
I'm a consultant in the New York office, focus on mobile security. Just a quick agenda: go through why I did this research, some of the tools I used to actually do the testing, the results, and then hopefully we've got five minutes for some questions.

The motivation: it was around Christmas time, on Black Friday, Bluebox, a little security company on the West Coast, basically bought a bunch of cheap tablets from Walmart, Best Buy, Target. They used their own app, Trustable, to test the security of them. So you see here, it's kind of small, the prices range from about thirty-five dollars to one hundred dollars and they assigned a score for each device. One of them actually got "suspicious", which I thought was kind of interesting, and I wanted to look into this, but not tablets, phones, because there are, you know, a lot of phones that people do buy out there. I'm sure people in the room have aunts and uncles with a $40 phone from Amazon. I compared the security of these phones to flagship devices like LGs, HTCs, et cetera, and I wanted to test them with tools that I created to do this.

The first thing I did is I just typed in "Android 4.4"; you can see there's fourteen thousand five out those things for both of them, just having a phone. The first two listed there again don't have brands, it just says come five-minute a motor fuel soon, all bands, etc. There's at least 2000 people that bought that phone, and what I ended up doing is I bought five different Chinese brands of phones. Does anyone play with any of these brands? No? Yeah, so I bought five phones and a boxy mobile safeguarding that goes up; they're all locked phones, they work, and I also had an LG G4 for the baseline. So that kind of makes
sense; we're not talking too much about that. So the tools that I used for doing the testing: I created my own tool, beginning about two years ago, I call it the Device Testing Framework. It's available on GitHub and it's for me to do this work across both. Obviously this talk is really going to be an intro to Android security, so that should be OK, but those are some great tools if you're actually going to do good reversing: drozer, written by MWR Labs, a UK based company, that was useful for interacting with other apps, and it's also an exploitation framework, so it's good to have that in your tool set. And the last two are automated scanners. The first one, it just looks for various versions on the device to tell you the kernel version and so on, and the last one is Trustable, which is the app that Bluebox used during their research. So in addition to doing some of the manual stuff I did, I wanted to use these automated scanners just to have a baseline comparison with the research out there.

So the tool that I've created, I'm calling it a framework for device exploration. I thought that sounded sexy. Well, it's not: it's not a vulnerability scanner, it's not an exploitation framework. I kind of think of it this way: if anyone's done sort of network testing, you go out and run a scan and it tells you the operating system, maybe some open ports, and then as a tester you look for things with that. You check the version and see if it's vulnerable, you check for anonymous read or write. The tools that I created kind of do the same thing. It's not going to take a building, it's going to say hey, this is open, this is exactly that, and you can actually begin to dig in. You'd be surprised how much you can find. So if you were to
get it right now there's 34 modules that I've added that do various things. A lot of them focus on these four sections: understanding the applications on the phone, understanding the frameworks, the system services, any binaries, shared libraries, and also any Linux devices. That's kind of a software stack perspective, from the highest level moving down, those are the areas that I focus on when I'm testing a device. They aren't all over the place. When I created them the question that I really wanted to answer was: what did the OEM add, and is it vulnerable? Because they have to start out by using the Android Open Source Project, and then all these companies pile onto this and end up with this big bloated operating system that looks not much like the original. So I want to understand what's changed, and is the added stuff not as good, not secure?

So the testing process, how I actually did the testing. This was boring: I just, you know, installed the two apps, ran the Trustable scan, this one comes to screech other versions there. Then getting into more manual testing. I actually just pushed this release an hour ago, so if you're going to use the tool as I have, you have to do a lot of pre-processing, and it's not really a fun way to do it, but what you're doing is using all those modules to get all the full content off the device and then process it all into a database, querying, indexing, stuff like that. Those are the things you have to run if you want to get to that point, and I have an hour-long process that does all this. It's not exciting, but what I can talk about is actually doing the testing, what you can look for.

So as far as applications on devices: usually there are hundreds of them, even on these small Chinese phones. So if you've
ever done any Android development or Android pen testing, there's this concept of components, which is what makes up Android applications. You've got activities, which are your visual components; services, which are things that run in the background; receivers, which are listening for system events like an incoming text message; and content providers, which are your data source, and you can share them between applications. That's why, for example, you can say hey, I have a text message database, I want to write a text messaging app that uses that data. You can do that, but then information on things that are shared that shouldn't be, or are shared with the wrong permissions, so I always look at that. A second one is permission issues, which are huge: we have hundreds of apps, there are going to be tons that just have incorrect permissions, missing permissions, etc. Finally, privileged applications is a huge attack vector for somebody who wants to write malware, who wants to root your phone. These are the apps here to look at that are running under privileged IDs, which is system.

So two examples here. If you wanted to see what components are exposed in an application, you use the exposure module, and what this is going to do is it's going to look for export issues. So if we have something that's exported that shouldn't be, it's going to print out for these. It's going to say hey, the application runs as system, which is a privileged process. There's a new database that was not part of Android that's been added by the OEM, called the slowly notify convert work. It has no read or write permissions, so what's in there? So if you want to look into it you could use the ADB shell, content query, and what this actually is, it's the layout of the home screen. So these are actual activities, and so you can actually fully manipulate the home screen of all five of these phones just by editing this database. So you can think of it: if you get an app on a phone and the user's using Bank of America, I can have my fake Bank of America replace it, and there are many possible potentials: they actually type in their credentials, and you don't want that. So this is a problem and it should have read/write permissions.

So I just mentioned that that didn't really have read/write permissions, but this is the actual definition for that provider, and it's a little hard to read but there are read and write permissions here. So how come I said there weren't? It turns out that just because you say a permission is required to access something, it doesn't mean that it has to actually exist. So you can use the permissions module to list out permissions, and here I am just listing, I'm looking for that permission and it doesn't exist, no one has defined it. So what you do is just happen to say hey, I'm an app, the permission I want is read settings, and I'm going to grant myself access to it, and now there's nothing that can stop me from actually interacting with that content. So it's essentially not having permissions.

Some other cool things you can do with the permissions module: you can also look at what components are secured by a permission. So in the last example, the read settings one, I want to find out every sort of component that I can interact with that's secured by that permission. I can look it up here; it turns out that I was the only one, but here's just an example, revision3 Decimus, so it's really the text messages, and no surprise those are all databases. There are five, four of which are all added by the OEM. So the first three I just don't think those are great databases; there's four more that need description, so I'm not really sure what's going on there.

And the final thing that's cool to do is you can look at which apps are saying that they want access to a permission. So in this example I'm looking at all apps that want to have the mount file system permission, so it's a system-level permission that's usually used for things like over-the-air updates. But how about this one: the FM radio app wants to read my file system. I don't know, I don't think that should be available for that. Well, the file manager, OK, I'm straightening feedback that on.

Shared IDs: so those four IDs there, system, radio, phone, media, are all for those processes that run under different contexts. If you have a system-level app, it's essentially root without actually being root. At that point you already have access to the entire different sandbox, you can do anything except basically root the phone; it turns out the hard part, you can do everything else. So this should be listing all the apps that are running as system. So the top ten are ones that are part of Android, part of Google's code, and the bottom ones are the ones that the OEM added. So those are the ones you want to focus on, take these and use that to get to system level. So look at the attack surface of these, because these ones are kind of all vulnerability, it's going to be something big.

Moving on to frameworks, the second area. Two big things here: code that is clearly running
in system context. So system services: everything in Android is backed by a system service; for example, if you want to get the phone number, you're using an API that essentially calls back to a system service, and there's tons of vulnerabilities in system services just by nature that there's not as good permission checks available for developers for system services. The second one is modifications to the platform.xml file, which I'll talk about in a few slides, but just know these are the APIs and things you can actually develop against.

So with the framework DB module you can list all the frameworks that are part of a device. So the only loop classpath ones, those are ones that are available to develop against; you can actually use those methods. You see the Google one, the Maps API, that's obviously part of the phone but not part of the original Android. The other ones, you know, OEM custom drop interface: you can look in that framework and see what the APIs built are and it might do something that you don't want.

Now system services: the system service DB module lets you list all your added system services. So here's a list of about one of these added system services; these are new things that you can actually interact with. Potentially there might be permissions, but I want to have that. I think this one's funny: the ferry service, and if you look at the Java class path it's really doc when every time every number, but that's not a very quick service, that's something that the OEM has added and they just call it an emergency. I wouldn't think it's suspicious; if anything it would be commenting. So I thought it was funny that there was that service on all these phones.

Moving on, if you find another system service, for example the search engine one was in the last slide, you can then use the system service DB module to show the actual API. So the search engine system service has five APIs to call: get default search engine, set default search engine, get the hash, etc. You can go ahead and use calls, you can use the built-in service tool for calling them, or you can write a Java method and interact that way, but you can see here I'm calling get default search engine and it's printing be Willa. But as I mentioned there is a set default search engine here which also has no permission, which means that I can rewrite this to be mywebsite.com, and then when the user searches for something it's going to go through my website and I'm going to see what they're doing; I can just proxy that.

The last thing with services: you can also look at what changes have been made to existing services. So the power service is useful for controlling the screen, rebooting the device, etc. These are all APIs they added to the power service, and we'll circle back around, but you can look at all of them. It is excessive: there's going to be most like 600 system services and between ten and a hundred eighty APIs for each of them, and knowing what they did is hard.

I mentioned the platform.xml; really quickly, it's a really low-level file that maps Linux groups to permissions. This is how the Internet permission works on Android: you ask for the internet permission, it's going to add you to the inet group, which is a group that's allowed to create sockets in the kernel. So if you are in a group you get these permissions that are listed here. So you can change this however you want; I'm going to leave this as your next step, but there's some interesting things to look at here in terms of the OEM added mappings, in terms of permissions and which groups you
get added to. Like I said, on the back of that you want to look at system libraries, which are sort of shared object files that potentially have a JNI interface, the Java Native Interface. There are too many interfaces there, but these are methods, these are libraries that potentially get called from Java, and in the right circumstances, like opening a socket or calling an ioctl, go down into the kernel. Whenever I see an ioctl I assume it's doing some sort of kernel connection, and it was a child on your piece. So that's something that I wanted; in this one here, com.mediatek engineer mode, and this is very soon as the events here. This doesn't help me find out where this actually existed in an application, but I can use a different module to actually find it: search all applications on this phone, tell me where this native library is, and it's like boom, here it is, com.mediatek engineering. It takes a couple seconds because it's all processing the index, and then we can look into that app and understand how these methods are being used.

And the last thing is system devices. So the same with device drivers: these are ways for you to do low-level things, and you could potentially have exposed device drivers by having an owner or other groups. So unless you have an owner, group, other, you can have a little black thing there, and you just look at that one: the owner is system and the group is system. That means any of the hesitancy like driver, and there's a lot of phones that actually are pretty bad because of that. This one is starting to go away because SEAndroid is really pushing for you to have a good policy on devices, because they know what a big deal this is. So in newer phones like Lollipop, looking forward, a lot of devices are not accessible to the shell user or as a regular app. So it's a bummer, but we will review that.

So all right, now getting on to the more exciting part, the results.
Basically this is just general information on the phones; the LG G4 is the baseline. All five phones have the same kernel version and the same API level. So those are the five of them. When I purchased the phones and plugged them in, they were already pre-configured for me, so you don't really buy a phone and it says hey, I'm going to set up your accounts and stuff; these were already set up, it's the home screen, ready to go. OK, it's a little strange. Four out of five of them had USB debugging turned on, so once I plugged it in it started to install drivers; I should have had to enable developer options, enable USB debugging, but it was already done. The last column is test keys, so the test keys being the platform key, the one that's signed by Google's public key available on the Android Open Source Project; anybody who wants can get that public/private key and actually sign their own application and now you have a system app. So the phone is already rooted; if there's any malicious apps out there they're signed with those private keys.

So in terms of content on the device, I can go over all these; these are just the areas I've touched on and some numbers to go with it, but one thing I want to point out here is look at the LG compared to all the Chinese phones: the LG has twice as many applications, frameworks, providers, and it's 1.6 times for system services. So there's only about twenty added from, you know, the emulator to these, but there's 70 added more than the emulator, so there's 70 LG system services, so a lot more than the LG.

In terms of recap, there's no surprise here, they're all basically pieces of junk, right? These are all external vulnerabilities; there's 83 across all of them, one was wonderfully elevated and I can picture that was a false positive. So if you didn't have enough reason to steal rubies, now you have a lot more CVEs. I mentioned the Bluebox Trustable scores: one of mine got suspicious, the other four got seven trust Bowl, and the LG got trustable. So look at that; that was just some of the highlights, and again that was good. The LG had a large number of CAs, which means it trusts a lot of things like government agencies and, you know, stuff like that, and not any different from the Chinese phones, but it's a lower number. Four or five of them had known vulnerabilities; this is in addition to the kernel ones, this is like the Android master key, Towelroot, all those fun things. So fortified, you can also read that two of five had unrecognized keyboards, where these are not your normal keyboards, it's somebody else's keyboard. That's kind of scary because the keyboard can capture keystrokes. So I invite you to look into that, to see if they had any sort of logging in the keyboard. And again, even though the LG also fell victim to this, there's a large amount of apps that have system-level permissions on these ones. There was probably 10-12 on the LG, there's like three system
apps, random things on there. The most fun thing is the results of the manual testing I did, so actually going through, looking at the device using my tools and testing that way. There were so many more that I didn't fit in, that I'm trying to talk about, but I'm limited on time here. I picked the ones that I thought were the best and we're going to go through these.

The first one I found was access to the device drivers for a demo gala, and I kind of looked up what that was. It looks like it's meant to serve an image when you read from it, so if you read from it for like two minutes or something it returns like the innovation image. There's like no bounds checks on this and it's world readable, so what it does, if you read from this, it just starts walking the flash, starting up for you. When I tested it I got to like several gigs of data, just as the shell user. So in the example I just create a file on the SD card and then I run strings on it, and there's my data. So you can see, you can find any content from the device in this dump here, and you can just run this in the background.

The second one: system-level access using the permission model. So I want to state a surprise now, but there's no amount of minutes: if you have the access MTA and then HW permissions, you've automatically been added to the system group, and the tools, nicely, tell you that that's only a normal-level permission. So you have to fish through the varying levels: you have normal, which is basically no alert to the user; it gets to dangerous, which goes, hey, you know, it's going to read your SMS; and then you have signature/system, which only third-party apps can't use. But normal is basically nothing, it's like yeah, anyone can add it, that's fine. So just by saying I want this permission, you're automatically system. So I just wrote it up, and the exploit is: I just write, I need my system here, I've got you, and that's all. I'm a bit like, is it a joke? Because I've never seen anything that bad, it was so shocking. But if that wasn't enough, system access again, I'm using a different one; this one I think is for students. So this is a system-level application. I basically pop out this little app and then I ran that exposure module and it shows an exposed component. So here's one, it's a broadcast receiver, so it's listening for commands; it's literally a run command receiver and it gets an argument called cmd. So my little command is run as system.

So again these are huge issues. Like, why would you need something like this? So I mean it looks like it's mostly for over-the-air updates, that's how I get a dinner, but I'm not crazy. I'm not getting all five phones screen captured on video. The do Depot, there's a method added to a system service, this is an Android system service, the status bar, which is obviously the status bar on top. They have a method called thct screenshot and there's no permission checks on this, and if you call it, it takes a screenshot, or you can call it repeatedly and you just keep recording the screen. Only one phone. Hold on, this one was kind of fun, not really security, but the duty phone has this app lock feature, so you set up a password and access the internet. So I just enabled it for the browser, I launch the browser and it asks me for a password, and if you actually interact with the app, the one I haven't wanted to, we call the app lock complete receiver that's called right away, and there's a NullPointerException there that causes the app to crash, and then the browser is ready for us to go. So the overlay dies. And the last one I have on here was a denial of service: another system service, the power service I showed earlier; there's a method to set the screen off, and that also doesn't have any permission. So we call this, it turns back off, turns the display off; there's nothing you can do except call it again or pull the battery. The buttons no longer respond, you can't use the screen, the phone just looks like it's off, and yeah, that's all five phones.

So if you just want to recap all these things over here: you get all these things as an app, literally request one permission and it's that system permission, that's all you need, you can do all these things. And that to me, really, that's really scary. What I'm not sure about is whether it's an Android bug or changes in the OEM code, just changing. So everything I talked about here is just either something added or changed by the OEMs.
What you're still working with in the original Android, it still is fine, so it's like if you took the AOSP and they add content to it, it's the stuff that they added that was vulnerable.

So you've got a custom wedding sister, yeah, did you like that, feel good on the hexans reviews on all these? Right, so it's interesting because the power service, for example, is a privileged service; you need to have permission to call it. The way that system services work is that when you call an API of it you have the manual check: hey, who's calling me, do they have permission, or something like that. So maybe twenty or thirty methods of the power service have permission checks, well, these ones don't, because these ones are just added by the OEM; they don't really do security, they just have these here, and that also gets into that revolutionary. So I mean it should be, it should make it easier, well, my OEMs, which is why I try to find these and report them, but I mean you just have to know these things. If you're building a phone I hope you know the platform security problems, so you should know that you can't just change this file in this house by eight o'clock. This is a huge warning in the platform, like do not under any circumstances, do not, and you see this like, I mean it is an issue with, I guess, whoever's using Android, but it's not like older building that reports another to Google. People love these computer with WordPress screams, oh yeah, right, right, we have something that they've done that's speaking insecure, OK, it's unfortunate.

Over the course, if you explain like all these things have been introduced, in my mind it calls, so like, OK, what's the intent, like is there actually intent, like is this done because of a lack of knowledge, or are they actually saying we're going to make people pay for us to explain them? So I mean I'm going to leave it, I'm hoping that these are just them not doing security, but these are cheap phones from China, you notice a people I felt a lot positive on it, basically yeah, make you pay for it and then make inquiries. I mean there's a lot of things you can do, amazing, I'm going to try there for these, but I mean who knows. Without that, I need to know who to report to, something I'm going to talk about in another slide, but I mean yeah, I don't know if these are there on purpose or if they're there for other reasons, or at least come on and doing them, some of them are so obvious.

Yes sir, it looks like across identify their device, is there a lot about these same abilities, are strong guys whatever, interviews do it like, are they sure before? I said oh, I just had this here, my last question. Friends, I would not recommend anybody use these phones regardless of how cheap they are, they're really bad. And just some takeaways here: there's huge holes across all of them, system-level access, multiple vectors, we have no security controls in application space, a vulnerable operating system, multiple CVEs out there.

Maybe this question over here: no, the only as much content added by other phones, it's all added by MediaTek. So I'm a little bit of a native chip, so I'm a huge coyote teaching any better, and they have all their code, so they had like mostly the Android code, but it's definitely some project that MediaTek's done, and I think these phone companies, they just forget about that. It's like it currently wonderful because of issues in MediaTek code. A lot of these puzzles, do you need to have like an excellence? They're operating out of one eBay store, it like I was gonna leap out our team wallet, it's crazy, Chinese even our stores, so like they buy ice and we're going to make big moments, and they just copy the exact compile that they're done, like they don't do anything else. So yeah, I was a little disappointed. I was expecting, I got these phones, they'd be kind of different to eat and how all those different things, but that's all testing, oh my god. But I'm gonna build you, OK, it's on, OK, just one bite, just this one, I believe there was only a few, one device, homie I'm on them that lock babies alone, but yeah, it's just the way that all right said this, but like I just wonder if these are intentional. I'm assuming the device ones, lobby of the state, but they're there, right, and operator money started submitting pull requests. See, even enough, accept them, if people have honorable intentions, it might have, exactly, yeah, that's, I was time they don't saying I'm not sure if I should submit these bugs, can be is that poor the mitten belts and all sorts of tax to the when you need your testing show day to be child uninitiated.

So one thing I did look for, I didn't look like that when I would for, was usage of these endpoints. So for example that one permission that grants you system access, I looked to see if any app is actually requesting access to that, because then maybe that could mean someone was using this. There wasn't any app, shutting the phones are working today, and I couldn't find any evidence of any app using that run command receiver or requesting that permission. However, who knows, there could be obfuscation in there, encryption; I'm trying to run strings across source files, millions of files probably, at that point there's no way I can find out without my party to run time. You see their cooking group is ready, miss termination finding, they're actually politic, like we're just letting quick overview, ready to see anyone actually been using these things, but that does mean that, you know, if I'm charging like apples on that, they might not even forgive that person. But that's something else that's definitely workable, news started, you know, approximate rap about these folks, just see how many apps are actually directly, it's probably anything I see clear tech stuff, that's something that I have a nominee to do; it just wasn't part of the vision test, I wasn't looking to morkul Mallory data, then I have a problem, and that's how I got cells rated, there's a few months.

Really, you guys have any questions, or Palestinian issue the harbor? I wouldn't even, I don't know anything about that stuff that would be able to make decisions, though probably not, I don't know, I wouldn't trust any of these. If it rejects big, like if you actually put that up, they make a lot of processors, and they're actually even in some HTC phones, a MediaTek processor; they're a very big company, leave us, yeah, so any of these revenue just exclude them. Would you actually use one of these offensively later? Right, keep engaging, and you've got the onion, having to know nothing to do it now, it's absolutely killer, yeah, you could do a lot of really cool stuff with an app that looks like it does nothing; it could be a flashlight app. I think it's just talked on, I have pictures, talked to anyone except you guys. So the first one here, I'm trying to report these; I have no idea how far to get, I haven't even found an email address to send to, comment on the retailer. Are you satisfied, better than say to do that? Yeah, I guess you do that, that's it, yeah.

But for one thing that would be interesting to know would be if you learn to the MediaTek open source and if you kind of took it out in the most easiest, very important fashion possible, would you get these results? I can definitely compare each other, I would say yes, I would, I would, you know, yeah.

Oh yeah, you see, do you feel, yeah, it's another thing, did it work, MediaTek can have, if you never do it you can see that it just costs that much more money to fix these issues. When a that poor guy, yeah, yeah, very, yeah, that'd be that one's mission is there, that's almost every MediaTek cyclone, so there actually are quite a bit. MediaTek, hope you put all these five brands and then the hundreds of other million brands, and really don't want to eat like that, I think like everyone's anything else, MediaTek processors, so they might also be moment because of this, soggy night. I haven't done any testing outside of these five phones, but it could be very widespread that every phone from China, it's not a system that was good at one issue, but I still don't trust. Any other questions? All right, I'll be around, from all played several questions or requests, talk when I come through the first part, but I think you're still pretty good. Again here's the mics if you want to get, only my blog, only posting my time tomorrow, so busy, but nah, I did you screw you my fight website, I said we shouldn't couple hours ago, so if there's any bugs I'm sorry for that, but there is a lot of that rotation had, or the schools there, because everyone said wow, this is really cool, I like using, well, like forty minutes, and then run this one, but yeah, not going to use it then. So I'm going to make some documentation so people actually want to use it, and people usually composite better. Yes, that's all I got, thanks.