
Hey there, B-Sides DFW. Today we're going to talk about your phone: why it hates you, and some of the things you can do to take care of that.

So, greetings. My name is Mark. I am a security researcher; I have been a security researcher for 21 years professionally, and before that an avid enthusiast or amateur. In essence, I've been a hacker since before a lot of you were probably even born, and with that comes a very healthy dose of paranoia, hence this talk. Now, the mobile phone is both wonderful and evil. Over the years I've collected a good number of them; a few of them are pictured here. I've taken them apart, I've hacked them, I've reverse engineered apps, I perform man-in-the-middle attacks against their traffic, and I have come to the conclusion that while you might care about security and privacy, well, your phone doesn't. It hates you. Okay, maybe it doesn't hate you, but it's the indifference and betrayal that the modern phone shows that makes it border on evil for sure.

Anyway, what we're going to do is talk about this, and to do that I need to divide things up into different categories. We're first going to talk about hardware issues, then we're going to cover software issues, then after that we will get into some solutions and some mitigation, and in areas where there's really not much mitigation we'll label that opsec for now and see how that works out.
The modern phone has five radios. Four of them can transmit, and one of them is basically receive only. The four that can transmit can potentially betray you; the ability to do so can vary. We're going to cover all five of them, though, and we're going to start with the one that is receive only, that cannot transmit, and that's the GPS radio. GPS stands for Global Positioning System, and this is basically for doing location services; it helps you locate where you're at. There are 24 satellites required for this to work. These satellites are orbiting at 20,000 kilometers, or roughly 12 and a half thousand miles, above the earth, and they complete their orbits twice per day. 24 is the minimum; I think right now there are like 31 of them, so there's some redundancy in place. But for this whole GPS thing to actually work you need to communicate with four of these, so you need to acquire the signal from four different satellites. On a modern phone this can take up to 15 minutes depending upon certain conditions, which can be kind of bad. Anyway, the idea is that if you can get the four, great, now you're able to roughly approximate where you are on the planet.

The problems that occur with this are that occasionally, because this is such a battery drain (up to 15 minutes to acquire the satellite signals), the operating system sometimes takes it upon itself to help the GPS get going and figure out where it's at, and so it will borrow information from other radios, such as your cellular or your Wi-Fi, and that helps speed things up. This is why you sometimes see applications that say, hey, turn on Wi-Fi for better GPS support. That's why it's doing that: it's trying to not only get those satellites but also maintain the position, and use a combination of the two to actually give you fairly accurate GPS. Fine and dandy, but that's basically how these things in particular work.

Now the second radio is the cellular one, and this is one where we start getting into some areas where it gets a little bit evil. It can transmit and receive. Typically it's got a range of about a mile or two, sometimes up to five miles in an urban setting. You get out into areas where towers may be mounted up a little bit higher and have slightly more power to them, and with line of sight in good conditions you can potentially, in these rural areas, get up to 20 miles, although that's kind of unusual. But nonetheless, in the city they have multiple towers in urban areas, and so what happens is that as you're moving through town it will acquire new cell tower signals and older ones will go away as you're moving through. That's how you're able to be on the phone while you're driving around town, either on a phone call or doing something with data. So that's how that works.

Now the thing that's interesting about how these end up betraying you is that these towers gather information about the phone that identifies it as unique. One of the things they gather is the International Mobile Subscriber Identity number, the IMSI, and you may have heard of things like IMSI catchers. These IMSI numbers are unique numbers that are associated with your phone number; they're put on the SIM card that you plug in. And so with this, someone could potentially figure out, by tracking your IMSI, where you're physically located or where you've been at one point or another. This is how repressive governments will fly drones around with these IMSI catchers, or helicopters or airplanes, or even those infamous unmarked vans, and what will happen is they will gather data about, say, who's there in a crowd that's gathered outside some building where they're protesting or something like that. The IMSI catcher gets everybody's info, and they know who everyone was that was there, or happened to be walking by at the time, that kind of thing. And even if they can't, using the IMSI catcher, they can of course go and get the records from the towers themselves and from the phone companies; they can do that with a subpoena, and they can still track your movements that way.

Now the thing is, though, there's a second number that's called the IMEI, or International Mobile Equipment Identity. This is a number that's burned into a chip on your phone, so it's basically in there as a permanent identifier that's unique. With this you can still do the same level of tracking on cell towers. This is how you're able to do something like dial 911 and the call actually goes through even though you don't have a SIM plugged in: it's using the IMEI to at least help establish that you're a unique device on the cellular network. Okay, so with that you can still be tracked and whatnot, so you have to keep that in mind: if you pull the SIM out you're still going to potentially be tracked by that.

The third radio I wanted to talk about was Wi-Fi. With that, the unique number associated with it of course is the MAC address that's associated with the Wi-Fi interface. I really am not going to go into too much detail with Wi-Fi; there have been entire presentations on Wi-Fi and Wi-Fi security. One can do an entire presentation on a single flaw in one company's implementation of Wi-Fi. First off, I just wanted to let you guys know I am releasing a zero day in this talk, but I want to point out that it's lame, okay? So I'm not going to go into a huge amount of detail here; just bear in mind how awful Wi-Fi is. Wi-Fi doesn't have a huge range, but it can reach out from your phone for dozens of meters, and line of sight within conditions that could do well over a hundred meters, so it's a pretty powerful little radio.

The fourth radio is Bluetooth. Now there are three classes of Bluetooth, ranging from 1 meter, 10 meters, to 100 meters respectively. We're concerned with class 2, which is the one that's 10 meters, or 33 feet roughly. It has its own MAC address as well, and while there are things like, I know on an iPhone, depending upon the applications you're using, it'll actually randomize the MAC address for privacy purposes, I do realize that the MAC address of the Bluetooth is one digit off from the MAC address of the Wi-Fi. So if you can get one, then you can figure out what the other one is. So that's interesting with that.

Now the fifth radio we're going to talk about is Near Field Communications, or NFC. The background of NFC gets back into RFID, and again there are whole presentations that have been done on RFID and whatnot. But NFC: there are three different types of NFC, and there are four technology types that are associated with those three different types that can extend those three, and your phone speaks all of them. Okay, now that may sound a little bit daunting, but it's not as scary as it sounds. I mean, there is a MAC address associated with this technology. The IP stack is one thing, TCP, that's one thing; the NFC stack is insane, it is all kinds of levels of complexity. But the thing is, it's only activated via an app that has to use the APIs in the lower parts of the technology stack itself, so there's no direct access; they have to go through APIs to get down into there. So there is some lower-level isolation from the upper ranges of the phone at the app level, and couple that with the fact that the transmission range of NFC is roughly four centimeters, something like that, an inch and a half, so it's not very wide range. This drastically reduces the chance of compromise with that particular radio.

Now, from a hardware standpoint, with four of five radios capable of transmitting, one can safely state that if the phone has power it's traceable. And it is widely believed that even if the battery in the phone is still there with power in it but the phone is powered off, it is still traceable even then. To give you an example of that: in 2003, then-President George Bush made a surprise Thanksgiving trip to visit troops in Iraq. This is during the Iraq war, and to maintain all kinds of security and privacy and secrecy around this, reporters were instructed not only to shut off their phones but they were told to remove the batteries, because in 2003 every phone had a removable battery. They gave the reporters fresh phones when they were on the way back from Iraq so that they could actually begin reporting on what was going on. Now this level of phone spying is probably only going to apply to nation state attackers, but it is a possibility, and considering that was in 2003 I can only imagine where the technology for doing that kind of thing is now. So if you're thinking, oh, I've got to stay away from the nation state actors, they're going to be the ones that are coming after me, well then there you go; this is something to keep in mind.
As far as software goes, there are a few things to keep in mind. Each operating system, either Android or iOS, will perform various queries back and forth to their respective homes. The main reason for these is updates for the OS or for the included apps. Other reasons might include telemetry data. Now this can be the health of the system, usage statistics, location data, other bits and pieces of information that can be rather revealing. Some people don't have a problem with it, say for example if they constantly lose their phone and they want to use some type of thing like Find My Phone to be able to retrieve it. Other people want to be able to keep an eye on their children. Obviously, if there are malicious use cases then those are the ones we want to keep in mind. For the truly paranoid: all of this data that's collected can be subpoenaed by the US government. In some cases, for foreign nations, there may not even be a subpoena process in place; the government just gets access to it, such as China.

GPS can be the source of a bit of unwanted tracking. As we stated before, it can take up to 15 minutes to acquire a signal. This is known as TTFF, or time to first fix; that's tricky to remember. To improve upon that there are several techniques that are put into play here. Wi-Fi: using information about the surrounding available Wi-Fi networks, such as collecting network names, associated MAC addresses, etc., a database can be accessed by the phone that helps establish location using what it sees versus what's in the database. Google's infamous Street View surveys have been collecting this data during street mapping for years now. Of course, this all depends upon the Wi-Fi radio being on. Cell site multilateration (this is kind of tricky to say), which is a fancy term for using data from available cell sites to approximate your location; obviously that depends on your cellular radio being on. There's also something called A-GPS; the A stands for assisted or augmented, mainly it stands for assisted in the stuff I've seen written up on it. It does require access to servers for A-GPS to work, and also, this is interesting, depending upon local tariffs in your country, data plan, etc., this does count against your data plan if you're not connected to a Wi-Fi network. For example, A-GPS has been known to be invoked even if the cellular radio has not been turned on, which is interesting in itself. Most modern phones will use a combination of all of the above: they'll use regular GPS, Wi-Fi, cell sites and even A-GPS, and use those to actually put together exact location data.

One more protocol to keep in mind is AML; this is Advanced Mobile Location. Conceptually it is roughly the same as A-GPS, but what this is for is when you dial emergency services. Instead of, like A-GPS, querying internet-based servers, it will turn on location services long enough to get GPS coordinates from whatever it can and then send them via an SMS message to emergency services. Now the standard is called AML, but if you see a reference to ELS, or Emergency Location Service, that's Google's name for it, so you may see that pop up with Android-related stuff, but it is the exact same thing. The thing is, just remember that any time there is a query to Wi-Fi or cellular there is potential logging and an increase to your overall digital footprint.

Apps on the phone, however, are absolutely the worst. As most protocols used by apps are web protocols, apps are basically glorified web browsers without the built-in features, plugins and extensions that one normally might use to protect a normal web browser. Now apps are typically written in a language referred to as "cut and paste", which is basically a lot of coding choices made by googling a particular problem or situation that a coder is encountering and then just using whatever's popular, whether that choice is recent or secure or not. And that pretty much sums it up right there; that is why apps have been such a disaster.
All right, for mitigation, something you should do: update your operating system and apply patches. Security holes get closed, but just as importantly, new features are often added that add granular control over some of the security settings and control over what the application can actually do while on your phone. Be sure to delete any unused apps, and turn off everything that you can that improves privacy; then basically you go back and only turn on what you need for those critical apps you just can't live without. If you're not using Wi-Fi or Bluetooth, turn them off; turn them on when you need to. If you're worried about background apps eating up your data plan while Wi-Fi is off, you can adjust those apps to make sure that they only try to talk to the internet when Wi-Fi is on and they don't go against your data plan. You simply just turn things on when needed. I would say also, with the GPS and NFC radios, I wouldn't worry as much even though they can't be turned off, because as long as you're not using an app that invokes their use you're not going to be activating the radios. For NFC, usually NFC apps themselves have some built-in extra security features, such as maybe a biometric or something like that before you can perform some action. There's also things like, I know with Android 10, they recently introduced Secure NFC, which means the NFC radio cannot be activated with the screen lock on, even though you may have the application active and open. So that's something that you may want to turn on just for a little bit of added safety.

Once you've figured out which apps you can't live without, you may want to take a slightly deeper dive into those particular apps that have made it onto your list, basically after you've done some tweaking on the privacy controls. I'll cover my testing setup first, then I'll go through the steps, and then I also want to talk about a few business-related apps that I've looked at.

For testing I have my GitLab-issued (because my employer is GitLab) Dell Precision 5530. I have it upgraded to run Ubuntu 20.04, mainly because of the drivers; the drivers work really well with pretty much everything that I plug into the laptop. It's wonderful. One of the things I plug in is an Anker USB-C hub, and this has a whole bunch of different things that you can connect up to it, but the thing that I'm using it for in this test environment is that it has Ethernet, because the Dell doesn't come with an Ethernet jack, so I mainly use it for this one gigabit Ethernet. In this situation I have three phones that I use for doing my testing. That includes an iPhone X, and a Nexus 5 that is only running Android 8, so that's considered old and is about ready for retirement at this point, and it's going to be replaced with the Motorola Moto G7, which is currently running 9. I need to get it upgraded, and once that's all upgraded to at least 10, then I'm going to be retiring the Nexus from the pile of phones that are considered active and it'll go into the deactivated pile.

Software that I have loaded on the Linux system: I have an assortment of adb-related tools so I can manipulate the Android phone. Because you can get apps in downloadable form for Android, and they are basically a big zip file in a specific format, I use a decompiler for that; the one I use right now is called jadx (I think I'm pronouncing that roughly correctly). I also use Wireshark heavily, and I also use mitmproxy, which is a really, really fun product to play with. I do have a detailed blog post that covers all of the technical steps for getting network sniffing going, so you can check that out for specifics, and I'll make sure that there is a link available for that so you can look that up and go through those steps.

Here are the rough steps I perform. Number one, set up the Linux sniffing station and connect the phone to a hotspot that I launch on the Linux system. I fire up Wireshark and get a baseline by sniffing off of the hotspot interface, and I just do that without the app; I just get a baseline so I kind of know what the OS is doing and get familiar with the traffic. Then I launch the app and use it to get an idea what the traffic looks like when the thing's in use, and in particular at that point I usually note all the DNS lookups that are occurring, because there will be some that are from the app that seemingly have nothing to do with the app, and those you want to explore and say, hey, why is it talking to this other website, and things like that. I do those steps with both iOS and Android.

Now, like I said, since you can download the APK file of the Android version and go through and decompile the thing, once I get it back into its Java source code state I can poke around and look at things. The things that I end up looking for, there's a list of those as well. I look for all the included packages that happen to be there. I want to know what version those particular packages are. Sometimes they'll include a version number; if you look through the source code it'll have a version number in there. However, for some of these packages you really can't tell. If the source code is available for those packages, conceivably (I've done this before) you look through the READMEs and the release notes and stuff like that for a particular package, and when feature X became available, and if let's say it became available in a version that came out in 2017, and you look for that code in the package in your decompiled version and it's not there, then that means that the version that you're looking at is at least 2017 or even older. So I go through and do that. While I'm in there I also am looking for stored secrets, including passwords, plain text or otherwise, any stored URLs or IP addresses, any pointers to any type of internet-based resources, included libraries; occasionally there's a full-blown executable that is included in there, and I typically go through and try to check that out. With the manifest, you can go through and look to see what kind of permissions are required for the application. You also will note that of course when you install it, it may ask for certain accesses and permissions and whatnot, but this will show you them in a written form. I'll look to see if there are any local accesses that go on, and the combination of looking at the source code, but also I'll poke around with adb and see particularly what's changed since I added this app on there. Fun things to look for: sometimes there'll be a small local database or something like that that is installed just for storing information. And then (I've done this on occasion; I don't do it all the time; I'm just getting the right tools that I want to use for this) run static analysis tools against the source code. Mainly at this point with these steps I'm looking for low-hanging fruit, so I just get an idea of how well the thing is put together.

Now this sets me up for the next phase of testing of the app, where I fire up mitmproxy and I use the app going through my sniffing station, and I can now look at decrypted data, assuming that I can get mitmproxy to work. Then I examine that data to see if there's any excessive information that's being uploaded or downloaded or whatever, and just take a look to see how it's handling data. Once I've done that, I've got a pretty good idea where I stand. At that point I may decide on some potential attack scenarios and stuff like that that I might launch against these apps, and then I'll go ahead and see if I can actually perform those. But this at least gives me a fairly decent baseline to start with, as far as, okay, I have a rough idea of how good the app is, at least from a security perspective.

As I mentioned, I work at GitLab as a security researcher, and one of the things I look at are mobile apps that access critical data. I'm going to go through a few of those, talk about basically how I applied some of the steps that we just went through, and then I'll give you the results for a few of the apps that I've looked at. The first one up is going to be Zoom.
Okay, we're taking a look at the Zoom application. The version I looked at was 5.2; this was after 4.whatever. At the beginning of the pandemic everyone was freaking out; there was a lot of research being done, and most of the research that I did was just confirming other people's research. I knew that 5 was coming out, and so I waited for 5 and then gave it a good look and checked out the data stream. I made sure that they're using decent encryption, I made sure that the certificate pinning was being done correctly, and it was done exceptionally. There were some packages that they were using that were a little outdated, and some of these outdated ones had security issues associated with them. All of this was reported to them, and they have taken care of those problems. The main problem that I did find was as far as local storage of the end-to-end encryption keys and client-side PEM that was inside a SQLite database. I also reported that to Zoom and said, hey, this is just being protected by local permissions on whatever device, and this is for all clients, not just for the phone app but also for the app on Linux as well as on the Mac. So the attack scenario would be that someone would intercept the encrypted Zoom call, and if they could additionally get into a client and get into the directories and whatnot where this data was being stored, then they could actually use that to decrypt the data. So it was kind of an unlikely scenario, and the fact is that at GitLab there are a few meetings that we don't record, but for the most part we record all meetings, and since everything's being recorded that means that the end-to-end encryption is essentially defeated. But all that was reported to them. They are going through, and they're going to actually, in the future (I don't think they've done it yet), store those keys on secure hardware, on chips on computers and on mobile devices, so they won't be storing it in an insecure way in the future. So that didn't work out well; for us we deem that to be an acceptable thing, and that's why we're still using Zoom and we'll continue to use it for the near future.

Okay, we're going to be taking a look at the Expensify phone app, and the particular version we looked at at the time was 8.5.10.12; that's just several months ago. Good encryption. Their CSP policy was a little sparse. There were some problems with some of the packages. The main ones that we had problems with: there was this one for a package called Urban Airship, one of these app measurement kinds of things, so it gathers information on app usage, and it did gather a couple of questionable things while it was in there doing that. The worst one, though, was from Branch.io. Anyway, Branch, they are a deep link analysis company, which basically means they gather information from a whole variety of sources and then put this data together to identify unique individuals so that they can actually do fairly sophisticated ad tracking and shoving ads at people. I don't know why it was included with Expensify, and by looking at the encrypted data, by decrypting it and getting in there with mitmproxy, you could see that the setting for "ad tracking enabled" had been marked to true. Again, this is one of these things where if you had a regular browser it wouldn't have been so much of a problem, but since it's an application there's no browser protection in there. So that was probably the worst bit of it that was found; everything else was okay. They were able to go through, they did fix it reasonably quickly, and we're continuing to use Expensify to this day and everything is working fine.

We're looking at BambooHR, the app for the phone, and this was tested several months ago. The version that I looked at was 3.1.2. With it, a decent use of encryption. There were a couple of odd things in the CSP: inline dynamic JavaScript was allowed. The Firebase logging was uploading a lot; Firebase is one of these statistic-gathering apps, and there was a lot of stuff that was being uploaded from that. There were a few packages on there that were pretty old, and the code itself was pretty rough. I was able to successfully perform a man-in-the-middle attack against the application. There were a lot of problems with it, simply because there were so many things out of date and the fact that it was gathering so much data and whatnot. Because we were having a terrible time reporting anything to BambooHR, we decided to go ahead and just make it a policy within GitLab that we would stop using BambooHR on the phone. In the web browser it seemed fine; it's just using their app that was less than desirable. So we made the decision to say, okay, we're just not going to use that at all until they at least get it up to date.

Okay, the last one we're looking at here is Slack, and I looked at version 20.04.20.0. They used good encryption. This was a first for any app I've looked at ever, and that was that the libraries were all up to date or only one version out, and there were no packages with security issues whatsoever. That was wonderful, that they were that much up to date. There was a lot of personal data that was being stored in local database files, and that included various configuration settings; there were some things from private channels and everything. It wasn't great, but it was okay; I could live with it. And it handled all kinds of attacks thrown at it; I didn't find anything really wrong with it. It's just like, well, this looks pretty good. So there was nothing to report to the company, nothing to speak of, so we went ahead and just said a big thumbs up for Slack, which made us feel really good. As a remote-only company we live in Zoom and in Slack when it comes to being online, so this was very good.

Opsec: this is probably the most entertaining part of the talk, at least for me. Basically, what this boils down to has to do with behavior, what you're doing with your phone, remembering that wherever you go with that phone, whenever it has power, you're potentially leaving a footprint somewhere, a digital footprint that shows where you were at a particular time and what you were looking at. That's rather unnerving. So to help reduce that digital footprint, if you've gone through the mitigation steps and you're saying, well, there are still some more things I wish I could do, well, there are, and we're going to cover those real quick. The first one is, well, you could just leave your phone at home and only use it at one particular place and never carry it with you. That's rather impractical; the whole idea behind a mobile phone is the mobile part, you can take it anywhere, so a lot of people don't do that. You could get a second phone just for travel, or just for travel into risky areas, if you wanted to. I may do a video in the future about that whole idea of having that second phone, what we would probably refer to as a hacker burner phone; I'll probably get to that at some point. There is one other thing you can do, and that is where you can actually keep your phone with you but selectively allow it to leave that digital footprint, where you could actually turn it off without having to take your phone apart and pull out the battery. That one is kind of interesting because it involves a technology known as Faraday bags, and not only do I have some examples of Faraday bags, I've actually gone through the trouble to put them to the test, and I put them to the test out in the real world. So let's take a quick look.
Right now I'm looking for a spot to do some testing of Faraday bags. Faraday bags come in different shapes and sizes. I've just got some sample ones here; I mean, they make some that are big enough to put laptops in and whatnot. I don't need that; I need something fairly simple, just to hold the cell phone. I've got three different versions. This one's from a company called Onver (on-ever? one-ver? I don't know, I'm assuming it's on-ever, I have no idea), but anyway this is kind of a cheap one. Then a kind of mid-range-price one is this guy; this is from Mission Darkness, and this has got a bunch of extra features on it. And then I have this one; this is from Silent Pocket, and this is the most expensive one, and we're going to see whether it makes any difference whether you spend the extra money or not. On the inside they look exactly the same; they have the same type of material and whatnot. I believe at least two of them, I think the Silent Pocket and the Mission Darkness ones, have a lining inside them that's supposed to be MIL-STD-188-125, and Mission Darkness in particular uses that as a selling point, saying "we meet government standards". Well, that's one standard, and that's for high-altitude EMP attacks, that your electronics will be safe from that. I'm not concerned about that; I'm concerned about whether it actually blocks phone signals and whatnot. I did some rudimentary testing early on when I first got the bags, and they seemed to work okay, but what I'm going to do now is an actual fairly thorough test of them to make sure they actually work.

All right, first up is the Onver Faraday bag. I'll put my phone in here and give it a call. Now this is underneath the big towers. It's ringing; see, I can feel a buzzing in here, so it did not block. That's disappointing. Next, try the Mission Darkness Faraday bag. It has all kinds of extra goodies and features but essentially looks the same on the inside. Put that in here and... okay, this one is actually blocking; it's not buzzing in here, I can't feel it buzzing, so this one works okay. The last one is the Silent Pocket, and we will... oh, this is a lot tighter. All right, fire away. "Hey, it's me, go ahead and leave a message, thanks." All right, that went straight to voicemail, very good. All right, so that worked, so we know the cheap one is the one that did not perform very well.

Okay, let's go ahead; it's in the Onver. Let's go ahead and try it out here with two bars. All right, it's not buzzing. The Mission Darkness one: it's not buzzing, so that's good. Silent Pocket Faraday bag: nothing, not buzzing at all. Three good responses when we're away from a tower. The one that seems to do the worst, though, is the Onver, which does not block when you're right under a tower, and that's not surprising considering this is the actual cheapest one. So there we go.

One other interesting thing for opsec that I wanted to talk about, and that is: understand how insidious the devices are out there that can record you. Okay, you have such things as Bluetooth beacons that can be in brick-and-mortar locations. These Bluetooth beacons can not only do things such as pop up ads on your phone if you have Bluetooth on, but if you had the phone in your pocket and had Bluetooth active on it at the same time, the beacon can pick that up and then phone home with it. And if you're one of those deep link analysis firms that's using this data and gathering it and coupling it with other data, all of a sudden you're at the mall, you walk into a luggage store, you walk back out, you didn't even get your phone out the entire time, you leave the mall, you come home, and next thing you know you're getting ads on your computer for luggage from that luggage store. Another one is cell phone towers. Now this one's really weird. It is not unusual, I mean you've seen them up on the top of other structures; I've seen them on water towers, I've seen them on the sides of buildings designed to look like a part of the architecture, but I've also seen them where they've been actually inserted into church steeples, and not too far from my home there is actually a giant tree that's not a tree. It looks like a tree, sort of; you look at it closely and it's the only thing around that's even remotely close to that, but it's a cell tower. Now when you look at how small the 5G towers are, right now they're barely noticeable because it's just like a telephone pole without any wires attached to it. They have to have a whole lot more of them in a smaller space because of the fact that they don't have near as strong of a signal, because the frequency is much tighter.

I wanted to thank B-Sides DFW for having me talk to you all. This has been a lot of fun. Hopefully you really enjoyed this kind of talk where it's not just me and slides, it's actually a little bit more visually interesting, hopefully. Anyway, thank you very much.
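As an added example (not from the talk, the speaker or GitLab), here is a small Python tool for the DNS-baseline step of the app-testing procedure described above: it diffs the DNS query names seen during an idle baseline capture against those seen while the app is in use, and groups the new names by registrable domain so the analyst can separate the vendor's own hosts from the third-party ones worth asking "why is it talking to this?" about. It assumes the queries were exported from the hotspot capture with tshark as tab-separated time, source IP and query name; the hostnames and the first-party domain list are constructed placeholders.

```python
"""Diff the DNS lookups seen while an app is in use against an idle baseline.

Assumed input: one DNS query per line, tab separated, as exported from the
hotspot capture with (an assumption, not a command from the talk):
    tshark -r app.pcapng -Y "dns.flags.response == 0" \
           -T fields -e frame.time_relative -e ip.src -e dns.qry.name
All sample data below is constructed; the hostnames are placeholders.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    t: float     # seconds since capture start
    src: str     # querying client (the phone on the hotspot)
    name: str    # queried hostname, normalised


def parse_tshark_lines(text: str) -> list[DnsQuery]:
    """Parse the tab-separated export; blank or malformed lines are skipped."""
    queries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        t, src, name = parts
        name = name.strip().rstrip(".").lower()   # drop trailing dot, case-fold
        if not name:
            continue
        queries.append(DnsQuery(float(t), src.strip(), name))
    return queries


def registrable_domain(name: str) -> str:
    """Group by the last two labels. Naive (no public-suffix list) but fine for triage."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def new_lookups(baseline: list[DnsQuery], app_run: list[DnsQuery]) -> Counter:
    """Hostnames queried while the app was in use that never appeared in the idle
    baseline, with how many times each was queried."""
    seen_idle = {q.name for q in baseline}
    return Counter(q.name for q in app_run if q.name not in seen_idle)


def triage(baseline, app_run, first_party: set[str]):
    """Split the new lookups into vendor hosts and third-party hosts.

    first_party: registrable domains the analyst attributes to the app vendor
    (an input the analyst supplies; nothing here infers it)."""
    by_domain: dict[str, Counter] = {}
    for name, count in new_lookups(baseline, app_run).items():
        by_domain.setdefault(registrable_domain(name), Counter())[name] += count
    vendor = {d: c for d, c in by_domain.items() if d in first_party}
    third = {d: c for d, c in by_domain.items() if d not in first_party}
    return vendor, third


def report(vendor, third) -> str:
    """Human-readable summary; the third-party domains are the ones to investigate."""
    lines = ["New lookups attributed to the vendor:"]
    for dom, hosts in sorted(vendor.items()):
        lines.append(f"  {dom}: " + ", ".join(f"{h} x{n}" for h, n in sorted(hosts.items())))
    lines.append("New lookups to third parties (investigate):")
    for dom, hosts in sorted(third.items()):
        lines.append(f"  {dom}: " + ", ".join(f"{h} x{n}" for h, n in sorted(hosts.items())))
    return "\n".join(lines)


# Constructed sample exports: the phone (10.42.0.23) idle on the hotspot, then using the app.
BASELINE_EXPORT = "\n".join([
    "0.512\t10.42.0.23\ttime.android.com",
    "1.204\t10.42.0.23\tconnectivitycheck.gstatic.com",
    "3.877\t10.42.0.23\tplay.googleapis.com",
    "9.031\t10.42.0.23\tplay.googleapis.com.",          # trailing dot, normalised away
])
APP_RUN_EXPORT = "\n".join([
    "12.004\t10.42.0.23\tplay.googleapis.com",         # already in baseline: OS noise
    "12.310\t10.42.0.23\tapi.exampleexpense.test",      # placeholder vendor API host
    "12.315\t10.42.0.23\tcdn.exampleexpense.test",
    "12.900\t10.42.0.23\tsdk.analytics-vendor.test",    # placeholder analytics SDK
    "13.120\t10.42.0.23\tapi2.deeplink-tracker.test",   # placeholder deep-link tracker
    "15.700\t10.42.0.23\tapi.exampleexpense.test",
    "16.010\t10.42.0.23\tcfg.analytics-vendor.test",
])
FIRST_PARTY = {"exampleexpense.test"}   # analyst's assumption about the vendor's domains


def run_sample():
    """Run the triage over the constructed captures; returns (vendor, third)."""
    idle = parse_tshark_lines(BASELINE_EXPORT)
    busy = parse_tshark_lines(APP_RUN_EXPORT)
    return triage(idle, busy, FIRST_PARTY)


if __name__ == "__main__":
    print(report(*run_sample()))
```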