Download - Penetration testing using mobile devices
![Page 1: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/1.jpg)
Penetration testing using mobile devices
Emerging Researcher Symposium
Presented by: Siyabonga ShelembeDate: 10 October 2012
![Page 2: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/2.jpg)
Introduction
Purpose :
• To investigate the current state of mobile devices in penetration
testing and future trends
Objectives:
• To review software developer communities’ experience with the use
of mobile devices in pen-testing
• To investigate the reasons behind the adoption of mobile device
pen-testing
• To investigate the techniques used on mobile pen-testing
• To investigate the use of mobile device for pen-testing
• To present future trends
© CSIR 2012 Slide 2
![Page 3: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/3.jpg)
Definition
Pen-testing is:
• A process of attempting to gain access to resources without the
knowledge of formal means of access such as usernames and
passwords (Mancini et.al, 2006)
• An attempt to compromise the security of the mechanism
undergoing the test, it can be host or network based (Fiocca, 2009)
Difference: pen-testing and hacking is permission
Its purpose is to find system vulnerabilities
© CSIR 2012 Slide 3
![Page 4: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/4.jpg)
Previous/traditional methods
• Host-based vulnerability
scanning
• Network based vulnerability
scanning
• Application scanning
• Web Application
Assessment Proxy
© CSIR 2012 Slide 4
![Page 5: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/5.jpg)
Previous/traditional methods
• Advantage: more reliable, it was used in the early 90s
• Disadvantage:
• Fixed workstations
• PCs need larger space
• PC set-up time
• Not easy to hide
• Lack portability
© CSIR 2012 Slide 5
![Page 6: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/6.jpg)
Traditional pen-testing is not complete - why?
• Banning laptops is not enough, cell-phones can hack too
• Pocket sized device is more convenient, since it is easy to carry
around at anytime
• A power plug is not innocent, need to look for activity other than just
traditional PCs / devices
© CSIR 2012 Slide 6
![Page 7: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/7.jpg)
Mobile device pen-testing
Pocket sized devices that connect to the internet and capable of running
mobile Operating System (OS)
Examples:
• Cell phone
• PDA
• Tablet
Other:
• USB
• Power Strip
© CSIR 2012 Slide 7
![Page 8: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/8.jpg)
How it works
© CSIR 2012 Slide 8
Mobile Device
Mobile OS
Pen-testing application
![Page 9: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/9.jpg)
… How it works
Current Android hacking applications:
• WiFi Analyzer
• SpoofApp
• FaceNiff
• Penetrate Pro
• Anti-Android Network Toolkit
• ConnectBot
• Network Discovery
• Wireless Tether
• Shark for Root
• Remote Exploit Applications
• Mobile MITM Attack
• Data Siphon
© CSIR 2012 Slide 9
![Page 10: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/10.jpg)
….How it works
• USB: install appropriate OS, e.g. backtrack and pen-testing tools
• Power plug: attach it to a pc connected to the network
• Own scripts: using program like C4Droid (a C/C++ compiler designed
for Android)
© CSIR 2012 Slide 10
![Page 11: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/11.jpg)
Mobile device pen-testing
Conducting pen-testing using mobile devices as a tool does not limit you to
a specific network
Potential victims include:
• Medical devices
• Cars
• Cell phones
• Networks
• Stealing keystrokes
• Electricity meters etc.
© CSIR 2012 Slide 11
![Page 12: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/12.jpg)
Challenges of mobile pen-testing
• Emerging field
• Industrial psychology
• Limited number of academic literature
• Battery power
• Limited CPUs (getting better)
© CSIR 2012 Slide 12
![Page 13: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/13.jpg)
Conclusion
Bottom line:
• Pen-tests can only measure how bad a person’s application is
• They’re far less effective at measuring how good an application is
Challenge:
• Researchers should look at mobile pen-testing tool since it can be a
great way of getting unexpected information out of a company
The more mobile / innocuous the pen-testing platform the better
© CSIR 2012 Slide 13
![Page 14: Penetration testing using mobile devices](https://reader030.vdocuments.us/reader030/viewer/2022012501/617a4f0d6dba5650232e66d6/html5/thumbnails/14.jpg)
Thank you