
On our fear and apathy towards smartphone attacks


Formal Metadata

Title
On our fear and apathy towards smartphone attacks
Number of Parts
126
License
CC Attribution - ShareAlike 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this

Content Metadata

Abstract
Crowdsourcing mobile network security assessments.
Transcript: English (auto-generated)
Good morning. Thanks a lot for coming.
As the title of the presentation suggests, we're going to do this in English. This will be a challenge for me and none for Ben, who is a native speaker. We got the idea for this presentation during our work in mobile network and mobile phone security, where you engage in all this research and develop all these complicated attacks and threat scenarios
and talk about them all the time. And then you get a call from your mother at night and she says, well, nice, but how can I protect myself? And you just realize you're not able to answer that question. So we thought about the measures that users can take to protect themselves against at least the most prominent threat scenarios.
We want to introduce those and show you how you can protect yourselves. All right. And today we're going to be talking first about attacks on lost and stolen phones.
And as the title of the talk mentions, this is about not only fear but also apathy. So first I want to convince you to not be so apathetic about the security of the data on your phones. But I also do want to relieve unfounded fears.
So first let's think about what kind of data is actually stored on my iPhone, for example. This is just one page of apps and it has apps on there that if a thief had access to them,
would give him immediate access to all of my email, all of my messaging accounts, my cloud storage, I use Dropbox. My photos also contain geotagging information so they could see where those photos were taken and figure out where I live or where even my secret girlfriend lives because I took photos at her house as well.
My calendars, my social networks, all my friends, all my contacts, their birth dates, locally stored documents on the phone. And that's just immediate access.
The phone also gives a potential attacker the means to escalate his privileges. So he can have SMS sent to the phone that will allow him to gain access to other online accounts that he realizes I have by looking at the phone.
I have an authentication token program on there that will give him the second factor that he needs to get into other accounts. And he also, of course, has my SIM card so he can send SMS and receive SMS and also make phone calls
and create huge social engineering attacks, which I'll try to demonstrate in a little minute. So even though we have all of this on our phones, it turns out that most users don't protect their phones at all.
Most people don't have a PIN. This graph was made from data from June 2013 by Consumer Reports that usually do a good job getting data. But it is, of course, biased towards the U.S. crowd.
I hope this audience does have a PIN already. But if this were an American audience, there would be a 64% chance that you don't have a PIN. There's a 23% chance that you have a four-digit PIN. I'll go into that in a little bit more detail in a minute.
And there is only 13% of you that have something other than a PIN. So for a lot of Android users, that's the swipe pattern that you see on the screen. Some versions of Android have face recognition. Newer phones have fingerprint.
So back when this data was collected, there weren't many fingerprint phones in the U.S., but nonetheless. So I'll show you first what can happen to the 64% of you that don't have any protection at all.
So this is a short video that I made last October when I found kind of a loophole in the new iOS that had just come out that allowed an attacker to even get around the protection that you're supposed to have by sending out a wipe command to your phone.
So the attacker is already in the phone, but there's a wipe command on it.
There's a wipe command on it. You can see it's in airplane mode. He just goes in and sees the email address that the phone is registered to. Then on his computer, he goes to iforgot.apple.com and has a password reset email sent to the owner of the account.
Because he has the phone, he can just connect it to Wi-Fi for just a second and wait until he hears a ping. In a minute, you would hear a ping if there were one. The attacker hears a ping and turns off Wi-Fi.
The ping means that the password reset token just arrived. He goes into the email account. How to reset your Apple ID and password? Here we go. So there's a wipe command on the phone. The owner who lost the phone on the subway or was mugged and had it stolen immediately sent a wipe command.
But it doesn't matter. He just turned on airplane mode or took the SIM card out or did any number of other things to keep the wipe command from coming. But email gets retrieved first. So he just waits a couple of seconds. So point being, even the protection mechanisms that are in place aren't enough unless you protect your data.
Now let's talk about four-digit PINs. This is the responsible 23% compared to the 64% that have nothing. Four-digit PINs were invented to protect 10-pound ATM withdrawals in the 60s.
Now, 10 pounds back in the 60s was a lot of money. But the PINs were truly random. They weren't chosen by the users. They were limited to three attempts. And you weren't allowed to change the PINs to make it, say, one, two, three,
four, which is, of course, on the top of everyone's mind as the most obvious PIN. And all of the password leaks agree.
1234 is the most common PIN. In fact, it's 11% roughly. About one in ten of you, if you were American or Korean or whoever had their data leaked, would have the PIN 1234. Does anyone have that PIN?
No? Well, if you see your PIN on this list, change it now. This presentation, you can kind of play along. You can change things as we go along, hopefully, and feel a lot more secure when you leave. But also more conscious that there are a few dangers out there.
So the top ten PINs represent 17%. So this data comes from Justin Engler's project. He put together other people's. Nick Berry's data is on the right.
He put together a bunch of data from all over the place. Real password leaks and then kind of artificially stolen PINs. But it's a pretty realistic estimate compared to previous estimates of what the most common PINs are. Now, you see on there, 0000 is a very common one, as are repeated individual digits.
But then there are some seemingly random ones. So, for example, 2580. If you look at the keypad, it becomes pretty obvious that people are lazy, though. 2580 is straight down the middle. Now, 5683. That one's truly random.
Why is it in the top ten? Well, if you ever watch the movie Hackers from 1992 starring Angelina Jolie, love is the most common password. And that spells L-O-V-E on the keypad. In Korea, I hear 1004 is the most common PIN, or one of the most common PINs,
because Jeon-sa, anyone speak Korean, means angel. And it also sounds like 1004. Now, so a four-digit PIN should give an attacker a zero... So, typing in ten PINs should give an attacker 0.1% chance of unlocking your phone.
Turns out he has about a one in five chance. Now, a nine-digit PIN should give an attacker about a one in ten to the sixth chance. The top ten should give an attacker one in ten to the sixth.
It ends up giving him 45%, because people are lazy. Right? So, 123456789 is not a nine-digit passcode. It's not. It's the first guess anyone would make.
So, only long, truly random PINs can make your device secure. And before you think that brute forcing a PIN is something that no one would ever do, think about the time it would take. On Android, it would take me a maximum of six hours with default settings
to have a four in five chance. So, if I have 100 phones, I'll get into 80 of them within six hours. And I can do that using a handy 3D printable robot released last year at DEF CON by Justin Engler.
It's called R2-B2, and this is what it does. It goes through the list from top to bottom, because that's the most efficient way. You can see up there, it's not going 1234, it's actually going through the probability list.
There you go, the fifth most common. So, a four-digit PIN, if it's one of the ones that are more likely, is not good protection at all. But also, why four digits?
You saw on the previous slide, the iPhone, if you have a simple passcode, gives away that you have a four-digit PIN. Why does anyone need to know that you have a four-digit PIN? It could just, say, enter your passcode, and you could enter whatever you like,
but it gives away that you have a four-digit PIN, so the brute forces know exactly what to do. Four digits is completely arbitrary. The inventor of the ATM and PIN said that his wife told him that she thought four digits would be a good number for ATM PINs back in the 60s,
so that became the world standard and is somehow set in our minds as what it's supposed to be. Now, that was the 23% of pretty responsible people. What about the 13 that think they're tricking the system, or think they're doing something out of the ordinary?
Well, non-password PINs are also not necessarily secure. The newest version of Android basically says as much, so a swipe is just so it doesn't unlock in your pocket, there's no security at all. A pattern is what you see in the middle, right here, and that's those patterns that you swipe onto the phone,
and it turns out you put it in your pocket, you take it back out, you can still see the swipe on the phone, the swipe pattern. They're easy to forget as well, so they're backed up by a PIN. So, even if you couldn't break the swipe, you can break the PIN through brute forcing,
and people are lazy about PINs, so it doesn't matter. Now, fingerprints. Fingerprints are pretty interesting. Some of you might recall last September when the Chaos Computer Club here in Berlin and Starbug broke into Apple's Touch ID.
Touch ID had a bounty on it. I think it was $10,000 and a porn book and a bottle of whiskey and all kinds of stuff. It was prizes that everyone really wanted, so there was a lot of competition, and sadly, Starbug actually beat me to it and got into Touch ID.
But the reason why fingerprints aren't so secure and the way that the Chaos Computer Club and I can get into phones and anyone who follows my handy instruction manual later is because your fingerprints are left all over the place,
even on the phones they protect. Also, you can't get rid of your fingerprint as easily as you can the PIN 1234. You can only do that 10 times, and then you have to start using your toes, and then it's done. I've changed my password hundreds of times, and I still have as many left as I could ever need.
And also, even on the newest devices that try to do better, they're backed up by a PIN or passcode anyway because maybe the sensor will fail.
So I mentioned my handy dandy instruction manual. Linus, can you be my cameraman for a minute? Let's hope this works. Wait, this is great.
Okay. So command F1, I hear. There we go. Done. Someone just tweeted, if you have one of these pins, change it now. Thanks.
Okay. Come on. Okay. Is this going to work? Yes. Magic. All right. Cameraman, just feel my hand.
So the way that you can spoof a fingerprint, first, get a fingerprint. It may be difficult to see, but with the right lighting, you can find it. And then you take a photo. You just take a photo of the fingerprint.
Last year, I did it with my iPhone 4S. I've since upgraded to the phone that I hacked. Then you edit the photo. You make it black and white, increase the contrast, and print it out on one of these overhead projector foils
or specifically kind of this milky white paper. Then you put it on a PCB. This didn't used to have fingerprints on it before I exposed and developed and etched this PCB.
There you go with my fingerprints. Then you go to the hardware store and buy some graphite lubrication spray. Let it dry.
Don't inhale. Wood glue? You got it? I got it.
Okay. Get some wood glue, smear it around on there. And then magically, just like in any good cooking show, it dries.
And what's Vorführeffekt called in English? You're the native speaker. The thing is, this usually works. This has worked a hundred times and now we're going to try it live on stage. So that's why it probably won't work. Okay. Oh, wait. I need to warm it up first. It's a cold morning.
Wood glue is a non-Newtonian fluid for anyone who's interested. What does that mean? It means that like silly putty, it can actually crack.
Even though it should kind of be flexible. Okay. And then you peel it off. All right. The moment of truth. I took the fingerprint off of his phone. You can see the owner can get in with his finger.
Moment of truth. Here we go. Ooh, it's ripped a little bit.
So I believe that's a world's first. I believe that's a world's first. That's a live, a completely live demonstration. This, yeah, absolutely no cheating. Not even a camera cut. It's brilliant. Just a bit of preparation.
Yeah. All right. So is this going to work? It worked. Okay. So here's the recipe for anyone who wants to quickly take a photo of it. For anyone who's a fingerprint aficionado, yes, this is Starbug's fingerprint.
I just went through the entire recipe with you, so I'll go to the next slide. So hopefully I've made you a little bit afraid.
So hopefully I've instilled a little bit of fear about being apathetic. Now, what can you do to fix these security problems that everyone faces? So for one thing, you can limit the number of times that a thief can even try a PIN.
Brute forcing doesn't work on an ATM because it's limited to three tries and then the machine eats your card and it's over. So this is online brute forcing that doesn't work. Limit your PIN to a set number of times and ideally have the phone erase all of the data.
Destroy it. You have a backup anyway, right? Depending on who you work for, you might have a Microsoft Exchange account or something else. My phone has an Exchange account which is why the button down there under erase data
is a little bit hazy. I can't even turn that feature off. Another feature is find my iPhone. In the video earlier, the thief was able to get around find my iPhone and get around the remote wipe feature by sending a password reset email to himself and he then was
able to actually own the phone. He would have been able to sell it. But it's still a nice backup. Thieves are also stupid. So basically not just cell phone users but also cell phone thieves are lazy and stupid.
So here for iPhone users, we have the exact instructions. This is only for iPhone because we figured that anyone who uses Android already knows how to use Bing.
So another thing that you can do is turn on command and control, sorry, turn off the preview function in the control and notification center. So you just saw a PIN, actually a TAN, a transaction number arrive on my phone.
This is a real transaction number and by playing around with that, I really got my account locked. Thank you. But Linus mentions an attack later on where you can use a transaction number to basically steal any amount of money you like
from an account that you've taken over otherwise. I think here in Germany has a five-digit password, which I'm not sure that's long enough. But combined with this, it's definitely not long enough.
So turn off these message previews. Next time you're at your mother-in-law's house and you get an embarrassing message that you don't want your mother-in-law to see, it's also a nice feature. Turn off these previews. You can go to settings, notification center, messages, and turn off show preview.
Another feature that a lot of people aren't very aware of, and I think there was a Heise article yesterday on Siri that kind of exposed these virtual assistants or voice assistants.
Let's see if I can do this. Pardon. Okay, here we go.
Ooh, photographiona is now following me. Turn off these previews. So you can see it says slide to unlock.
And there's no way that I could get into this because you can't even guess what my PIN is. Okay. Cancel. So what do I do? I'm a thief. I find this phone on the subway. Who's my girlfriend?
Okay.
Okay, so here's the contact information for fakegirlfriend.gmail.com. Send a message to my girlfriend. Babe, I need help. Send me $1,000 by Western Union and send me the transaction number.
Come on, internet. That worked. Come on, internet. Okay, I did that from a locked phone. I can do that to my mom, to my brother, to everyone.
It doesn't need to be my voice. And anyone can do this on my phone. The article yesterday exposed that by making an unclear request, so not who's my girlfriend, but give me Dr. Schnemmerer.
You'll ask which one of these doctors and then you press other and you get into the entire address book with all of their birth dates, all of their addresses, all of their information, and all the tools you need to do this kind of social engineering attack.
Okay, back into the presentation. Time's still running. So, the way you deactivate this is go into settings, passcode or touch ID and passcode on iOS,
sorry, on the iPhone 5S, and just deactivate everything that's there. And don't let your tweets show up in front of an audience of hundreds of people. So, a few things that you can do will drastically increase your protection from this kind of attack.
First, activate the screen lock at all. Even 1111 is a little bit, maybe better than nothing. But use a long random PIN or better yet passcode using alphanumeric characters.
Thank you, that's the word. Deactivate the bypass possibilities. So, that was Siri just now. Deactivate the bypass possibilities I just talked about and keep a password reset account off of your phone.
So, if you lose your phone, you don't want the thief to have the exact same email account that you do now. So, keep a separate email account for your password resets, ideally.
After that, that's hopefully relieving some of your fears, giving you some tools that you can use to feel better about phone security. And I'll pass it on to Linus for remote attacks. Thanks a lot.
So, remote attacks are of course one thing that everybody thinks about when they talk about smartphones because you have this neat little device that has so many sensors and so many functionalities. And an open source operating system and lots of people that want to download software for it.
So, you really, really want to infect such a phone when you're an attacker. And consequently, of course, people are very afraid that that may happen to them. And they have all kinds of theories of how their phone was hacked and what strange things happened to them. And yesterday, suddenly it crashed and there was something else on the screen.
And I believe somebody, you know, I think they're after me. So, what we want to show here is the kind of malware that is actually built for smartphones and that we actually see out there in the wild. And of course, in the end, give you at least some hints on how to avoid these types of infections.
The number one type of malware, surprisingly, is targeting money yet again, as attackers usually do. So, this is a piece of malware that sends premium SMS. You may know this service. It's oftentimes advertised for donations. You know, you send an SMS with I love all children now to donate $10 to the Children Protection Foundation.
And anybody can register such a number. Attackers can do too. So, what you do is you just build a little piece of malware, put it out there in the wild, advertise it as a, you know, cracked application, which is quite easy for Android applications since they're built in a Java derivative.
So, you can actually merge infections into existing programs with just a reasonable effort. And then you just distribute this cracked application to users. Or oftentimes it's also found in these kind of useful tools, easy to program stuff that you find on markets.
Like, look at my little flashlight app. Isn't that a great idea? You can use your cell phone as a flashlight. Download this now. It's free. So, you hide this in there. People willfully install your software. And then what you do is you have this piece of malware connect to the internet to find out where it's supposed to send premium SMS to.
And it sends these SMS without alerting the user. Now, these premium SMS are then conveniently billed to your phone bill. And if you just keep it low and you don't get too greedy, or you satisfy your greed by infecting a lot of phones instead of sending hundreds of messages from one phone,
chances are you go unnoticed for quite a while. So, a dollar or five from one account likely nobody will notice. So, this is one thing we see quite a lot out there. Recently there was a little variation of this where the attackers did not actually do this to get the money themselves,
but to just save the money. So, they were paying for other services. So, paid content services on the internet that were targeting adults that were paid by these SMS. And you needed to send an SMS there and then you received a token back that would give you access. And they were aiming for these tokens.
So, the malware was also stealing SMS from the users. Another thing we see, not as much as I thought we would see it, but still it's out there, is spy malware. So, that's what people are afraid of, right? So, your phone is infected by somebody that then intercepts your short messages, keeps your call log,
and may turn on the microphone remotely, those kinds of scary attacks that people would do on you. Turns out, it doesn't seem to be the government that does it, it seems like it's your boyfriend that does it. So, people infect other people's phones with malware that is available as a service on the internet.
And this malware actually does all these attacks, completely takes over the phone, and leaks all the data to a service in the cloud, where then the attacker can conveniently log in and see what their target was doing. So, not only is the data leaked to one of your closest friends that was able to infect your phone while they had their hands on it,
it's also leaked to this data service that they're using. Fortunately, these guys don't have a remote infection service. So, again, everything that Ben just told you helps you to defend against this attack.
One more thing, this is a beautiful one, I have to admit. When online banks started moving from these TAN lists that people just didn't like anymore, because they were losing them, or they were just scanning them and storing them to their computer,
they moved from these TAN lists to SMS authentication. So, not only do I need to have the password to log into my online banking application, I also need to possess my phone to receive the authentication token that the bank sends to me when I want to wire transfer money somewhere.
So, that, of course, kind of ruined the whole thing for attackers that wanted to, that used Trojans on computers to just sniff the banking credentials and then cut off the connection in the moment that you're typing in the TAN,
to steal the TAN and then make their own transaction, or different variations of this attack in a man-in-the-middle fashion. So, banks move from sending SMS to the user that say, you want to transfer this amount to the following account number, and this is the authentication token.
So, this is actually an increase in security, because the authentication token is then limited to this single transaction. And all the attackers that built malware to sniff online banking now needed to also move to the phone. So, what they did was they added something to their malware that displays warnings to the user and says,
your computer is fine, you're secure, but we worry about your smartphone. Why don't you download this little security edition from this website that we have here for you to make sure that your phone is secure as well? User does that and has an SMS Trojan on his phone
that enables the attacker to selectively hide messages that the phone receives and instead forward them to the attacker. So, the attacker has infected the computer, has the banking credentials, then tells the phone to listen. There will be an SMS. Please don't display that to the user.
Just forward the contents to my server so I can finish my banking transactions. So, there's a few ways around it. As usual, try not to get your phone infected. If you can live with some less convenience, you may want to opt for one of those flicker code readers, but of course, you can tell that they are definitely a drawback in terms of security.
So, what do you want to do against those remote attacks? Try to stay away from pirated applications. Install only what you actually need on your phone and don't trust security advice you didn't ask for unless it came from us.
So, I want to finish this presentation with just a few words on the stuff that we usually do, that our team usually publishes on, and those are the weaknesses of mobile networks. So, these are the things where your degrees of freedom of protection are quite limited.
So, I also want to talk a little bit about these. We generally categorize three types of attacks that mobile networks facilitate. The first and most obvious one is tracking of your location. The mobile network needs to know where you are so that it can make your phone ring.
It's impossible for all mobile networks all around the world to send the signal, hey, there's a call for Linus at this moment, all over the world. So, the mobile network knows roughly where I am, which is fine, and it's needed for the mobile network's operation. Unfortunately, some mobile networks tend to disclose this information
to other parties in what is called the SS7 network, which is where mobile networks interconnect with other mobile networks. And this has led some people to create business models where they offer tracking services. So, there are websites on the internet where you can type in a phone number,
and it will tell you where this person is at the moment. There are network operators that don't support these services, and you're probably well off to choose one of those if you want to be protected from those type of attacks. Intercept is, of course, the most famous attack on mobile phones, demonstrated, I guess, by now oftentimes,
often enough by people of our team and people of other security teams so that you read other people's SMS while sniffing them from over the air. So, there's nothing you have. There's just an antenna. Nothing anybody can detect. You just sniff the transaction and decrypt it.
I think a very convenient way and a cool way, in a sense, around this is to use end-to-end encryption applications. There are a lot out there. I'm not going to tell you which one to buy on the preferred Android or iOS market that you want to opt for.
And I guess when you get to this point, this is where security often becomes, well, where people overestimate how important security is or how secure security needs to be.
So, oftentimes, there are people that say, well, but this is a closed source application and I can't trust the people that issue this and this is using a key length of only 128-bit and the NSA only needs 10 years on a supercomputer to crack it and I don't trust these guys. The point is, you're probably better off in using one of these applications than you're off if you're not using one.
So, I definitely encourage the use of these kind of apps and special phones also for just calling your mom and telling her how to secure a phone. Also, of course, you may want to opt for networks that have better types of encryption running. One last attack, Ben already talked a bit about it,
is the impersonation attack where you steal another user's identity and then perform actions on their behalf, for example, sending premium SMS. Now, I talked a lot about how you should choose a network that is more secure than the other and, of course, if I tell you to do that,
I probably also need to tell you how you can do it. So, this is why we operate a little website called GSM Map where we measure and assess the security of mobile networks all around the world. So, what you see here are some countries in Germany and the color indicates how secure the networks are in this country in general
and then if you look at the country, you can see how the networks in that country perform. So, we're doing quite okay in Europe, I may say. And this, for example, is the intercept protection in Germany. Needless to say, we've covered, I think, far more than 50 countries by now.
I forgot to count them again. We do the risk analysis in the three dimensions that I just explained and we now recently added a longitudinal perspective where you can see how mobile network security developed from back in 2011 when we started doing this.
So, this is the development in Germany. So, you see some networks don't really change their configuration over time. Some other networks do. And one interesting effect I see here is that at the end of last year, there was a sudden peak for at least three of the German networks
that then made some configuration changes. Rumors say that this has something to do with this young lady in the picture. I have to admit that I know that it's not, I mean, this is a temporal coincidence. Oh, wow. Coincidence.
This is a coincidence. It takes much longer to prepare these upgrades than just a few months or weeks. So, mobile networks in Germany are currently rolling out a more secure ciphering. And you can read all about it in our detailed country reports
that we have created for more than, I think, 27 countries on the map where we give a lot of background on how these attacks work, how you defend against them, and what security measures each network in a given country has taken to protect you. Now, of course, a big question is how do we get all this data?
And this is why I think, what I'm a bit proud of. We don't do it all by ourselves because that would be a bit too expensive to fly to every country and do the measurements. We've just created an app. So, there's an Android app that you can download to your phone, which has the feature to locate you and detect your network
and inform you about the security of the network you're currently in, and also gives you the opportunity to contribute data. So, you go through a little testing routine where the phone makes a couple of test calls, sends a couple of test SMS, has some incoming transactions,
and logs all this information and then submits it to gsmmap.org, where it will then end up in reports like these and nice colors and charts on our map. The application is available for Android. For technical reasons, it's limited to the Galaxy S2 and S3 models,
which I have to defend myself among the most common phones that we find out there, so that's why we support them. It's available on the Google Play Store or at opensource.srlabs.de for all of you who want to download and compile themselves, and I'd be glad if you would seize the opportunity to contribute to this nifty little project.
That's about the end of the presentation. I hope that you now have some ideas on how to protect your smartphone, that you'd be a bit more cautious when installing applications to it, and, of course, I'd be happy if you now take the chance to contribute some data to gsmmap.org.
Maybe not from Berlin, because we live here, so that's why we tend to contribute a lot of data from here ourselves. Thanks a lot. Questions?
And, of course, we're taking questions. That's why we finished 10 minutes early. Does anyone have any questions about anything we talked about? I think there's a microphone.
Now in English. You were talking about malware in apps. Is there a difference between iOS and Android? There is a difference. It's a difference that is mostly caused by the way Apple tries to protect their business interests.
So the Apple platform is generally more locking in, in terms of you're not even able to install pirated applications. They make it quite hard for you to jailbreak the phone, while Android makes it much easier and has all this open spirit behind it.
And the side effect of this protection of commercial interests of Apple is that we find less malware for iOS devices. Which is also good PR for them. It's also good PR for them. For example, the spy malware that I just showed is available for iOS, BlackBerry and Android.
Any other questions? And back. Hi. I use an Android device at the moment, and I've always used Android devices for quite some time.
But I don't understand why it's not possible to lock the safe mode, or the download mode for your phone, where you can't wipe the cache, reset the phone and reload it. I'm sorry, I didn't understand the beginning of the question, did you?
He uses Android. He's not sure why you can't. Lock the download mode. Lock the download mode. I'm just an ignorant iOS user. In my experience, every phone is different. Every manufacturer has a different version of Android on there.
It depends on what accounts you have on the phone. So I know, for example, that if you tie a Google account to the phone, a lot of security settings are improved. So instead of unlimited PINs, for example, you delete your phone unless you enter a Google account. On the download mode, I don't know what you're talking about.
I use a Galaxy Nexus, and I run Vanilla Android on it. And when you press all the three buttons, when your phone is off, you come to this DOS-like mode, where you can really wipe all the security that you've uploaded before,
and just restart your phone like brand new. So as soon as you've lost your phone, and someone knows how to wipe it, it's gone. You can't track it anymore. Oh, okay, well, I think that's a good thing. And I've written to Google a couple of times on their Google Plus page, and they just say it's not possible, but don't give any reasons why it's not possible to lock that mode.
And I think that you just need an app that builds a kill switch for this mode, since I'm not a programmer. So your concern is that a thief is then able to keep your device. And that's, of course, a valid concern. These devices sell for, you know, 600 euros.
So they're expensive, but that's the least of our concern, is that you lose a piece of hardware because they can be replaced. The fact that you can delete a phone, I'm actually surprised that Android doesn't have some option
to completely kill the device. They're thinking about it. But generally speaking, I tend to agree with Ben. I'm quite happy as long. You know, thieves are thieves, they got a thief. And if they thief my phone, I just want them to have the phone,
because I probably care more about the data that the phone gives access to. So my main concern is that people get access to the stuff that's on my phone. Hi, thanks for your great talk. But I think you missed two points here.
On the one hand, you did not talk about smartphone encryptions. And as far as I know, there are possibilities to encrypt your smartphone. And then when somebody finds your smartphone and turns it off, then it's blocked. So I think this is a great feature.
The second point is not that closely related to smartphones, but I think it's a very, very important point. It's the security in an open Wi-Fi against different man-in-the-middle attacks. So I would be glad if I hear something from you next time
when you talk about these points. And I've got one question. Where do I get reliable information about the smartphone malware? Because all the information I get is from the security measures manufacturers,
like antivirus manufacturers, and I don't trust their numbers. Okay, first, hardware or full disk encryption on smartphones is a great idea. It just didn't fit this presentation because it's a bit more complicated to set up and very specific to the device. Also, one of the settings that I recommended, the wipe feature,
that actually automatically bundles in encryption on the newest version of iOS. So wiping in this case is not done by deleting all 64 gigabytes of memory, but it's just by trashing the encryption key. Open Wi-Fi, lots of presentations on those, I guess.
And malware transparency, there are quite some projects out there that bundle malware that was found for phones. This is where we get most of the samples from that we analyze. And there are also projects like transparency projects operated by different users to create malware transparency.
As I'm not sure whether the ones I know are still in a private beta phase or already in a public beta phase, I'll tell you later and not on stage.
About the fingerprint attack, the PCB etching step, can it be replaced by 3D printing? I don't know. I've never seen a 3D printer that has, I think the iPhone has a sensor that reads 500 dpi.
I know that that resolution isn't required because an iPhone 4S photo taken from a meter away probably doesn't have that resolution, but that'll do. A good 3D printer should be able to do it.
There are definitely other methods. This was invented by members or a member of the CCC and they of course have PCBs and etching solution lying around. I recently found something called flash foam.
They use it to make stamps and that also gives you an immediate like instant 3D beveled surface. So that step can definitely be made easier. I think a 3D printer poses three main challenges.
First is usually they're just not that fine. So you have to spend a lot of money to get a 3D printer that is able to create such fine lines. Also, there is a reason that Ben is using this stuff because it has some physical features regarding the conductiveness of the material.
He was just talking about the mold though, not the... Ah, okay. I guess the PCB is definitely the cheaper option. Yeah, it's definitely the cheaper option at the moment. Right up here in front.
You talked one hour about pretty sophisticated data theft options. Do you have any data, any surveys from all these stolen phones in the subway how often a thief even tries to social engineer with the open email or your SMS or Siri?
So the thing is thieves don't like giving their data to scientists usually. So I don't know. We don't know. But I do know that if I found a cell phone
with no prior knowledge of the device, I would try a few things to get in. And if I needed money, then I would also be able to do it easily without any advanced computer skills. As you saw, I used wood glue, not...
And the PCB. And the PCB. The PCB step you can actually outsource. You can order it online. Yeah, I don't know any specifics, but Linus, what were you... No, I was just trying to save your ass by saying that you would only access the phone
to see whom it belongs to so that you can inform the person that lost it. If I were a criminal. I forgot that key sentence. Zero, okay. All right, so we've just been given the boot and the Oscar music is gonna start playing. So we'd like to thank you all again for coming this early in the morning.
Thanks for all of your good questions. And please contact us if you'd like to know more or have any more comments. Thanks very much.