nearby threats reversing analyzing and attacking google s
play

Nearby Threats: Reversing, Analyzing, and Attacking Googles Nearby - PowerPoint PPT Presentation

Apr 26, 2023 •378 likes •671 views

NDSS 2019 @ San Diego, US Nearby Threats: Reversing, Analyzing, and Attacking Googles Nearby Connections on Android Daniele Antonioli 1 , Nils Ole Tippenhauer 2 , Kasper Rasmussen 3 1 Singapore University of Technology and Design (SUTD) 2

  1. NDSS 2019 @ San Diego, US Nearby Threats: Reversing, Analyzing, and Attacking Google’s ‘Nearby Connections’ on Android Daniele Antonioli 1 , Nils Ole Tippenhauer 2 , Kasper Rasmussen 3 1 Singapore University of Technology and Design (SUTD) 2 CISPA Helmholtz Center for Information Security 3 University of Oxford Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android 1

  2. What are Google Nearby Connections? • Public API for Android and Android Things ◮ In-app proximity-based services ◮ E.g. peer-to-peer file editing • Implemented in the Google Play Services ◮ Available across different Android versions ◮ Applications use it as a shared library Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Motivation 2

  3. Why Analyzing Nearby Connections? • Wide attack surface ◮ Android (version ≥ 4.0) and Android Things ◮ Uses Bluetooth and Wi-Fi (at the same time) • Proprietary technology ◮ No public specifications ◮ Implementation is closed-source and obfuscated Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Motivation 3

  4. Our Core Contributions • First (security) analysis of Nearby Connections ◮ Uncovers its proprietary mechanisms and protocols ◮ Based on reversing its Android implementation • Re-implementation of Nearby Connections (REarby) ◮ Exposes parameters not accessible with the official API ◮ Impersonates nearby devices from any application • Attacking Nearby Connections on Android ◮ Connection manipulation and range extension attacks ◮ Responsible disclosure with Google Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Motivation 4

  5. Nearby Connections Public Information • Server advertises a service, client discovers it ( sid ) • Connection strategies: P2P_STAR and P2P_CLUSTER Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Background 5

  6. Nearby Connections Public Information 2 • Client and server connect using Bluetooth and/or Wi-Fi • Nodes exchange encrypted payloads (peer-to-peer) Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Background 6

  7. Our Dynamic Binary Instrumentation • Workhorse: Frida, https://www.frida.re ◮ Profiling of processes, e.g. NC-App, NC-GPS ◮ Hook function and methods calls ◮ Override parameters and return values ◮ Read and write processes’ memory Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Setup 7

  8. Reversed Phases of a Nearby Connection Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  9. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  10. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  11. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  12. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret 4 Optional Authentication : based on the shared secret Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  13. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret 4 Optional Authentication : based on the shared secret 5 Application Layer Connection Establishment : interactive Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  14. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret 4 Optional Authentication : based on the shared secret 5 Application Layer Connection Establishment : interactive 6 Key Derivation Functions : session, AES and HMAC keys Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  15. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret 4 Optional Authentication : based on the shared secret 5 Application Layer Connection Establishment : interactive 6 Key Derivation Functions : session, AES and HMAC keys 7 Optional Physical Layer Switch : Bluetooth BR/EDR to Wi-Fi Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  16. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret 4 Optional Authentication : based on the shared secret 5 Application Layer Connection Establishment : interactive 6 Key Derivation Functions : session, AES and HMAC keys 7 Optional Physical Layer Switch : Bluetooth BR/EDR to Wi-Fi 8 Exchange Encrypted Payloads : 30 seconds timeout Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  17. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret 4 Optional Authentication : based on the shared secret 5 Application Layer Connection Establishment : interactive 6 Key Derivation Functions : session, AES and HMAC keys 7 Optional Physical Layer Switch : Bluetooth BR/EDR to Wi-Fi 8 Exchange Encrypted Payloads : 30 seconds timeout 9 Disconnection Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  18. Key Exchange Protocol (KEP) Client Server C S Generate sk C , pk C Generate sk S , pk S Pick N C Pick N S c C = Hash( pk C ) Kep 1 : 1, endpointId , ncname , version Kep 2 : 2, N C , c C , algo Kep 3 : 3, N S , pk S Kep 4 : 4, pk C ( S x , S y ) = sk C · pk S Verify c C ( S x , S y ) = sk S · pk C • Based on ECDH, NIST P256 curve, shared secret is S x Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 9

  19. Optional Physical Layer Switch • Bluetooth to soft access point (Wi-Fi Direct, hostapd) ◮ Server instructs the client over Bluetooth ◮ Client contacts the server over Wi-Fi Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 10

  20. Range Extension MitM Attack Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 11

  21. Range Extension MitM Attack Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 12

  22. Soft Access Point Manipulation Attack Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 13

  23. Victim Connects to Attacker’s REarby Server Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 14

  24. Attacker Manipulates Bluetooth to Wi-Fi Switch Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 15

  25. Victim Connects to Attacker’s Wi-Fi AP Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 16

  26. Attacker Configures Victim’s Network Interface Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 17

  27. Attacker Eavesdrops All Wi-Fi Traffic Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 18

  28. Conclusions • First security analysis of Nearby Connections • Reversed its Android implementation and re-implemented it (REarby) • Range extension and soft access point manipulation attacks • Try the Soft Access Point Manipulation attack: https://github.com/francozappa/REarby/tree/master/poc-hostapd Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Conclusions 19

Recommend

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Anatomy of a Massive P2P Botnet Takedown: Reversing and Attacking GameOver Zeus Dennis Andriesse

Anatomy of a Massive P2P Botnet Takedown: Reversing and Attacking GameOver Zeus Dennis Andriesse

Anatomy of a Massive P2P Botnet Takedown: Reversing and Attacking GameOver Zeus Dennis Andriesse Vrije Universiteit Amsterdam Finse Winter School 2018 Acknowledgements Brett Stone-Gross (Dell SecureWorks) Tillmann Werner, Christian Dietrich

1.02k views • 99 slides
Equitable Subordination and Recharacterization: Looming Bankruptcy Litigation Threats Attacking

Equitable Subordination and Recharacterization: Looming Bankruptcy Litigation Threats Attacking

Presenting a live 90-minute webinar with interactive Q&A Equitable Subordination and Recharacterization: Looming Bankruptcy Litigation Threats Attacking and Defending Preference Status of Lender, Creditor and PE Sponsor Secured Claims

443 views • 32 slides
Peeling Google Public DNS Onion ANALYZING CACHE COHERENCY AND LOCALITY OF GOOGLE PUBLIC DNS

Peeling Google Public DNS Onion ANALYZING CACHE COHERENCY AND LOCALITY OF GOOGLE PUBLIC DNS

Research Project 1 Peeling Google Public DNS Onion ANALYZING CACHE COHERENCY AND LOCALITY OF GOOGLE PUBLIC DNS Tarcan Turgut & Rohprimardho Under supervision of Roland M. van Rijswijk-Deij from SURFnet 4 February 2015 Research Questions

282 views • 24 slides
Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018 About me Security researcher at Google Project Zero Previously: Google Security Team, Academia (UNIZG) Doing security research for the last

774 views • 48 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida Motivation Existing tools often not a good fit for the task at hand Creating a new tool usually takes too much effort Short feedback

1.17k views • 37 slides
Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) Web Server Threats What can happen? Compromise Defacement Gateway to attacking clients Disclosure (not mutually exclusive) And what makes

1.27k views • 96 slides
Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) 1 Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) 1 Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) 1 Web Server Threats What can happen? Compromise Defacement Gateway to attacking clients Disclosure (not mutually exclusive) And what makes

1.09k views • 92 slides
Reversing a firmware uploader & Others NFC stories 1

Reversing a firmware uploader & Others NFC stories 1

7/1/2019 Reversing a Firmware uploader & others NFC stories Reversing a firmware uploader & Others NFC stories 1 file:///D:/projects/pts2019/dist/index.html 1/41 7/1/2019 Reversing a Firmware uploader & others NFC stories

920 views • 41 slides
WFIRST Infrared Nearby Galaxy Survey Ben Williams (University of Washington) Nearby Galaxies Are

WFIRST Infrared Nearby Galaxy Survey Ben Williams (University of Washington) Nearby Galaxies Are

WFIRST Infrared Nearby Galaxy Survey Ben Williams (University of Washington) Nearby Galaxies Are Great for Astrophysics Detailed view and context simultaneously Sensitive to galaxy evolution and cosmology Anchor our knowledge for

682 views • 45 slides
TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats Explosive ad incendiary Threats Bio Hazardous Powder Threats 3 Improvised mechanical Devices TR15 Smart Scan Can easily detect the component

192 views • 16 slides
arXiv:1706.03762v5 [cs.CL] 6 Dec 2017 Llion Jones Aidan N. Gomez ukasz Kaiser

arXiv:1706.03762v5 [cs.CL] 6 Dec 2017 Llion Jones Aidan N. Gomez ukasz Kaiser

Attention Is All You Need Ashish Vaswani Noam Shazeer Niki Parmar Jakob Uszkoreit Google Brain Google Brain Google Research Google Research avaswani@google.com noam@google.com nikip@google.com usz@google.com

295 views • 15 slides
Exploits of a TAG analyst chasing in the wild Clement Lecigne <clem1@google.com, @_clem1>

Exploits of a TAG analyst chasing in the wild Clement Lecigne <clem1@google.com, @_clem1>

Exploits of a TAG analyst chasing in the wild Clement Lecigne <clem1@google.com, @_clem1> Whoami Why this talk and what not to expect? Security @ Google What is TAG Understand targeted threats. Build intelligence systems. ~30 people (US

1.23k views • 61 slides
Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus Mannheim Centre for European Social Research (MZES) University of Mannheim www.mzes.uni-mannheim.de www.mzes.uni mannheim.de Overcoming early exit

380 views • 9 slides
Nearby Galaxies as measures of Feedback Brent Groves (MPIA) Quenching & Quiescence MPIA,

Nearby Galaxies as measures of Feedback Brent Groves (MPIA) Quenching & Quiescence MPIA,

Nearby Galaxies as measures of Feedback Brent Groves (MPIA) Quenching & Quiescence MPIA, Heidelberg July 14-18, 2014 Why Nearby? In nearby galaxies we can resolve the physics of feedback processes (J. Gallaghers talk)

466 views • 43 slides
Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD Student Independent InfoSec Consultant/Contractor Overview Typical Java Reversing Talk o Decompile Code o Make Changes o Recompile and Win?

868 views • 66 slides
Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini

Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini

SESSION ID: MLAI-W03 Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini Research Scientist, Google Brain #RSAC Act I: On the Security and Privacy of Neural Networks #RSAC Let's play a game

1.07k views • 103 slides
Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as

Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as

Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as quickly as possible without having to read disassembled code Advantages Active Reversing reveals contextual relationships between user actions,

1.41k views • 91 slides
53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats every minute* * Merrill Lynch ...Causing $3T USD in costs, and expected to double by 2021* * CyberSecurity Ventures (2015) Todays threat

508 views • 35 slides
Watup, could you pick up this thing for me NEARBY? HOME NEARBY After 20 metres After 10 metres

Watup, could you pick up this thing for me NEARBY? HOME NEARBY After 20 metres After 10 metres

Watup, could you pick up this thing for me NEARBY? HOME NEARBY After 20 metres After 10 metres After 5 metres Destination HOME NEARBY After 20 metres After 10 metres After 5 metres Destination You have to check out this RESTAURANT on your

860 views • 33 slides
Google AdWords & Google Analytics Jenn Davidson What are they? Several different Google

Google AdWords & Google Analytics Jenn Davidson What are they? Several different Google

Google AdWords & Google Analytics Jenn Davidson What are they? Several different Google Ad certification exams. Sales, shopping, mobile sites etc. Google Ads- online advertising service where advertisers pay to display brief

706 views • 9 slides
Franois Rochon - Giverny Capital "The Art of Investing: Analyzing Numbers and Going

Franois Rochon - Giverny Capital "The Art of Investing: Analyzing Numbers and Going

MicroCapClub Investor Transcript Franois Rochon - Giverny Capital "The Art of Investing: Analyzing Numbers and Going Beyond" Google Talk December 5 th , 2017 Saurabh Madaan: Hello and welcome, everyone. We have a very special guest

364 views • 20 slides
Reversing Land Degrada.on in Landlocked Countries

Reversing Land Degrada.on in Landlocked Countries

Reversing Land Degrada.on in Landlocked Countries Magda Lovei Prac&ce Manager for Environment and Natural Resources, World Bank I. Present

461 views • 18 slides

More recommend