Mobile threats
Artur Maj, Prevenity

Agenda
- Cellular phones
- Historic overview
- Mobile operating systems
- Security of smartphones
- Smartphones in banking
- Threats to banking
- Demonstration of bank account interception
- Our recommendations
Historic overview
Timeline: 1980, 1982, 1990, 2000, 2005, 2007 (the slide carries only the year markers)

Mobile operating systems (share of worldwide smartphone sales)
- Windows Mobile 6.80%
- Linux 3.70%
- Other 0.70%
- Android 9.60%
- Apple iOS 15.40%
- BlackBerry 19.40%
- Symbian 44.30%
Source: Gartner, Worldwide Smartphone Sales 1Q 2010
Security of smartphones
What PCs have:
- Privilege levels
- Access control lists (ACLs)
- Antivirus and antispam software and personal firewalls as a de facto standard
What smartphones have:
- Simplified privilege levels*
- Limited possibilities of access control*
- Security software rarely used

Security weaknesses of smartphones
- Technology weaknesses (GSM, Bluetooth etc.)
- Security vulnerabilities in the operating system
- Security vulnerabilities in mobile applications
Known security vulnerabilities in mobile operating systems (chart; source: OSVDB)
Smartphone infection methods
- Synchronization with a PC (ActiveSync, Nokia PC Suite etc.)
- Web browser
- E-mail messages
- SMS, MMS, WAP Push
- Third-party applications
- Memory cards
- Wireless networks (3G, EDGE/GPRS, UMTS, Wi-Fi, Bluetooth etc.)

Mobile malware
Future or reality?
Mobile malware (cont.)
Development of mobile malware (the two slides here carry charts only)
Mobile malware (cont.)
Examples:
- Trojan horses: SymbOS/AppDisabler, SymbOS/Cabir, SymbOS/Skulls
- Viruses and worms: SymbOS/Beselo, SymbOS/Commwarrior, SymbOS/Mabir, iPhoneOS/Ikee, WinCE.InfoJack
- Spyware: SymbOS/Flexispy, SymbOS/Mopofeli

Smartphones in banking
Smartphones in banking
Popular uses of mobile phones in electronic banking:
- Making money transfers
- User authentication
- Banking transaction authentication
- Alarms and notifications (SMS)
- Micropayments (SMS, USSD)
The above uses seem to be secure...

Smartphones in banking (cont.)
...but they only seem so.
Smartphones in banking (cont.)
- Infection of the mobile phone is a very serious threat to internet banking
- In conjunction with a PC infection there is a real risk of losing even all the money from the victim's bank account
Examples of attacks:
- Redirection of short text messages (SMS)
- Remote access to the phone's graphical interface

Smartphones in banking (cont.)
Redirection of text messages (diagram: unaware victim, telecommunication operator, intruder)
Smartphones in banking (cont.)
Remote access to the phone's graphical interface (diagram)

Sample attack scenario
Infection of PC and smartphone
Step 1: Infection of the PC by malware
- Zero-day exploit
- Infected PDF document
- Vulnerable web browser
- Vulnerability in Adobe Flash
- Trojan horse in downloaded software
Sample attack scenario (cont.)
Infection of PC and smartphone (cont.)
Step 2: Infection of the smartphone while copying pictures to the PC
- Automatic: several versions of the mobile malware for different mobile operating systems
- Manual: the intruder creates and remotely installs software for the specific mobile device

Sample attack scenario (cont.)
Infection of PC and smartphone (cont.)
Step 3: The malware sends the victim's credentials to the intruder
- URL of the internet banking application
- Data intercepted by the keylogger: user's login, user's password
- Data regarding the mobile phone: number and type of mobile phone
Sample attack scenario (cont.)
Infection of PC and smartphone (cont.)
Step 4: The attacker remotely enables the SMS redirection feature on the victim's phone
- From this moment all SMSes are redirected to the intruder's phone without the victim's awareness: one-time passwords, alarms and notifications

Sample attack scenario (cont.)
Infection of PC and smartphone (cont.)
Step 5: The intruder performs an unauthorized banking transaction
What does the intruder possess?
- URL of the internet banking application
- Login to the victim's account
- Password to the victim's account
- One-time passwords sent via SMS
Sample attack scenario (cont.)
- Will the transaction be carried out?
- Will anti-fraud systems detect the fraud?
- Can the bank avoid the fraud?

Sample attack scenario (cont.)
Multiple variants of the attack exist:
- Using the phone's API directly from the PC
- Remote GUI access via wireless network (à la Remote Desktop)
- Infection of the smartphone only
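Added illustration (not part of the presentation) of the question whether anti-fraud systems can detect the fraud: once the intruder holds the login, the password and the redirected SMS one-time passwords, authentication signals are useless and the bank can only score the transaction context itself. The account profile, rule weights, thresholds and sample transfers are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Transfer:
    account: str
    beneficiary: str
    amount: float
    balance: float
    device_fp: str   # fingerprint of the browser/device running the banking session
    client_ip: str


# Constructed profile of what the bank has seen before on the victim's account
# (account id, beneficiaries, fingerprints and IPs are all made-up values).
PROFILES = {
    "acct-victim": {
        "beneficiaries": {"PL-LANDLORD", "PL-UTILITY"},
        "devices": {"fp-home-pc"},
        "ips": {"10.0.0.5"},
    },
}
EMPTY_PROFILE = {"beneficiaries": set(), "devices": set(), "ips": set()}

# Each rule: (reason, weight, predicate over the transfer and the profile).
# Weights are illustrative assumptions, not a bank's real model.
RULES = (
    ("never-seen beneficiary", 40, lambda t, p: t.beneficiary not in p["beneficiaries"]),
    ("unknown device fingerprint", 25, lambda t, p: t.device_fp not in p["devices"]),
    ("unknown client IP", 10, lambda t, p: t.client_ip not in p["ips"]),
    ("amount drains the account", 30, lambda t, p: t.amount >= 0.9 * t.balance),
)


def risk_score(t: Transfer, profiles=PROFILES):
    """Return (score, reasons) for a transfer whose login and OTP already passed."""
    p = profiles.get(t.account, EMPTY_PROFILE)
    hits = [(reason, w) for reason, w, pred in RULES if pred(t, p)]
    return sum(w for _, w in hits), [reason for reason, _ in hits]


def decide(score: int) -> str:
    """'hold' means: confirm over a channel other than SMS (e.g. a call-back),
    because SMS is exactly the channel the intruder redirected in this scenario."""
    if score >= 70:
        return "hold"
    if score >= 30:
        return "step-up"
    return "allow"
```

With these weights the cash-out from the intruder's own machine scores on all four rules, and the variant where the intruder drives the victim's already-infected PC (known device, known IP) still reaches the hold threshold on beneficiary and amount alone.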
Sample attack scenario (cont.)
Multiple targets of the attack:
- Transaction confirmations
- Applications downloaded and installed in the phone's memory
- Applications on the SIM card
- Software authentication tokens
- USSD micropayments
- SMS micropayments
- Alarms and notifications

Sample attack scenario (cont.)
Security mechanisms that can be circumvented:
- One-time passwords (scratch cards)
- Hardware authentication tokens
- Software authentication tokens
- Virtual keyboards
- CAPTCHA mechanisms
- PKI tokens
Demonstration
Interception of a bank account, based on the example of an MS Windows Mobile infection
Attack: easy or complicated?
Summary
- Smartphone = computer
- The impact of a successful attack on a smartphone can be more dangerous than in the case of a PC
- Good and bad news (from the security point of view)

Summary (cont.)
Good news:
- Older phones are not vulnerable to these kinds of attacks
- The majority of users use smartphones only for voice and text messaging
- Only some users synchronize their phones with a PC
- The diversity of mobile operating systems and versions complicates performing a successful attack
- Operating systems possess different capabilities that can be leveraged by malware
Summary (cont.)
Bad news:
- Smartphone market share grows every quarter
- Growing popularity may lead to an increase in the number of vulnerabilities and infection methods found
- Whether or not the user utilizes the advanced features of the smartphone may not matter (e.g. the intruder can leverage vulnerabilities in MMS handling)
- Using security software on mobile phones is still not popular

Our recommendations
- Consider leveraging alternative methods of electronic transaction authentication
- Treat smartphones as untrusted devices (as in the case of PCs)
- Include threats related to mobile devices in the risk assessment process
- Build user awareness to apply security best practices also in the case of cellular phones
Contact
artur.maj@prevenity.com