Your mobile device lives in an Orwellian world of surveillance, intrigue and promiscuity. While your phone is safely tucked away in your pocket, it lives an alternate existence selling you out, betraying you and offering up your secrets whenever it can. While you're sleeping, driving, buying coffee or checking email, your phone is busy divulging your location, storing your credentials and documenting everything you do. This presentation from the 2014 (ISC)2 Security Congress walks through a day in the life of your mobile device and shows you what it's telling the world about you.
A Day in the Life of your Mobile Phone (or: How Your Phone Hates You)
2. A Day in the Life of Your Mobile Phone
(or: how your phone hates you)
Rob Barnes, CISSP®, CSSLP®
Software Security Architect
The College Board
#YourPhoneHatesYou
Strengthening Cybersecurity Defenders #ISC2Congress
3. How we like to think our phones protect our privacy:
Reality: Your phone hates you.
4. Things you do every day
» Check email
» Check weather
» Check stocks
» Use social media
» Take photos
» Post photos
» Buy coffee
» Sync device with phone
» Join Wi-Fi access points
» Send email
» Navigate with map
» Research restaurants
» Place hands-free calls
» Browse websites
» (Plus all the things your kids do that you don’t know about)
5. Things your phone does every day
Collects location information
(Divulges location information.)
Collects personal information
(Divulges personal information.)
Collects usage information
(Divulges usage information.)
6. Does it matter?
97% of mobile applications access personal
address books, social media pages and
connectivity options like Bluetooth or Wi-Fi.
86% of mobile applications are insecure.
But it doesn’t matter. 100% of what
you do reveals something about you.
http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.VA2ntvlr6Cc
http://threatpost.com/insecure-applications-we-are-84-percent-120711/75961
7. Don’t think like an attacker.
Think like:
a marketer.
a parent.
a forensic investigator.
10. Location and Device Privacy
When you (or an app) access a web page or web service, it sends the following information:
108.28.101.205 08/Sep/2014:14:18:45 -0400 Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X) Version/6.0 Mobile/10B350 Safari/8536.25
» 108.28.101.205 belongs to Verizon FiOS in Chantilly, VA
» Browser version (a two-for-one bonus!)
» Firmware version = iOS 6.1.4
» Device make and model (OLD!)
11. Location Privacy: Using apps
Are you sure you’re just checking the weather? As a bonus to you, Weather Channel shares your usage statistics!
» http://or1.sc.omtrdc.net/b/ss/twciiphonescroll/0 . . .
» Resolution=640x1136
» AppID=iPhone 6.2.1 (420573)
» TimeSinceLaunch=58
» DeviceName=iPhone6,1
» action=weather:data-refresh-requested
» OSVersion=iOS 7.1.2
» CarrierName=Verizon
» actionTracking=weatherdatarefreshrequested
» ts=1408722639 (which translates to 8/22/2014 11:50:39 AM)
13. Why should you care?
“Big Data” marketing can infer:
When you’re at home
When you’re at work
When you’re driving
14. Why should you care?
An attacker can infer:
When you’re at home
…and when you’re not
15. Device Privacy: Using Wi-Fi
Phone: Hi! Can I please join your network? My MAC address is DC:9B:9C:xx:xx:xx!
Access point: Sure! (Ah…so you’re an Apple device…)
Phone: Thanks! Oh, also, my name is “Rob Barnes’s iPhone 5”!
Access point: OK, thanks. Welcome! (Welcome, indeed, “Rob Barnes”!)
16. Device Privacy: Using Wi-Fi
Phone: Hey, it’s “Rob Barnes’s iPhone 5” again. Sorry to bother you. What is the IP address for email.mycompany.com?
Access point: It’s 209.48.123.456.
17. Why should you care?
Dear Rob Barnes:
Congratulations! Your iPhone 5 is eligible for a free upgrade! Please click here for details, or visit your local Atlanta Apple retail store.
This message was sent to rbarnes@mycompany.com. Click here to unsubscribe from future emails.
Sincerely,
The Apple Customer Loyalty Team
18. Device Privacy: Using Wi-Fi
belkin.d36
belkin.d36.guests
HoundNet_Guest
xfinitywifi
DUKE
LCPS-OPEN
Residence_GUEST
Marriott_Guest
Kimpton
Marriott_CONFERENCE
Dunn_Bros_337!
Carlton
My stored Wi-Fi networks (com.apple.wifi.plist)
20. Device Privacy: MAC
Ever get the feeling that you’re being watched? This recycling bin is tracking you.
http://qz.com/112873/this-recycling-bin-is-following-you/
21. Device Privacy: MAC
Ever get the feeling that you’re being watched? Your supermarket is tracking you.
http://www.moxieretail.com/storage/heat_map2.jpg
23. A picture is worth 1,000 words…
http://sophosnews.files.wordpress.com/2012/12/mcafee-exif.jpg?w=640
24. …and some EXIF data as well…
Exif Image Size 470 × 353
Make Apple
Camera Model Name iPhone 4
Orientation Horizontal (normal)
Date/Time Original 2012:12:03 12:26:00
Create Date 2012:12:03 12:26:00
Flash Off, Did not fire
GPS Latitude Ref North
GPS Latitude 15.658167 degrees
GPS Longitude Ref West
GPS Longitude 88.992167 degrees
GPS Altitude Ref Above Sea Level
GPS Altitude 7.152159468 m
Resolution 72 pixels/inch
26. Usage Privacy: Using email
iOS mail header:
X-Mailer: iPhone Mail (10B350)
[10B350 = iOS 6.1.4]
Android mail header:
X-Mailer: YahooMailAndroidMobile/3.1.3
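The two passive fingerprints shown on slides 10 and 26 (the Safari User-Agent in a web-server log and the X-Mailer header in e-mail) can be pulled apart with a few lines of code. The Python below is an added example, not material from the deck; the log line and the two mail header blocks are constructed for it, reusing only the IP address, timestamp, User-Agent and X-Mailer values printed on the slides, and the build table holds just the single pair the slides state (10B350 = iOS 6.1.4).

```python
import re
from email import message_from_string

# iOS build identifier -> iOS release. Only the pair the slides show (10B350 = iOS 6.1.4)
# is listed here; a real tool would carry Apple's full build table.
BUILD_TO_IOS = {"10B350": "6.1.4"}

# Combined-log-format line constructed for this example. IP, timestamp and User-Agent are
# the values from slide 10; the request path, status and byte count are made up.
LOG_LINE = (
    '108.28.101.205 - - [08/Sep/2014:14:18:45 -0400] "GET /index.html HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X) Version/6.0 Mobile/10B350 Safari/8536.25"'
)

# Two constructed header blocks carrying the X-Mailer values from slide 26.
IOS_MAIL = (
    "From: alice@example.com\r\nTo: bob@example.com\r\nSubject: lunch?\r\n"
    "X-Mailer: iPhone Mail (10B350)\r\n\r\nSee you at noon.\r\n"
)
ANDROID_MAIL = (
    "From: carol@example.com\r\nTo: bob@example.com\r\nSubject: re: lunch?\r\n"
    "X-Mailer: YahooMailAndroidMobile/3.1.3\r\n\r\nSure.\r\n"
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IOS_UA_RE = re.compile(
    r"\((?P<device>iPhone|iPad|iPod); CPU (?:iPhone )?OS (?P<ver>[\d_]+) like Mac OS X\)"
    r".*?Mobile/(?P<build>[0-9A-Z]+)"
)
IOS_MAILER_RE = re.compile(r"^iPhone Mail \((?P<build>[0-9A-Z]+)\)$")


def fingerprint_user_agent(ua):
    """Pull device family, OS version and build id out of an iOS Safari User-Agent."""
    m = IOS_UA_RE.search(ua)
    if not m:
        return None
    return {
        "device": m["device"],
        "os_version": m["ver"].replace("_", "."),      # 6_1_4 -> 6.1.4
        "build": m["build"],
        "os_from_build": BUILD_TO_IOS.get(m["build"]),  # second, independent source
    }


def fingerprint_log_line(line):
    """What one web-server log entry reveals: source IP, local time and device details."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a combined-format log line")
    info = {"ip": m["ip"], "timestamp": m["ts"]}
    info.update(fingerprint_user_agent(m["ua"]) or {})
    return info


def fingerprint_mail_headers(raw_message):
    """What the X-Mailer header of an incoming e-mail reveals about the sender's device."""
    x_mailer = message_from_string(raw_message).get("X-Mailer")
    if not x_mailer:
        return None
    m = IOS_MAILER_RE.match(x_mailer)
    if m:   # iOS Mail names only the build; the build table turns it into a release
        return {"client": "iOS Mail", "build": m["build"], "os_version": BUILD_TO_IOS.get(m["build"])}
    client, _, version = x_mailer.partition("/")   # e.g. YahooMailAndroidMobile/3.1.3
    return {"client": client, "version": version or None}


if __name__ == "__main__":
    print(fingerprint_log_line(LOG_LINE))
    print(fingerprint_mail_headers(IOS_MAIL))
    print(fingerprint_mail_headers(ANDROID_MAIL))
```

The point of keeping two sources for the OS version is the slide's "two-for-one": the User-Agent states the version outright, and the build id confirms it, so a spoofed version string that contradicts its build id stands out when you audit your own devices' traffic.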
27. Usage Privacy: Using Bluetooth
http://cnet3.cbsistatic.com/hub/i/r/2013/08/22/2cbcf893-6de6-11e3-913e-14feb5ca9861/resize/620x/e604bfe06973383ec0c3ca6323c35487/142B6607.jpg
28. How to Protect Yourself
» Location Services
• Turn it off
• Use it selectively
» Browsing
• Use Onion browser (or other Tor equivalent)
• Maintain awareness
» Wi-Fi
• Do not connect to untrusted networks
– (But if you do, assume everything you do is monitored)
– (Also, tell your device to “forget” the network when you’re done.)
29. How to Protect Yourself
» EXIF Data
• iOS
– TrashExif
– Metadata Cut
• Android:
– EXIF Stripper
– Photo Editor
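What the EXIF strippers listed above actually do is drop the APP1 segment that JPEG uses to carry Exif metadata (camera model, timestamps and the GPS fields shown on slide 24), leaving the pixel data alone. The Python below is an added example of that mechanism, not code from the deck or from any of the apps named; it uses only the standard library, and the JPEG it operates on is a constructed byte string with the right container layout but no decodable image. The GPS conversion uses the degrees/minutes/seconds form Exif stores on disk and reproduces the decimal values on slide 24.

```python
import struct

SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"   # APP1 payload prefix that marks an Exif block


def iter_segments(data):
    """Yield (marker, start, end) for every marker segment up to and including SOS.
    Offsets cover the marker bytes, the two-byte length and the payload."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = (data[pos] << 8) | data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length counts its own 2 bytes
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:   # entropy-coded image data follows; no more headers to parse
            return
        pos = end


def has_exif(data):
    """True if any APP1 segment carries an Exif block."""
    return any(m == APP1 and data[s + 4:e].startswith(EXIF_HEADER) for m, s, e in iter_segments(data))


def strip_exif(data):
    """Return the JPEG with every APP1/Exif segment removed. Pixel data is untouched:
    everything from the SOS header onward is copied verbatim."""
    out = bytearray(data[:2])
    last = 2
    for marker, start, end in iter_segments(data):
        if not (marker == APP1 and data[start + 4:end].startswith(EXIF_HEADER)):
            out += data[start:end]
        last = end
    out += data[last:]
    return bytes(out)


def gps_to_decimal(dms, ref):
    """Exif stores GPS as (degrees, minutes, seconds) plus an N/S or E/W reference;
    south and west become negative in the signed decimal form map services use."""
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def _segment(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample: JFIF APP0, an Exif APP1 holding a bare big-endian TIFF header,
# a one-component SOS header, three bytes of fake scan data, then EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, EXIF_HEADER + b"MM\x00\x2a\x00\x00\x00\x08\x00\x00")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)
```

Run `strip_exif` over a real photo and compare `has_exif` before and after; the stripped file still opens, because only a header segment went away. Remember that the slide-24 coordinates (15.658167 N, 88.992167 W) are accurate to well under a hundred metres, which is why the deck treats this segment as the one to remove before posting.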
30. How to Protect Yourself
» MAC Tracking
• iOS
– Upgrade to iOS 8
• Android
– Pry-Fi (requires rooting the device)
» Bluetooth
• Delete any data from synced devices
– This becomes increasingly applicable with iOS 8’s HealthKit
31. The End.
Rob Barnes
rbarnes@collegeboard.org
ww.linkedin.com/in/robertdbarnes
#YourPhoneHatesYou
Editor's notes
What this presentation is not about:
BYOD
Mobile application security
Carrier vectors
What this presentation is about:
Privacy (and the distinction from security)
Awareness of fingerprints you leave
Awareness of information you store
How to protect yourself
How to use your phone more responsibly
Points:
Privacy is equal parts forensics and penetration testing
Not everything here is specific to mobile devices, but the implications can be different
Location
Phone capabilities are different from laptop
Phone calls
Pictures
Contacts
…
Who knows you’re here? Your manager? Your co-worker? Your spouse? Verizon, AT&T, Comcast, Google, Yahoo, Facebook, Twitter? They know where you are because of what you’re doing with your phone.
Consider all the things you do throughout the day.
Whatever your transactions are, your phone collects and divulges them. All of them. Consider Redbox and Wreck-it-Ralph.
We use mobile devices because of the convenience and utility. Most apps are insecure, but it doesn’t matter. There is a principle named for the French forensic scientist Dr. Edmond Locard called the “Locard Exchange Principle.” Wherever you go and whatever you do, you leave something behind, such as DNA.
Remember Wreck-it-Ralph? Consider the Redbox example, where an app collects name, address, credit card, and location. We provide it willingly to companies, but what do they do with it? Redbox forms a business partnership with Verizon, and oh by the way, Verizon was hit this summer with a record fine by the FCC for $7M for using your private information in unauthorized and undisclosed ways.
When thinking about privacy, it’s perhaps better to think like a marketer, a parent, or a forensic investigator. Attackers often have to work hard to get personal information, but you volunteer it anyway; how are companies using it?
Mobile devices are constantly emitting beacons searching for cell towers, wireless networks, and Bluetooth devices. Consider my visit to Tucson over the summer. It was hot. I went to the pool twice. And my phone knows about it.
However, this information stays on the phone. Think like a parent or an investigator!
Consider another example of location awareness. This map represents every access to a web service. Web services know where you are.
Also consider the use of synchronized browsers: is your Google Maps search showing up on your home computer? (similar to photo streaming)
IP resolution service example:
http://ipinfo.io
But what about apps? They typically use web services as well, which is just another HTTP request. Companies whose apps are constantly used (Facebook, weather, etc.) can establish patterns of usage to determine where you live and work.
Apps do the same thing—they call web services.
Consider IP sourced-edits in Wikipedia.
Full URL:
http://or1.sc.omtrdc.net/b/ss/twciiphonescroll/0/OIP-4.1.0/s18379378?AQB=1&ndh=1&t=00/00/0000 00:00:00 0 240&c.&pe=lnk_o&pev2=weatherdatarefreshrequested&a.&Resolution=640x1136&AppID=iPhone 6.2.1 (420573)&TimeSinceLaunch=58&DeviceName=iPhone6,1&action=weather:data-refresh-requested&OSVersion=iOS 7.1.2&CarrierName=Verizon&.a&actionTracking=weatherdatarefreshrequested&.c&ts=1408722639&aid=431F9AD4E6BB4875-36C94AF890F3FE33&ce=UTF-8&pe=lnk_o&pageName=iPhone/420573&pev2=AMACTION:weather:data-refresh-requested&AQE=1
Seems mostly innocuous. But what is it doing with the data?
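A way to answer "what is it doing with the data" for yourself is to decode the beacon and list which parameters describe the device and its owner rather than the page. The Python below is an added example, not the deck's code or anything from the analytics vendor; it parses the full URL above with the standard library. The plain-language labels are this example's reading of the parameter names, not vendor documentation, and the UTC-4 offset is the US Eastern offset implied by the slide's "11:50:39 AM".

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# The analytics beacon URL from the speaker notes, verbatim.
BEACON_URL = (
    "http://or1.sc.omtrdc.net/b/ss/twciiphonescroll/0/OIP-4.1.0/s18379378?AQB=1&ndh=1"
    "&t=00/00/0000 00:00:00 0 240&c.&pe=lnk_o&pev2=weatherdatarefreshrequested&a."
    "&Resolution=640x1136&AppID=iPhone 6.2.1 (420573)&TimeSinceLaunch=58&DeviceName=iPhone6,1"
    "&action=weather:data-refresh-requested&OSVersion=iOS 7.1.2&CarrierName=Verizon&.a"
    "&actionTracking=weatherdatarefreshrequested&.c&ts=1408722639"
    "&aid=431F9AD4E6BB4875-36C94AF890F3FE33&ce=UTF-8&pe=lnk_o&pageName=iPhone/420573"
    "&pev2=AMACTION:weather:data-refresh-requested&AQE=1"
)

# Parameters that describe the device or the person rather than the page. The labels are
# this example's interpretation of the names (assumption), not vendor documentation.
EXPOSED = {
    "DeviceName": "hardware model",
    "OSVersion": "OS version",
    "CarrierName": "mobile carrier",
    "Resolution": "screen resolution",
    "AppID": "app build",
    "TimeSinceLaunch": "seconds since app launch",
    "aid": "persistent visitor id (links this hit to every other hit from the same install)",
}


def parse_beacon(url):
    """Split a beacon URL into host, path and a dict of query parameters (first value wins).
    keep_blank_values keeps the bare 'c.' / 'a.' grouping markers visible too."""
    parts = urlsplit(url)
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        params.setdefault(key, value)
    return {"host": parts.hostname, "path": parts.path, "params": params}


def beacon_time(params, utc_offset_hours=-4):
    """Turn ts= (epoch seconds) into wall-clock time; -4 is the slide's US Eastern offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(int(params["ts"]), tz)


def exposed_fields(url):
    """(label, value) pairs for every identifying parameter present in the beacon."""
    params = parse_beacon(url)["params"]
    found = [(label, params[key]) for key, label in EXPOSED.items() if key in params]
    if "ts" in params:
        found.append(("event time", beacon_time(params).strftime("%m/%d/%Y %I:%M:%S %p %Z")))
    return found


if __name__ == "__main__":
    for label, value in exposed_fields(BEACON_URL):
        print("%-80s %s" % (label, value))
```

Nothing in the hit is a name or an account, which is what makes it "mostly innocuous"; the `aid` value is what turns a stream of such hits into one device's history, and that history is what the next note is about.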
Facebook and other frequently used services might use this data for direct marketing.
Wikipedia records and displays IP address for content changes (ref: Diebold changes from Diebold, Snowden changes from US Senate).
Browser fingerprinting.
Home automation can reveal a great deal about patterns.
Apple MAC address range is DC:9B:9C:00:00:00 - DC:9B:9C:FF:FF:FF
Connected devices use the Wi-Fi router’s DNS lookup.
Just by using a wireless access network, your profile can be cobbled together and used against you.
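The three pieces the Wi-Fi dialogue on slides 15 and 16 hands to an access point (the MAC address, the device hostname and the DNS lookups) combine into exactly the profile described here. The Python below is an added example, not the deck's code, written from the angle of auditing what your own devices disclose when they join a network: the vendor table holds only the Apple range quoted in the notes, the hostname and DNS query are the slide's own values, and the `registrable_domain` heuristic (last two labels) is a simplification. It also flags locally administered addresses, which is how the randomized MACs mentioned on slide 30 show up and why they defeat the vendor lookup.

```python
import re

# Vendor assignment by MAC range. Only the Apple range from the speaker notes is listed;
# a real lookup would load the IEEE OUI registry.
OUI_RANGES = [
    (0xDC9B9C000000, 0xDC9B9CFFFFFF, "Apple"),
]

# Default Apple naming: "<owner>'s <model>" (both ASCII and curly apostrophes occur).
HOSTNAME_RE = re.compile(r"^(?P<owner>.+?)[’']s (?P<model>.+)$")


def mac_to_int(mac):
    """Accept DC:9B:9C:xx:xx:xx, dc-9b-9c-xx-xx-xx or dc9b9cxxxxxx; the slide's 'x'
    placeholders are read as zero so the vendor part still resolves."""
    digits = re.sub(r"[^0-9A-Fa-fXx]", "", mac).lower().replace("x", "0")
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return int(digits, 16)


def vendor_for_mac(mac):
    """Map a MAC address to a vendor via the range table (None if unknown)."""
    value = mac_to_int(mac)
    for lo, hi, vendor in OUI_RANGES:
        if lo <= value <= hi:
            return vendor
    return None


def is_locally_administered(mac):
    """Bit 1 of the first octet set means locally administered. Randomized addresses use
    this bit, so they carry no vendor information and cannot be matched in OUI_RANGES."""
    return bool((mac_to_int(mac) >> 40) & 0x02)


def split_hostname(hostname):
    """'Rob Barnes’s iPhone 5' -> owner 'Rob Barnes', model 'iPhone 5'."""
    m = HOSTNAME_RE.match(hostname)
    if not m:
        return {"owner": None, "model": hostname}
    return {"owner": m["owner"], "model": m["model"]}


def registrable_domain(name):
    """Naive heuristic (assumption): the last two labels, email.mycompany.com -> mycompany.com."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def profile_client(mac, hostname, dns_queries):
    """Everything the access point learned from the join plus the client's DNS lookups."""
    randomized = is_locally_administered(mac)
    return {
        "vendor": None if randomized else vendor_for_mac(mac),
        "randomized_mac": randomized,
        **split_hostname(hostname),
        "organizations": sorted({registrable_domain(q) for q in dns_queries}),
    }


# Constructed join record using the slide's hostname and DNS query; the MAC suffix is made up.
SLIDE_JOIN = dict(
    mac="DC:9B:9C:12:34:56",
    hostname="Rob Barnes’s iPhone 5",
    dns_queries=["email.mycompany.com", "www.mycompany.com"],
)

if __name__ == "__main__":
    print(profile_client(**SLIDE_JOIN))
```

Renaming the device away from the "<owner>'s <model>" default removes the owner field outright, and a randomized MAC removes the vendor; the DNS lookups are the part only a trusted network or a VPN fixes, which is the reasoning behind the "do not connect to untrusted networks" advice on slide 28.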
At least this information is just stored on the device. Or is it? Where are backups stored? How are they protected? Is the backup included with service-managed backups?
Autojoining known networks.
Tracking MAC addresses is like tracking people with video surveillance.
MAC tracking is already being done in supermarkets to create customer traffic heatmaps. MAC tracking improves on camera-based tracking because it can identify unique devices (you) and perhaps your identity.
Where is the milk located? Where is the produce? Supermarkets can use heatmaps to analyze shopper traffic.
Your device can often be associated with some other factor that when together can identify you with your phone.
In one example, a company compiled a profile of a customer whom it expected was pregnant and sent coupons to the house of a man who didn’t realize his daughter was pregnant.
Case study: John McAfee
Wanted in Belize
Picture taken in Guatemala
Consider
pictures of kids
pictures of white boards at work locations
Smart phones can include an X-Mailer header that divulges device details.
Do you use hands-free in the car?
Have you transferred the contact information to the car?
Do you still have the car?
Did you wipe the contact information from your car?