Have you ever thought about what would happen if you lost your mobile phone? These days we rely on our mobile phones more than ever. For a lot of us, having one lost, stolen or hacked is a nightmare, especially since the phone has become our most personal computer.
For most of us, our first reaction when we lose our wallet is “I have to cancel my credit cards, get a new license,” and so on. When we lose our phones, we think about the pain and cost of replacing the device. But that’s just the tip of the iceberg.
We don’t realize that our photos, emails, text messages and our apps can be an open door for thieves into our personal information, privacy and financial accounts.
And the time to replace your smartphone and its contents can consume as much as 18 hours of your life.
Mobile devices are on the move, meaning they can more easily be lost or stolen and their screens and keyboards are easier targets for “over the shoulder” browsing.
Below is an infographic that shows why you should protect your smartphone and some tips to protect you and your device.
Take time to protect your mobile device. Here are some tips to keep your mobile safe:
Never leave your phone unattended in a public place.
Put a password on your mobile and set it to auto-lock after a short period of inactivity.
If you use online banking and shopping sites, always log out and don’t select the “remember me” option.
Use mobile device protection that includes anti-theft features (backup and restore of the data on your phone, and remote locate and wipe in case of loss or theft) as well as antivirus and web and app protection.
This week many security researchers will converge on Las Vegas for the annual Black Hat USA, Security B-Sides Las Vegas, and DefCon security conferences. As in previous years, we’ll present and discuss many new security techniques and methods used by computer criminals, attackers, and defenders. A good portion of the new research will be related to mobile phones and devices.
Android Malware and Exploits
Google introduced an interesting security service, Bouncer, for its app market (Google Play). The company left out details on implementation or what exactly will prevent bad apps from entering the market. While this sounds like a good step to make it more difficult for attackers, this move also makes it much more difficult for security researchers to defend against those same bad guys. Security through obscurity doesn’t work and is only a delaying tactic.
Charlie Miller and Jon Oberheide presented their findings on Bouncer at SummerCon earlier this year. And they weren’t the only ones looking at Bouncer: Researchers Nicholas Percoco and Sean Schulte have also thrown their hats in the ring. They’ll present methods that their proof-of-concept (PoC) Android app used to bypass the security checks put in place with Bouncer.
Android’s DEX executable format hasn’t received as much attention as the portable executable (PE) format on Windows, though DEX serves a similar purpose. Malware researcher Tim Strazzere will fix that oversight when he presents his research on DEX and the tricks one can play with it to bypass the common tools we use to analyze Android malware. While he presents PoC DEX files that crash or otherwise render our analysis tools useless, he will also provide a deep dive into the format and give pointers and advice on robustly fixing flaws in those same tools. If your work involves dealing with Android malware, Strazzere’s talk is a can’t-miss event.
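The class of trick described above usually comes down to header fields that an analysis tool trusts without checking. The following is an added example, not code from Strazzere’s talk or from any real analysis tool: a small DEX header reader that cross-checks the fields before using them, together with an in-memory DEX file (constructed here, header plus a one-entry map_list, all tables empty) and a tamper helper that sets a field to a hostile value and, as a malware author would, refreshes the checksum and signature so only the semantic check can catch it.

```python
"""DEX header validation: check the header instead of trusting it (added example)."""
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70             # dex_header_item is always 112 bytes
ENDIAN_CONSTANT = 0x12345678   # little-endian files only; anything else is rejected here
HEADER_FIELDS = [              # the 20 u32 fields that follow magic+checksum+signature (offset 32)
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
]
# (table name, size in bytes of one entry of that table)
TABLES = [("string_ids", 4), ("type_ids", 4), ("proto_ids", 12),
          ("field_ids", 8), ("method_ids", 8), ("class_defs", 32)]


class DexError(ValueError):
    pass


def build_minimal_dex() -> bytes:
    """Construct (in memory) the smallest DEX-shaped file: header + one-entry map_list."""
    map_off = HEADER_SIZE
    # map_list: u4 size, then map_item {u2 type, u2 unused, u4 size, u4 offset}; TYPE_HEADER_ITEM = 0
    map_list = struct.pack("<I", 1) + struct.pack("<HHII", 0x0000, 0, 1, 0)
    file_size = HEADER_SIZE + len(map_list)
    fields = [file_size, HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, map_off,
              0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,     # six empty tables
              len(map_list), map_off]
    body = struct.pack("<20I", *fields) + map_list
    signature = hashlib.sha1(body).digest()                   # SHA-1 of everything after offset 32
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF    # Adler-32 of everything after offset 12
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


def parse_dex_header(data: bytes) -> dict:
    """Return the header fields, raising DexError on anything a tool must not trust."""
    if len(data) < HEADER_SIZE:
        raise DexError("file shorter than a DEX header")
    if data[:8] != DEX_MAGIC:
        raise DexError("bad magic")
    h = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    if h["header_size"] != HEADER_SIZE:
        raise DexError(f"unexpected header_size {h['header_size']:#x}")
    if h["endian_tag"] != ENDIAN_CONSTANT:
        raise DexError(f"unexpected endian_tag {h['endian_tag']:#x}")
    if h["file_size"] != len(data):
        raise DexError(f"file_size {h['file_size']} != actual {len(data)}")
    if (zlib.adler32(data[12:]) & 0xFFFFFFFF) != struct.unpack_from("<I", data, 8)[0]:
        raise DexError("checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != data[12:32]:
        raise DexError("signature mismatch")
    for name, entry_size in TABLES:
        size, off = h[f"{name}_size"], h[f"{name}_off"]
        if size == 0:
            continue
        # Python ints do not wrap, so off + size*entry_size is exact; a C tool doing the
        # same sum in u32 would wrap around and let a huge size pass this bound.
        if off < HEADER_SIZE or off + size * entry_size > len(data):
            raise DexError(f"{name} table out of bounds (size={size}, off={off:#x})")
    if not (HEADER_SIZE <= h["map_off"] and h["map_off"] + 4 <= len(data)):
        raise DexError(f"map_off {h['map_off']:#x} out of bounds")
    return h


def tamper(data: bytes, offset: int, value: int, refresh_checksums: bool = True) -> bytes:
    """Overwrite one u32 header field, optionally re-sealing checksum and signature."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, offset, value)
    if refresh_checksums:
        buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()
        struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)


def classify(data: bytes) -> str:
    """'ok' for a header that passes every check, otherwise the reason it was rejected."""
    try:
        parse_dex_header(data)
        return "ok"
    except DexError as exc:
        return str(exc)


if __name__ == "__main__":
    good = build_minimal_dex()
    print("clean file:", classify(good))
    print("string_ids_size=0xFFFFFFFF:", classify(tamper(good, 56, 0xFFFFFFFF)))
    print("header_size=0x7F:", classify(tamper(good, 36, 0x7F)))
    print("data_off edited, stale checksum:", classify(tamper(good, 108, 0xDEAD, False)))
```

The offsets used by `tamper` (56 = string_ids_size, 36 = header_size, 108 = data_off) are the published dex_header_item layout. The point of re-sealing the checksum in the second and third cases is that a checksum only proves the file was not corrupted in transit; the defence against a hostile file is the bounds arithmetic, done in a type that cannot overflow.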
Mobile security researcher Bob Pan, owner of the dex2jar project, will present a PoC file infector for APK files. This will most likely involve injecting code into the classes.dex file in a legitimate APK and re-signing the APK with the attacker’s key. This is already possible manually and has been demonstrated in malware families such as Android/DrdDream. What we haven’t seen yet is an automated infection method or tool in the wild.
iOS Threats and Security
Apple’s iOS has been getting progressively more secure with each new update, closing holes and adding preventive measures. We’ll hear about improvements in platform security from the manager of Apple’s Platform Security Team.
Researcher Jonathan Zdziarski–a well-known name in jailbreaking, forensics, and security–will put on an iOS app hacking workshop. It looks like he’ll cover how attackers can obtain our private data and financial information from inside our apps.
Stefan ‘ionic’ Esser, developer of address-space layout randomization for jailbroken iOS devices, will present on advanced heap exploitation on iOS. He’ll show a technique to control kernel memory and execute arbitrary code. Because this is in the kernel, memory and other security protections can be bypassed by skilled attackers. Will this result in easier jailbreaks or aid in the development of better iOS rootkits?
Mobile Hardware Exploitation
Other talks go below the OS. Researchers Stephen Ridley and Stephen Lawler bring their experience in attacking ARM processor-based devices. They will cover the research process that enabled them to create their two-day ARM exploitation training: attacking Linux-based ARM devices and building a test lab out of them.
Sometimes attackers don’t want to restrict themselves to one OS. The Smartphone Pen Test Framework (SPF) makes Android and Apple iOS devices into targets of a penetration test. Previously when we wrote “pen test” and “smartphone” in the same sentence, it meant that someone was exploiting a PC from a phone. Now it’s the other way around. The framework’s creator Georgia Weidman, an innovator in offensive security research on smartphones, will demonstrate the DARPA Cyber Fast Track-funded project throughout the week. The SPF tests for jailbroken or rooted phones and other security vulnerabilities.
Attacks on the OS and on the application processor are the two most common attacks on smartphones. Researcher Ralf-Philipp Weinmann will remind us that the baseband processor, which controls the phone’s radio and its access to the mobile phone network, is still susceptible to attack. His previous demonstrations involved a fake base station, but the current attack appears to require only a standard network connection to succeed.
Researcher Ang Cui, who convinced us that attackers really can harm our printers, is back with a framework to help protect us from bad firmware. His FRAK, the Firmware Reverse Analysis Konsole, provides security researchers with a toolkit that eases the search for vulnerabilities.
Near-field communications (NFC) hardware and security has been getting coverage in the press lately. We’ve talked about how attackers can use fuzzing to find vulnerabilities; now Charlie Miller, a researcher who has successfully used fuzzing to find holes in Android and iOS, returns with new attacks on NFC-enabled hardware. At first glance the attacks don’t go after the payment portions of NFC capabilities, but Miller has apparently managed to take over every other aspect of the devices.
Researcher Collin Mulliner isn’t sitting on the sideline. Having previously worked on SMS fuzzing with Miller and NFC fuzzing independently, he continues with his research into mobile carrier networks. Normally it’s difficult to find out what lives on a mobile carrier’s network, yet Mulliner will provide details on exploring cellular networks the way we do most other Internet-connected networks.
Microcells (or femtocells) are tiny cell towers that use your home network to extend the coverage of your mobile phone. Marketed as a way to improve reception within residences, they dial home to your mobile carrier for billing and to establish a connection. All good things, but perhaps they aren’t as secure as we think. Researcher Mathew Rowley will show how he reverse-engineered a modern microcell.
Network forensics are useful for discovering new attacks and communication from malware. Mobile network forensics hasn’t yet received as much attention. Researcher Eric Fulton will rectify that with his workshop showing what real mobile malware and botnets look like over the network.
Wealth of Mobile Talks
There are more mobile talks than anyone has time to attend at the three conferences. This may be the year that mobile security receives as much attention as that on other platforms.
When we last looked at NFC phones and the payment apps on them, there were questions of whether an attacker could go after the apps, the phone hardware, or the Android OS. Since then we have seen a PIN-reset vulnerability that allowed an attacker to spend the free prepaid card, and a way to crack the PIN on the phone itself. Google updated the Wallet app to fix those vulnerabilities and make such attacks much harder. Now attackers would need to go after the hardware itself, though that does not necessarily mean going after the Secure Element. One can get excellent results by targeting the OS and its NFC-handling libraries.
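Why a PIN that can be checked offline is crackable on the phone, as an added example that is not Wallet’s code and does not describe its actual storage format: it assumes the PIN verifier is a hex SHA-256 digest of salt || PIN that an attacker with a rooted phone can read from a local database (the salt below is constructed). The same search is then run against an online verifier that locks after a handful of failures, which is the property a Secure Element-backed check gives you that a readable hash never can.

```python
"""Offline vs. online PIN guessing (added example, constructed data)."""
import hashlib


def pin_digest(salt: bytes, pin: str) -> str:
    """Assumed storage format: hex(SHA-256(salt || PIN)). Not Wallet's real scheme."""
    return hashlib.sha256(salt + pin.encode("ascii")).hexdigest()


def crack_pin(salt: bytes, stored_digest: str, digits: int = 4):
    """Offline search over every numeric PIN of the given length.

    Returns (pin, attempts). Nothing can slow this down: the attacker hashes locally,
    so a 4-digit PIN costs at most 10,000 SHA-256 calls regardless of the salt.
    """
    space = 10 ** digits
    for n in range(space):
        candidate = f"{n:0{digits}d}"
        if pin_digest(salt, candidate) == stored_digest:
            return candidate, n + 1
    return None, space


class LockingVerifier:
    """Online verifier: the only way to test a guess is to ask it, and it locks itself."""

    def __init__(self, salt: bytes, stored_digest: str, max_failures: int = 5):
        self.salt, self.stored, self.max_failures = salt, stored_digest, max_failures
        self.failures, self.locked = 0, False

    def verify(self, pin: str) -> bool:
        if self.locked:
            raise PermissionError("PIN locked after too many failures")
        if pin_digest(self.salt, pin) == self.stored:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def online_attempt(verifier: LockingVerifier, digits: int = 4):
    """Same brute force, but through the verifier. Returns (pin or None, attempts made)."""
    attempts = 0
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        try:
            ok = verifier.verify(candidate)
        except PermissionError:
            return None, attempts          # locked out; no further guesses are evaluated
        attempts += 1
        if ok:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    SALT = bytes.fromhex("0f1e2d3c4b5a6978")          # constructed
    stored = pin_digest(SALT, "4271")                  # the "database" contents
    print("offline:", crack_pin(SALT, stored))         # ('4271', 4272)
    print("online: ", online_attempt(LockingVerifier(SALT, stored)))  # (None, 5)
```

The salt defeats precomputed tables, nothing more; with only 10^4 candidates, per-PIN hashing is instant. Moving verification into hardware that counts failures changes the attacker’s budget from 10^4 hashes to a few guesses.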
Fuzzing, which involves feeding corrupt or malformed data to a program to discover vulnerabilities, is a good first step. Researchers Charlie Miller and Collin Mulliner fuzzed SMS messages to great effect a few years back, discovering exploitable vulnerabilities on Android and iOS phones. Mulliner has also looked at fuzzing NFC tags, going as far as developing a Python library and framework for testing older devices. Recently he updated his software to test Android devices, allowing him to inject crafted NFC tags into a phone and then monitor the results. He can programmatically feed crafted or damaged NFC tags to Android’s NFC library and then capture any crashes or code-execution opportunities.
The Samsung Galaxy SIII goes on sale in North America and worldwide within the first two weeks of July. An attacker wishing to target the device can purchase one easily and use Mulliner’s research to help find vulnerabilities and eventually develop exploits to steal a victim’s credit card. The large number of NFC readers at the Olympics will provide places where a successful attacker can use stolen credentials to make purchases. The Olympics will also provide a concentrated pool of targets (people and phones) to pilfer from–especially if everyone is busy watching who wins the medals and not worrying about where his or her phone is.
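What “crafted or damaged NFC tags” look like at the byte level, as an added example that is not Mulliner’s framework: an NDEF URI record encoder, a structure-aware mutator that produces the malformed variants a tag fuzzer would write to a tag or inject into the NFC stack (bad length fields, reserved TNF values, chunk flags, truncation, trailing bytes, plus a few seeded random byte flips), and a strict NDEF parser that stands in for the target library and reports which variants it rejects. The URI and the mutation list are constructed here; the record layout follows the NDEF specification.

```python
"""NDEF record encoding, mutation, and strict parsing (added example)."""
import random
import struct

TNF_EMPTY, TNF_WELL_KNOWN, TNF_UNKNOWN, TNF_UNCHANGED, TNF_RESERVED = 0x00, 0x01, 0x05, 0x06, 0x07
FLAG_MB, FLAG_ME, FLAG_CF, FLAG_SR, FLAG_IL = 0x80, 0x40, 0x20, 0x10, 0x08


class NdefError(ValueError):
    pass


def encode_uri_record(uri: str, prefix_code: int = 0x01) -> bytes:
    """Single-record NDEF message holding a well-known 'U' record (prefix 0x01 = http://www.)."""
    payload = bytes([prefix_code]) + uri.encode("utf-8")
    assert len(payload) < 256, "short-record form needs a 1-byte payload length"
    header = FLAG_MB | FLAG_ME | FLAG_SR | TNF_WELL_KNOWN
    return bytes([header, 1, len(payload)]) + b"U" + payload


def parse_ndef(msg: bytes) -> list:
    """Strict parser: every length is bounds-checked before any slice is taken."""
    records, pos, first = [], 0, True

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(msg):
            raise NdefError(f"truncated: need {n} bytes at offset {pos}, have {len(msg) - pos}")
        chunk = msg[pos:pos + n]
        pos += n
        return chunk

    while True:
        hdr = take(1)[0]
        tnf = hdr & 0x07
        if bool(hdr & FLAG_MB) != first:
            raise NdefError("MB flag set on a non-first record or missing on the first")
        if tnf == TNF_RESERVED:
            raise NdefError("reserved TNF 0x07")
        if hdr & FLAG_CF:
            raise NdefError("chunked records rejected")
        type_len = take(1)[0]
        payload_len = take(1)[0] if hdr & FLAG_SR else struct.unpack(">I", take(4))[0]
        id_len = take(1)[0] if hdr & FLAG_IL else 0
        if tnf == TNF_EMPTY and (type_len or id_len or payload_len):
            raise NdefError("EMPTY record carries type/id/payload")
        if tnf in (TNF_UNKNOWN, TNF_UNCHANGED) and type_len:
            raise NdefError("TNF forbids a TYPE field")
        rtype, rid, payload = take(type_len), take(id_len), take(payload_len)
        records.append({"tnf": tnf, "type": rtype, "id": rid, "payload": payload})
        first = False
        if hdr & FLAG_ME:
            break
    if pos != len(msg):
        raise NdefError(f"{len(msg) - pos} trailing bytes after ME record")
    return records


def mutants(msg: bytes, random_flips: int = 4, seed: int = 1):
    """Yield (name, bytes): deterministic structural mutations, then seeded byte flips."""
    def with_byte(i: int, v: int) -> bytes:
        b = bytearray(msg)
        b[i] = v & 0xFF
        return bytes(b)

    yield "payload_len_overflow", with_byte(2, 0xFF)               # length past end of message
    yield "type_len_huge", with_byte(1, 0xFF)
    yield "clear_SR_keep_short_len", with_byte(0, msg[0] & ~FLAG_SR)  # 4-byte length read from data
    yield "reserved_tnf", with_byte(0, msg[0] | TNF_RESERVED)
    yield "chunk_flag", with_byte(0, msg[0] | FLAG_CF)
    yield "empty_tnf_with_payload", with_byte(0, msg[0] & ~0x07)
    yield "missing_MB", with_byte(0, msg[0] & ~FLAG_MB)
    yield "truncated_after_lengths", msg[:3]
    yield "trailing_bytes", msg + b"\x00"
    rng = random.Random(seed)
    for k in range(random_flips):
        i = rng.randrange(len(msg))
        yield f"flip_{k}_at_{i}", with_byte(i, msg[i] ^ rng.randrange(1, 256))


def fuzz(msg: bytes) -> dict:
    """Run every mutant through the parser; 'ok' or the rejection reason per mutant."""
    results = {}
    for name, data in mutants(msg):
        try:
            parse_ndef(data)
            results[name] = "ok"
        except NdefError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    seed_msg = encode_uri_record("example.com")   # constructed input
    print(seed_msg.hex(), parse_ndef(seed_msg))
    for name, outcome in fuzz(seed_msg).items():
        print(f"{name:28s} {outcome}")
```

Every structural mutant must be rejected by a correct parser; a real fuzzing run replaces `parse_ndef` with the device (write the mutant to a tag or push it to the NFC service) and watches logcat for the crashes the text describes. Some random flips land in the payload and parse fine, which is why structure-aware mutations matter more than raw bit flipping for a format this small.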