3. Who is SpiderLabs®?
SpiderLabs is the elite security team at Trustwave, offering clients the
most advanced information security expertise available today.
The SpiderLabs team has performed more than 1,000 computer
incident response and forensic investigations globally, as well as over
10,000 penetration and application security tests for clients -- more
than any other provider.
Companies and organizations in more than 50 countries rely on the
SpiderLabs team’s technical expertise to identify and anticipate cyber
security attacks before they happen.
Copyright Trustwave 2011
4. SpiderLabs – Our Mission
To continually deliver the most advanced expertise in information security in order to protect the digital assets of clients worldwide from a growing spectrum of malicious attacks.
We achieve this by:
• Recruiting top of market talent from the
information security community
• Performing research in lab facilities in
Chicago, London, Sydney and Sao Paulo
• Using standardized methodologies and
central QA processes to ensure quality and
consistency
5. SpiderLabs International Footprint
In-country presences: Australia - Brazil - Canada - Hong Kong - India - Mexico - Spain - United States - United Kingdom
Languages spoken: English, French, Spanish, Greek, German, Portuguese, Mandarin, Cantonese, Japanese, Hindi, Zulu, Ndebele, Xhosa, Setswana, Sesotho, Shona
22. Mobile Attack Cookbook – The Recipe
Ingredients
• Motivation
• Reversing Skills
• Creativity
• Motivation
Process
• Step 1 – Pick a Platform to Target
• Step 2 – Find a Vulnerability
• Step 3 – Select a Payload
• Step 4 – Build the Payload
• Step 5 – Select a Payload Delivery Method
• Step 6 – Test it Out
23. Mobile Attack Cookbook – The Recipe
Step 1 – Pick a Platform to Target
• Estimated to be 20% of the smartphone market share
• Many users are non-technical
• Jailbreak community does the vulnerability research, so you don’t have to
• Many users don’t EVER update their device to the latest iOS
24. Mobile Attack Cookbook – The Recipe
Step 2 – Find a Vulnerability
• Leverage the “Jailbreakme.com” vulnerabilities
• Affect iOS 4.0.2 or earlier – still likely 50% of the user base
• What is it?
• The “star” PDF Exploit – Code execution
− Classic stack overflow
− Leverages IOSurface (IOKit) bug for privilege escalation and sandbox escape
• The IOKit Vulnerability – Priv. escalation / escaping the sandbox
− Kernel integer overflow in handling of IOSurface properties
− Calls setuid(0) inside Safari getting root
• The Jailbreak Phase – Set up residence on the iDevice
− Patches out Kernel code signing
− Installs a basic jailbreak filesystem along with Cydia (apt-get)
25. Mobile Attack Cookbook – The Recipe
Step 3 – Select a Payload
Implement a Weaponized Jailbreak
• Patch out a “security” check comex had incorporated
• The jailbreakme.com PDFs had code to ensure they’d been downloaded from
“jailbreakme.com”.
• Patching out all the GUI pop-ups
• Didn’t want the victim to realize they were being hacked
• Build a modified wad.bin with our “rootkit”
26. Mobile Attack Cookbook – The Recipe
Step 4 – Build the Payload
SpiderLabs Research built a custom-written iOS “Rootkit”
• Patched UNIX utilities like ‘ls’, ‘ps’, ‘find’, ‘netstat’ from the JB filesystem
• Hiding our tools from actual jailbreakers
• Port knock daemon called “bindwatch” fakes its name on argv[0]
• Spawns a bind shell called, wait for it … “bindshell”, which also fakes argv[0]
• Trivial app to record AIFF on the mic – remote eavesdrop
• Patched VNC to hide itself a little better
• Nice Open Source iPhone VNC server by saurik
• Runs via a DYLIB in MobileSubstrate
• Mostly just removed the GUI config plist from System Preferences
• Coded a trivial CLI obj-C program to configure and start VNC
without the GUI
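The slide above says the port-knock daemon and the bind shell fake their names through argv[0]; a defender can catch that by comparing each process's argv[0] with the executable path the kernel reports. This is an added example, not code from the presentation: the record format, the allowlist and the sample data (including the placeholder path and the fake name) are assumptions, and it also handles benign mismatches beyond the slide's case.

```python
import os
import re

# Multi-call binaries legitimately run under many argv[0] names (assumed allowlist).
MULTICALL = {"busybox", "toybox"}

def claimed_name(argv0):
    """Normalise argv[0]: drop a login-shell '-', a 'name: title' suffix and any path."""
    return os.path.basename(argv0.lstrip("-").split(": ", 1)[0])

def stem(name):
    """Strip a trailing version so python3 and python3.11 compare equal."""
    return re.sub(r"[\d.]+$", "", name)

def check_process(proc):
    """Return a finding for one process record, or None if it looks consistent."""
    exe, argv = proc.get("exe"), proc.get("argv") or []
    if not exe:
        return None  # kernel thread or unreadable entry: nothing to compare
    if exe.endswith(" (deleted)"):  # Linux marks an unlinked executable this way
        return "executable was deleted from disk while running"
    real = os.path.basename(exe)
    if real in MULTICALL:
        return None
    claimed = claimed_name(argv[0]) if argv else ""
    if not claimed:
        return f"argv[0] is empty but executable is '{real}'"
    if stem(claimed) == stem(real):
        return None
    return f"argv[0] claims '{claimed}' but executable is '{real}'"

def scan(procs):
    """Map pid -> finding for every record that fails the check."""
    found = {p["pid"]: check_process(p) for p in procs}
    return {pid: why for pid, why in found.items() if why}

# Constructed sample records; the path and the fake name are placeholders.
SAMPLE = [
    {"pid": 1, "exe": "/sbin/launchd", "argv": ["/sbin/launchd"]},
    {"pid": 40, "exe": "/usr/bin/python3.11", "argv": ["python3", "job.py"]},
    {"pid": 55, "exe": "/bin/bash", "argv": ["-bash"]},
    {"pid": 77, "exe": "/usr/sbin/sshd", "argv": ["sshd: admin@pts/0"]},
    {"pid": 901, "exe": "/PLACEHOLDER/bindwatch", "argv": ["syslogd"]},
    {"pid": 902, "exe": "/tmp/a.out (deleted)", "argv": ["a.out"]},
]

if __name__ == "__main__":
    for pid, why in scan(SAMPLE).items():
        print(pid, why)
```

On Linux the two fields can be filled from `/proc/<pid>/exe` and `/proc/<pid>/cmdline`; other platforms need their own source for the kernel-reported executable path.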
27. Mobile Attack Cookbook – The Recipe
Step 5 – Select a Payload Delivery Method
Many methods can be used:
• Fake Jailbreak site
• SEO optimized site to target an organization
• Phishing attack
• Hack a popular site and install within the mobile version
28. Mobile Attack Cookbook – The Recipe
Step 6 – Test it Out
Credit: Eric Monti, Trustwave SpiderLabs Research
30. Motivations For Attackers
• There are over a half-billion devices on 3G networks
• By 2020, there will be 10 billion devices
• 60% of all users carry their devices with them at ALL times
• For high-profile and business folks that is near 100%
• A typical smartphone today has the same processing power as a PC from 8 years ago, plus:
− Always-on network connectivity
− Location aware thanks to GPS
31. Motivations for Attackers
• Users accessing highly sensitive information via smartphones is the norm
• Users trust a smartphone over a public computer or kiosk
• Never question their smartphone’s integrity
• Communication Services Providers (CSPs) must allow for governments to access subscribers’ communications
• Case: In the UAE, Etisalat pushed a “performance update” to all their Blackberry subscribers.
• Reality: Malware was intentionally pushed down to allow interception of data communications.
32. Conclusions
• It is possible and feasible to write malware for a mobile device.
• With a little work, automated functionality can be embedded
• Little attention is being paid to smartphone security, while everyone trusts their device to perform critical tasks.
• In the next 10 years, we will see an explosive growth in the number of attacks against smartphones and other mobile computing device platforms.
Will we be prepared?
34. SpiderLabs®
SpiderLabs® is an elite team of ethical hackers advancing the
security capabilities of leading businesses and organizations in
over 50 countries.
More Information:
Web: https://www.trustwave.com/spiderlabs
Blog: http://blog.spiderlabs.com
Twitter: @SpiderLabs