8/3/2019 Troopers 10 Bugs and Kisses Sheran Gunasekera
Bugs & Kisses
Spying on BlackBerry users for fun
Troopers Security Conference 2010
Friday, March 12, 2010
Social Engineering
The clever manipulation of the natural human
tendency to trust.
There's one born every minute.
There's always a chance you will get 0wned.
Push Email
QWERTY Keyboard
Granular Security Controls
Transport Level Security
Device Encryption
Granular Controls
Allow or deny access to User Data
Allow or deny access to Application Interaction
Allow or deny access to Internet Connectivity
Transport Security
Traffic is encrypted up to RIM in Canada
Cannot MITM
Even HTTP traffic goes over a tunnel
[Diagram labels: BlackBerry Handheld; Mobile Service Provider (Telco) or Internet Service Provider (ISP/Telco); Internet; Regional servers belonging to RIM; RIM Server Farm]
Device Encryption
Memory and micro-SD card cannot be read on another device
Stolen, encrypted devices are still safe
Granular Security Controls
Transport Level Security
Device Encryption
2 39
Vulnerabilities on SecurityFocus - Sep 09
Personal Information?
Personal (read naughty) pictures
Private text messages
Emails with passwords, contracts, personal info
Phone Call Logs; who have you been calling?
A Few Problems
We can't hack it - no useful vulnerabilities
We can't MITM - everything is encrypted
We could steal it...
APIs
Text Messages
Package: javax.wireless.messaging
Interface: MessageListener
Methods: setMessageListener()
- Receive and Send SMS messages without owner's knowledge
Demo
Bugs
Posts email to TROOPERS 10 - Wall of Geese
Download: http://www.zensay.com/Bugs.jad
Wall of Geese: http://www.zensay.com/geese.php
APIs
Email Messages
Package: net.rim.blackberry.api.mail.event
Interface: FolderListener
Methods: messagesAdded()
- Intercept and forward all emails on the BlackBerry handheld
- Send spoofed email from the device
APIs
Remote Listening
Package: net.rim.blackberry.api.phone
Interface: PhoneListener
Methods: EventInjector.invokeEvent()
- Silently intercept phone call, turn microphone on and listen in
- Portable bugging device
Demo
APIs
Remote Listening Part 2
Package: javax.microedition.media
Interface: Player / RecordControl
Methods: RecordControl.startRecord()
- Switch on microphone at timed intervals and record ambient sounds
- Save to SD Card or Memory and extract periodically
APIs
Camera
Package: javax.microedition.media.control
Interface: VideoControl
Methods: getSnapshot()
- Capture image from built-in camera
- Gives you a clue as to where the victim is
APIs
Location Based Services
Package: javax.microedition.location
Class: Location
Methods: getQualifiedCoordinates()
- Track the location of the victim
- Either time based checking or trigger based
BlackJacking
Attack Enterprise networks
Provide direct access to the internal network
Use a BlackBerry to proxy connections
Tool released called BBProxy
Other hacks
Steal contact information
Alter contact information, change email information, change meeting dates
Run up a victim's phone bill by making international calls
Use victim's phone to send bulk SMS messages
i can haz pwnage? kthx
Physically install the spyware on the device
Develop a game (too much work), or
develop a simple slideshow with pr0n
Push a message indicating that the user should download an upgrade
Dear Etisalat BlackBerry Customer,
Etisalat is always keen to provide you with
the best BlackBerry service and ultimate
experience, for that we will be sending you
a performance enhancement patch that
you need to install on your device. For more
information, please call 101
--Empower your Business with BlackBerry
and Mobile Solutions from Etisalat"
How did it work?
Hidden from Applications list
Starts off dormant
Has a command channel
Listens for message sent by Customer Service
Will forward all outgoing emails to a server
How did it work?
Problems
Constantly poll the message queue
Source code was available...sort of
Back end server collapsed
Berries slowed down, overheated and drained battery
How well hidden?
How well hidden?
CodeModuleGroup cmg = CodeModuleGroupManager.load("Bugs");
cmg.setFlag(CodeModuleGroup.FLAG_HIDDEN, true);
Kisses
Finds Bugs & other similar, hidden software
Simplifies the search for hidden apps.
Version 2.0 will be out next week!
Download:
http://www.zensay.com/Kisses.jad
Kisses
Works on Signature based detection
Allows a user to submit phone data for analysis
Baseline analysis is performed
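
Added example (not from the talk, and not Kisses' own code): the signature and baseline checks described above, applied to a constructed inventory of code module groups. The record layout, the signature set and every sample name except Bugs are assumptions, as is the premise that some legitimate groups are hidden too.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ModuleGroup:
    name: str     # code module group name reported by the handheld
    hidden: bool  # True when the group's hidden flag is set

# Signature set (assumption): names of known hidden spyware groups.
# "Bugs" is the proof of concept named on the slides.
SIGNATURES = {"bugs"}

def audit(inventory, baseline_names):
    """Return (name, reasons) for every group that needs a closer look."""
    baseline = {n.lower() for n in baseline_names}
    findings = []
    for group in inventory:
        key = group.name.lower()
        reasons = []
        if key in SIGNATURES:
            reasons.append("signature")
        if group.hidden:
            reasons.append("hidden")
        if key not in baseline:
            reasons.append("not-in-baseline")
        # Assumption: a hidden flag alone can be legitimate, so report
        # only signature hits and hidden groups that the known-good
        # baseline does not account for.
        if "signature" in reasons or (group.hidden and key not in baseline):
            findings.append((group.name, reasons))
    return findings

# Constructed sample data: a known-good baseline and a later inventory.
BASELINE = ["vendor_mail_client", "vendor_crypto_lib"]
SAMPLE_INVENTORY = [
    ModuleGroup("vendor_mail_client", hidden=False),
    ModuleGroup("vendor_crypto_lib", hidden=True),   # hidden, but expected
    ModuleGroup("Bugs", hidden=True),                # matches a signature
    ModuleGroup("sideloaded_game", hidden=False),    # new but visible
    ModuleGroup("perf_patch", hidden=True),          # no signature yet
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_INVENTORY, BASELINE):
        print(f"{name}: {', '.join(reasons)}")
```

The baseline pass is what reports perf_patch, a hidden group that no signature describes yet.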
Wrapping up
The BlackBerry is very secure
The problem lies in its complexity
Wrapping up
BlackBerry apps are not regulated
Nothing between you & spyware
Watch out
Don't install random pieces of software
Limit the amount of software on your BB
Learn and set Default Application Permissions
Don't let others use your phone
Always enable a device password
Keep up to date
http://chirashi.zensay.com
@chopstick_
Questions?
Thank you