Smartphone Security

A Holistic view of Layered Defenses

David M. Wheeler, CISSP, CSSLP, GSLC

(C) 2012 SecureComm, Inc. All Rights Reserved


The Smartphone Market

• The smartphone security market is expected to grow at a rate of 44 percent annually to be worth US $3 billion by 2015 (from: Canalys analyst report)


• Many vendors are jumping into the race to provide security solutions

• Solutions can be categorized by whether or not they require OEM/manufacturing support

Source: Juniper Networks

Current Stats & Trends


• Android growth is out-pacing all other phones

• Smartphone use is increasing: 48% of Americans use smartphones today

• National Vulnerability Database, reported Android vulnerabilities: 2011: 83 total vulnerabilities; 2012: 60 as of April (217% increase)

• 8 of the top 50 malware reported by F-Secure are for Android

Smartphone Security Solutions

Hardware/OEM Solutions:

• Trust Anchor & Trusted Boot
• SoC & HW Encryption
• Encrypted File System
• Hypervisor
• Secure OS

Software/3rd Party Solutions:

• Remote Wipe
• App-Level Security
• Anti-Virus
• App Disablement

Diagram (encrypted file system stack), labels only: Boot Environment, Pre-Boot Authentication, Full Disk Encryption Driver, Operating System, Storage, Encryption / Decryption

How effective are these protections against modern malware that is active today?

The Malware Problem


Sampling of Android Malware

• Angry Birds Malware: (April 2012) Android GingerBreak exploit
  – http://nakedsecurity.sophos.com/2012/04/12/android-malware-angry-birds-space-game/
  – Legitimate software from a questionable source
  – Includes a Trojan (Andr/KongFu-L) that gains root and loads malware
  – GingerBreak: http://c-skills.blogspot.com/2011/04/yummy-yummy-gingerbreak.html

• HippoSMS: (July 2011) Misuses permissions granted by the user
  – http://www.csc.ncsu.edu/faculty/jiang/HippoSMS/
  – Sends SMS messages to premium services (all Java)

• SimChecker.A: Trojan collects geolocation and other confidential information from a device and sends out this stolen info via e-mail and SMS.
  – http://www.f-secure.com/v-descs/monitoring-tool_android_simchecker_a.shtml

• GinMaster.A: (April 2011) Steals confidential info & sends it to a website.
  – http://www.f-secure.com/v-descs/trojan_android_ginmaster_a.shtml

• DroidKungFu.C: Roots the phone & collects sensitive info
  – Uses various exploits, including RageAgainstTheCage.
  – Exploits are stored in the malware package and encrypted with a key.
  – http://www.f-secure.com/v-descs/trojan_android_droidkungfu_c.shtml


• 8 of the top 50 malware of ANY kind reported by F-Secure (including Windows & Mac OS) are for Android

• National Vulnerability Database holds 83 Android vulnerabilities for 2011; as of 4/15/2012, 60 vulnerabilities are already reported

DroidKungFu

• DroidKungFu discovered in 2011

• Multi-Function Malware
  – Performs malicious commands (operates as a bot)
  – Downloads new software & files
  – Installs and deletes software (Apps)
  – Starts programs/Apps
  – Visits web sites

• Complex Construction
  – Uses both Java & native C code

• Bypasses anti-virus & makes reverse-engineering harder
  – Includes two exploits to root the phone
  – Uses AES encryption to hide functions/features
  – Provides instructions on how to root your phone

• Collects User Information
  – Sends the IMEI to a remote server
  – Reports phone model and OS version
  – Accesses any file from any App on the phone

Source: AndroidAuthority.com

http://blog.fortinet.com/clarifying-android-droidkungfu-variants/

Protection from DroidKungFu

• Anti-virus/malware scanners not effective
  – Malware code is encrypted
    • Different versions used different keys (polymorphic)

• Encrypted file system affords no protection
  – Malware accesses files through the OS just like legitimate Apps
  – If the user unlocks the phone for use (for any App), the file system is unlocked for the malware also

• Hypervisors not fully effective
  – Does not prevent rooting the OS
    • Once root, would not prevent breaking out of the VM
  – Does not protect other Apps in the VM

• SE Linux / Secure OS possibly effective
  – Must have NO privilege escalation vulnerabilities
    • Root access opens up the entire OS

• Trusted Boot
  – Detects root kit modifications on reboot
  – Would not prevent initial exfiltration


Protection Requires…

• App-level file encryption to prevent unauthorized data access

• Host firewall on the smartphone to prevent data exfiltration & bot communications

Applying Hardware & OS Enhancements

• Control rests with untrusted parties
  – Handset OEMs and carriers control HW, OS, & SW
  – Government has no control over manufacturing and the OEM process

• Most manufacturing is done in ITAR class D countries
  – Some attributed to the “Advanced Persistent Threat”
  – Office of the National Counterintelligence Executive

• Hardware Trojans through the supply chain
  – Known and unknown Trojans

• OS changes require OEM cooperation
  – Dictated by market demand
  – If you take control, then you have rooted-phone issues
    • Creates a backdoor into the OS
    • Other (untrusted) SW can utilize this backdoor
  – Software Trojans through the supply chain


Trust Anchors & Trusted Boot

• Looking at Intel’s Wireless Trust Module patents
  – Boots the phone into a trusted state

• Based upon a hardware key in OTP flash or fuses
  – Flexible provisioning process

• Ensures boot loader and base OS are valid and authorized
  – Cannot be modified except by the holder of the private key
  – Protects against rooting of a phone to replace the base OS or hypervisors, if present

• Vulnerabilities:
  – Does not prevent privilege escalation attacks or rooting of the phone to add services or malware
  – Hardware Trojans added in the manufacturer or OEM supply chain
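The chain of trust this slide describes, as an added example in Go (not code from the talk or from the Intel patents it cites): the fuses hold only a SHA-256 of the OEM public key, the boot ROM checks the shipped key against that hash and then verifies each stage's Ed25519 signature, so an image replaced by anyone without the OEM private key is refused. The zero key seed, stage names and image bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Stage is one boot image plus the OEM signature checked before it runs.
type Stage struct {
	Name       string
	Image, Sig []byte
}

// Fuses models the OTP root of trust: only the SHA-256 of the OEM public key is
// burned in at manufacture (FusesFor), so the full key can ship beside the loader.
type Fuses struct{ RootKeyHash [32]byte }
func FusesFor(pub ed25519.PublicKey) Fuses {
	return Fuses{RootKeyHash: sha256.Sum256(pub)}
}

// SignStage is the OEM's build-time step with its private signing key.
func SignStage(priv ed25519.PrivateKey, name string, image []byte) Stage {
	return Stage{Name: name, Image: image, Sig: ed25519.Sign(priv, image)}
}

// VerifyChain is the boot ROM's step: bind the shipped public key to the fuses,
// then accept each stage only if its signature verifies under that key. Nothing
// here runs after boot, which is why runtime rooting is out of its reach.
func VerifyChain(fuses Fuses, pub ed25519.PublicKey, chain []Stage) error {
	if sha256.Sum256(pub) != fuses.RootKeyHash {
		return errors.New("boot ROM: public key does not match fused hash")
	}
	for _, st := range chain {
		if !ed25519.Verify(pub, st.Image, st.Sig) {
			return fmt.Errorf("boot ROM: %s signature invalid, halting", st.Name)
		}
	}
	return nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed zero seed, not a real OEM key
	pub := priv.Public().(ed25519.PublicKey)
	chain := []Stage{SignStage(priv, "base OS", []byte("constructed OS image"))}
	fmt.Println("pristine:", VerifyChain(FusesFor(pub), pub, chain))
	chain[0].Image = []byte("constructed OS image, replaced")
	fmt.Println("tampered:", VerifyChain(FusesFor(pub), pub, chain))
}
```

As the vulnerability bullets say, the check runs only at boot: a runtime privilege escalation that leaves the signed images untouched passes it unchanged.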


SoC & HW Encryption

• Integrated System-on-a-Chip
  – Part of all smartphone hardware today
  – Densely packed, multi-layer boards
  – Often includes encryption modules embedded in the chip
  – Android device drivers are not available for the encryption engines and other advanced security features

• Vulnerabilities
  – Dense packaging makes hardware attacks on buses difficult (impossible for most attackers)
  – Physical attacks have a high probability of damaging the chips (even for national labs; discussed further below)


Smartphone Architecture: Physical

iPhone 4 Hardware http://www.ifixit.com/Teardown/iPhone-4-Verizon-Teardown/4693/1

Figure: iPhone 4 teardown with labelled components: processor with PoP DDR SDRAM, power management (two parts), touch screen controller, power amplifiers (two parts), baseband/RF transceiver, 16 GB NAND flash, DRAM & flash MCP, WiFi & Bluetooth & GPS

PoP = package on package

Encrypted File System

• Encrypts all data stored to a file system
• Protection occurs at the device driver layer
• Prevents access to phone/files/Apps if the phone is lost or accessed by an unauthorized user
• Very slow performance on flash architecture
  – Much faster on a PC (for disk drives)
  – Due to the block-size characteristics of flash memory

• Vulnerabilities
  – Only as secure as the encryption key storage
    • Is a HW trust anchor present?
  – Susceptible to root kits
  – OEM partnership required (to integrate into the OS, or root the phone)
  – Does not protect App data from a malicious App (if malware escapes the sandbox)


Hypervisors

• Hosts one or more guest OSs, presenting a virtual operating platform
• Sits one level above the supervisory layer (HW drivers) of the platform
• Built for a specific HW platform
• Restricts a guest OS from direct access to HW (in most cases), but introduces performance penalties

• Vulnerabilities
  – Does not prevent root kits (which are now VM-aware)
  – Requires OEM or manufacturer partnership
  – Highly susceptible to rooting of the phone
  – Are all the drivers and physical resources (SIM card, SD card, network) equally accessible to all guest OSs? There could be cross-infection between hypervisors
  – Google labs is currently researching vulnerabilities

• Dominant players:
  – VMware; Green Hills; Wind River


Secure OS

• Linux SE & Android SE from the same architect
• Must be provided by the OEM
• Linux SE requires a MAC policy (static view of Apps and drivers)
  – Does not offer flexible use of the smartphone App open marketplace concept
  – Adding a new App requires changes to be made in the OS policy
    • Not likely to allow the user to do this; return to depot?

• Vulnerabilities
  – Android OS vulnerabilities are growing; requires frequent patch updates (how will this impact certifications?)
    • Will an appropriate amount of resources be applied to keep Android SE updated?
  – Susceptible to rootkits (if a vulnerability is found); compare PC security patching history


Rooting the Smartphone

• All security solutions, except third-party add-ons, root the phone unless working with the OEM or manufacturer

• Some attacks are now checking to see if the phone is already rooted (DroidKungFu)

• New versions of Android are fixing known rooting vulnerabilities
  – Did we get them all? History => there are always more

Anti-virus SW

• Scans incoming SW & performs signature-based detection of known viruses
• Can be installed by user or enterprise without difficulty
• Cannot scan SW brought in by non-standard mechanisms
  – Malware directly downloading a file from a remote host

• Vulnerabilities
  – Android does not support parallel processing, so the scanner cannot monitor run-time activity for abnormal behavior
  – This significantly reduces efficacy, limiting function to static signature scans only (no dynamic analysis of behavior)


App Disablement

• Go Mobile: stops certain Apps and services when a sensitive App is activated, or when a protected network is attached
  – Not effective if the OS is compromised, since a root kit will “lie” to it. Example: “wireless is disabled” when it really isn’t


Remote Memory Wipe

• System or add-on SW that removes data on flash after receiving a remote command
• Android OS feature

• Vulnerabilities
  – Cannot work unless the phone is connected, or on removable media if not attached
  – May not wipe all forensic data from flash


App Security

• Wrap around each App, or wrap around a group of Apps
• Either way, need to modify the App slightly to call the security services
• Usually supports commonly used security services (integrity, confidentiality, passwords for authentication)
• Tends to be unnoticeable to the user
  – Little to no performance impact

• Vulnerabilities:
  – Crypto key protection is minimal to non-existent (FIPS 140-2 level 1)
  – Susceptible to malware interference, root kit driver replacement


Backup


Hardware Attacks

• What about bus attacks & hardware attacks?
  – Must be a physical attack (possession of the phone)

• National lab? Anything goes, but there is danger of damage to the HW

• Well-funded attacker? De-lid, chip replacement; advanced forensics labs are available to de-lid for a small fee

• Hacker org? Software-based attacks: root phone, memory dumps, privilege escalation, root-kit, data exfiltration, malware insertion

Figure annotations: Requires Type-1 HW Protections; Requires Special HW Chips

Security: Multi-Layered Security

• Security is all about asking the right questions
  – What do you want secured?
    • Data only? App usage? App code?
  – From whom do you want it secured?
    • Remote attackers? Other users? Other Apps? Thieves? Lost phone?
  – When do you want it secured?
    • During system operation? At boot? System turned off?
  – What does secured mean?
    • Confidentiality? Integrity? Availability?



“To realize cost-effective, COTS-based security solutions, a layered security approach is required to achieve assured information sharing.”

Mobility Capability Package v1.1, 2012, NSA