Mobile Vulnerabilities From Data Breach to Complete Shutdown (slide transcript)
Page 1
#RSAC
Session ID: MBS-T09
Mobile Vulnerabilities From Data Breach to Complete Shutdown
Yair Amit, CTO and Co-founder, Skycure, @YairAmit
Adi Sharabani, CEO and Co-founder, Skycure, @adisharabani
Page 2
Agenda
- The Mobile Security Landscape
- SSL Stack Vulnerabilities
- No-iOS-Zone Vulnerability
- The Vulnerability Lifecycle
- Summary & Apply
Lifecycle graphic: Bug → Vulnerability → Exploit → Fix → Exposure → Sibling Threats
Page 3
Mobile Security Landscape
Page 4
Stolen / Compromised / Lost
Page 5
- 24/7 exposure
- Off-the-shelf hacking tools
- WiFi & cellular
Page 6
- External Android stores
- Repackaged apps
- iOS impact
Page 7
- OS & app-level
- Patching challenges
- Never-ending story
Page 8
This Presentation’s Focus
Page 9
Network Incident Statistics
[Chart: Affected Devices Over Time. Y-axis: % affected devices (0 to 50%); x-axis: 0, 1 Month, 2 Months, 3 Months, 4 Months; two series, 2015 and 2014. Data labels as extracted: 0%, 25%, 30%, 38%, 43% and 0%, 23%, 30%, 35%, 41%.]
Based on Skycure Threat Intelligence
Page 10
Known iOS Vulnerabilities (by Year)
Source: Skycure analysis based on CVEdetails.com
[Chart: Number of CVEs per year, 2007 to 2015, with a trajectory line; y-axis 0 to 180.]
Page 11
Actual Numbers Are Higher
- Awareness: what seems to be about quality might be about security
- Motivation: black market
- Finding a bug in a haystack: 2014 reminded us that bugs can lie undetected for A LOT of years
Page 12
Safari Crash
So… What did we do next? (demo)
Page 13
Nothing.
Page 14
But We Did Research Another Bug…
Quick findings:
- iOS devices
- A specific network
- Almost any app crashes
Further analysis:
- SSL certificate parser bug
(demo)
Page 15
SSL Stack Issues
- goto fail;
- Heartbleed
- SSL decryption
- …
Page 16
Example 1: GoToFail
Gotofail – The Code (source: Apple’s published source code)

```c
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
    …
    if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;

    err = sslRawVerify(ctx,
                       ctx->peerPubKey,
                       dataToSign,       /* plaintext */
                       dataToSignLen,    /* plaintext length */
                       signature,
                       signatureLen);
    …
fail:
    SSLFreeBuffer(&signedHashes);
    SSLFreeBuffer(&hashCtx);
    return err;
}
```

Slide annotations:
- The second "goto fail;" is unconditional: it always jumps to "fail", even if err == 0.
- The code after it is skipped (even though err == 0).
- The function returns 0 (i.e. verified), even though sslRawVerify was not called.
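The slide's excerpt is truncated and cannot be compiled as-is, so here is an added example (not Apple's code) that models the same control flow with constructed stand-ins for the hash and signature-check routines. It shows that the stray `goto fail;` makes the function return 0 ("verified") for a forged signature, while the one-line fix returns the verifier's error:

```c
/* Added example: a runnable model of the gotofail control flow.
 * hash_update() and raw_verify() are constructed stand-ins, not Apple's
 * SSLHashSHA1.update() / sslRawVerify(). */
#include <stdio.h>
#include <string.h>
typedef int OSStatus;   /* 0 means success, as in Apple's Security framework */

/* Stand-in for the hashing steps; they always succeed here. */
static OSStatus hash_update(const char *chunk) { (void)chunk; return 0; }

/* Stand-in for sslRawVerify(): 0 only if the signature matches the
 * (constructed) value the server key would have produced. */
static OSStatus raw_verify(const char *expected_sig, const char *signature) {
    return strcmp(expected_sig, signature) == 0 ? 0 : -1;
}

/* As shipped: the duplicated "goto fail;" is unconditional, so raw_verify()
 * is never reached and err still holds the 0 from the last hash_update(). */
static OSStatus verify_buggy(const char *expected_sig, const char *signature) {
    OSStatus err;
    if ((err = hash_update("clientRandom")) != 0) goto fail;
    if ((err = hash_update("serverRandom")) != 0) goto fail;
    if ((err = hash_update("signedParams")) != 0) goto fail;
        goto fail;                                 /* the stray line */
    err = raw_verify(expected_sig, signature);     /* never executed */
fail:
    return err;
}

/* Fixed: with the stray line removed, err carries the verification result. */
static OSStatus verify_fixed(const char *expected_sig, const char *signature) {
    OSStatus err;
    if ((err = hash_update("clientRandom")) != 0) goto fail;
    if ((err = hash_update("serverRandom")) != 0) goto fail;
    if ((err = hash_update("signedParams")) != 0) goto fail;
    err = raw_verify(expected_sig, signature);
fail:
    return err;
}

int main(void) {
    /* Constructed sample: "forged" is not the signature the key produced. */
    printf("buggy: forged signature -> %d (0 = accepted)\n",
           verify_buggy("sig-ok", "forged"));
    printf("fixed: forged signature -> %d\n", verify_fixed("sig-ok", "forged"));
    return 0;
}
```

Compiling the buggy version with clang's -Wunreachable-code reports the dead raw_verify() call, which is the cheapest check for this class of defect.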
Page 17
Example 2: SSL Decryption
92% of users click on “Continue”, compromising their Exchange identity (username and password)
Continue: 92%; Cancel: 8%
Source: Skycure Threat Intelligence
Page 18
SSL Bugs - Implications
- Data decryption
- Data leakage
- Remote control
In our case, none of the above was feasible.
Page 19
Going back to our crash…
Page 20
Is This Really Interesting?
Current attack flow:
- Attacker creates a malicious “Free Public Wifi” network
- Victim connects to the network
- All apps constantly crash
Problems with the attack:
- Victim needs to connect to the malicious network
- Victim is likely to understand that the issue relates to the network
- Victim can simply switch to another network to resolve the impact
Page 21
Is Manual Connection Required?
WiFi auto connect:
- Karma attacks
- WiFiGate
Cellular attacks:
- Fake towers
Lifecycle graphic: Bug → Vulnerability → Exploit
Page 22
So, Is This Interesting Now?
Current attack flow:
- Attacker forces nearby victims to connect to the malicious network
- No victims’ action required
- Users cannot use any SSL-enabled iOS apps
Problems with the attack:
- Victims can still determine the attack is associated with the network
- Victims can move to “airplane mode” or switch to another network
Page 23
But What About the OS?
Unsurprisingly, iOS system processes also use SSL.
Impact: iOS crash
Page 24
Loop graphic: iOS crashes → device restarts → iOS bug exploited again → iPhone crashes again, and again, and again, and again
(demo)
Page 25
So, Now It Is Interesting…
Current attack flow:
- Attacker forces nearby victims to connect to the malicious network
- No victims’ action required
- iOS devices in range could get into a DoS restart loop
Result: No-iOS Zone (the No-iOS Zone Vulnerability)
Page 26
“No-iOS Zone” Attack
iOS users in range are unable to use their mobile devices: no WiFi, no offline work, no phone calls, no airplane mode…
Potential areas that may be attractive for attackers:
- Political events
- Economic & business events
- Wall Street
- Governmental and military facilities
Page 27
Disclosure & Fix Process
- Issue reported to Apple on Oct. 2nd, 2014
- We have been working with Apple to fix the issue
- The 8.3 release seems to resolve some of the issues
- The threat has not yet been confirmed as resolved
- We will update more on our blog: https://blog.skycure.com
Lifecycle graphic: Bug → Vulnerability → Exploit → Fix
Page 28
HTTP Request Hijacking
Disclosed by Skycure at RSA Europe 2013

The app's original request code, as shown on the slide:

```objc
- (void)fetchArticles {
    NSURL *serverUrl = [NSURL URLWithString:@"http://journal.skycure.com"];
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:serverUrl];
    [request setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
    self.connection = [[NSURLConnection alloc] initWithRequest:request delegate:self];
}
```

Before the attack the request targets the legitimate server:

```objc
NSURL *serverUrl = [NSURL URLWithString:@"http://journal.skycure.com"];
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:serverUrl];
```

After the hijack the same code effectively requests the attacker's host:

```objc
NSURL *serverUrl = [NSURL URLWithString:@"http://attacker.site/skycureJournal"];
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:serverUrl];
```

@"http://journal.skycure.com" → @"http://attacker.site/skycureJournal"
#RSAC
Further Research
No-iOS
Zone = No-iOS + HRH
Page 30
Vulnerability Lifecycle
Page 31
Vulnerability Lifecycle
Bug → Vulnerability → Exploit → Fix → Exposure → Sibling Threats
Page 32
Summary
Lifecycle graphic: Bug → Vulnerability → Exploit → Fix → Exposure → Sibling Threats
Sections covered: Mobile Security Landscape; No-iOS Zone Vulnerability; The Vulnerability Lifecycle
Page 33
Apply What You Have Learned
Researchers’ Perspective
- Be mindful
- Be persistent
- Responsible disclosure
- Look around you
Lifecycle graphic: Bug → Vulnerability → Exploit → Fix → Exposure → Sibling Threats
Page 34
Apply What You Have Learned
Security/Remediation Perspective
Personal level
- Updates (both OS & apps)
- Awareness (mobile threats are constantly evolving)
Organizational level
- (Same as above)²
- Deploy a mobile threat defense solution for visibility and protection
Vendors
- OS vendors should employ a multi-platform oriented vulnerability patching process
Page 35
Next Steps
https://www.skycure.com
https://blog.skycure.com
@YairAmit, @AdiSharabani, @SkycureSecurity
/Skycure