Smartphone Security. A Holistic view of Layered Defenses. David M. Wheeler, CISSP, CSSLP, GSLC. (C) 2012 SecureComm, Inc. All Rights Reserved


Slide 1: Smartphone Security: A Holistic View of Layered Defenses
David M. Wheeler, CISSP, CSSLP, GSLC

Slide 2: The Smartphone Market
- The smartphone security market is expected to grow at 44 percent annually and be worth US $3 billion by 2015 (Canalys analyst report).
- Many vendors are jumping into the race to provide security solutions.
- Solutions can be categorized by whether or not they require OEM/manufacturing support.
(Source: Juniper Networks)

Slide 3: Current Stats & Trends
- National Vulnerability Database, reported Android vulnerabilities: 83 in all of 2011; 60 in 2012 as of April (a 217% increase at the current rate).
- 8 of the top 50 malware families reported by F-Secure are for Android.
- Android growth is outpacing all other phones.
- Smartphone use is increasing: 48% of Americans use smartphones today.

Slide 4: Smartphone Security Solutions
Hardware/OEM solutions:
- Trust Anchor & Trusted Boot
- SoC & HW Encryption
- Encrypted File System
- Hypervisor
- Secure OS
Software/3rd-party solutions:
- Remote Wipe
- App-Level Security
- Anti-Virus
- App Disablement
(Diagram: boot environment with pre-boot authentication; operating system; driver layer performing full-disk encryption and decryption; storage.)
How effective are these protections against modern malware that is active today?

Slide 5: The Malware Problem

Slide 6: Sampling of Android Malware
- Angry Birds malware (April 2012): legitimate software from a questionable source, repackaged with a Trojan (Andr/KongFu-L) that uses the Android GingerBreak exploit to gain root and load malware.
- HippoSMS (July 2011): misuses permissions granted by the user; sends SMS messages to premium services (all Java, no exploit needed).
- SimChecker.A: Trojan that collects geolocation and other confidential information from the device and sends the stolen information out via e-mail and SMS.
- GinMaster.A (April 2011): steals confidential information and sends it to a website.
- DroidKungFu.C: roots the phone and collects sensitive information. Uses various exploits, including RageAgainstTheCage; the exploits are stored in the malware package, encrypted with a key.
- 8 of the top 50 malware families for ANY platform reported by F-Secure (including Windows and Mac OS) are for Android.
- The National Vulnerability Database holds 83 Android vulnerabilities for 2011; as of 4/15/2012, 60 vulnerabilities are already reported.

Slide 7: DroidKungFu (source: AndroidAuthority.com)
- Discovered in 2011.
- Multi-function malware: performs malicious commands (operates as a bot); downloads new software and files; installs and deletes apps; starts programs/apps; visits web sites.
- Complex construction: uses both Java and native C code to bypass anti-virus and make reverse engineering harder; includes two exploits to root the phone; uses AES encryption to hide functions/features; provides instructions on how to root your phone.
- Collects user information: uploads the IMEI to a remote server; reports phone model and OS version; once rooted, can access any file belonging to any app on the phone.

Slide 8: Protection from DroidKungFu
- Anti-virus/malware scanners: not effective. The malware code is encrypted, and different versions use different keys (polymorphic).
- Encrypted file system: affords no protection. The malware accesses files through the OS just like legitimate apps; once the user unlocks the phone for use (for any app), the file system is unlocked for the malware as well.
- Hypervisors: not fully effective. They do not prevent rooting the guest OS; once root is obtained they would not prevent breaking out of the VM; and they do not protect the other apps inside the same VM.
- SELinux / Secure OS: possibly effective, but the OS must have NO privilege-escalation vulnerabilities, since root access opens up the entire OS.
- Trusted boot: detects rootkit modifications on reboot, but would not prevent the initial exfiltration.
- Protection requires: app-level file encryption to prevent unauthorized data access, and a host firewall on the smartphone to prevent data exfiltration and bot communications.

Slide 9: Applying Hardware & OS Enhancements: Control Rests with Untrusted Parties
- Handset OEMs and carriers control the HW, OS and SW.
- Government has no control over the manufacturing and OEM process: most manufacturing is done in ITAR class D countries; some of it is attributed to the Advanced Persistent Threat (Office of the National Counterintelligence Executive); hardware trojans can enter through the supply chain (known and unknown trojans).
- OS changes require OEM cooperation, which is dictated by market demand.
- If you take control yourself, you inherit the "rooted phone" issues: rooting creates a backdoor into the OS, other (untrusted) SW can utilize that backdoor, and software trojans can enter through the supply chain.

Slide 10: Trust Anchors & Trusted Boot (looking at Intel's Wireless Trust Module patents)
- Boots the phone into a trusted state, based upon a hardware key held in OTP flash or fuses.
- Flexible provisioning process.
- Ensures the boot loader and base OS are valid and authorized; they cannot be modified except by the holder of the private key.
- Protects against rooting of a phone to replace the base OS, or the hypervisor if present.
- Vulnerabilities: does not prevent privilege-escalation attacks or rooting of the phone to add services or malware after boot; hardware trojans added in the manufacturer or OEM supply chain.
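The chain slide 10 describes, as an added example that is not from the talk or from Intel's patents: the fuses hold only a hash of the OEM root public key, the boot ROM checks the root key it finds in flash against that hash and then verifies the boot loader's signature, and the boot loader verifies the base OS with a key it carries. Ed25519 stands in for whatever signature scheme the real trust module uses; the image contents, the code || key layout and the type names are constructed for the demo. It also shows the slide's caveat in code: a swapped base OS or a foreign root key fails at boot, but nothing here runs once the OS is up, so a post-boot privilege escalation is outside its reach.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Fuses is the one-time-programmable trust anchor. It holds only the SHA-256 of
// the OEM root public key, so the key itself can sit in mutable flash while the
// fuses decide which key the boot ROM accepts. (Constructed model, not a real fuse map.)
type Fuses struct{ RootKeyHash [32]byte }

// Stage is one signed image in the chain.
type Stage struct{ Image, Signature []byte }

// packImage lays a stage out as code || next-stage public key, so each stage
// carries the key that authorizes the stage after it (layout is an assumption).
func packImage(code []byte, nextKey ed25519.PublicKey) []byte {
	return append(append([]byte{}, code...), nextKey...)
}

// VerifyBoot is the ROM + boot loader logic: fuses -> root key -> boot loader
// -> base OS. Any mismatch halts the boot; nothing here runs after boot.
func VerifyBoot(f Fuses, rootKey ed25519.PublicKey, bootLoader, baseOS Stage) error {
	if len(rootKey) != ed25519.PublicKeySize || sha256.Sum256(rootKey) != f.RootKeyHash {
		return errors.New("root public key does not match fused hash")
	}
	if !ed25519.Verify(rootKey, bootLoader.Image, bootLoader.Signature) {
		return errors.New("boot loader signature invalid")
	}
	if len(bootLoader.Image) < ed25519.PublicKeySize {
		return errors.New("boot loader carries no OS signing key")
	}
	osKey := ed25519.PublicKey(bootLoader.Image[len(bootLoader.Image)-ed25519.PublicKeySize:])
	if !ed25519.Verify(osKey, baseOS.Image, baseOS.Signature) {
		return errors.New("base OS signature invalid")
	}
	return nil
}

// Device is a provisioned phone as the ROM sees it: fuses plus the images and
// root public key stored in flash. The OEM private keys are not on the device.
type Device struct {
	Fuses      Fuses
	RootPub    ed25519.PublicKey
	BootLoader Stage
	BaseOS     Stage
}

// Provision generates OEM keys, "burns" the root-key hash and signs both images.
func Provision() (*Device, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	osPub, osPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	bl := packImage([]byte("bootloader-v1"), osPub) // constructed image contents
	base := []byte("base-os-4.0.4")
	return &Device{
		Fuses:      Fuses{sha256.Sum256(rootPub)},
		RootPub:    rootPub,
		BootLoader: Stage{bl, ed25519.Sign(rootPriv, bl)},
		BaseOS:     Stage{base, ed25519.Sign(osPriv, base)},
	}, nil
}

func (d Device) Verify() error { return VerifyBoot(d.Fuses, d.RootPub, d.BootLoader, d.BaseOS) }

// WithReplacedOS models a rooted phone whose base OS was swapped: the image
// changes but the attacker has no OEM OS key to re-sign it.
func (d Device) WithReplacedOS() Device {
	d.BaseOS = Stage{[]byte("base-os-with-backdoor"), d.BaseOS.Signature}
	return d
}

// WithAttackerRootKey models an attacker who re-signs the boot loader with
// their own key pair and drops that public key into flash; the fuse check rejects it.
func (d Device) WithAttackerRootKey() (Device, error) {
	atkPub, atkPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return Device{}, err }
	d.RootPub = atkPub
	d.BootLoader = Stage{d.BootLoader.Image, ed25519.Sign(atkPriv, d.BootLoader.Image)}
	return d, nil
}

func main() {
	d, err := Provision()
	if err != nil {
		panic(err)
	}
	fmt.Println("OEM chain:", d.Verify())
	fmt.Println("replaced base OS:", d.WithReplacedOS().Verify())
	atk, _ := d.WithAttackerRootKey()
	fmt.Println("attacker root key:", atk.Verify())
}
```

Run with `go run`: the OEM-provisioned device prints `<nil>` and the two tampered devices print the error that stopped them. Storing only the key hash in the fuses is what keeps the anchor small and lets the OEM ship the full key with the boot loader; it is also why a supply-chain trojan that can burn different fuses (the slide's remaining vulnerability) defeats the whole chain.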

Slide 11: SoC & HW Encryption
- An integrated system-on-a-chip is part of all smartphone hardware today: densely packed, multi-layer boards, often including encryption modules embedded in the chip.
- Android device drivers are not available for the encryption engines and other advanced security features.
- Vulnerabilities: the dense packaging makes hardware attacks on the buses difficult (impossible for most attackers); physical attacks have a high probability of damaging the chips (even for national labs; discussed further under Hardware Attacks).

Slide 12: Smartphone Architecture: Physical
(Diagram: iPhone 4 hardware teardown showing the processor with PoP DDR SDRAM, power management, touch screen controller, power amplifiers, baseband/RF transceiver, 16 GB NAND flash, DRAM & flash MCP, and the WiFi/Bluetooth/GPS module. PoP = package on package.)

Slide 13: Encrypted File System
- Encrypts all data stored to a file system; protection occurs at the device-driver layer.
- Prevents access to the phone/files/apps if the phone is lost or accessed by an unauthorized user.
- Very slow performance on flash architecture (much faster on PC disk drives), due to the block-size characteristics of flash memory.
- Vulnerabilities: only as secure as the encryption key storage (is a HW trust anchor present?); susceptible to rootkits; OEM partnership required (to integrate into the OS, or else root the phone); does not protect app data from a malicious app (if malware escapes the sandbox).
(Diagram: boot environment with pre-boot authentication; operating system; driver layer performing full-disk encryption and decryption; storage.)

Slide 14: Hypervisors
- Hosts one or more guest OSs, presenting a virtual operating platform.
- Sits one level above the supervisory (HW driver) layer of the platform; built for a specific HW platform.
- Restricts a guest OS from direct access to the HW (in most cases), but introduces performance penalties.
- Vulnerabilities: does not prevent rootkits (which are now VM-aware); requires OEM or manufacturer partnership; highly susceptible to rooting of the phone; if all the drivers and physical resources (SIM card, SD card, network) are equally accessible to all guest OSs, there could be cross-infection between guests. Google labs is currently researching vulnerabilities.
- Dominant players: VMware, Green Hills, Wind River.

Slide 15: Secure OS
- SELinux and SE Android come from the same architects; must be provided by the OEM.
- SELinux requires a MAC policy (a static view of apps and drivers), which does not offer the flexible use of the smartphone app open-marketplace concept: adding a new app requires changes to the OS policy, and the user is not likely to be allowed to do this (return to depot?).
- Vulnerabilities: Android OS vulnerabilities are growing and require frequent patch updates (how will this impact certifications?); will an appropriate amount of resources be applied to keep SE Android updated?; susceptible to rootkits (if a vulnerability is found); compare the PC security patching history.

Slide 16: Rooting the Smartphone
- All security solutions except third-party add-ons require rooting the phone, unless you are working with the OEM or manufacturer.
- Some attacks now check whether the phone is already rooted (DroidKungFu).
- New versions of Android are fixing known rooting vulnerabilities. Did we get them all? History says there are always more.

Slide 17: Anti-virus SW
- Scans incoming SW and performs signature-based detection of known viruses.
- Can be installed by the user or the enterprise without difficulty.
- Cannot scan SW brought in by non-standard mechanisms, e.g. malware directly downloading a file from a remote host.
- Vulnerabilities: a third-party AV app runs inside its own Android sandbox with no privileged hook into other processes or the kernel, so it cannot monitor run-time activity for abnormal behavior. This significantly reduces efficacy, limiting its function to static signature scans only (no dynamic analysis of behavior).

Slide 18: App Disablement
- Go Mobile: stops certain apps and services when a sensitive app is activated, or when a protected network is attached.
- Not effective if the OS is compromised, since a rootkit will lie to it. Example: wireless is reported as disabled when it really isn't.

Slide 19: Remote Memory Wipe
- System or add-on SW that removes data on flash after receiving a remote command; an Android OS feature.
- Vulnerabilities: cannot work unless the phone is connected, nor on removable media that is not attached; may not wipe all forensic data from flash.

Slide 20: App Security
- Wrap around each app, or around a group of apps; either way the app must be modified slightly to call the security services.
- Usually supports commonly used security services (integrity, confidentiality, passwords for authentication).
- Tends to be unnoticeable to the user; little to no performance impact.
- Vulnerabilities: crypto key protection is minimal to non-existent (software-only, FIPS 140-2 Level 1 at best); susceptible to malware interference and rootkit driver replacement.
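An app-level encryption layer of the kind slides 8, 13 and 20 call for, as an added example (not the speaker's code or any product's): the record key is derived from a user passphrase that never touches flash, so a process that reads the file through the OS with root gets only the blob, which is precisely what full-disk encryption stops giving you once the device is unlocked. AES-256-GCM supplies the integrity service the app-security slide lists, and the record name is bound as associated data so a blob cannot be copied over another record. PBKDF2-HMAC-SHA256 is written out so the program needs only the Go standard library (golang.org/x/crypto/pbkdf2 is the usual import). The passphrase, record name and contents are constructed sample values. The residual weakness is the one slide 20 names: while the app is running the derived key is in process memory, so a rootkit that dumps memory or replaces the crypto driver is out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen  = 16
	nonceLen = 12
	kdfIters = 100000 // PBKDF2 rounds; tune to ~100 ms on the target handset
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) written out so the example
// needs nothing outside the standard library; x/crypto/pbkdf2 is the usual import.
func pbkdf2SHA256(password, salt []byte, iters, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], block)
		mac.Write(be[:])
		u := mac.Sum(nil)           // U1 = PRF(P, S || INT(i))
		t := append([]byte{}, u...) // T_i = U1 xor U2 xor ... xor U_c
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newAEAD derives the record key from the passphrase and salt; the key exists
// only in process memory, never in the file system.
func newAEAD(passphrase, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, kdfIters, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one app record. Blob layout: salt || nonce || AES-256-GCM
// ciphertext+tag. The record name is bound as associated data.
func Seal(passphrase, name, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // fresh salt and nonce per record
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	aead, err := newAEAD(passphrase, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	blob := make([]byte, 0, len(hdr)+len(plaintext)+aead.Overhead())
	blob = append(blob, hdr...)
	return aead.Seal(blob, hdr[saltLen:], plaintext, name), nil
}

// Open reverses Seal. A wrong passphrase, a wrong record name and a modified
// blob all fail the GCM tag check and are reported the same way.
func Open(passphrase, name, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, ct, name)
	if err != nil {
		return nil, errors.New("authentication failed: wrong passphrase, wrong record, or tampered blob")
	}
	return pt, nil
}

func main() {
	pass, name := []byte("correct horse battery staple"), []byte("contacts.db") // constructed
	blob, err := Seal(pass, name, []byte("geo=33.4,-111.9;imei=REDACTED"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("on flash, as a root-level reader sees it: %x\n", blob)
	blob[len(blob)-1] ^= 1 // a rootkit in the driver path flips one bit
	_, err = Open(pass, name, blob)
	fmt.Println("after tamper:", err)
}
```

The design choice worth noting against slide 13: the full-disk layer decrypts for whoever the kernel says is reading, so the defence here is that the passphrase-derived key is not something the kernel holds on the app's behalf. The salt is stored in the clear on purpose; it only defeats precomputation, and the passphrase strength plus the iteration count are what stand between a stolen blob and a brute-force attack.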

Slide 21: Backup (backup slides follow)

Slide 22: Hardware Attacks
- What about bus attacks and hardware attacks? These must be physical attacks (possession of the phone).
- National lab? Anything goes, but there is a danger of damaging the HW.
- Well-funded attacker? De-lidding, chip replacement, advanced forensics; labs are available that will de-lid a chip for a small fee. Defending against this requires Type 1 HW protections and special HW chips.
- Hacker organization? Software-based attacks: root the phone, memory dumps, privilege escalation, rootkit, data exfiltration, malware insertion.

Slide 23: Security: Multi-Layered Security
Security is all about asking the right questions:
- What do you want secured? Data only? App usage? App code?
- From whom do you want it secured? Remote attackers? Other users? Other apps? Thieves? A lost phone?
- When do you want it secured? During system operation? At boot? With the system turned off?
- What does "secured" mean? Confidentiality? Integrity? Availability?
(Word-cloud graphic of threat terms: physical access, remote attacker, exploit, wiretap, virus, GingerBreak, payload, source code, Trojan, sniffing, Froyo, script, browser, RageAgainstTheCage, memory dump, backdoor.)
"To realize cost-effective, COTS-based security solutions, a layered security approach is required to achieve assured information sharing." (Mobility Capability Package v1.1, 2012, NSA)