Posts Tagges "smartphone"

Fake MS Word 2012 in the Apple App Store right now

 

A user on Hacker News pointed out that there is an app in the Apple App Store right now that claims to be MS Word 2012. Which I found literally seconds after we were just chatting about this ThreatPost post regarding a fake Android app that is actually Zeus.

I’m not sure how long the app will stay in the App Store, but I’m thinking not very long. Screen show below:

Update: And it’s gone as of 21:00 6/18/2012 EDT.

-Trevor
@packetwerks

Follow us: @stratumsecurity

ABC Action News Smartphone Security Video Posted (with an additional Android exploit demo video)

 

WFTS posted the video of the Smartphone Security piece that aired last night. You can watch the video below.

Yes, that was my wife sending me the rigged SMS message. Thanks Honey!

In all seriousness, the exploit used in the video utilized the Webkit Floating Point Datatype Remote Code Execution Vulnerability (CVE-2010-1807). I used MJ’s exploit code to compromise a stock Verizon Motorola Droid (A855) running Android Eclair (2.1). The exploit code was about 33% reliable, but I found running it against an Eclair Emulator to be far more reliable (~80%).

You can watch a full length video of the exploit demo below. I had put this together to show Michael George of WFTS how an attack might work. This was against an emulated Motorola Droid (A855) running Eclair (2.1).

If you have any questions about either of the videos, or smartphone security, please post them in the comments below. Also, make sure you read the previous posts on our blog regarding smartphone security:

WFTS ABC Action News Smartphone Security Piece

 

ABC Action NewsToday I was interviewed by Michael George of Tampa’s WFTS ABC Action News. He was interested in doing a piece on smartphone security; specifically what are the threats, how attacks occur, and what (if anything) users can do to protect themselves. Michael had a very good understanding of the current state of smartphone security: “Don’t run for the hills yet, but soon it will be just as messy as your home computer.”

I figured it was appropriate to cover my talking points on this blog post, so that others can reference the materials, and hopefully we can start a great dialogue in the comments on how to best tackle smartphone security. I will post an update with a link to the story once it airs (Anticipated 11PM on 1/7/11).

Why should people care about smartphone security?

The mobile phone is arguably the most personal technology device that we own. People have a real relationship with the phone, the data it holds and what they do with it. There are three primary reasons why people should care about smartphone security:

  1. Protecting the integrity of the device so that you continue doing what you want to do on your phone (texting, surfing, shopping, calling, etc.) without the threat of information being made public.
  2. Securing the data on the device so that if it is lost, someone else cannot retrieve all of your data, such as passwords, emails, pictures, etc.
  3. Safeguarding the device itself so that you don’t have to buy a new one if you lose it.

What are the risks associated with using a smartphone?

Generally speaking, the risks of using a smartphone are similar to those of using your home computer. Specifically, the following personal data may be compromised by poor smartphone security:

  • Personal data (phone #s, email addresses, photos, etc.)
  • Account credentials (Facebook, Twitter, Bank of America)
  • Ability to use your device

GPS location data is unique to smartphones when compared to desktops and most laptops. This data can also be at risk if your phone was to be compromised by an attacker or rogue application.

How are smartphones attacked?

Much like how the risks of using a smartphone are similar to those of using your home computer, so are the ways in which smartphones are attacked. The following are examples of how smartphones are targeted by attackers:

  1. Trojans such as Gemini, which emerged in China, sends personal data from a user’s smartphone to remote servers. It can also potentially turn your phone into a zombie controlled by the attacker. Trojans are traditionally attacked to legitimate software (sometimes unknowingly) and are equitable to computer viruses.
  2. Rogue applications are applications that are supposed to be one thing, such as a game, but also include code that performs other actions. The TapSnake android game not only entertained its users, but also tracked their GPS locations every 15 minutes and allowed other people to pay to view this information.Jail-Broken iPhone
  3. By “hacking” your own phone, you can actually make it less secure. “Jail-breaking” or “rooting” your phone can leave you exposed to hackers. For example, rooting the iPhone enables remote access via SSH and the default root password is commonly known. The iBontNet.A worm used this insecure configuration to steal online banking credentials from ING Direct account holders. Also a Dutch hacker in 2009 held “jailbroken” iPhones for ransom by charging €5 to provide instructions on how to secure the affected phones and remove the “hacked” wallpaper

What can you do to help secure your smartphone?

Following the checklist below will go a long way in helping to secure your smartphone. However, realize that no smartphone is 100% secure, and always practice caution when installing applications, visiting websites, or clicking on links.

  • Only install applications from trusted sources, like Apple’s AppStore or Google’s Android Market
  • Review the permissions that applications ask for, and when they don’t seem right, do some research online before installing
  • Lookout Mobile SecurityInstall a security suite such as Lookout Mobile (Android, BlackBerry, Win7) or Trend Micro for iPhone that looks for malicious applications and/or websites
  • Install updates for applications and firmware
  • Don’t click on links from unsolicited emails or text messages
  • Set a strong password for your phone
  • Install a remote location identification application like Lookout Mobile or MobileMe so that you can locate and/or wipe your lost phone

More Information

For more information on smartphone security, you can watch Trevor’s ShmooCon 2010 presentation entitled, The New World of SmartPhone Security.

Shmoocon 2010 Slides Online

 

I have a feeling that Shmoocon 2010 (and all snow-themed variations of the name) will go down as one of the most unique security conference experiences ever. Given that some people still have not made it home Shmoocon might be one of the longest running security conferences ever. I had a great time hanging out with friends and a great time giving my first ever conference talk “The New World of Smartphone Security – What your iPhone Disclosed About You”.

Highlights for me included Michael Weigand’s talk “Build your own Predator UAV @ 99.95% Discount” about making your own autonomous aerial camera platform. Since the UAV uses a GPS to orient itself and lat/long coordinates to fly its route, I was thinking that it would be cool to send his UAV the coordinates of an iPhone user for the ultimate aerial tracking system.

Some have been asking where the archived uStream footage of my talk is. It turns out that the AV folks had some technical issues on Saturday morning and were unable to stream or record my talk. However, MediaArchives.com did catch all but the first 10 minutes. I bought the DVD and am waiting to hear from the folks at Shmoocon if I am cleared to rip and post the video. Once we hear back on that I’ll post the link to Vimeo.

In the mean time here is the slide deck:

Stratum Security-The New World of Smartphone Security-Shmoocon 2010.pdf

Thank you to everyone that attended the talk!

-Trevor