Disclaimer

Disclaimer No Packets where injured in the making of this talk. All

research results and analysis was done from the safety of my lab with my own equipment and my own packets and most importantly my own permission.

No packets were obtained by War Walking, War Dining or Stroll Trolling from unauthorized networks without permission.

Knowledge is a tool that can help or hinder society. Please wield it responsibly.

Caution: Just because we can apply a moral and ethical filter doesn’t mean everyone else will. Get informed then make decisions!

Objectives Change Smart Phone Perceptions

Wi-Fi computer with phone capabilities vs. Phone with “ apps”.

Utilize No Cost High Availability Framework Discuss and use free non-commercial tools from Google Play and the

Internet.

Introduce Terms and Techniques that help facilitate discussions and awareness of mobile threats. War Walking War Dining Wi-Fi Phaking Stroll Trolling

Discuss and demonstrate remediation and mitigation techniques Enterprise and personal best practices discussed.

Prerequisites: “Do Root Robots”* A Smart Device - Android /Iphone

A jail broke Apple I-phone will also do the trick Wi-Fi tablets are also an effective attack vector Some phones may not be “root-able”…yet.

Popular Rooting Programs Android 2.2 – Unrevoked Android 2.3 – Revolutionary Android 2.4 – Eris and More to Come Iphone – Jailbreak.me

Remember your roots! Rooting your device is accomplished by exploiting

a vulnerability and dropping a payload that allows the capability to escalate privileges when requested.

*http://jon.oberheide.org/files/bsides11-dontrootrobots.pdf

Risks and Rewards of Rooting Pros

▪ Increased Functionality and Control Pen-test / Packet Acquisition tool Wi-Fi Tethering Enhanced File Management Screen Capture

▪ Free or Almost Free▪ No/Little cost for apps and programs

▪ Freedom▪ Install other Operating Systems and Custom ROMS

(Ex. BackTrack Linux)

Cons▪ Support

▪ You may void your warranty and support▪ Cost

▪ You may brick the device

Super User World Domination!?

It’s Rooted, Now What?Data Gathering and Analysis

Packer Sniffer – Mobile Device• Used to record packets on a network

Wi-Fi Hotspot – Mobile Device• Mobile internet capable gateway

Data Aggregation Tool – Home Analysis• Used to find information in a capture file

Smart Phone Facts

▪ Time reported in early 2012, 46% of Americans own a smart phone.

▪ Most modern data plans have data limits.

▪ Open network are highly available in public.

▪ Smart phones send packets like computers.

Obtaining a Network Sniffer from Google Play

Packet Capturing – Making Pcap Files

Shark for Root

Free from Google Play a.k.a. Marketplace

Used to passively sniff packets using a smart device.

Gives network and security professionals the ability to analyze data to and from a target device.

Gives criminals the ability to gather and exploit sensitive data of the uninformed for profit.

Pirni for IPhone Free on the internet – See references for link

Wireless in a Sea of Sharks!

1 – 2 – 3 Hack Me! Step 1) Turn on the Wi-Fi Functionality.

Step 2) Tell your phone to inform you of open connections.

Step 2: Join Public Network

Step 2: Join Public Network

Step 3: Start Shark for Root

War Walking

Difficult To DetectNo backpacks or antennasNo sitting in a parked car for hoursNo aircraft circlingNo hot air balloon hoveringPassive sniffing so no network anomalies or IDS detection

War Walking

The act of lingering or loitering in a geographical area for the purpose of gathering packets without prior authorized over

a public wireless network using a smart phone or tablet.

War Walking

▪Scenarios▪Walking a dog or playing with a kid at a park

▪Hanging out at a mall▪Reading on a park bench▪Watching a movie – War Watching▪ Eating a meal – War Dining

War Dining

The unauthorized act of gathering packets over a

public wireless network with a smart phone or tablet while

congregating in a Wi-Fi enabled establishment with

the intent to eat or drink.

What if the Access Point Does Not Leak Data?

*https://github.com/robquad/Arpspoof/Arpspoof.apk/qr_code

In Walks Arpspoof!

Arpspoof▪ ArpSpoof is freely available on the Internet but was

pulled from Google Play earlier this year.

▪ It creates a MITM session by wait for it….spoofing arp.

▪ It passes packets first to the device and then to the public Wi-Fi hotspot.

▪ Packets become readable because they pass through the phone first and then the Shark for Root capture before being passed to the public Wi-Fi access point.

Just for Fun.

Want to take a Peek with Piik?

PIIK

▪ Piik can be purchased from Google Play for $1.99

▪ Allows images of captured and displayed from your smart phone

▪ Easy way to confirm data is being captured after Arpspoof is initialized.

Data Analysis After CapturePacket captures (.pcap’s) need analysisNetWitness® Investigator 9.6 is the award-

winning interactive threat analysis softwareFree – non commercialEffortlessly discovers and categorizes sensitive data

Using Netwitness 9.6 or Higher for Analysis

Download and install Netwitness on Win Machine Start, register, and activate the free software

Using Netwitness 9.6 or Higher for Analysis

Using Netwitness 9.6

Look at all this cleartext!

Lots of Sensitive Data!

Passwords are not the only sensitive data at risk!

Lessons Learned Email App – Leaked AD Permissions in clear text.

Pcap analysis found that mail synch was allowed with http and https. Network credential where synching many times a minute in clear text! Misconfiguration was identified and corrected by this analysis.

Many Apps will login in using http without users knowledge Angry Birds Season is phoning home

No Access Point…No Problem?

A Recipe for Trouble

1 Part – Bad Guy/Girl with Rooted/Jailbroke Phone1 Part – Wi-Fi Tethering App1 Part – Social Engineering_________________________________

= “Wi-Fi Phaking”

Introducing “Wi-Fi Phaking”

The act of configuring a smart phone as a Wi-Fi hotspot using a socially engineered naming convention like

“Free Internet” with the sole purpose of luring devices and individuals to join the network with the intent of

capturing and exploiting personal/confidential data.

Introducing “Stroll Trolling”

The act of lingering or loitering in a specific geographical location usually densely populated using a “Phaked” Wi-Fi connection with the intent of

enticing unsuspecting individuals and devices into joining that network with the intent of capturing and exploiting clear text data leaked from the device.

Examples of Stroll Trolling

• Name Mobile Wi-Fi Hotspot “Lions Free Wi-Fi” at the Detroit game.

• Name Mobile Wi-Fi Hotspot “Free Internet” at the Mall or crowded area.

• Name Mobile Wi-Fi Hotspot “GM Free Internet” when in the Renaissance Center.

Smart Phone Risk Assessment

Mitigation And Remediation

So now that we know what can be done, how do we fix it?

Three categories of corrective action:1) (Good) Personal - Free2) (Better) Personal - Low Cost3) (Best) Enterprise Level – Higher Cost

(Good) Personal - Free1) Policy/Behavioral Change:

Turn off Wi-Fi when in public areas if not needed.

On Off

This stops your device from auto-connecting to open available Hot Spots.

(Good) Personal - Free

2) Use https vs http whenever possible if you are going to use a open Wi-Fi.

However, not the best solution becausedata is still leaked.

Ex. DNS and Apps are still clear text

(Good) Personal - Free3) Paradigm shift - Treat a open connection as a public terminal.

Do not perform sensitive searches and perform private confidential tasks like banking while joined to an open Wi-Fi connection unless absolutely necessary.

Assume all actions are being watched and monitored.

(Good) Personal - Free

Use your mobile Wi-Fi hotspot with WPA2 and > 10 character password for you tablet or laptop to join instead of the joining an available public hotspot when in public.**

**This may quickly exhaust your data plan.

(Better) Personal - Low Cost

• Use and inexpensive VPN service with your mobile devices which encrypts data from a public Wi-Fi hotspots.

• VPN services as low as $3 dollars a month. Ex. IBVPN – Around $37 a year.

• Cheaper than purchasing extra data from your mobile provider.

• Encrypts all data to and from the public hotspot once active once active including DNS and App data.

(Better) Personal - Low Cost

• Easy to configure the Encrypted Tunnel

• Renders War Walking, War Dining, and Stroll Trolling ineffective once VPN is active.

• Free VPN management applications available in the App Store and Google Play. (Ex. 5VPN)

• Same account can be shared by any of your mobile devices including laptops, tablets, and phones.

(Best) Enterprise Level - Higher Cost

Some Mobile Device Attack Vectors

• BYOD• Malware - Infections• MITM - War Walking, War Dining

• Remote Access to Resources• MITM - War Walking, War Dining, Stroll

Trolling• Theft/Forgery – Stolen/Lost phone


Categorization and Management of Smart Devices

• Smart phones are mini computers with phone capabilities.

• Should be place firmly in the Remote Access Domain and be treated like work issue laptops and tablets.

• This means SSL, Certificates and Corporate VPN solutions should be administered for all interactions with corporate resources.


• If possible segregate the Mobile Wi-Fi Network from the rest of the corporate network

• Funnels all data back inside corporate walls which means that it can be analyzed for data leakage and compliance.

• Allows ACLs, Group Policy and Proxies to be applied on some level to enrich security and compliance on these devices.

Take Away

Remember: We have a computer in our pocket that can make phone calls instead of a phone with applications installed.

Public Wi-Fi points can be dangerous if one does not understand what is at stake. Armed with just a little knowledge and technology one can practice safe surfing when using these public connections.

Ask everyone you know if they have heard the following terms and explain to them what they mean. This helps the less technologically savvy friends and family to understand the threats associated with using Public Wi-Fi access points:

• War Walking• War Dining• Wi-Fi Phaking• Stroll Trolling

15 Possible devices could have been Stroll Trolled in 7 hours at this event!

Thank [email protected]

Twitter Handle: RabidSecurity

If you tried to join the Phaked access point during this conference…what data would your device leaked in clear text.

How much and what sensitive data does your device leak?

Are you taking precautions to safeguard your data?

Do you run a VPN solution on Public Wi-Fi?

References Revolutionary: S-OFF & Recovery Tool. (2012). Retrieved Feb

10,2012 from http://revolutionary.io- rooting software for android usually for Android 2.3 phones

Unrevoked – set your phone free. (2012). Retrieved Feb 10,2012 from http://unrevoked.com/ - rooting software for android usually for Android 2.2 phones

Shark for Root. (2012) Retrieved Feb 11, 2012 fromhttp://market.android.com/details?id=lv.n3o.shark&hl=en – Used to passively sniff and record packets from an android device

Pirni for IPhone. (2012) Retrieved March 5, 2012 fromhttp://apt.thebigboss.org/repofiles/cydia/debs2.0/pirni_1.1.1.deb – Used to passively sniff and record packets from a Jail broke IPhone

References Time Business - Nearly 50% of Americans Own Smartphones;

Android, iPhone Dominate (3-1-2012). Retrieved on March 5, 2012 from http://business.time.com/2012/03/01/nearly-50-of-americans-own-smartphones-android-iphone-dominate/

Netwitness Investigator (2012)- Retrieved March 13, 2012 from http://netwitness.com/products-services/investigator-freeware

Invisible Browsing VPN(2012)- Retrieved March 27, 2012 from http://www.ibvpn.com/

Android Robot Blender Model - Retrieved January, 1 2012 from http://www.blendswap.com/blends/author/darmau5/

Disclaimer

Documents

Transcript of Disclaimer