Playing boogie buggy
Bogdan ALECU
Topics
▪ About me
▪ The buggy world
▪ Where does your data go?
About me
▪ Independent security researcher
▪ Sysadmin @ LEVI9
▪ Passionate about security, especially when it’s related to mobile devices; CISSP, CEH, CISA, CCSP
▪ #infosec conferences: DeepSec, DefCamp, EUSecWest
▪ Started with NetMonitor, continued with VoIP and finally GSM networks / mobile phones
▪ @msecnet / www.m-sec.net / [email protected]
The buggy world
▪ Developers
▪ Testers
▪ Customers
▪ How do you test?
▪ But is it enough?
READY FOR SOME REAL LIFE EXAMPLES?
NEVER trust the user’s input!
▪ 20K application
▪ Two-factor authentication
▪ IP ACL
▪ User authenticated automatically if … coming from the right internal IP
PLEASE CHECK YOUR HEADERS
▪ How was the IP address checked?
▪ X-FORWARDED-FOR HTTP header
▪ Modify Headers – Firefox Extension
▪ https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
▪ Try accessing the website while pretending to be browsing from your mobile device
▪ You would be surprised by the instant access you get
▪ No luck? Try Googlebot!
▪ If your log shows sensitive access being made by Googlebot, will you worry?
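Added example (my code, not from the talk): the IP-ACL auto-login described above, written once the way the slides describe it (the server believes X-Forwarded-For) and once hardened, plus the User-Agent shortcut. The internal range 10.0.0.0/8, the reverse proxy at 203.0.113.10 and the client addresses are assumptions made for the example.

```python
# Added example, not from the talk. Assumptions: the "right internal IP"
# range is 10.0.0.0/8 and the only reverse proxy allowed to set
# X-Forwarded-For is at 203.0.113.10.
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.10")}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def client_ip_vulnerable(headers, remote_addr):
    """The pattern from the slides: whatever X-Forwarded-For says wins.
    Any client can send that header, so any client can 'be' internal."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(headers, remote_addr):
    """Honour X-Forwarded-For only when the TCP peer is a known proxy, and
    then use the address that proxy appended (the rightmost one); every
    entry further left was supplied by the client and is untrusted."""
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For")
    if xff and peer in TRUSTED_PROXIES:
        return xff.split(",")[-1].strip()
    return remote_addr


def auto_login_vulnerable(headers, remote_addr):
    """Skip 2FA when the (spoofable) client address looks internal."""
    return is_internal(client_ip_vulnerable(headers, remote_addr))


def auto_login_hardened(headers, remote_addr):
    """Skip 2FA only when the address the trusted proxy saw is internal."""
    return is_internal(client_ip_hardened(headers, remote_addr))


def crawler_shortcut_vulnerable(headers):
    """The 'let Googlebot / mobile browsers straight in' shortcut from the
    slides. There is no hardened version: a User-Agent string proves
    nothing, so it must never be an authorisation input."""
    ua = headers.get("User-Agent", "")
    return "Googlebot" in ua or "Mobile" in ua


if __name__ == "__main__":
    # An attacker on the public Internet claims to come from inside.
    spoofed = {"X-Forwarded-For": "10.1.2.3"}
    print("vulnerable auto-login:", auto_login_vulnerable(spoofed, "198.51.100.7"))
    print("hardened auto-login:  ", auto_login_hardened(spoofed, "198.51.100.7"))
    print("googlebot shortcut:   ", crawler_shortcut_vulnerable(
        {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"}))
```

The hardened variant only works if the proxy is the sole path to the application (firewall the app port to the proxy) and the proxy appends, never merely forwards, the header; otherwise the rightmost entry is still attacker data.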
▪ Those damn headers …
DEMO time
▪ Having the right headers (security by obscurity) can open a lot of doors
▪ Those damn headers … AGAIN!
Yet another demo
▪ Don’t bullshit me: admit your weakness!
▪ Implementation gone wild
▪ How many of you use the Internet on your mobile device?
▪ Do you know what DNS is?
Set up a VPN server on UDP port 53 (the DNS port)
… and connect to your server
… pass the traffic to the Internet
… the operator passes DNS traffic without counting it against your quota
UNLIMITED MOBILE DATA TRAFFIC!
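Added example (my code, not from the talk): the trick works because the operator lets UDP/53 through without looking at it or metering it. This is the check the operator side is missing: a structural DNS parser run over packets, flagging any flow to UDP/53 whose payload is not a DNS message. The packets and addresses below are constructed for the example; the second one imitates the first bytes of an OpenVPN client reset.

```python
# Added example, not from the talk. Sample packets are constructed.
import struct

VALID_OPCODES = {0, 1, 2, 4, 5}   # QUERY, IQUERY, STATUS, NOTIFY, UPDATE


def _skip_name(buf, pos):
    """Walk one DNS name starting at pos; return the offset after it, or -1."""
    total = 0
    while True:
        if pos >= len(buf):
            return -1
        length = buf[pos]
        if length == 0:
            return pos + 1
        if (length & 0xC0) == 0xC0:          # compression pointer, 2 bytes
            return pos + 2 if pos + 1 < len(buf) else -1
        if length > 63:                      # label limit
            return -1
        total += length + 1
        if total > 255:                      # name limit
            return -1
        pos += 1 + length


def looks_like_dns(payload):
    """Cheap structural check: sane header, question section parses,
    no trailing bytes unless there are records to hold them."""
    if len(payload) < 12:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if (flags >> 11) & 0xF not in VALID_OPCODES:
        return False
    if flags & 0x0040:                       # reserved Z bit must be zero
        return False
    if qd < 1 or qd > 8:
        return False
    pos = 12
    for _ in range(qd):
        pos = _skip_name(payload, pos)
        if pos < 0 or pos + 4 > len(payload):
            return False
        pos += 4                             # QTYPE + QCLASS
    if an == ns == ar == 0 and pos != len(payload):
        return False
    return True


def tunnel_suspects(packets):
    """packets: iterable of (src, dst, dport, payload). Returns the set of
    (src, dst) pairs that sent at least one non-DNS payload to UDP/53."""
    bad = set()
    for src, dst, dport, payload in packets:
        if dport == 53 and not looks_like_dns(payload):
            bad.add((src, dst))
    return bad


# Constructed: a standard A query for example.com.
REAL_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              b"\x07example\x03com\x00\x00\x01\x00\x01")
# Constructed: opcode byte 0x38 (OpenVPN HARD_RESET_CLIENT_V2, key id 0),
# an 8-byte session id and padding. Not a valid DNS message.
VPN_BLOB = b"\x38" + b"\x9f\x2a\x41\xd3\x6b\x08\xc4\x17" + b"\x00" * 20

SAMPLE_PACKETS = [
    ("10.20.30.40", "8.8.8.8", 53, REAL_QUERY),
    ("10.20.30.41", "203.0.113.5", 53, VPN_BLOB),
    ("10.20.30.41", "203.0.113.5", 53, VPN_BLOB),
]

if __name__ == "__main__":
    print("tunnel suspects:", tunnel_suspects(SAMPLE_PACKETS))
```

A parser like this only catches tunnels that do not bother to look like DNS; a tunnel that encodes data inside valid queries (iodine-style) needs volume and entropy rules on top. The cleaner operator fix is to force all UDP/53 through the carrier's own resolvers so port 53 to arbitrary hosts never reaches the Internet.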
▪ The standard itself may have issues
▪ SIM Toolkit
▪ Vulnerability discovered in June 2010
▪ Reported on August 26 2010
▪ CVE-2010-3612
▪ SIM Toolkit
… and the demo
▪ FIX THIS NOW!
Where does your data go?
▪ Is the data securely transferred?
▪ What info is the app sending?
▪ When does it send the info?
▪ Does the app accept any certificate?
▪ What is stored locally?
▪ Mallory gateway
http://intrepidusgroup.com/insight/2010/12/mallory-and-me-setting-up-a-mobile-mallory-gateway/
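Added example (my code, not from the talk): the questions above are what a Mallory-style capture lets you answer. This script audits captured app requests for cleartext transport, secrets in URLs or bodies and device identifiers, and includes the config-level check behind "does the app accept any certificate". The captures, hostnames, paths and IMEI are constructed for the example.

```python
# Added example, not from the talk. Captures below are constructed.
import re
import ssl

IMEI_RE = re.compile(r"\b\d{15}\b")
SECRET_KEYS = ("password", "passwd", "pin", "token", "imei", "msisdn")


def accepts_any_certificate(ctx):
    """True if a client TLS context would let a MITM proxy's cert through."""
    return ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname


def hardened_client_context():
    """CA validation plus hostname check; the MITM proxy is rejected."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_capture(cap):
    """cap: dict with scheme, host, path, headers, body (all str).
    Returns the findings for this one request."""
    findings = []
    if cap["scheme"] != "https":
        findings.append("cleartext transport")
    for key in SECRET_KEYS:
        if re.search(rf"(^|[?&]){key}=", cap["path"], re.I):
            findings.append(f"{key} in URL query (ends up in logs/history)")
        if re.search(rf"(^|[&\n]){key}=", cap["body"], re.I):
            findings.append(f"{key} in body")
    blob = " ".join([cap["path"], cap["body"], *cap["headers"].values()])
    if IMEI_RE.search(blob):
        findings.append("device identifier (IMEI-like) transmitted")
    return findings


def audit(captures):
    """Map 'METHOD url' -> findings for every captured request."""
    return {f'{c["method"]} {c["scheme"]}://{c["host"]}{c["path"]}': audit_capture(c)
            for c in captures}


SAMPLE_CAPTURES = [
    {"method": "POST", "scheme": "http", "host": "api.example.test",
     "path": "/v1/login", "headers": {"User-Agent": "ExampleApp/1.0"},
     "body": "user=bob&password=hunter2&imei=356938035643809"},
    {"method": "GET", "scheme": "https", "host": "api.example.test",
     "path": "/v1/sync?token=abc123",
     "headers": {"User-Agent": "ExampleApp/1.0"}, "body": ""},
    {"method": "GET", "scheme": "https", "host": "api.example.test",
     "path": "/v1/news", "headers": {"User-Agent": "ExampleApp/1.0"},
     "body": ""},
]

if __name__ == "__main__":
    for request, findings in audit(SAMPLE_CAPTURES).items():
        print(request, "->", findings or "ok")
    print("default context accepts any cert:",
          accepts_any_certificate(hardened_client_context()))
```

If the app keeps talking to the API while the proxy presents its own certificate, the answer to "does the app accept any certificate" is yes, and everything the audit finds is readable on any hostile Wi-Fi.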
▪ Short demo
Call to action
▪ Don’t rely on things most users have no idea how to check to keep your app secure. You might meet someone like me, and it will get ugly
▪ Write your code in a secure way
▪ Testers: learn how to really test mobile apps. It’s not all about the user experience!
The end?!?
Thank you all!
Don’t forget about feedback forms
www.m-sec.net / @msecnet