
Page 1: AITP Security SIG April 2011

Mobile Attack Implications

Nicholas J. Percoco Senior Vice President and head of SpiderLabs

Page 2

Agenda

•  About Trustwave SpiderLabs
•  Attack Vector Evolution
•  Mobile Attack Cookbook
•  Conclusions
•  Questions?

Page 3

Who is SpiderLabs®?

SpiderLabs is the elite security team at Trustwave, offering clients the most advanced information security expertise available today.

The SpiderLabs team has performed more than 1,000 computer incident response and forensic investigations globally, as well as over 10,000 penetration and application security tests for clients -- more than any other provider.

Companies and organizations in more than 50 countries rely on the SpiderLabs team’s technical expertise to identify and anticipate cyber security attacks before they happen.

Featured speakers at: [conference logos]

Page 4

SpiderLabs – Our Mission

To continually deliver the most advanced expertise in information security in order to protect the digital assets of clients worldwide from a growing spectrum of malicious attacks.

We achieve this by:

•  Recruiting top-of-market talent from the information security community
•  Performing research in lab facilities in Chicago, London, Sydney and Sao Paulo
•  Using standardized methodologies and central QA processes to ensure quality and consistency

Page 5

SpiderLabs International Footprint

Languages spoken: English, French, Spanish, Greek, German, Portuguese, Mandarin, Cantonese, Japanese, Hindi, Zulu, Ndebele, Xhosa, Setswana, Sesotho, Shona

In-country presences: Australia, Brazil, Canada, Hong Kong, India, Mexico, Spain, United States, United Kingdom

Page 6

Attack Vector Evolution

Page 7

Attack Vector Evolution

[Chart: Attack Vectors Over Time. X-axis: 1950 to 2010 by decade; y-axis: 0 to 9. Series, in order of appearance: Physical, Network, E-mail, Application, Wireless, Client-Side, Mobile, Social Networking.]

Page 8

Attack Vector Evolution

1980s: Physical

Page 9

Attack Vector Evolution

1990s: Network

Page 10

Attack Vector Evolution

2000s: E-mail

Page 11

Attack Vector Evolution

2000s: Application

Page 12

Attack Vector Evolution

2000s: Wireless

Page 13

Attack Vector Evolution

2010s: Client-Side

Page 14

Attack Vector Evolution

2010: Client Side (Malware)

1.  Targeted Attack

2.  Drive-by Infection

3.  Manual Installation

Page 15

Attack Vector Evolution

2010s: Mobile

Page 16

Attack Vector Evolution

2010: Mobile

1.  Mobile Phishing Attacks

2.  Mobile Ransomware

3.  Fake Firmware and Jailbreaks

Page 17

Attack Vector Evolution

2010s: Social Networking

Page 18

Attack Vector Evolution

2010: Social Networking

1.  Malware Propagation

2.  Personal Information Exposure

3.  Data Mining

Page 19

Attack Vector Evolution

[Chart repeated from Page 7: Attack Vectors Over Time, 1950 to 2010, with the series Physical, Network, E-mail, Application, Wireless, Client-Side, Mobile, Social Networking.]

Page 20

Mobile Attack Cookbook

Page 21

Mobile Attack Cookbook

Page 22

Mobile Attack Cookbook – The Recipe

Ingredients

•  Motivation
•  Reversing Skills
•  Creativity
•  Motivation

Process

•  Step 1 – Pick a Platform to Target
•  Step 2 – Find a Vulnerability
•  Step 3 – Select a Payload
•  Step 4 – Build the Payload
•  Step 5 – Select a Payload Delivery Method
•  Step 6 – Test it Out

Page 23

Mobile Attack Cookbook – The Recipe

Step 1 – Pick a Platform to Target

•  Estimated at 20% of the smartphone market share
•  Many users are non-technical
•  The jailbreak community does the vulnerability research, so you don’t have to
•  Many users don’t EVER update their device to the latest iOS

Page 24

Mobile Attack Cookbook – The Recipe

Step 2 – Find a Vulnerability

•  Leverage the “Jailbreakme.com” vulnerabilities
   −  Affects iOS 4.0.2 or earlier – still likely 50% of the user base

•  What is it?
   −  The “star” PDF exploit – code execution
      −  Classic stack overflow
      −  Leverages an IOSurface (IOKit) bug for privilege escalation and sandbox escape
   −  The IOKit vulnerability – privilege escalation / escaping the sandbox
      −  Kernel integer overflow in the handling of IOSurface properties
      −  Calls setuid(0) inside Safari, getting root
   −  The jailbreak phase – set up residence on the iDevice
      −  Patches out kernel code signing
      −  Installs a basic jailbreak filesystem along with Cydia (apt-get)

Page 25

Mobile Attack Cookbook – The Recipe

Step 3 – Select a Payload

Implement a weaponized jailbreak

•  Patch out a “security” check comex had incorporated
   −  The jailbreakme.com PDFs had code to ensure they’d been downloaded from “jailbreakme.com”.
•  Patch out all the GUI pop-ups
   −  Didn’t want the victim to realize they were being hacked
•  Build a modified wad.bin with our “rootkit”

Page 26

Mobile Attack Cookbook – The Recipe

Step 4 – Build the Payload

SpiderLabs Research built a custom-written iOS “rootkit”

•  Patched UNIX utilities like ‘ls’, ‘ps’, ‘find’, ‘netstat’ from the JB filesystem
   −  Hiding our tools from actual jailbreakers
•  Port-knock daemon called “bindwatch” fakes its name in argv[0]
   −  Spawns a bind shell called, wait for it …. “bindshell”, which also fakes argv[0]
•  Trivial app to record AIFF from the mic – remote eavesdrop
•  Patched VNC to hide itself a little better
   −  Nice open-source iPhone VNC server by saurik
   −  Runs via a DYLIB in MobileSubstrate
   −  Mostly just removed the GUI config plist from System Preferences
   −  Coded a trivial CLI Obj-C program to configure and start VNC without the GUI
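The defender-side counterpart to Steps 2 and 4 above is jailbreak detection inside the app or MDM agent: the rootkit depends on the jailbreak filesystem (Cydia, apt, MobileSubstrate) and on a broken sandbox, and both leave checkable traces. This is an added example, not code from the deck or from Trustwave; the artifact paths beyond the names the deck mentions are commonly probed locations assumed here, and the sandbox probe assumes POSIX file semantics.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

/* Filesystem artifacts left by a Cydia / MobileSubstrate-style jailbreak.
   Assumption: these are the commonly probed locations; the deck itself
   only names Cydia, apt-get and MobileSubstrate. */
static const char *const kJailbreakPaths[] = {
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/etc/apt",
    "/private/var/lib/apt",
    "/usr/sbin/sshd",
};
#define NPATHS (sizeof kJailbreakPaths / sizeof kJailbreakPaths[0])

/* Count how many of the given paths exist (stat() succeeds). */
size_t count_existing_paths(const char *const *paths, size_t n) {
    struct stat st;
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (stat(paths[i], &st) == 0)
            hits++;
    return hits;
}

/* A sandboxed app cannot create files outside its container; if this
   write succeeds the sandbox is gone (jailbreak or escape), so clean up
   the probe file and report it. */
int can_write_outside_sandbox(const char *probe_path) {
    FILE *f = fopen(probe_path, "w");
    if (f == NULL)
        return 0;
    fclose(f);
    remove(probe_path);
    return 1;
}

/* Verdict for the app or MDM agent: any artifact, or a porous sandbox. */
int device_looks_jailbroken(void) {
    return count_existing_paths(kJailbreakPaths, NPATHS) > 0
        || can_write_outside_sandbox("/private/jailbreak_probe.txt");
}

int main(void) {
    printf("jailbreak indicators: %zu -> %s\n",
           count_existing_paths(kJailbreakPaths, NPATHS),
           device_looks_jailbroken() ? "JAILBROKEN" : "clean");
    return 0;
}
```

A patched ‘ls’ or ‘ps’ from the deck’s rootkit does not affect these checks, which call stat() and fopen() directly rather than shelling out.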

Page 27

Mobile Attack Cookbook – The Recipe

Step 5 – Select a Payload Delivery Method

Many methods can be used:

•  Fake jailbreak site
•  SEO-optimized site to target an organization
•  Phishing attack
•  Hack a popular site and install within the mobile version

Page 28

Mobile Attack Cookbook – The Recipe

Step 6 – Test it Out

Credit: Eric Monti, Trustwave SpiderLabs Research

Page 29

Conclusions

Page 30

Motivations For Attackers

•  There are over a half-billion devices on 3G networks
•  By 2020, there will be 10 billion devices
•  60% of all users carry their devices with them at ALL times
   −  For high-profile and business folks that is near 100%
•  A typical smartphone today has the same processing power as a PC from 8 years ago, plus:
   −  Always-on network connectivity
   −  Location aware thanks to GPS

Page 31

Motivations for Attackers

•  Users accessing highly sensitive information via smartphones is the norm
•  Users trust a smartphone over a public computer or kiosk
   −  Never question their smartphone’s integrity
•  Communication Services Providers (CSPs) must allow governments to access subscribers’ communications
   −  Case: In the UAE, Etisalat pushed a “performance update” to all their Blackberry subscribers.
   −  Reality: Malware was intentionally pushed down to allow interception of data communications.

Page 32

Conclusions

•  It is possible and feasible to write malware for a mobile device.
•  With a little work, automated functionality can be embedded.
•  Little attention is being paid to smartphone security, while everyone trusts their device to perform critical tasks.
•  In the next 10 years, we will see explosive growth in the number of attacks against smartphones and other mobile computing device platforms. Will we be prepared?

Page 33

Questions?

Page 34

SpiderLabs®

SpiderLabs® is an elite team of ethical hackers advancing the security capabilities of leading businesses and organizations in over 50 countries.

More information:

•  Web: https://www.trustwave.com/spiderlabs
•  Blog: http://blog.spiderlabs.com
•  Twitter: @SpiderLabs