SchmooCon to Cover Hot Mobile Security Topics

The ShmooCon security conference takes place in Washington D.C. this weekend. There will be a good number of mobile and embedded talks, covering attacks on and defense of Bluetooth, Android, NFC, RFID, and more.

Disposable computers
A number of years ago at DefCon a team of penetration testers showed how to infiltrate a corporate network by mailing an iPhone with a large backup battery to the target company. This allowed them to exploit vulnerable host on the internal network and then ship any acquired data back to themselves. In that case they eventually recovered this expensive portable computer (iPhone), but it would have been better if they didn’t have to worry about getting the computer back. There are other cases where one might want to use a computer without spending a lot of money on a smartphone, say, doing data collection in your near-space balloon.

In the talk “Sacrificial Computing for Land and Sky,” researcher Brendan O’Connor will explain how to build throw-away computers for less than US$80. These are computers that can be left at a target location without concern for recovering them.

If the last time you followed Bluetooth security was more than a couple of years ago, you might think that Bluetooth is a broken protocol. Things have improved, though, with many of the old bugs and vulnerabilities fixed. There have been new attacks and new tools created for testing Bluetooth, but there are also techniques for protecting yourself from attackers. Researcher JP Dunning’s talk “Defending the King of Denmark with a BLADE” will cover his toolkit for detecting such attacks.

Near Field Communications and Radio Frequency Identification
New models of iPhones and Android smartphones are coming with NFC capabilities. These will eventually allow you to use your phone to buy goods and services just by tapping to pay. Having your credit cards tied to your phone or an RFID chip can be risky if security hasn’t been tested. Chris Paget, an expert on radio and GSM security, will present on the security vulnerabilities in today’s credit cards with RFID. Fortunately he will also cover ways to protect your credit cards.

Your phone-based credit cards aren’t necessarily safe. Researchers Corey Benninger and Max Sobell will go after NFC-enabled smartphones in “Intro to Near Field Communication (NFC) Mobile Security.” This is an extension to their Sector conference talk, but updated with new information on Google Wallet and the latest version of Android.

You might be familiar with RFID proximity cards used in your workplace to “badge in” and “badge out.” Penetration testers regularly bypass access-control systems that use such cards. Foundstone’s Brad Antoniewicz will showcase methods of attacking these RFID systems from multiple points of entry.

Android malware is taking off with maliciously modified pirated apps and premium-rate SMS-sending Trojans. As threats increase, the need to analyze suspicious apps and compromised devices also increases.

Two talks will cover these aspects of securing an Android device: Matthew Rowley’s “A Blackhat’s Tool Chest: How We Tear Into That Little Green Man” and Joe Sylve’s “Android Mind Reading: Memory Acquisition and Analysis with DMD and Volatility.”  Both talks will include tool releases to help other researchers reverse-engineer malicious apps and dump memory from a running Android device.

The iPhone does not escape scrutiny from these security researchers. David Schuetz will update his talk on the iPhone’s device-management interface. Device management allows your company’s system administrator or IT head to supply your iPhone with your corporate email or remotely wipe all the data when it is lost or stolen. He will cover changes in iOS 5 and other details.

Mobile exploitation
Smartphones aren’t always targets, sometimes they’re also used to attack. Researcher Pedro Joaquin will give a FireTalk, “ROUTERPWN: A Mobile Router Exploitation Framework.” Penetration Testers who need to test routers, access points, etc. can now pull out their smartphones and have access to ready-to-run exploits. The framework is written in JavaScript and HTML, so it doesn’t really matter what kinds of smartphones they have.

These are just a few of the mobile and embedded-related talks at ShmooCon. The weekend should be full of many more enlightening security-related presentations.