
Cam Buchanan - Probe to Pwn (Rookie Track)

BSides London · 2014 · 12:36 · 164 views · Published 2014-05
Category: Technical
Style: Talk
About this talk
The aim of the talk will be to cover mobile and wireless attack methods from target identification to device compromise and everything in between. The end goal is to make the audience aware of the various attacks possible and the mitigation methods that can be put in place. Topics to be covered:
- Mobile device traffic sniffing
- Rogue Access Point attacks
- State surveillance
- Corporate Network Pivoting
Transcript [en]

You do that? You good? Go. Cool. Hi, I'm Cam Buchanan, penetration tester. I'm wearing the headbands because Robert made me, and I did Tough Mudder at the weekend and I'm not injured; that's why I'm wearing them. I'm going to be talking to you about the mobile attack landscape, and it's kind of like a high-level overview of mobile testing. If you've not done any mobile testing before, this should probably be quite useful for you. If you have done mobile testing before, this is probably going to be incredibly boring and you're going to heckle me like hell. So, on the screen here, I've got a laser pointer so I can do it: we have phones, we have routers, we

have the internet, and we have the intranet, so the corporate internet. The scenario that I'm working on here is that you have access to a corporate phone that has privileged access to the intranet. Ta-da. Forgive the alignment there, I don't know what happened. Cool. So if we look at phones, personal devices: people carry around phones, tablets, small laptops, and they have a lot of crap going on with them, they have a lot of data on them, that kind of stuff, and there are a lot of different issues that are associated with these devices. So let's say you've lost your device. Okay, you lose

your phone, you dropped it in the park and somebody picks it up. Personal phone, big whoop, whatever BYOD says otherwise. BYOD is obviously the up-and-coming way of solving mobile solutions for companies: you have both your personal stuff and your corporate stuff on a phone; you lose the phone, you've lost corporate data. Big issue. How do you solve that problem? A compromised device: you're downloading maybe applications, maybe a bit of porn every now and then on your BYOD device, and yeah, you know, viruses happen, they're out there in the wild. You see them a lot on Android, see a few here and there on iOS. You see the Pokémon, sorry, the GBA, the

GBA emulator that's just come out on iPhones circumventing the iOS, sorry, the App Store's permissions model. You know, it's possible to get around it; it's possible to get data that shouldn't be on phones onto phones. And vulnerable services: phones, you download your applications to do whatever and they open up all kinds of crap all over the place. So what are the issues associated with that? Broadcasting leakage is the really big one. So everybody thinks, okay, an iPhone is a fairly secure product; if you put it on a network it's got a reasonable number of services running, at a guess, you've got various other things. That's not the massive issue.

The massive issue is the various different adapters that run on the phone. So when we say broadcasting leakage, we can go: probe requests. So I'm sure most of you are aware, but Wi-Fi devices are constantly looking out for the networks they've previously connected to. You can record that data. The Snoopy guys put together some great tools for doing that, but if you don't want to go and deploy on a Raspberry Pi or all the crazy stuff they do, there's just something called iiff; it's a great tool, it runs straight out of the box, you put it on any device, any laptop with an adapter, and you can listen to all the

devices in the area, where they've been, and start to correlate that data with locations. So if you use something like WiGLE you can say, okay, this is the SSID name; where has this SSID been detected before? GPS location: work out where somebody lives, work out where they work. You can start to build up a profile of somebody just by being in the right area. I was working in a corporate location this week, I left it running for about half an hour and forgot it was there, and came back and it had picked up one and a half thousand devices looking for somewhere in the region of three and a half thousand networks.

I would estimate, with WiGLE being sort of volunteer-run, you could probably geolocate about half of those. Another example is when we went to a different corporation and people had named their networks after their own names, so we could say, okay, you're John Doe. Is there any John Doe in the room? Oh yeah, I'm John Doe. Right, do you live here? Yes, I live here. And you work here? Yes. So we can follow you home. That's quite scary for some people, and I think it's quite scary from a privacy perspective. We look at Bluetooth. Most security people don't use Bluetooth, and I think that's fairly sensible, but out

there in the wild, normal people use Bluetooth. We aren't normal people, I guess. You get yourself something like the Ubertooth from Hak5 and you can start to do exactly the same thing with the probe requests as you did, sorry, exactly the same with Bluetooth as you did on the probe requests, and start to see what people have connected to. You can start snooping on their pairing, and you can actually do a great deal of attacks on Bluetooth even now. They have improved it; it gets better over time, but obviously with improvements there's more holes, and more holes means more fun for us. And NFC: we all know about Charlie Miller doing his crazy stuff. It's a

big area that's being opened into now. Everybody wants to use it, sort of contactless payments, that kind of stuff. There are a lot of attacks that you can throw at that. The stack I think has been fixed, but it's only temporarily been fixed, and I'm getting some smiles from Tim, which means it's not fixed, because Tim knows all. So how can we solve these problems? How can we mitigate the fact that the device you're carrying around in your pocket is telling everybody where you've been, what you connect to and potentially the payments you've done? Well, there's a lot of work going into secure Android builds or secure phone builds, so the Blackphone

is a good example. User awareness training, so training individuals, if you're a corporation, to not leave Wi-Fi on on the phone, not leave Bluetooth on on the phone just strolling around when it's not connected to things; work on that. Antivirus on phones: a lot of examples out there now, people are pushing in that direction, but is it working? Has anybody seen any working examples? Currently I would say that it's catching the obvious examples, which the Google Play Store are catching, which the iOS guys already boot out. So, you know, is it actually working? Is it heuristics, or is it just a simple "oh, it matches this signature, therefore it's dodgy, don't download it"? And yell at your

providers: create some need for security from the creators of these devices. Like, if the iPhone continues to sell, then why do they care about security? If Apple continues to sell devices, they're not going to care if us, the small people in the room, are going to get upset because it's dodgy, until something big happens and people get really upset about it. And everybody's mentioning Heartbleed today, but Heartbleed is an excellent example of there being a great uproar, people getting very upset about something, and it getting fixed really quickly because it had that motivation behind it, because it was interesting. So,

I don't know, get some more graphic designers involved in pentesting, get some more logos, make a couple more websites. Routers. So routers is a bit of an odd one really. A lot of people don't think of routers as sort of normal PCs to attack; it's just that sort of piece of kit over there that sits there and allows you to connect to the internet, and that's fine, but routers can be compromised. And I've put them in the wrong order here, but so the Chameleon attack that came out this year I think got a lot more media attention, in the wrong way, than it deserved. It said, oh, you know, this is a new kind of virus,

it goes like a human virus, it spreads over the air, it's pretty scary. If it was a specific kind of router, if you managed to bring specific kinds of routers into similar areas, to compromise devices to get to the same kind of routers around the world, it would spread like a virus. What was interesting was that it created a situation where you could put something on a mobile device and take over their router and get at everybody else's data. It's that secondary step, not the compromise, not the spread, that kind of thing that relies on every router being available to that attack. What was interesting was that you could have something on a mobile phone that could

get onto the router and compromise the data that's on it. You could sniff all the traffic going through it instead of having to man-in-the-middle somebody; you already took over the router, it's an instant man in the middle. And of course other users on routers: when you're connecting to your coffee shop Wi-Fi, that kind of stuff, other people can potentially see your traffic because Wi-Fi isn't totally secure. So router compromise: what can you do once you've got it? So either going after a router or creating a rogue AP, so a rogue network that takes advantage of that probe request I mentioned earlier. What can you do with

it? You force somebody to connect to a network, or they've compromised a router that's hosting a network you're connected to. What can you do? Obviously you can sniff HTTP credentials, stuff in plain text, that's really simple. You can DNS spoof people, going from the regular, correct IP address associated with URLs to your own ones; that's pretty straightforward to do now as well. SSL stripping didn't work for quite a while; there's a sort of break in the development of that tool. With the new Pineapple it works like a dream, it's absolutely amazing, and there are some really upsetting people that are vulnerable to it. I'm not going to

name names, because I'm on camera. And malware injection: we had some great work again with the Pineapple using captive portal setups to push malicious APKs onto Android devices really easily, just by a very basic social engineering attack. I'm going to speed up quite a lot now. So how can we mitigate these issues? Well, you can use a VPN; you can just skirt straight through the router issue altogether, everything's encrypted, great. If you're a corporation and you can do proper patching on your routers and keep them up to date, I mean, that's going to mitigate some of the issue but not all of it. And if you're an individual,

again, you're going to see a theme here: yell at your provider, yell at the people that are doing the network security for you. If they're not doing it properly then you need to make sure they do. If you get upset about things and make noise, people eventually take notice. The internet: you're not really worried too much about me or him or you sort of finding stuff on the internet that's going over, but you are worried about state surveillance, and if you're not worried about state surveillance you really should be, or working in a hostile environment. A lot of us do work going overseas and that kind of stuff, going into countries where they do just sort

of intercept data as a matter of course. If you're just connecting straight back to your corporation's websites and everything like that in clear text, then you've got a serious problem on your hands, and it's VPNs for you. State surveillance, hostile environment, as I said there. State control of infrastructure: in the UK you've obviously got Echelon, in France you've got Frenchelon, that's one of my favourites. Overt and covert control of infrastructure: we already all know that it goes through surveillance kit, but there are other things going on that we don't know about, and there's always things hinting about it in the leaks. How do we mitigate against this?

Oh look, it's a VPN again. You couldn't possibly work out that I work for a company that sells VPNs. Don't use a phone, you know, go back to using a Nokia. Do you really need the internet on your phone? Move to Sweden; Sweden's a nice place, more privacy concern over there. And if the worst comes to the worst, cry deeply, somebody might take pity on you, and you can yell at your provider whilst you're crying. Finally, the intranet. So this is what the end goal is, and it's less of a sort of vulnerabilities here, more of what happens, and a bit of focus on mitigations. VPN endpoints:

so if you are using a VPN all the way through this, you can go straight into the network in a lot of cases, and they're not using proper landing zones. And yes, pivoting power, I'll just explain that now. If you're not using a proper landing zone, so when you VPN in you've got access to everything on the intranet, and somebody picks up that phone and gets through the locking mechanism, they can potentially, or in numerous cases, especially with Windows phones, use those as a direct proxy to get straight into your network. So people are carrying around tiny little proxies; you can hook the PC up to it and you've got a full pen test. It's a

standard methodology, it's game over, whatever you've got on there. Everybody's got vulnerabilities on their internal network, and anybody who says they don't is lying. Mitigations for that: proper landing zones; secondary authentication, so yeah, okay, you VPN in, you've got the right SS on the device, but secondary authentication to access the privileged stuff on there, so you need to basically compromise both the phone and the person's account; and restricted intranet access, so, you know, do you really need access to absolutely everything? Maybe you just need access to the mail server in a limited kind of way. That was a quick run-through because I ran quite slowly at the beginning. Are there any questions?

Excellent. Done. Silence. Thank you very much, thank you very much.
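The talk's "broadcasting leakage" point (devices probing for every saved network, SSIDs that geolocate through a WiGLE-style database, networks named after their owners) is something a corporate security team can measure on its own fleet before an outsider does. The script below is an added example and is not code from the talk or its speaker: it takes a capture of probe requests, builds a per-device profile of probed SSIDs, and reports which devices would let a passive observer place or name their owner. The capture records and the `KNOWN_LOCATIONS` table are constructed stand-ins (the table plays the role of a WiGLE lookup; no real database is queried), and the personal-name heuristic and the `max_ssids` threshold are this example's own choices, not anything the talk specifies.

```python
"""Audit what a device fleet leaks through Wi-Fi probe requests.

Added example, not from the talk. Input records are constructed, and
KNOWN_LOCATIONS is a hypothetical stand-in for a WiGLE-style SSID lookup.
"""
from dataclasses import dataclass, field

# Constructed capture: (client MAC, probed SSID), one entry per probe request.
# A real capture tool emits more fields; only these two matter for the audit.
CAPTURE = [
    ("aa:bb:cc:00:00:01", "CorpGuest"),
    ("aa:bb:cc:00:00:01", "HomeHub-7A2F"),
    ("aa:bb:cc:00:00:01", "CorpGuest"),
    ("aa:bb:cc:00:00:01", "Costa Wi-Fi"),
    ("aa:bb:cc:00:00:02", "John Doe's Network"),
    ("aa:bb:cc:00:00:02", "CorpGuest"),
    ("aa:bb:cc:00:00:03", "CorpGuest"),  # only probes for the office network
]

# Constructed stand-in for a volunteer-run SSID -> location database.
KNOWN_LOCATIONS = {
    "HomeHub-7A2F": "residential street (constructed entry)",
    "Costa Wi-Fi": "coffee shop chain, many locations (constructed entry)",
}


@dataclass
class DeviceProfile:
    """Everything a passive listener learns about one client MAC."""
    mac: str
    ssids: set = field(default_factory=set)
    probe_count: int = 0


def build_profiles(capture):
    """Group probe requests by client MAC into DeviceProfile objects."""
    profiles = {}
    for mac, ssid in capture:
        profile = profiles.setdefault(mac, DeviceProfile(mac))
        profile.ssids.add(ssid)
        profile.probe_count += 1
    return profiles


def looks_like_personal_name(ssid):
    """Heuristic (this example's own): a possessive, or two or more
    capitalised alphabetic words, suggests a network named after a person."""
    if "'s" in ssid:
        return True
    words = ssid.split()
    return len(words) >= 2 and all(w.isalpha() and w[:1].isupper() for w in words)


def assess(profile, known_locations, max_ssids=2):
    """Return a list of human-readable findings for one device.

    An empty list means the device reveals nothing beyond the office SSID,
    which is what you want after users forget stale networks or switch
    Wi-Fi off while roaming, as the talk recommends."""
    findings = []
    if len(profile.ssids) > max_ssids:
        findings.append(
            f"broadcasts {len(profile.ssids)} saved networks (limit {max_ssids})")
    located = sorted(s for s in profile.ssids if s in known_locations)
    if located:
        findings.append("geolocatable SSIDs: " + ", ".join(located))
    named = sorted(s for s in profile.ssids if looks_like_personal_name(s))
    if named:
        findings.append("SSIDs that look like a person's name: " + ", ".join(named))
    return findings


def audit(capture, known_locations, max_ssids=2):
    """Map each client MAC in the capture to its findings."""
    return {mac: assess(p, known_locations, max_ssids)
            for mac, p in build_profiles(capture).items()}


if __name__ == "__main__":
    for mac, findings in audit(CAPTURE, KNOWN_LOCATIONS).items():
        print(mac, "->", findings or "no exposure beyond the office SSID")
```

Run against a real capture, the same report tells you which handsets to target with the awareness message from the talk (forget networks you no longer use, turn Wi-Fi off when not connected) and gives a before/after number to show whether the message landed.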