
Think like a Hacker: Not So Smart Phone Security (PowerPoint presentation)



  1. Think like a Hacker: Not So Smart Phone Security
     Partners in Information Security

  2. Introduction
     - Peter Rietveld
     - Liviu Rombaut
     - Traxion

  3. Smartphones will never be secure
     - Since security is not a simple notion
       - What & whom are you protecting?
     - Since it is a very complex device
       - Comparable to a PC in 2003
     - Since it depends on many environmental factors

  4. Whom to secure? Vendor
     - You must buy a new phone every 2 years
       - Stop updates
       - Result: orphaned phones
     - Promise new features every day
       - Rushed production
       - Result: bad software

  5. App builder
     - Quick results
     - Promise the world
     - Skip ‘difficult stuff’
     - Security is not a focus
     - Result: broken software

  6. User
     - Usability
     - Not pay for software
     - Install all kinds of stuff
     - Let everyone use the device
     - Result: broken systems

  7. User’s company
     - ‘BYOD’ or company device
     - Install software
     - Block certain updates ‘for compatibility’
     - Result: broken system

  8. Governments
     - Surveillance requirements
     - Result: broken standards

  9. Provider
     - Add own software
     - Block updates (for compatibility)
     - Retain customer (SIM only)
     - Old phones stay

  10. And that is the easy part
      - Now for something more technical

  11. A smartphone is a crypto device
      - Trusted Platform
      - Code Signing
      - Theoretically good
      - Jail Breaking
        - Yet: an open platform
      - Result: Appstore = First Line of Defence
        - And the only one

  12. ‘Trusted’ Platform
      - Depends on PKI ecosystem
        - Designed mid-80s
        - Adopted in early 90s
        - Neglected since
      - Many well documented flaws
        - Better known to attackers since Flame and Stuxnet
      - Under reconstruction since 2010
        - Long way to go

  13. Dependencies
      - Trusts ‘any’ network
        - Public and private
        - WiFi Onion
      - Money comes from adware
        - Adware networks are trusted: prime attack vector
      - Certificate names based on DNS names
      - Certificates depend on online validation
        - Slow and easily fooled
      - Updates depend on DNS
        - DNS issues
        - DNSSec?

  14. Other challenges
      - Massive ecosystem
      - Exploding codebase
      - Every app in the appstore must be scanned
        - And rescanned when vulnerabilities emerge

  15. Beat the Statistics
      - Mudge @ BlackHat: 1 exploitable error per 1000 lines of code
      - Grey Hat Hacking Handbook: 5-50 errors per 1000 lines of code
      - "Code Complete" (Steve McConnell):
        - Industry average: 15-50 errors per 1000 lines of code
        - Microsoft: 0.5 errors per 1000 lines of code in released code
        - Harlan Mills, ‘cleanroom development’: 0.1 defects per 1000 lines of code in released product
        - Space-shuttle software: 0 errors in 500,000 lines of code

  16. Codebase
      [Bar chart: source lines of code (SLOC) per project, axis 0 to 100,000,000; projects shown: Drupal, Average iPhone App, Wordpress, Ruby on Rails, Joomla!, Plone, Space shuttle, F22 Raptor, Chrome, Firefox, Facebook, Windows NT4, Android, Linux 2.6 kernel, Boeing 787, RHEL 7, Windows 7, Windows XP, Debian 2.2 Potato, OS-X 10.4 Tiger]

  17. Concluding
      - Smartphones are just computers
        - In consumer space
      - And they are just as (in)secure

  18. Thank You
