Smart Phone Hacks And Attacks - A Demonstration of Current Threats to Mobile Devices

  • 8/14/2019 Smart Phone Hacks And Attacks - A Demonstration of Current Threats to Mobile Devices

    Smartphone Hacks and Attacks: A Demonstration of Current Threats to Mobile Devices

    Daniel V. Hoffman, CISSP, CEH, CHFI

    Chief Technology Officer

    Troy Vennon, CISSP, CEH, OPST

    Global Threat Center Research Engineer

    Copyright 2009 SMobile Systems

    SMobile Global Threat Center

    Exploit Research and Development

    Complete threat analysis against all exploit vectors

    Continual assessment of new devices and platforms

    Knowledge-share with worldwide device exploit network

    Malware Operation Center

    Actively monitor SMobile customer Malware alerts, reporting and trending

    Monitor and scan publicly submitted Malware samples

    Scan partner feeds for discovered/recent viruses, Spyware, etc.

    Continually monitor underground and public Malware bulletin boards, websites, newsgroups, etc.

    BlackBerry

    Symbian

    Windows Mobile

    iPhone

    Android

    Palm

    Smartphone Security In The News

    Android Security Chief: Mobile-phone Attacks Coming

    PC World, August 12th 2009

    "The smartphone OS will become a major security target," said Android Security Leader Rich Cannings.

    "We wanted developers to be able to upload their applications without anyone stopping them from doing that," Cannings said. "Unfortunately this opens us up to malware."

    Identity Theft Moves to Mobile

    Identity theft is the Number 1 consumer crime in America

    Identity theft is a $50 billion per year industry

    75% of "Phishing" e-mails are banking related

    5 million U.S. consumers lost money to phishing attacks in 2008 - a 40% increase for that period

    SMS (text) messaging is now the second leading conduit for phishing attacks

    80% of mobile device owners store personal information on their handset

    40% of users who store credit card information on their handset do not have a basic password on the device to limit entry

    24% of smartphone users store bank account details on their device

    10% store credit card information

    Approximately 2 million smartphones were stolen in the US in 2008

    - Gartner Research - Credant Technologies

    Mobile Banking is on the Rise

    Mobile Banking Trojan January 21, 2009

    Phone Virus Steals Money February 8, 2009

    News Clips

    Smartphones are rapidly replacing feature phones. Analyst predictions state that by 2012, 65% of all cell phone sales will be smartphones

    Cell phones are used for the same functions and have the same capabilities as PCs

    While most PCs have at least some security software in place, smartphones commonly do not have any security software installed

    Smartphones are the new PCs for consumers

    Smartphones are the new workstations for workers

    Smartphones are susceptible to the exact same threats as PCs

    Threats to Mobile Devices

    Malware: Viruses, Worms, Trojans, Spyware

    Direct Attack: Attacking device interfaces, browser exploits, etc.

    Physical Compromise: Accessing sensitive data

    Data Communication Interception: Sniffing data as it is transmitted and received

    Authentication/Identity Spoofing and Sniffing: Accessing resources with a user's identity or credentials

    Exploitation and Misconduct: Online predators, pornography, inappropriate communications

    Are Application Signing and Review Processes the Answer?

    Spyware Pushed By Carrier to BlackBerry Users

    Symbian Malware Infections

    Let's get specific as to what's happening today with Spyware, Direct Attacks and Loss and Theft

    Spyware Capabilities:

    Intercept and post to a website every SMS, MMS and e-mail (see image)

    Track every key typed by the device

    Remotely and silently turn on the phone to hear ambient conversations

    Track the position of the device

    Spyware Properties:

    Silently runs on devices without the knowledge of the device user

    Easily installed via Trojans and other Malware

    2 of the top 3 BlackBerry infectors are Spyware

    4 of the top 5 Windows Mobile infectors are Spyware

    Users and enterprises who are waiting to experience an infection before implementing security software are placing themselves into the unsavory position of unknowingly becoming infected with Spyware and having absolutely no security software in place to address that infection.

    SMobile Global Threat Center

    Mobile Banking Keylogger

    Spyware Demo

    Threat: Direct Attack

    Curse of Silence Demo

    iPhone E-mail Sniff

    Sniffed Packets 118 and 140

    Threat: Loss and Theft

    Physical Compromise

    Even using a PIN/passcode doesn't guarantee protection

    Data is still unencrypted

    The authentication method can be bypassed

    iPhone Encryption

    Threat: Exploitation and Misconduct

    Exploitation and Misconduct

    Enterprises: Where is your data going?

    What is your employee e-mailing, storing on their phone, texting?

    What pictures are employees taking; Data Leakage Protection

    What websites are being visited with the company device? You control your PCs, why not your smartphones?

    Threat                             SMobile Product
    Malware                            Antivirus, Firewall, Application Revocation, Update OS
    Direct Attack                      Firewall, AntiVirus, Update OS
    Physical Compromise                Encryption, Lock and Wipe
    Data Communication Interception    VPN, SSL
    Authentication Attacks             VPN, Antivirus, SSL, Firewall, Update OS
    Exploit and Misconduct             Parental and Enterprise Controls, Application Revocation

    * Treat the smartphone like a PC because that's essentially what it is

    Conclusion

    Threats to smartphones do exist and devices are being exploited. This is an undeniable fact and the data supports it

    Smartphones are the new PCs and need to be protected with the same security technologies

    Physical compromise is currently the easiest means of exploitation

    Smartphone Malware does exist and has infected devices

    Malware is now being written to be stealthy, undetectable and for financial gain; infection and exploitation can occur without the knowledge of the device user/owner

    Not all smartphone security products do not significantly drain the battery!

    Additional Resources:

    SMobilesystems.com (Global Threat Center/Mobile Security News)

    Ethicalhacker.net

    BlackJacking Book

    Complete Guide to NAC Book