The Four Horsemen of Mobile Security


Page 1: The Four Horsemen of Mobile Security

Yair Amit, Co-Founder and CTO, Skycure

Adi Sharabani, Co-Founder and CEO, Skycure

Page 2: The Four Horsemen of Mobile Security

© 2015 RSA Conference. All rights reserved.

The Four Horsemen of Mobile Security

• Introductions
• The Mobile Threat Landscape
• Example Attacks
• Hacking Demo

Page 3: The Four Horsemen of Mobile Security

Introductions

Adi Sharabani, CEO, Co-Founder, Skycure

Yair Amit, CTO, Co-Founder, Skycure

Slide badges (as extracted): IDF 8200, 30 Patents, IDF 8200

Page 4: The Four Horsemen of Mobile Security

Slide graphic (figures as extracted): 1.5B / 400M / 10-100X / 3.1M

Categories shown: Smartphones / Tablets / Networks / Apps

Page 5: The Four Horsemen of Mobile Security

Old Endpoint vs. New Endpoint

Controls listed for the old endpoint: IPS, IDS, Firewall, DLP, Data Encryption, Wireless Security, Application Control, AV. The new (mobile) endpoint is marked with a "?".

Page 6: The Four Horsemen of Mobile Security

Modern Mobile Attacks

Page 7: The Four Horsemen of Mobile Security

Physical Security

• Loss
• Theft
• Unauthorized Access

Page 8: The Four Horsemen of Mobile Security

Network Security

• Wi-Fi / Cellular
• Off-the-shelf hacking gear
• 24x7 Exposure

Page 9: The Four Horsemen of Mobile Security

Network Security

Chart: Affected Devices Over Time (% affected devices at 0, 1, 2, 3 and 4 months; one series for 2014 and one for 2015)

Data points as extracted: 0%, 23%, 30%, 35%, 41% and 0%, 25%, 30%, 38%, 43%

Source: Skycure Threat Intelligence

Page 10: The Four Horsemen of Mobile Security

Malware Security

• External Android Stores
• Repackaged Apps
• New infection vectors

Page 11: The Four Horsemen of Mobile Security

Vulnerabilities

• OS & App Level
• Patching Challenges
• Never Ending Story

Page 12: The Four Horsemen of Mobile Security

Known iOS Vulnerabilities (by Year)

Chart: Number of CVEs per year, 2007 through 2015 (y-axis 0 to 180), with a trajectory line.

Source: Skycure analysis based on CVEdetails.com

Page 13: The Four Horsemen of Mobile Security

1. Physical Attacks

Page 14: The Four Horsemen of Mobile Security

The Physical Layer

• Threat vector: Lost / Stolen / Temp Access
• Basic physical security needs:
  • Remote wipe
  • Locate device
  • Backup
  • Local storage
  • Passcode protection
• OS responsibility / MDM solutions

Page 15: The Four Horsemen of Mobile Security

2. Network Attacks

Implementation vs. Design Issues

Page 16: The Four Horsemen of Mobile Security

Implementation Issues

• Coding pitfalls
• Ubiquitous
• Usually easy to fix once identified

Page 17: The Four Horsemen of Mobile Security

Example 1: GoToFail

Page 18: The Four Horsemen of Mobile Security

Example 1: GoToFail

    static OSStatus
    SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                     uint8_t *signature, UInt16 signatureLen)
    {
        …
        if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
            goto fail;
        if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
            goto fail;
        if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
            goto fail;
            goto fail;
        if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
            goto fail;

        err = sslRawVerify(ctx,
                           ctx->peerPubKey,
                           dataToSign,        /* plaintext */
                           dataToSignLen,     /* plaintext length */
                           signature,
                           signatureLen);
        …
    fail:
        SSLFreeBuffer(&signedHashes);
        SSLFreeBuffer(&hashCtx);
        return err;
    }

Slide annotations:

• The duplicated "goto fail;" is unconditional: it always jumps to "fail", even if err == 0
• The code after it is skipped (even though err == 0)
• The function returns 0 (i.e. verified), even though sslRawVerify was not called

Source: Apple's published source code
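As an added illustration (not code from the slides or from Apple's source), the following C stand-in reproduces the control-flow defect with a stub verifier beside a form that cannot skip verification; raw_verify, hash_update, the OSStatus typedef and the error value are constructed for this demo.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for Apple's OSStatus: 0 means success. */
typedef int32_t OSStatus;
enum { kDemoVerifyFailed = -1 };  /* error value is an assumption for this demo */

/* Hypothetical stub for sslRawVerify: accepts one expected signature
 * and counts how often it was actually invoked. */
static int g_raw_verify_calls;
static OSStatus raw_verify(const uint8_t *sig, size_t len)
{
    static const uint8_t expected[] = { 0xAA, 0xBB, 0xCC, 0xDD };
    g_raw_verify_calls++;
    if (len != sizeof expected || memcmp(sig, expected, len) != 0)
        return kDemoVerifyFailed;
    return 0;
}

/* Stub standing in for the SSLHashSHA1.update steps: always succeeds. */
static OSStatus hash_update(void) { return 0; }

/* Same control flow as the vulnerable function: the duplicated "goto fail;"
 * is unconditional, so it reaches cleanup with err still 0 and raw_verify
 * never runs; 0 (= verified) is returned for any signature. */
OSStatus verify_buggy(const uint8_t *sig, size_t len)
{
    OSStatus err;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;                    /* indentation lies: not part of the if */
    if ((err = raw_verify(sig, len)) != 0)
        goto fail;
fail:
    return err;
}

/* Hardened form: braces on every check so a stray statement cannot become
 * unconditional, and err is set by raw_verify on every success path. */
OSStatus verify_fixed(const uint8_t *sig, size_t len)
{
    OSStatus err;
    if ((err = hash_update()) != 0) {
        goto fail;
    }
    err = raw_verify(sig, len);      /* the verifier's result is the verdict */
fail:
    return err;
}
int raw_verify_call_count(void) { return g_raw_verify_calls; }
```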

Page 19: The Four Horsemen of Mobile Security

Example 2: Heartbleed


Page 21: The Four Horsemen of Mobile Security

Example 3: "No iOS Zone"

Slide sequence (as extracted): iOS crashes; device restarts; "No iOS Zone" exploited again; iPhone crashes again; and again, and again, and again.

Page 22: The Four Horsemen of Mobile Security

Design-Based Vulnerabilities

• Logical issue. Harder to fix. Usually persist longer
• Two types:
  • General "protocol" vulnerabilities
  • Design issues affecting mobile OS
• Mobile - more susceptible:
  • Classical security solutions are inadequate
  • Excessive use of untrusted networks

Page 23: The Four Horsemen of Mobile Security

Example 1: SSLstrip

1. Server returns a redirection to HTTPS
2. Attacker removes redirections and links to HTTPS
3. Victim continues to interact via HTTP instead of HTTPS

Page 24: The Four Horsemen of Mobile Security

Example 2: SSL Decryption

92% of users click on "Continue", compromising their Exchange identity (username and password).

Pie chart: Continue 92%, Cancel 8%

Page 25: The Four Horsemen of Mobile Security

Example 3: WiFiGate

Page 26: The Four Horsemen of Mobile Security

Realtime Threat Intelligence

100K+ global threats identified in 2014

https://maps.skycure.com

Page 27: The Four Horsemen of Mobile Security

3. Malware Attacks

Page 28: The Four Horsemen of Mobile Security

Evolution of Android Malware

Timeline, 2011 to 2015:

• Google Play is riddled with malware
• Google introduces technologies such as "Bouncer" and "Verify Apps"
• 3rd party stores are riddled with malware

Page 29: The Four Horsemen of Mobile Security

Malware Scanners Effectiveness

More information at RSA ASIAPAC (July 23rd, 2015)

Page 30: The Four Horsemen of Mobile Security

Malware is Not Just an Android Problem

Page 31: The Four Horsemen of Mobile Security

Malicious Profiles

Page 32: The Four Horsemen of Mobile Security

iOS sandbox approach

Source: Apple's App Sandbox Design Guide

iOS Security Model

App Characteristics        Profile Characteristics
• One Store                • No Store
• Heavy Screening          • No Screening
• App Sandboxing           • No Sandboxing

Page 33: The Four Horsemen of Mobile Security

Participation Instructions

1. Open your Safari
2. Tap the blue button
3. Click on 'Install'
4. Click on 'Install Now'
5. Click on 'Done'

Start demo by opening Safari and browsing to:

attack.skycure.net

Page 34: The Four Horsemen of Mobile Security

Removing The Infection

1. Go to Settings
2. Click on General
3. Click on Profiles
4. Click on "Movies for Free"
5. Click on Remove

Try again with Skycure installed on your device.

Page 35: The Four Horsemen of Mobile Security

4. Vulnerabilities

Page 36: The Four Horsemen of Mobile Security

Example 1: Plain HTTP

Page 37: The Four Horsemen of Mobile Security

Example 2: SwiftKey Vulnerability

• 600 million Android (Samsung) devices vulnerable

Attack chain shown on the slide: Pre-installed Keyboard → Unencrypted Updates → MITM → System Access

Page 38: The Four Horsemen of Mobile Security

Example 3: HTTP Request Hijacking

Page 39: The Four Horsemen of Mobile Security

    - (void)fetchArticles {
        NSURL *serverUrl =
            [NSURL URLWithString:@"http://journal.skycure.com"];
        NSMutableURLRequest *request =
            [NSMutableURLRequest requestWithURL:serverUrl];
        [request setValue:@"application/json"
           forHTTPHeaderField:@"Content-Type"];
        self.connection =
            [[NSURLConnection alloc] initWithRequest:request delegate:self];
    }

Server the app was written to talk to:

    @"http://journal.skycure.com"

Server the app effectively talks to once hijacked:

    @"http://attacker.site/skycureJournal"

HTTP Request Hijacking

Page 40: The Four Horsemen of Mobile Security

HTTP Request Hijacking flow:

1. Victim opens the app in an untrusted environment
2. Attacker returns a 301 directive specifying a permanent change in URI
3. Victim interacts with the malicious server (the malicious server can return actual results from the target server)
4. A while later, victim opens the app
5. App logic has changed! App continues to connect to the malicious server!
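As an added, constructed example (not from the slides or the Skycure app), the following C check expresses the redirect policy an app can apply before honouring a 301 in the flow above: stay on the expected host and stay on https. The helper names and URL values are assumptions; an iOS app would apply the same rule in its NSURLConnection redirect delegate (connection:willSendRequest:redirectResponse:).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality for ASCII scheme and host names. */
static bool ieq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Constructed helper: split "scheme://host[:port][/path]" into scheme
 * and host; returns false for anything it cannot parse. */
static bool split_url(const char *url, char *scheme, size_t slen,
                      char *host, size_t hlen)
{
    const char *sep = strstr(url, "://");
    if (sep == NULL || sep == url || (size_t)(sep - url) >= slen)
        return false;
    memcpy(scheme, url, (size_t)(sep - url));
    scheme[sep - url] = '\0';
    const char *h = sep + 3;
    size_t n = strcspn(h, ":/?#");       /* host ends at port, path or query */
    if (n == 0 || n >= hlen)
        return false;
    memcpy(host, h, n);
    host[n] = '\0';
    return true;
}

/* Redirect policy (a demo assumption, not the app's code): a 301 is only
 * honoured when its Location keeps the host the app was built for and
 * uses https, so neither the attacker.site rewrite shown above nor a
 * downgrade to plain http can be cached as the new origin. */
bool redirect_allowed(const char *expected_host, const char *location)
{
    char scheme[16], host[256];
    if (!split_url(location, scheme, sizeof scheme, host, sizeof host))
        return false;
    if (!ieq(scheme, "https"))
        return false;
    return ieq(host, expected_host);
}
```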

Page 41: The Four Horsemen of Mobile Security

Summary

• Mobile security threat landscape: Physical, Network, Malware, Vulnerabilities
• Mobile is a low hanging fruit for attackers
• Recommendations:
  • Awareness
  • Focus on visibility as a baseline to security
  • Security solutions for personal and business needs

Page 42: The Four Horsemen of Mobile Security

Next Steps

[email protected]

https://www.skycure.com

https://blog.skycure.com

@YairAmit, @AdiSharabani, @SkycureSecurity

/Skycure