Tam Hanna, CEO of Tamoggemon Ltd., covers mobile security at the DeepSec 2011 conference, focusing on phone theft and mobile OS vulnerabilities.
Well, today we are going to speak on attack vectors against mobile devices. Well, who am I? This is how I looked before I got into mobile security (see photo). You see, I used to be a handsome man; now I look like a shaved monkey. I’m running a mobile computing consultancy, and we run websites, we do applications – basically, you name it and we do it.
You might now wonder why you need mobile security. Which of you needs mobile security to keep his own phone safe? The reason is this thing here – today, smartphones are given not only to technical employees; everybody gets them: administrators, secretaries, programmers.
And for many less technical people, the user perception is that the phone is safe. There are two reasons for this. First of all, there have been no large outbreaks so far. And secondly, the phone is always in the pocket. And what’s in my pocket – it must be safe.
This issue is complicated because you cannot run antivirus software on a phone. Why can’t you run antivirus software on a phone? Because of the battery. So it is not possible to protect a phone using antivirus software. And the next problem is that users are stupid. There was a Symbian virus, it was called Cabir. It displayed a total of three warnings – not one, not two, but three warnings. But users clicked: ‘Next’, ‘Next’, ‘Next’… And there is a nice little sentence: ‘Users choose dancing pigs over security.’
As we already said, smartphones are soft targets because the programmers don’t know anything about mobile security. There was a guy here this morning who was speaking about Windows Phone 7. If you look at what OEMs have been doing, it is just crazy. We have got the open operating systems, more and more smartphones, and finally smartphones become more attractive as attack targets, for multiple reasons.
First of all, a smartphone today has a very fast processor. So it means you can really do some brute-force; you can do quite a bit of junk with those smartphone CPUs. Secondly, smartphones connect seamlessly to the PC. And finally, not only can they call premium-rate numbers, but they can now deduct money right from my credit card. How can they do it? For example, in-app purchases.
Now, you might say: “I bought the phone from a carrier, so the carrier should keep it safe”. And to some extent, I also agree that it’s logical thinking. But the problem is this: the carriers cannot protect everything, because today a smartphone not only has GSM or CDMA, but it also has Bluetooth and wireless. And Bluetooth doesn’t go over the carrier. And the moment a carrier interferes with the Wi-Fi transmitter of the smartphone, people like me from the tech press start to wail: “This is an evil carrier!” So this essentially means the carriers cannot protect the smartphones.

Before we get into any of the more advanced technical attack schemes, what is the most common way phones disappear? Here is a picture (see image); these people are the Thuggee clan of India. When the British still ruled India, they essentially did what I am doing to you right now, but they didn’t give you things – they took things away. And in British English, still today a thug is somebody you don’t want to meet for a drink.
And cell phones are stolen by two groups of people: one is the teenage thugs, basically people like me but five years younger. They steal them for personal usage and for resale. It’s a rampant issue in Western Europe. If you read the papers, in Austria there was a huge scandal of this kind.
And now I am going to show you why carriers love theft. This guy here owns a beautiful Samsung smartphone. If I steal it from him, what does he do? He buys another one. And the carrier obviously charges outrageous prices for the phones.
And the manufacturers also love theft, because let’s assume that a fourteen-year-old teenager who can’t afford an iPhone steals an iPhone. Then later he buys another iPhone, and the victim also buys a new iPhone, and now there are three iPhones on the market, so the market share of Apple rises. And so, why should Apple be unhappy with thefts? It’s true.
There is one way to stop these kinds of cell phone thefts, and this way is IMEI¹ blacklisting. It works extraordinarily well, for example in the UK. But the problem is this – the governments don’t want to enforce it, because if you as a government admit that you have got a problem with petty theft, who would vote for a government which can’t control crime? Which of you would? Nobody; all of you are smart and honest.
And then of course, there are also the targeted attacks. If a person wants someone’s phone, he steals his phone, takes out the memory card; the data is usually unencrypted. And with that, it’s time for the first of the three platforms we look at.

Symbian was the first operating system to introduce some kind of security. It introduced the so-called Symbian Signed code signing scheme. This meant that binaries had to be signed. And if the binary wasn’t signed, then the binary wasn’t allowed to do sensitive stuff, like for example call a premium-rate number. And the Symbian Signed system was broken down at the process level.
Why at the process level? The person who has a phone in his hand usually is the legal owner. Hopefully none of you shares a phone with somebody else nowadays. And so the point with this is that processes were divided into tiers (see image), and every tier required different types of signing and had different types of privileges. As I have already said, the capability is the token which must be presented to gain access to a privileged service. You might now be wondering why I am going over Symbian in such detail if the operating system is almost dead. I am going over it not out of boredom but because you will meet these terms and concepts in every other mobile platform.
In regards to capabilities, there are three types of capabilities: TCB² capabilities, then there are system capabilities, and then there are user capabilities, which are essentially granted like they are granted to a J2ME³ application.

Another thing is data caging: Symbian protects some folders from access by other applications (see image). So it’s basically like a sandbox which we have today. But the difference between the sandbox we have today and the Symbian sandbox is that today you are allowed to access one folder. In the past, you were allowed to access all folders except for one.
And now, there is a problem. People like me develop applications. And if I have to send every application I have compiled to the signing house, have to pay 200 EUR and have to wait for a week – my productivity would be very, very low. Due to this, a developer certificate was introduced. A developer certificate allows me to say: “My company – Tamoggemon Ltd. – has these thousand phones. For these thousand phones, I – Tamoggemon Ltd. – act as a trusted provider”.
These developer certificates are easy to obtain. What I need is a capital company, like a UK Limited. It costs only about 200 USD to open a UK Limited. These Limiteds are very easy to get. And with this site cer.opda.cn I can get these developer certificates. I open the Limited – the ‘Vakadukubananarama’ Phone Certification and Levitation Company. It is based at Banana Street 64 in Timbuktu. Companies House doesn’t care – they get the taxes. The cert department doesn’t care – they get the money. And I have a developer certificate.

And this is the process used for a very dangerous trojan called SpitMo (see image). I am not going to explain in every detail how SpitMo works. SpitMo is a relatively simple trojan. The point is this: I am an attacker, I trick you people into visiting a bank website. On this website, I ask you to give me the IMEI number to send a security update to your phone. I collect these IMEIs. When I’ve got a thousand IMEIs, I request a developer certificate; it costs a few cents, so I waste a few cents. Then I send the signed files back to you, you install them, and then, once the trojan is in and an SMS comes in, I can read the SMS and send it to the server. These attacks are used to attack banks.
And of course I’ve got some improvement ideas. The improvement idea is – why not in the future create a small unsigned application; make the unsigned application collect the IMEI; send the IMEI automatically to the server and automatically deploy the update? It would save you a bit of effort and make it even simpler.
1 – IMEI (International Mobile Equipment Identity) is a unique number to identify GSM, WCDMA, and iDEN mobile phones, as well as some satellite phones.
2 – TCB (trusted computing base) is the set of all hardware, firmware, and/or software components that are critical to system security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system.
3 – J2ME (Java 2 Micro Edition) is a consumer wireless device platform allowing developers to use Java and the J2ME wireless toolkit to create applications and programs for wireless and mobile devices.
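Editorial note: the IMEI blacklisting the speaker mentions (and the IMEI collection step in the SpitMo scheme) both depend on an IMEI being well-formed before anything is done with it. The example below is added by the editor and is not code from the talk, from Tamoggemon Ltd. or from any carrier blacklist service. It shows the check a practitioner would run on an IMEI before looking it up in a blacklist: normalize the input, verify the Luhn check digit (the 15th digit of an IMEI is a Luhn check digit over the first 14), split out the Type Allocation Code (first 8 digits, identifying the model), and then consult the blacklist. The sample IMEIs and the blacklist set are constructed for illustration; the function names are the editor's own.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class ImeiInfo:
    imei: str       # normalized 15-digit string
    tac: str        # Type Allocation Code: first 8 digits, identifies the handset model
    serial: str     # per-model serial number: digits 9-14
    check_ok: bool  # True if the 15th digit is the correct Luhn check digit


def luhn_check_digit(payload: str) -> int:
    """Compute the Luhn check digit for a string of decimal digits.

    Walking from the rightmost payload digit, every digit in an even
    position (0, 2, 4, ...) is doubled, and doubled values above 9 have
    9 subtracted. The check digit brings the total to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def normalize_imei(raw: str) -> Optional[str]:
    """Strip the usual separators (spaces, dashes) and require exactly 15 digits."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    # Reject anything that contained characters other than digits and separators
    if any(ch not in "0123456789 -" for ch in raw):
        return None
    return digits if len(digits) == 15 else None


def parse_imei(raw: str) -> Optional[ImeiInfo]:
    """Return structured IMEI information, or None if the input is malformed."""
    imei = normalize_imei(raw)
    if imei is None:
        return None
    return ImeiInfo(
        imei=imei,
        tac=imei[:8],
        serial=imei[8:14],
        check_ok=luhn_check_digit(imei[:14]) == int(imei[14]),
    )


def classify(raw: str, blacklist: Set[str]) -> str:
    """Classify a submitted IMEI against a blacklist of normalized IMEIs.

    Returns one of: "malformed", "bad-check-digit", "blacklisted", "ok".
    A bad check digit is reported before the blacklist lookup, because a
    mistyped (or deliberately mangled) IMEI should never silently pass as
    "not listed".
    """
    info = parse_imei(raw)
    if info is None:
        return "malformed"
    if not info.check_ok:
        return "bad-check-digit"
    if info.imei in blacklist:
        return "blacklisted"
    return "ok"


if __name__ == "__main__":
    # Constructed sample data: a blacklist with one stolen handset.
    stolen = {"490154203237518"}
    for sample in ("49-015420-323751-8", "35-123456-789012-4",
                   "351234567890125", "12345"):
        print(f"{sample:>20}: {classify(sample, stolen)}")
```

The check digit catches single-digit typos and most transpositions, so a blacklist service that accepts operator-typed IMEIs gets a cheap first filter; it does not, of course, prove the IMEI is genuine or that it matches the handset in front of you, since an IMEI is just a number the phone reports.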