Transparent Smartphone Spying

Post on 18-Nov-2014


Georgia Weidman

Agenda

• Smartphone Overview

• Evil Applications

• Evil Jailbreaks

• Baseband Spying

• Mitigation Strategies

What is a Smartphone?

Data Stored and Transmitted

• Personal info

• Work info

• Location info

• Account info

Privacy of Transmitted Data

• Mobile communication standards

• Encoding vs. Encryption

• Attacks against privacy

Privacy Matters: Text Messages

• “Hi meet me for lunch”

• “Meet me for lunch while my wife is out”

• “Here are your bank account credentials”

Privacy Required Examples

• Vendor text messages
  – Vendor advertisements
  – Provider messages

• Mobile banking
  – Balance sheet
  – Electronic bill paying
  – One time passwords

Evil Applications

Application Stores

• iPhone
  – Expensive
  – Identity Verified
  – Closed
  – Certificate Authority

• Android
  – Cheap
  – Open
  – Anonymous
  – Self signed

Application Protections: iPhone

• ASLR

• Mandatory code signing

• No dynamic code loading

• Sandboxed

Application Protections: Android

• Users accept permissions

Our Text Message Example

• Permission to read text message (SMS) database

• Specific permission to send text (SMS) messages

• Without user consent, application cannot access this information

Is this system working to protect users?

Are users making good decisions about application permissions?

Top Android App of all Time

Demo

Demo: Application abusing permissions

Abusing the Android Sandbox

• Load exploit code at runtime

• Safe application becomes malicious application

• In the wild: DroidDream

• In the lab: Rootstrap

Evil Jailbreak

Jailbreaking

• Get root privileges

• Expand feature set

• Run unapproved (3rd party) apps

Jailbreaking Gone Wild

• Run this code

• It jailbreaks your phone

• What else does it do?

So I’ve exploited a phone, what now?

Baseband Spying

• Read all data sent/received by the phone

• Intercept data before it reaches the user/before it is sent


How a GSM message is sent and received

© Georgia Weidman 2011


Malicious Proxy

• Intercept data

• Send data

• Alter data

• Botnet functionality

Demo

Demo: Stealing Text Messages

Mitigation Strategies

• User Awareness

• Encryption

• Updating

• Code signing

Contact

Georgia Weidman, Security Consultant
Neohapsis, Inc.

Email: georgia@grmn00bs.com, georgia.weidman@neohapsis.com

Website: http://www.neohapsis.com, http://www.grmn00bs.com

Twitter: @vincentkadmon

Selected Bibliography

• Jon Oberheide and Zach Lanier, “Team JOCH vs. Android,” Shmoocon 2011: http://jon.oberheide.org/files/shmoo11-teamjoch.pdf

• Charlie Miller and Collin Mulliner, “Fuzzing the Phone in Your Phone,” Blackhat USA 2009: http://www.blackhat.com/presentations/bhusa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf

• Dino Dai Zovi, “Apple iOS Security Evaluation,” Blackhat USA 2011: https://media.blackhat.com/bh-us-11/DaiZovi/BH_US_11_DaiZovi_iOS_Security_WP.pdf