Black Hat, Other Conferences to Dig Into Mobile Security

This week many security researchers will converge on Las Vegas for the annual Black Hat USA, Security B-Sides Las Vegas, and DefCon security conferences. As in previous years, we’ll present and discuss many new security techniques and methods used by computer criminals, attackers, and defenders. A good portion of the new research will be related to mobile phones and devices.

Android Malware and Exploits

Google introduced an interesting security service, Bouncer, for its app market (Google Play). The company left out details on implementation or what exactly will prevent bad apps from entering the market. While this sounds like a good step to make it more difficult for attackers, this move also makes it much more difficult for security researchers to defend against those same bad guys. Security through obscurity doesn’t work and is only a delaying tactic.

Charlie Miller and Jon Oberheide presented their findings on Bouncer at SummerCon earlier this year. And they weren’t the only ones looking at Bouncer: Researchers Nicholas Percoco and Sean Schulte have also thrown their hats in the ring. They’ll present methods that their proof-of-concept (PoC) Android app used to bypass the security checks put in place with Bouncer.

The Android file format DEX hasn’t received as much attention as the portable executable (PE) format on Windows, though DEX serves a similar purpose. Malware researcher Tim Strazerre will fix that oversight when he presents his research on DEX and the tricks one can play with it to bypass the common tools that we use to analyze Android malware. While he presents PoC DEX files that crash or otherwise render our analysis tools useless, he will also provide a deep dive into the format and give out pointers and advice on robustly fixing flaws in those same tools. If your work involves dealing with Android malware, Strazerre’s talk is a can’t-miss event.

Mobile security researcher Bob Pan, owner of the dex2jar project, will present a PoC file infector for APK files. This will most likely involve injecting code into the classes.dex file in a legitimate APK and re-signing the APK with the attacker’s key. This is already possible manually and has been demonstrated in malware families such as Android/DrdDream. What we haven’t seen yet is an automated infection method or tool in the wild.

iOS Threats and Security

Apple’s iOS has been getting progressively more secure with each new update, closing holes and adding preventive measures. We’ll hear about improvements in platform security from the manger of Apple’s Platform Security Team.

Researcher Jonathan Zdziarski–a well-known name in jailbreaking, forensics, and security–will put on an iOS app hacking workshop. It looks like he’ll cover how attackers can obtain our private data and financial information from the embrace of our apps.

Stefan ‘ionic’ Esser, developer of address-space layout randomization for jailbroken iOS devices, will present on advanced heap exploitation on iOS. He’ll show a technique to control kernel memory and execute arbitrary code. Because this is in the kernel, memory and other security protections can be bypassed by skilled attackers. Will this result in easier jailbreaks or aid in the development of better iOS rootkits?

Mobile Hardware Exploitation

Other talks will involve OS specifics. Researchers Stephen Ridley and Stephen Lawler bring their experience on attacking ARM processor-based devices. They will cover the research process that enabled them to create their two-day ARM exploitation training. They will attack Linux-based devices and build a test lab of devices.

Sometimes attackers don’t want to restrict themselves to one OS. The Smartphone Pen Test Framework (SPF) makes Android and Apple iOS devices into targets of a penetration test. Previously when we wrote “pen test” and “smartphone” in the same sentence, it meant that someone was exploiting a PC from a phone. Now it’s the other way around.  The framework’s creator Georgia Weidman, an innovator in offensive security research on smartphones, will demonstrate the DARPA Cyber Fast Track-funded project throughout the week. The SPF tests for jailbroken or rooted phones and other security vulnerabilities.

The Smartphone Pen Test Framework can connect to an agent on the phone to execute further attacks.

Attacking the OS and application processor are the two most common attacks on smartphones. Researcher Ralf-Phillip Weinmann will remind us that the baseband processor, which controls the phone’s radio and access to the mobile phone network, is still susceptible to attack. His previous demonstrations involved using a fake base station, but the current attack appears to require only a standard network connection to succeed.

Researcher Ang Cui ,who convinced us that attackers really can harm our printers, is back with a framework to help protect us from bad firmware. His FRAK, Firmware Reverse Analysis Konsole, provides security researchers with a toolkit that eases the search for vulnerabilities.

Near-field communications (NFC) hardware and security has been getting coverage in the press lately. We’ve talked about how attackers can use fuzzing to find vulnerabilities; now Charlie Miller, a researcher who has successfully used fuzzing to find holes in Android and iOS, returns with new attacks on NFC-enabled hardware. At first glance the attacks don’t go after the payment portions of NFC capabilities, but Miller has apparently managed to take over every other aspect of the devices.

Researcher Collin Mulliner isn’t sitting on the sideline. Having previously worked on SMS fuzzing with Miller and NFC fuzzing independently, he continues with his research into mobile carrier networks. Normally it’s difficult to find out what lives on a mobile carrier’s network, yet Mulliner will provide details on exploring cellular networks the way we do most other Internet-connected networks.

Microcells (or femtocells) are tiny cell towers that use your home network to increase the range of your moble phone. Marketed as a way to increase reception within residences, they dial home to your mobile carrier for billing and establishing a connection. All good things, but perhaps they aren’t as secure as we think. Researcher Mathew Rowley will show how he reverse-engineered a modern microcell.

Network forensics are useful for discovering new attacks and communication from malware. Mobile network forensics hasn’t yet received as much attention. Researcher Eric Fulton will rectify that with his workshop showing what real mobile malware and botnets look like over the network.

Wealth of Mobile Talks

There are more mobile talks than anyone has time to attend at the three conferences. This may be the year that mobile security receives as much attention as that on other platforms.