Sample attack scenario (cont.)
Transcript
Mobile threats
Artur Maj, Prevenity

Agenda
• Cellular phones
– Historic overview
– Mobile operating systems
• Security of smartphones
• Smartphones in banking
• Threats to banking
• Demonstration of bank account interception
• Our recommendations
© 2010 Prevenity Sp. z o.o. All rights reserved.

Historic overview
(timeline figure; years marked: 1980, 1982, 1990, 2000, 2005, 2007)

Mobile operating systems
(market share chart)
– Symbian 44.30%
– BlackBerry 19.40%
– Apple iOS 15.40%
– Android 9.60%
– Windows Mobile 6.80%
– Linux 3.70%
– Other 0.70%
Source: Gartner, Worldwide Smartphone Sales 1Q 2010

Security of smartphones
• Privilege levels
• Access control lists (ACLs)
• Antivirus and antispam software, personal firewalls – de facto standard
• Simplified privilege levels*
• Limited possibilities of access control*
• Security software rarely used

Security weaknesses of smartphones
• Technology weaknesses (GSM, Bluetooth etc.)
• Security vulnerabilities in the operating system
• Security vulnerabilities in mobile applications
(chart: Known security vulnerabilities in mobile operating systems, source: OSVDB)

Smartphones’ infection methods
• Synchronization with PC – ActiveSync, Nokia PC Suite etc.
• Web browser
• E-mail messages
• SMS, MMS, WAP Push
• 3rd parties’ applications
• Memory cards
• Wireless network – 3G, EDGE/GPRS, UMTS, Wi-Fi, Bluetooth etc.

Mobile malware
• Future or reality?

Mobile malware (cont.)
(figure)

Mobile malware (cont.)
• Development of mobile malware
(figure)

Mobile malware (cont.)
• Examples
– Trojan horses
• SymbOS/AppDisabler
• SymbOS/Cabir
• SymbOS/Skulls
– Viruses and worms
• SymbOS/Beselo
• SymbOS/Commwarrior
• SymbOS/Mabir
• iPhoneOS/Ikee
• WinCE.InfoJack
– Spyware
• SymbOS/Flexispy
• SymbOS/Mopofeli

Smartphones in banking

Smartphones in banking
• Popular uses of mobile phones in electronic banking:
– Possibility of making money transfers
– User authentication
– Banking transaction authentication
– Alarms and notifications (SMS)
– Micropayments (SMS, USSD)
• The above uses seem to be secure…

Smartphones in banking (cont.)
… but they only seem so

Smartphones in banking (cont.)
• Mobile phone infection is a very serious threat to internet banking
• In conjunction with PC infection – a real risk of losing even all the money from the victim’s bank account
• Examples of attacks:
– Redirection of short text messages (SMS)
– Remote access to the phone’s graphical interface

Smartphone in banking (cont.)
• Redirection of text messages
(diagram: Telecommunication operator, Unaware victim, Intruder)

Smartphone in banking (cont.)
• Remote access to the phone’s graphical interface
(figure)

Sample attack scenario
• Infection of PC and smartphone
Step 1: Infection of PC by malware
• Zero-day exploit
• Infected PDF document
• Vulnerable web browser
• Vulnerability in Adobe Flash
• Trojan horse in downloaded software

Sample attack scenario (cont.)
• Infection of PC and smartphone (cont.)
Step 2: Infection of smartphone while copying pictures to PC
• Automatic
– Several versions of mobile malware for different mobile operating systems
• Manual
– Intruder creates and remotely installs software for the specific mobile device

Sample attack scenario (cont.)
• Infection of PC and smartphone (cont.)
Step 3: Malware sends the victim’s credentials to the intruder
• URL of the Internet banking application
• Data intercepted by keylogger:
– User’s login
– User’s password
• Data regarding the mobile phone:
– Number and type of mobile phone

Sample attack scenario (cont.)
• Infection of PC and smartphone (cont.)
Step 4: Attacker remotely enables the SMS redirection “feature” on the victim’s phone
• From this moment all SMSes are redirected to the intruder’s phone without the victim’s awareness:
– One-time passwords
– Alarms and notifications

Sample attack scenario (cont.)
• Infection of PC and smartphone (cont.)
Step 5: Intruder performs an unauthorized banking transaction
• What does the intruder possess?
– URL of the internet banking application
– Login to the victim’s account
– Password to the victim’s account
– One-time passwords sent via SMS

Sample attack scenario (cont.)
Will the transaction be carried out?
Will anti-fraud systems detect the fraud?
Can the bank avoid the fraud?

Sample attack scenario (cont.)
• Multiple variants of the attack exist:
– Using the phone’s API directly from the PC
– Remote GUI access via wireless network (à la Remote Desktop)
– Infection of the smartphone only

Sample attack scenario (cont.)
• Multiple targets of the attack:
– Transaction confirmations
– Applications downloaded and installed in the phone’s memory
– Applications on the SIM card
– Software authentication tokens
– USSD micropayments
– SMS micropayments
– Alarms and notifications

Sample attack scenario (cont.)
• Security mechanisms that can be circumvented:
– One-time passwords from “scratch” cards
– Hardware authentication tokens
– Software authentication tokens
– Virtual keyboards
– “captcha” mechanisms
– PKI tokens

Demonstration
Interception of a bank account, using MS Windows Mobile infection as the example

Attack – easy or complicated?
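The deck asks whether anti-fraud systems would catch the transaction in step 5. As an added example (not part of the presentation or Prevenity’s material), here is a small bank-side risk-scoring function in which each rule maps to one step of the scenario above; the field names, thresholds and the operator-side “SMS forwarding changed” signal are assumptions.

```python
from dataclasses import dataclass

@dataclass
class TransferAttempt:
    """Signals a bank back end sees for one transfer request (field names assumed)."""
    pc_fingerprint_known: bool   # has this browser/PC been seen on the account before?
    new_payee: bool              # recipient is not on the customer's saved-payee list
    amount: float                # requested amount
    avg_amount_30d: float        # customer's usual transfer size over the last 30 days
    otp_channel: str             # "sms", "hw_token" or "scratch_card"
    sms_forwarding_changed: bool # assumed operator-side signal: forwarding on the
                                 # customer's number changed within the last day
    seconds_since_login: int     # how quickly the transfer followed the login

def risk_score(t: TransferAttempt) -> int:
    """Each rule mirrors one step of the sample attack scenario."""
    score = 0
    if not t.pc_fingerprint_known:
        score += 25   # steps 1-3: stolen login/password replayed from the intruder's PC
    if t.new_payee:
        score += 20   # money leaves to an account the customer never used before
    if t.amount > 3 * t.avg_amount_30d:
        score += 20   # the stated goal is draining the account, not a routine payment
    if t.otp_channel == "sms":
        score += 10   # SMS one-time passwords are exactly what step 4 redirects
        if t.sms_forwarding_changed:
            score += 30   # step 4 itself, when the operator exposes that signal
    if t.seconds_since_login < 60:
        score += 10   # transfer submitted faster than a person usually navigates
    return score

def decision(t: TransferAttempt) -> str:
    """Map the score to an action; thresholds are illustrative."""
    s = risk_score(t)
    if s >= 70:
        return "block_and_call_customer"
    if s >= 40:
        return "step_up_out_of_band"   # confirm via a channel the phone cannot redirect
    return "allow"

# Constructed samples: the session the scenario produces vs. a routine payment.
SCENARIO = TransferAttempt(False, True, 9000.0, 400.0, "sms", True, 30)
ROUTINE = TransferAttempt(True, False, 300.0, 400.0, "sms", False, 420)

if __name__ == "__main__":
    for name, t in (("scenario", SCENARIO), ("routine", ROUTINE)):
        print(name, risk_score(t), decision(t))
```

The point of the rules is that the intruder’s session differs from the customer’s in signals the redirected SMS cannot hide: an unknown PC, a new payee and an unusual amount.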
Summary
• Smartphone = computer
• The impact of a successful attack on a smartphone can be more dangerous than in the case of a PC
• Good and bad news (from a security point of view)

Summary (cont.)
• Good news:
– Older phones are not vulnerable to these kinds of attacks
– The majority of users use smartphones only for voice and text messaging
– Only some users synchronize their phones with a PC
– The diversity of mobile operating systems and versions complicates performing successful attacks
– Operating systems possess different capabilities that can be leveraged by malware

Summary (cont.)
• Bad news:
– Smartphones’ market share grows every quarter
– Growing popularity may lead to an increased number of vulnerabilities and infection methods being found
– Whether or not the user utilizes advanced features of smartphones may not matter (e.g. an intruder can leverage vulnerabilities in MMS handling)
– Using security software on mobile phones is still not popular

Our recommendations
• Consider leveraging alternative methods of electronic transaction authentication
• Treat smartphones as untrusted devices (as in the case of PCs)
• Include threats related to mobile devices in the risk assessment process
• Build users’ awareness to apply best security practices also in the case of cellular phones

Contact
[email protected]