Ransombile
Yet another reason to ditch SMS
Martin Vigo
@martin_vigo | martinvigo.com
123456
Martin Vigo
Product Security Lead
From Galicia, Spain
Research | Scuba | Gin tonics
@martin_vigo - martinvigo.com
Amstrad CPC 6128
Captured while playing “La Abadía del Crimen”
Have you left your phone unattended?
Did you disable the assistant on lock screen?
Did you disable notifications on lock screen?
What can the assistant do while the device is locked?
How to steal $2,999.99 in less than 2 minutes
https://www.martinvigo.com/steal-2999-99-minute-venmo-siri
Goal
Broadening the impact
Well known issues for years
“Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”
Objective
Help push the industry to stop relying on SMS as a secure channel
Finding more
SMS services
usshortcodedirectory.com
Password reset
2-factor authentication
Verification
Attack vector
1. Obtain victim’s email
2. Use it to initiate password reset in all services
3. Obtain secret codes from SMS
4. Use them to complete password reset process in all services
5. Set new passwords
Obtain victim’s email
“Send an email to attacker@domain.com about subject saying content”
Obtain secret codes from SMS
SMSs are displayed on the locked home screen
“Read my texts”
Attack vector
1. Obtain victim’s email
2. Use it to initiate password reset in all services
3. Obtain secret codes from SMS
4. Use them to complete password reset process in all services
5. Set new passwords
Lots to compromise, limited time
We need automation
Ransombile
Ransomware + Mobile
Automates the entire password reset process over SMS
Uses Selenium for UI automation rather than APIs; there is even a Firefox plugin that records your mouse movements and generates the code for you
Does not require any backend/API knowledge to add new SMS services
Attack vector
1. Obtain victim’s email
2. Use it to initiate password reset in all services
3. Obtain secret codes from SMS
4. Use them to complete password reset process in all services
5. Set new passwords
Ransombile …
1. “Send an email to victim.ransom@gmail.com about subject saying content”
2. Get email address
3. Initiate password reset process
4. Send codes over SMS
5. Read codes and enter in Ransombile
6. Send secret codes and complete password reset
Ransombile Demo
Hi, my name is Tom Promise and I am a millennial!
Open source
github.com/martinvigo/ransombile
Conclusions
A locked mobile device is still insecure
Unattended mobile devices can be a bigger risk than unattended
computers and companies tend to ignore this
Consequences of losing your phone are not only monetary
Can we do better?
Getting rid of the physical access requirement
Attack vector
1. Obtain victim’s email
2. Use it to initiate password reset in all services
3. Obtain secret codes from SMS
4. Use them to complete password reset process in all services
5. Set new passwords
Requires physical access
Obtain victim’s email without physical access
Chaouki Kasmi & Jose Lopes Esteves
“Remote Command Injection on Modern Smartphones”
Nicholas Carlini, Pratyush Mishra, Tavish Vaidya, Yuankai Zhang, Micah Sherr, Clay Shields, David Wagner & Wenchao Zhou
“Hidden Voice Commands”
Guoming Zhang, Chen Yan, Xiaoyu Ji, Taimin Zhang, Tianchen Zhang, Wenyuan Xu
“DolphinAttack: Inaudible Voice Commands”
Dolphin Attack
Obtain secret codes from SMS without physical access
SS7 attacks
2G downgrade attacks and broken A5/1 cipher
Femtocells
DEF CON 21 - Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell
DEF CON 18 - Kristin Paget - Practical Cellphone Spying
CCC - Tobias Engel - SS7: Locate. Track. Manipulate.
SIM Swapping
Conclusions
It is possible to perform these attacks without physical access to the device
(In theory…) POC||GTFO
SMS wasn’t designed with security in mind, nor to be used as a secure channel
Online services should encourage app-based temp codes and make SMS opt-in
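An added example, not code from the talk or from the Ransombile project, of how an online service can implement the two recommendations above together with the NIST guidance quoted earlier: RFC 6238 app-based codes as the primary factor, SMS as an opt-in fallback that is off by default, and a phone-number change that only succeeds with a fresh app-based proof, never an SMS code. `Account`, `RecoveryPolicy` and the sample phone numbers are hypothetical; the secret is the RFC 6238 Appendix B test value.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional

STEP = 30  # RFC 6238 time step in seconds


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps for clock drift; compare in constant time."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * STEP), code)
        for d in range(-window, window + 1)
    )


@dataclass
class Account:
    """Hypothetical account record: an app-based secret is mandatory, a phone number is not."""
    totp_secret: bytes
    phone: Optional[str] = None
    sms_opt_in: bool = False                 # SMS challenges are off unless the user enables them
    pending_sms_code: Optional[str] = None   # last code the service sent over SMS, if any


class RecoveryPolicy:
    """Hypothetical policy: which factors may complete a reset or a phone-number change."""

    def __init__(self, allow_sms_fallback: bool = False) -> None:
        self.allow_sms_fallback = allow_sms_fallback

    def reset_channels(self, acct: Account) -> List[str]:
        """App-based codes are always offered; SMS only if the service allows it,
        the user opted in, and a number is registered."""
        channels = ["totp"]
        if self.allow_sms_fallback and acct.sms_opt_in and acct.phone:
            channels.append("sms")
        return channels

    def complete_reset(self, acct: Account, channel: str, code: str, now: int) -> bool:
        """Reject any channel the policy did not offer, then check the code for that channel."""
        if channel not in self.reset_channels(acct):
            return False
        if channel == "totp":
            return verify_totp(acct.totp_secret, code, now)
        return bool(acct.pending_sms_code) and hmac.compare_digest(acct.pending_sms_code, code)

    def change_phone(self, acct: Account, new_phone: str, proof_kind: str, proof: str, now: int) -> bool:
        """Per the NIST guidance quoted in the talk: the registered number changes only with
        two-factor authentication at the time of the change, and SMS OOB is deprecated, so an
        SMS code is never accepted as that factor even when SMS is enabled for resets."""
        if proof_kind != "totp" or not verify_totp(acct.totp_secret, proof, now):
            return False
        acct.phone = new_phone
        acct.pending_sms_code = None         # invalidate any code sent to the old number
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret; at T=59 the 6-digit SHA1 code is 287082.
    acct = Account(totp_secret=b"12345678901234567890")
    policy = RecoveryPolicy()
    print(policy.reset_channels(acct))                                        # ['totp']
    print(policy.change_phone(acct, "+15550100", "sms", "123456", 59))        # False
    print(policy.change_phone(acct, "+15550100", "totp", totp(acct.totp_secret, 59), 59))  # True
```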
Recommendations for you
Don’t leave your mobile device unattended
Disable the assistant in the lock screen
Disable notifications preview in the lock screen
Use apps for 2FA
Don’t provide your phone number if it is not required; if it’s the only way to get 2FA, use a virtual number to prevent OSINT and SIM swapping attacks
Check the settings to disable security challenges over SMS
THANK YOU!
@martin_vigo
martinvigo.com
martinvigo@gmail.com
linkedin.com/in/martinvigo
github.com/martinvigo
youtube.com/martinvigo
Come see my DEF CON talk:
“Compromising online accounts by cracking voicemail systems”
Friday, 1PM in Track 1