
Mobile App Corporate Espionage

BSidesSF · 2016 · 26:43 · 38 views · Published 2016-04
Category: Technical
Style: Talk
About this talk
Corporate espionage is at an all-time high and, in terms of data risk threats, is second only to financially motivated data breaches according to the Verizon Data Breach Investigations Report. Whether your team is designing in-house mobile apps or leveraging third parties for mobile apps, the apps may contain risky behaviors. These behaviors can stem from malicious third-party SDKs or code injected by the developer that can allow sensitive corporate secrets and documents to be leaked through out-of-band communications. This session will explore real-world examples of corporate espionage techniques that leverage hidden behaviors in seemingly innocuous mobile apps.
Transcript (en)

Presentation, this is resyncing. Okay, let me tell you what, let's get started. My name is X, I'm one of the organizers for B-Sides this year, and I got a question for you: you're gonna talk about mobile app corporate espionage out of China? Yeah, I read your book. I read that you read a book, or wrote a blog. Oh yeah, so you have quite an interesting pedigree. Okay, so my question is: Apple, Android or Windows? I'm an Android guy. An Android guy, you listen to him, by the way, right? Yeah, so Mike, let me turn this over to you. Great. Sounds great. Convince them they should go with Apple because it's secure, right? Yeah, because it

had almost three times the vulnerabilities Android had in 2015. Sorry. Hey guys, my name is Mike Raggo, I work for a mobile security company, and today what I thought I would cover is mobile app corporate espionage, sort of a mash-up of a lot of research I've been doing over the years, stemming from a lot of the data hiding, covert communications and steganography research I've been doing over the last 15 years in conjunction with a really, really good friend of mine, Chet Hosmer, who also shares a lot of the same research and used to run a company by the name of WetStone Technologies that did a lot of forensic research. It also incorporates a lot of additional research around mobile

and mobile security. So I just got back from HackCon in Norway and presented a variety of smartwatch security research and my smartwatch attack tool known as SWATtack, so I'll highlight that in the presentation as well, because there are also implications to mobile apps as they relate to smartwatches, and then if time permits I'll get into some mobile device Wi-Fi covert communications as well, around some research I've been doing for a long time. So rather than get into who I am or my background, just know that, you know, if you like what you see today, a lot of it is cited in the research that Chet and I authored in our Data Hiding book and

then more recently Mobile Data Loss: Threats and Countermeasures. So a lot of this is citations from that book, and then also a little bit more deep dive into the actual research itself. So if we take a look at the mobile corporate espionage threat vector landscape, certainly there's a lot of risky behaviors and malware that we've seen in particular recently around mobile apps. In the next few slides I'll talk a little bit more about mobile RATs, or mobile remote access Trojans, and talk about some of the behaviors that we see on an ongoing basis, and then we'll talk more broadly about the data hiding apps that are out there. In addition, you know, a lot of these

behaviors can also stem from a device that's become compromised: jailbroken, rooted, privilege escalation, custom ROMs and so forth, and so as a result there are definitely unlocked behaviors that can happen as a result of a compromised device. Furthermore, when I get deeper into some of the mobile app behaviors, there's also concepts relating to decoy files, things that allow you to remain covert despite the best detections that are out there. So although somebody may be looking for a malicious mobile app, or a mobile app that allows you to communicate covertly, how you hide that data may not be singular; in other words, it may not be hidden in a particular file but in a series of files

that also include a bunch of decoy files, thus making it infinitely more difficult to detect. And then, as I mentioned, if time permits I'll talk a little bit more about some of the Wi-Fi security research that I've been doing over the years as it relates to beacon stuffing and virtual Wi-Fi. I think it's important, though, to first take an initial look at the threat landscape, and really, you know, why do people hide data? Well, although we can certainly become increasingly concerned around corporate espionage, whether that be cyber espionage or more related to our corporate network or an insider threat, certainly also people, especially in this day and age, want to maintain their privacy as well, and in addition to

that, we may find covert communications as it relates to malware that may impact financial institutions and those particular mobile apps. So although you may be looking for these risks, you may be identifying a variety of mobile apps across your enterprise; maybe the intent behind it isn't what you initially thought. So sometimes we find organizations will have an initial knee-jerk reaction, which is good, because awareness is always good, but there's also the intent, and it's not always malicious. Just kind of an interesting history nugget that kind of bridges this to mobile: you may have seen a few years back where McAfee released some security research at Black Hat and DEF CON related to Operation Shady RAT, and this

was something that they had tracked for five, maybe arguably seven years, in terms of a remote access Trojan which allowed remote command and control and exfiltration of data from a variety of government agencies, and impacted a lot of countries around the world. It was probably one of the most impactful pieces of research around this particular topic. In addition, it does have correlations to mobile RATs, or remote access Trojans. In particular, if we kind of take a look at the flow here, whether it's distributed through an email, a phishing email with a malicious link (Lacoon, now owned by Check Point, had done research around identifying malicious links that were sent through WhatsApp, in the WhatsApp app), but however you distribute

this and convince the user to click on the link, you can now of course leverage the ability to deploy one of these Trojans onto a device. Okay, so nothing special there, right? But where it gets into the interesting aspect is that now, with that capability, whether it be with WordPress or something else, you can host a picture file or other types of content that this app can actually download and update itself dynamically. So if you're looking for destination IPs that might be malicious, if you're looking for malicious sites, this now hides amongst, you know, somewhat innocuous sites like WordPress, and then of course as it goes through those updates and can update dynamically, it can then allow that remote

command and control and exfiltration of data. All right, so what the heck are we looking for here then? You know, if I have concerns around an individual in an organization that may be performing some form of corporate espionage, maybe there's some type of suspicious behaviors, what kind of apps, what kind of behaviors am I actually looking for? Well, just like any other category, there's a whole variety of covert communication, data hiding, steganography type apps littered across the Apple App Store, Google Play and even the Windows Store as well. StegDroid is kind of interesting. I picked a few here that we've done research around that were a little bit different than your average "I took a picture and I hid a

message or another picture in it and then I emailed it." This one takes advantage of audio files, or an OGG format, which you may be familiar with, also sometimes commonly correlated to ringtones, and allows you the ability to hide a message in some kind of audio recording. But furthermore it provides the ability that once you've hidden your content and you want to send it, it'll also purge it from the app once you perform that behavior, thus kind of covering up any kind of forensic identification other than this strange, you know, known-to-be-steganography type of app. In addition you can also leverage encryption with it as well. So StegDroid is for Android.

OpenPuff is also quite interesting. OpenPuff was one of the first apps that we identified a while back that actually provides the ability to disperse your hidden data across multiple files and additionally add your own decoy files. So you're sending out a flurry of files, maybe 20 files; only a couple of those contain the data, which by the way is spread amongst multiple files, along with a whole littering of decoy files too. So you think about, you know, identifying this on the network, identifying the behaviors in a mobile device: it makes it a lot more difficult, of course, because it's spread across a lot of decoy files and other things that lead you down dead

paths. In addition, you can go ahead and apply passwords, and then these passwords get dynamically assigned to the specific files, so you pick multiple passwords and then those passwords are dynamically assigned to the different files. Only the recipient who knows about this, who receives the files, can of course use the same app and any relevant passwords to go ahead and decipher and also set aside the decoy files themselves. Hide It Pro is also a pretty cool app that's available for Android as well as Windows Phone. I've used it in Android, it's pretty cool. It hides an app within an app, so what looks to be kind of an innocuous multimedia app, if you know to

click on it 10 times in a row, it will unlock the hidden app feature, which now appears, prompts you for your password that you set when you initially installed it, and then allows you to go ahead and hide data and then send that steganized data in an overlay file to whoever you may want to send it to. And then of course there's apps for iOS as well, such as a Stiga is and also Spy Pix. All right, so I did some research, and two weeks ago I was out in Oslo, Norway to speak at HackCon, and it was kind of interesting: I had found a PIN bypass vulnerability for the Samsung smartwatches and went through responsible

disclosure, wrote a hacking tool around it and demoed it at DEF CON last year. Samsung, by the way, was awesome to work with, and they issued a patch. So I thought that was like the interesting aspect of the presentation that I did at HackCon in Norway, but quite frankly what was most fascinating, or what kind of had a lot of people asking questions, was actually pairing apps and their behaviors, and in particular one that I'm going to highlight here. So they'll be posting some of the more detailed smartwatch security research that I presented at HackCon on their site, so if this is of particular interest to you, around smartwatch risks to the enterprise and various types of

hacking on smartwatches, that's what the presentation more broadly covered, and they'll be posting that to the site. But let's focus on the mobile app for a moment. So of course many of us have smartwatches today, and when you go to use these smartwatches quite commonly there's a pairing app that either comes by default on your iPhone, if it's your Apple Watch, or a pairing app that you can download for the relevant platform, whether it's for Windows, whether it's for iOS or for Android. An interesting aspect about that is the pairing app is not really required, so you can still, many times, pair your smartwatch with your mobile device without the need for the pairing app.

So in the research lab we took three common smartwatches and then kind of an uncommon watch, just so we have like a nice cross section for our research. They included the Samsung Gear 2 Neo, which doesn't actually run Android Wear but runs Tizen, because Samsung has moved a lot of their smartwatches to the Tizen platform. We also tested the Apple Watch, which of course runs watchOS. We additionally tested the Moto 360, which arguably is the most popular Android Wear smartwatch, and then fourthly this random watch we decided to buy off of eBay, which I now determined is by far the most common smartwatch you can buy on eBay, known as the U8,

which runs a weird embedded operating system known as Nucleus. So if you are concerned about Android fragmentation, just take a look at smartwatches; the quantity of different operating systems out there is pretty mind-boggling. So one of the unrealized things that we kind of found in our research was, you know, this Chinese smartwatch: we were certainly suspicious about it, and we couldn't find much online about it. When we got it, it came with a little slip of paper with a random IP address where you could download the pairing app for either iOS or for Android. Yep. And so of course we did this in a test lab with stuff we could crash and burn with, and so when we

went ahead and installed the pairing app, we started to do some dynamic analysis and behavioral analysis, and one of the things we actually discovered was that once we paired the smartwatch with our iOS and Android devices, it started communicating outbound over a random IP address to China. We don't know what the IP was, it didn't resolve to anything, and it was over an encrypted channel, so it's very difficult to determine what it was actually sending, but it was definitely suspicious. It's definitely a mobile app, right, a pairing app related to a smartwatch, and so, you know, in terms of corporate espionage, in terms of data exfiltration, in terms of data risks, there's definitely a lot of interesting,

suspicious behaviors there. We're taking a closer look at this, and in the next version of a report that we release we'll hopefully have some new insights into that, but it did prompt me to write a tool, and that tool I wrote is SWATtack. SWATtack can be either kind of a hacking tool or it can be a forensics acquisition tool. So again, if you have an individual that you're investigating, you have suspicions around corporate espionage, you can go above and beyond just actually looking at the mobile device and looking at the mobile apps; if there's a relevant smartwatch involved, there are ways in which you can acquire the data from it and perhaps even find

that hidden data on it. I extended it even further, and what I demonstrated at DEF CON and spoke about was that you could also use it to hide data too. So some of the ingredients for running this: a lot of times, when you want to interact with these smartwatches, you need to download the relevant SDK. As we mentioned, a lot of them run a plethora of different operating systems and different versions. In this example I ran this with the Samsung, which runs Tizen, so I used the Tizen SDK, and then in addition to that I used Python and a USB cable. If you're running an Android Wear device that only communicates over Bluetooth, it is possible to use the Android Debug

Bridge to communicate over Bluetooth and connect to the smartwatch as well. So I went ahead and took advantage of the fact that I could acquire the data from the device, the suspicious device that you may be investigating, and furthermore a lot of these devices don't require a PIN and they have no resident encryption on them. But even in the case where it may require a PIN, we found a variety of different PIN bypass vulnerabilities that still allowed us to, not necessarily get to the interface on the smartwatch, but connect to it via USB, bypass the PIN, do privilege escalation and acquire the data from the smartwatch. And just a little bit of output from the

SWATtack tool. So of course all these mobile devices and their communications have implications in terms of their network communications, in this case over Wi-Fi. For a long time there's been this capability in Windows to do virtual Wi-Fi, and it still exists today. As I've worked with a lot of organizations over the years, I'm still quite surprised that most people are not aware of this capability. It does allow you to set up a virtual, like what looks like an actual physical access point, in a virtual nature, far above and beyond an ad-hoc network like we're traditionally used to. This virtual Wi-Fi then can be set up as a rogue AP and can possibly be used

to communicate covertly over some kind of covert channels. Setting it up is quite easy, it just requires a few commands from the command line, and in addition you can define, hey, if people are going to be connecting to my virtual Wi-Fi on my Windows laptop, what level of security do I want to use, or do I want to use none at all? So I could set this up, allow people to connect through my laptop to the corporate network. The implications of this are quite interesting, because whether the laptop is physically connected to the network or over the secure Wi-Fi, you can allow somebody in the neighboring parking lot, a neighboring building, or someone else nearby to actually have access to the

corporate network and circumvent all of your best security in terms of WPA2 Enterprise, AES encryption, certificates and all of that. So in terms of the laptop, you set up the virtual Wi-Fi, the user comes in for the day, connects to the corporate network, say over a physical network cable, then proceeds to share that out over the virtual Wi-Fi, maybe just an open network, and allows anybody, including a malicious intruder, to remotely connect in and steal the data through that actual laptop. And in our testing this also works over enterprise access points using the best level of encryption, any other type of authentication schemes. So since that laptop, which is a sanctioned device, is allowed to connect to the

corporate network, let's say using certificate-based authentication, AES encryption, WPA2 Enterprise, etc., now that he's authenticated and on the network he can then set up that virtual Wi-Fi and share that out to any user he wants as an open Wi-Fi network, and just have a clear pass right into the corporate network. So of course this creates a nice channel for corporate espionage as well, maybe a lot more localized, but nonetheless it allows you this really nice, excellent exfiltration type of mechanism. How do I detect this? Well, if you take a look at the packets, if you're familiar with Wireshark, of course we're looking at this from a Wi-Fi perspective. 99%, you know, a lot of these Wi-Fi packets are more around

layer 2 than they are layer 3 and above, and as a result, even if I'm not associated to the access point, I can go ahead and promiscuously sniff the wireless network and I can see all of these handshakes, everything from the probe request to the probe response as well as the beacon packets. And now, if you actually want to detect this behavior, you'll see that you've got devices that are communicating both as a client as well as an access point, right? You'll see beacon packets coming from an actual access point but realize it's the same device as an actual physical laptop in your environment. Taking this a step further, we went ahead and modified DD-WRT, and that allowed us to

go ahead and take advantage of something called beacon stuffing. Beacon stuffing is actually a concept that, believe it or not, Microsoft came up with, which would allow you to hide data in the information element, or IE, field of an actual beacon packet. Of course, beacon packets are wide open, unauthenticated, and just randomly communicating clear text, and as a result there are a lot of unused fields in the beacon packets, including this IE field, and so we're able to inject and hide data in this IE field, 256 bytes, and randomize that over time to actually communicate data over these beacon packets that just seem to be randomly broadcasting, with hidden data in them. So this just gives you a

little bit more insight into an actual packet where you could possibly hide data, as we demonstrated in our book and some presentations in the past, for example at DEF CON, hiding this data in these beacon packets, thus allowing you to communicate that even over enemy lines if you wanted to. And just a Wireshark packet capture that shows you kind of what that looks like in communicating and collecting the beacon packets and then deciphering all the element fields, including the information element field.

So in terms of mitigation and prevention, you know, I kind of covered a broad spectrum of different types of threats, ranging from mobile remote access Trojans, or mRATs, to a lot of various types of covert communicating, data hiding types of mobile apps, to different types of techniques that we've seen across some of the smartwatch pairing apps that could also allow for rogue covert communications unbeknownst to the user, and even in an enterprise environment, and then lastly also the ability over Wi-Fi, which you could do with a lot of these mobile devices, to communicate various types of covert data as well. In terms of the detections, though, there are a variety of methods you could take.

Traditionally we've seen people try to blacklist mobile apps with their MDM or their EMM, use some kind of app reputation or mobile threat prevention to actually categorize these apps on an ongoing basis across the App Store, Google Play and the Windows Store, and furthermore mapping out a lot of these apps that are not even in the curated app stores. In addition, some of these apps actually require maybe some type of sideloading, or actually that the device be rooted or jailbroken in order to install the app, so if you're doing that, you know, OS compromise, jailbreak and root detections, certainly there's a lot of capabilities you could leverage there, and furthermore with app categorization and reputation and mobile threat

prevention. And then if you're concerned about those Wi-Fi threats, I know that there are a number of wireless IPSes out there that detect some of what I've outlined as well. So that leaves just a couple minutes left for Q&A. Go ahead.

Um, not that I've seen yet. Yeah, not that I've seen yet, or that we've detected. We've been taking a look at some of the network type of behaviors; for example, we have seen some of the apps communicate over Bluetooth. Does that mean that they communicate over Wi-Fi? I would think likely so, but we haven't detected that yet. One of the apps, though, that I highlighted earlier will allow you to communicate over Bluetooth. So who... Microsoft kinda did, in that they're trying to get retailers to use it to send out coupons, kind of like a blue light special: when you walk into a retail store, they detect that you didn't turn off the Wi-Fi on your mobile

device, maybe you have their particular app, and you get a notification that there's a coupon because they detected you're in the store, kind of thing. Yeah, so I know Motorola was messing around with that, and Apple has a little bit as well since then. So, any other questions?

Yeah, yeah, so I think the question was related to other aspects of the actual mobile device itself, like IMEI or UDID or things like that. Yeah, so it's kind of a good point. So if you're doing a wireless analysis, you're looking at the actual packets, there may be other aspects beyond just the MAC address that you might be able to correlate to the actual device. You see it in the air, you don't know where the device is, you know what it is; certainly the OUI in the MAC address field might allow you to determine, like, oh okay, this is an iOS device or this is a Dell device, or, you know, things like that.

Yep, so great, thank you. Awesome.
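As an added example, not code from the talk or from the speaker's tools, the two Wi-Fi detections described in the talk (a device that both beacons as an access point and sends probe requests as a client, which is the tell for a laptop running virtual Wi-Fi, and a beacon whose vendor-specific information element carries an oversized payload that changes from beacon to beacon, as beacon stuffing would) written as a small pure-Python analyzer over constructed 802.11 management frames. It assumes raw frames without a radiotap header; the MAC addresses, SSIDs, vendor OUIs and thresholds are made up for the example.

```python
import random
import struct
from collections import defaultdict

BEACON, PROBE_REQ = 0x80, 0x40       # management subtypes (frame-control byte 0)
IE_SSID, IE_VENDOR = 0, 221          # information element IDs

def build_mgmt_frame(subtype, src, ies):
    """Constructed minimal frame: 24-byte header, beacon fixed fields, IEs."""
    src_b = bytes.fromhex(src.replace(":", ""))
    hdr = bytes([subtype, 0, 0, 0]) + b"\xff" * 6 + src_b + src_b + b"\x00\x00"
    body = struct.pack("<QHH", 0, 100, 0x0411) if subtype == BEACON else b""
    for ie_id, data in ies:                 # TLV: id, length, payload
        body += bytes([ie_id, len(data)]) + data
    return hdr + body

def parse_mgmt_frame(frame):
    """Return (subtype, transmitter MAC, [(ie_id, payload), ...])."""
    subtype = frame[0] & 0xF0
    src = ":".join(f"{b:02x}" for b in frame[10:16])     # Address 2 = transmitter
    body = frame[36:] if subtype == BEACON else frame[24:]  # skip beacon fixed fields
    ies, i = [], 0
    while i + 2 <= len(body):
        ie_id, n = body[i], body[i + 1]
        ies.append((ie_id, bytes(body[i + 2:i + 2 + n])))
        i += 2 + n
    return subtype, src, ies

def analyze(frames, max_vendor_len=32, max_variants=2):
    """Flag MACs that both beacon (AP role) and probe (client role), and APs
    whose vendor IE is oversized and keeps changing between beacons.
    The thresholds are assumptions for this example, not values from the talk."""
    roles, vendor_payloads = defaultdict(set), defaultdict(set)
    for frame in frames:
        subtype, src, ies = parse_mgmt_frame(frame)
        if subtype == BEACON:
            roles[src].add("ap")
            vendor_payloads[src].update(d for t, d in ies if t == IE_VENDOR)
        elif subtype == PROBE_REQ:
            roles[src].add("client")
    findings = defaultdict(list)
    for mac, r in roles.items():
        if r == {"ap", "client"}:
            findings[mac].append("beacons as an AP and probes as a client "
                                 "(possible virtual Wi-Fi / rogue AP)")
    for mac, payloads in vendor_payloads.items():
        if (len(payloads) > max_variants
                and any(len(p) > max_vendor_len for p in payloads)):
            findings[mac].append(f"vendor IE changed across {len(payloads)} "
                                 "beacons with oversized payload "
                                 "(possible beacon stuffing)")
    return dict(findings)

def sample_capture():
    """Constructed capture: a normal AP, a laptop that probes and beacons,
    and an AP whose vendor IE carries changing data (beacon stuffing)."""
    wmm = bytes.fromhex("0050f202") + b"\x01\x01\x80"   # constant vendor IE
    ap, laptop, stuffed = "02:11:22:33:44:01", "02:11:22:33:44:02", "02:11:22:33:44:03"
    frames = [build_mgmt_frame(BEACON, ap, [(IE_SSID, b"corp"), (IE_VENDOR, wmm)])
              for _ in range(3)]
    frames.append(build_mgmt_frame(PROBE_REQ, laptop, [(IE_SSID, b"corp")]))
    frames.append(build_mgmt_frame(BEACON, laptop, [(IE_SSID, b"free-wifi")]))
    rng = random.Random(7)   # deterministic stand-in for per-beacon hidden data
    for _ in range(3):
        blob = bytes(rng.randrange(256) for _ in range(200))
        frames.append(build_mgmt_frame(BEACON, stuffed,
                                       [(IE_SSID, b"guest"), (IE_VENDOR, b"\x00\x11\x22" + blob)]))
    return frames
```

Running `analyze(sample_capture())` flags only the laptop and the stuffed AP; the normal AP, whose vendor IE is small and identical in every beacon, is left alone.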