1 / 28

Security flaws in mobile devices

Security flaws in mobile devices. Seminar on Software Engineering, Long Presentation 06.03.2008 Christian Gruber. Quick overview of mobile device security. Modern technologies integrated with each other.

benoit
Download Presentation

Security flaws in mobile devices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securityflaws in mobile devices Seminar on Software Engineering, Long Presentation 06.03.2008 Christian Gruber

  2. Quickoverview of mobile devicesecurity • Modern technologies integrated with each other. • Mobile phones are more and more intelligent and becoming like computers → security problems? • Mobile phones and other mobile devices are coming more attractive to virus writers. • This presentation is dedicated to the threats currently posed by malicious code to mobile devices which run under portable operating systems and are equipped with wireless technologies.

  3. Quickoverview of mobile devicesecurity • This overview focuses on some of the severe malwares found in the following major mobile operation systems: - Symbian OS - Windows CE .NET - Apple OS X for the Apple iPhone

  4. Symbianoperatingsystem • A smartphone is a mobile phone offering advanced capabilities beyond a typical mobile phone, often with PC-like functionality. • Symbian is the leading OS in the smart mobile device market. • It is designed for the specific requirements of advanced 3G mobile phones. Symbian OS combines the power of an integrated applications environment with mobile telephony, bringing advanced data services to the mass market. • Statistics published February 2007 showed that Symbian OS had a 67% share of the smart mobile device market, with Microsoft having 13% through Windows CE and Windows Mobile and RIM having 10%.

  5. Firstmaliciouscode for Symbian OS. • 2004 a group of professional virus writers known as 29A created the first virus for smartphones called Cabir. • Cabir is the first network worm capable of spreading via Bluetooth. • It infects mobile phones which run Symbian OS. • Creators stated it was purely proof of concept just to show malicious code could be created for Symbian OS. • Source code was published on the Internet → many modified version surfaced.

  6. howdoesCabirwork? • It is design to load at phone boot up and send itself to available devices using Bluetooth. • It sends itself as a Symbian installation file (as CARIBE.SIS) the receiving phone will recognize it as an installable package. • Before the virus can successfully infect a phone, the virus must be first accepted by the user. • When the virus is received and accepted, the phone then begins installing the installable package file → phone infected. • Later version named as Cabir.k was able to self replicate itself via MMS.

  7. Secondmalwre for Symbian OS • Soon after Cabir spreaded the “first Trojan” was found for Symbian OS. • Normally a Trojan is a piece of software which appears to perform a certain action but in fact performs something else. • The Trojan was a cracked version of a popular game called Mosquitos. • It sent SMS messages without the knowledge of the user. • It was intended that the program secretly sent a SMS message to alert developers if an unlicensed copy was being used.

  8. Mosquitos Trojan • This program is not strictly a Trojan, but, it is classified as a Trojan as it sends SMS messages to premium rated services without the knowledge of the user. • The numbers which messages were sent to were coded into the program. • Does not spread using its own means. It must be installed and run by the user. • One message cost 1,5£ ≈ 2€

  9. The SkullerTrojan • Skuller was the first real Trojan for the Symbian OS. • The Trojan appeared as a program which would offer new wallpapers and icons for Symbian OS. • Installing the program led to the standard application icons to be replaced with a skull and crossbones. • At the same time it would overwrite the original application → application ceased to work. • Once the smartphone has been infected it can only be used to make calls.

  10. The SkullerTrojancontinued • Skuller demonstarted two unpleasent things about Symbian architecture. - System files can be overwritten - Symbian lacks stability when presented with corrupted or non-standard system files. • There are no check designed to compensate these vulnerabilities.

  11. The LocknutTrojan • These vulnerabilities was quickly exploited and the second Trojan appeared the Locknut. • Locknut was spread as a “critical patch”. • The idea behind Locknut was that Symbian OS did not check file integrity. • Locknut disables a phone using a malformed file to crash internal Symbian process. → causing the phone to lock down so that no applications can be used. • The .app extension makes the OS believe that the file is executable.

  12. The LocknutTrojancontinued • The .app file contains simply just text rather than structured code. • The system will freeze when trying to launch any application. • Rebooting woun´t help as Locknut is started automatically → making it impossible to even turn on the phone. • First malware on Symbian to prevent making even a call.

  13. MostdangerousSymbianwormComwar • The second worm found for mobile devices was the Comwar. • The worm spread via Bluetooth and MMS. • The executable worm file is packed into a Symbian archive (*.SIS). • Once launched the worm will search for accessible Bluetooth devices and send the infected .SIS archive under a random name to these devices. • The name of the file varies. When spread via Bluetooth, the worm creates a random file name, which will be 8 characters long, e.g. bg82o_s1.sis.

  14. Comwarcontinued • The worm also sends itself via MMS to all contacts in the address book. The subject and text of the messages varies. • Some example subjects found: - Norton AntiVirus Released now for mobile, install it! - 3DGame 3DGame from me. It is FREE ! - Desktop manager Official Symbian desctop manager. - Happy Birthday! Happy Birthday! It is present for you! - Internet Accelerator Internet accelerator, SSL security update #7. - Security update #12 Significant security update. See www.symbian.com - Symbian security update See security news at www.symbian.com - SymbianOS update OS service pack #1 from Symbian inc.

  15. Symbian OS 6.0 and newer • Before discussed malware work in earlier Symbian OS versions 6 and 7. • Newest Symbian OS 9.x also known as S60 platform 3rd Edition has adopted a capability model. Installed software will theoretically be unable to do damaging things without being digitally signed – thus making it traceable.

  16. Firstmalware for Windows CE • Duts is the first virus for devices running under Windows CE .NET. • It is also the first file infector for smartphones. • Duts is also made by the group 29A, which made the first Symbian virus. • A proof of concept virus. • It can infect devices running the following operating systems: PocketPC 2000, PocketPC 2002, PocketPC 2003.

  17. Dutscontinued • The virus itself is an ARM processor program and is 1520 bytes in size. • When the program is run, it raises a dialog box “Dear user, Am I allowed to spread?” • If confirmation is given, the virus will infect executable files which correspond to the following criteria: ARM processor, more than 4KB in size, located in the device's root directory. • The virus writes itself to the last section of these files and establishes an entry point at the beginning of the file.

  18. Dutscontinued • The Duts virus exploited a clever workaround of the operating system architecture in order to gain access to the coredll module. • Windows CE was designed with a protected kernel. User-mode applications are not permitted to interact directly with the kernel. This was designed to enhance the security and stability of Windows CE. • Microsoft has left the function "kdatastruct" acessible to usermode. This provided the key to the entrypoint of the virus.

  19. Brador • Brador is a backdoor (a utility allowing for remote administration of the infected machine). • Designed for PocketPC based on Windows CE and newer version of Windows Mobile. • It is written in ASM for ARM-processors and is 5632 bytes in size. • After Brador is launched it creates an svchost.exe file in the /Windows/StartUp/ folder, thus gaining full control over the handheld every time it is restarted.

  20. Bradorcontinued • Brador identifies the IP address of the infected device and sends it to the remote malicious user to inform him that the handheld is connected to the Internet and that the backdoor is active. Brador then opens port 2989 and awaits further orders. • The backdoor responds to the following commands: d - lists the directory contents f - closes the session g - uploads a file m - displays MessageBox p - downloads a file r - executes the specified command

  21. Windows CE security • Windows CE is extremely vulnerable from the point of view of system security. There are no restrictions on executable applications and their processes. Once launched, a program can gain full access to any operating system function such as receiving and transmitting files, phone and multimedia functions etc. • Creating applications for Windows CE is extremely easy, as the system is totally open to programming, making it possible to use not only machine languages (e.g. ASM for ARM) but also powerful development technologies such as .NET.

  22. Apple iPhone • Within two weeks after iPhone was released I.S.E. (Independent Security Evaluators) found a way to take full control of the device. • Apple's Safari web browser exposes the vulnerability. • The exploit can be delivered via a malicious web page opened in the Safari browser on the iPhone. • When the iPhone's version of Safari opens the malicious web page, arbitrary code embedded in the exploit is run with administrative privileges. • After the Exploit is run the attacker has full control of the device.

  23. Damages • In various proof of concept it has been shown that the attacker can: - Read/send SMS, MMS and emails, - Read the address book, - Read call history, - Read voicemail data. - Read user´s mail and other passwords, - Record audio clips, - Gain access to all files. • The attacker can transmit all this information without the knowledge of the user.

  24. iPhoneDoSvulnerability • Recently a Denial of Service (DoS) vulnerability was discovered in iPhone’s web browser. • The DoS exploit can be triggered by visiting a maliciously crafted webpage. • The page will insert code into the iPhone, which continually eats up available system memory before causing a kernel panic. • It has been stated that the Exploit could be used for malicious purposes → e.g. executing remote code.

  25. What can mobile viruses do? • In short what can mobile viruses do? - Spread via Bluetooth, MMS - Send SMS messages - Infect files - Enable remote control of the smartphone - Modify or replace icons or system applications - Install “false” or non-operational fonts and applications - Combat antivirus programs - Install other malicious programs - Block memory cards - Steal data

  26. Protectionagainst mobile viruses • For a smartphone to become infected, the user has to twice confirm that an unknown file should be uploaded and launched. • At the moment there are several anti-virus solutions designed to protect mobile devices from viruses. • For worms which spread via MMS, the optimal solution is for the network operator to install an antivirus product which scans traffic that passes.

  27. Forecast? • It is difficult to forecast the evolution on mobile viruses. This area is constantly evolving. • Today’s mobile viruses are very similar to computer viruses in terms of their payload. • It took computer viruses over twenty years to evolve, and mobile viruses have covered the same ground in a few years. • Without doubt, mobile malware is the most quickly evolving type of malicious code, and clearly still has great potential for further evolution.

  28. Sources • Alexander Gostev, Mobile Malware Evolution: An Overview, Kaspersky Lab • Symbian.com: http://www.symbian.com/ • Geekzone: http://www.geekzone.co.nz/content.asp?contentid=3379 • Viruslist.com: http://www.viruslist.com • Kaspersky: http://www.kaspersky.com/ • FastCompany.com: http://www.fastcompany.com/articles/2007/11/hacking-the-iphone.html?page=0%2C1 • Security Evvaluators: http://www.securityevaluators.com/iphone/ • I.S.E: http://www.securityevaluators.com/ • iPhone World: http://www.iphoneworld.ca/ • AvertLabs: http://www.avertlabs.com/research/blog/index.php/2008/02/20/iphone-dos-vulnerability/

More Related