AITP Security SIG, April 2011
Description: Thank you Nick!
Transcript
Mobile Attack Implications
Nicholas J. Percoco Senior Vice President and head of SpiderLabs
Copyright Trustwave 2011
Agenda
• About Trustwave SpiderLabs
• Attack Vector Evolution
• Mobile Attack Cookbook
• Conclusions
• Questions?
Who is SpiderLabs®?
SpiderLabs is the elite security team at Trustwave, offering clients the most advanced information security expertise available today.
The SpiderLabs team has performed more than 1,000 computer incident response and forensic investigations globally, as well as over 10,000 penetration and application security tests for clients -- more than any other provider.
Companies and organizations in more than 50 countries rely on the SpiderLabs team’s technical expertise to identify and anticipate cyber security attacks before they happen.
Featured Speakers at:
SpiderLabs – Our Mission
To continually deliver the most advanced expertise in information security in order to protect the digital assets of clients worldwide from a growing spectrum of malicious attacks. We achieve this by:
• Recruiting top of market talent from the information security community
• Performing research in lab facilities in Chicago, London, Sydney and Sao Paulo
• Using standardized methodologies and central QA processes to ensure quality and consistency
SpiderLabs International Footprint
Languages spoken: English, French, Spanish, Greek, German, Portuguese, Mandarin, Cantonese, Japanese, Hindi, Zulu, Ndebele, Xhosa, Setswana, Sesotho, Shona
In-country presences: Australia, Brazil, Canada, Hong Kong, India, Mexico, Spain, United States, United Kingdom
Attack Vector Evolution
Attack Vector Evolution
[Chart: Attack Vectors Over Time, 1950–2010. Series: Physical, Network, E-mail, Application, Wireless, Client-Side, Mobile, Social Networking]
Attack Vector Evolution
1980s: Physical
Attack Vector Evolution
1990s: Network
Attack Vector Evolution
2000s: E-mail
Attack Vector Evolution
2000s: Application
Attack Vector Evolution
2000s: Wireless
Attack Vector Evolution
2010s: Client-Side
Attack Vector Evolution
2010: Client Side (Malware)
1. Targeted Attack
2. Drive-by Infection
3. Manual Installation
Attack Vector Evolution
2010s: Mobile
Attack Vector Evolution
2010: Mobile
1. Mobile Phishing Attacks
2. Mobile Ransomware
3. Fake Firmware and Jailbreaks
Attack Vector Evolution
2010s: Social Networking
Attack Vector Evolution
2010: Social Networking
1. Malware Propagation
2. Personal Information Exposure
3. Data Mining
Attack Vector Evolution
[Chart repeated: Attack Vectors Over Time, 1950–2010, same eight series as above]
Mobile Attack Cookbook
Mobile Attack Cookbook – The Recipe
Ingredients
• Motivation
• Reversing Skills
• Creativity
• Motivation
Process
• Step 1 – Pick a Platform to Target
• Step 2 – Find a Vulnerability
• Step 3 – Select a Payload
• Step 4 – Build the Payload
• Step 5 – Select a Payload Delivery Method
• Step 6 – Test it Out
Mobile Attack Cookbook – The Recipe
Step 1 – Pick a Platform to Target
• Estimated at 20% of the smartphone market share
• Many users are non-technical
• Jailbreak community does the vulnerability research, so you don’t have to
• Many users don’t EVER update their device to the latest iOS
Mobile Attack Cookbook – The Recipe
Step 2 – Find a Vulnerability
• Leverage the “Jailbreakme.com” vulnerabilities
• Affect iOS 4.0.2 or earlier – still likely 50% of the user base
• What is it?
• The “star” PDF Exploit – Code execution
  − Classic stack overflow
  − Leverages IOSurface (IOKit) bug for privilege escalation and sandbox escape
• The IOKit Vulnerability – Priv. escalation / escaping the sandbox
  − Kernel integer overflow in handling of IOSurface properties
  − Calls setuid(0) inside Safari, getting root
• The Jailbreak Phase – Set up residence on the iDevice
  − Patches out kernel code signing
  − Installs a basic jailbreak filesystem along with Cydia (apt-get)
Mobile Attack Cookbook – The Recipe
Step 3 – Select a Payload
Implement a Weaponized Jailbreak
• Patch out a “security” check comex had incorporated
  − The jailbreakme.com PDFs had code to ensure they’d been downloaded from “jailbreakme.com”.
• Patching out all the GUI pop-ups
  − Didn’t want the victim to realize they were being hacked
• Build a modified wad.bin with our “rootkit”
Mobile Attack Cookbook – The Recipe
Step 4 – Build the Payload
SpiderLabs Research built a custom-written iOS “Rootkit”
• Patched UNIX utilities like ‘ls’, ‘ps’, ‘find’, ‘netstat’ from the JB filesystem
  − Hiding our tools from actual jailbreakers
• Port knock daemon called “bindwatch” fakes its name on argv[0]
• Spawns a bind-shell called, wait for it …. “bindshell”, which also fakes argv[0]
• Trivial app to record AIFF on the mic – remote eavesdrop
• Patched VNC to hide itself a little better
  − Nice open source iPhone VNC server by saurik
  − Runs via a DYLIB in MobileSubstrate
  − Mostly just removed the GUI config plist from System Preferences
  − Coded a trivial CLI Obj-C program to configure and start VNC without the GUI
Mobile Attack Cookbook – The Recipe
Step 5 – Select a Payload Delivery Method
Many methods can be used:
• Fake jailbreak site
• SEO-optimized site to target an organization
• Phishing attack
• Hack a popular site and install within the mobile version
Mobile Attack Cookbook – The Recipe
Step 6 – Test it Out
Credit: Eric Monti, Trustwave SpiderLabs Research
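The rootkit built in Step 4 hides its bind shell behind a port-knock daemon, so one network-side control is to look for the knock pattern itself rather than for the (hidden) listener. The detector below is an added example, not part of this deck or of Trustwave's tooling; it assumes an iptables-style firewall log whose format and sample lines are constructed here, and flags any source that probes several dropped ports on a host and then gets an accepted connection to that host within a short window.

```python
"""Flag port-knock sequences followed by a newly accepted connection in firewall logs."""
import re
from collections import defaultdict

# Constructed sample log in an assumed iptables-style format (not from the original deck).
# Source 203.0.113.7 knocks on three closed ports, then reaches a high port that opens up.
SAMPLE_LOG = """\
t=100 action=DROP SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=7000 SYN
t=101 action=DROP SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=8000 SYN
t=102 action=DROP SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=9000 SYN
t=104 action=ACCEPT SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=31337 SYN
t=200 action=ACCEPT SRC=198.51.100.9 DST=192.0.2.20 PROTO=TCP DPT=443 SYN
t=300 action=DROP SRC=198.51.100.9 DST=192.0.2.20 PROTO=TCP DPT=22 SYN
"""

LINE_RE = re.compile(r"t=(\d+) action=(\w+) SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+) SYN")


def parse(log):
    """Return (time, action, src, dst, dport) tuples for every SYN line that matches."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, action, src, dst, dport = m.groups()
            events.append((int(t), action, src, dst, int(dport)))
    return events


def find_knock_sequences(log, min_knocks=3, window=30):
    """Return (src, dst, knocked_ports, opened_port) for each source that hit at least
    `min_knocks` distinct DROPped ports on a host and was then ACCEPTed on that host,
    with all knocks falling within `window` seconds of the accepted connection."""
    by_pair = defaultdict(list)
    for ev in parse(log):
        by_pair[(ev[2], ev[3])].append(ev)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort()
        knocks = []  # (time, port) of recent dropped SYNs from this source to this host
        for t, action, _, _, dport in evs:
            knocks = [k for k in knocks if t - k[0] <= window]  # expire old knocks
            if action == "DROP":
                knocks.append((t, dport))
            elif action == "ACCEPT":
                ports = sorted({p for _, p in knocks})
                if len(ports) >= min_knocks:
                    alerts.append((src, dst, ports, dport))
                knocks = []  # a successful connection ends the candidate sequence
    return alerts
```

Tune `min_knocks` and `window` to the environment; ordinary scanners also trip DROPs, so the accepted connection on a previously unused high port is the part worth alerting on.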
Conclusions
Motivations For Attackers
• There are over a half-billion devices on 3G networks
• By 2020, there will be 10 billion devices
• 60% of all users carry their devices with them at ALL times
  − For high-profile and business folks that is near 100%
• A typical smartphone today has the same processing power as a PC from 8 years ago, plus:
  − Always-on network connectivity
  − Location aware thanks to GPS
Motivations for Attackers
• Users accessing highly sensitive information via smartphones is the norm
• Users trust a smartphone over a public computer or kiosk
  − Never question their smartphone’s integrity
• Communication Services Providers (CSPs) must allow for governments to access subscribers’ communications
  − Case: In the UAE, Etisalat pushed a “performance update” to all their BlackBerry subscribers.
  − Reality: Malware was intentionally pushed down to allow interception of data communications.
Conclusions
• It is possible and feasible to write malware for a mobile device.
• With a little work, automated functionality can be embedded.
• Little attention is being paid to smartphone security, while everyone trusts their device to perform critical tasks.
• In the next 10 years, we will see an explosive growth in the number of attacks against smartphones and other mobile computing device platforms. Will we be prepared?
Questions?
SpiderLabs®
SpiderLabs® is an elite team of ethical hackers advancing the security capabilities of leading businesses and organizations in over 50 countries.
More Information:
Web: https://www.trustwave.com/spiderlabs
Blog: http://blog.spiderlabs.com
Twitter: @SpiderLabs