Security Research At The Hague: The Mobile Malware Threat

The Growth of Mobile Malware

The other interesting demos during our tour of The Hague Security Delta focused on specific malware concepts and device security. According to Gerben Broenink and Richard Kerkdijk of the Dutch research organization TNO, the growth of mobile malware has continued to fly largely under the radar, even as ever more threatening attack vectors and security flaws have appeared.

One of the largest single threat vectors, it turns out, is the spread of third-party app stores. For all its flaws, Apple's own App Store has review guidelines that have largely kept such problems to a minimum. Google Play suffers a relatively small number of problems, and according to the TNO researchers, Windows Phone actually has fewer intrinsic flaws than either of the other two platforms. Yes, that means Windows Phone may actually be the most secure mobile platform you can buy today.

What the team from TNO showed us, however, was that it's trivially easy to inject a malicious payload into an existing Android package (APK) -- in this case, Angry Birds -- and redistribute it. The repackaged APK has to be re-signed with the attacker's own key, so Android won't accept it as an update to the genuine app; it has to reach the device as a fresh install, which is exactly what a third-party app store provides.

Android Infection

Even when downloaded from a third-party app store, this "bonus" version of Angry Birds runs and plays exactly like the original. We were able to run through several rounds, and the game is indistinguishable from the real thing. The fun (or "fun") started several minutes later, when the TNO researchers revealed that while we'd been playing with the device, it had quietly been exfiltrating the phone's contact list, taking photos with the camera, and even making video and audio recordings.
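The two things a repackaged build like the one above cannot hide are its signing certificate (an attacker has to re-sign it) and the extra permissions the spyware needs. The following triage script is an added example, not code from the article or from TNO: it reads the text output of two Android SDK tools (`aapt dump permissions` and `apksigner verify --print-certs`) rather than parsing the binary manifest itself. The tool output, package name, baseline permission set and expected signer digest below are all constructed placeholders, not the real game's values.

```python
"""Triage an APK that may have been repackaged with spyware.

Added example (not from the article or TNO). Inputs are the text output of:
    aapt dump permissions app.apk
    apksigner verify --print-certs app.apk
All sample data below is constructed; the package name, baseline permission
set and expected signer digest are placeholders, not the real game's values.
"""
import re

# Permissions that enable what the demo build did (contacts, camera, microphone),
# plus the usual location and SMS suspects.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Assumed baseline for a network-connected arcade game (placeholder).
BASELINE_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
}

# Placeholder SHA-256 digest of the legitimate publisher's signing certificate.
EXPECTED_SIGNER_SHA256 = "aa" * 32

# Matches both "uses-permission: android.permission.X" (older aapt) and
# "uses-permission: name='android.permission.X'" (newer aapt).
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([A-Za-z0-9_.]+)", re.M)
SIGNER_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})", re.M)


def parse_permissions(aapt_output):
    """Return the set of permissions the APK requests."""
    return set(PERM_RE.findall(aapt_output))


def parse_signer_digests(apksigner_output):
    """Return the SHA-256 digests of the certificates that signed the APK."""
    return {d.lower() for d in SIGNER_RE.findall(apksigner_output)}


def triage(aapt_output, apksigner_output,
           baseline=BASELINE_PERMISSIONS, expected_signer=EXPECTED_SIGNER_SHA256):
    """Flag a signer that is not the publisher and dangerous permissions the
    original never asked for; a repackaged APK cannot avoid either."""
    perms = parse_permissions(aapt_output)
    signers = parse_signer_digests(apksigner_output)
    unexpected = perms - baseline
    unexpected_dangerous = unexpected & DANGEROUS
    signer_mismatch = expected_signer.lower() not in signers
    if signer_mismatch and unexpected_dangerous:
        verdict = "likely repackaged with spyware"
    elif signer_mismatch or unexpected_dangerous:
        verdict = "suspicious, inspect manually"
    else:
        verdict = "consistent with the genuine build"
    return {
        "signer_mismatch": signer_mismatch,
        "unexpected_permissions": sorted(unexpected),
        "unexpected_dangerous": sorted(unexpected_dangerous),
        "verdict": verdict,
    }


# Constructed tool output for a "bonus" build (not captured from a real APK).
SAMPLE_AAPT = (
    "package: com.example.birds\n"
    "uses-permission: name='android.permission.INTERNET'\n"
    "uses-permission: name='android.permission.ACCESS_NETWORK_STATE'\n"
    "uses-permission: name='android.permission.READ_CONTACTS'\n"
    "uses-permission: name='android.permission.CAMERA'\n"
    "uses-permission: name='android.permission.RECORD_AUDIO'\n"
)
SAMPLE_APKSIGNER = (
    "Verifies\n"
    "Verified using v1 scheme (JAR signing): true\n"
    "Signer #1 certificate DN: CN=Unknown\n"
    "Signer #1 certificate SHA-256 digest: " + "bb" * 32 + "\n"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_AAPT, SAMPLE_APKSIGNER).items():
        print(f"{key}: {value}")
```

The signer check is the stronger of the two signals: permissions can be argued about, but a game published by one vendor and signed by another has by definition been rebuilt by someone else.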

These kinds of attacks are only becoming more frequent, and the attackers themselves are rapidly becoming more sophisticated, as evidenced by the recent OS X malware that piggybacks on the USB connection: it sits on infected OS X systems and waits for an iDevice to be plugged in so it can infect that too. Moreover, because antivirus apps on a phone or tablet run inside the same sandbox as every other app, they can't inspect other apps' files or processes, so there is exceedingly little they can do about an infection once it is installed.

The final demo of the day: a small, unassuming black box that's functionally capable of acting like a Stingray.

For those of you who aren't aware, Stingray is the best-known brand of cell-site simulator (also called an IMSI catcher), and the devices have come under increased scrutiny in the United States. A Stingray impersonates a legitimate cell tower and forces nearby phones to connect to it. Once a connection is made, the Stingray relays the phone's traffic to and from the real network -- except that it also keeps a comprehensive log of the device's identity, where it is located, and what the end user is doing on it.

Stingray Work

A small Stingray like this one isn't capable of the comprehensive, wide-scale interception of the units the police use, but it was more than enough to prove the concept. Unfortunately, the actual process is anticlimactic, precisely because it looks just like a normal network. A cell phone attaches and authenticates to it, just as it would to any other Wi-Fi or cellular antenna. That is the whole trick: in GSM the handset proves its identity to the network, but the network never has to prove anything to the handset, so the phone has no way to tell a fake base station from a real one.

It's what happens afterwards that's chilling. The display behind the box cheerfully lit up with a comprehensive list of every website, every ping, every scrap of data that was flowing out of my iPhone as I accessed various websites. While it can't read the contents of encrypted connections (passwords sent over HTTPS, for instance), it can still track which networks, which servers, and which data a user accesses: the unencrypted DNS lookups and the server name in each TLS handshake are visible to anyone sitting in the middle.
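The metadata leak described above, as an added example that is not part of the article and not TNO's code: it builds a constructed DNS query and a constructed TLS 1.2 ClientHello for a placeholder hostname (the article names no site), then extracts what a device in the middle learns without decrypting anything, namely the name being looked up and the Server Name Indication in the handshake. The packet bytes are built here only so the parsers have something to run on offline.

```python
"""What a rogue base station sees from an HTTPS session it cannot decrypt.

Added example, not from the article or TNO. Builds a constructed DNS query
and a constructed TLS 1.2 ClientHello for a placeholder hostname, then parses
out the two names a passive interceptor learns before encryption starts.
"""
import struct


def build_dns_query(hostname, txid=0x1234):
    """Constructed DNS A query for hostname (UDP payload only)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def extract_dns_qname(payload):
    """Return the queried name from a DNS message, or None if malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        ln = payload[pos]
        pos += 1
        if ln == 0:
            return ".".join(labels)
        if ln & 0xC0:          # compression pointers never appear in the question name
            return None
        labels.append(payload[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    return None


def build_client_hello(hostname):
    """Constructed TLS record carrying a minimal ClientHello with an SNI extension."""
    name = hostname.encode()
    server_name_list = struct.pack("!BH", 0, len(name)) + name        # type host_name
    sni_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body  # ext type 0 = SNI
    body = (
        b"\x03\x03" + b"\x00" * 32          # client_version TLS 1.2, zeroed random
        + b"\x00"                            # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
        + b"\x01\x00"                        # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a TLS ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                   # header, version, random
    if p >= len(hs):
        return None
    p += 1 + hs[p]                                   # session_id
    if p + 2 > len(hs):
        return None
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
    if p + 1 > len(hs):
        return None
    p += 1 + hs[p]                                   # compression_methods
    if p + 2 > len(hs):
        return None                                  # no extensions block
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end and p + 4 <= len(hs):
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0x0000 and elen >= 5:
            # list length (2), name type (1), name length (2), name
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None


def observed_metadata(dns_payload, tls_record):
    """The names an interceptor collects without breaking any encryption."""
    return {"dns_query": extract_dns_qname(dns_payload), "tls_sni": extract_sni(tls_record)}


if __name__ == "__main__":
    host = "mail.example.com"   # placeholder hostname; the article names no site
    print(observed_metadata(build_dns_query(host), build_client_hello(host)))
```

Everything the parsers return travels in the clear on a classic TLS 1.2 setup with plain UDP DNS, which is why a log of "which servers" is cheap to build even when the passwords inside the sessions are not readable. Encrypted DNS and Encrypted Client Hello close exactly these two gaps, and a network that still lacks them leaks this much to any box in the path.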

The exact capabilities of Stingrays remain unknown, precisely because law enforcement officials have chosen to withdraw evidence from testimony rather than be forced to disclose what the devices can do and how they do it. Nonetheless, we know they're capable of broad interception of data from both suspects and non-suspects, and that the police have fought tooth and nail against being held accountable for how this information is collected, or even against reporting the fact that it is collected.
