Smartphone Security: A Holistic View of Layered Defenses
David M. Wheeler, CISSP, CSSLP, GSLC
(C) 2012 SecureComm, Inc. All Rights Reserved

The Smartphone Market
• The smartphone security market is expected to grow at a rate of 44 percent annually, to be worth US $3 billion by 2015 (from: Canalys analyst report)
• Many vendors are jumping into the race to provide security solutions
• Solutions can be categorized by whether or not they require OEM/manufacturer support
Source: Juniper Networks

Current Stats & Trends
• National Vulnerability Database, reported Android vulnerabilities: 2011: 83 total; 2012: 60 as of April (217% increase)
• 8 of the top 50 malware families reported by F-Secure are for Android
• Smartphone use is increasing: 48% of Americans use smartphones today, and Android growth is out-pacing all other phones

Smartphone Security Solutions
Hardware/OEM solutions:
• Trust Anchor & Trusted Boot
• SoC & HW Encryption
• Encrypted File System
• Hypervisor
• Secure OS
Software/3rd-party solutions:
• Remote Wipe
• App-Level Security
• Anti-Virus
• App Disablement
[Figure: full-disk-encryption stack. Boot Environment / Pre-Boot Authentication; Operating System / Full Disk Encryption; Driver / Encryption-Decryption; Storage]
How effective are these protections against modern malware that is active today?

The Malware Problem
(SecureComm, Inc. Proprietary)

Sampling of Android Malware
• Angry Birds malware (April 2012): Android GingerBreak exploit
  – http://nakedsecurity.sophos.com/2012/04/12/android-malware-angry-birds-space-game/
  – Legitimate software obtained from a questionable source
  – Includes a Trojan (Andr/KongFu-L) that gains root and loads malware
  – GingerBreak: http://c-skills.blogspot.com/2011/04/yummy-yummy-gingerbreak.html
• HippoSMS (July 2011): misuse of permissions granted by the user
  – http://www.csc.ncsu.edu/faculty/jiang/HippoSMS/
  – Sends SMS messages to premium-rate services (all Java; no root exploit needed)
• SimChecker.A: Trojan collects geolocation and other confidential information from the device and sends the stolen information out via e-mail and SMS
  – http://www.f-secure.com/v-descs/monitoring-tool_android_simchecker_a.shtml
• GinMaster.A (April 2011): steals confidential information & sends it to a website
  – http://www.f-secure.com/v-descs/trojan_android_ginmaster_a.shtml
• DroidKungFu.C: roots the phone & collects sensitive information
  – Uses various exploits, including RageAgainstTheCage
  – Exploits are stored in the malware package, encrypted with a key
  – http://www.f-secure.com/v-descs/trojan_android_droidkungfu_c.shtml
8 of the top 50 malware families of ANY platform reported by F-Secure (including Windows & Mac OS) are for Android. The National Vulnerability Database holds 83 Android vulnerabilities for 2011; as of 4/15/2012, 60 vulnerabilities are already reported for 2012.
DroidKungFu
Source: AndroidAuthority.com
• DroidKungFu discovered in 2011
• Multi-function malware
  – Performs malicious commands (operates as a bot)
  – Downloads new software & files
  – Installs and deletes software (Apps)
  – Starts programs/Apps
  – Visits web sites
• Complex construction
  – Uses both Java & native C code
• Bypasses anti-virus & makes reverse engineering harder
  – Includes two exploits to root the phone
  – Uses AES encryption to hide functions/features
  – Provides instructions on how to root your phone
  – http://blog.fortinet.com/clarifying-android-droidkungfu-variants/
• Collects user information
  – Uploads the IMEI to a remote server
  – Reports phone model and OS version
  – Once rooted, can access any file of any App on the phone

Protection from DroidKungFu
• Anti-virus/malware scanners not effective
  – Malware code is encrypted
  – Different versions used different keys (polymorphic), so a signature for one version does not match the next
• Encrypted file system affords no protection
  – Malware accesses files through the OS just like legitimate Apps
  – Once the user unlocks the phone for use (for any App), the file system is unlocked for the malware as well
• Hypervisors not fully effective
  – Does not prevent rooting the guest OS
  – Root inside the guest is the starting point for breaking out of the VM
  – Does not protect other Apps in the same VM
• SELinux / Secure OS possibly effective
  – Must have NO privilege-escalation vulnerabilities: root access opens up the entire OS
• Trusted boot
  – Detects rootkit modifications on reboot
  – Would not prevent the initial exfiltration
Protection requires…
• App-level file encryption to prevent unauthorized data access
• Host firewall on the smartphone to prevent data exfiltration & bot communications
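The DroidKungFu traits listed above (native code inside the package, root exploits dropped as "assets", AES-encrypted payloads that a per-version signature cannot match) are exactly the things a static triage tool can still flag without a signature. The Python script below is an added example written for this page; it is not code from the deck or from any anti-virus product. The APK it scans is constructed in memory with made-up file names (libgame.so, ratc.png, gbk.dat), not a real sample, and the encrypted payload is simulated with a SHA-256 chain so the run is deterministic.

```python
"""Static triage of an APK for traits seen in DroidKungFu-style malware.

Added example (not from the original deck): flags native code and
encrypted/packed blobs that a signature scanner cannot match. The sample
APK is constructed in memory; no real malware is involved.
"""
import hashlib
import io
import math
import zipfile
from collections import Counter

ELF_MAGIC = b"\x7fELF"
ENTROPY_THRESHOLD = 7.5   # bits/byte; plain code and resources sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk(apk_bytes: bytes, min_blob_size: int = 1024) -> dict:
    """Return suspicious entries grouped by the reason they were flagged.

    native_libs     : ELF files under lib/ (legitimate JNI, but a wider attack surface)
    hidden_elf      : ELF files stored outside lib/ (exploit binaries disguised as assets)
    encrypted_blobs : non-ELF entries >= min_blob_size whose entropy looks like ciphertext
    """
    findings = {"native_libs": [], "hidden_elf": [], "encrypted_blobs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if data.startswith(ELF_MAGIC):
                key = "native_libs" if info.filename.startswith("lib/") else "hidden_elf"
                findings[key].append(info.filename)
            elif len(data) >= min_blob_size and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                findings["encrypted_blobs"].append(info.filename)
    return findings


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for an AES-encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_apk() -> bytes:
    """Constructed sample: a JNI library, a renamed ELF under assets/, and an encrypted blob.
    File names are illustrative and not taken from any real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.game'/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 2048)
        zf.writestr("lib/armeabi/libgame.so", ELF_MAGIC + b"\x01\x01\x01" + b"\0" * 512)
        zf.writestr("assets/ratc.png", ELF_MAGIC + b"\x01\x01\x01" + b"\0" * 512)
        zf.writestr("assets/gbk.dat", _pseudo_random(4096, b"exploit"))
        zf.writestr("res/values/strings.xml",
                    b"<resources><string name='app'>Game</string></resources>")
    return buf.getvalue()


if __name__ == "__main__":
    for reason, names in scan_apk(build_sample_apk()).items():
        print(f"{reason:16s} {names}")
```

The entropy test is a heuristic, not a verdict: compressed images and legitimate encrypted assets also score high, so a practitioner treats an ELF outside lib/ plus a high-entropy blob in the same package as a reason to look closer, not as a detection on its own.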
Applying Hardware & OS Enhancements
• Control rests with untrusted parties
  – Handset OEMs and carriers control HW, OS, & SW
  – Government has no control over the manufacturing and OEM process
  – Most manufacturing is done in ITAR class D countries
  – Some attributed to the "Advanced Persistent Threat" (Office of the National Counterintelligence Executive)
  – Hardware Trojans through the supply chain: known and unknown Trojans
• OS changes require OEM cooperation
  – Dictated by market demand
  – If you take control without the OEM, you have a rooted phone and its issues:
    • Rooting creates a backdoor into the OS
    • Other (untrusted) SW can utilize this backdoor
  – Software Trojans through the supply chain

Trust Anchors & Trusted Boot
• Looking at Intel's Wireless Trust Module patents
  – Boots the phone into a trusted state
    • Based upon a hardware key in OTP flash or fuses
    • Flexible provisioning process
  – Ensures the boot loader and base OS are valid and authorized
    • Cannot be modified except by the holder of the private key
  – Protects against rooting a phone to replace the base OS, or the hypervisor if present
  – Vulnerabilities:
    • Does not prevent run-time privilege-escalation attacks, or rooting the phone to add services or malware on top of the authorized OS
    • Hardware Trojans added in the manufacturer or OEM supply chain

SoC & HW Encryption
• Integrated System-on-a-Chip
  – Part of all smartphone hardware today
  – Densely packed, multi-layer boards
  – Often includes encryption modules embedded in the chip
  – Android device drivers are not available for the encryption engines and other advanced security features, so the OS and Apps cannot use them
• Vulnerabilities
  – Dense packaging makes hardware attacks on buses difficult (impossible for most attackers)
  – Physical attacks have a high probability of damaging the chips (even for national labs; discussed further below)
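To make the trusted-boot bullets concrete, here is an added example of the chain they describe: an immutable hardware anchor, a boot loader whose signature is checked against that anchor, and a base OS image checked in turn. This is illustrative code written for this page, not the deck's material and not an implementation of Intel's patents. It assumes the fused value is the SHA-256 of the vendor's public key (a common design, but an assumption here), and it uses textbook RSA over SHA-256 with no padding purely to keep the example dependency-free; a real verifier uses RSA-PSS or ECDSA in a boot ROM or secure element.

```python
"""Verified boot chain anchored in a hardware-fused hash.

Added example, not from the deck or from Intel's patents: a model of the
slide's idea (immutable hardware anchor -> signed boot loader -> signed
OS image). The anchor is the SHA-256 of the vendor's public key, burned
into fuses so rewritable flash cannot change it. Signatures are textbook
RSA over SHA-256 with no padding: fine for showing the chain, never for
production.
"""
import hashlib
from dataclasses import dataclass

E = 65537


def toy_keypair(p: int, q: int) -> tuple:
    """(n, d) for textbook RSA from two primes; needs Python >= 3.8 for pow(e, -1, m)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Vendor key built from two Mersenne primes, fixed so the example is deterministic.
VENDOR_N, _VENDOR_D = toy_keypair((1 << 521) - 1, (1 << 127) - 1)


def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, n: int, d: int) -> int:
    return pow(_digest_int(data), d, n)          # demo only: unpadded RSA


def verify(data: bytes, sig: int, n: int) -> bool:
    return pow(sig, E, n) == _digest_int(data)


def key_fingerprint(n: int) -> bytes:
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


# "Fuses": written once at manufacture. The boot ROM compares the key found in an
# image header against this value, never against anything stored in flash.
FUSED_ROOT_HASH = key_fingerprint(VENDOR_N)


@dataclass(frozen=True)
class Image:
    name: str
    body: bytes
    pubkey_n: int      # public key carried in the image header
    signature: int     # signature over body, supposedly by the matching private key


def boot(chain: list, fused_root_hash: bytes) -> list:
    """ROM-style walk: each stage is verified before control passes to it.
    Returns the names of the stages that verified; stops at the first failure."""
    trusted = []
    for img in chain:
        if key_fingerprint(img.pubkey_n) != fused_root_hash:
            break                 # header key is not the fused vendor key (re-signed image)
        if not verify(img.body, img.signature, img.pubkey_n):
            break                 # body changed after signing (patched image)
        trusted.append(img.name)
    return trusted


def vendor_image(name: str, body: bytes) -> Image:
    return Image(name, body, VENDOR_N, sign(body, VENDOR_N, _VENDOR_D))


def sample_chain() -> list:
    """Constructed, authorized chain: boot loader then base OS image."""
    return [vendor_image("bootloader", b"bootloader v1"),
            vendor_image("base-os", b"kernel + hypervisor + system image")]


def patched_chain() -> list:
    """Attacker patches the boot loader body (adds a su backdoor) but keeps the vendor signature."""
    good = sample_chain()
    bl = good[0]
    return [Image(bl.name, bl.body + b" + su backdoor", bl.pubkey_n, bl.signature), good[1]]


def resigned_chain() -> list:
    """Attacker replaces the key as well, signing the patched loader with their own key."""
    att_n, att_d = toy_keypair((1 << 607) - 1, (1 << 89) - 1)
    body = b"bootloader v1 + su backdoor"
    return [Image("bootloader", body, att_n, sign(body, att_n, att_d)), sample_chain()[1]]


if __name__ == "__main__":
    for label, chain in [("authorized", sample_chain()), ("patched", patched_chain()),
                         ("re-signed", resigned_chain())]:
        print(f"{label:11s} trusted stages: {boot(chain, FUSED_ROOT_HASH)}")
```

The two failing chains map onto the slide's claims: a patched image fails the signature check, and a re-signed image fails the fingerprint check because the attacker cannot change the fused value. What the walk cannot see is the slide's stated gap: once the authorized image is running, a privilege-escalation exploit against it leaves every check above intact.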
Smartphone Architecture: Physical
[Figure: iPhone 4 hardware teardown, http://www.ifixit.com/Teardown/iPhone-4-Verizon-Teardown/4693/1. Labelled parts: processor with PoP DDR SDRAM (PoP = package on package); power management (x2); touch-screen controller; power amplifiers (x2); baseband/RF transceiver; 16 GB NAND flash; DRAM & flash MCP; WiFi & Bluetooth & GPS]

Encrypted File System
• Encrypts all data stored to a file system
• Protection occurs at the device-driver layer
• Prevents access to the phone/files/Apps if the phone is lost or accessed by an unauthorized user
• Very slow performance on flash architecture
  – Much faster on a PC (for disk drives)
  – Due to the characteristics of flash memory block size
• Vulnerabilities
  – Only as secure as the encryption key storage: is a HW trust anchor present?
  – Susceptible to rootkits
  – OEM partnership required (to integrate into the OS; otherwise the phone must be rooted)
  – Does not protect App data from a malicious App (if the malware escapes the sandbox): once the volume is unlocked the driver decrypts for every caller
[Figure: full-disk-encryption stack. Boot Environment / Pre-Boot Authentication; Operating System / Full Disk Encryption; Driver / Encryption-Decryption; Storage]

Hypervisors
• Hosts one or more guest OSs, presenting a virtual operating platform
• Sits directly above the hardware, below the guest OS and its HW drivers
• Built for a specific HW platform
• Restricts a guest OS from direct access to HW (in most cases), but introduces performance penalties
• Vulnerabilities
  – Does not prevent rootkits (which are now VM-aware)
  – Requires OEM or manufacturer partnership
  – Highly susceptible to rooting of the phone
  – Are all the drivers and physical resources (SIM card, SD card, network) equally accessible to all guest OSs? If so, there could be cross-infection between guests
  – Google labs is currently researching vulnerabilities
• Dominant players: VMware; Green Hills; Wind River

Secure OS
• SELinux & SE Android come from the same architect
• Must be provided by the OEM
• SELinux requires a MAC policy (a static view of Apps and drivers)
  – Does not offer flexible use of the smartphone App open-marketplace concept
  – Adding a new App requires changes to the OS policy
    • Not likely to allow the user to do this; return to depot?
• Vulnerabilities
  – Android OS vulnerabilities are growing; requires frequent patch updates (how will this impact certifications?)
    • Will an appropriate amount of resources be applied to keep SE Android updated?
  – Susceptible to rootkits (if a kernel vulnerability is found, since the MAC policy is enforced by the kernel it protects)
  – Compare the PC security patching history

Rooting the Smartphone
• All security solutions, except third-party add-ons, root the phone unless working with the OEM or manufacturer
• Some attacks now check to see if the phone is already rooted (DroidKungFu)
• New versions of Android are fixing known rooting vulnerabilities
  – Did we get them all? History says there are always more

Anti-virus SW
• Scans incoming SW & performs signature-based detection of known viruses
• Can be installed by the user or the enterprise without difficulty
• Cannot scan SW brought in by non-standard mechanisms
  – Malware directly downloading a file from a remote host
• Vulnerabilities
  – A third-party scanner is an ordinary App in its own sandbox: without OEM or root support it cannot hook or trace other Apps' system calls, files or network traffic, so it cannot monitor run-time activity for abnormal behavior
  – This significantly reduces efficacy, limiting its function to static signature scans only (no dynamic analysis of behavior)

App Disablement
• Go Mobile: stops certain Apps and services when a sensitive App is activated, or when a protected network is attached
  – Not effective if the OS is compromised, since a rootkit will "lie" to it. Example: "wireless is disabled" when it really isn't
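The anti-virus limitation above and the "host firewall to prevent exfiltration & bot communications" requirement from the DroidKungFu protection slide are two sides of the same point: behavioural monitoring needs a vantage point the App sandbox does not give. The Python below is an added example (not from the deck or any product) of the minimal version of that monitor: read /proc/net/tcp, attribute each socket to an App through its UID, and compare against a per-App egress policy. It assumes a little-endian (ARM/x86) device for the address byte order, a packages.list in the format Android writes under /data/system, and root to read that file and to enforce anything; the package names, addresses and log lines are constructed for the example.

```python
"""Per-app egress monitor built on /proc/net/tcp.

Added example, not part of the deck: the run-time check a host firewall
(or an AV agent with root/OEM support) can do and an unprivileged scanner
cannot. Attributing sockets to Apps via packages.list and blocking them
needs root. All input below is constructed; package names and addresses
are made up.
"""
import ipaddress
import socket
import struct

AID_APP = 10000               # first UID Android assigns to third-party Apps
ACTIVE_STATES = {"01", "02"}  # TCP_ESTABLISHED, TCP_SYN_SENT


def parse_hex_endpoint(field: str) -> tuple:
    """'0100007F:0277' -> ('127.0.0.1', 631).
    The kernel prints the IPv4 address as a native-order 32-bit word, so on a
    little-endian device the bytes appear reversed; the port is plain big-endian hex."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    """One dict per socket: local/remote endpoint, TCP state and owning UID."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({"local": parse_hex_endpoint(f[1]),
                      "remote": parse_hex_endpoint(f[2]),
                      "state": f[3],
                      "uid": int(f[7])})
    return conns


def parse_packages_list(text: str) -> dict:
    """/data/system/packages.list: '<package> <uid> <debuggable> <datadir> <seinfo>' -> {uid: package}."""
    mapping = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 2:
            mapping[int(f[1])] = f[0]
    return mapping


def flag_egress(conns: list, uid_to_pkg: dict, policy: dict) -> list:
    """policy = {package: [(ip_network, port_or_None), ...]}.
    Returns (package, remote_ip, remote_port) for every active App connection that
    no rule permits. An App with no policy entry gets no egress at all."""
    flagged = []
    for c in conns:
        if c["state"] not in ACTIVE_STATES or c["uid"] < AID_APP:
            continue                              # idle sockets and system UIDs are out of scope here
        pkg = uid_to_pkg.get(c["uid"], f"uid:{c['uid']}")
        ip, port = c["remote"]
        allowed = any(ipaddress.ip_address(ip) in net and port_rule in (None, port)
                      for net, port_rule in policy.get(pkg, []))
        if not allowed:
            flagged.append((pkg, ip, port))
    return flagged


# Constructed sample: a root-owned listener, a mail App talking HTTPS to the enterprise
# server, a game talking to an outside host, and the mail App opening SMTP directly
# (bot-style behaviour its policy does not allow).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0201A8C0:A3B2 0B02010A:01BB 01 00000000:00000000 00:00000000 00000000 10045        0 1002 1 0000000000000000 20 4 30 10 -1
   2: 0201A8C0:A3B4 117100CB:1F90 01 00000000:00000000 00:00000000 00000000 10067        0 1003 1 0000000000000000 20 4 30 10 -1
   3: 0201A8C0:A3B5 0B02010A:0019 02 00000000:00000000 00:00000000 00000000 10045        0 1004 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_PACKAGES_LIST = """\
com.example.securemail 10045 0 /data/data/com.example.securemail default
com.example.game 10067 0 /data/data/com.example.game default
"""
SAMPLE_POLICY = {
    "com.example.securemail": [(ipaddress.ip_network("10.1.2.0/24"), 443)],
}

if __name__ == "__main__":
    conns = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for pkg, ip, port in flag_egress(conns, parse_packages_list(SAMPLE_PACKAGES_LIST), SAMPLE_POLICY):
        print(f"DENY {pkg} -> {ip}:{port}")
```

Polling /proc/net/tcp only observes; turning the verdicts into enforcement on a 2012-era device means iptables owner-match rules (`-m owner --uid-owner`) installed by a root-capable component, which is exactly the OEM or rooting dependency the deck keeps returning to. The same caveat from the App Disablement slide applies: a kernel rootkit can hide sockets from /proc, so this monitor is only trustworthy on an OS whose integrity is established by something beneath it.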
Remote Memory Wipe
• System or add-on SW that removes data on flash after receiving a remote command
• Android OS feature
• Vulnerabilities
  – Cannot work unless the phone is connected; does not reach removable media that is not attached
  – May not wipe all forensic data from flash (wear levelling leaves stale copies of blocks)

App Security
• Wrap around each App, or wrap around a group of Apps
• Either way, the App needs to be modified slightly to call the security services
• Usually supports commonly used security services (integrity, confidentiality, passwords for authentication)
• Tends to be unnoticeable to the user
  – Little to no performance impact
• Vulnerabilities:
  – Crypto key protection is minimal to non-existent (FIPS 140-2 level 1: software only, so keys live in App memory and storage)
  – Susceptible to malware interference and rootkit driver replacement

Backup

Threats
• Additional threats
  – Bluetooth & WiFi drivers
  – App services
    • Intents and broadcasts to phone services can be intercepted, replaced, or misused
  – Java, the Zygote process, memory access

Hardware Attacks
• What about bus attacks & hardware attacks?
  – Must be a physical attack (possession of the phone)
• National lab? Anything goes, though there is danger of damage to the HW. Defending requires Type 1 HW protections
• Well-funded attacker? De-lidding, chip replacement, advanced forensics (special labs will de-lid a chip for a small fee). Defending requires HW chips
• Hacker org? Software-based attacks: rooting the phone, memory dumps, privilege escalation, rootkits, data exfiltration, malware insertion

App Design Techniques Can Also Lead To Vulnerabilities
• Android Apps are written in Java
• Apps are managed: the framework enforces permissions on Apps
• However, Android allows the Java Native Interface (JNI)
  – Allows an App to call out to native C code
• Problem:
  – Framework permission checks guard the Java APIs; native C code runs directly on Linux under the App's UID. The kernel UID/GID sandbox still applies to it, but nothing in the framework mediates what it does, so native code is a door out of the managed sandbox: find a vulnerability in Linux and an attacker can use special C code to attack through this door
  – In this context, if any security functions are in C code, the smartphone and the network could be exposed

Security: Multi-Layered Security
• Security is all about asking the right questions
  – What do you want secured?
    • Data only? App usage? App code?
  – From whom do you want it secured?
    • Remote attackers? Other users? Other Apps? Thieves? Lost phone?
  – When do you want it secured?
    • During system operation? At boot? System turned off?
  – What does "secured" mean?
    • Confidentiality? Integrity? Availability?

"To realize a cost effective, COTS-based security solution, a layered security approach is required to achieve assured information sharing." Mobility Capability Package v1.1, 2012, NSA

Android Architecture
[Figure only]

Smartphone Architecture: Logical
[Figure: block diagram with the labels Location Mgr, BlueZ, 802.11 Networking, WiFi/BT/GPS, Screen Mgr, Screen, FFS, Telephony Mgr, WLFS, Modem IF, Flash File System, Networking, CDMA/GSM, CDC-Eth, Mass Storage, CPU/Memory/Graphics/USB]