It looks like that the Perfidious Albion is not what one should exactly define a Paradise for Mobile Security. Not only the echoes of the Scandal concerning “voicemail hacking” led the infamous tabloid News Of the World to close on Sunday, the 10th of July 2011, and Rebekah Brooks to resign as CEO of News International today; but also the flow of events has unexpectedly brought mobile security issues to the attention of a wider audience, no more confined to the sole and exclusive attention of information security professionals.
This is partially due to the relative easiness in implementing similar hacking techniques in mobile communications, which is raising doubts and misgivings in many other countries. As a matter of fact, as actually happened, voicemail hacking is relatively easy to implement and is based, as usual, on two factors:
- From the user perspective, on the poor attention for default (in)security settings;
- From the operator perspective, on the necessary trade-off between security, user experience, and convenience, (almost) always favoring the latter, which turns out not to be an optimal choice from a security perspective.
A lethal mix wich may be quite easily exploited by a balanced blend made of (little) hacking and (a lot of) social engineering. At this link a really complete and interesting description very helpful to understand how relatively easy is to perform voicemail hacking with some U.K. operators (but keep in mind that procedures vary from Operator to Operator). Accorrding to the above quoted article, in theory, it is possible to elude the meshes of the security procedures of the operators, simply calling the voicemail of the victim impersonating the legitimate user, claiming to have forgotten the PIN and voila, that’s it!
Voicemail hacking does not need further components, but unfortunately is not the only issue that may happen: in theory entire conversations may be hijacked (and unfortunately it is something we are quite familiar to, here in Italy). The Security Process of a phone conversations is an end-to-end chain, inside which technology is only a component, and the human factor is the weakest link. In this context weak means leak so that often it happens that some information that should not be disclosed are delivered to media (even if irrelevant to any ongoing investigations) with devastating aftermaths for investigations themselves and for victims’ privacy.
The scenario is further complicated with the new generation of smartphones, where technology (and the ongoing process of Consumerization of Information Technology) leaves virtually no limits to the imagination of attackers: not only voicemail hacking, but also mobile malware (a threat which does not need the unintended cooperation of the Operator) capable of extracting any information from devices. The dramatic events in U.K. involved using stolen data for squalid journalistic purposes, but, since mobile devices are nowadays indispensable companions of our everyday lives, nothing prevents, in theory, to use the same or different methods to steal other kinds of information such as confidential data, banking transaction identifiers, etc… Do you really need a confirm? For instance the recent evolution of the Infamous ZiTMo mobile malware that has just landed on Android (the continuing metamorphosis of this malware is really meaningful: born on the Windows platform, it has rapidly spread on Windows CE, Symbian, and now, last but not least, Android). Since it is expected that 5.6% of iPhones/Android handsets is going to be infected in the next 12 months, there is much to worry. In this context what happened in U.K. may constitute a dangerous precedent and a dramatic source of inspiration for organized cybercrime.
Fears that similar occurrences could happen in other countries are rapidly spreading. As a consequence some countries are moving fast to prevent them.
In the U.S., in wake of U.K. Hacking, Representative Mary Bono Mack, a California Republican who chairs the House subcommittee on commerce, manufacturing and trade, is contacting handset manufacturer companies including Apple, Google, Research in Motion, and wireless companies as well, such as AT&T, Verizon Wireless and Sprint Nextel, to determine if there are any vulnerabilities in cell phones or mobile devices which can be exploited by criminals and other unscrupulous individuals. Clearly the final target is to prevent similar events from ever happening in the United States.
For the Chronicle, on June 13 Bono Mack released draft legislation which aims to tighten data security for companies victims of data breaches. Under the proposal, companies that experience a breach that exposes consumer data would have 48 hours to contact law enforcement agencies and begin assessing the potential damage.
Immediately after U.S. Attorney General Eric Holder is considering investigation into News Corp. for the same reson.
Anyway U.S. is not the only country worried about, as similar concerns are raising in Canada, and I may easily imagine that other countries will soon deal the same stuff.
A final curious notice: a further confirm that U.K. is not the paradise for mobile security came this morning when I stumbled upon this wiki which happily shows how to hack a Vodafone femto cell (just released to public) in order to, among the other things, intercept traffic, perform call frauds (place calls or send SMS on on behalf of somebody else SIM card).
The best (or the worst, it depends on the points of view) is yet to come…
- How not to get your phone hacked (blogs.journalism.co.uk)
- Hacking into U.S., U.K. phones easier than in Canada, but remain wary (canada.com)
- Lawmakers Question Cell Phone Privacy In Wake Of Hacking Scandal (techdailydose.nationaljournal.com)
David has shown me another example of the strict connection between real warfare and mobile warfare come from Afghanistan. Few days after the revelations about the Internet in Suitcase project funded by the Obama Administration and aimed to deploy a “shadow” Internet and an hidden mobile phone network to be used by dissidents, an indipendent, but somehow similar project has been implemented in Afghanistan. It is called FabFi and it is essentially an open-source, FabLab-grown system using common building materials and off-the-shelf electronics to transmit wireless ethernet signals across distances of up to several miles. Said in few words, the main component of this home made network can be built out of trash.
The Afghan city of Jalalabad has built a high-speed DIY Internet network with main components built out of trash found locally. A FabFi node can be buolt out of approximately $60 worth of everyday items such as boards, wires, plastic tubs, and cans that will serve a whole community at once.
SInce January 2009, the Jalalabad FabLab demonstrated the capability of the FabFi system by bringing high-speed internet to a village, hospital, university, and a non-governmental organization in Jalalabad, Nangarhar Province, Afghanistan. These low-cost, locally-produced networks can be easily spread across isolated villages and towns, placing them in touch with the outside world and facilitating socio-economic development from the ground up.
Jalalabad’s longest link is currently 2.41 miles, between the FabLab and the water tower at the public hospital in Jalalabad, transmitting with a real throughput of 11.5Mbps (compared to 22Mbps ideal-case for a standards compliant off-the-shelf 802.11g router transitting at a distance of only a few feet). The system works consistently through heavy rain, smog and a couple of good sized trees.
The project is important from a double perspective: from a technological point of view it allows high speed connectivity for war zones, or rather zones lacking conventional broadband. From a sociological point of view it confirms the strict relationship between Internet and Democracy, and, (in)directly it also confirms that the Internet is a fundamental weapon for fights in favor of the democracy, what we called the Mobile Warfare.
I could not help noticing, by tweeting with my colleague David:
@cencio4 if you make a parallelism with real warfare, it is like building home made weapons for guerrilla.
And, as a matter of fact, in order to further emphasize the parallelism, he replied:
@paulsparrows that’s exactly what rebels did in Libya with parts of helos on Mad Max-like vehicles
Take the examples of Afghanistan and Libya, invert respectively the terms Internet Connectivity and Weapons, and result is exactly the same.
- Consumerization of Warfare (paulsparrows.wordpress.com)
- Internet In A Suitcase (paulsparrows.wordpress.com)
- Shareable: Afghans Build Open-Source Internet From Trash (mbcalyn.wordpress.com)
The last malware inside the Android Market, dubbed Plankton, has been discovered by the same team which discovered DroidKungFu led by Xuxian Jiang, Assistant Professor at North Carolina State University. Although the brand new malware does not root the device, it has the bad habit to hide itself inside familiar apps related to the popular game Angry Birds. The suspected apps were removed on 6/5/2011, but since the malware leverages a new evasion technique which allowed it to stay in the market for more than 2 months without being detected by current mobile anti-malware software, but being downloaed more than 100.000 times.
Plankton is included in host apps by adding a background service: when the infected app runs, it will bring up the background service which collects information, including the device ID as well as the list of granted permissions to the infected app, and send them back to a remote server discovered by Sophos to be hosted in the Amazon Cloud.
The server replies with a URL that is used to download an additional JAR file with custom code that is loaded by the downloader.
Once the JAR file is downloaded, Plankton uses a technique for loading additional code from non-Market websites demonstrated by Jon Oberheide about a year ago, providing a potential attacker with a method of circumventing checks of application functionality by Google or by another Android Market provider.
The downloaded code launches another connection to the Command server and listens for commands to execute.
Although this malware does not root the phone, its approach of loading additional code does not allow security software on Android to inspect the downloaded file in the usual “on-access” fashion, but only through scheduled and “on-demand” scans. This is the reason why the malware was not discovered before.
As a consequence the pressure on Google is building on two fronts: on one side, users are demanding better security and on the other side security vendors are asking for better operating system interfaces to make security software more effective against the ever-increasing tide of Android malware.
- Plankton malware drifts into Android Market (nakedsecurity.sophos.com)
Not even a week after the light version of DroidDream, a new nightmare rises from the Android Market to menace the dreams of glory of the Google Mobile OS (which has just confirmed his #1 Rank on the comScore April 2011 U.S. Mobile Subscriber Market Share Report).
Curiously, also the new malware, discovered by F-Secure, and dubbed Android/DroidKungFu.A, “has its roots” on DroidDream since it uses the same exploit, rageagainstthecage, to gain root privilege and install the main malware component.
Once installed, the malware has backdoor capabilities and is able to: execute command to delete a supplied file, execute a command to open a supplied homepage, download and install a supplied APK, open a supplied URL, run or start a supplied application package.
Of course, who is familiar with Android malware may easily imagine the next step of the infection: the malware is in fact capable to obtain some information concerning the device and send them to a remote server: The collected information include: IMEI number, Build version release, SDK version, users’ mobile number, Phone model, Network Operator, Type of Net Connectivity, SD card available memory, Phone available memory.
In few words, the device is turned into a member of a botnet (without realizing it we are closer and closer to Phase 4 of Mobile Malware, consult slide 9 of my presentation for the different phases of Mobile Malware).
Guess where the malware was detected first? Of course from some parallel Markets in China, at least according to some Researchers of the North Carolina University who detected two infected applications in more than eight third-party Android app stores and forums based in China. Nothing new under this sun of June. Luckily the researchers haven’t found infected apps in non-Chinese app stores… At least so far.
As previously stated DroidKungFu takes advantages of the same vulnerabilities than DroidDream, but this time the situation seems to be much worse. As a matter of fact it looks like DroidKungFu is capable of avoiding detection by security software.
The malware makes its best with Android 2.2 and earlier, but the owners of later versions of Android are not entirely safe: the security patches severely limit DroidKungFu, but the malware is still able to collect some user data and send them to a remote site.
Again, follow basic, common-sense guidelines for smartphone security in order to mitigate the risks of infection (here you may find some useful suggestions), even because Google Wallet is at the gates and I dare not even think to the aftermaths of a malware leveraging vulnerabilities on the Secure Element…
- DroidDream is Back! (paulsparrows.wordpress.com)
There is a new nightmare on the Android Market, and again many Android devices are not going to have a good awakening.
The last security advice for the Google Mobile OS comes from Lookout, which has discovered a new variant of the infamous DroidDream, the first malware conveyed by the Official Android Market capable of infecting at the beginning of March, according to Symantec, between 50.000 and 200.000 devices.
This time the brand new version, dubbed DroidDreamLight, was found in 26 repackaged applications from 5 different developers distributed in the Android Market. According to Lookout DroidDreamLight is no less than is “noble” predecessor, since was able to affect between 30.000 and 120.000 users.
According to Lookout, the malicious components of DroidDream Light are invoked on receipt of an android.intent.action.PHONE_STATE intent (e.g. an incoming voice call). As a consequence DroidDream Light does not depend on manual launch of the installed application to trigger its behavior. The broadcast receiver immediately launches the <package>.lightdd.CoreService which contacts remote servers and supplies the IMEI, IMSI, Model, SDK Version and information about installed packages. It appears that the DDLight is also capable of downloading and prompting installation of new packages, though unlike its predecessors it is not capable of doing so without user intervention.
The list of the infected applications (already removed from Google) is available at the original link. I must confess I could not help noticing the rich amount of “hot” applications, which confirm (unfortunately) to be a lethal weapon for carrying malware.
This event will raise again the concerns about the security policies on the Android Market, and about the apparently unstoppable evolution of the mobile threat landscape which has brought for the Android a brand new malware capable of sending data to a remote server. A further step closer to a mobile botnet even if, at least for this time, with limited capabilities of auto-installing packages,.
I will have to update my presentation, meanwhile do not forget to follow the guidelines for a correct mobile behavior:
- Avoid “promiscuous” behaviours (perform rooting, sideloading or jaibreaking with caution, most of all in case of a device used for professional purpose);
- Do not accept virtual candies from unkown virtual individuals, i.e. only install applications from trusted sources, always check the origin and their permissions during installation;
- Beware of unusual behavior of the phone (DroidDream owes its name to the fact that he used to perform most of its malicious action from 11 P.M to 8 A.M.);
- Beware of risks hidden behind social Network (see my post of yesterday on mobile phishing);
- Use security software;
- Keep the device updated.
- DroidDreamLight malware hits dozens of Android apps (venturebeat.com)
- Malicious apps removed from Android Market (news.cnet.com)
- Malicious apps removed from Android Market (news.cnet.com)
- Lookout Teams Pegs 25 Android Market Apps Infected With DroidDreamLight Malware (androidpolice.com)
- 30,000 to 120,000 Android Users Affected by New Variant of Droid Dream Malware (readwriteweb.com)
- New Android malware spotted: DroidDream Light (intomobile.com)
One of the most surprising things I noticed concerning the Lockheed Martin Affair, was the affirmation contained in the Reuters Article, made by Rick Moy, president of NSS Labs, indicating that the initial RSA attack was followed by malware and phishing campaigns seeking specific data to link tokens to end-users (an indirect evidence of the same authors behind the infamous RSA breach and the Lockheed Martin attack.
My initial surprise only lasted few seconds, since, this year is showing us a brand new role for the phishing attacks which are more and more targeted to steal corporate sensitive data, and constitute the first level of attack for Advanced Persistent Threats.
At first sight could be quite difficult to believe that users are still tricked by old-school phishing techniques, but a deeper analysis could show in my opinion, a possible (in part psychological) explanation relying on the fact that the users themselves are still used to think to phishing as something targeted to steal personal information (often with pages crafted with gross errors), and seems to be unprepared to face the new shape of phishing which targets corporate information with cybercrime purposes and industrial methods, which definitively means to perpetrate the attack with plausible and convincing methods, and most of all leveraging arguments the user hardly doubts about (I could doubt of an E-mail from my bank asking me to provide my account and credit card number, maybe, most of all in case I am not an infosec professional, I could feel more comfortable in providing my username to a (fake) provisioning portal of my Company).
But my information security beliefs are falling one after the other, and after reading this really interesting article by Adrienne Porter Felt and David Wagner of the University of California (the marvelous LaTeX layout!) I can only confirm that mobile devices will be next frontier of phishing.
According to this paper the risk of a success of a phishing attack on mobile devices is dramatically greater than traditional devices due to some intrinsic factors such as the smaller size of the screen, the fact that many applications embed or redirect to web pages (and vice versa some or web pages redirect to applications), the fact that mobile browsers hide the address bar, and most of all the absence of application identity indicators (read the article and discover how easily a fake native application can resemble completely a browser page) which makes very difficult to discover if a certain operation is calling a fake application on the device or it is redirecting the user to a fake application resembling a legitimate login form.
Moreover, the intrinsic factors are worsened by (as usual) the user’s behavior: as a matter of fact (but this is not a peculiarity of mobile devices), users often ignore security indicators, do not check application permissions and are more and more used to legitimate applications continuously asking for passwords with embedded login forms and. Last but not least I would add the fact that they are not still used to think to mobile applications as targets of phishing (Zitmo Docet).
Guess what are the ideal candidates for Mobile Phishing attacks? Easy to say! Facebook and Twitter since they are the most common linked applications used by developers to share their creations (the power of free viral marketing!).
Given the speed with which these devices are spreading in the enterprise (see for instance this GigaOM infographic), there is much to worry about in the near future. An interesting solution could be the operating system to support a trusted password entry mechanism. Will SpoofKiller-like trusted login mechanisms be our salvation as the authors of the paper hope?
- More Random Thoughts on the RSA Breach (paulsparrows.wordpress.com)
- Mobile Phones Are Great for Phishers, Researchers Find (pcworld.com)