nearby threats reversing analyzing and attacking google s
play

Nearby Threats: Reversing, Analyzing, and Attacking Googles Nearby - PowerPoint PPT Presentation

Apr 26, 2023 •378 likes •671 views

NDSS 2019 @ San Diego, US Nearby Threats: Reversing, Analyzing, and Attacking Googles Nearby Connections on Android Daniele Antonioli 1 , Nils Ole Tippenhauer 2 , Kasper Rasmussen 3 1 Singapore University of Technology and Design (SUTD) 2

  1. NDSS 2019 @ San Diego, US Nearby Threats: Reversing, Analyzing, and Attacking Google’s ‘Nearby Connections’ on Android Daniele Antonioli 1 , Nils Ole Tippenhauer 2 , Kasper Rasmussen 3 1 Singapore University of Technology and Design (SUTD) 2 CISPA Helmholtz Center for Information Security 3 University of Oxford Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android 1

  2. What are Google Nearby Connections? • Public API for Android and Android Things ◮ In-app proximity-based services ◮ E.g. peer-to-peer file editing • Implemented in the Google Play Services ◮ Available across different Android versions ◮ Applications use it as a shared library Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Motivation 2

  3. Why Analyzing Nearby Connections? • Wide attack surface ◮ Android (version ≥ 4.0) and Android Things ◮ Uses Bluetooth and Wi-Fi (at the same time) • Proprietary technology ◮ No public specifications ◮ Implementation is closed-source and obfuscated Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Motivation 3

  4. Our Core Contributions • First (security) analysis of Nearby Connections ◮ Uncovers its proprietary mechanisms and protocols ◮ Based on reversing its Android implementation • Re-implementation of Nearby Connections (REarby) ◮ Exposes parameters not accessible with the official API ◮ Impersonates nearby devices from any application • Attacking Nearby Connections on Android ◮ Connection manipulation and range extension attacks ◮ Responsible disclosure with Google Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Motivation 4

  5. Nearby Connections Public Information • Server advertises a service, client discovers it ( sid ) • Connection strategies: P2P_STAR and P2P_CLUSTER Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Background 5

  6. Nearby Connections Public Information 2 • Client and server connect using Bluetooth and/or Wi-Fi • Nodes exchange encrypted payloads (peer-to-peer) Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Background 6

  7. Our Dynamic Binary Instrumentation • Workhorse: Frida, https://www.frida.re ◮ Profiling of processes, e.g. NC-App, NC-GPS ◮ Hook function and methods calls ◮ Override parameters and return values ◮ Read and write processes’ memory Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Setup 7

  8. Reversed Phases of a Nearby Connection Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  9. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  10. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  11. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  12. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret 4 Optional Authentication : based on the shared secret Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  13. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret 4 Optional Authentication : based on the shared secret 5 Application Layer Connection Establishment : interactive Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  14. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret 4 Optional Authentication : based on the shared secret 5 Application Layer Connection Establishment : interactive 6 Key Derivation Functions : session, AES and HMAC keys Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  15. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret 4 Optional Authentication : based on the shared secret 5 Application Layer Connection Establishment : interactive 6 Key Derivation Functions : session, AES and HMAC keys 7 Optional Physical Layer Switch : Bluetooth BR/EDR to Wi-Fi Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  16. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret 4 Optional Authentication : based on the shared secret 5 Application Layer Connection Establishment : interactive 6 Key Derivation Functions : session, AES and HMAC keys 7 Optional Physical Layer Switch : Bluetooth BR/EDR to Wi-Fi 8 Exchange Encrypted Payloads : 30 seconds timeout Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  17. Reversed Phases of a Nearby Connection 1 Discovery : Bluetooth BR/EDR name and BLE reports 2 Connection Request : Bluetooth BR/EDR, not authenticated 3 Key Exchange Protocol : establishment of a shared secret 4 Optional Authentication : based on the shared secret 5 Application Layer Connection Establishment : interactive 6 Key Derivation Functions : session, AES and HMAC keys 7 Optional Physical Layer Switch : Bluetooth BR/EDR to Wi-Fi 8 Exchange Encrypted Payloads : 30 seconds timeout 9 Disconnection Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 8

  18. Key Exchange Protocol (KEP) Client Server C S Generate sk C , pk C Generate sk S , pk S Pick N C Pick N S c C = Hash( pk C ) Kep 1 : 1, endpointId , ncname , version Kep 2 : 2, N C , c C , algo Kep 3 : 3, N S , pk S Kep 4 : 4, pk C ( S x , S y ) = sk C · pk S Verify c C ( S x , S y ) = sk S · pk C • Based on ECDH, NIST P256 curve, shared secret is S x Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 9

  19. Optional Physical Layer Switch • Bluetooth to soft access point (Wi-Fi Direct, hostapd) ◮ Server instructs the client over Bluetooth ◮ Client contacts the server over Wi-Fi Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android RE 10

  20. Range Extension MitM Attack Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 11

  21. Range Extension MitM Attack Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 12

  22. Soft Access Point Manipulation Attack Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 13

  23. Victim Connects to Attacker’s REarby Server Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 14

  24. Attacker Manipulates Bluetooth to Wi-Fi Switch Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 15

  25. Victim Connects to Attacker’s Wi-Fi AP Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 16

  26. Attacker Configures Victim’s Network Interface Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 17

  27. Attacker Eavesdrops All Wi-Fi Traffic Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Attacks 18

  28. Conclusions • First security analysis of Nearby Connections • Reversed its Android implementation and re-implemented it (REarby) • Range extension and soft access point manipulation attacks • Try the Soft Access Point Manipulation attack: https://github.com/francozappa/REarby/tree/master/poc-hostapd Daniele Antonioli Nearby Threats: Reversing, Analyzing and Attacking Google’s ’Nearby Connections’ on Android Conclusions 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Anatomy of a Massive P2P Botnet Takedown: Reversing and Attacking GameOver Zeus Dennis Andriesse

Anatomy of a Massive P2P Botnet Takedown: Reversing and Attacking GameOver Zeus Dennis Andriesse

Anatomy of a Massive P2P Botnet Takedown: Reversing and Attacking GameOver Zeus Dennis Andriesse Vrije Universiteit Amsterdam Finse Winter School 2018 Acknowledgements Brett Stone-Gross (Dell SecureWorks) Tillmann Werner, Christian Dietrich

1.02k views • 99 slides
Equitable Subordination and Recharacterization: Looming Bankruptcy Litigation Threats Attacking

Equitable Subordination and Recharacterization: Looming Bankruptcy Litigation Threats Attacking

Presenting a live 90-minute webinar with interactive Q&A Equitable Subordination and Recharacterization: Looming Bankruptcy Litigation Threats Attacking and Defending Preference Status of Lender, Creditor and PE Sponsor Secured Claims

443 views • 32 slides
Peeling Google Public DNS Onion ANALYZING CACHE COHERENCY AND LOCALITY OF GOOGLE PUBLIC DNS

Peeling Google Public DNS Onion ANALYZING CACHE COHERENCY AND LOCALITY OF GOOGLE PUBLIC DNS

Research Project 1 Peeling Google Public DNS Onion ANALYZING CACHE COHERENCY AND LOCALITY OF GOOGLE PUBLIC DNS Tarcan Turgut & Rohprimardho Under supervision of Roland M. van Rijswijk-Deij from SURFnet 4 February 2015 Research Questions

282 views • 24 slides
Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018 About me Security researcher at Google Project Zero Previously: Google Security Team, Academia (UNIZG) Doing security research for the last

774 views • 48 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida Motivation Existing tools often not a good fit for the task at hand Creating a new tool usually takes too much effort Short feedback

1.17k views • 37 slides
Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) Web Server Threats What can happen? Compromise Defacement Gateway to attacking clients Disclosure (not mutually exclusive) And what makes

1.27k views • 96 slides
Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) 1 Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) 1 Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) 1 Web Server Threats What can happen? Compromise Defacement Gateway to attacking clients Disclosure (not mutually exclusive) And what makes

1.09k views • 92 slides
Reversing a firmware uploader & Others NFC stories 1

Reversing a firmware uploader & Others NFC stories 1

7/1/2019 Reversing a Firmware uploader & others NFC stories Reversing a firmware uploader & Others NFC stories 1 file:///D:/projects/pts2019/dist/index.html 1/41 7/1/2019 Reversing a Firmware uploader & others NFC stories

920 views • 41 slides
WFIRST Infrared Nearby Galaxy Survey Ben Williams (University of Washington) Nearby Galaxies Are

WFIRST Infrared Nearby Galaxy Survey Ben Williams (University of Washington) Nearby Galaxies Are

WFIRST Infrared Nearby Galaxy Survey Ben Williams (University of Washington) Nearby Galaxies Are Great for Astrophysics Detailed view and context simultaneously Sensitive to galaxy evolution and cosmology Anchor our knowledge for

682 views • 45 slides
TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats Explosive ad incendiary Threats Bio Hazardous Powder Threats 3 Improvised mechanical Devices TR15 Smart Scan Can easily detect the component

192 views • 16 slides
arXiv:1706.03762v5 [cs.CL] 6 Dec 2017 Llion Jones Aidan N. Gomez ukasz Kaiser

arXiv:1706.03762v5 [cs.CL] 6 Dec 2017 Llion Jones Aidan N. Gomez ukasz Kaiser

Attention Is All You Need Ashish Vaswani Noam Shazeer Niki Parmar Jakob Uszkoreit Google Brain Google Brain Google Research Google Research avaswani@google.com noam@google.com nikip@google.com usz@google.com

295 views • 15 slides
Exploits of a TAG analyst chasing in the wild Clement Lecigne <clem1@google.com, @_clem1>

Exploits of a TAG analyst chasing in the wild Clement Lecigne <clem1@google.com, @_clem1>

Exploits of a TAG analyst chasing in the wild Clement Lecigne <clem1@google.com, @_clem1> Whoami Why this talk and what not to expect? Security @ Google What is TAG Understand targeted threats. Build intelligence systems. ~30 people (US

1.23k views • 61 slides
Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus Mannheim Centre for European Social Research (MZES) University of Mannheim www.mzes.uni-mannheim.de www.mzes.uni mannheim.de Overcoming early exit

380 views • 9 slides
Nearby Galaxies as measures of Feedback Brent Groves (MPIA) Quenching & Quiescence MPIA,

Nearby Galaxies as measures of Feedback Brent Groves (MPIA) Quenching & Quiescence MPIA,

Nearby Galaxies as measures of Feedback Brent Groves (MPIA) Quenching & Quiescence MPIA, Heidelberg July 14-18, 2014 Why Nearby? In nearby galaxies we can resolve the physics of feedback processes (J. Gallaghers talk)

466 views • 43 slides
On ParaVirualizing TCP: Congestion Control in Xen Virtual Machines Luwei Cheng, Cho-Li Wang,

On ParaVirualizing TCP: Congestion Control in Xen Virtual Machines Luwei Cheng, Cho-Li Wang,

On ParaVirualizing TCP: Congestion Control in Xen Virtual Machines Luwei Cheng, Cho-Li Wang, Francis C.M. Lau Department of Computer Science The University of Hong Kong Xen Project Developer Summit 2013 Edinburgh, UK, October 24-25, 2013

543 views • 33 slides
QoS Services with Dynamic Packet State Ion Stoica Carnegie Mellon University (joint work with

QoS Services with Dynamic Packet State Ion Stoica Carnegie Mellon University (joint work with

QoS Services with Dynamic Packet State Ion Stoica Carnegie Mellon University (joint work with Hui Zhang and Scott Shenker) Todays Internet Service: best-effort datagram delivery Architecture: stateless routers excepting

485 views • 33 slides
Swarm-based In Incast Congestion Control in in a Datacenter Serving Web Applications Haoyu Wang*

Swarm-based In Incast Congestion Control in in a Datacenter Serving Web Applications Haoyu Wang*

Swarm-based In Incast Congestion Control in in a Datacenter Serving Web Applications Haoyu Wang* , Haiying Shen * and Guoxin Liu ^ *U *Universit ity of of Vir irgin inia ia, ^C ^Cle lemson Univ iversit ity Outline Introduction

675 views • 25 slides
On the Design of Load Factor based Congestion Control Protocols for Next-Generation Networks

On the Design of Load Factor based Congestion Control Protocols for Next-Generation Networks

On the Design of Load Factor based Congestion Control Protocols for Next-Generation Networks Ihsan Ayyub Qazi Taieb Znati Department of Computer Science University of Pittsburgh, PA, USA Email:{ihsan,znati}@cs.pitt.edu Agenda Motivation

437 views • 22 slides
April 2020 CDS Connect Work Group Call Agenda Schedule Topic 3:00 3:02 Roll

April 2020 CDS Connect Work Group Call Agenda Schedule Topic 3:00 3:02 Roll

April 2020 CDS Connect Work Group Call Agenda Schedule Topic 3:00 3:02 Roll Call, Michelle Lenox (MITRE) 3:02 3:05 Review of the Agenda, Maria Michaels (CDC) 3:05 3:40 A FHIR-Based CDS Sandbox,

582 views • 21 slides
AK Connect! FACILITATED BY: ASHLEY SCHABER, PHARMD, MBA, BCPS I N P A T I E N T P H A R M A C Y

AK Connect! FACILITATED BY: ASHLEY SCHABER, PHARMD, MBA, BCPS I N P A T I E N T P H A R M A C Y

AK Connect! FACILITATED BY: ASHLEY SCHABER, PHARMD, MBA, BCPS I N P A T I E N T P H A R M A C Y M A N A G E R , A L A S K A N A T I V E M E D I C A L C E N T E R MICHELLE LOCKE, PHARMD T R A N S I T I O N S O F C A R E P H A R M A C Y

532 views • 22 slides
Low-loss connection of weight vectors: distribution-based approaches Ivan Anokhin, Dmitry

Low-loss connection of weight vectors: distribution-based approaches Ivan Anokhin, Dmitry

Low-loss connection of weight vectors: distribution-based approaches Ivan Anokhin, Dmitry Yarotsky ICML 2020 1 / 28 Introduction How much connectedness is there in the bottom of a neural networks loss function? Connection task: Given two

407 views • 28 slides
Inferring Strange Behavior from Connectivity Pattern in Social Networks Meng Jiang, Peng Cui,

Inferring Strange Behavior from Connectivity Pattern in Social Networks Meng Jiang, Peng Cui,

Inferring Strange Behavior from Connectivity Pattern in Social Networks Meng Jiang, Peng Cui, Shiqiang Yang (Tsinghua, Beijing) Alex Beutel, Christos Faloutsos (CMU) What is Strange Behavior? Who -follows- whom network with billions

1.15k views • 45 slides

More recommend