Getting SSLizzard

Video thumbnail (Frame 0) Video thumbnail (Frame 916) Video thumbnail (Frame 1844) Video thumbnail (Frame 3087) Video thumbnail (Frame 4792) Video thumbnail (Frame 7191) Video thumbnail (Frame 9525) Video thumbnail (Frame 10848) Video thumbnail (Frame 12301) Video thumbnail (Frame 16272) Video thumbnail (Frame 19393) Video thumbnail (Frame 21063) Video thumbnail (Frame 23754) Video thumbnail (Frame 25437) Video thumbnail (Frame 26505) Video thumbnail (Frame 29295) Video thumbnail (Frame 31297) Video thumbnail (Frame 32499) Video thumbnail (Frame 33205) Video thumbnail (Frame 34298) Video thumbnail (Frame 37898) Video thumbnail (Frame 39056) Video thumbnail (Frame 39810) Video thumbnail (Frame 42243) Video thumbnail (Frame 43210) Video thumbnail (Frame 44315) Video thumbnail (Frame 45297) Video thumbnail (Frame 49733) Video thumbnail (Frame 51762)
Video in TIB AV-Portal: Getting SSLizzard

Formal Metadata

Getting SSLizzard
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
The world has seen a seismic shift from browser-based web applications to GUI-rich semi-thick client applications running on handheld mobile devices. In the browser world, the industry had placed a great deal of time and energy towards providing users visual cues to indicate the level security and trust that their data being transmitted to the remote server is protected and not falling into the hands of unintended recipients. In the mobile device world, these visual cues are mostly nonexistent, resulting in the inherent trust that the underlying APIs are ensuring a level of security before transmitting a users sensitive data. In our research, we tested the most popular apps on both the iOS and Android platforms. We ran each app through a data transmission assault course that contained various historic, contemporary, and obscure SSL attacks and documented the results. In this presentation, we will discuss and demonstrate flaws at both the application an OS layer that need to be addressed by both the mobile app developers and well the mobile device manufactures. A utility called "SSLizzard" will also be released for use by mobile application developers to test their mobile apps and their behavior against SSL-based attacks discussed in this talk. Nicholas J. Percoco: With more than 14 years of information security experience, Percoco is the lead security advisor to many of Trustwaveps premier clients and assists them in making strategic decisions around security compliance regimes. He leads the SpiderLabs team that has performed more than 1000 computer incident response and forensic investigations globally, run thousands of penetration and application security tests for clients, and conducted security research to improve Trustwave's products. Percoco and his research has been featured by many news organizations including: The Washington Post, eWeek, PC World, CNET, Wired, Hakin9, Network World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO Magazine, CNN, The Times of London, NPR and The Wall Street Journal. Paul Kehrer is a web developer and programmer at Trustwave with extensive experience with X.509 and PKI, including writing and maintaining a registration authority. Since 2007, Paul has lead the team responsible for the design and infrastructure of Trustwave's Certification Authority. Paul enjoys baking cakes in his spare time.

Related Material

Video is accompanying material for the following resource
Mobile Web Source code Component-based software engineering Data transmission Mobile app Mobile Web Software testing Software testing Bit Resultant
Mobile Web Mobile app Information Software developer Software developer Multiplication sign Mobile Web Data storage device Disk read-and-write head Disk read-and-write head Wave Explosion Authorization Software testing Information Game theory Information security Information security Traffic reporting Game theory
Presentation of a group Mobile app Mobile Web Stress (mechanics) Web browser Uniform resource locator Internetworking Different (Kate Ryan album) Software testing Information security Hydraulic jump Computing platform Mobile Web Presentation of a group Touchscreen Information Software developer Android (robot) Stress (mechanics) Planning Computer network Bit Evolute Web browser Connected space Type theory Uniform resource locator Message passing Internetworking Software Time evolution Software testing Quicksort Information security Spacetime
Data transmission Presentation of a group Code INTEGRAL Local area network Multiplication sign Analogy Client (computing) Public key certificate Data transmission Data management Sign (mathematics) Network socket Symmetric-key algorithm Extension (kinesiology) Information security Identity management Data integrity Public key certificate File format Data storage device Bit Price index Public-key cryptography Symmetric matrix Telecommunication output Website Data logger Navigation Point (geometry) Netscape Server (computing) Mobile app Computer file Authentication Mobile Web Telebanking Login Latent heat Telecommunication Internetworking Profil (magazine) Communications protocol Symmetric matrix Mobile Web Key (cryptography) Validity (statistics) Server (computing) Android (robot) Interactive television Code Plastikkarte Client (computing) Computer network Cartesian coordinate system Software Network socket Key (cryptography) Netscape Communications protocol Identity management
Mobile Web Server (computing) Standard deviation Functional (mathematics) Touchscreen Proxy server Suite (music) Interior (topology) Server (computing) Weight Multiplication sign Similarity (geometry) Client (computing) Online help Local area network Front and back ends Connected space Software framework Diagram Software framework Quicksort Proxy server Metropolitan area network Physical system
Standard deviation Parsing Code Multiplication sign Source code Mereology Public key certificate Perspective (visual) Facebook Different (Kate Ryan album) Personal digital assistant Encryption Cuboid Error message Information security Public key certificate Moment (mathematics) Keyboard shortcut Data storage device Bit Price index Social engineering (security) Connected space Type theory Digital photography Chain output Quicksort Mobile app Connectivity (graph theory) Mobile Web Web browser Telebanking Chain Root Utility software Software testing Data structure Message passing Mobile Web Multiplication Standard deviation Validity (statistics) Client (computing) Line (geometry) Cartesian coordinate system Error message Software Personal digital assistant Library (computing)
Point (geometry) Standard deviation Presentation of a group Mobile app Functional (mathematics) Parsing Software developer Mobile Web 1 (number) Set (mathematics) Web browser Facebook Internetworking Different (Kate Ryan album) Energy level Software testing Information security Mobile Web Area Mobile app Information Validity (statistics) Software developer Plastikkarte Web browser Type theory Graphical user interface Function (mathematics) Website Codec Information security Library (computing)
Data transmission Mobile app Context awareness Dependent and independent variables Multiplication sign Radon transform Client (computing) Revision control Spherical cap Touch typing iPod touch Software testing Router (computing) Information security Error message Firmware Wireless LAN Physical system Mobile Web Mobile app Dependent and independent variables Electric generator Android (robot) Client (computing) Bit Cartesian coordinate system Component-based software engineering Type theory Personal digital assistant Intercept theorem Physical system Resultant Firmware
Data transmission 1 (number) Client (computing) Function (mathematics) Public key certificate Sign (mathematics) Type theory Spherical cap Different (Kate Ryan album) Flag Extension (kinesiology) Scripting language Source code Constraint (mathematics) Electric generator Bit Instance (computer science) Type theory Arithmetic mean Internet service provider Software framework Right angle Data structure Server (computing) Mobile app Module (mathematics) Identifiability Open source Codierung <Programmierung> Constraint (mathematics) Web browser Regular graph Field (computer science) Time domain String (computer science) Authorization Software testing Data structure Form (programming) Software development kit Domain name Authentication Module (mathematics) Multiplication Key (cryptography) Cellular automaton Line (geometry) Cartesian coordinate system Web browser Component-based software engineering Software Personal digital assistant Function (mathematics) Network topology Fuzzy logic Library (computing)
Mobile app Public key certificate Demo (music) Line (geometry) Software developer Web page Coroutine Directory service Cartesian coordinate system Time domain Centralizer and normalizer Function (mathematics) Revision control Gastropod shell Software testing Normal (geometry) Data structure Electric current Library (computing)
Domain name Conformal map Public key certificate Key (cryptography) Algorithm Web page Directory service Coma Berenices Electronic signature Hypercube Time domain Number Spherical cap Single-precision floating-point format Revision control Text editor Information Validity (statistics) Normal (geometry)
Mobile app Touchscreen Public key certificate Computer file Line (geometry) Mathematical analysis Directory service Multilateration Type theory Error message Spherical cap Function (mathematics) Flag Software testing Software testing Quicksort Normal (geometry) Error message Data structure Electric current
Android (robot) Mobile app Closed set View (database) Mobile Web 1 (number) Password Web browser Client (computing) Public key certificate Twitter Uniform resource locator Facebook Sign (mathematics) Software testing Message passing Error message Source code Slide rule Public key certificate Key (cryptography) Android (robot) Bit Open set Web browser Connected space Sign (mathematics) Type theory Error message Facebook Internetworking Software Chain Computing platform output Software testing Resultant Library (computing)
Web page Slide rule Mobile app Web crawler Closed set View (database) Mobile Web Password Public key certificate Web 2.0 Uniform resource locator Facebook Sign (mathematics) Latent heat Internet forum Software testing Message passing Error message Source code Touchscreen Slide rule Public key certificate Structural load Open set Sign (mathematics) Uniform resource locator Facebook Internetworking Error message Computing platform Software testing
Web page Mobile app Constraint (mathematics) Mobile Web Computer-generated imagery Time travel Virtual machine Exploit (computer security) Web browser Client (computing) Public key certificate Perspective (visual) Sign (mathematics) Software testing Internet Explorer Volumenvisualisierung Metropolitan area network Computing platform Vulnerability (computing) Source code Vulnerability (computing) Constraint (mathematics) Public key certificate Validity (statistics) Web page Client (computing) Bit Complete metric space Web browser Virtual machine Software Chain Website Computing platform Internet Explorer
Domain name Touchscreen Server (computing) Touchscreen Public key certificate Server (computing) Public key certificate Time domain Personal digital assistant Blog Software testing Software testing Error message
Touchscreen Dot product Software testing Software testing Coma Berenices
Blackboard system Degree (graph theory) Quicksort Information security Error message
Point (geometry) Android (robot) Touchscreen Server (computing) Mobile app Closed set Constraint (mathematics) Multiplication sign Mobile Web Complete metric space Web browser Client (computing) Software bug Twitter Revision control Facebook Software testing Information security Metropolitan area network Constraint (mathematics) Bit Complete metric space Flow separation Twitter Web browser Open set Frame problem Process (computing) Software output Software testing Sinc function Resultant Library (computing) Asynchronous Transfer Mode
Aliasing Point (geometry) Data transmission Mobile app Software developer Code Telebanking Perspective (visual) Data transmission Software bug Revision control Wave Single-precision floating-point format Computing platform Software testing Information security Absolute value Mobile Web Mobile app Validity (statistics) Software developer Cartesian coordinate system Type theory Software Blog Revision control output Right angle
those you don't know where you guys are sit in the getting slizzard talk so just
brief agenda here we're going to take you through during this talk go through some introductions you know about who we are go through a little bit of a primer on SSL talk about some mobile ssl user experiences research motivations research and implications talk a little bit about test lab that we built i'm going to introduce a tool for you guys so that the slizzard tool show you some of the results of us testing some of the mobile apps and the mobile devices and then there's gonna be an audience participation so real quick who we are
I'm Nicholas / cocoa I'm the head of the spiderlabs team at trustwave i started my enforce a career in the 90s doing penetration testing on this is my sixth DEFCON talk I actually had two others this weekend one was male or freak show on Friday and then the UM and the droid talk yesterday I'm also the primary author of Trustwave global security report and I'm Paul care i'm the lead ssl developer in the ca architect for Trustwave and since i don't have a whole lot of other bio information i can put up here so we decided to say also a mobile game developer in my spare time and also sometimes at work if you're going to hosting con in the next few
days we're releasing a game there so if we figure we'd hype it now at when the app store this morning I promise it's not malicious so before we start we have
some audience participation at the end of this presentation and so you can be able to help us find a final mobile ssl flaw so what you'll need so if you have a mobile device actually could have any type of device it has internet connectivity 3g 4g if you're on the DEF CON Network you can help us out you have to have the ability to enter a URL in your mobile browser and then you have let the trust that we're not gonna be doing anything malicious to you and then willingness to stand up if you're tastic successful so just to fort just to gauge the audience how many people here are willing to willing to help out ok great cool that's gonna be fun so let's jump
into the introductions here so what does this talk about so basically we are talking about you know Paul and I were discussing sort of planning for this talk and planning for the research really sort of the evolution of the security experience in mobile platforms you know obviously when you have a large giant screen 27 inch screen in front of you there's a lot of things you can do from a security standpoint or even security warnings messages and other things that you could present to users but when you cram it down into a small little device the space is limited and also the the developers of the platforms tend to try to abstract some of the the busy information that you may see on your desktop platforms or we want to say in your desk you have plan desktop platforms from your device itself we're also going to talk a little bit about you know some different types of SSL attacks the lack of testing tools testing isn't available for mobile applications specifically for mobile app developers we're also going to talk about how various apps and devices perform under SSL stress and so we did take some popular apps ran them through some tests and we're going to present you know how those actually how those actually reacted and then when we use a tool to help solve this problem so very
very briefly just new whenever I give talks I always want to make sure to start with a primer because hey I about 11 years ago I sat in the audience at Def Con it and saw plenty of talks and sometimes when I hate when I was staring at the presenter I was thinking I don't no idea what this guy's talking about so when I just you know bring everybody up to speed you know there could be some some some people in the audience who who maybe aren't familiar with ssl so basically SSL stands for secure socket layer it use their certificates digital files which are certificates defined by the x.509 on the specification it was actually developed by Netscape back in 1994 and was implemented in that scape navigator one point oh my personal history i remember when netscape navigator one point it was released i was sitting in my dorm room and the day it was raised actually nothing it was probably a couple hours after his least i went to a netscape store and actually bought it bought a t-shirt with a credit card it was my first experience with with SS salad sending a secure transmission across the internet I'm using that technology it's a protocol you know typically use a secure client to server communication data specifically most of you in this room interact with it every single day if you if you do anything online logging into sites if you're using mobile devices in your log in enter online banking account wherever you may be doing is you most people have interaction with it some people may not be aware they're interacting with it and then it uses I'm from a keen standpoint at Keith's standpoint it uses a symmetric keys basically public and private keys to establish a symmetric key to just abla SH the secure transmission so we're SSL
whereas SSL you physically certs we talked about to establish secure client to server communication it also is used to identity as well so when you visit a website that popular you know you know financial institution you often will see sometimes even something like an extended validation indications like the green bar that will establish that you are in fact or you hopefully are in fact connecting to that that done that that website that you think you're going to also used in app signing so the same technology used to sign applications specifically in the mobile world as well and then log file integrity lots of times you can actually sign there are tools out there that will sign your logs to ensure the integrity of those logs they haven't been tampered with after the fact and then very similar in the mobile world used for communication or public networks it's actually pretty important for for secure communication where public networks because we're all roaming around you know walking around in conferences walking down the street using our phones from untrusted networks such as you know coffee shops and places like that and when you submit data that you don't want anybody else to see you want to you want to submit you want to send it over the over the public internet or even public local networks in an encrypted format so establishes app to server communication i'm also using app code signing like we already talked about and then it's also used in mobile device profiles so you know if you if you work for a corporate a copy work for a company and they push down profiles to your church your iOS device they'll actually actually sign those using using SSL it's a little bit of a
sort of cartoon drawing about what man in the middle is and this is we're going to dive a little deeper into into our talk basically want to describe we know what is a man-in-the-middle attack and so you can see that diagram at the bottom very very cartoon-like but now the bad guy sitting in the middle there all the diagram the you or the end user is sitting over on the around the left-hand side of the screen and that's your mobile device you're actually you know he's injected into your interiors into your network similar so it may be on your local when it could be somewhere in the path between you and on the end of the place you want to visit the legitimate place you want to go and so basically you establish your connection with the attacker and the attacker then establishes a legitimate connection to the backend server so then when that's when that happens the attacker is able to then intercept the data that you're sending but also possibly modify that as well so what tools actually exist to
help with mana mental attacks there are quite a few we've got a thick net which is a man-in-the-middle framework developed by stevis epic who is a member of the trustwave spiderlabs team it's written in perl and is a modular system that allows you to add extra functionality to after you've set up your initial man of middle there's ettercap which is kind of the gold standard tool that everybody's familiar with although it hasn't been developed in quite some time it's still a very solid and very useful tool for doing this sort of thing you can also use more basic tools like ARP spoof that will just spoof ARP exactly what it sounds like to cause packets to be to redirect it to you and then you can use other tools to parson she's me intercept and modify those packets specifically things have such as SSL strip or SSL sniff and then there's also things like mainland Middle proxy which is just an SSL capable and intercepting HTTP HTTP proxy so why is true ssl man-in-the-middle
difficult well ssl-certificates have what's called a chain of trust the x.509 spec was based around the concept that you have roots or sometimes they're called trust anchors those roots are present in the certificate store of the device or application that you're attempting to use so for example you connect to facebook com using your web browser your web browser is now chaining it up see it obtains the ssl certificate at any intermediate certificates in the initial handshake and then it uses its own internal methods to try and find a chain of trust up to a root CA that it's already familiar with so you can't just go and sign your own certificate because it's not in there and if you add it to your own it's not in anybody else's and the reason for that is of course that well we don't want you to be able to create dub-dub-dub facebook com or API facebook com or any of those other certificates because why should you be the authoritative source for that now there are certain other ways of trying to develop a more distributed networks of trust but for the moment x509 is based upon the concept that there are trust anchors so now that we've established that you need a public CA for that you now need to find some way to attack in public CA now as proven in the past by moxie and others you can't attack public CAS however it's typically not particularly practical you need to take you need to focus on one specific one you may need to spend quite a bit of time and you may not be successful in the first place social engineering usually plays a fairly large component it rather than technical flaw so then you may want to generate malformed certs well the tooling around generating certificates is pretty streamlined these days and because the asn.1 spec which is what X 05 x509 utilizes is so complex they actually lock it down pretty heavily and almost all the tooling it's so easy to go wrong so you actually have to go down and play down in the lib SSL openssl layers or use something like the Ruby openssl bindings to be able to generate malformed dance and one structures so that's that that's usually an obstacle for people who aren't familiar with that kept type of code and then SSL parsing 0 days are difficult to come by as Moxie's demonstration of null character attacks worked he managed to find both a flaw in the way cas were validating certificates and a parsing error in the actual multiple different parsing engines because that flaw actually affected Firefox and the IE s channel validation routines so we'll
talk a little bit about mobile SSL experience from a user perspective so obviously there's no standard UI if you know if you have an Android device you have an iOS device or webos whatever you have there's no real standard for letting the end user know that they've established a secure connection so you've established an ssl connection emit most applications show nothing at all you know fire up your your online banking app and you just have to assume that maybe it's being sentient sent over SSL but it could be incentive in the clear you have note there's no indication from an end users experience of the difference now in most cases nothing like I said there's no UI at all there's no there's no lock that you see in a browser in a browser experience it just basically you it's basically non-existent there are there are things like that in some of the mobile browsers themselves but just because you see a lock there you have no ability to drill down deeper to actually check into the check out the certificates that are being presented to you and then of course there's cryptic warnings in so part of our research we had missed anyone we were doing some of the testing we noticed a lot of cryptic warnings some mornings just didn't even make sense for what was going on in the testing and then users don't know the difference so everybody in this room you'll be in security aware you would know the difference but but most end-users wouldn't and they wouldn't know if if they established a connection or if they didn't they wouldn't even know to look and then the pop-up could be lying so there's so there's the photo you see there the screenshot you see there was some an app that I actually went and downloaded it's it's a it's an app to find sort of boutique hotels when you travel around that are they're cheaper but um but maybe a little nicer than chains and so when I was using that app I noticed there was a lock in the corner and it says secured by and has trust click on it I mean you put your finger on that lock and a pop-up box comes up that says secure brooking powered by travel clock and protected by 256 bit ssl encryption so that could be just complete you know even you have no idea if that pop-up is line so
the browser community is now spent almost two decades tweaking their UI behavior when it comes to SSL I mean originally you had locks of padlocks in the corners and you've had padlocks move up next to the URL bar you've had yellow you've had you've had just white you've had green Lux that actually don't represent EV security the point is that there is always presentation even if that presentation has been changing so there's ways for you to both look at and validate what you're seeing however the mobile device market in essence destroyed that with info in less than five years it went from at least something to see to you need to trust that something good is happening when you open up your mobile app to connect to Google+ or Facebook or whatever your social network is you just assume that it's using SSL you have no way to tell so that's obviously something of a problem and you can't expect to see you I excuse me so if ssl fail silently on that front well the world probably doesn't end but maybe your personal world does so some of the research
motivations is well young you know most apps completing nor the UI aspect of security so that's something we wanted to look into you know like like like paul area mentioned but from it from the end user standpoint or even from a developer standpoint you know you're a mobile app developer there is from there's a zero functionality difference between sending data in the clear and sending data encrypted so there's no real no motivation otherwise other than the protection of the data that's being sent for them to implement it and so as an end user you just have to trust that when you're sending some things like credentials or bank account information or credit card information be an app that the developer care cares enough about you to to actually establish at SSL session and encrypt your data and we also we also thought there wasn't really any tools any an easy set of tools for people to run run their apps for these types of tests and then also you know when you find os-level problems the the Cascade to all apps where they can cascade to all apps so if there's an OS level you know ssl parsing problem it could affect every single app on a device not just not just the ones that are you did not just not just one single app and to be fair that is true of desktop as well but uh on the mobile side much more so than the desktop site people tend to use consistent ap is that go down to the OS hooks so for example on the desktop you could have several different libraries that are actually handling your SSL validation routines if you're using Firefox it uses its own an SS specifically and if you're using Safari or Chrome or Internet Explorer or whatever the inventor using s channel or the OS level libraries 40 is 10 however on the excuse me on them on the mobile side you're emphatically unless you've chosen to go around that very few do you're using the OS level libraries for handling that so whenever whenever
you're doing security research there's always the implications of your research and obviously you know something that that we talked about today could be used by someone to do something you know used to do bad things tomorrow and basically you know do two attackers really focusing on the mobile app world on a mobile device world obviously the results of our research can be used for like I said to do bad things specifically if there's problems with ssl they can be used for credential stealing data interception even even response manipulation back to the back to the client application but the other thing to think about is the these types of attacks will go unnoticed specifically if there's a lack of user awareness users users aren't aware even when they see error messages if they just click through them that's that that's that's a problem as well and then of course the lack of q IQ is within the amps compound that so like what we talked about earlier if the SSL fails and it fell silently the users are these are just basically you know blindly submitting their data on through through the networks and in being intercepted by attackers so how do you actually build a
test lab then well there's a lot of ways obviously but one of the simplest and cheapest ways is just go ahead and get yourself a cheap Soho switch our switch and router like a wrt54gl or something and that typically you'd like it to be able to run a third-party firmware like tomato or dd-wrt you want to want to attack her system in our case we went ahead and use Linux because it's much easier to compile light or cap there than anywhere else and we went ahead and also added a patch to it that will be discussing a little bit and then you need some victim clients in our case we have a nexus s that was running at the time the latest version of gingerbread and an ipod touch fourth generation which was running ios4 33 so what types of search dooney then
once you've got that all set up you're going to want ones that are valid for the target domain of course so you can validate that it works in the primary use case you're also going to want as many malformed just ssl certificate types as you can come up with cell sign which is a common one that many people deal with crl f which is a carriage return line feed that's actually something that in the past various libraries have had trouble with you feed a carriage return line feed inside the domain or wrapping domains and sometimes it will parse before after the crl f sometimes it'll just break and return true now that hasn't always been that hasn't it shouldn't be true now but that doesn't mean it isn't then the null prefix which of course was a one of Moxie's big ones recently which we discussed earlier invalid asn.1 structures where you can write fuzz errs where you can say i want to have various no broken loops and and miss nested forms inside my ass and one structures and then broken encodings in general where you can push utf-8 into BMP strings and things of that because asn.1 has type identifier so you can play around with that and then things like the basic constraints and key usage and extend Acacius extensions every certificate has things encoded in it that's it tell the browser or the OS what it should allow that cert to do for instance you when you have are using a regular server certificate it has an extended key usage called server off and when you're using it for client authentication it has one called client off and server auth certs can't be used for client off and vice versa and in the basic constraints extension there's typically a field that says see a colon false which means it's not a CA don't let anybody sign things so and then you may need a method of course to generate the above easily so what we went ahead
and did was wrote a ruby script called slizzard it's an open source tool kit to easily generate multiple types of invalid search for any given domain the output can then be used with Etta cap to run these attacks against your apps or others too see if these things are vulnerable we've successfully attempted test it with ettercap and we have a patch on the DEFCON 19 DVD that you can apply against any standard ettercap 073 ng tree which will allow you to add a new flag again documented in the patch but you passed dash X that allows you to pass any certificate in normally ettercap generates standard excuse me standard self-signed certificates on the fly and since we want to be able to provide different forms of broken certificates we need you use the flag to supply them there's also a thick net module being developed by Steve ascetic I believe that will be delayed a little bit but yeah Steve's doing the talk I think the next hour called blinky lights and so when that talk got accepted it delayed his men in the middle or his thick net module a little bit but he's gonna he's gonna put that out shortly after our talk right and this setup can be used against any OS application browser anything I mean as long as it's connected to the network that you've developed you can man in the middle it
so to use it all you have to do is run it you can either specify it on the command line or it will have an interactive shell for specifying as well and I guess we can do the demo yeah and you know the real motivation here was to
develop this toolkit so that app developers this will be app developers that may be used in their own libraries
to their own routines to validate SSL in their applications and this will be a a surprisingly short demo since it does exactly what you'd expect you specify the main you want it to spin to generate certificates for and they are generated so now we can say let's take a look at one let's go ahead and look at the null character attack one so as you can see
it generate for domain com with a null character openssl is actually capable of detecting and reap arcing Nell characters such that you can see it but in certain other tools you may not see the null character because it's a null character and unprintable but that's the kind of thing we're going ahead and generating and then you have
single key that of course wants all these certificates and in the UM and in
the editor cap into once you apply the patch you actually can specify the UM
specify the certs to use write them for your test as you can see there so you'll
go ahead and execute it generate your sorts set up better cap using the dash flag to specify the cert type you want to test and then you'll use your app is normal and see if you get error messages if you don't get errors then you should check out ur cap which you can tell it you can either have it out putting data to the screen or you can have it writing to a pcap file for later analysis using something like Wireshark and that'll let you see if the data was intercepted as you expect it you'll have to execute ettercap once per cert type generated by slizzard tujhe comprehensively test it oh we don't allow dynamic switching at the moment although we've been looking into improving the patch so now we're
going to talk a little bit about the mobile app test results so like we've mentioned earlier about setting up the test lab we actually set the test lab we had the various devices and then we um proceeded to basically men in the middle each of those devices and some popular apps and so on you know you want sure so on Android as you can see you in a lot of ways we didn't find a whole lot we ran through several hundred tests actually or across the asn.1 buzzers and a very various other ones and you can see that the self sign crl f null character and ASM ones all fail closed in the browser you get the what you'd expect which is the invalid certificate notification which an Android you can also actually click the view certificate and see a little bit of the details you can't see why the chain might not be working but you can see the end entity certificate itself some of the more interesting things around it worth it when you do these types of attacks some of the underlying OS libraries are getting upset because the Facebook Apple for example completely stopped responding quitting it reopening it doesn't seem to help you actually have to reboot the entire phone sometimes however and then there's the other thing we will get was confusing error messages none of them said bad ssl certificate they would say things like no network connection or you know server busy basically fall back error messages that just assumed that there couldn't be a problem with the ssl cert it was something else so that that was always there was a little bit of an interesting revelation for us so we also tested iOS based on the same exact fashion and so I mean it gets the big takeaway here you know you can see the same same keys if you can't really see it from the back of the room on the key basically FC the green FC means it fail close it did what it should you are means user request so it basically something popped up and ask the user do something and failed open so you know obviously this was a little bit disappointing at this stage in the research that we we didn't find anything but there was also some confusing error messages as well that we noted and then one thing to note on Twitter the twitter client actually had very nice accurate error messages I think all those apps that we tested was the only one that actually actually displayed what what the issue was that was being presented to the end user so now we're going to
crowd your question oh yeah sorry yeah so that's that's
interesting thanks for pointing that out yeah so basically went once you um when you went to the signup screen using the facebook app we noticed that every all data was being trans transmitted over HTTP yeah it takes you to a custom web view which just loads the page which is not over SSL and everything including this sign up forum posts over HTTP for some reason yeah the ad says that whether or not you're made of middling yeah it was just a little side thing we found so now we're going
to do the audience participation so so what are we going to do we're going to test for a specific ssl flaw by audience members so we need as many people as possible to test this so hopefully we'll we'll find some vulnerable devices out there you can be shown a URL on the next slide if you see a certificate error and when you when you visit that don't do anything we don't need to know that you got that error but if you see a spider labs logo and we'll show you what that looks like we'd like you to stand up so
what we're not going to do we're not we're not pushing anything malicious to your device and see I guess you have to trust this with that and we're not exploiting any known known or unknown browser flaws so this is this is an SSL negotiation test that's specifically what it is and in fact we don't actually even have any JavaScript on that page it's pure CSS and HTML so a little bit
of little bit about what we're going to test so basically if you take the way back in Wayback Machine you jump in the time machine and go back to 2002 Moxie actually published a serious microsoft internet explorer vulnerability is basically related to SSL validation checking yeah i mean this flaw happens when a client fails to validate the signers valid CA it allows a ssl negotiation to kirk and complete because from its perspective it found a chain so chains are actually again unrelated to whether or not the cert is allowed to be a signing see that's all in the basic constraints parameter so if something fails to check that it should or should not be capable of signing and it's just assumed to be capable assigning that you could sign a certificate underneath your own personal website for some other website and then just pass that as an intermediate and it will validate so that was what moxie found at the time yeah so we take us to the present day if we have a device or we found a device than our research that this was successful it's basically complete ssl failure so basically ssl man in the mill completely possible whether it's with a device or an app is operating on a public network so today at Def Con 19 we're going to go through and actually see if this exists on any mobile platforms in the audience so you
want to explain what we did to set up so what we did is we requested a cert from a public CA for a meaningless domain and specifically in this case we are we used assert that I personally have for my own blog then we use that certificate and slizzard to generate and sign a new certificate in private key just underneath it so basically we treated that end entity certificate as a sub CA and then we installed the resulting certificate and keon test server and passed the meaningless domain cert as the intermediate so the correct ver Savior when visiting this test server is a certificate error it just shouldn't work so let's do the test so everybody
in the room if you can visit SSL test dot spiderlabs calm and then if you if you see this logo on your screen without having to click through anything please stand up and you want to do it as well with the audience sure so I'll go ahead and just take a look at it myself here
oh sorry sorry guys sorry it is um ssl
test dot spiderlabs com so if you see that if you see the logo please stand up okay so you want to do it as well as show with the other so it looks looks like out of here key please keep keep
standing so this is what this is what
you should see if you're if you are vulnerable to this attack you should not see a security warning at all if you see the security warning that means your your phone is not vulnerable to this attack it's not working at all you get the error on the blackboard yeah that's good but you should okay let's go back into the so it's so we'll explain a little more here so that sort of the
problem here so so thanks everybody i
guess you can sit back down is way actually one question is why you're standing up Oh does anybody not using an iOS device who did get man in the middle we have someone back there okay if you can see us after the talk we'd love to talk to you yeah so actually yes what is your device sir that runs iOS thank you though oh we have one here Oh interesting yeah if you could see us after the talk they'll be great it was a samsung rogue he said yeah that isn't Android device yeah so let's well you can see us after I talk we'd be interested to talk to you so so basically you know anybody using anything less than iOS four dot 305 so if people are aware apple just pushed out a patch about a week ago a little bit set nine days ago on that specifically addressed this issue yeah and it's just for those of you who might be on verizon it's 4 to 10 is the patch version that fixes it and this patch was solely pushed out to fix only this bug there were no other fixes out there because of the severity of the issue yeah from the time frame you know Apple did a great job it was 10 days after we reported this problem to Apple on that they actually patched and pushed out the the newest release so what we show here on the results here so the basic constraints test browser Facebook mint Foursquare and Twitter also all failed open and so what that means is that we were able to establish complete man-in-the-middle via ssl and intercept all the traffic it was being sent from the from that from the client device to the server and a little side note here we estimate the iOS users exposure so the people who stood up are still exposed and are still vulnerable to this attack basically it was about 18 months everything since at least three dot one dot three right and since Apple tends to end of life after about two years each iphone 4 they're no longer eligible for updates security otherwise 313 was the last version for the original iphone four dot one something was the last version available for the iphone 3g so only 3gs and iphone 4 actually eligible to not be vulnerable so they gets to note to the people who are standing in this room all of you whether you're on the DEF CON Network or your any place else could be men in the middle via this method and and we probably recommend at this point you'd put your phone in airplane mode yeah the apple patch fixes the underlying library so it fixes it for browser and apps and everything else so
after our iOS disclosure Moxie was pretty tickled about the fact that one of his bugs had come back around and so he really sent updated version of SSL sniff that will fingerprint and do this to any device that you've got on your network Eric Monte one of our Trustwave spiderlabs guys has developed a workaround for iOS developers who want their app to work on earlier versions and not rely on iowa's to the validation checking we're going to be posting a blog post about that right after the talks for people who want to incorporate incorporate this code snippet we'd love more eyeballs on it because quite frankly we're not sure why it works but it does seem to mean what the one big implication there so say you are a financial institution and you have you have online banking customers who are using a banking app from an iOS device um if they're if those customers are not patched that means that all the customers in your ecosystem that are not using this latest version are now vulnerable so so so iOS developers may want to implement this or this visually that banking application developer may want to implement this to make it to fix it retro actively in older devices right and then just recently a Hubert or Hubert or whatever his name might be solely by this alias released a tool called I sniff which also does is SSL man-in-the-middle using for less than I OS less than 435 so you can check that out in github as well so so concludes I
guess just to conclude here in the basic basic takeaway is that we need more eyes on this on this type of technology on this testing so we want that's why we put together this toolkit for Iowa for developers to be able to be able to test their abs tester devices and define these problems and fix them but i guess it from a user perspective and we all have to insist that that develop the ssl is used for all data transmission but then we also need to also insist that the mobile device manufacturers the mobile platform developers and fix their UI so it's more it's more it's more recognizable to us and other end users that what's what's going on from a secure data transmission standpoint absent devices that fail should always fail close when there's an SSL problem so in that regard our testing is revealed that in general they try to do that that's a big improvement over the past years and it's an encouraging note i guess but uh yeah it results in a more larger dependence on a single failure point which hopefully people will continue to consistently test to make sure it doesn't have problems that have occurred in the past and it gets the one final piece the gentleman that actually had that Samsung device if you can meet us here and as we were when we were doing this this talk we knew that the iOS devices would be vulnerable because we released at advisory with with apple and we were we were hoping that that we might find another device obviously in our test lab we didn't have you know hundreds of flavors of devices to play with and the gentleman with the with the Samsung device if you could meet us we want to want to find a little more details about that device and it may have you may see an advisory come out very soon on that platform as well so that's that's our talk thanks everybody thank you