Mobile Security In Practice - Autumn 2013


Mobile Security In Practice - Autumn 2013
Tomáš Rosa, crypto.hyperlink.cz
Mobile Payments, Prague, October 10th, 2013

Jailbreak (And Root)

What Does It Mean Anyway
Besides the obvious warnings, there is one more thing to add. Do you wonder whether smartphone OS security can be broken? You do not need to ask anymore: the worldwide verified proof is right here. It is the jailbreak itself.

Failbreak
A privilege escalation exploit that does not end up with a full-fledged jailbreak or root: just a suitable exploit and a payload. It can pass through jailbreak detection. A developer's profile is a perfect position from which to perform a kind of Failbreak.

X-Platform Attacking
Cross-Platform Attack (CPA): any dishonest interoperation of several malware components running on different computing platforms.
Cross-Platform Infection (CPI): any way of CPA components spreading to their respective destinations.

SMS-Based Transaction Authentication Number (TAN)
A very popular authentication method in contemporary banking systems (http://en.wikipedia.org/wiki/Transaction_authentication_number). A particular kind of the "must have" two-factor authentication: it uses the out-of-band SMS channel to exercise the second authentication factor. Also called mobile TAN, mTAN.

mTAN Becomes Risky
CPA is becoming more and more feasible every day. In other words, there is a non-negligible number of cases where mTAN security is not guaranteed anymore. Furthermore, such attacks usually only get better; we should be prepared for this to get worse.

True art-trojan-attack-a-5359/op-1

Let's Face It

Sleeping With The Enemy

It's Here!

Experts Are Ready

Consultants Eager To Help

Clients Take It Seriously

Criminals Sharpen Their Axes
Evolution of the SMS broadcast receiver's "onReceive" method spotted in the wild recently. [figure: two versions of the method, captioned "One Month"]

No Client Cooperation Required
Contrary to the pioneering approaches used by ZitMo, Spitmo, and the Eurograbber scenario, the cross-platform infections reflected hereafter run smoothly with no points of particular cooperation from the client. We can think of them as generation-2 attacks.

USB Link Cross-Platform Infection
Discussed by Stavrou and Wang at BlackHat DC 2011. Exploits USB protocol stack vulnerabilities for spreading the infection in both directions (CPI computer <-> mobile). The original proof-of-concept can be further extended.

Yet Another Incarnation
Discussed by Lau, Jang, and Song at BlackHat US 2013 this summer. A malicious public charging station silently installs malware into connected iDevices. Exploits the weak authorization concept of the USB protocol stack under iOS 6. Does not require (but allows) Jailbreak or Failbreak. Employs the otherwise honest cross-platform library www.libimobiledevice.org. Protection is expected to get better with iOS 7.

NY: Solar Malware For Free

Show Goes On
Gmail link X-platform infection: exploits Android services convergence at Google Play. Discussed by Rosa in 2011 - 2012, http://crypto.hyperlink.cz/files/rosa_scforum12_v1.pdf.
Wi-Fi link X-platform infection: exploits the implicit trust among WLAN devices. Discussed by Dmitrienko et al. at BlackHat AD 2012.

Bring Your Own Device

On the Other Hand
Bring (Break) Your Own Device. Since: "By agreeing to the profile installation, the user's device is automatically enrolled without further interaction." -- http://images.apple.com/iphone/business/docs/iOS_6_MDM_Sep12.pdf
See also: Zdziarski, "Hacking and Securing iOS Applications", 2012; Schuetz at BH US 2011 and Shmoocon 2012; Sharabani at Herzliya 2013; Medin at Shmoocon 2013.

Hackers Are Ready

iOS Peripheral Channels
They are managed by the External Accessory framework. Actually, this is a dynamic library that provides a streaming Objective-C interface between application processes and the operating system drivers. Communication with external iPhone NFC controllers is provided this way; in particular, this concerns PIN verification. Even with the iPhone 5S, there is still no internal NFC controller available.

Sniffing in Action
EASniFF EAOutputStream 0x00453be0 wrote 9 B (of 9)
EASniFF 00453be0 0000: c5 b1 05 00 20 00 80 08 dd
EASniFF EAInputStream 0x004534f0 read 4 B
EASniFF 004534f0 0000: c5 b1 03 00
EASniFF EAInputStream 0x004534f0 read 3 B
EASniFF 004534f0 0000: 00 20 67
EASniFF EAOutputStream 0x00453be0 wrote 13 B (of 13)
EASniFF 00453be0 0000: c5 b1 09 24 12 34 ff ff ff ff ff 00 fb    <- PIN 12 34
EASniFF EAInputStream 0x004534f0 read 4 B
EASniFF 004534f0 0000: c5 b1 04 00
EASniFF EAInputStream 0x004534f0 read 4 B
EASniFF 004534f0 0000: 00 90 00 f6
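The capture above can be decoded offline. The Python below is an added example, not the EASniFF tool or any code from the talk. The framing (sync bytes c5 b1, a length byte, the payload, one trailer byte that is left uninterpreted) and the mapping of EAOutputStream/EAInputStream to host-to-accessory and accessory-to-host are assumptions inferred from the dump; the VERIFY APDU header (CLA 00, INS 20, ISO 7816-4) and the ISO 9564-1 format 2 PIN block are standard encodings that the captured bytes happen to match, which is exactly why the cleartext PIN is recoverable from the stream.

```python
"""Recover the PIN from a captured External Accessory stream (added example).

Assumed framing (inferred from the dump, not documented on the slide):
    c5 b1 | len | payload[len] | one trailer byte (not interpreted here)
The payloads carry a T=0-style exchange: the host sends the VERIFY header
CLA=00 INS=20 P1=00 P2=80 Lc=08, the accessory echoes the INS byte as a
procedure byte, the host sends the Lc data bytes, the accessory answers
with status word 90 00. The data part is an ISO 9564-1 format 2 PIN block:
control nibble 2, PIN length nibble, PIN digits, F padding.
"""
import re

# Constructed from the slide's EASniFF lines, ASCII columns dropped.
SNIFF_LOG = """\
EASniFF EAOutputStream 0x00453be0 wrote 9 B (of 9)
EASniFF 00453be0 0000: c5 b1 05 00 20 00 80 08 dd
EASniFF EAInputStream 0x004534f0 read 4 B
EASniFF 004534f0 0000: c5 b1 03 00
EASniFF EAInputStream 0x004534f0 read 3 B
EASniFF 004534f0 0000: 00 20 67
EASniFF EAOutputStream 0x00453be0 wrote 13 B (of 13)
EASniFF 00453be0 0000: c5 b1 09 24 12 34 ff ff ff ff ff 00 fb
EASniFF EAInputStream 0x004534f0 read 4 B
EASniFF 004534f0 0000: c5 b1 04 00
EASniFF EAInputStream 0x004534f0 read 4 B
EASniFF 004534f0 0000: 00 90 00 f6
"""

SYNC = b"\xc5\xb1"
DIR_LINE = re.compile(r"^EASniFF EA(Output|Input)Stream 0x[0-9a-f]+ (?:wrote|read) \d+ B")
HEX_LINE = re.compile(r"^EASniFF [0-9a-f]{8} [0-9a-f]{4}: ((?:[0-9a-f]{2} ?)+)$")


def collect_streams(log):
    """Reassemble the Output (host->accessory) and Input (accessory->host)
    byte streams; the sniffer logs partial reads, so frames span log lines."""
    streams = {"Output": bytearray(), "Input": bytearray()}
    direction = None
    for line in log.splitlines():
        line = line.strip()
        d = DIR_LINE.match(line)
        if d:
            direction = d.group(1)
            continue
        h = HEX_LINE.match(line)
        if h and direction:
            streams[direction].extend(bytes.fromhex(h.group(1)))
    return {k: bytes(v) for k, v in streams.items()}


def split_frames(data):
    """Split a stream into (payload, trailer) pairs under the assumed framing.
    A capture that ends mid-frame is reported, not silently padded."""
    frames, pos = [], 0
    while pos < len(data):
        if data[pos:pos + 2] != SYNC:
            raise ValueError("lost sync at offset %d" % pos)
        if pos + 3 > len(data):
            raise ValueError("truncated frame at offset %d" % pos)
        n = data[pos + 2]
        end = pos + 3 + n + 1                  # payload plus one trailer byte
        if end > len(data):
            raise ValueError("truncated frame at offset %d" % pos)
        frames.append((data[pos + 3:pos + 3 + n], data[end - 1]))
        pos = end
    return frames


def decode_iso2_pin_block(block):
    """Return the PIN digits of an ISO 9564-1 format 2 block, or None."""
    if len(block) != 8 or block[0] >> 4 != 2:
        return None
    n = block[0] & 0x0F
    digits = block[1:].hex()                    # 14 nibbles: PIN then F padding
    if not (4 <= n <= 12) or not digits[:n].isdigit() or set(digits[n:]) != {"f"}:
        return None
    return digits[:n]


def recover_verify(log):
    """Pair host and accessory frames and pull the PIN out of a VERIFY."""
    streams = collect_streams(log)
    host = [p for p, _ in split_frames(streams["Output"])]
    card = [p for p, _ in split_frames(streams["Input"])]
    found = {"command": None, "lc": None, "pin": None, "sw": None}
    for out, resp in zip(host, card):
        if found["command"] is None:
            if out[:2] == b"\x00\x20" and len(out) >= 5:   # CLA 00, INS 20 = VERIFY
                found["command"] = "VERIFY"
                found["lc"] = out[4]
                if resp[-1:] != b"\x20":                     # expected procedure byte
                    found["command"] = "VERIFY?"
        elif found["pin"] is None:
            found["pin"] = decode_iso2_pin_block(out[:found["lc"]])
            found["sw"] = resp[-2:].hex()                    # 9000 = PIN accepted
    return found


if __name__ == "__main__":
    print(recover_verify(SNIFF_LOG))
```

Running it on the embedded capture yields the VERIFY command with Lc = 8, PIN 1234 and status word 9000, i.e. the PIN the slide annotates crossed the accessory channel in the clear and the card accepted it. Any process that can attach to the same stream (the Failbreak scenario from earlier in the deck) sees the same bytes.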

TrustZone Illustration
ARM Security Technology - Building a Secure System using TrustZone Technology, whitepaper, ARM Limited, 2009

Here Comes the Sticker
A cool option if your device lacks NFC. But what if your device does have NFC already?

NFC Internals

So, You Want a Sticker

Be Aware of Mobile Malware!
A malicious application can transparently skim the sticker (almost) any time it wants to (obviously). On Android, no special exploit is needed, just as in the case of mTAN interception. The NFC controller shall be turned off or strictly managed. On the other hand, it would not be that useful with the transponder attached permanently anyway.

Bluetooth Low Energy

BLE a.k.a. Bluetooth Smart
A redesigned Bluetooth radio network: to consume much less power (it has to work for years on a button-cell battery), to allow fast connection and pairing, and to enhance quick short message exchange.
LE FFC versus NFC: radiative far field vs. inductive near field; comfort vs. energy feed; smart devices vs. smart cards. How about LE FFC and NFC together?

Biometric Identification
...automated establishment of the human identity based on their physical or behavioral characteristics.

Enrollment Phase
Jain, Ross, Nandakumar: Introduction to Biometrics, Springer, 2011

Verification (1 : 1)
Jain, Ross, Nandakumar: Introduction to Biometrics, Springer, 2011

Identification (1 : N)
Jain, Ross, Nandakumar: Introduction to Biometrics, Springer, 2011

Biometric System Topology
Jain, Ross, Nandakumar: Introduction to Biometrics, Springer, 2011

Match Score
It would be nice if we had a simple true/false result, as in conventional crypto. But we cannot. All we have is a random variable X that follows two conditional distributions: $f(x \mid \text{impostor})$ and $f(x \mid \text{genuine})$.

Match Score Evaluation
[figure: the densities $f(x \mid \text{impostor})$ and $f(x \mid \text{genuine})$ with the decision threshold $\eta$]

False Accept Rate
$\mathrm{FAR}(\eta) = \int_{\eta}^{\infty} f(x \mid \text{impostor})\,dx$

False Reject Rate
$\mathrm{FRR}(\eta) = \int_{-\infty}^{\eta} f(x \mid \text{genuine})\,dx$

Real DET Curve (Detection Error Tradeoff)
Jain, Ross, Nandakumar, 2011
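A worked computation of FAR, FRR and the equal error rate for the threshold model of the preceding slides, as an added example (not code from the talk or from Jain, Ross and Nandakumar). The two conditional score densities are modelled as Gaussians, and their means and standard deviations are assumptions chosen so that the numbers are easy to check by hand; the empirical variant at the end is how a DET curve is actually built from measured match scores.

```python
"""FAR, FRR and EER of a score-based biometric verifier (added example).

f(x | genuine) and f(x | impostor) are modelled as Gaussians with the
assumed parameters below; FAR(eta) and FRR(eta) are the tail integrals
from the slides, evaluated in closed form through the normal CDF.
"""
import math

GENUINE = (0.7, 0.1)   # (mean, std) of f(x | genuine), assumed for illustration
IMPOSTOR = (0.3, 0.1)  # (mean, std) of f(x | impostor), assumed for illustration


def phi(z):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def far(eta, impostor=IMPOSTOR):
    """FAR(eta) = integral from eta to +inf of f(x | impostor) dx:
    the fraction of impostor scores at or above the threshold."""
    mu, sigma = impostor
    return 1.0 - phi((eta - mu) / sigma)


def frr(eta, genuine=GENUINE):
    """FRR(eta) = integral from -inf to eta of f(x | genuine) dx:
    the fraction of genuine scores below the threshold."""
    mu, sigma = genuine
    return phi((eta - mu) / sigma)


def eer(genuine=GENUINE, impostor=IMPOSTOR, tol=1e-9):
    """Threshold where FAR == FRR, and that common rate, found by bisection.
    FAR falls and FRR rises with eta, so FAR - FRR crosses zero exactly once."""
    spread = 6.0 * max(genuine[1], impostor[1])
    lo = min(genuine[0], impostor[0]) - spread   # here FAR ~ 1 and FRR ~ 0
    hi = max(genuine[0], impostor[0]) + spread   # here FAR ~ 0 and FRR ~ 1
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if far(mid, impostor) > frr(mid, genuine):
            lo = mid                              # still too permissive: raise eta
        else:
            hi = mid
    eta = (lo + hi) / 2.0
    return eta, far(eta, impostor)


def empirical_rates(eta, genuine_scores, impostor_scores):
    """FAR/FRR estimated from measured match scores, the input of a DET plot."""
    fa = sum(s >= eta for s in impostor_scores) / len(impostor_scores)
    fr = sum(s < eta for s in genuine_scores) / len(genuine_scores)
    return fa, fr


def det_points(genuine_scores, impostor_scores, steps=20):
    """(eta, FAR, FRR) triples over a threshold sweep from the lowest to the
    highest observed score; FAR against FRR on probit axes is the DET curve."""
    scores = genuine_scores + impostor_scores
    lo, hi = min(scores), max(scores)
    points = []
    for k in range(steps + 1):
        eta = lo + (hi - lo) * k / steps
        points.append((eta,) + empirical_rates(eta, genuine_scores, impostor_scores))
    return points


if __name__ == "__main__":
    eta, rate = eer()
    print("FAR(0.5)=%.5f FRR(0.5)=%.5f  EER at eta=%.3f -> %.5f"
          % (far(0.5), frr(0.5), eta, rate))
    # constructed sample scores, not measured data
    for p in det_points([0.6, 0.8, 0.9, 0.4], [0.1, 0.2, 0.55, 0.3], steps=4):
        print("eta=%.2f FAR=%.2f FRR=%.2f" % p)
```

With the symmetric parameters above the two error rates meet at $\eta = 0.5$, where both equal the upper tail of a standard normal beyond two sigma, about 2.3 percent. Moving $\eta$ trades one rate for the other; that trade is the DET curve, and it is the only knob the verifier offers, since there is no threshold at which both rates vanish.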

Contrasting Design Approach
Classic cryptography: infeasible mathematical problems.
Quantum cryptography: intractable physical problems.
Biometric identification: statistical signal analysis; intractability is usually not the prime concern, and we hope the complexity of Mother Nature somehow guarantees the security.

Open [figure labels: Detection, Template Revocation]

Convincing Algorithms

Liveness Detection Demystified

Safe Template Revocation

Conclusion
We have the best security mechanisms we ever had. However, the attack intensity is also very high and still increasing. The threat model is changing significantly: new attacks are induced by new use-cases (X-platform, SSL/TLS, etc.), rather than by e.g. astonishing cryptanalytic advances. Biometric identification is here and we have to face it.
"We really need to move very fast to even stand still." -- JFK

Thank You For Attention
Tomáš Rosa, Ph.D.
http://crypto.hyperlink.cz

Movie Snapshots Taken From
Slunce, seno, erotika, Ateliery Bonton Zlín, a.s., ČR, 1991
Slunce, seno, jahody, ČR, 1983
Císařův pekař, ČR, 1951

