10:00 AM
to 11:00 AM
Zane Lackey & Luis Miras: Attacking SMS
135 Attendees
Location
Milano Ballroom 1-2-3-4
Type Mobile
Zane Lackey, Luis Miras
With the increased usage of text messaging around the globe, SMS provides an ever widening attack surface on today's mobile phones. From over the air updates to rich content multimedia messages, SMS is no longer a simple service to deliver small text-only messages. In addition to its wide range of supported functionality, SMS is also one of the only mobile phone attack surfaces which is on by default and requires almost no user interaction to be attacked.
This talk will seek to inform the audience of threats to today's mobile phones posed by hostile SMS traffic. We will discuss attacking the core SMS and MMS implementations themselves, along with 3rd party functionality that can be reached via SMS. Results will be presented of testing against mobile platforms in real-world situations.
In addition to our own results we will discuss and release a number of tools to help users test the security of their own mobile devices. Finally, we will demonstrate and release an iPhone-based SMS attack application that facilitates a number of the attacks we discuss.
This talk will seek to inform the audience of threats to today's mobile phones posed by hostile SMS traffic. We will discuss attacking the core SMS and MMS implementations themselves, along with 3rd party functionality that can be reached via SMS. Results will be presented of testing against mobile platforms in real-world situations.
In addition to our own results we will discuss and release a number of tools to help users test the security of their own mobile devices. Finally, we will demonstrate and release an iPhone-based SMS attack application that facilitates a number of the attacks we discuss.
11:15 AM
to 12:30 PM
Charlie Miller & Collin Mulliner: Fuzzing the Phone in your Phone
123 Attendees
Location
Milano Ballroom 1-2-3-4
Type Mobile
Charlie Miller, Collin Mulliner
In this talk we show how to find vulnerabilities in smart phones. Not in the browser or mail client or any software you could find on a desktop, but rather in the phone specific software. We present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices. This method does not use the carrier and so is free (and invisible to the carrier). We show how to use the Sulley fuzzing framework to generate fuzzed SMS messages for the smart phones as well as ways to monitor the software under stress. Finally, we present the results of this fuzzing and discuss their impact on smart phones and cellular security.
1:45 PM
to 3:00 PM
Kevin Mahaffey, Anthony Lineberry & John Hering: Is Your Phone Pwned?
127 Attendees
Location
Milano Ballroom 1-2-3-4
Type Mobile
Kevin Mahaffey, Anthony Lineberry, John Hering
The world has never been more connected. Over a billion mobile devices ship every year, five times the number of PCs in the same period. The iPhone and Android have accelerated the mass adoption of smart devices, mobile applications, and high speed mobile networks. Meanwhile, mobile devices are now a material target: they contain sensitive personal and corporate data, access privileged networks, and routinely perform financial transactions. The question remains, how do we keep these devices safe?
Learn about how to detect vulnerabilities on mobile devices, exploitation techniques, how the security architecture of major mobile platforms work, and how to protect your mobile device(s) in the threat landscape of a constantly evolving mobile world. We'll be demonstrating a new mobile device vulnerability (we're also providing a hotfix tool) and analyzing other vulnerabilities that affect major mobile platforms, one of which is already being actively exploited in the wild. To top it off, we will be releasing our 'Sniper' mobile fuzzing framework, a tool specifically designed to fuzz mobile platforms that includes support for major file formats and protocols typically present on mobile devices.
Learn about how to detect vulnerabilities on mobile devices, exploitation techniques, how the security architecture of major mobile platforms work, and how to protect your mobile device(s) in the threat landscape of a constantly evolving mobile world. We'll be demonstrating a new mobile device vulnerability (we're also providing a hotfix tool) and analyzing other vulnerabilities that affect major mobile platforms, one of which is already being actively exploited in the wild. To top it off, we will be releasing our 'Sniper' mobile fuzzing framework, a tool specifically designed to fuzz mobile platforms that includes support for major file formats and protocols typically present on mobile devices.
3:15 PM
to 4:30 PM
Jesse Burns: Exploratory Android Surgery
57 Attendees
Location
Milano Ballroom 1-2-3-4
Type Mobile
Jesse Burns
It's hard to resist open, Linux-based phones with sophisticated programming environments and a novel security model. Android has application-level isolation, new kernel primitives for communication, and fancy UI features wrapped around its open source heart. This talk will explore Android's fancy new kernel and user mode security mechanisms, how to test them, and how to mess around inside your droid.
Jesse will release and demonstrate new tools for exploring Android devices, including an Intent sniffer, Intent fuzzer, a security policy exploration tool, and a tool for exploring any undocumented or proprietary corners of your device.
In the process, the talk will show hidden features on currently shipping devices, illustrate how Android systems fit together and help the attendee understand what this new security model's capabilities and limitations are. The speaker has worked on the security of dozens of Android applications, and on the operating system itself. He will use this experience to explain some of the most common, new types of security weaknesses facing mobile developers and testers.
Jesse will release and demonstrate new tools for exploring Android devices, including an Intent sniffer, Intent fuzzer, a security policy exploration tool, and a tool for exploring any undocumented or proprietary corners of your device.
In the process, the talk will show hidden features on currently shipping devices, illustrate how Android systems fit together and help the attendee understand what this new security model's capabilities and limitations are. The speaker has worked on the security of dozens of Android applications, and on the operating system itself. He will use this experience to explain some of the most common, new types of security weaknesses facing mobile developers and testers.
4:45 PM
to 6:00 PM
Vincenzo Iozzo & Charlie Miller: Post Exploitation Bliss - Loading Meterpreter on a Factory iPhone
59 Attendees
Location
Milano Ballroom 1-2-3-4
Type Mobile
Vincenzo Iozzo, Charlie Miller
IPhones are now widely used by people; as a consequence the number of factory phones is ever increasing. Until very recently, researchers focused on exploitation techniques for jailbroken phones. Most of these approaches are not usable on factory phones due to a number of protections including code signing and additional memory protections. For that reason, even with the ability to execute arbitrary code in an exploit, it is very hard to know what to do. This presentation will show how is it possible to effectively run high level payloads on a factory phone by defeating code signing protections after exploitation. Specifically by injecting an arbitrary non-signed library in the victim's process address space, an attacker is able to run his own code thus granting a much higher attack efficacy. This is especially important because on factory iPhones, there are no useful utilities, not even a shell. With this technique, an attacker can bring along their own tools, including the ability to get directory listing, upload and download files, even pivot attacks, in the form of Meterpreter!
