Security flaws in mobile devices - PowerPoint PPT Presentation

1 / 28
About This Presentation
Title:

Security flaws in mobile devices

Description:

... as a program which would offer new wallpapers and icons for Symbian OS. ... It is FREE ! - Desktop manager Official Symbian desctop manager. - Happy Birthday! ... – PowerPoint PPT presentation

Number of Views:91
Avg rating:3.0/5.0
Slides: 29
Provided by: christia4
Category:

less

Transcript and Presenter's Notes

Title: Security flaws in mobile devices


1
Security flaws in mobile devices
  • Seminar on Software Engineering,
  • Long Presentation
  • 06.03.2008
  • Christian Gruber

2
Quick overview of mobile device security
  • Modern technologies integrated with each other.
  • Mobile phones are more and more intelligent and
    becoming like computers ? security problems?
  • Mobile phones and other mobile devices are coming
    more attractive to virus writers.
  • This presentation is dedicated to the threats
    currently posed by malicious code to mobile
    devices which run under portable operating
    systems and are equipped with wireless
    technologies.

3
Quick overview of mobile device security
  • This overview focuses on some of the severe
    malwares found in the following major mobile
    operation systems
  • - Symbian OS
  • - Windows CE .NET
  • - Apple OS X for the Apple iPhone

4
Symbian operating system
  • A smartphone is a mobile phone offering advanced
    capabilities beyond a typical mobile phone, often
    with PC-like functionality.
  • Symbian is the leading OS in the smart mobile
    device market.
  • It is designed for the specific requirements of
    advanced 3G mobile phones. Symbian OS combines
    the power of an integrated applications
    environment with mobile telephony, bringing
    advanced data services to the mass market.
  • Statistics published February 2007 showed that
    Symbian OS had a 67 share of the smart mobile
    device market, with Microsoft having 13 through
    Windows CE and Windows Mobile and RIM having 10.

5
First malicious code for Symbian OS.
  • 2004 a group of professional virus writers known
    as 29A created the first virus for smartphones
    called Cabir.
  • Cabir is the first network worm capable of
    spreading via Bluetooth.
  • It infects mobile phones which run Symbian OS.
  • Creators stated it was purely proof of concept
    just to show malicious code could be created for
    Symbian OS.
  • Source code was published on the Internet ? many
    modified version surfaced.

6
how does Cabir work?
  • It is design to load at phone boot up and send
    itself to available devices using Bluetooth.
  • It sends itself as a Symbian installation file
    (as CARIBE.SIS) the receiving phone will
    recognize it as an installable package.
  • Before the virus can successfully infect a phone,
    the virus must be first accepted by the user.
  • When the virus is received and accepted, the
    phone then begins installing the installable
    package file ? phone infected.
  • Later version named as Cabir.k was able to self
    replicate itself via MMS.

7
Second malwre for Symbian OS
  • Soon after Cabir spreaded the first Trojan was
    found for Symbian OS.
  • Normally a Trojan is a piece of software which
    appears to perform a certain action but in fact
    performs something else.
  • The Trojan was a cracked version of a popular
    game called Mosquitos.
  • It sent SMS messages without the knowledge of the
    user.
  • It was intended that the program secretly sent a
    SMS message to alert developers if an unlicensed
    copy was being used.

8
Mosquitos Trojan
  • This program is not strictly a Trojan, but, it is
    classified as a Trojan as it sends SMS messages
    to premium rated services without the knowledge
    of the user.
  • The numbers which messages were sent to were
    coded into the program.
  • Does not spread using its own means. It must be
    installed and run by the user.
  • One message cost 1,5 2

9
The Skuller Trojan
  • Skuller was the first real Trojan for the Symbian
    OS.
  • The Trojan appeared as a program which would
    offer new wallpapers and icons for Symbian OS.
  • Installing the program led to the standard
    application icons to be replaced with a skull and
    crossbones.
  • At the same time it would overwrite the original
    application ? application ceased to work.
  • Once the smartphone has been infected it can only
    be used to make calls.

10
The Skuller Trojan continued
  • Skuller demonstarted two unpleasent things about
    Symbian architecture.
  • - System files can be overwritten
  • - Symbian lacks stability when presented with
    corrupted or non-standard system files.
  • There are no check designed to compensate these
    vulnerabilities.

11
The Locknut Trojan
  • These vulnerabilities was quickly exploited and
    the second Trojan appeared the Locknut.
  • Locknut was spread as a critical patch.
  • The idea behind Locknut was that Symbian OS did
    not check file integrity.
  • Locknut disables a phone using a malformed file
    to crash internal Symbian process.
  • ? causing the phone to lock down so that no
    applications can be used.
  • The .app extension makes the OS believe that the
    file is executable.

12
The Locknut Trojan continued
  • The .app file contains simply just text rather
    than structured code.
  • The system will freeze when trying to launch any
    application.
  • Rebooting wount help as Locknut is started
    automatically ? making it impossible to even turn
    on the phone.
  • First malware on Symbian to prevent making even a
    call.

13
Most dangerous Symbian worm Comwar
  • The second worm found for mobile devices was the
    Comwar.
  • The worm spread via Bluetooth and MMS.
  • The executable worm file is packed into a Symbian
    archive (.SIS).
  • Once launched the worm will search for accessible
    Bluetooth devices and send the infected .SIS
    archive under a random name to these devices.
  • The name of the file varies. When spread via
    Bluetooth, the worm creates a random file name,
    which will be 8 characters long, e.g.
    bg82o_s1.sis.

14
Comwar continued
  • The worm also sends itself via MMS to all
    contacts in the address book. The subject and
    text of the messages varies.
  • Some example subjects found
  • - Norton AntiVirus Released now for mobile,
    install it!
  • - 3DGame 3DGame from me. It is FREE !
  • - Desktop manager Official Symbian desctop
    manager.
  • - Happy Birthday! Happy Birthday! It is present
    for you!
  • - Internet Accelerator Internet accelerator, SSL
    security update 7.
  • - Security update 12 Significant security
    update. See www.symbian.com
  • - Symbian security update See security news at
    www.symbian.com
  • - SymbianOS update OS service pack 1 from
    Symbian inc.

15
Symbian OS 6.0 and newer
  • Before discussed malware work in earlier Symbian
    OS versions 6 and 7.
  • Newest Symbian OS 9.x also known as S60 platform
    3rd Edition has adopted a capability model.
    Installed software will theoretically be unable
    to do damaging things without being digitally
    signed thus making it traceable.

16
First malware for Windows CE
  • Duts is the first virus for devices running under
    Windows CE .NET.
  • It is also the first file infector for
    smartphones.
  • Duts is also made by the group 29A, which made
    the first Symbian virus.
  • A proof of concept virus.
  • It can infect devices running the following
    operating systems PocketPC 2000, PocketPC 2002,
    PocketPC 2003.

17
Duts continued
  • The virus itself is an ARM processor program and
    is 1520 bytes in size.
  • When the program is run, it raises a dialog box
    Dear user, Am I allowed to spread?
  • If confirmation is given, the virus will infect
    executable files which correspond to the
    following criteria ARM processor, more than 4KB
    in size, located in the device's root directory.
  • The virus writes itself to the last section of
    these files and establishes an entry point at the
    beginning of the file.

18
Duts continued
  • The Duts virus exploited a clever workaround of
    the operating system architecture in order to
    gain access to the coredll module.
  • Windows CE was designed with a protected kernel.
    User-mode applications are not permitted to
    interact directly with the kernel. This was
    designed to enhance the security and stability of
    Windows CE.
  • Microsoft has left the function "kdatastruct"
    acessible to usermode. This provided the key to
    the entrypoint of the virus.

19
Brador
  • Brador is a backdoor (a utility allowing for
    remote administration of the infected machine).
  • Designed for PocketPC based on Windows CE and
    newer version of Windows Mobile.
  • It is written in ASM for ARM-processors and is
    5632 bytes in size.
  • After Brador is launched it creates an
    svchost.exe file in the /Windows/StartUp/ folder,
    thus gaining full control over the handheld every
    time it is restarted.

20
Brador continued
  • Brador identifies the IP address of the infected
    device and sends it to the remote malicious user
    to inform him that the handheld is connected to
    the Internet and that the backdoor is active.
    Brador then opens port 2989 and awaits further
    orders.
  • The backdoor responds to the following commands
  • d - lists the directory contents
  • f - closes the session
  • g - uploads a file
  • m - displays MessageBox
  • p - downloads a file
  • r - executes the specified command

21
Windows CE security
  • Windows CE is extremely vulnerable from the point
    of view of system security. There are no
    restrictions on executable applications and their
    processes. Once launched, a program can gain full
    access to any operating system function such as
    receiving and transmitting files, phone and
    multimedia functions etc.
  • Creating applications for Windows CE is extremely
    easy, as the system is totally open to
    programming, making it possible to use not only
    machine languages (e.g. ASM for ARM) but also
    powerful development technologies such as .NET.

22
Apple iPhone
  • Within two weeks after iPhone was released I.S.E.
    (Independent Security Evaluators) found a way to
    take full control of the device.
  • Apple's Safari web browser exposes the
    vulnerability.
  • The exploit can be delivered via a malicious web
    page opened in the Safari browser on the iPhone.
  • When the iPhone's version of Safari opens the
    malicious web page, arbitrary code embedded in
    the exploit is run with administrative
    privileges.
  • After the Exploit is run the attacker has full
    control of the device.

23
Damages
  • In various proof of concept it has been shown
    that the attacker can
  • - Read/send SMS, MMS and emails,
  • - Read the address book,
  • - Read call history,
  • - Read voicemail data.
  • - Read users mail and other passwords,
  • - Record audio clips,
  • - Gain access to all files.
  • The attacker can transmit all this information
    without the knowledge of the user.

24
iPhone DoS vulnerability
  • Recently a Denial of Service (DoS) vulnerability
    was discovered in iPhones web browser.
  • The DoS exploit can be triggered by visiting a
    maliciously crafted webpage.
  • The page will insert code into the iPhone, which
    continually eats up available system memory
    before causing a kernel panic.
  • It has been stated that the Exploit could be used
    for malicious purposes ? e.g. executing remote
    code.

25
What can mobile viruses do?
  • In short what can mobile viruses do?
  • - Spread via Bluetooth, MMS
  • - Send SMS messages
  • - Infect files
  • - Enable remote control of the smartphone
  • - Modify or replace icons or system applications
  • - Install false or non-operational fonts and
    applications
  • - Combat antivirus programs
  • - Install other malicious programs
  • - Block memory cards
  • - Steal data

26
Protection against mobile viruses
  • For a smartphone to become infected, the user has
    to twice confirm that an unknown file should be
    uploaded and launched.
  • At the moment there are several anti-virus
    solutions designed to protect mobile devices from
    viruses.
  • For worms which spread via MMS, the optimal
    solution is for the network operator to install
    an antivirus product which scans traffic that
    passes.

27
Forecast?
  • It is difficult to forecast the evolution on
    mobile viruses. This area is constantly evolving.
  • Todays mobile viruses are very similar to
    computer viruses in terms of their payload.
  • It took computer viruses over twenty years to
    evolve, and mobile viruses have covered the same
    ground in a few years.
  • Without doubt, mobile malware is the most quickly
    evolving type of malicious code, and clearly
    still has great potential for further evolution.

28
Sources
  • Alexander Gostev, Mobile Malware Evolution An
    Overview, Kaspersky Lab
  • Symbian.com http//www.symbian.com/
  • Geekzone http//www.geekzone.co.nz/content.asp?co
    ntentid3379
  • Viruslist.com http//www.viruslist.com
  • Kaspersky http//www.kaspersky.com/
  • FastCompany.com http//www.fastcompany.com/articl
    es/2007/11/hacking-the-iphone.html?page02C1
  • Security Evvaluators http//www.securityevaluator
    s.com/iphone/
  • I.S.E http//www.securityevaluators.com/
  • iPhone World http//www.iphoneworld.ca/
  • AvertLabs http//www.avertlabs.com/research/blog/
    index.php/2008/02/20/iphone-dos-vulnerability/
Write a Comment
User Comments (0)
About PowerShow.com