SECURITY FLAWS IN MOBILE DEVICES

Seminar on Software Engineering,

Long Presentation

06.03.2008

Christian Gruber

QUICK OVERVIEW OF MOBILE DEVICE SECURITY Modern technologies integrated with each other.

Mobile phones are more and more intelligent and becoming like computers → security problems?

Mobile phones and other mobile devices are coming more attractive to virus writers.

This presentation is dedicated to the threats currently posed by malicious code to mobile devices which run under portable operating systems and are equipped with wireless technologies.

QUICK OVERVIEW OF MOBILE DEVICE SECURITY

This overview focuses on some of the severe malwares found in the following major mobile operation systems:

- Symbian OS- Windows CE .NET- Apple OS X for the Apple iPhone

SYMBIAN OPERATING SYSTEM

A smartphone is a mobile phone offering advanced capabilities beyond a typical mobile phone, often with PC-like functionality.

Symbian is the leading OS in the smart mobile device market.

It is designed for the specific requirements of advanced 3G mobile phones. Symbian OS combines the power of an integrated applications environment with mobile telephony, bringing advanced data services to the mass market.

Statistics published February 2007 showed that Symbian OS had a 67% share of the smart mobile device market, with Microsoft having 13% through Windows CE and Windows Mobile and RIM having 10%.

FIRST MALICIOUS CODE FOR SYMBIAN OS.

2004 a group of professional virus writers known as 29A created the first virus for smartphones called Cabir.

Cabir is the first network worm capable of spreading via Bluetooth.

It infects mobile phones which run Symbian OS.

Creators stated it was purely proof of concept just to show malicious code could be created for Symbian OS.

Source code was published on the Internet → many modified version surfaced.

HOW DOES CABIR WORK? It is design to load at phone boot up and send

itself to available devices using Bluetooth. It sends itself as a Symbian installation file (as

CARIBE.SIS) the receiving phone will recognize it as an installable package.

Before the virus can successfully infect a phone, the virus must be first accepted by the user.

When the virus is received and accepted, the phone then begins installing the installable package file → phone infected.

Later version named as Cabir.k was able to self replicate itself via MMS.

SECOND MALWRE FOR SYMBIAN OS

Soon after Cabir spreaded the “first Trojan” was found for Symbian OS.

Normally a Trojan is a piece of software which appears to perform a certain action but in fact performs something else.

The Trojan was a cracked version of a popular game called Mosquitos.

It sent SMS messages without the knowledge of the user.

It was intended that the program secretly sent a SMS message to alert developers if an unlicensed copy was being used.

MOSQUITOS TROJAN This program is not strictly a Trojan, but, it is

classified as a Trojan as it sends SMS messages to premium rated services without the knowledge of the user.

The numbers which messages were sent to were coded into the program.

Does not spread using its own means. It must be installed and run by the user.

One message cost 1,5£ ≈ 2€

THE SKULLER TROJAN Skuller was the first real Trojan for the

Symbian OS. The Trojan appeared as a program which

would offer new wallpapers and icons for Symbian OS.

Installing the program led to the standard application icons to be replaced with a skull and crossbones.

At the same time it would overwrite the original application → application ceased to work.

Once the smartphone has been infected it can only be used to make calls.

THE SKULLER TROJAN CONTINUED Skuller demonstarted two unpleasent things

about Symbian architecture.

- System files can be overwritten

- Symbian lacks stability when presented with corrupted or non-standard system files.

There are no check designed to compensate these vulnerabilities.

THE LOCKNUT TROJAN These vulnerabilities was quickly exploited

and the second Trojan appeared the Locknut. Locknut was spread as a “critical patch”. The idea behind Locknut was that Symbian

OS did not check file integrity. Locknut disables a phone using a malformed

file to crash internal Symbian process. → causing the phone to lock down so that no

applications can be used. The .app extension makes the OS believe

that the file is executable.

THE LOCKNUT TROJAN CONTINUED The .app file contains simply just text rather

than structured code. The system will freeze when trying to launch

any application. Rebooting woun´t help as Locknut is started

automatically → making it impossible to even turn on the phone.

First malware on Symbian to prevent making even a call.

MOST DANGEROUS SYMBIAN WORM COMWAR

The second worm found for mobile devices was the Comwar.

The worm spread via Bluetooth and MMS. The executable worm file is packed into a

Symbian archive (*.SIS). Once launched the worm will search for

accessible Bluetooth devices and send the infected .SIS archive under a random name to these devices.

The name of the file varies. When spread via Bluetooth, the worm creates a random file name, which will be 8 characters long, e.g. bg82o_s1.sis.

COMWAR CONTINUED The worm also sends itself via MMS to all

contacts in the address book. The subject and text of the messages varies.

Some example subjects found:- Norton AntiVirus Released now for mobile, install it!

- 3DGame 3DGame from me. It is FREE !

- Desktop manager Official Symbian desctop manager.

- Happy Birthday! Happy Birthday! It is present for you!

- Internet Accelerator Internet accelerator, SSL security update #7.

- Security update #12 Significant security update. See www.symbian.com

- Symbian security update See security news at www.symbian.com

- SymbianOS update OS service pack #1 from Symbian inc.

SYMBIAN OS 6.0 AND NEWER

Before discussed malware work in earlier Symbian OS versions 6 and 7.

Newest Symbian OS 9.x also known as S60 platform 3rd Edition has adopted a capability model. Installed software will theoretically be unable to do damaging things without being digitally signed – thus making it traceable.

FIRST MALWARE FOR WINDOWS CE

Duts is the first virus for devices running under Windows CE .NET.

It is also the first file infector for smartphones.

Duts is also made by the group 29A, which made the first Symbian virus.

A proof of concept virus. It can infect devices running the following

operating systems: PocketPC 2000, PocketPC 2002, PocketPC 2003.

DUTS CONTINUED The virus itself is an ARM processor program

and is 1520 bytes in size. When the program is run, it raises a dialog

box “Dear user, Am I allowed to spread?” If confirmation is given, the virus will infect

executable files which correspond to the following criteria: ARM processor, more than 4KB in size, located in the device's root directory.

The virus writes itself to the last section of these files and establishes an entry point at the beginning of the file.

DUTS CONTINUED The Duts virus exploited a clever workaround

of the operating system architecture in order to gain access to the coredll module.

Windows CE was designed with a protected kernel. User-mode applications are not permitted to interact directly with the kernel. This was designed to enhance the security and stability of Windows CE.

Microsoft has left the function "kdatastruct" acessible to usermode. This provided the key to the entrypoint of the virus.

BRADOR Brador is a backdoor (a utility allowing for

remote administration of the infected machine).

Designed for PocketPC based on Windows CE and newer version of Windows Mobile.

It is written in ASM for ARM-processors and is 5632 bytes in size.

After Brador is launched it creates an svchost.exe file in the /Windows/StartUp/ folder, thus gaining full control over the handheld every time it is restarted.

BRADOR CONTINUED Brador identifies the IP address of the infected

device and sends it to the remote malicious user to inform him that the handheld is connected to the Internet and that the backdoor is active. Brador then opens port 2989 and awaits further orders.

The backdoor responds to the following commands:

d - lists the directory contents f - closes the session g - uploads a file m - displays MessageBox p - downloads a file r - executes the specified command

WINDOWS CE SECURITY Windows CE is extremely vulnerable from the

point of view of system security. There are no restrictions on executable applications and their processes. Once launched, a program can gain full access to any operating system function such as receiving and transmitting files, phone and multimedia functions etc.

Creating applications for Windows CE is extremely easy, as the system is totally open to programming, making it possible to use not only machine languages (e.g. ASM for ARM) but also powerful development technologies such as .NET.

APPLE IPHONE Within two weeks after iPhone was released I.S.E.

(Independent Security Evaluators) found a way to take full control of the device.

Apple's Safari web browser exposes the vulnerability.

The exploit can be delivered via a malicious web page opened in the Safari browser on the iPhone.

When the iPhone's version of Safari opens the malicious web page, arbitrary code embedded in the exploit is run with administrative privileges.

After the Exploit is run the attacker has full control of the device.

DAMAGES In various proof of concept it has been shown

that the attacker can:- Read/send SMS, MMS and emails, - Read the address book, - Read call history, - Read voicemail data.- Read user´s mail and other passwords,- Record audio clips,- Gain access to all files.

The attacker can transmit all this information without the knowledge of the user.

IPHONE DOS VULNERABILITY Recently a Denial of Service (DoS)

vulnerability was discovered in iPhone’s web browser.

The DoS exploit can be triggered by visiting a maliciously crafted webpage.

The page will insert code into the iPhone, which continually eats up available system memory before causing a kernel panic.

It has been stated that the Exploit could be used for malicious purposes → e.g. executing remote code.

WHAT CAN MOBILE VIRUSES DO? In short what can mobile viruses do?

- Spread via Bluetooth, MMS

- Send SMS messages

- Infect files

- Enable remote control of the smartphone

- Modify or replace icons or system applications

- Install “false” or non-operational fonts and applications

- Combat antivirus programs

- Install other malicious programs

- Block memory cards

- Steal data

PROTECTION AGAINST MOBILE VIRUSES

For a smartphone to become infected, the user has to twice confirm that an unknown file should be uploaded and launched.

At the moment there are several anti-virus solutions designed to protect mobile devices from viruses.

For worms which spread via MMS, the optimal solution is for the network operator to install an antivirus product which scans traffic that passes.

FORECAST? It is difficult to forecast the evolution on

mobile viruses. This area is constantly evolving.

Today’s mobile viruses are very similar to computer viruses in terms of their payload.

It took computer viruses over twenty years to evolve, and mobile viruses have covered the same ground in a few years.

Without doubt, mobile malware is the most quickly evolving type of malicious code, and clearly still has great potential for further evolution.

SOURCES Alexander Gostev, Mobile Malware Evolution: An Overview,

Kaspersky Lab Symbian.com: http://www.symbian.com/ Geekzone: http://www.geekzone.co.nz/content.asp?

contentid=3379 Viruslist.com: http://www.viruslist.com Kaspersky: http://www.kaspersky.com/ FastCompany.com:

http://www.fastcompany.com/articles/2007/11/hacking-the-iphone.html?page=0%2C1

Security Evvaluators: http://www.securityevaluators.com/iphone/ I.S.E: http://www.securityevaluators.com/ iPhone World: http://www.iphoneworld.ca/ AvertLabs:

http://www.avertlabs.com/research/blog/index.php/2008/02/20/iphone-dos-vulnerability/