Smartphone Security
A Holistic view of Layered Defenses
David M. Wheeler, CISSP, CSSLP, GSLC
(C) 2012 SecureComm, Inc. All Rights Reserved
The Smartphone Market
• The smartphone security market is expected to grow at a rate of 44 percent annually, to be worth US $3 billion by 2015 (source: Canalys analyst report)
• Many vendors are jumping into the race to provide security solutions
• Solutions can be categorized by whether or not they require OEM/manufacturing support
Source: Juniper Networks
Current Stats & Trends
• Android growth is outpacing all other phones
• Smartphone use is increasing: 48% of Americans use smartphones today
• National Vulnerability Database, reported Android vulnerabilities: 2011: 83 total vulnerabilities; 2012: 60 as of April (217% increase)
• 8 of the top 50 malware reported by F-Secure are for Android
Smartphone Security Solutions
Hardware/OEM Solutions
• Trust Anchor & Trusted Boot
• SoC & HW Encryption
• Encrypted File System
• Hypervisor
• Secure OS
Software/3rd Party Solutions
• Remote Wipe
• App-Level Security
• Anti-Virus
• App Disablement
[Diagram: full disk encryption stack with pre-boot authentication: Boot Environment, Driver, Operating System, Storage, Encryption/Decryption]
How effective are these protections against modern malware that is active today?
The Malware Problem
Sampling of Android Malware
• Angry Birds Malware (April 2012): Android GingerBreak exploit
  – http://nakedsecurity.sophos.com/2012/04/12/android-malware-angry-birds-space-game/
  – Legitimate software from a questionable source
  – Includes a Trojan (Andr/KongFu-L) that gains root and loads malware
  – GingerBreak: http://c-skills.blogspot.com/2011/04/yummy-yummy-gingerbreak.html
• HippoSMS (July 2011): misuses permissions allowed by the user
  – http://www.csc.ncsu.edu/faculty/jiang/HippoSMS/
  – Sends SMS messages to premium services (all Java)
• SimChecker.A: Trojan collects geolocation and other confidential information from a device and sends out this stolen info via e-mail and SMS
  – http://www.f-secure.com/v-descs/monitoring-tool_android_simchecker_a.shtml
• GinMaster.A (April 2011): steals confidential info & sends it to a website
  – http://www.f-secure.com/v-descs/trojan_android_ginmaster_a.shtml
• DroidKungFu.C: roots the phone & collects sensitive info
  – Uses various exploits, including RageAgainstTheCage
  – Exploits are stored in the malware package and encrypted with a key
  – http://www.f-secure.com/v-descs/trojan_android_droidkungfu_c.shtml
• 8 of the top 50 malware of any platform reported by F-Secure (including Windows & Mac OS) are for Android
• National Vulnerability Database holds 83 Android vulnerabilities for 2011; as of 4/15/2012, 60 vulnerabilities are already reported
DroidKungFu
• DroidKungFu discovered in 2011
• Multi-function malware
  – Performs malicious commands (operates as a bot)
  – Downloads new software & files
  – Installs and deletes software (Apps)
  – Starts programs/Apps
  – Visits web sites
• Complex construction: uses both Java & native C code
• Bypasses anti-virus & makes reverse engineering harder
  – Includes two exploits to root the phone
  – Uses AES encryption to hide functions/features
  – Provides instructions on how to root your phone
• Collects user information
  – Sends the IMEI to a remote server
  – Reports phone model and OS version
  – Accesses any file from any App on the phone
Source: AndroidAuthority.com
http://blog.fortinet.com/clarifying-android-droidkungfu-variants/
Protection from DroidKungFu
• Anti-virus/malware scanners not effective
  – Malware code is encrypted
  – Different versions used different keys (polymorphic)
• Encrypted file system affords no protection
  – Malware accesses files through the OS just like legitimate Apps
  – If the user unlocks the phone for use (for any App), the file system is unlocked for the malware also
• Hypervisors not fully effective
  – Does not prevent rooting the OS; once rooted, would not prevent breaking out of the VM
  – Does not protect other Apps in the VM
• SE Linux / Secure OS possibly effective
  – Must have NO privilege escalation vulnerabilities; root access opens up the entire OS
• Trusted Boot
  – Detects rootkit modifications on reboot
  – Would not prevent initial exfiltration
Protection Requires…
• App-level file encryption to prevent unauthorized data access
• Host firewall on the smartphone to prevent data exfiltration & bot communications
Applying Hardware & OS Enhancements
• Control rests with untrusted parties
  – Handset OEMs and carriers control HW, OS & SW
  – Government has no control over manufacturing and the OEM process
• Most manufacturing is done in ITAR class D countries
  – Some attributed to the “Advanced Persistent Threat” (Office of the National Counterintelligence Executive)
• Hardware Trojans through the supply chain: known and unknown Trojans
• OS changes require OEM cooperation
  – Dictated by market demand
  – If you take control, then you have rooted-phone issues
    • Creates a backdoor into the OS
    • Other (untrusted) SW can utilize this backdoor
  – Software Trojans through the supply chain
Trust Anchors & Trusted Boot
• Looking at Intel’s Wireless Trust Module patents
  – Boots the phone into a trusted state
  – Based upon a hardware key in OTP flash or fuses, with a flexible provisioning process
  – Ensures the boot loader and base OS are valid and authorized; they cannot be modified except by the holder of the private key
  – Protects against rooting of a phone to replace the base OS or hypervisors, if present
• Vulnerabilities
  – Does not prevent privilege escalation attacks or rooting of the phone to add services or malware
  – Hardware Trojans added in the manufacturer or OEM supply chain
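The boot-chain check described above, as an added example that is not part of the original slides or of Intel's patents: a Python model in which a key anchored in the fuses authorizes the boot loader and then the base OS. The fused key, stage names and image bytes are constructed, and an HMAC under the fused secret stands in for the asymmetric signature the slides describe.

```python
import hashlib
import hmac

# Constructed model of the trust-anchored boot on these slides: a key held in OTP
# fuses authorizes the boot loader, then the base OS (and a hypervisor if present)
# before each is allowed to run. The slides describe an asymmetric signature only the
# OEM private-key holder can produce; this model substitutes an HMAC under a fused
# device secret so it runs on the standard library alone. Chain logic is unchanged.
FUSED_DEVICE_KEY = hashlib.sha256(b"constructed-OTP-fuse-secret").digest()  # fuse stand-in
ATTACKER_KEY = hashlib.sha256(b"constructed-key-outside-the-fuses").digest()

def authorize_image(stage: str, image: bytes, key: bytes = FUSED_DEVICE_KEY) -> bytes:
    """Tag an image for a named stage; binding the stage name defeats image swapping."""
    return hmac.new(key, stage.encode() + b"\x00" + image, hashlib.sha256).digest()

def provision(images: dict) -> list:
    """Authorized chain [(stage, image, tag), ...] in boot order, as the key holder ships it."""
    return [(stage, img, authorize_image(stage, img)) for stage, img in images.items()]

def verify_boot_chain(chain: list, key: bytes = FUSED_DEVICE_KEY):
    """Walk the chain in boot order; return the first stage whose tag fails, or None
    when every stage is authorized. A boot ROM halts or enters recovery at that stage."""
    for stage, image, tag in chain:
        if not hmac.compare_digest(authorize_image(stage, image, key), tag):
            return stage
    return None

def replace_stage(chain: list, stage: str, image: bytes, key: bytes = None) -> list:
    """Swap in a new image for one stage. key=None keeps the shipped tag (the image was
    patched in place); a key re-tags it, as someone without the fused key would have to."""
    out = []
    for s, img, tag in chain:
        if s == stage:
            img, tag = image, (authorize_image(s, image, key) if key else tag)
        out.append((s, img, tag))
    return out

# Constructed device: an authorized boot loader and base OS image.
CLEAN_CHAIN = provision({"boot_loader": b"bootloader-v1", "base_os": b"vendor-android-build"})

if __name__ == "__main__":
    print(verify_boot_chain(CLEAN_CHAIN))                                            # None
    print(verify_boot_chain(replace_stage(CLEAN_CHAIN, "base_os", b"os+rootkit")))  # base_os
    print(verify_boot_chain(replace_stage(CLEAN_CHAIN, "base_os", b"os+rootkit", ATTACKER_KEY)))
```

The check covers only what is in the chain: a run-time privilege escalation that leaves the shipped images untouched verifies clean on the next reboot, which is the gap the Vulnerabilities bullet above describes.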
SoC & HW Encryption
• Integrated System-on-a-Chip
  – Part of all smartphone hardware today
  – Densely packed, multi-layer boards
  – Often includes encryption modules embedded in the chip
  – Android device drivers are not available for the encryption engines and other advanced security features
• Vulnerabilities
  – Dense packaging makes hardware attacks on buses difficult (impossible for most attackers)
  – Physical attacks have a high probability of damaging chips (even for national labs; discussed further below)
Smartphone Architecture: Physical
iPhone 4 Hardware http://www.ifixit.com/Teardown/iPhone-4-Verizon-Teardown/4693/1
[Teardown photo labels: processor with PoP DDR SDRAM; power management (two chips); touch screen controller; power amplifiers (two); baseband/RF transceiver; 16 GB NAND flash; DRAM & flash MCP; WiFi, Bluetooth & GPS]
PoP = package on package
Encrypted File System
• Encrypts all data stored to a file system
• Protection occurs at the device driver layer
• Prevents access to phone/files/Apps if the phone is lost or accessed by an unauthorized user
• Very slow performance on flash architecture
  – Much faster on a PC (for disk drives)
  – Due to the characteristics of flash memory block size
• Vulnerabilities
  – Only as secure as the encryption key storage: is a HW trust anchor present?
  – Susceptible to rootkits
  – OEM partnership required (to integrate into the OS, or root the phone)
  – Does not protect App data from a malicious App (if malware escapes the sandbox)
Hypervisors
• Hosts one or more guest OSs, presenting a virtual operating platform
• Sits one level above the supervisory layer (HW drivers) of the platform
• Built for a specific HW platform
• Restricts a guest OS from direct access to HW (in most cases), but introduces performance penalties
• Vulnerabilities
  – Does not prevent rootkits (which are now VM-aware)
  – Requires OEM or manufacturer partnership
  – Highly susceptible to rooting of the phone
  – Are all the drivers and physical resources (SIM card, SD card, network) equally accessible to all guest OSs? There could be cross-infection between hypervisors
  – Google Labs is currently researching vulnerabilities
• Dominant players: VMware; Green Hills; Wind River
Secure OS
• SE Linux & SE Android from the same architect
• Must be provided by the OEM
• SE Linux requires a MAC policy (static view of Apps and drivers)
  – Does not offer flexible use of the smartphone App open marketplace concept
  – Adding a new App requires changes to be made in the OS policy; not likely to allow the user to do this (return to depot?)
• Vulnerabilities
  – Android OS vulnerabilities are growing; requires frequent patch updates (how will this impact certifications?)
  – Will an appropriate amount of resources be applied to keep SE Android updated?
  – Susceptible to rootkits (if a vulnerability is found); consider the PC security patching history
Rooting the Smartphone
• All security solutions, except third-party add-ons, root the phone unless working with the OEM or manufacturer
• Some attacks now check whether the phone is already rooted (DroidKungFu)
• New versions of Android are fixing known rooting vulnerabilities
  – Did we get them all? History says there are always more
Anti-virus SW
• Scans incoming SW & performs signature-based detection of known viruses
• Can be installed by the user or enterprise without difficulty
• Cannot scan SW brought in by non-standard mechanisms
  – Malware directly downloading a file from a remote host
• Vulnerabilities
  – Android does not support parallel processing, so AV cannot monitor run-time activity for abnormal behavior
  – This significantly reduces efficacy, limiting function to static signature scans only (no dynamic analysis of behavior)
App Disablement
• Go Mobile: stops certain Apps and services when a sensitive App is activated, or when a protected network is attached
  – Not effective if the OS is compromised, since a rootkit will “lie” to it. Example: “wireless is disabled” when it really isn’t
Remote Memory Wipe
• System or add-on SW that removes data on flash after receiving a remote command
• Android OS feature
• Vulnerabilities
  – Cannot work unless the phone is connected, or on removable media if not attached
  – May not wipe all forensic data from flash
App Security
• Wraps around each App, or wraps around a group of Apps
• Either way, the App needs to be modified slightly to call the security services
• Usually supports commonly used security services (integrity, confidentiality, passwords for authentication)
• Tends to be unnoticeable to the user: little to no performance impact
• Vulnerabilities
  – Crypto key protection is minimal to non-existent (FIPS 140-2 level 1)
  – Susceptible to malware interference and rootkit driver replacement
Hardware Attacks
• What about bus attacks & hardware attacks? Must be a physical attack (possession of the phone)
• National lab? Anything goes, but there is danger of damage to the HW
• Well-funded attacker? De-lid, chip replacement, advanced forensics; labs are available to de-lid for a small fee
• Hacker org? Software-based attacks: root the phone, memory dumps, privilege escalation, rootkit, data exfiltration, malware insertion
Requires Type-1 HW Protections
Requires Special HW Chips
Security: Multi-Layered Security
• Security is all about asking the right questions
  – What do you want secured? Data only? App usage? App code?
  – From whom do you want it secured? Remote attackers? Other users? Other Apps? Thieves? Lost phone?
  – When do you want it secured? During system operation? At boot? System turned off?
  – What does secured mean? Confidentiality? Integrity? Availability?
“To realize a cost-effective, COTS-based security solution, a layered security approach is required to achieve assured information sharing.”
Mobility Capability Package v1.1, 2012, NSA