, "Soundminer: A Stealthy and Context-Aware Sound Trojan for Smartphones”, In Proceedings of the 18th Annual Network & Distributed System Security Symposium (NDSS) (February 2011).
A Natural Evolution
• 1 line display, 9 analog buttons vs. touch screens
• Memory measured in GB instead of KB
• Internet access, email, SMS, GPS, camera, personal organizer
• “Awesome”, “amazing”, “revolutionary” devices...that are perfect targets.
Why A Perfect Target?
• Confidentiality: Data theft, data harvesting
• Integrity: Phone hijacking
• Availability: DoS, battery draining
If We Don’t Remember History…
• Cabir - proof of concept, spread via bluetooth (power management attack)
• Mabir - cabir with SMS functionality
• Duts - PocketPC virus
• Skulls - 1st mobile trojan horse
• CommWarrior - 1st mobile worm
...We’re Doomed To Repeat It
• Carrier IQ - 11/2011
• Soundcomber
• AuroraFeint
What’s The Landscape Today?
• Over 1,200 known mobile malware samples
• F-Secure reports 400% increase in mobile malware, 2005-2007
• McAfee reports mobile malware jumped 37% Q3 2011
• [2] surveyed malware from 2009-2011
• 46 pieces released: 4 for iOS, 24 for Symbian and 18 for Android
0
300
600
900
1200
1500
Q1 2009 Q2 2009 Q3 2009 Q4 2009 Q1 2010 Q1 2010 Q2 2010 Q3 2010 Q4 2010 Q1 2011 Q2 2011 Q3 2011
Malware Discovered/Quarter
Symbian Android Symbian 3 EdJava ME Others
Data from McAfee 2011 Q3 Vulnerability Report
Why Research Mobile Security?• New computing paradigm in terms of availability, user interface and security.
• Being targeted as never before by attackers. Today more than 300 kinds of malware - among them worms, Trojan horses and other viruses and spyware have been unleashed against the devices.
• Although desktop systems remain the most widely targeted platform, as mobile computing become more ubiquitous, devices become more powerful and the lines between a traditional desktop system and a mobile system are blurred, these devices will enter the virtual battlefield.
• Clearly, these new capabilities mixed with the fact that users store personal information on the devices make it a prime target for attackers.
Goals For My Research
• Learn about some mobile attacks, vulnerabilities and defenses
• Attempt to survey mobile applications
• Turn the mobile device into a wireless sniffer
Reasons For An Increase
• Increased computing power and storage capabilities
• Increased network connectivity
• Standardization of OS and interfaces
• Enterprise integration
• Other: social engineering and hacktivisim
Attack Vectors
• Very similar to attack vectors available for the desktop
• However, typically they spread on interfaces unique to mobile devices
Types Of Attacks
• Malware attacks
• Grayware attacks
• Spyware attacks
Malware Attacks• RF attacks
• Bluetooth attacks
• SMS attacks
• GPS and location attacks
• Application masquerading and personal data attacks
• Premium-rate attacks
• Power management attacks
• Time or location activated attacks
Grayware Attacks
• Analytics packages
Spyware Attacks
• The jealous husband attack
Mobile Vulnerability Defenses• Code analysis (static and dynamic)
• ASLR and DEP
• Application sandboxing
• Permissions systems
• ACLs, capability lists, users and groups
• Code signing
• Data encryption
• Detection and recovery
What Might The Future Look Like?
• Enhanced permission systems
• Trusted computing modules
• Encryption modules
• Firewall modules
The Results
Application Survey
• Over 100 iOS applications surveyed, including some on the “Top 100” list.
• Hoped to determine what type of information could be extracted from auditing packet streams.
• Used WireShark to capture packets and analyze security.
• Open network with a Cisco Small Business Router (WAP4410N).
• Used an iPhone 4, iPad 1G and iPod Touch 4G with iOS 5.0.1.
The Threat Levels
• None: Has no potential security breaches and no exposure of confidential information.
• Low: Has a few potential security breaches or exposure of confidential information that could not directly affect the user, such as device IDs that could be used in tracking users.
• Medium: Has several potential security breaches or exposure of confidential information that is potentially serious or able to identify the user on an individual basis, such as addresses, latitudes or longitudes, etc.
• High: Has multiple potential security breaches or exposure of extremely confidential information, such as account numbers, PINs, and username/password combinations.
Applications Level Risks Found
Coupious MediumGeocoded location, UDID, coupon redemption codes
Delivery Status MediumUPS transits reverse geocoded locations and tracking numbers
Wordpress High Username and password
Foodspotting HighUsername and password,
geocoded location
Southwest Airlines High Username and password
Ustream HighUsername and password,
geocoded location
Labelbox HighUsername and password,
geocoded location
Color MediumReverse geocoded location, photos taken and shared by
usersMinus High Username and password
A full list of applications surveyed and their risks can be found in our paper.
Don’t Panic Yet…
• The majority of the applications that were surveyed encrypted the exchanges of confidential or sensitive information.
• But…
• Nearly all applications performed some sort of tracking or storing of analytic information, such as passing the UUID in a call to a web service.
Naughty Developers
• Bad Southwest Airlines devs!
• Username and password in plaintext.
• How would DHS react to the idea that someone on the “No-Fly” list could book travel in someone else’s name?
• Why?
• Overprivileged applications? Don’t understand security? Lazy?
You want proof?
http://www.youtube.com/watch?v=7vt5A64Qf5w&context=C3ac8254ADOEgsToPDskJWNWp-
ErkbCBMoqmcmDRRT
Using Mobile Devices As Capture Devices
• It’s easy to fake an app that silently collects user data in the background.
• What about the possibility of turning mobile devices into a capture device for wireless packets?
What We’ll Need
• root access
• bpf device in /dev
• libpcap, cross-compiled
• tcpdump, cross-compiled
• Lots of space
Don’t Be These People
• Marshall’s/TJ Maxx/Home Goods
• 2005
• 45.7 -200 MILLION credit card numbers were stolen
• Drivers licenses, military IDs, social security numbers stolen too
• WEP
• Attackers sat outside in a car with a laptop
Possible Future Work
• Aircrack-ng suite running on mobile devices
What You Can Do (non-coding)• A lot!
• Disk encryption: FileVault*, TrueCrypt
• Don’t use passwords
• If you must use passwords, make good password choices
• “my sister likes to eat juicy oranges every sunny friday afternoon” → msltejoesfa
• Chocolateprojectorglobemarker
• Implement firewalls and NIDS/HIDS.
• Be smart (don’t join unsecure WiFi, shred secure documents, etc)
• Sniff out security theater
What You Can Do (coding)
• Security is about control
• Doing things electronically produces data that we must control
• Apple has given us a great start and abstracted us from the messy details
Bake Security Goodness In
• Threat identification
• Policy
• Specifications
• Design
• Implementation
• Testing & maintenance
Access Control to Resources
• Use the principle of least privilege
• Elevate permissions in a controlled manner
• User/group/world model
• drwxr-xr-x
• Role based model
The Security Framework
• Provides a framework for certificate, key and trust services
• Determining identities, create certificates and keys
• The framework is <Security/Security.h>
• All functions in the framework are reentrant
• Your new friends: SecBase.h, SecCertificate.h, SecIdentity.h, SecImportExport.h, SecKey.h, SecPolicy.h
https://developer.apple.com/library/ios/#documentation/Security/Reference/certifkeytrustservices/Reference/reference.html%23//apple_ref/doc/uid/TP30000157
What is Encryption?• Transforming data into a form in which it
cannot be read without some sort of key
• The encrypted data is called cipher-text, the unencrypted data is called plain-text.
• The process of reversing the encryption and returning the data to it’s original form is called decryption.
• Can be a simple ROT-13 cipher but typically are mathematically based algorithms
• The stronger the key and algorithm, the better (to a point)
• The larger the key space, the more the attack must try to break the encryption
A Little Bit on Encryption
• Symmetric vs. Asymmetric
• Earliest forms of encryption used symmetric (1 shared key)
• Browser encryption uses asymmetric (2 keys, 1 shared, 1 private)
• Substitution vs. permutation
A Classical Caesar Cipher
• Sometimes called ROT-13
• Symmetric (shared key)
• Simply substituting one character for another
• Not particularly hard to break
• Brute force
• Cryptanalysis
MEET ME UNDER THE BRIDGE = BTTI BT JCSTG IWT QGXSVT
ROT 15. Using cryptanalysis we can map E = T
Modern Symmetric Ciphers
• 1 shared key
• DES - 56 bit key, 64 bit blocks
• Triple DES - 128 bit key, 64 bit blocks
• AES - 128, 192 or 256 bit key, 128 bit blocks
• Uses n number of rounds, with substitution and permutation and different sub keys from the original
Modern Asymmetric Ciphers• 2 keys, 1 public, 1 private
• Separate functionality
• If you’ve used git or purchased something online, then you’ve used asymmetric encryption
• RSA
• 1024, 2048 bit encryption
• Attempting to factor two large prime numbers
Key Space
• Think about iPhone unlock password
• There are 10 numbers possible and 4 spots to enter a number
• Key space is 104
• Going to depend on the algorithm, but generally key space is nm
• The bigger the key space the longer to brute force
• An effective method is to lock out after x number of tries
Generating Key Pairs•SecKeyGeneratePair
•kSecAttrKeyType, kSecAttrKeySizeInBits
OSStatus SecKeyGeneratePair ( CFDictionaryRef parameters, SecKeyRef *publicKey, SecKeyRef *privateKey);
Do NOT release the SecKeyRef pointers unless you want permanent encryption.
Importing Key Pairs
• PKCS#12 format
• SecPKCS12Import
OSStatus SecPKCS12Import( CFDataRef pkcs12_data, CFDictionaryRef options, CFArrayRef *items);
Encrypting Data
•SecKeyEncrypt
OSStatus SecKeyEncrypt ( SecKeyRef key, SecPadding padding, const uint8_t *plainText, size_t plainTextLen, uint8_t *cipherText, size_t *cipherTextLen);
Decrypting Data
•SecKeyDecrypt
OSStatus SecKeyDecrypt ( SecKeyRef key, SecPadding padding, const uint8_t *cipherText, size_t cipherTextLen, uint8_t *plainText, size_t *plainTextLen);
Signing and Validating Data
•SecKeyRawVerify
•SecKeyRawSign
SStatus SecKeyRawVerify ( SecKeyRef key, SecPadding padding, const uint8_t *signedData, size_t signedDataLen, const uint8_t *sig, size_t sigLen);
OSStatus SecKeyRawSign ( SecKeyRef key, SecPadding padding, const uint8_t *dataToSign, size_t dataToSignLen, uint8_t *sig, size_t *sigLen);
Transmit Data Securely
• Several ways to do this: NSURL class, CFNetwork, Secure Transport API
• If you’re making API calls, connect to a secure service (https)
• Purchase a SSL (X509) certificate or generate one of your own using openssl
• NSURLConnection handles SSL connections under the covers
• Implement delegate methods as normal*
• Third party libraries such as ASIHTTPRequest also support SSL
Self-Signed Certificates with iOS
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace { return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];}
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge { if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) if ([trustedHosts containsObject:challenge.protectionSpace.host]) [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge]; [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];}
If you use this, you’re vulnerable to Man-in-the-Middle attacks.
Data Collection
• If you intend to collect data, notify the user
• Give them the chance to opt out
• Don’t abuse your privileges and collect information you weren’t authorized for
Store Data Securely
• Encrypt sensitive information
• Encrypt the entire information store
• Use Keychain services to store information securely
• Salt the data
Keychain Services
• Security framework
• SecItemAdd - Add a new item
• SecItemDelete - Remove an existing item
• SecItemCopyMatching - Retrieves an existing item
Good Password Security
• Security theater at it’s best
• Which is more secure
• QEzur9NeT8 or chocolateprojectorglobemarker
• 7212 vs 2629
• Assuming 1 decryption/µs, 22 years vs. 1.085 x 1035 years
Restrict API Call Access
• Establish some sort of session information (username, password)
• Use security tokens
• Rate limiting
• 2 factor authentication
Logging/Monitoring
• Monitor your server logs
• Monitor crash reports from the field
• Set up monitoring in your app
Defensive Programming
• Assume the user is your enemy
• Analyze the code to look for potential buffer overflows
• (20% of all exploits, as reported by CERT in 2004)
• Validate all user input
• Use a fuzzer
• Securely design your interfaces
Testing/OCUnit
• ATYC: Always test your code
• The user base is not your beta testers
• “You are not done yet”
• Pen testing with BackTrack5, Wireshark, etc.
Additional Resources• Schneier on Security
• Krebs on Security
• F-Secure/Sophos/Symantec
• Apple
• CryptoExercise
• Security Engineering - Russ Anderson
• Computer Security - Matt Bishop
iOS References
• Apple Cryptographic Services Guide
• Apple Secure Programming Guide
• Apple Guide on Cryptography, Trust and Key Management
Discussion & Questions
• Your turn to talk or ask me questions.
