
Disclaimer

Disclaimer. No packets were injured in the making of this talk. All research results and analysis were done from the safety of my lab with my own equipment and my own packets and, most importantly, my own permission.



Presentation Transcript


  1. Disclaimer • No packets were injured in the making of this talk. All research results and analysis were done from the safety of my lab with my own equipment and my own packets and, most importantly, my own permission. • No packets were obtained by War Walking, War Dining or Stroll Trolling on unauthorized networks without permission. • Knowledge is a tool that can help or hinder society. Please wield it responsibly. • Caution: just because we can apply a moral and ethical filter doesn’t mean everyone else will. Get informed, then make decisions!

  2. Objectives • Change smart phone perceptions • A Wi-Fi computer with phone capabilities vs. a phone with “apps”. • Utilize a no-cost, readily available framework • Discuss and use free, non-commercial tools from Google Play and the Internet. • Introduce terms and techniques that help facilitate discussion and awareness of mobile threats. • War Walking • War Dining • Wi-Fi Phaking • Stroll Trolling • Discuss and demonstrate remediation and mitigation techniques • Enterprise and personal best practices discussed.

  3. Prerequisites: “Do Root Robots”* • A smart device – Android / iPhone • A jailbroken Apple iPhone will also do the trick • Wi-Fi tablets are also an effective attack vector • Some phones may not be “root-able”…yet. • Popular rooting programs • Android 2.2 – Unrevoked • Android 2.3 – Revolutionary • Android 2.4 – Eris and more to come • iPhone – Jailbreak.me • Remember your roots! • Rooting a device means exploiting a privilege-escalation vulnerability and dropping a payload (typically an su binary plus a manager app) that lets applications request root later. *http://jon.oberheide.org/files/bsides11-dontrootrobots.pdf

  4. Risks and Rewards of Rooting • Pros • Increased functionality and control • Pen-test / packet acquisition tool • Wi-Fi tethering • Enhanced file management • Screen capture • Free or almost free • No/little cost for apps and programs • Freedom • Install other operating systems and custom ROMs • (Ex. BackTrack Linux) • Cons • Support • You may void your warranty and support • Cost • You may brick the device • Security • Any app granted su has the run of the device, bypassing the per-app sandbox that normally separates apps and their data

  5. Super User World Domination!?

  6. It’s Rooted, Now What? Data Gathering and Analysis • Packet sniffer – mobile device • Used to record packets on a network into a capture file • Wi-Fi hotspot – mobile device • Mobile Internet-capable gateway • Data aggregation tool – home analysis • Used to find information in a capture file

  7. Smart Phone Facts • Time reported in early 2012 that 46% of Americans own a smart phone. • Most modern data plans have data limits, which pushes users toward free Wi-Fi. • Open networks are widely available in public places. • Smart phones send packets like computers, so everything a laptop leaks on an open network a phone can leak too.

  8. Obtaining a Network Sniffer from Google Play

  9. Packet Capturing – Making Pcap Files • Shark for Root • Free from Google Play (formerly Android Market) • Used to passively sniff packets with a smart device; it wraps tcpdump and writes standard .pcap files. • Gives network and security professionals the ability to analyze data to and from a target device. • Gives criminals the ability to gather and exploit sensitive data of the uninformed for profit. • Pirni for iPhone • Free on the Internet – see references for link

  10. Wireless in a Sea of Sharks!

  11. 1 – 2 – 3 Hack Me! Step 1) Turn on the Wi-Fi Functionality.

  12. Step 2: Join Public Network Step 2) Tell your phone to inform you of open connections.

  13. Step 2: Join Public Network

  14. Step 3: Start Shark for Root

  15. War Walking Difficult To Detect • No backpacks or antennas • No sitting in a parked car for hours • No aircraft circling • No hot air balloon hovering • Passive sniffing sends nothing on the network, so there are no anomalies for an IDS to see (the ARP spoofing shown later is active and can be detected)

  16. War Walking The act of lingering or loitering in a geographical area for the purpose of gathering packets, without prior authorization, over a public wireless network using a smart phone or tablet.

  17. War Walking • Scenarios • Walking a dog or playing with a kid at a park • Hanging out at a mall • Reading on a park bench • Watching a movie – War Watching • Eating a meal – War Dining

  18. War Dining • The unauthorized act of gathering packets over a public wireless network with a smart phone or tablet while congregating in a Wi-Fi enabled establishment with the intent to eat or drink.

  19. What if the Access Point Does Not Leak Data? • On a shared open network the phone only sees other clients’ packets if its Wi-Fi chipset can capture promiscuously and the access point does not isolate clients from one another. When it cannot, in walks Arpspoof! *https://github.com/robquad/Arpspoof/Arpspoof.apk/qr_code

  20. Arpspoof • Arpspoof is freely available on the Internet but was pulled from Google Play earlier this year. • It creates a MITM session by, wait for it, spoofing ARP: it sends forged ARP replies so the victim maps the gateway’s IP address to the phone’s MAC address (and the gateway maps the victim’s IP to the phone’s MAC). • The victim’s packets therefore arrive at the phone first, where Shark for Root captures them, and are then forwarded to the real public Wi-Fi access point (the phone has to forward them, or the victim simply loses connectivity). • This makes traffic readable that the access point would otherwise never deliver to the phone. Unlike passive sniffing it is active and leaves a trace: the gateway’s IP suddenly answers from a new MAC address.
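The mechanics described above, as an added example that is not part of the original talk or of the Arpspoof app: a Python script that builds the two forged ARP replies an ARP-spoofing MITM re-sends, and an arpwatch-style check that flags an IP address whose MAC changes, which is the trace the previous slide’s “no IDS detection” claim does not cover. All MAC and IP addresses are constructed for the example; the script only builds and inspects frames and sends nothing on the wire.

```python
import struct

ETH_P_ARP = 0x0806  # EtherType for ARP


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply (opcode 2) that claims
    'sender_ip is at sender_mac', addressed to target_mac / target_ip."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def spoof_pair(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The two unsolicited replies an ARP-spoofing tool repeats every few
    seconds: the victim is told the gateway lives at the attacker's MAC, and
    the gateway is told the victim lives at the attacker's MAC. Both
    directions then pass through the attacker, who must forward them (IP
    forwarding on) or the victim simply loses connectivity."""
    return [
        arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),
        arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip),
    ]


def parse_arp(frame: bytes):
    """Decode an Ethernet/ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpWatcher:
    """arpwatch-style detector: remember the MAC each IP last claimed in an
    ARP reply and alert when the same IP is announced from a different MAC.
    Passive sniffing leaves no such trace; ARP spoofing does."""

    def __init__(self):
        self.bindings = {}   # ip -> mac last seen claiming it
        self.alerts = []     # (ip, old_mac, new_mac)

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != 2:
            return arp
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.alerts.append((ip, old, mac))
        self.bindings[ip] = mac
        return arp


# Constructed addresses for a hypothetical lab network.
GATEWAY_MAC, GATEWAY_IP = "02:00:00:00:00:fe", "10.0.0.1"
VICTIM_MAC, VICTIM_IP = "02:00:00:00:00:01", "10.0.0.5"
ATTACKER_MAC = "02:00:00:00:00:aa"


def demo():
    """Feed the watcher two genuine replies, then the spoofed pair."""
    watcher = ArpWatcher()
    watcher.observe(arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    watcher.observe(arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    for frame in spoof_pair(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP):
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for ip, old, new in demo():
        print(f"ALERT: {ip} moved from {old} to {new}")
```

Running the script prints two alerts, one for the gateway’s IP and one for the victim’s, because each now answers from the attacker’s MAC. The same bookkeeping on a real network (arpwatch on a Linux box, or the switch’s dynamic ARP inspection) is what turns this “undetectable” attack into a log line.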

  21. Just for Fun. Want to take a Peek with Piik?

  22. PIIK • Piik can be purchased from Google Play for $1.99 • Extracts images from the captured traffic and displays them on your smart phone • Easy way to confirm data is being captured after Arpspoof is initialized.

  23. Data Analysis After Capture • Packet captures (.pcap’s) need analysis • NetWitness® Investigator 9.6, an interactive threat analysis tool • Free for non-commercial use • Indexes a capture by session and protocol and pulls out sensitive fields (credentials, e-mail addresses and the like) with little effort

  24. Using Netwitness 9.6 or Higher for Analysis • Download and install NetWitness on a Windows machine • Start, register, and activate the free software • Import the .pcap copied off the phone

  25–31. Using Netwitness 9.6 or Higher for Analysis (slides 25–31 carry only this title in the transcript; they walk through the NetWitness workflow)

  32. Look at all this cleartext!

  33. Lots of Sensitive Data!

  34. Passwords are not the only sensitive data at risk!

  35. Lessons Learned • E-mail app – leaked Active Directory credentials in clear text. • Pcap analysis found that mail sync was allowed over both HTTP and HTTPS. • Domain credentials were being sent in clear text many times a minute! • The misconfiguration was identified and corrected because of this analysis. • Many apps log in over HTTP without the user’s knowledge • Angry Birds Seasons was seen phoning home
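The kind of check the analysis above performed, as an added example rather than the talk’s own NetWitness workflow: a dependency-free Python parser that walks a classic pcap (the format Shark for Root and tcpdump write), reassembles nothing, and reports cleartext credentials it finds in TCP payloads, both HTTP Basic headers and login-form POST bodies, while skipping port 443 where the payload is opaque without session keys. The capture is constructed in the script (hypothetical hosts, user names and passwords); that the leaking mail sync used HTTP Basic authentication is an assumption made for the sample, not something the slide states.

```python
import base64
import struct
from urllib.parse import parse_qs

USER_KEYS = {"user", "username", "login", "email", "uid"}
PASS_KEYS = {"pass", "password", "passwd", "pwd"}

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_frame(payload, src_ip, dst_ip, dport):
    """Ethernet/IPv4/TCP frame around payload (checksums left zero; not verified below)."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"   # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Classic little-endian pcap, linktype 1 (Ethernet), as tcpdump writes it."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1325376000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_packets(pcap):
    """Yield every captured frame from a classic pcap (either byte order)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    offset = 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])[2]
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len

def tcp_payload(frame):
    """(src_ip, dst_ip, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length, options included
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    dport = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
    data_off = (frame[tcp + 12] >> 4) * 4        # TCP header length, options included
    return src, dst, dport, frame[tcp + data_off:]

def extract_credentials(payload):
    """(kind, user, password) for HTTP Basic headers and login-form POST bodies."""
    found = []
    head, _, body = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            try:
                decoded = base64.b64decode(line.split(None, 2)[2], validate=True)
            except (ValueError, IndexError):
                continue
            user, _, password = decoded.decode("latin-1").partition(":")
            found.append(("http-basic", user, password))
    if head.startswith(b"POST ") and body:
        form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        user = next((v[0] for k, v in form.items() if k.lower() in USER_KEYS), None)
        password = next((v[0] for k, v in form.items() if k.lower() in PASS_KEYS), None)
        if user is not None and password is not None:
            found.append(("http-form", user, password))
    return found

def find_cleartext_credentials(pcap):
    results = []
    for frame in iter_packets(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        if dport == 443:          # TLS: nothing readable without the session keys
            continue
        for kind, user, password in extract_credentials(payload):
            results.append({"src": src, "dst": dst, "dport": dport,
                            "kind": kind, "user": user, "password": password})
    return results

# Constructed sample traffic (hypothetical hosts and credentials).
SYNC_REQUEST = (b"GET /Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1\r\nHost: mail.example.com\r\n"
                b"Authorization: Basic " + base64.b64encode(b"CORP\\jdoe:Winter2012!") + b"\r\n\r\n")
LOGIN_POST = (b"POST /login HTTP/1.1\r\nHost: app.example.com\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
              b"username=alice&password=s3cret")
TLS_HELLO = b"\x16\x03\x01\x00\x05hello"   # opaque bytes on 443; must yield nothing

def demo():
    """Run the finder over a three-packet capture: one leak, one leak, one TLS."""
    pcap = build_pcap([build_frame(SYNC_REQUEST, "10.0.0.5", "203.0.113.10", 80),
                       build_frame(LOGIN_POST, "10.0.0.5", "203.0.113.20", 8080),
                       build_frame(TLS_HELLO, "10.0.0.5", "203.0.113.30", 443)])
    return find_cleartext_credentials(pcap)

if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} [{hit['kind']}] {hit['user']} / {hit['password']}")
```

Pointing `iter_packets` at a file from Shark for Root instead of the constructed capture is a one-line change (`find_cleartext_credentials(open(path, "rb").read())`); the mail-sync finding in the talk would show up as a string of identical `http-basic` hits to the same host, one per sync, which is exactly the “many times a minute” pattern the slide describes.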

  36. No Access Point…No Problem? A Recipe for Trouble 1 Part – Bad Guy/Girl with Rooted/Jailbroke Phone 1 Part – Wi-Fi Tethering App 1 Part – Social Engineering _________________________________ = “Wi-Fi Phaking”

  37. Introducing “Wi-Fi Phaking” The act of configuring a smart phone as a Wi-Fi hotspot using a socially engineered naming convention like “Free Internet” with the sole purpose of luring devices and individuals to join the network with the intent of capturing and exploiting personal/confidential data.

  38. Introducing “Stroll Trolling” The act of lingering or loitering in a specific geographical location, usually a densely populated one, with a “Phaked” Wi-Fi connection active, with the intent of enticing unsuspecting individuals and devices into joining that network and capturing and exploiting the clear text data leaked from the device.

  39. Examples of Stroll Trolling • Name Mobile Wi-Fi Hotspot “Lions Free Wi-Fi” at the Detroit game. • Name Mobile Wi-Fi Hotspot “Free Internet” at the Mall or crowded area. • Name Mobile Wi-Fi Hotspot “GM Free Internet” when in the Renaissance Center.

  40. Smart Phone Risk Assessment

  41. Mitigation And Remediation So now that we know what can be done, how do we fix it? Three categories of corrective action: (Good) Personal - Free (Better) Personal - Low Cost (Best) Enterprise Level – Higher Cost

  42. (Good) Personal - Free 1) Policy/behavioral change: turn off Wi-Fi in public areas when it is not needed. This stops your device from auto-connecting to open hotspots it remembers, including a rogue hotspot that reuses one of those names.

  43. (Good) Personal - Free 2) Use HTTPS instead of HTTP whenever possible if you are going to use an open Wi-Fi. This is not a complete solution, because data is still leaked: DNS queries and many apps’ traffic are still clear text, and the host names you talk to remain visible.

  44. (Good) Personal - Free 3) Paradigm shift: treat an open connection as a public terminal. Do not perform sensitive searches or private, confidential tasks like banking while joined to an open Wi-Fi connection unless absolutely necessary. Assume all actions are being watched and monitored.

  45. (Good) Personal - Free 4) Use your own mobile Wi-Fi hotspot, with WPA2 and a passphrase longer than 10 characters, for your tablet or laptop to join instead of joining an available public hotspot when in public.** A sniffer without the passphrase sees only encrypted frames. **This may quickly exhaust your data plan.

  46. (Better) Personal - Low Cost • Use an inexpensive VPN service on your mobile devices, which encrypts your traffic across the public Wi-Fi hotspot. • VPN services cost as little as $3 a month. Ex. IBVPN – around $37 a year. • Cheaper than purchasing extra data from your mobile provider. • Once the tunnel is up, everything between the device and the VPN server is encrypted, including DNS and app data; anything sent before it comes up (a captive-portal login, the first DNS lookups) is still exposed.

  47. (Better) Personal - Low Cost • Easy to configure the Encrypted Tunnel • Renders War Walking, War Dining, and Stroll Trolling ineffective once VPN is active. • Free VPN management applications available in the App Store and Google Play. (Ex. 5VPN) • Same account can be shared by any of your mobile devices including laptops, tablets, and phones.

  48. (Best) Enterprise Level - Higher Cost • Some Mobile Device Attack Vectors • BYOD • Malware - Infections • MITM - War Walking, War Dining • Remote Access to Resources • MITM - War Walking, War Dining, Stroll Trolling • Theft/Forgery – Stolen/Lost phone

  49. (Best) Enterprise Level - Higher Cost • Categorization and management of smart devices • Smart phones are mini computers with phone capabilities. • They should be placed firmly in the remote access domain and treated like work-issued laptops and tablets. • This means TLS, certificates and the corporate VPN solution should be required for all interactions with corporate resources, so that a mail client can never fall back to clear text the way the one in the capture did.
