© Srdjan Capkun, ETH Zürich
ETH Zürich, 6. September 2011 www.privacy-security.ch
1
(Selected) Security Issues in Mobile Computing
Srdjan Čapkun
Department of Computer Science ETH Zurich
06.09.2011
There are Many Security and Privacy Issues in Mobile Computing ...
Zurich, 06.09.2011
Example I: GSM eavesdropping
Many vulnerabilities:
• Weak ciphers (A5/x)
• Inappropriate authentication mechanisms
• Backward compatibility
Attacks used to be costly ... Not any more [Wagner, BlackHat, ...]
USRP, OpenBTS, < 1000$
Example II: GPS
Global Positioning System
• Civilian GPS vulnerable to spoofing attacks
• DoS (Jamming)
• Military GPS unusable on a large scale
Recent: seamless lock takeover [www.syssec.ethz.ch]
Example III: WLAN (WiFi) Localization
• WiFi localization systems vulnerable to spoofing attacks [www.syssec.ethz.ch]
Example IV: Physical-Layer Fingerprinting
Due to manufacturing imperfections, devices exhibit unique and observable 'fingerprints'
• e.g. Mobile Phones, RFID tags, WiFi, Sensor nodes etc ...
Device identification has serious privacy implications. [www.syssec.ethz.ch]
Example V: Pacemakers
Attacker can
• Trigger information disclosure
• Change patient name
• Change ICD clock
• Change therapies (disable functions)
• Induce fibrillation
http://venturebeat.com/2008/08/08/defcon-excuse-me-while-i-turn-off-your-pacemaker/
http://www.secure-medicine.org/icd-study/icd-study.pdf
Example VI: Relay Attack on PKES Systems
Passive Keyless Entry and Start Systems for Cars
• Relay attack [www.syssec.ethz.ch]
• Tested on 10 car models
• Significant impact: manufacturers are now redesigning Entry and Start Systems
[Figure: relay attack setup with Attacker 1 and Attacker 2; distances marked 30 cm and 2-8 m]
And more ...
Many more attacks:
• WiFi: WEP
• E-passports (RFID)
• NFC-based payment systems
• Tire pressure sensors
• Smartphones
• ...
Future: Cyber-Physical Systems
Interaction between the cyber and physical systems:
• increased security and privacy risks
• increased safety risks (e.g., Stuxnet)
[Images: MobileRobots Robot Reconnaissance Team at SRI's Artificial Intelligence Center in Menlo Park, including AmigoBots and Pioneer-AT's; Biotronik Home Monitoring; Skycar]
Challenges
Some problems we know how to solve
• better confidentiality (e.g., UMTS)
• better authentication (e.g., UMTS, WPA2)
Some problems are inherently difficult to solve
• (location) privacy
• data usage control
• software security
• ...
One Contemporary Example: Managing Data Deletion on Modern Smartphones
My phone ...
Songs, Photos, Mail, Dropbox, Bank account, Social Nets, VPN, SwissAir, ...
(future) Car key, House key, Credit card, House control, Where is my daughter?
and German Dictionary, Restaurants, Cookbook, ... ("small, convenient apps")
[Internet]
I am worried about my data ...
Application security (while in use)
• untrusted applications
• compromise of trusted applications
• application collusion, e.g., Soundminer (Soundcomber)
Data deletion
• After use: Sanitizing (e.g., repurposing) your phone
• While in use: coercion / capture / legal enforcement
  • crossing borders
  • search and seizure
Deleting Data?
Why would you want to delete data from your phone?
• Once it is not there, it can no longer be stolen
• If you encrypt it, you can be forced to reveal the key
• Legal/policy requirements (because someone told you to)
=> Coercion / Capture / Legislative
• crossing borders
• search and seizure
• phone theft + weak passwords (credentials)
• ...
If you are not concerned, give me your phone for approx. 30 min.
Do we have a problem?
• Just delete the file? Problem: only un-links the file!
• Overwrite the file n times with random patterns? Problem: Flash/FTL and YAFFS are log-structured systems!
  => Overwriting/encrypting appends data to the log, so "deleted" data remains on the device and can be recovered!
• "solutions" available on the App Market!
[Internet]
YAFFS / FTL
Flash memory
• in-place programming and read of pages
• erasure per block
• e.g., 64 pages x (4,096+128 B) = a block of 256 KB
• wear: 100,000 - 1,000,000 erasures / block => wear-leveling
Yet Another Flash File System (YAFFS)
• a log-structured FS for flash (used on Android)
• allocates blocks and pages sequentially (wear-leveling)
Flash Translation Layer (FTL)
• HW or SW device that exposes a block FS interface (e.g., to FAT)
• provides wear-leveling like log-structured systems
• Linux ftl driver: block with most wasted space or fewest erasures
[Figure: block 1 and block 2, each consisting of pages pg1, pg2, pg3, pg4, ..., pg64]
Experiments with YAFFS and FTL
[Figure legend: allocated, "deleted", re-allocated]
Experiments with YAFFS and FTL
Real phone experiment:
• Android used daily for 670 hours = 27.9 days (average use)
• Recorded 20345 block allocations by 73 "writers" (Android OS, GPS, DHCP, compass, browser, ...)
=> deletion latency < 44.5 h
[Figure: deletion latency for different storage sizes (discrete event simulation)]
Secure Deletion Solutions
Kernel-level solutions
• Modify kernel (FS) and enforce "zero-overwriting"
• Issues:
  • most users are not able to modify their kernel
  • warranty, updates, reliability, ...
• => Manufacturers need to support secure deletion
User-level solutions
• An application that can enable secure deletion
• Does not require any special privileges
• Empowers the user
User-Level Solutions
Purging
• Fills storage fully => immediate reallocation (overwriting)
• Issue: execution time on larger storage drives
After simulating writing for some time, we performed purging => at the right edges of the plot many blocks are rapidly allocated.
User-Level Solutions
Ballooning
• Fills storage partially => forces faster block reallocation.
• Issue: only probabilistic deletion guarantees
User-Level Solutions
Ballooning with Purging
• Fills storage partially + force occasional purging (e.g., event driven)
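The log-structured write behaviour from the YAFFS/FTL slides and the purging and ballooning approaches above, as an added toy simulation in Python (not code from the talk or from the ETH group's Android app). The FlashLog class, PAGES_PER_BLOCK and the wrap-around erase policy are simplifying assumptions; real FTLs pick blocks by wasted space or erase count.

```python
# Toy log-structured flash store (YAFFS/FTL-like), constructed for this example:
# pages are appended, never rewritten in place; a block is erased only on wrap.
PAGES_PER_BLOCK = 4

class FlashLog:
    def __init__(self, blocks):
        self.pages = [None] * (blocks * PAGES_PER_BLOCK)  # (file_id, data) or None
        self.live = {}              # file_id -> index of its current page
        self.erased = [0] * blocks  # erase count per block
        self.head = 0               # next page the allocator hands out

    def _enter_block(self, block):
        # Allocator wrapped into a used block: erase it, re-append its live pages.
        lo, hi = block * PAGES_PER_BLOCK, (block + 1) * PAGES_PER_BLOCK
        keep = [self.pages[i] for i in range(lo, hi)
                if self.pages[i] and self.live.get(self.pages[i][0]) == i]
        self.pages[lo:hi] = [None] * PAGES_PER_BLOCK
        self.erased[block] += 1
        for entry in keep:          # relocated copies land at the block start
            self.pages[self.head] = entry
            self.live[entry[0]] = self.head
            self.head += 1
        return len(keep)

    def write(self, file_id, data):
        # Append a new version of file_id; older versions stay in the log.
        if self.head % PAGES_PER_BLOCK == 0 and self.pages[self.head] is not None:
            if self._enter_block(self.head // PAGES_PER_BLOCK) == PAGES_PER_BLOCK:
                raise RuntimeError("storage full")  # every page in it was live
        self.pages[self.head] = (file_id, data)
        self.live[file_id] = self.head
        self.head = (self.head + 1) % len(self.pages)

    def unlink(self, file_id):  # ordinary delete: drops the directory entry only
        self.live.pop(file_id, None)
    def recoverable(self, data):  # forensic view over live and stale pages
        return any(p is not None and p[1] == data for p in self.pages)
    def purge(self, filler="__purge__"):  # fill until every block was erased once
        before = list(self.erased)
        while any(n == o for n, o in zip(self.erased, before)):
            self.write(filler, b"\x00")
        self.unlink(filler)

def deletion_latency(fs, secret):
    # Ordinary writes by other apps until an unlinked secret is finally erased.
    n = 0
    while fs.recoverable(secret):
        fs.write(f"app{n}", b"log")
        n += 1
    return n
```

Overwriting the secret in place only appends a new page, so the old content stays recoverable until the allocator wraps into its block; a balloon of live pages shortens that latency, and purge forces every block through an erase.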
User-Level Solutions
Implemented an Application for Android (free)
Summary
• Increasing interaction between and complexity of our cyber and physical systems
• Increasingly many security/privacy and safety challenges
• Beginning of a complex future in which security will be a prerequisite for deployment of almost all systems.
• "a mandatory security/paranoia/insecurity quote"
Zurich Information Security Center (www.zisc.ethz.ch)