Mobile Security is a real world threat in today's technology sector, these slides explore testing attack concepts and how to prevent hacks and vulnerabilities creeping up in your mobile app development or device deployment. Jon D Hagar goes through methodologies all software developers and software testers need to follow to ensure mobile security risks are minimizes and controlled.
2. XBOSoft info
lFounded in 2006
lDedicated to software quality
âąSoftware QA consulting
âąSoftware testing services
lOffices in San Francisco, Beijing, Oslo and
Amsterdam
3. Housekeeping
âąEveryone except the speaker is muted
âąQuestions via the gotowebinar control on the right side of your
screen
âąQuestions can be asked throughout the webinar, weâll try to fit them
in when appropriate
âąGeneral Q & A at the end of the webinar
âąYou will receive info on recording after the webinar
5. Jon Hagar Copyright 2013 How to Attack Embedded Software
Jon Hagar
Jon.d.hagar@gmail.com
6. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Agenda
Definitions and Concepts
Problem and Context
Attack based testing to find security issues
ï§Specific samples
ï§Historic attacks
ï§And yet more attacks
Impact to Engineering Domains
Summary
7. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Mobile, Smart, and Handheld
As the names imply, these are small, hand held devices that are often
connected to communication networks, including
ï§Cell and smart phones â apps
ï§Tablets
ï§Medical devices
Typically these devices have:
ï§Many of the features of classic âembeddedâ systems (and problems)
ï§Many of the power and capabilities of PCs/IT (and problems)
ï§More/different user interfaces (UI) and hardware configurations
(1000s)
ï§Fast updates
ï§Are getting more power, memory, and features (software, e.g., apps)
ï§Initialization, noise, power up/down, timers, sensors, etc.
ï§Often resource constrained: RAM, ROM, stack, power, speed, time,
etc.
These are âhotâ areas of computers and software
Security and testing rules are âevolvingâ
8. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Security
Keep physical and logical system elements safe from harm, compromise,
or adverse consequences.
In the Mobile World
Security of internal information
Security of transmitted information
Security from external threats (usually logical)
9. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Definition: Fundamental Software
Capabilities
Dr. James Whittaker lists these 4
ï§Software accepts inputs from its environment
ï§Software produces output and transmits it to its environment
ï§Software stores data internally in one or more data structures
ï§Software performs computations using input or stored data
Mobile software can be refined with
ï§Mobile with wireless network connections of variable strength
ï§Many kinds of hardware
ï§Many Apps
ï§Large amounts of software
ï§Features of the embedded world (sensors, control, critical
featuresâŠ)
10. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Other Definitions (for this presentation)
Taxonomy - the practice and science of classification.
Test â the act of conducting experiments on something to determine the
quality and provide information
Test case â One set of inputs, environmental set up, and results
(expected and unexpected)
Attack â to set up, forcefully, and attempt to âdamageâ the system or
software, using tools, and techniques, may use one or more test cases or
procedures
Bug (error) â Results that depart from the expected (from requirements,
design, standards, user, etc.)
Lifecycle â From beginning-to-end, the steps, stages, and activities to
create the system (birth-to-death)
Procedure â a particular way of accomplishing tests, usually written (one
or more test cases)
Scenario â a sequence of events with a test plot or story
Script â see procedure, normally uses automation
Users â someone/something that interacts with the system/software (can
be human or machine)
Quality â Value to someone that they will pay for
12. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
The Current Situation
Mobile and embedded systems are highly integrated
hardwareâsoftwareâsystem solutions which:
ï§Must be highly trustworthy since they handle sensitive
data
ï§Often perform critical tasks
Security holes and problems abound
ï§ - Android
âąstatic analysis test attack found 0.47 defects per 1000
SLOC
âą359 defects in total, 88 of which were considered
âhigh riskâ in the security domain
OS hole Andriod with Angry Birds (researchers Jon
Oberheide and Zach Lanier)
Robots and Drones rumored to be attacked
Cars and medical devices being hacked
13. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Other Data Points (scary from the embedded world)
Davis-Besse nuclear plant - Attack
Oil and Gas industry impacts
ï§Night Dragon
ï§Shamoon
Infrastructure
ï§Harrisburg water plant attack
ï§Texas waste treatment plant hack
Even some reports of criminal âblack mailâ
14. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
World Change: Mobile Security
Security remains focused on PC/IT networks (web), and
âTraditionalâ software
More recently with. . .
ï§Mobile usage over taking PC/IT
ï§Lost or stolen devices
ï§Networked/Smart devices and system are open to hacks
âąe.g. GPS spoofing
âąWorms, virus, attacks, etcâŠ..
Physical and logical security concerns will increase
15. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Design & Code Errors Produce Software Cyber
Vulnerabilities
Features/capabilities are known
ï§Some might say all features are known but there can be
âundocumentedâ features
In perfect software, we would not need to be concerned
with security vulnerabilities because we could just
âbuild itâ secure
ï§But many vulnerabilities come from errors or are âaccidentlyâ
introduced by new use situations
16. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Mobile Security Concerns (partial list)
Fraud â Identity Theft
Worms, virus, etc
ï§Fault injection
ï§Error exploitation
Processing on the run
Hacks and attacks that impact
ï§Power
ï§Memory
ï§CPU usage
Eavesdropping â yes everyone can hear you
ï§Hijacking
ï§Click-jacking
ï§Voice/Screen capture
Physical Hacks
ï§File snooping
ï§Lost phone
17. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
POLL: Is Mobile Security a Concern for you?
18. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Security and Vulnerability Actions
for Mobile and Embedded Devices
Prepare for theft or loss of devices (encryption, IT controls, memory wipe programs, etc.)
Establish physical control (locked door and limited access to facilities -historic)
IT operations (VPN, network control, access monitors, registry logon)
Prevent development and test processes such as, developers leaving back doors in the code,
testers doing something they shouldnât when they shouldnât
Software bugs we need to test for (this presentation)
Work third part operating systems and COTS bugs (Use/promote secure OS, encrypted files,
authenticated files, trusted software, etc.)
Regulatory and legal constraints (ISO â 12207, 15288, 29119, and IEEE 1012 into government
âuseâ)
Attack test data/file input and output (this presentation)
Attack tests impersonation (this presentation)
19. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Teams Need to Know the Bug (software error)
Mobile software has similar
defects to traditional software
ï§Requirements & Design
ï§Logic & Math
ï§Control Flow
ï§Data
ï§Initialization & Mode changes
ï§Interfaces
ï§Security
ï§Game interfaces
ï§etc.
lMobile adds defects/issues
lFast and âincompleteâ development
cycles
lMany many kinds of apps and
hardware
lSmall amounts of dense complex
functions
l(a BIG one) Performance issues
Do you have a taxonomy of
your bugs?
21. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
What is an Attack
Attacking your software system â In part, the process
of attempting to demonstrate that a system (hardware,
software, and operations) does not meet requirements
or functional and non-functional objectives
Embedded/handheld software testing must include âthe
systemâ (hardware, software, servers, operations, users,
etc.)
Attacks go after common modes of failure and bugs,
attempting to demonstrate that âdoes not meetâ exists
22. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
An Attack Is. . .
Based on a common mode of failure seen over and over
ï§Maybe seen as a negative, when it is really a positive
ï§Goes after the âbugsâ
ï§Based on or using classic test techniques and test concepts
Testers learn these after years and form a mental model (most
good testers attack)
I offer a few embedded attacks
ï§Based on literature research of published bugs
ï§Be suspicious
23. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Attack: Identity Security Fraud
Apply when the device is mobile/embedded and has
ï§Account numbers
ï§User ids and passwords
ï§Location tags
ï§Restricted data
Current authentication approaches in use on
embedded/mobile devices
ï§Server based
ï§Registry (user/password)
ï§Location-device based
ï§Profile based
Privacy
24. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Mobile Software Attacks
Sub-attack: Identity Fraud Spoofing
ï§â who am I and where am I, or not
ï§ In this sub-attack, the tester is trying to fool or spoof the
device/app on identity and/or location
ï§ The tester should see if the identity can be âhijackedâ
ï§ Hagerman (Unpublished PhD work) reports how to do this
using Wireshark tool to sniff and decode data being broadcast.
25. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Next Approach: Attack Location
Location used as part identity?
ï§Check how the location is used â Is authorization temporary or permanent?
ï§If temporary, the attack should check for remnant data files
ï§Use development tools and/or the OS to poke around in the file system
ï§Warning, the file may be encrypted, in which case you may need a file
encryption cracker for that type of file/encryption, e.g. pkcrack
ï§ If file is not temporary, the tester next needs to determine if any of the
permanent information can be accessed, abused, or corrupted
ï§In many devices and apps, this data should be encrypted, and here
again apply the cracking encryption tools
ï§How hard or easy is it to read the file (text â bad -> encrypted better)?
.
26. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Spoofing Location and User
Once you have the location-identity file information, ask yourself âcan I spoof
the location either inside of the device or what is broadcasting?â
ï§Each system/app will be structured differently
Closely related to location-identify spoofing is the user profile spoof, if used
ï§Here the tester attempts to take over an identity by understanding how user
profile checks work (or donât)
ï§This will require understanding the internal data points of what your system is
checking
ï§Use factors to look for are: location, time, where transactions are occurring,
types of transactions, money amounts in transactions, provider/store, product,
signal location/type, and biometric data
ï§Input them to the system; determine if the server gets confused and gives or
uses âthe wrong/sensitiveâ data
27. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Yet More Attacks (outline)
ï§ Attack: App configuration update
ï§ Attack: Embedded phishing
ï§ Attack: Virus/malware embedded in a hijacked apps
ï§ Attack: OS and other (NOT) âtrustedâ COTS software
Ref. Whittaker and Hagerman
28. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Attack 28 Penetration Attack Test â mobile and embedded
Attack 29.1 Identity Social Engineering
Attack 30: Spoofing Attacks
Attack 30.1 Location and/or User Profile Spoof
Attack 30.2 GPS Spoof SubâAttack
Attack 31: Attacking Viruses on the Run in Factories or
PLCs
Software Test Attacks to Break Mobile and
Embedded Devices
29. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Whittakerâs And Thompsonâs Attacks
Numbe
r
Attack name Applicable to mobile-
embedded
1 Block access to libraries and/or OS internals yes
2 Manipulate the application's registry values yes
3 Force the application to use corrupt files yes
4 Manipulate and replace files that the application creates, reads from, writes to, or executes yes
5 Force the application to operate in low memory, disk-device, and network availability yes
6 Overflow input buffers yes
7 Examine all common switches and options yes
8 Explore escape characters, character sets, and commands yes
9 Try common default and test account names and passwords yes
10 Use a tool to expose unprotected APIs yes
11 Connect to all ports yes
12 Fake the source of data yes
13 Create loop conditions in any app that interprets script, code, or other user-supplied logic yes
14 Use alternate routes (in the app) to accomplish the same task yes
15 Force the system to reset values yes
17 Create files with the same name as files protected with a higher classification yes
18 Force all error messages yes
19 Use a tool to look for temporary files and screen their contents for sensitive info yes
30. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Many More Attacks Exist
Simply doing Verification checking of
requirements in testing is not enough
Some say âWait, let the bad guys find the holesâ
ï§But for many mobile-embedded systems this is not a good
idea
Progressive organization put forth a good offense
as well as defense
ï§Attack testing before the bad guys do
31. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Bottom line
Defenses should include
Device security â registration, wipe/disable programs, encryption, monitoring,
cloud
Development - requirements specification, software design, construction, and
support processes such as configuration management.
Operations/IT - governance, product controls, access limitations, physical
security, and cyber-security
Functional and non-functional security testing - Attacks in development
and after deployment in operations
32. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
POLL: Are you testing Mobile Devices/Apps now?
34. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Summary of My Favorite AttacksNamed Attack Apply Against Example Considerations
Penetration Attack Account numbers/user ids Use tools to gain access e.g., pkcrack
Passwords Check common passwords that may be vulnerable, using password hacking tools or checklists
Usage profiles The pattern of how the software or device is used to expose vulnerabilities
Location tags for embedded/mobile devices Where is the device, are tags temporary as the device moves, and what is reported to an open network
(cellular, Wi-Fi, etc.)?
Fuzz Testing Sub Attack External inputs e.g., user ids passwords Use fuzzing tool to attack the external interfaces
Spoofing Attack âHijackedâ Identity Use spoofing tools in the âsand boxâ test environments
GPS spoofing for mobile/embedded devices Requires specialized equipment and labs. But for devices dependent on GPS, this may be a âhighâ risk
factor
"Social Engineering" spoof Attack like the hackers who use many sources of information to gain an advantage
File checking attack "Hidden" files with unsecured data Look for hidden or unsecure/non-encrypted files [6]
Encryption (or lack thereof) Is there restricted data perhaps hidden in mobile and embedded file systems which may be âtemporaryâ
and/or not encrypted properly?
Good encryption patterns Where did the algorithm(s) come from and how vulnerable is it?
Breaking Software Security Use classic IT/PC/web attacks many of which are
applicable to mobile and embedded
See Whittakerâs book [4] for 20 attacks that can be applied to mobile hybrid/web apps
Virus Attack Off-the-shelf software Test for counterfeit logic such as mobile and embedded viruses, malware, etc.
Third party software Many viruses are embedded in fun apps that users download particularly on âbring your own devicesâ
Operating System Can it be trusted?
Bring your own mobile device Threat from unsecured users
Trojan horses Can the tester use email, hacked apps, or other files to get âinsideâ of the defenses
Embedded multi-tier system For example Stuxnet and its offspring
35. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
How to Increase you Security Skills
Testers looking to become cyber-security test warriors need to develop the following
skills
(not just tool expertise or product knowledge)
- The ability to apply the attacks and synthesize their own attacks
- Critical thinking, including the ability to think like the bad guys
- Exploratory attack testing (my list is only a start)
- Following the âsmellsâ of the software bugs (small hints of a bug or
vulnerability)
- Automation, modeling, and math
- Risk based testing
- General test information, processes, techniques, and documentation
36. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Test Engineering
Test needs to do the âstandardâ efforts, and needs
to play the âbad guysâ
ï§Hacking attacks
ï§Vulnerabilities
ï§Test to provide information from day one, so the team can
plug the holes based on attack information
ï§At the end of a development cycle, get really nasty
ï§Some tester are really good at that
ï§Practice Practice Practice, Learn, and the repeat
37. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Warnings To Testers
ï§Security attacks and testing must be done with the knowledge
and approval of owners of the system and software
ï§Severe legal implications exist in this area
ï§Many of these attacks must be done in a test lab (sandbox) and
not in the field
ï§In these attacks I tell you conceptually how to âdrive a car very
fast (150 miles an hour) but there are places to do this with a car
legally (a race track) and places where you will get a ticket (most
public streets)â
ï§Be forewarned - Do not go attack you favorite app on your
phone or connected server without the right permissions due to
the legal implications
38. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Summary
These attacks are just starting points
Mobile device use, features, and connections will grow
meaning that security threats and vulnerabilities will
increase
-- I see a great need for mobile security
testers
Be carefulâthere are impacts in all effort domains
ï§Systems
ï§Software
ï§Hardware
ï§Support and Operations
39. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
POLL: What is the status of your Mobile Security Testing?
41. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Thanks (ideas used from)
ï§James Whittaker (attacks)
ï§Elisabeth Hendrickson (sims)
ï§Lee Copeland (techniques)
ï§Brian Merrick (testing)
ï§James Bach (tours and thinking)
ï§Cem Kaner (test thinking)
ï§Phil Lew (support good testing and this
meeting)
ï§Many teachers
ï§Generations past and future
ï§Books, references, etc.
42. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Book List (favorites that I use)
ï§Software Test Attacks to Break Mobile and Embedded Devices, Jon D. Hagar
2013
ï§How to Break Software Security, Whittaker & Thompson
âąAnd Whittakerâs other âHow To BreakâŠâ books
ï§A Practitionerâs Guide to Software Test Design , Copeland, 2004
Honorable mentions:
ï§âEmbedded System and Software Validationâ Roychoudhury 2009
ï§âSystems Testing with an Attitudeâ 2005
ï§âSoftware System Testing and Quality Assuranceâ Beizer 1987
ï§âTesting Computer Softwareâ Kaner et. al. 1988
ï§âSystematic Software Testingâ Craig & Jaskiel, 2001
ï§âManaging the Testing Processâ Black 2002
ï§âHacking Exposedâ McClure, Scambray, Kurtz
ï§Y. Tadjdeh, âIndustry, military emphasize need for âCyberwarrrorâ training
as attacks increaseâ, National Defense Magazine, Dec. 2013
ï§J Scambray, S. McClure, G. Kurtz, âHacking Exposedâ, McGraw Hill
43. Jon Hagar Copyright 2014 How to Attack Embedded SoftwareHow to Attack Embedded Software
Resources
âąAssociation of Software Testing
Offers Free Classes on Testing
44. Q and A
Need Assistance With Mobile
(Security) QA?
services@xbosoft.com
@XBOSoft