Mobile Security Attacks: A Glimpse from the Trenches - Yair Amit, Skycure
Codemotion Tel Aviv (category: Technology)
Transcript of the slides
Mobile Security: A Glimpse from the Trenches
Yair Amit, CTO & Co-Founder, Skycure, @YairAmit
About Me
- Today: CTO & co-founder of Skycure
- Previously: managed the Application Security Group at IBM; joined IBM through the acquisition of Watchfire
- Loves and lives security
- Filed over 15 security patents
A Holistic Outlook on Mobile Security (layer diagram)
- Layers: Physical Security, Network, Application Security & Privacy, Malware
- Threat labels on the diagram: Basic Threat, Biggest Threat, Changing Threat, Emerging Threat
The Physical Layer
- Threat vector: device lost / device stolen / temporary physical access
- Basic physical security needs: remote wipe, locate device, backup, local storage, passcode protection
- The above becomes OS responsibility; MDM provides the above OS features together with management and policy enforcement
Network Based Attacks
Real World Incident Statistics (based on Skycure enabled devices worldwide)
Affected Devices Over Time (chart):
  1 Month    23%
  2 Months   30%
  3 Months   35%
  4 Months   41%
Global Real-Time Threat Map: https://maps.skycure.com
- Did network attacks happen near your office?
- Are airports more susceptible to attacks?
- Which networks at a conference should I be avoiding?
Network Based Attacks: Implementation-Based Vulnerabilities vs. Design-Based Vulnerabilities
Network Based Attacks - Implementation Issues
Implementation-Based Vulnerabilities
- iOS vs. Android
- Example I: gotofail
Gotofail - The Code

    static OSStatus
    SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                     uint8_t *signature, UInt16 signatureLen)
    {
        …
        if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
            goto fail;
        if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
            goto fail;
        if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
            goto fail;
            goto fail;   /* duplicated line: unconditional jump while err is still 0 */
        if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
            goto fail;

        err = sslRawVerify(ctx, ctx->peerPubKey,
                           dataToSign,     /* plaintext */
                           dataToSignLen,  /* plaintext length */
                           signature, signatureLen);
        …
    fail:
        SSLFreeBuffer(&signedHashes);
        SSLFreeBuffer(&hashCtx);
        return err;
    }

- Always goto "fail", even if err == 0
- The code after the second goto is skipped (even though err == 0)
- The function returns 0 (i.e. verified), even though sslRawVerify was never called
Implementation-Based Vulnerabilities
- Example II: Heartbleed
Network Based Attacks - Design Issues

Design-Based Vulnerabilities
- Design issues are much more interesting ... and much harder to fix
- These are divided into two types: general "protocol" vulnerabilities; design issues affecting mobile OS
- Mobile devices are more susceptible: classical solutions are inadequate; excessive use of untrusted networks
Design-Based Vulnerabilities (Generic)
- Example I: sslstrip
  - Server returns a redirection to HTTPS
  - Attacker removes redirections and links to HTTPS
  - Victim continues to interact via HTTP instead of HTTPS
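The three steps above, as an added example that is not part of the talk or of Skycure's code: an in-memory origin server, an on-path proxy that performs the two sslstrip moves (swallow the redirect to HTTPS, rewrite https:// links to http://), and a victim client that either does or does not already know the host requires HTTPS (HTTP Strict Transport Security, the standard counter to this downgrade). The host bank.example, its pages and the posted credentials are constructed for the example.

```python
"""sslstrip-style HTTPS downgrade, modelled in memory (added example)."""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

Response = Tuple[int, Dict[str, str], bytes]
HSTS = "Strict-Transport-Security"

# Constructed origin server: plain HTTP is answered with a 301 to HTTPS, the
# HTTPS pages link to HTTPS and carry an HSTS header.
ORIGIN: Dict[Tuple[str, str, str], Response] = {
    ("http", "bank.example", "/"): (301, {"Location": "https://bank.example/"}, b""),
    ("http", "bank.example", "/login"): (301, {"Location": "https://bank.example/login"}, b""),
    ("https", "bank.example", "/"): (
        200, {HSTS: "max-age=31536000"},
        b'<a href="https://bank.example/login">Log in</a>',
    ),
    ("https", "bank.example", "/login"): (200, {HSTS: "max-age=31536000"}, b"welcome"),
}


def origin_fetch(scheme: str, host: str, path: str) -> Response:
    return ORIGIN.get((scheme, host, path), (404, {}, b"not found"))


class SslStripProxy:
    """On-path attacker. The victim talks plain HTTP to the proxy; the proxy
    talks to the real server and follows its HTTPS redirect itself."""

    def __init__(self) -> None:
        self.captured: List[bytes] = []  # request bodies seen in the clear

    def handle(self, host: str, path: str, body: bytes = b"") -> Response:
        if body:
            self.captured.append(body)  # e.g. POSTed credentials
        status, headers, content = origin_fetch("http", host, path)
        if status in (301, 302) and headers.get("Location", "").startswith("https://"):
            # Move 1: do not pass the redirect on; fetch the HTTPS page for the victim.
            loc = urlsplit(headers["Location"])
            status, headers, content = origin_fetch("https", loc.hostname, loc.path or "/")
        # Move 2: rewrite every HTTPS link so the next click also stays on HTTP.
        content = content.replace(b"https://", b"http://")
        # The HSTS header would make the client upgrade on its own; drop it.
        headers = {k: v for k, v in headers.items() if k.lower() != HSTS.lower()}
        return status, headers, content


class Browser:
    """Victim client. `hsts` holds hosts known to require HTTPS, learned from an
    earlier secure visit or from a preload list."""

    def __init__(self, proxy: SslStripProxy, hsts: Optional[Set[str]] = None) -> None:
        self.proxy = proxy
        self.hsts: Set[str] = set(hsts or ())

    def fetch(self, url: str, body: bytes = b"") -> Response:
        u = urlsplit(url)
        scheme = "https" if u.hostname in self.hsts else u.scheme  # HSTS: never speak plaintext
        if scheme == "https":
            # TLS end to end: the on-path proxy can neither read nor rewrite this.
            status, headers, content = origin_fetch("https", u.hostname, u.path or "/")
        else:
            status, headers, content = self.proxy.handle(u.hostname, u.path or "/", body)
        if HSTS in headers:
            self.hsts.add(u.hostname)
        return status, headers, content


def login_over_hostile_network(preloaded_hsts: bool) -> Tuple[bool, str]:
    """Victim types bank.example (defaults to http://), clicks the login link and
    posts credentials. Returns (credentials_seen_by_attacker, login_url_used)."""
    proxy = SslStripProxy()
    browser = Browser(proxy, {"bank.example"} if preloaded_hsts else None)
    _, _, home = browser.fetch("http://bank.example/")
    login_url = re.search(rb'href="([^"]+)"', home).group(1).decode()
    browser.fetch(login_url, body=b"user=alice&pass=hunter2")
    return bool(proxy.captured), login_url


if __name__ == "__main__":
    print("without HSTS:", login_over_hostile_network(False))  # (True, 'http://bank.example/login')
    print("with HSTS:   ", login_over_hostile_network(True))   # (False, 'https://bank.example/login')
```

The first session shows why this is a design issue rather than a bug: nothing in the exchange is malformed, the victim simply never asked for HTTPS and the server's redirect was the only thing telling it to. The HSTS case shows the fix has to live on the client before the first plaintext request is sent (preload or an earlier secure visit); a header the attacker can strip is not enough on its own.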
Design-Based Vulnerabilities (Generic)
- Example II: SSL decryption
  - 92% of users click on "Continue" when prompted, compromising their Exchange identity (username and password)
  - Chart: Continue 92%, Cancel 8%
Design-Based Vulnerabilities (Generic)
- Example III: Karma (Hak5's WiFi Pineapple)
Network Based Attacks - Mobile-Specific Design Issues
iOS Security Model (iOS sandbox approach; source: Apple's App Sandbox Design Guide)
- App characteristics: one store; heavy screening; app sandboxing
- Profile characteristics: no store; no screening; no sandboxing
Configuration Profiles - Where Do We Find Them?
- Mobile Device Management (MDM)
- Cellular carriers (usually used for APN settings)
- Mobile applications
- Service providers
Malicious Profiles
- Configuration profiles can also be malicious: malicious "service providers" (apps/services/Wi-Fis/etc.); vulnerable services; privacy-violating services
- Lure shown on the slide: "Click to install streaming profile. Welcome to iOS Streamer. Watch TV shows and movies free online. Stream your favorite content directly to your iOS device."
- Hacker gains access to your mail, business apps, cloud services, bank accounts and more, even if traffic is encrypted
Malicious Profiles - Going Viral
- Attacker hijacks victim's key identities: corporate Exchange, Facebook, LinkedIn
- Attacker sends mass messages to victim's contacts, luring them to install the malicious profile
- Attack propagates

Am I Safe?
- Profile listing could indicate suspicious profiles
- Cat-and-mouse game: attackers can name their profile to look benign
Design-Based Vulnerabilities (Mobile)
- Example II: WiFiGate
App Level Security & Privacy
- Mobile OS enforce additional security models: sandbox; better updates; controlled application stores
- App-level issues are now on the rise
App Level Vulnerabilities
- Example I: Plain HTTP ("Daaa!")
App Level Vulnerabilities
- Example II: Certificate Pinning

Certificate Pinning - A Long Way to Go
- Almost all major apps today lack SSL pinning
  - Susceptible to attacks such as malicious profiles by design
  - Also exploited when an attacker gains access to a trusted CA
- Slow adoption should not come as a surprise
  - Implementation challenges
  - Less flexibility
  - Can become a nightmare if done wrong...
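Why a malicious profile beats the OS trust store but not a pin, and how pinning "done wrong" bites, as an added example that is neither Skycure's nor Apple's code. It is not real X.509: a certificate is a (subject, issuer, public key) record and chain validation is reduced to "subject matches the host and the issuer is a trusted root" (signatures, validity periods and intermediates are left out). All names and key bytes are constructed; the "iOS Streamer CA" stands for the root a malicious configuration profile would add to the device.

```python
"""Certificate pinning versus trust-store validation, modelled offline (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for the DER SubjectPublicKeyInfo


def spki_pin(cert: Cert) -> str:
    """Pin the public key, not the certificate, so the server can renew its
    certificate under the same key without touching the app."""
    return hashlib.sha256(cert.spki).hexdigest()


def validate_chain(leaf: Cert, host: str, trust_store: Dict[str, Cert]) -> bool:
    """What the OS trust evaluation does, simplified to name and issuer checks."""
    return leaf.subject == host and leaf.issuer in trust_store


def connect(host: str, leaf: Cert, trust_store: Dict[str, Cert],
            pins: Optional[FrozenSet[str]]) -> str:
    """Outcome of a TLS handshake as seen by an app with or without pinning."""
    if not validate_chain(leaf, host, trust_store):
        return "rejected: untrusted chain"
    if pins is not None and spki_pin(leaf) not in pins:
        return "rejected: pin mismatch"
    return "connected"


# Constructed PKI: a public root, the bank's current and next key, and the CA
# a malicious "iOS Streamer" profile would install into the device trust store.
PUBLIC_ROOT = Cert("Public Root CA", "Public Root CA", b"public-root-key")
BANK = Cert("bank.example", "Public Root CA", b"bank-key-2014")
BANK_NEXT = Cert("bank.example", "Public Root CA", b"bank-key-2015")
PROFILE_CA = Cert("iOS Streamer CA", "iOS Streamer CA", b"attacker-root-key")
FORGED_BANK = Cert("bank.example", "iOS Streamer CA", b"attacker-leaf-key")


def scenarios() -> Dict[str, str]:
    clean_store = {PUBLIC_ROOT.subject: PUBLIC_ROOT}
    profiled_store = {**clean_store, PROFILE_CA.subject: PROFILE_CA}
    pins_with_backup = frozenset({spki_pin(BANK), spki_pin(BANK_NEXT)})
    pins_current_only = frozenset({spki_pin(BANK)})
    return {
        "no pinning, clean device": connect("bank.example", BANK, clean_store, None),
        "forged cert, clean device": connect("bank.example", FORGED_BANK, clean_store, None),
        "no pinning, profile installed": connect("bank.example", FORGED_BANK, profiled_store, None),
        "pinned, profile installed": connect("bank.example", FORGED_BANK, profiled_store, pins_with_backup),
        "pinned, key rotated": connect("bank.example", BANK_NEXT, clean_store, pins_with_backup),
        "pinned without backup, key rotated": connect("bank.example", BANK_NEXT, clean_store, pins_current_only),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:36} {outcome}")
```

The last two scenarios are the "less flexibility" and "nightmare if done wrong" points in code: the pin set must already contain the next key before the server rotates to it, or every installed copy of the app stops connecting with no way to push a fix through the same channel.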
App Level Vulnerabilities
- Example III: HTTP Request Hijacking

HRH - Attack Flow
- Victim opens the app in an untrusted environment
- Victim interacts with the malicious server
- Attacker returns a 301 directive specifying a permanent change in URI
- A while later, victim opens the app: app logic has changed!
- App continues to connect to the malicious server!
- Malicious server can return actual results from the target server
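The attack flow above, as an added example that is not Skycure's code. It models the client behaviour the flow depends on: an app's HTTP layer that follows a 301 Moved Permanently and remembers it, so one answer from an attacker on an untrusted network keeps sending the app to the attacker's server on later, trusted networks. The hardened variants (do not persist 301s for API calls; refuse a redirect to another host) are added here as the generic mitigations, not something the slides state. Hosts, paths and payloads are constructed; a "network" is a function mapping a hostname to the server that answers it there.

```python
"""HTTP Request Hijacking (HRH) via a cached 301, modelled offline (added example)."""
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

Response = Tuple[int, Dict[str, str], str]
Server = Callable[[str], Response]   # path -> response
Network = Callable[[str], Server]    # hostname -> server reachable on this network

API_URL = "http://api.example/feed"


def real_api(path: str) -> Response:
    return 200, {}, f"genuine feed for {path}"


def attacker_api(path: str) -> Response:
    # Proxies the real content so the app keeps working, with the attacker's edits.
    _, _, body = real_api(path)
    return 200, {}, body + " [altered by attacker]"


def hostile_network(host: str) -> Server:
    """Untrusted Wi-Fi: requests for api.example are answered by the attacker
    with a permanent redirect to a host the attacker controls."""
    if host == "api.example":
        return lambda path: (301, {"Location": f"http://attacker.example{path}"}, "")
    if host == "attacker.example":
        return attacker_api
    raise ConnectionError(host)


def clean_network(host: str) -> Server:
    """Trusted network: api.example is genuine; attacker.example is still on the internet."""
    if host == "api.example":
        return real_api
    if host == "attacker.example":
        return attacker_api
    raise ConnectionError(host)


def host_and_path(url: str) -> Tuple[str, str]:
    u = urlsplit(url)
    return u.hostname or "", u.path or "/"


class AppHttpClient:
    """Minimal HTTP client. With cache_permanent_redirects=True it persists 301
    targets across sessions, like an on-disk URL cache (the HRH-prone behaviour)."""

    def __init__(self, cache_permanent_redirects: bool, allow_cross_host_redirect: bool = True) -> None:
        self.cache_permanent_redirects = cache_permanent_redirects
        self.allow_cross_host_redirect = allow_cross_host_redirect
        self.redirects: Dict[str, str] = {}

    def get(self, url: str, network: Network) -> str:
        url = self.redirects.get(url, url)  # a remembered 301 is applied before anything is sent
        for _ in range(5):
            host, path = host_and_path(url)
            status, headers, body = network(host)(path)
            if status != 301:
                return body
            target = headers["Location"]
            if not self.allow_cross_host_redirect and host_and_path(target)[0] != host:
                raise ValueError(f"refusing redirect from {host} to {host_and_path(target)[0]}")
            if self.cache_permanent_redirects:
                self.redirects[url] = target
            url = target
        raise RuntimeError("too many redirects")


def replay_attack(client: AppHttpClient) -> Tuple[str, str]:
    """Session 1 on the hostile network, session 2 (same app state) on a clean one."""
    first = client.get(API_URL, hostile_network)
    later = client.get(API_URL, clean_network)
    return first, later


if __name__ == "__main__":
    print(replay_attack(AppHttpClient(cache_permanent_redirects=True)))
    print(replay_attack(AppHttpClient(cache_permanent_redirects=False)))
```

With caching on, the second session never sends a packet to api.example: the remembered 301 is applied before the request leaves the device, which is what "app logic has changed" means in practice. Because the attacker's server relays the genuine content, neither session looks broken to the user.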
Malicious Apps

Google's Focus on Malware
- The year of Android malware [1]
- Google reveals "Bouncer", its malware scanner [2]
- Malware is moving out of Google Play [3]
- Google adds full-time app scanning to address malware on external stores [4]
- Android is becoming like iOS when it comes to malware

The Maliciousness Axis
- While OS anti-malware techniques advance, there are other similar problems (harder to address)
- Axis: Malicious Apps -> Ad Networks -> Privacy Violations
- Not an Android-only issue...
Summary
- The physical threats: become the OS responsibility
- Network based threats: implementation vulnerabilities; design vulnerabilities (generic vs. mobile specific)
- App level threats: vulnerabilities (HTTP/S, certificate pinning, HTTP request hijacking); the "maliciousness" axis (malware -> ad networks -> privacy violations)

Recommendations
- Personal level
  - Maintain an up to date operating system
  - Update the apps that you are using
  - Be alerted and aware of evolving threats: network layer; third-party app stores; OS misconfigurations and vulnerabilities
- Organizational level
  - Deploy a mobile security solution
Thank you!
- Twitter: @YairAmit
- Email: [email protected]
- Blog: http://www.skycure.com/blog
Seamless Mobile Security