
Your smartphone - a spy in the pocket?


Denis Simonet
February 23, 2014
Denis Simonet () Your smartphone - a spy in the pocket? February 23, 2014 1 / 23
Outline
1 Malware on smartphones
2 GSM issues
3 Conclusion
Malware analysis
Juniper Networks Third Annual Mobile Threats Report
Malware analysis
Technical report from the Northwestern University
"A majority of [anti-malware products] can be trivially defeated by applying slight transformation over known malware with little effort."
Malware analysis
WiFi vs. Cellular networks

WiFi                            GSM, UMTS, LTE
Very popular                    Very popular
License-free radio spectrum     Licensed radio spectrum
Cheap hardware                  Expensive hardware
Available to anyone             Typically limited to professional operators
Easy to monitor                 No popular analysis tools available
Malware analysis
Base station
sysmoBTS for 2500 EUR (on the market since 2012)
Operated with the free software project Osmocom
Network in the box:
- GSM voice
- SMS
- GPRS
Malware analysis
Our set-up
Malware analysis
Capturing with Wireshark
Malware analysis
Two tests:
- Jewels Star 2, a free game from the Google Play Store
- iSpyoo, spyware as a service
Malware analysis
Jewels Star 2
Sends information to at least five advertising providers
Uses HTTP (i.e. no transport encryption)
Captured requests include information on the device and its location
Malware analysis
iSpyoo
Remote control of the target phone through a web interface
Easy to handle
Functionality depends on the monthly fee
Data is sent to a dedicated server in plain text
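To show what a first pass over such a capture looks like, here is an added Python example (not code from the talk, nor from Wireshark or iSpyoo): it parses HTTP requests as exported from Wireshark's "Follow TCP stream" and flags parameters that carry device identifiers, location, phone numbers or e-mail addresses, i.e. the kinds of fields found in the Jewels Star 2 and iSpyoo captures. The requests, hosts and values are constructed to resemble ad-SDK and spyware traffic; the parameter names it keys on and the Luhn check on the IMEI are assumptions of this example.

```python
"""Triage of plaintext HTTP requests captured from a phone.

Added example, not code from the talk or from the tools it names. The
requests below are constructed; the classifier is a first-pass filter
for device identifiers, location, phone numbers and e-mail addresses."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic, as it appears after "Follow TCP stream".
# Hosts, paths and values are made up.
SAMPLE_REQUESTS = [
    "GET /ad?imei=490154203237518&android_id=9774d56d682e549c"
    "&lat=47.3769&lon=8.5417&app=jewels.star2 HTTP/1.1\r\n"
    "Host: ads.example.net\r\n"
    "User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.2.2)\r\n\r\n",
    "POST /api/upload HTTP/1.1\r\n"
    "Host: panel.example.org\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "imsi=228011234567890&phone=%2B41791234567"
    "&contact_email=alice%40example.com&sms=hello+there",
    "GET /icons/small.png HTTP/1.1\r\nHost: cdn.example.com\r\n\r\n",
]

LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}
ANDROID_ID = re.compile(r"^[0-9a-f]{16}$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE)
PHONE = re.compile(r"^\+?[0-9]{7,15}$")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit as used by the IMEI; cuts false positives on
    arbitrary 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_request(raw: str) -> dict:
    """Split one HTTP/1.1 request into method, host, path and the
    parameters from the query string plus a urlencoded body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qs(url.query)
    if body and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params.update(parse_qs(body))
    return {"method": method, "host": headers.get("host", "?"),
            "path": url.path, "params": params}


def classify(name: str, value: str) -> Optional[str]:
    """Kind of sensitive datum a parameter carries, or None."""
    n = name.lower()
    if value.isdigit() and len(value) == 15:
        if "imsi" in n:
            return "IMSI"             # no check digit: rely on the name
        if luhn_ok(value):
            return "IMEI"
    if ANDROID_ID.match(value) and "id" in n:
        return "Android ID"
    if n in LOCATION_KEYS:
        try:
            float(value)
            return "location"
        except ValueError:
            pass
    if EMAIL.match(value):
        return "e-mail address"
    if PHONE.match(value) and ("phone" in n or "msisdn" in n
                               or value.startswith("+")):
        return "phone number"
    return None


def triage(raw_requests: List[str]) -> List[Tuple[str, str, str]]:
    """(host, parameter, kind) for every sensitive field sent in the clear."""
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        for name, values in req["params"].items():
            for value in values:
                kind = classify(name, value)
                if kind:
                    findings.append((req["host"], name, kind))
    return findings


def by_host(findings: List[Tuple[str, str, str]]) -> dict:
    """Sorted list of data kinds per receiving host."""
    report = {}
    for host, _name, kind in findings:
        report.setdefault(host, set()).add(kind)
    return {host: sorted(kinds) for host, kinds in report.items()}


if __name__ == "__main__":
    for host, kinds in by_host(triage(SAMPLE_REQUESTS)).items():
        print(f"{host}: {', '.join(kinds)}")
```

On the constructed sample, the ad host receives IMEI, Android ID and location and the spyware panel receives IMSI, phone number and an e-mail address, while the CDN request is silent. Replace SAMPLE_REQUESTS with the streams exported from your own capture; anything this flags went over the air unencrypted.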
Malware analysis
Findings by c't: Foursquare
"Find friends" transmits:
- e-mail addresses
- phone numbers
Do your friends agree to that?
Malware analysis
Findings by c't: Other apps
Shazam: position, IP address, Android ID
Who Wants to Be a Millionaire?: list of installed apps
Samsung ChatON: IMEI, phone number
MyXperia: position, IMSI, phone number, hardware information (without the service even being enabled!)
Malware analysis
Does a flashlight need to know your location?
Malware analysis
Reactions
Many people do not seem to really care:
- "I have nothing to hide"
- "My data is not important"
- "I don't care"
The NSA is interested in the data advertising providers collect!
GSM issues
Osmocom
Osmocom (the software used) provides many possibilities:
- Run your own baseband on cheap cell phones
- Run your own GSM network
- Play with SIMs
- ...
Facilitates GSM research
Interesting summary at 30C3 by Nohl/Melette: Mobile network attack evolution
GSM issues
Known GSM issues
- No mutual authentication between phone and network
- Weak encryption algorithms
- Encryption is optional
- Network can obtain positional information from the phone
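The first and third of these issues are what make a fake base station (IMSI catcher) possible. The following Python model is an added example, not code from the talk or from Osmocom: it simulates the GSM 04.08 authentication and cipher-mode exchange between a phone and, in turn, the real network and a rogue BTS. HMAC-SHA256 stands in for the operator's secret A3/A8 algorithms (real SIMs run COMP128 variants or Milenage), the IMSI and Ki are made up, and the "AKA" phone variant is a simplified sketch of what mutual authentication would add; it is not part of GSM.

```python
"""Model of the GSM authentication and cipher-mode exchange.

Added example, not code from the talk or from Osmocom. HMAC-SHA256 stands
in for the operator's secret A3/A8 (real SIMs run COMP128 variants or
Milenage); IMSI and Ki are made up; message names follow GSM 04.08 but
the exchange is a pure Python simulation. The "AKA" phone is a simplified
sketch of what mutual authentication adds, not part of GSM."""
import hashlib
import hmac
import os


def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for A3/A8: SRES (32 bit) and Kc (64 bit) from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def autn(ki: bytes, rand: bytes) -> bytes:
    """Network authentication token: the piece GSM lacks."""
    return hmac.new(ki, b"AUTN" + rand, hashlib.sha256).digest()[:8]


class MobileStation:
    """Phone plus SIM as GSM specifies it: answers any challenge and obeys
    CIPHER MODE COMMAND, but never challenges the network itself."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki
        self.kc = self.cipher = None

    def authentication_response(self, rand: bytes, token=None):
        sres, self.kc = a3_a8(self._ki, rand)   # token ignored: GSM has none
        return sres

    def cipher_mode_command(self, algorithm: str) -> str:
        self.cipher = algorithm                  # "A5/0" = no encryption
        return "CIPHER MODE COMPLETE"


class MobileStationAKA(MobileStation):
    """Same phone with mutual authentication: it only answers once the
    network has proved knowledge of Ki via the token."""

    def authentication_response(self, rand: bytes, token=None):
        if token is None or not hmac.compare_digest(token, autn(self._ki, rand)):
            return None                          # AUTHENTICATION REJECT
        return super().authentication_response(rand)


class RealNetwork:
    """Operator holding the subscriber's Ki in its AuC/HLR."""

    def __init__(self, subscribers: dict):
        self.subscribers = subscribers           # IMSI -> Ki

    def attach(self, ms: MobileStation) -> bool:
        ki = self.subscribers[ms.imsi]
        rand = os.urandom(16)
        expected_sres, _kc = a3_a8(ki, rand)
        if ms.authentication_response(rand, autn(ki, rand)) != expected_sres:
            return False
        ms.cipher_mode_command("A5/1")           # both sides hold Kc now
        return True


class RogueBTS:
    """IMSI catcher: has no Ki, so it can neither check SRES nor derive Kc.
    GSM does not require it to do either."""

    def __init__(self):
        self.captured = []

    def attach(self, ms: MobileStation) -> bool:
        rand = os.urandom(16)
        sres = ms.authentication_response(rand)  # any value is "accepted"
        if sres is None:
            return False                         # the AKA phone refused
        self.captured.append(ms.imsi)
        ms.cipher_mode_command("A5/0")           # disable encryption
        return True


def run_scenario() -> dict:
    """Attach each phone variant first to the real network, then to a
    rogue BTS; returns (attached?, cipher in use) per step."""
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    result = {}
    for label, cls in (("gsm", MobileStation), ("aka", MobileStationAKA)):
        ms = cls("228011234567890", ki)
        real, rogue = RealNetwork({ms.imsi: ki}), RogueBTS()
        real_ok = real.attach(ms)
        real_cipher = ms.cipher
        rogue_ok = rogue.attach(ms)
        result[label] = {"real": (real_ok, real_cipher),
                         "rogue": (rogue_ok, ms.cipher),
                         "imsi_captured": rogue.captured}
    return result


if __name__ == "__main__":
    for label, outcome in run_scenario().items():
        print(label, outcome)
```

The GSM phone attaches to both networks and ends up on A5/0 under the rogue BTS, which also learns its IMSI without ever knowing Ki; the AKA variant rejects the rogue challenge because no valid token accompanies it. Weak ciphers (the second issue above) matter on top of this: even a network that does command A5/1 gives the passive attacker something to break.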
GSM issues
Sniffing GSM
OsmocomBB can be used to analyse GSM traffic
E.g. find whether a cell phone is in your vicinity...
...or even decrypt phone calls! (Nohl/Munaut @ 27C3)
GSM issues
Baseband processor
Closed and closed-minded business
Lacks modern security features (stack protection, address space randomisation, ...)
Stability: malformed messages lead to crashes. Phones already crashed even though nobody intentionally sent them wrong information.
The GSM specs contain many options that no real network uses: potential attack vectors.
See: Harald Welte @ Linux Kongress 2010
GSM issues
SIM card attacks
Remote code injection into the SIM card, possible for anybody, not just the operator
Applications can break out of the sandbox and read any data
E.g. send the current location every 5 minutes
Stays installed on the SIM even if you put it into a new phone
What to do?
Only industry can fix most of the issues
Be careful what applications you install
Disable pre-installed applications
Do not consider GSM as a secure channel