The general belief is that a mobile device that is locked, encrypted and protected with a PIN or biometrics is a secure device. The truth is, the major OSes, including iOS and Android, help and encourage you to downgrade security on locked devices through certain features and default to insecure settings. Personal assistants on mobile devices are very popular. Siri, OK Google and Cortana are just a few of them. They can perform multiple tasks including making calls, sending emails and reading SMS, among other sensitive actions. How secure are they? Can we trust our personal assistants to keep our data safe? How about displaying your notifications on the lock screen?
On the other hand, with the proliferation of cheap SDR hardware, DIY IMSI catchers, open source tools and still-supported broken GSM protocols, targeting mobile communications is easier than ever. But what are the real consequences? It is well known that SMS is not a secure channel, but the industry is still hesitant to move away from it. This presentation is yet another nail in the SMS coffin and aims to help push the industry away from supporting it. Ransombile is a tool that can be used in different scenarios to compromise someone's digital life in less than 2 minutes. Email accounts, financial data, social networks... all gone. Have you ever left your phone on the desk unattended? Do you believe losing your phone only impacts your wallet? Do you feel safe crossing the border when entering the USA, since they can't force you to reveal the passcode? This presentation is for you.
2. Martin Vigo
Product Security Lead
From Galicia, Spain
Research | Scuba | Gin tonics
@martin_vigo - martinvigo.com
Amstrad CPC 6128
Captured while playing “La Abadía del Crimen”
11. Well known issues for years
“Changing the pre-registered telephone number SHALL
NOT be possible without two-factor authentication at the
time of the change. OOB using SMS is deprecated,
and will no longer be allowed in future releases of this
guidance.”
17. Attack vector
1. Obtain victim’s email
2. Use it to initiate password reset in all services
3. Obtain secret codes from SMS
4. Use them to complete password reset process in all services
5. Set new passwords
22. Ransombile
Ransomware + Mobile
Automates the entire password reset process
over SMS
Uses Selenium for UI automation rather than APIs
(there is even a Firefox plugin that records
your mouse movements and generates the code
for you)
Does not require any backend/API knowledge
to add new SMS services
24. Ransombile …
1. “Send an email to victim.ransom@gmail.com about subject saying content”
2. Get email address
3. Initiate password reset process
4. Send codes over SMS
5. Read codes and enter in Ransombile
6. Send secret codes and complete password reset
28. Conclusions
A locked mobile device is still insecure
Unattended mobile devices can be a bigger risk than unattended
computers and companies tend to ignore this
Consequences of losing your phone are not only monetary
29. Can we do better?
Getting rid of the physical access requirement
30. Attack vector
1. Obtain victim’s email
2. Use it to initiate password reset in all services
3. Obtain secret codes from SMS
4. Use them to complete password reset process in
all services
5. Set new passwords
Requires physical access
31. Obtain victim’s email without physical access
Chaouki Kasmi & Jose Lopes Esteves, “Remote Command Injection on Modern Smartphones”
Nicholas Carlini, Pratyush Mishra, Tavish Vaidya, Yuankai Zhang, Micah Sherr, Clay Shields, David Wagner & Wenchao Zhou, “Hidden Voice Commands”
Guoming Zhang, Chen Yan, Xiaoyu Ji, Taimin Zhang, Tianchen Zhang & Wenyuan Xu, “DolphinAttack: Inaudible Voice Commands”
33. Obtain secret codes from SMS
without physical access
SS7 attacks
2G downgrade attacks and broken A5/1 cipher
Femtocells
DEF CON 21 - Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell
DEF CON 18 - Kristin Paget - Practical Cellphone Spying
CCC - Tobias Engel - SS7: Locate. Track. Manipulate.
SIM Swapping
34. Conclusions
It is possible to perform these attacks without physical access to the device
(In theory…) POC||GTFO
SMS wasn’t designed with security in mind
nor to be used as a secure channel
Online services should encourage app-based temp codes
and make SMS opt-in
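The service-side recommendation above (app-based temporary codes first, SMS only as an opt-in) and the NIST guidance quoted on slide 11 (no phone-number change without a second factor at the time of the change) can be expressed as a small reset policy. This is an added example and not code from the Ransombile tool or the talk; the user records, the RFC 6238 reference secret and the email-link fallback are constructed assumptions.

```python
"""Service-side password-reset policy with app-based codes.

Added example; it is not code from the Ransombile tool or the talk. It
models the service-side recommendations on the slides: app-based temporary
codes are preferred, SMS challenges are opt-in, and the registered phone
number cannot change without a second factor at the time of the change
(the NIST SP 800-63B wording quoted on slide 11). User records, secrets
and the email-link fallback are constructed assumptions for the example.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    email: str
    totp_secret: Optional[bytes] = None   # None until an authenticator app is enrolled
    phone: Optional[str] = None
    sms_codes_opt_in: bool = False        # SMS challenges stay off unless the user turns them on


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at + delta * step, step), code)
        for delta in range(-window, window + 1)
    )


def choose_reset_channel(user: User) -> str:
    """Select how a password-reset challenge is delivered.

    Preference order: authenticator app, then SMS only if the user opted in,
    then a link to the registered mailbox (an assumed fallback for this example).
    """
    if user.totp_secret:
        return "totp"
    if user.phone and user.sms_codes_opt_in:
        return "sms"
    return "email-link"


def change_phone_number(user: User, new_phone: str, second_factor: str, at: int) -> bool:
    """Allow a phone-number change only with a fresh second factor at the time of the change."""
    if user.totp_secret is None or not verify_totp(user.totp_secret, second_factor, at):
        return False
    user.phone = new_phone
    return True


if __name__ == "__main__":
    # Constructed records; the secret is the RFC 6238 reference key.
    alice = User("alice@example.test", totp_secret=b"12345678901234567890")
    bob = User("bob@example.test", phone="+15550100")
    print(choose_reset_channel(alice), choose_reset_channel(bob))
    print(change_phone_number(bob, "+15550199", "000000", at=59))
    print(change_phone_number(alice, "+15550199", totp(alice.totp_secret, 59), at=59))
```

A user with only a phone number and no opt-in never receives an SMS challenge, so an attacker who can read the victim's SMS (slide 33) gets nothing to relay; a user who has not enrolled an authenticator app cannot re-point the phone number at all, which closes the SIM-swap path into the reset flow.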
35. Recommendations for you
Don’t leave your mobile device unattended
Disable the assistant in the lock screen
Disable notifications preview in the lock screen
Use apps for 2FA
Don’t provide your phone number if not required
unless it’s the only way to get 2FA
use a virtual number to prevent OSINT and SIM swapping attacks
Check the settings to disable security challenges over SMS
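For "Disable notifications preview in the lock screen" on a fleet of Android devices, the relevant switches live in the Settings.Secure table and can be audited from a `settings list secure` dump. The script below is an added example, not part of the talk: it flags `lock_screen_show_notifications` and `lock_screen_allow_private_notifications` when they are enabled; the assistant-on-lock-screen toggle is an app setting rather than a row in this table, so the script does not cover it. The sample dump is constructed.

```python
"""Audit Android lock-screen notification settings from a `settings` dump.

Added example, not part of the talk. It parses the key=value lines that
`adb shell settings list secure` prints and flags the two Settings.Secure
keys that control notifications on the lock screen. The assistant-on-lock-
screen setting lives in the assistant app, not in this table, so it is not
covered here. SAMPLE_DUMP is constructed.
"""
import subprocess
from typing import Dict, List, Optional, Tuple

# (key, value that exposes content while locked, finding text)
CHECKS = [
    ("lock_screen_show_notifications", "1",
     "notifications are shown on the lock screen"),
    ("lock_screen_allow_private_notifications", "1",
     "notification content (previews) is visible while the device is locked"),
]

# Constructed dump in the format `settings list secure` prints.
SAMPLE_DUMP = """\
lock_screen_show_notifications=1
lock_screen_allow_private_notifications=1
lock_screen_lock_after_timeout=5000
"""


def parse_settings(dump: str) -> Dict[str, str]:
    """Turn `key=value` lines into a dict; blank or malformed lines are skipped."""
    out: Dict[str, str] = {}
    for line in dump.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def audit_lock_screen(dump: str) -> List[Tuple[str, str]]:
    """Return (key, finding) pairs for settings that expose content while locked."""
    settings = parse_settings(dump)
    return [(key, text) for key, risky, text in CHECKS if settings.get(key) == risky]


def dump_from_device(serial: Optional[str] = None) -> str:
    """Fetch the live table over adb (needs a connected, USB-debugging-authorised device)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "settings", "list", "secure"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for key, text in audit_lock_screen(SAMPLE_DUMP):
        print(f"{key}: {text}")
```

Replace `SAMPLE_DUMP` with `dump_from_device()` to check a real handset; a value of `0` for both keys corresponds to the slide's recommendation, and the private-notifications flag only matters when notifications are shown at all, so both are reported independently.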