1
CERTIFIGATE
Front Door Access to Pwning Hundreds of Millions of Androids
Avi Bashan
Pavel Berengoltz
2
AGENDA
• Mobile Threats and Research Motivation
• Mobile Remote Support Tools Overview
• Pwning Mobile Remote Support Tools
• Conclusions
• Q & A
3
ABOUT US
PAVEL BERENGOLTZ
- Decade of experience researching and working in the security space
- Former Director of Research @Lacoon Mobile Security
- Mobile Threat Detection Group Manager @Check Point
AVI BASHAN
- Security researcher for over a decade in the PC and mobile areas
- Former CISO & Security Researcher @Lacoon
- Security Technology Leader @Check Point
MAJOR CONTRIBUTORS
- Daniel Brodie
- Andrey Polkovnichenko
- Denis Voznyuk
4
MOBILE REMOTE ACCESS TROJAN (mRAT)
• Used by malicious threat actors
• Provides unauthorized and stealthy access to mobile devices
• Known mRATs
5
mRAT CAPABILITY ANALYSIS (table, slides 5-8)
Capabilities compared: Exploit Usage, App Installation, Screen Access, User Input Control
Columns: mRAT; slide 7 asks which legitimate software has the same capabilities (?); slide 8 adds the answer, mRST, next to mRAT
9
MOBILE REMOTE SUPPORT TOOLS (mRST)
• Used by
  - IT departments
  - Mobile carriers
  - Device manufacturers
• Main players
10
MOBILE REMOTE SUPPORT
TOOLS
11
ANDROID PERMISSION MODEL 101
ANDROID IS A MODERN OS
• Sandboxing features
• Permission-based access
  - Must be obtained to access a resource
  - User can view upon app installation
  - Take-it-or-leave-it approach
12
ANDROID PERMISSION MODEL 101
SOME PERMISSIONS ARE CONSIDERED PRIVILEGED (signature-level protection)

Permission                                  Action
INSTALL_PACKAGES                            App installation
READ_FRAME_BUFFER, ACCESS_SURFACE_FLINGER   Screen access
INJECT_EVENTS                               User input control

GRANTED ONLY TO PRIVILEGED SYSTEM APPS:
• ROM pre-installed apps located under /system/priv-app
OR
• Apps signed with the OEM's platform certificate
13
mRST PERMISSIONS
• Access Internet
• Get device network info
• Query installed app list
• Access device storage
PRIVILEGED PERMISSIONS
• Install apps
• Capture screen
• User input control
14
ANDROID CUSTOMIZATION CHAIN
AOSP -> OEMs -> Carriers
15
mRST ARCHITECTURE
MAIN APP
• Signed by the mRST developer
• Regular permissions
• Network connection
• User interface
PLUGIN
• Signed by the OEM
• Privileged permissions
• Exported service
• No user interaction
Main app <-> Plugin: Binder IPC. Verification mechanism?
16
What do we know?
• Plugin signed by the OEM
• Obtained from Google Play or pre-installed
• Designed to communicate with other apps
• VALIDATION CODE IS RE-INVENTED BY EACH VENDOR!
17
WHAT DID WE FIND?
18
TEAMVIEWER OVERVIEW
19
mRST PLUGIN VERIFICATION
• A plugin is an exported service
• Any app can connect to the plugin over Binder (IPC)
• The plugin needs to verify the requesting app's identity
20
WHERE'S WALDO?
Code: set a hardcoded serial number; extract the requesting app's certificate serial number and compare it
21
RFC 2459, Internet X.509 Public Key Infrastructure, 4.1.2.2 Serial number:
"The serial number is an integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate)."
22
ANDROID APP SIGNATURES
• Who signs applications on Android? The developers themselves
• Where do they get the certificate? They generate it: Android app certificates are self-signed, so every field, the serial number included, is chosen by whoever holds the key
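How an OEM-signed plugin's exported Binder service should identify and authenticate its caller, as an added example (this is illustrative code, not the plugin code of any vendor named in the talk). It assumes the plugin serves exactly one main app and pins the SHA-256 fingerprint of that app's signing certificate; PINNED_CERT_SHA256 is a placeholder to be filled in, and SupportPluginService is an assumed class name. The caller is identified by the UID the binder driver attaches to the transaction, never by anything the caller sends, and it is accepted only if the whole DER certificate digests to the pinned value.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Skeleton of an OEM-signed plugin service that authenticates the app calling it. */
public class SupportPluginService extends Service {

    // Placeholder (assumption): SHA-256 of the DER-encoded signing certificate of the
    // main app this plugin is allowed to serve. Compute it once, e.g. with
    //   keytool -printcert -jarfile main-app.apk
    // and paste the 32 bytes here.
    private static final byte[] PINNED_CERT_SHA256 = new byte[32];

    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // Authenticate on every transaction. The calling UID is filled in by the
            // binder driver, so unlike a package name carried in the Parcel it cannot be spoofed.
            if (!callerIsTrusted(Binder.getCallingUid())) {
                throw new SecurityException("caller is not signed with the pinned certificate");
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    /** Every package running under the calling UID must carry exactly the pinned certificate. */
    boolean callerIsTrusted(int callingUid) {
        PackageManager pm = getPackageManager();
        String[] packages = pm.getPackagesForUid(callingUid);
        if (packages == null || packages.length == 0) {
            return false;
        }
        // Packages can share a UID (sharedUserId); all of them must pass, not just one.
        for (String pkg : packages) {
            if (!signedWithPinnedCert(pm, pkg)) {
                return false;
            }
        }
        return true;
    }

    private boolean signedWithPinnedCert(PackageManager pm, String pkg) {
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            // Refuse APKs signed by more than one certificate: "any signer matches" is a
            // weaker statement than "the only signer matches".
            if (info.signatures == null || info.signatures.length != 1) {
                return false;
            }
            byte[] der = info.signatures[0].toByteArray();   // the full DER certificate
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            return MessageDigest.isEqual(digest, PINNED_CERT_SHA256);   // constant-time compare
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }
}
```

With an AIDL-generated Stub the same callerIsTrusted() call belongs at the top of every exposed method instead of in onTransact. GET_SIGNATURES is the API of the 2015-era platform the talk covers; on API 28 and later use GET_SIGNING_CERTIFICATES (or PackageManager.hasSigningCertificate) so that key rotation is handled. Comparing a digest of the whole certificate is what makes the serial-number and hashCode checks discussed in the following slides unnecessary.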
23
Pwned!
24
25
DEMO TIME!
26
VULNERABILITY RECAP
• Wildcard permissions
• Android's security restrictions bypassed
• Secure containers aren't enough
RSUPPORT OVERVIEW
• Samsung & LG flagship devices have the plugin pre-installed
  - LG G4, G3, G2 and G Pro 2
  - Samsung Galaxy S5 and S4 (some ROMs)
• Invisible to the user (no launcher icon)
• Cannot be uninstalled
28
RSUPPORT CODE OVERVIEW
The plugin compares the connecting app's certificate hashCode to a hardcoded hash code.
Code: get the certificate hashCode
29
RSUPPORT CODE OVERVIEW (Cont.)
Code: try to compare it to a few hash codes; if it's equal, continue
30
HASHCODE?
• But wait, what is the Signature's hashCode? MD5? SHA1? SHA256? CRC32?
• Android is open source, so we can just read its implementation
31
HASHCODE!
• Signature.hashCode() executes Arrays.hashCode on the certificate bytes
• 32-bit signed integer: only 2^32 ≈ 4 billion possibilities!
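The three comparisons the talk contrasts, side by side in plain Java, as an added example that is not code from the talk or from any vendor's plugin: the X.509 serial number check of slide 20, the Signature.hashCode() check of slides 28-31, and a SHA-256 fingerprint of the whole certificate. The class name CertCompare and the constructed two-byte inputs are the example's own; the hashCode arithmetic is the one java.util.Arrays.hashCode uses (h = 31*h + b from 1, in int arithmetic), which is why two different inputs collide as soon as 31*b0 + b1 agrees, e.g. 31*0x41 + 0x61 = 31*0x42 + 0x42.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Compares the three ways of "identifying" a signing certificate discussed in the talk. */
public final class CertCompare {

    /** Weak check 1 (slide 20). The serial number is assigned by the issuer; with a
     *  self-signed Android certificate the developer is the issuer, so any serial can be reused. */
    static BigInteger serialNumber(byte[] derCert) throws Exception {
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(derCert));
        return cert.getSerialNumber();
    }

    /** Weak check 2 (slides 28-31). This is what android.content.pm.Signature.hashCode()
     *  returns: java.util.Arrays.hashCode over the DER bytes. */
    static int signatureHashCode(byte[] derCert) {
        return Arrays.hashCode(derCert);
    }

    /** The same arithmetic written out: h = 31*h + b, starting at 1, wrapping at 2^32.
     *  A 32-bit, linear, non-cryptographic function. */
    static int arraysHashCode(byte[] data) {
        int h = 1;
        for (byte b : data) {
            h = 31 * h + b;
        }
        return h;
    }

    /** Strong check: SHA-256 of the entire encoded certificate, compared in constant time. */
    static boolean fingerprintMatches(byte[] derCert, byte[] pinnedSha256) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(derCert);
        return MessageDigest.isEqual(digest, pinnedSha256);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: two different byte strings with equal Arrays.hashCode,
        // because 31*0x41 + 0x61 == 31*0x42 + 0x42. Collisions are this cheap for any
        // function of the form 31*h + b; a digest does not behave like this.
        byte[] a = {0x41, 0x61};
        byte[] b = {0x42, 0x42};
        System.out.println("Arrays.equals(a, b) = " + Arrays.equals(a, b));
        System.out.println("hashCode(a) = " + signatureHashCode(a) + ", hashCode(b) = " + signatureHashCode(b));
        System.out.println("reference formula agrees = " + (arraysHashCode(a) == signatureHashCode(a)));

        // Real input: an APK signing certificate exported with
        //   keytool -exportcert -keystore app.jks -alias app -rfc -file app.pem
        if (args.length == 1) {
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(in);
                byte[] der = cert.getEncoded();
                byte[] sha256 = MessageDigest.getInstance("SHA-256").digest(der);
                System.out.println("serial   = " + serialNumber(der).toString(16));
                System.out.println("hashCode = " + signatureHashCode(der));
                System.out.println("SHA-256  = " + String.format("%064x", new BigInteger(1, sha256)));
                System.out.println("pinned?  = " + fingerprintMatches(der, sha256));
            }
        }
    }
}
```

Run with javac CertCompare.java && java CertCompare app.pem. The point of the two-byte collision is not that it forges a certificate, but that hashCode is a bucketing function with a 32-bit output and simple linear structure: equality of hash codes proves nothing about equality of the certificates, which is exactly the property a trust decision needs.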
32
33
WHAT ELSE?
• We found multiple vulnerable plugins
• We didn't check them all (left as an exercise for the reader)
• The verification flaw is not limited to mRSTs
• Certificates cannot be revoked
34
mRST PLUGIN: ANOTHER ANGLE
• Manipulate the main app's logic in order to take control of the OEM-signed plugin
35
COMMUNITAKE
• The main app allows changing settings by SMS
• One of the commands can modify the subdomain of the C&C server: <xxx>.communitake.com
• The subdomain can be altered without requiring authentication
• The app does not sanitize the subdomain properly, so a '/' character can be added to it:
  www.evil.com/.communitake.com
COMMUNITAKE VULNERABILITY
• An attacker can send a command that changes the C&C server to a malicious one
• Enabling them to take full control of the device with a single SMS message, without user intervention!
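The URL-building mistake behind this, beside a hardened version, as an added example; this is not CommuniTake's code. The scheme (https), the class name CncHost, the label "eu1" and the function names are assumptions of the example; the attacker value www.evil.com/ and the base domain are the ones on the slide.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

/** Builds the C&C URL from an attacker-influenced subdomain: the flawed way and a hardened way. */
public final class CncHost {

    static final String BASE_DOMAIN = "communitake.com";

    // One DNS label: letters, digits and hyphens, 1-63 chars, no leading or trailing hyphen.
    // Anything else, '/' included, is rejected.
    private static final Pattern LABEL =
            Pattern.compile("^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$");

    /** The pattern described on slide 35: the subdomain is concatenated in unchecked. */
    static String vulnerableUrl(String subdomain) {
        return "https://" + subdomain + "." + BASE_DOMAIN + "/";
    }

    /** Hardened: validate the label, build the URL with the URI class, then re-check
     *  the host the URL actually points at. */
    static String hardenedUrl(String subdomain) throws URISyntaxException {
        if (!LABEL.matcher(subdomain).matches()) {
            throw new IllegalArgumentException("subdomain is not a single DNS label");
        }
        URI uri = new URI("https", subdomain + "." + BASE_DOMAIN, "/", null);
        String host = uri.getHost();
        if (host == null || !host.endsWith("." + BASE_DOMAIN)) {
            throw new IllegalArgumentException("host escaped " + BASE_DOMAIN);
        }
        return uri.toString();
    }

    /** The host a client would really connect to for a given URL string. */
    static String effectiveHost(String url) throws URISyntaxException {
        return new URI(url).getHost();
    }

    public static void main(String[] args) throws Exception {
        String fromSms = "www.evil.com/";   // constructed: the attacker value from the talk
        String url = vulnerableUrl(fromSms);
        System.out.println("vulnerable URL : " + url);
        System.out.println("connects to    : " + effectiveHost(url));

        System.out.println("hardened URL   : " + hardenedUrl("eu1"));
        try {
            hardenedUrl(fromSms);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected       : " + e.getMessage());
        }
    }
}
```

Parsing the vulnerable URL back shows that the host the app would connect to is www.evil.com, with ".communitake.com" demoted to a path. Validating the label closes that hole, but it does not fix the other half of the finding: a settings command that arrives over SMS must itself be authenticated before any of its fields are acted on.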
37
DEMO TIME!
38
VULNERABILITIES DISCLOSURE TIMELINE
MID APRIL
Reported to vendors, OEMs and Google
MID APRIL - MAY
Responses from most of the vendors, which started working on resolving the issues
MAY - JUNE
New versions of the plugins uploaded to the Play Store
AUGUST
Still waiting for some vendors' responses
39
CONCLUSION
Android's ecosystem is flawed
• Google delegated the responsibility to the OEMs and carriers
• No way to patch it: the OEM certificates cannot be revoked
Hundreds of millions of Android devices are vulnerable
40
SO WHAT SHOULD I DO?
• Check if your device is on the list of vulnerable OEMs (can be found in our blog post)
• Check if you have one of the plugins installed, and remove it (if you can)
41
A LAYERED MOBILE SECURITY APPROACH
VULNERABILITY ASSESSMENT
• System, OEM and 3rd-party apps, and plugins
• Continuous monitoring
THREAT DETECTION
• Horizontal escalation from 3rd-party apps
RISK MITIGATION
• Alert the user to remove vulnerable plugins
• Track patching progress
42
CHECK POINT SCANNER (Google Play)
43
QUESTIONS?
MobSecCon 2015 - CertifiGate