Next item on the board meeting agenda: the war on smartphones! For some time now, smartphones have been quietly creeping into our society and slowly infiltrating our families and companies. It started off simply enough: the CEO's husband bought her an iPad for Christmas, and she thought it would be pretty savvy to be able to answer work email on it at a business meeting half way around the world. The fashion slowly trickled down the food chain until everyone wants to put their smartphone devices on the company network. While vacations used to be a time of relaxation, when the pressures of everyday life at the office could be forgotten, now it can be a serious career hazard to be unable to answer emails during the few minutes at the beach when your laptop is out of Wi-Fi range. Gone are the days of parents hovering around the living room praying teenagers will make it home from their dates in one piece and by curfew. In the age of smartphones there's voice chat, video chat, text messaging, picture messages, and email continuously available to worried parents. Special smartphones are even being marketed to the under 13 crowd.
Whether it's bringing your own device or special company BlackBerrys handed out at company meetings, chances are smartphones are able to access emails, deliverables and reports, and other sensitive data in your company environment. How secure are those smartphones? What sorts of attacks are common against the various smartphone platforms? What user behaviors open up your sensitive data to attack? What information could someone who has access to the data on your smartphone learn about you, your family, and your workplace? There are many paths attackers can take to interfere with your smartphone’s intended operation. Jailbreaking, malware, text messages with malicious links, and client-side attacks (like the Safari webkit vulnerability) are a few of the paths discussed in this first entry in a series of articles on hacking mobile devices serves as a primer to the EH-Net crowd. Read on to get a better idea some of the different ways your phone can be compromised along with some of the scenarios attackers are using to make this happen.
Discuss Topic (2)
Consider this scenario: You are being mugged. The culprit gives you a choice: Give up your smartphone or your wallet. Which one would you choose? Would it be more harmful to lose the IDs, credit cards, money and other items in the wallet or have all the data in your smartphone compromised? Our gut reaction is often the wallet, but, as smartphones take over more and more of our lives, it becomes just as if not more dangerous to have your smartphone data fall into the wrong hands. It may be time to reconsider the way you think of that small, unassuming device.
When most people think of a smartphone, they see this:
Yes it does a lot of cool stuff, but ultimately it’s a phone. However, a smartphone has much more in common with this…
Rather than with an old rotary telephone. Security awareness is on the rise and many users are aware of basic security principles to keep their computers safe. Don't click on links in emails that look suspicious or from people you don't know. Don't install random stuff off of the Internet on your computer. Don't use the password “password.” This awareness seems to go away when faced with a smartphone. However, the same sorts of general principles govern smartphone security. Smartphones are subject to the same sorts of attacks as traditional computers. Malicious programs can be installed on these devices, they are subject to security flaws, and you may find yourself targeted in social engineering attacks on your smartphone as well as your PC.
Think about your security awareness training at work. Do you think anyone would tell you to go out to the Internet and download every piece of software you can find that might possibly be interesting and install it on your work computer? Of course not. Unfortunately this is one of the top ways that smartphone devices are marketed to customers. “Our platform has the best app selection, so buy our smartphones!” “Our apps will make your life much easier!” “Even with no development experience for just $25 you too can be a smartphone app millionaire!” Apps are ubiquitous in the smartphone world. If you can dream up a problem to be solved chances are, like it says in the iconic commercial, “There's an app for that!”
Aside from making life easier, introducing you to new addictive games, and making it even easier to stay in touch with friends, family, and strangers alike on Facebook, Twitter, Gmail, AIM, Gchat, and every other social media outlet imaginable, apps may also be stealing sensitive information or even remotely controlling your smartphone. Naturally being the curious sort I wanted to know how hard it would be to write a malicious app. In just a few lines of code I was able to steal data from a victim phone and send it to a remote phone. An example proof of concept video is shown below:
What's worse, to create the app I didn't even need to run exploit code against the phone. I instead just banked on users' willingness to accept potentially dangerous app permissions. Next time you install an Android app take a look at the permissions it is asking for. I only asked for 3 permissions in my proof of concept app, and I took advantage of every one of them. Users are used to seeing a long list of permissions when they install apps. A lot of the most popular apps ask for a series of potentially dangerous permissions. Left with the choice between accepting the dangerous permissions and not having Facebook or Twitter or Angry Birds on their phones, users (even security savvy ones) often choose to install the app and accept the permissions.
From time to time an outbreak of malware in one of the smartphone app stores hits the news. Perhaps the most publicized occurrence was the DroidDream attack. Famous for being the first known malware in the official Android market, DroidDream cloned a handful of benign apps such as games and online dating services. The infected versions ran malicious functionality in the background. DroidDream ran exploits against known security vulnerabilities in the Android platform (discussed further in the jailbreaking section below) attempting to get root privileges on the phone. If successful it installed hidden apps and remotely controlled users' phones. Though DroidDream was discovered by researchers and will now be picked up by mobile antivirus, new app-based mobile malware is being discovered in the wild regularly. And truthfully, how many of you have AV on your smartphones?
Months before the DroidDream attack was discovered, security researcher Jon Oberheide warned of Android apps that can join a smartphone to a botnet was imminent, showing a proof of concept sometimes known as the Twilight Botnet. Advertised as an app that had pictures of the then upcoming Twilight film and no other functionality, when Jon Oberheide posted his proof of concept to the Android market, the app had many downloads in just a matter of hours. On top of showing the exploit potential in Android apps, he also showed that smartphone users will download anything.
My financial analyst and I recently had an in-depth discussion on Android permissions and malware. My Dad brought him along the last time I was speaking in Dallas, and the next time I walked into the office he had written a flowchart of comparisons of permissions on all the apps on his phone. Much the way I long for a definitive answer from him about which stocks will make me rich, quick, and with little to no effort, he wanted some sort of mathematical formula from me, that would let him know beyond a reasonable doubt which apps were malicious and which ones were not. The problem was I have no idea.
Dr. Xuxian Jiang et al at North Carolina State note in "Dissecting Android Malware" that malicious apps on average ask for more permissions than benign ones. I often quip in my talks that the popularized DroidDream attack wasn't very stealthy, since a real app would never ask for only 4 permissions. The apps on my financial analyst’s phone, many of them preinstalled when he bought it, averaged about 10 permissions a piece. Unfortunately there is no clear profile of what a malicious app looks like, and what behaviors should tip a user off. There is no perfect set of guidelines to how to spot malicious apps and what users should look out for. Also unfortunate is that, according to the North Carolina State researchers' findings, mobile antivirus also often can't detect that an app is malicious with the top mobile antivirus performer only finding 80% of the malicious samples.
It is an age old struggle. You bought the device. You should now be able to use it however you please. If I want to use my iPhone exclusively as the front end to my microwave I should be able to. By paying for the device I have bought that right, have I not? According to many vendors I have not, which is why they have created a force field surrounding their operating environment. In attempting to regain full ‘rights’ AKA root privileges on their own device, many users choose to bust out of this virtual prison, thus the rise of jailbreaking. In order to jailbreak most mobile devices, one must first exploit the underlying software. Android is built on a Linux kernel and iOS is based on OSX, both platforms that security researchers and malware writers alike have lots of practice exploiting. And like their computer counterparts both Android and iPhone are subject to security flaws in the underlying systems that can be exploited by jailbreaks. Regardless of your position on whether jailbreaking is an ethical pursuit, the fact remains that the same process used for jailbreaking is also utilized in creating malicious apps.
In a way, smartphones may have the most influential role in taking hacking mainstream since Angelina Jolie. Though I still think the coolest hack ever was changing the start button in Windows XP pre-SP2 to read “georgia” instead of “start.” As the resident computer savvy person in your family, apartment, or office, how many times has someone asked you to “hack” their computer as opposed to jailbreaking their mobile devices. Chances are you get far more requests for mobile hacks. Unfortunately jailbreaking phones comes with inherent risk. By jailbreaking your device you are running known malicious code. You are actively giving an attacker permission to exploit your phone. As long as users are gaining root privileges, no one is the wiser if jailbreak writers are secretly installing malicious root level payloads in the jailbreak programs. Posting a popular mobile jailbreak online saves an attacker the trouble of hiding malicious code inside a seemingly innocuous app and trying to lure users into downloading it. In this case, users are actively looking for malicious code although their initial intention was not malicious. An example of a malicious functionality that can be packaged and silently run with a jailbreak
In this example I patched the baseband drivers on the device which are only available to those with root privileges on the phone. I am able to intercept text messages and even send them to other devices as part of an SMS controlled botnet. Once an attacker gains root privileges through a jailbreak, security controls such as the Android permission model break down, and the attacker has pretty much free rein on the device.
For better or worse, jailbreaking is very popular for smartphone users. While being interviewed as part of a survey of the smartphone usage habits of active seniors, my grandmother says she loves jailbreaking. She says she can get more apps. Though familiar with some of the inherent risks of jailbreaking, “I realize you can get more diseases by jailbreaking, like those ones you write Georgia,” access to 3rd party apps such as Cydia on her iPhone seems worth the risk of a malware infection. For those who are not up to the task of downloading and running jailbreak exploits themselves, there are services that will jailbreak your smartphone for you. Students have put themselves through college by offering jailbreaking services to peers. However, handing your device over to someone else gives them even more opportunity to load malicious software onto the device.
Client-Side Attacks and Social Engineering
You may be used to seeing social engineering and client-side attacks on your computer. Frequently as a penetration tester I am tasked with imitating a social engineering attack against client employees. For instance I may create a clone of the company webmail or employee portal. I would then create an email message pretending to be a boss or IT person luring users to login to the site I control, so I can capture their credentials. In another scenario I may create malicious webpages that attempt to exploit vulnerabilities in web browser software. When an employee surfs to my site, I then try to gain access to their computer rather than harvest credentials. These same sorts of attacks work against smartphones and are beginning to be seen in the wild.
Smartphone browsers have vulnerabilities just like computer-based browsers. Proof of concept exploit code for mobile browser exploits is publicly available. Additionally, even if users pass traditional social engineering tests through email, that security awareness training may not cross over into the smartphone realm. Have you ever gotten a text message such as “Congratulations! Since you pay us enough money each month you get a free security app. Download it here: $link” or “You've won a $500 $company gift card. Login to your account at $company.com.rr.biz to claim.” These are potential social engineering attacks against smartphones. If you click on the link your mobile browser may be exploited, or you may be entering your sensitive information into a malicious site. These are the same sorts of attacks we see in the PC world, but when most users see a text message, they think, “It's text. How can text hurt me?”
Malicious apps, jailbreaks, and client-side attacks happen on the iPhone side as well. Though Apple claims to have a more secure platform than Android, keep in mind that with each jailbreak that hits the news after Apple claims “No hacker will ever jailbreak this device!” is a successful exploit against an iPhone. In fact the first exploit released for iOS 4.0, which required all code run on the device to be signed and approved by Apple, began by exploiting a vulnerability in the Mobile Safari application with a client-side attack. Apple also claims a 100% malware free app store. You get frowned at for managing to get a malicious app into the store. Renowned researcher Charlie Miller made headlines late last year by posting a proof of concept app that made the user part of a botnet (fairly standard fare in Android malware). Consequently Dr. Miller was banned from the Apple developer program. Charlie Miller made Apple aware of the issues in an attempt to improve the security of the iPhone app store, unlike malicious hackers, who incidentally still have Apple developer accounts. Dr. Miller admits to being banned from the Google app store as well. In fact Miller's wife was also recently denied a developer account by the Google Play Store.
The Future of Smartphone Hacking
The natural question that comes up is if smartphones are so insecure and such a bastion for our personal data, then why haven't we seen more attacks against them. Every so often a niche news program wants to do a story about smartphone malware. These shows usually follow the same sort of pattern: a distraught user tells a story of getting an x-thousand dollar phone bill. When the user went to the phone company claiming hacking, the phone company said it wasn't possible for an attacker to take over a phone. Cut to me or another smartphone researcher demonstrating remotely controlling a phone transparently to the user. If smartphone hacking is the next big thing, then why haven't we seen headlines such as “Android Botnet steals $40 billion,” or “$Company Password Database Stolen Through Flaw in iPhone App?”
In a recent talk at the SOURCE Boston Conference Dan Guido and Mike Arpaia discussed their "Mobile Exploit Intelligence Project," where they seek to answer this and other questions about mobile exploitation. The researchers argue that to malware writers, the game is not always about intellect; it is often about money. Though smartphones may be the new, exciting platform to develop never before seen malware and attacks (hopefully leading to a talk at the Blackhat Briefings), attacking smartphones isn't as lucrative as traditional PC platforms. For example, they note that as of December 2011 only 8% of web traffic came from mobile devices. If you were a malware writer and you got paid $1 per browser you popped, naturally you would write exploits for computers instead of mobile devices. Likewise, if iPhones are exploitable, why do we see much more malware in the wild for Android devices? The researchers note this is because it takes less time and effort to write malware for Android devices. If a malware writer is paid a set amount for a working exploit against a smartphone, who wouldn't quickly churn out a malicious app for Android instead of trying to find a new untethered jailbreak for iPhone? Android is currently the path of least resistance. A few years in the future when your television is running on Android and laptops have been entirely replaced by high powered tablets, mobile browsers will be far more than 8% of web traffic. Then no doubt, the majority of malware samples seen in the wild will be targeting smartphone platforms.
Smartphone security is a newer field than traditional computer security, thus naturally it needs some time to mature. Smartphone security is moving forward rapidly. At the recent Blackhat USA security conference and the adjoining Bsides Las Vegas and Defcon conferences, smartphones were definitely a hot topic. New research and tools for smartphone security were released at all three events. Though even faster than smartphone security is advancing, the functionality we must protect is evolving.
As a smartphone security researcher, I cringe when I see a credit card reader hooked up to a smartphone. But naturally usability comes before security and perhaps sooner rather than later the wallet question will be a moot point. Eventually, no one will carry a wallet at all! All of your identification and money will be inside the device whether it be a smartphone in your pocket or some other smartdevice possibly implanted in your head. Either way, the field of smartphone security is exciting, rapidly changing, and there is lots of interesting research still left to be done.
This month we took a high level view of the common threats against smartphones. In future articles we will dig deep into specific platforms, attack vectors, tools, and mitigations in smartphone hacking. I’m proud to be the newest contributing member of the EH-Net Family, and I look forward to tearing apart mobile devices with you and teaching you the finer points of hacking them. In the end, we’ll make our systems and people more secure and have lots of fun along the way.
Georgia Weidman is a penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security as well as CISSP, CEH, NIST 4011, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has presented her research at conferences around the world such as Shmoocon, Blackhat, Security Zone, Hack in the Box, and Derbycon. Georgia has delivered highly technical security training for conferences, schools, and corporate clients to excellent reviews. Building on her experience, Georgia recently founded Bulb Security, LLC a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to build the Smartphone Pentest Framework, a tool that allows users to integrate mobile device security into traditional penetration tests.