Mobile Devices Vulnerabilities
Lecture 7
Security of Mobile Devices
2020
SMD Android Vulnerabilities, Lecture 7 1/62
Outline
General concepts
Application security
Remote attack surfaces
Local attack surfaces
Physical attack surfaces
Side channel attacks
Gaining root access
Bibliography
General concepts
- Vulnerabilities
- What can you gain?
- Causes
Mobile vs Desktop
Attack surface
- Attack vector
- Attack surface
- Castle analogy
Attack surface
Android system attack surface
Attack surface classification
- Remote
- Local
- Physical
Android application attack surface
- Activities
- Services (exposed and bound services)
- Broadcast receivers
- Content providers
Application security
- application permission issues
  - Android documentation related to permissions does not correspond with what the Android middleware actually requires
  - undergranting or overgranting permissions
- insecure transmission of sensitive data
- insecure data storage
  - plaintext storage
  - no encryption
  - Skype - world-readable, world-writable permissions, no encryption
Application security
- information leakage through logs
  - excessive, very verbose logging
  - Firefox - browsing activity, session identifiers
- insecure transmission of sensitive data
- unsecured IPC endpoints
  - who can access whom?
  - activities - UI redressing attacks (clickjacking) - Cloak and Dagger
  - bound services - expose functionality
  - content providers - expose data, susceptible to SQLite injection
  - broadcast receivers - implicit intents
Malware
- virus
- spyware
- botnet
- trojan
- rootkit
Google Infrastructure
- Google Single Sign On (SSO)
Google Infrastructure
- Google Single Sign On (SSO)
- Google Play Store
- Malicious applications
  - Third-party applications
  - Top 100 Android Paid App list
  - hacked, modified, available on 3rd party distribution sites
  - over 500k downloads
  - Android.troj.mdk Trojan infected over 1 million Chinese Android devices - Temple Run, Fishing Joy
Google Infrastructure
- Verify Apps feature queries a Google database
- Google Play Protect (Bouncer)
  - QEMU machine that runs the application in an isolated environment
  - dynamic runtime analysis tool
  - populates the environment with dummy data (contacts, photos)
Google Play Protect
- Why do we still have malicious apps with the Google Play Protect check?
Google Play Protect
- Evading Google Play Protect
  - identifying the unique dummy data
  - identifying the unique fingerprint of the QEMU instance
  - using a command and control server that sends the malicious code to the application only after the check
Malware detection
- signature based techniques
- machine learning based techniques
Malware countermeasures
- user education
- install apps from trusted sources
- wireless network security (no free WiFi)
- prevent rooting/jailbreaking
- keep OS up to date
Malware countermeasures
Network attacks
- No network services available
- Susceptible to common network attacks
  - Spoofing attacks (ARP, DNS, DHCP)
  - Man in the middle attacks
  - TCP attacks (SYN flooding, RST attack, sequence prediction attack)
  - DoS attacks
ARP Spoofing
Mobile network attacks
- Cellular communications - an additional remote attack surface
- SMS, MMS
- WAP push (Wireless Application Protocol)
Mobile network attacks
- Dialer attack
  - tel:// URI received through SMS, Twitter post
  - USSD code for factory reset
  - USSD code for resetting the PUK - after 10 attempts, the SIM card is destroyed
Mobile network attacks
- Stagefright attack
  - Android native multimedia library
  - exploited through MMS, Hangouts, web browsers
  - integer overflow leads to heap overflow
  - shellcode with a reverse TCP connection callback
Client-side attack surface
- Client applications
- Browser attacks
  - Plethora of technologies: HTTP(S)/FTP, HTML, JavaScript
  - rogue URL
  - cross-site scripting (XSS)
  - cross-site request forgery (CSRF)
Cross-site scripting
Cross-site request forgery
Client-side attack surface
- Web-powered mobile applications - Twitter, Dropbox
- Authentication - SSL/TLS certificates
- Apps do not adequately validate the certificates
- 8% of the apps on Google Play Store exposed to MitM attacks
Wireless communication attacks
- GPS
  - no known attacks to compromise a device
  - GPS spoofing
Wireless communication attacks
- Baseband (GSM, HSPA, LTE)
  - emulate a base station (cell tower) - specialized equipment
  - RIL (Radio Interface Layer) - AT commands through USB or Bluetooth (attention commands that can read/write messages, downgrade OS, charge the user)
Wireless communication attacks
- Bluetooth
  - weaknesses related to pairing and encryption in the Android Bluetooth stack (BlueDroid)
  - Bluejacking - send unsolicited messages to the target
  - Bluesnarfing - access unrestricted data from the target
  - BlueBorne - unrestricted access to a remote device. Heap overflow generated by sending multiple Bluetooth discovery packets.
  - BlueFrag - allows remote code execution through a specially crafted Bluetooth packet. Bluetooth address can be deduced from MAC address.
Wireless communication attacks
- WiFi
  - WEP, WPA, WPA2, WPA3
  - rogue AP (access point)
  - KRACK - Key Reinstallation Attack
Wireless communication attacks
- NFC
  - lack of encryption and authentication
  - browser attack
  - NFC relay attack
Wireless communication attacks
Local attack surfaces
- file system - files, pipes, character and block devices
  - F2FS (Flash Friendly File System) vulnerabilities
  - memory corruption → boundary checks → integer overflows
- TCP/IP stack
  - CVE-2014-0100
  - IPv4 fragmentation
  - race condition - fragment deleted before being added to a LRU list
  - use-after-free issue
  - internal denial of service
Local attack surfaces
- binder
  - use-after-free issue caused by race conditions between binder ioctl calls
- shared memory
  - KillingInTheNameOf jailbreak
  - remaps the system properties address space to be writable
  - ro.secure = 0
  - root access through ADB
Physical attack surfaces
- dismantling the device
- USB
  - send AT commands to the RIL - issue calls, alter the PIN
  - vold vulnerability - allows overwriting filesystems through USB
Side channel attacks
- What are they?
- Classification
  - Active vs Passive
  - Physical properties vs Logical properties
  - Local attackers vs Vicinity attackers vs Remote attackers
Local passive side channel attacks
- power analysis attack - attacks on DES
- electromagnetic analysis attack - attacks on AES, RSA, ECC, ECDSA
- smudge attack - unlock lock screen
- shoulder surfing and reflections - reflections on sunglasses can be used to capture what the user is writing/pressing
- hand and device movements - infer PIN input
Local active side channel attacks
- clock and power glitching
  - underclocking, overclocking
- electromagnetic fault injection
  - EM pulses affect the state of memory cells
- laser and optical faults
  - laser beams can flip bits in memory cells
- temperature variation
  - heating up can lead to faults in memory cells
  - cooling down can lead to a remanence effect of RAM (cold-boot attack)
Vicinity passive side channel attacks
- network traffic analysis
- USB power analysis
  - USB charging stations can detect power traces
  - infer visited sites
- WiFi signal monitoring
  - keystrokes can affect the WiFi signal - Channel State Information (CSI)
  - infer unlock patterns
Remote passive side channel attacks
- Linux inherited procfs leaks
  - /proc/[pid]/status
  - infer browsing behavior using the memory footprint
  - shared memory size increase to detect activity transitions
  - number of context switches and interrupts to detect keystroke patterns
- data-usage statistics
  - infer browsing behavior
- page deduplication
  - identical physical pages merged into one across different processes
  - copy-on-write fault when another process wants to write in that area
  - infer browsing behavior
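The Linux mitigation for the /proc/[pid] leaks listed above is mounting proc with the hidepid option, which Android has done since 7.0 (hidepid=2, with gid=3009 letting only the readproc group see other users' processes). As an added example that is not part of the lecture, this C program parses the text of /proc/mounts and reports the hidepid level in force; proc_hidepid(), next_tok() and the sample mount lines are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cut the next token off *cursor at `delim` (in place) and return it, or NULL
 * when the input is exhausted. Re-entrant, unlike strtok(), so lines and the
 * fields inside a line can be split in nested loops. */
static char *next_tok(char **cursor, char delim)
{
    char *start = *cursor;
    if (start == NULL || *start == '\0')
        return NULL;
    char *end = strchr(start, delim);
    if (end != NULL) {
        *end = '\0';
        *cursor = end + 1;
    } else {
        *cursor = NULL;
    }
    return start;
}

/* Parse /proc/mounts text (one "dev mountpoint fstype options dump pass" line
 * per mount) and return the hidepid level of the proc filesystem at /proc:
 *   -1  no proc filesystem mounted at /proc appears in the text
 *    0  mounted without hidepid: any user can read any /proc/[pid]/status
 *    1  hidepid=1 / noaccess: other users' /proc/[pid] exist but are unreadable
 *    2  hidepid=2 / invisible: other users' processes are not visible at all
 *    4  hidepid=4 / ptraceable (Linux 5.8+): only ptrace-able processes visible
 * If /proc appears more than once, the last line wins, as a later mount
 * shadows an earlier one at the same mount point. */
int proc_hidepid(const char *mounts)
{
    int level = -1;
    size_t len = strlen(mounts);
    char *copy = malloc(len + 1);           /* next_tok() writes into its input */
    if (copy == NULL)
        return -1;
    memcpy(copy, mounts, len + 1);

    char *lines = copy;
    for (char *line = next_tok(&lines, '\n'); line != NULL;
         line = next_tok(&lines, '\n')) {
        char *fields = line;
        char *dev  = next_tok(&fields, ' ');
        char *mnt  = next_tok(&fields, ' ');
        char *fs   = next_tok(&fields, ' ');
        char *opts = next_tok(&fields, ' ');
        if (dev == NULL || mnt == NULL || fs == NULL || opts == NULL)
            continue;                       /* blank or malformed line */
        if (strcmp(mnt, "/proc") != 0 || strcmp(fs, "proc") != 0)
            continue;

        level = 0;                          /* proc found; no hidepid unless set */
        char *optc = opts;
        for (char *opt = next_tok(&optc, ','); opt != NULL;
             opt = next_tok(&optc, ',')) {
            if (strncmp(opt, "hidepid=", 8) != 0)
                continue;
            const char *val = opt + 8;
            if (strcmp(val, "off") == 0)             level = 0;
            else if (strcmp(val, "noaccess") == 0)   level = 1;
            else if (strcmp(val, "invisible") == 0)  level = 2;
            else if (strcmp(val, "ptraceable") == 0) level = 4;
            else                                     level = atoi(val);
        }
    }
    free(copy);
    return level;
}

/* Constructed sample lines in /proc/mounts format (not from a real device). */
static const char SAMPLE_WEAK[] =
    "rootfs / rootfs ro 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n";

/* Shape of the hardened mount: hidepid=2 plus the gid that may still read
 * every /proc/[pid] (3009 is Android's readproc group). */
static const char SAMPLE_HARDENED[] =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=3009,hidepid=2 0 0\n";

int main(void)
{
    printf("sample without hidepid -> level %d\n", proc_hidepid(SAMPLE_WEAK));
    printf("sample with hidepid=2  -> level %d\n", proc_hidepid(SAMPLE_HARDENED));

    /* The same check against the running system's own mount table. */
    FILE *f = fopen("/proc/mounts", "r");
    if (f != NULL) {
        char buf[65536];
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        printf("this host: /proc hidepid level %d\n", proc_hidepid(buf));
    }
    return 0;
}
```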
Remote passive side channel attacks
- microarchitectural attacks
  - timing behavior of cryptographic system components
  - branch prediction units, CPU caches
  - cache-timing attacks against AES
- location inference
  - accelerometer, gyroscope
  - speaker status information offered by the Android API
  - infer speech length (Turn right onto East Main Street)
- speech recognition
  - acoustic signals can influence gyroscope measurements
Remote active side channel attacks
- Rowhammer
  - DDR3 or DDR4 SDRAM cells
  - high cell density in DRAM
  - cells leak their electrical charge to other cells
  - bypass isolation between DRAM memory cells
  - RAMpage attack - gain root privileges
Rowhammer
RageAgainstTheCage jailbreak
    /* Code intended to run with elevated privileges */
    do_stuff_as_privileged();

    /* Drop privileges to unprivileged user */
    setuid(uid);

    /* Code intended to run with lower privileges */
    do_stuff_as_unprivileged();
RageAgainstTheCage jailbreak
ERRORS (setuid(2)):
    EAGAIN  The uid does not match the current uid and uid brings process over its RLIMIT_NPROC resource limit.
RageAgainstTheCage jailbreak
RLIMIT_NPROC (getrlimit(2)):
    The maximum number of processes (or, more precisely on Linux, threads) that can be created for the real user ID of the calling process. Upon encountering this limit, fork(2) fails with the error EAGAIN.
RageAgainstTheCage jailbreak
- too many processes → setuid will fail → privileges will not be dropped
- Who can we target for this? Answer: ADB

    /* then switch user and group to "shell" */
    setgid(AID_SHELL);
    setuid(AID_SHELL);
RageAgainstTheCage jailbreak
- fork() up to RLIMIT_NPROC for the shell user
- kill the adb process, fork() again
- setuid() fails for adb
- adb shell is now a root shell
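The check missing from the snippets above, as an added example that is not the lecture's or adbd's own code: drop_unchecked() reproduces the pattern with the setuid() return value ignored, drop_checked() is the hardened form, and setuid_eagain() is a constructed stand-in for setuid() failing with EAGAIN under RLIMIT_NPROC, so the difference can be observed without exhausting the process limit.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* setuid-style function pointer, so both patterns below can be run against
 * the real setuid(2) and against a stand-in that fails the way setuid()
 * fails once the target uid is over its RLIMIT_NPROC. */
typedef int (*setuid_fn)(uid_t);

/* Stand-in (constructed for this demo) for setuid() under RLIMIT_NPROC
 * pressure: it changes nothing and reports EAGAIN, as setuid(2) documents. */
int setuid_eagain(uid_t uid)
{
    (void)uid;
    errno = EAGAIN;
    return -1;
}

/* The pattern from the slide: the return value of setuid() is ignored, so a
 * failed call leaves the "unprivileged" code running with the original
 * (privileged) ids. Returns the effective uid that code would run as. */
uid_t drop_unchecked(setuid_fn do_setuid, uid_t target)
{
    do_setuid(target);                 /* failure silently ignored */
    return geteuid();                  /* what do_stuff_as_unprivileged() sees */
}

/* Hardened pattern: a failed setuid() is fatal for the privileged section,
 * and getuid()/geteuid() confirm the kernel really changed the ids (in real
 * code setgid() goes first, as in the adb snippet, and is checked the same
 * way). Returns 0 when privileges were dropped, -1 (errno set) when not. */
int drop_checked(setuid_fn do_setuid, uid_t target)
{
    if (do_setuid(target) != 0)
        return -1;                     /* EAGAIN, EPERM, ...: do not continue */
    if (getuid() != target || geteuid() != target) {
        errno = EACCES;                /* "success" but the ids did not change */
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t me = getuid();
    uid_t other = (me == 12345) ? 12346 : 12345;   /* some uid that is not ours */

    printf("running as uid %u\n", (unsigned)me);
    printf("unchecked drop, setuid fails: code keeps running as uid %u\n",
           (unsigned)drop_unchecked(setuid_eagain, other));
    if (drop_checked(setuid_eagain, other) != 0)
        printf("checked drop, setuid fails: refused (%s)\n", strerror(errno));
    if (drop_checked(setuid, me) == 0)   /* setuid() to our own uid succeeds */
        printf("checked drop with the real setuid(): ok\n");
    return 0;
}
```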
Other jailbreaks
- Go to the "Don't Root Robots" presentation
Bibliography
- Android Hacker's Handbook, Joshua J. Drake, 2014
- Systematic Classification of Side-channel Attacks: A Case Study for Mobile Devices, Raphael Spreitzer, Veelasha Moonsamy, Thomas Korak and Stefan Mangard
- A Survey on Smartphones Security: Software Vulnerabilities, Malware and Attacks
Keywords
- Attack vector
- Attack surface
- Application security
- Side channel attacks
- Root access
- Cellular communications
- WiFi
- Bluetooth
- NFC
- Activities
- Services
- Content providers
- Broadcast receivers
- Bouncer