Monday, February 5, 2018

What are the real mobile security threats? Part 1: Network

Lately the concern for the safety of our beloved smartphone has begun to grow, after some attacks such as the so-called DoubleLocker, had a lot of media impact perhaps greater than its actual impact.

However, data from specialized analysts suggest that mobile threats will represent, within 1 or 2 years, 25% of all threats, although Windows will remain the focus of all attention ...

This post is divided in 3 parts: this first part will deal with network threats, the second with apps and configuration threats, and the last part will propose some actions and solutions to protect yourself.

ARP Spoofing.

Smartphones are confronted with an additional threat, by their very essence: they are mobile devices, and they move, much more than a laptop.

We all have had to connect to public Wi-Fi networks in airports, cafeterias, restaurants, or even when visiting the offices of a client or supplier.

And the main danger comes from these unknown Wifis: using Google with a few well-chosen keywords, it's easy to find free programs that allow you to spy on any device that is on the same network as your laptop or even smartphone or tablet.

ARP Spoofing using Cain and AbelOne can settle quietly in a Starbuck and start intercepting the internet traffic of this man in suit sitting 2 tables away.

Intercept traffic only requires a simple technique called ARP Spoofing. This technique is usually detected immediately when used in the networks of companies that have minimally advanced security equipment, but this is not the case in the Wifis of the street, or at home, and smartphones are completely defenseless against these attacks.

Not only Wifi: GSM Man in the Middle (MiTM)

And this danger is not limited only to the Wifis. With a minimum of technical knowledge and a hardware investment of less than $1000, an attacker can simulate a network of a public 3G / 4G operator in a 10-20 meter beam, deceiving nearby smartphones that plan to communicate with their usual operator. 

GSM MiTM Fake BSS allows hackers to eavesdrop on conversations, read texts, and track your smartphone locationNormally, the data circulating in the operator's network cannot be seen, as they circulate encrypted to a remote point in the operator's network. For this reason, the attacker simulating an "antenna" of the operator will try to force the devices to communicate using the 2G protocol whose encryption is very weak or even disabled (2G fallback mode downgrade). In this way the attacker will be able to access all the IP traffic of the device, as if it were in the same Wifi, and start analyzing the data traffic.

These kind of attacks are becoming each day more difficult to be carried out since smartphone operators and manufacturers are slowly retiring 2G networks and disabling the possibility of unsafe 2G data communications.

Interception of unsafe traffic

Once an attacker has access to internet traffic by having interposed between a device and the rest of the internet (Man In The Middle), all the information that is not encrypted using SSL, TLS or any other method, is accessible to the attacker:

You can for example access session identifiers, certain passwords encrypted in an unsafe way, connections to databases, and any personal data that is not encrypted.

You can even redirect a query to one Web to another and in this way force the execution by the attacked device browser of a malicious code to access data within the device, control it or force download an application.

Falsification of digital certificates (Fake SSL)

Some attackers go further and try to also intercept the encrypted traffic, supplanting the server to which the device wants to connect.

To understand it, it is enough to know the simple mechanism that these types of connections use:

  • The device that connects to the server receives a "digital certificate" from this server, which contains a key that will be used by the device to encrypt everything transmitted to it.
  • What the attacker does is request the certificate to the server on behalf of the device: once it has it, it returns a false certificate to the device: the device will communicate with the attacker using this false certificate known by the attacker, and will be able to decrypt all the exchanges.
  • In turn, the attacker will communicate with the server with the real certificate, relaying the data back and forth, as if it were the device, as an intermediary that sees everything that happens.

Digital certificates are all issued by Certifying Authorities (CA), and the information of who issued the certificate is within the certificate. Anyone can generate certificates, however, there are reputable entities called trusted CAs. The devices have a "factory" list of these trusted CA entities (about 100).

  • Most attackers use certificates generated and signed by themselves in the moment the connection is established (self signed). When these certificates are used, any browser gives an alarm message for the reason that the entity that has issued this certificate is not trusted.
  • You must also know that a certificate contains the information of the domain for which it can be used to communicate, as an additional check mechanism.
  • However, some mobile apps accept the certificate despite not coming from a trusted entity, exposing their communications to the attackers: These apps are vulnerable to this kind of attack.
  • There have even been cases of trusted CAs that have been tricked by attackers into issuing certificates for large public domains (i.e., and these "false true certificates" have been used by attackers: in this case browsers and applications cannot detect the attack, since the Certificate is authentic, and issued by a trusted CA.
Fake SSL man in the middle attacks
Some of these attacks have even been performed by powerful organization, like that of a government, as was the case of the Iranian government in 2011 who was able to simulate access to the gmail website with a false certificate and access accounts of thousands of people.

But it can also be performed by less organized people. From time to time some false / true certificates leaks to the dark web and are used by all kind of hackers. To counter this weakness of the certification mechanism, between 2016 and 2017 a public, non-forgery record of the issued certificates has been launched so that everyone can consult them and verify that the certificates they receive are really from who they say they are ("Certificate Transparency System").

Other threats: malwares, configurations

If you are interested in getting more information about non network threat such as apps or configuration, please also read our next post.

No comments:

Post a Comment