Your cell phone is covered in spiders
1. Your Cell Phone is Covered in Spiders
An overview of the cell phone security landscape
Cooper Quintin
@cooperq
cooper@radicaldesigns.org
2. We are becoming increasingly dependent on mobile devices
● We are storing more and more data on them
  – Pictures
  – Videos
  – Contacts
  – Email
  – Social Graphs
  – Location History
  – Etc.
3.
● As the amount of data increases
  – The complexity increases
  – The desirability increases
  – The number of vulnerabilities increases
5. Things to Keep in Mind
Physical access == phone can and will be completely compromised.
Also, you should assume that your phone will be compromised at some point.
6. Security is a Journey, Not a Destination
The more hurdles that you put up, the harder you make it for an attacker.
Time to compromise > Determination of attacker
Just because there are so many threats to cellular security doesn't mean you shouldn't take security seriously. There are still things you can do.
7. Threat Model
● Random attacks
  – Malicious apps
  – Stolen / Lost phone
● Targeted attacker
  – Law Enforcement
  – Corporate Espionage
  – Personal Enemies
● Signal Interception
● Your Phone Company
9. iPhone
The Bad
● Closed source
● Very little in the way of security apps
● Default screen lock is a four-digit number
● Encryption tools that aren't free or open source
● FDE keys are stored on the phone and can be recovered
The Good
● There is a stronger screen lock that can be enabled
● Off The Record (OTR)
● ChatSecure (works with Gibberbot)
● PrivateGSM (Encrypted VOIP)
● Oh, and an unofficial Tor app (Covert Browser)
● Less Malware
10. Android
● IMO the best phone for security
● Open source
● Lots of security tools
● Lots of encryption tools
● Strong Screen lock
● Guardian Project
12. Currently in California (and many other states) an arresting officer can search your phone if it does not have a password lock on it.
CA Supreme Court, People vs. Diaz
“Therefore, under Diaz, if you're arrested while carrying a mobile phone on your person, police are free to rifle through your text messages, images, and any other files stored locally on your phone. Any incriminating evidence found on your phone can be used against you in court.”
13. Law Enforcement Investigators are Looking for:
● Subscriber & Equipment Identifiers
● Contacts
● Appointment Calendar
● SMS, Text Messages, Instant Messages, Email
● Call Logs
● Photos, Audio and Video
● Documents
● Location Data
14. Forensic Methods
● Recovering screen lock
  – Recovery mode or Google account
● Recovery Mode
● Cellebrite and UFED
● JTAG
15. Solutions
● Have a strong screen lock and a short timeout
● Turn USB Debugging off
  – This makes forensics a lot harder
● Don't tell them your password
● Encryption (TextSecure, LUKS, Device encryption)
16. Signal Interception
Threats
● Fake Cellular Towers / Drones
● USRP/GNU Radio
● Snooping as a Service
● Cellular companies will provide wiretaps without even a warrant
Solutions
● Encrypted Calls (RedPhone)
● Encrypted Text (TextSecure)
● Talk in Person (This is the Most Secure)
18. This is all Useless if an Attacker can Circumvent Your Lock Screen
● Physical access to a rooted phone with USB debugging on
● Recovery mods
● JTAG Interface
19. Solutions
● Choose a strong screen lock
● TURN OFF USB DEBUGGING
● Disk Encryption
● Use 2-factor authentication on Google
20. Lost and Stolen Phones
● Phone Finding Applications
● Remote wipe
● Prey (Cross platform, open source)
● Poison Pill (Open Source)
● Lookout
● Droid Tracker
● Strong Screen lock
● Report to The Provider?
  – They probably don't give a damn.
21. Malware
Vendor and Espionage malware
● This stuff is extremely sophisticated
● FinFisher
● CarrierIQ
● Voodoo CarrierIQ
Standard, untargeted malware
● Personal Data Theft
● Premium SMS
● The usual suspects (spyware, trojans, phishing)
● Facebook
22. Solutions
● Droidwall (requires root)
  – Unfortunately no longer open source
  – Try Android Firewall or AFWall
● Be careful what you install
● Antivirus (Lookout, etc.)
● Be wary of third-party app stores
● Permission Selection Apps (require root)
● Permissions Denied
● CyanogenMod
● Root your phone and remove the bloatware
23. Of Course, Even an App with No Permissions Can do a Lot
● Read files from SD card
● Get a list of packages
● Access insecure application files
● Read GSM and SIM vendor IDs
● Read Android ID (unique to your phone)
● Call home with a GET request
24. Other Attacks
● NFC
  – Can completely control the phone just by touching it.
  – Can open up a browser, get photos, videos, contacts, etc.
  – Even buffer overflows
● QR Phishing
● Baseband Attacks
25. Disk Encryption
● On some devices since Android 3 (Honeycomb)
● Encrypts the /data partition
● Encrypts the /sdcard sometimes, YMMV
● dm-crypt: tried and true
● Uses your lockscreen PIN/password as the key
● VULNERABLE TO COLD BOOT ATTACK (Frost)
● TrueCrypt (Cryptonite)
● LUKS Manager (can be used to encrypt SD card)
● IOCipher (for devs, still alpha)
  – Allows you to create an encrypted virtual FS for your app.
26. Call Encryption
OSTN
● Open {Secure, Source, Standards} Telephony (Network)
● Federated, Open Source
● Does not stop censorship or provide anonymity
● http://ostel.me
RedPhone
● Open Source client, Closed source server
● Easy to use
● Does not stop censorship or provide anonymity
27. Other Encryption
● Gibberbot (OTR, encrypts chat)
● APG (PGP for Android)
● Orbot and Orweb (technically anonymity, not encryption)
● OpenVPN (encrypts your internet connection)
● NoteCipher
● SQLCipher
● TextSecure
● RedPhone
28. Other Useful Apps
● Duck Duck Go – Alternative search engine
● KeePass – Password Vault
● AdAway – Adblocking for Android
● F-Droid – Alternative Open Source App Store
● ObscuraCam – Block people's faces in sensitive photos
● CAcert manager – Revoke untrusted root CA certs
● Firefox
● Iptableslog – Log the traffic coming from your phone
● Shark – Capture packets from your phone
● Alogcat – View Android Logs
29. In Conclusion...
● Turn off USB debugging!
● Keep your phone on you
● Trust what you install (Open Source Rules!)
● Root and install custom firmware
● Use a stronger screen lock
● Audit your phone
● Encrypt Everything!
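
One way to check the two settings these slides keep returning to (USB debugging off, storage encrypted) as part of "Audit your phone". This is an added example, not part of the original slides; it assumes a shell on the phone itself (for example a root shell) on Android 4.2 or later, where the `settings` and `getprop` tools are available.

```shell
#!/bin/sh
# Added example (not from the original slides): audit two device settings.
# Assumption: run in a shell on the phone where Android's `settings` and
# `getprop` tools exist (Android 4.2+ keeps adb_enabled in the global table).

# Grade the output of `settings get global adb_enabled` (1 = on, 0 = off).
check_usb_debugging() {
    case "$1" in
        0) echo "PASS usb_debugging=off" ;;
        1) echo "FAIL usb_debugging=on (turn it off in Developer options)" ;;
        *) echo "UNKNOWN usb_debugging='$1'" ;;
    esac
}

# Grade the output of `getprop ro.crypto.state`.
check_encryption() {
    case "$1" in
        encrypted)   echo "PASS storage=encrypted" ;;
        unencrypted) echo "FAIL storage=unencrypted (enable device encryption)" ;;
        *)           echo "UNKNOWN storage='$1'" ;;
    esac
}

# Query the device and print one line per check.
# Exit status: 0 if every check passed, 1 if any check is FAIL or UNKNOWN.
audit_device() {
    report=$(
        check_usb_debugging "$(settings get global adb_enabled 2>/dev/null)"
        check_encryption "$(getprop ro.crypto.state 2>/dev/null)"
    )
    printf '%s\n' "$report"
    case "$report" in
        *FAIL*|*UNKNOWN*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run the audit only where the Android tools exist, so the grading
# functions can also be sourced and exercised on another machine.
if command -v getprop >/dev/null 2>&1 && command -v settings >/dev/null 2>&1; then
    audit_device
fi
```

An UNKNOWN result (empty or unexpected output) is treated as a failure, so a device that does not report its encryption state is not counted as encrypted.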