Think like a Hacker: Not So Smart Phone security (PowerPoint presentation)
SLIDE 1

Partners in Information Security

Think like a Hacker

Not So Smart Phone security

SLIDE 2

Introduction

  • Peter Rietveld
  • Liviu Rombaut
  • Traxion
SLIDE 3

Smartphones will never be secure

  • Since security is not a simple notion
  • What & Whom are you protecting?
  • Since it is a very complex device
  • Comparable to a PC in 2003
  • Since it depends on many environmental factors
SLIDE 4

Whom to secure?

  • Vendor
  • You must buy a new phone every 2 years
  • Stop updates
  • Result: orphaned phones
  • Promise new features every day
  • Rushed production
  • Result: bad software
SLIDE 5

App builder

  • Quick results
  • Promise the world
  • Skip ‘difficult stuff’
  • Security is not a focus
  • Result: broken software
SLIDE 6

User

  • Usability
  • Not pay for software
  • Install all kinds of stuff
  • Let everyone use the device
  • Result: broken systems
SLIDE 7

User’s company

  • ‘BYOD’ or company device
  • Install software
  • Block certain Updates ‘for compatibility’
  • Result: broken system
SLIDE 8

Governments

  • Surveillance requirements
  • Result: broken standards
SLIDE 9

Provider

  • Add own software
  • Block Updates (for compatibility)
  • Retain customer (SIM only)
  • Old phones stay
SLIDE 10

And that is the easy part

  • Now for something more technical
SLIDE 11

A smartphone is a crypto device

  • Trusted Platform
  • Code Signing
  • Theoretically good
  • Jail Breaking
  • Yet
  • An open platform
  • Result: Appstore = First Line of Defence
  • And the only one
SLIDE 12

‘Trusted’ Platform

  • Depends on PKI Ecosystem
  • Designed mid-80s
  • Adopted in early 90s
  • Neglected since
  • Many well documented flaws
  • Better known to attackers since Flame and Stuxnet
  • Under reconstruction since 2010
  • Long way to go
SLIDE 13

Dependencies

  • Trusts ‘any’ network
  • Public and private
  • WiFi Onion
  • Money comes from adware
  • Adware networks are trusted – prime attack vector
  • Certificate names based on DNS names
  • Certificates depend on online validation
  • Slow and easily fooled
  • Updates depend on DNS
  • DNS issues
  • DNSSec?
SLIDE 14

Other challenges

  • Massive ecosystem
  • Exploding codebase
  • Every app in the appstore must be scanned
  • And rescanned when vulnerabilities emerge
SLIDE 15

Beat the Statistics

  • Mudge@BlackHat: 1 exploitable error per 1000 lines of code
  • Grey Hat Hacking Handbook: 5-50 errors per 1000 lines of code
  • "Code Complete" (Steve McConnell)
  • Industry average: 15 - 50 errors per 1000 lines of code
  • Microsoft: 0.5 errors per 1000 lines of code in released code
  • Harlan Mills 'cleanroom development': 0.1 defect per 1000 lines of code in released product
  • Space-shuttle software: 0 errors in 500,000 lines of code
SLIDE 16

Codebase Android SLOC

[Bar chart: codebase size in source lines of code (SLOC), x-axis from 20,000,000 to 100,000,000. Codebases shown: OS-X 10.4 Tiger, Debian 2.2 Potato, Windows XP, Windows 7, RHEL 7, Boeing 787, Linux 2.6 kernel, Android, Windows NT4, Facebook, Firefox, Chrome, F22 Raptor, Space shuttle, Plone, Joomla!, Ruby on Rails, Wordpress, Average iPhone App, Drupal]

SLIDE 17

Concluding

  • Smartphones are just computers
  • In consumer space
  • And they are just as (in)secure
SLIDE 18

Thank You