27C3 - Version 1.6.3

27th Chaos Communication Congress
We come in peace

Ilja van Sprundel
Tag Day 1 - 2010-12-27
Raum Saal 2
Beginn 18:30
Dauer 01:00
ID 4265
Veranstaltungstyp Vortrag
Track Hacking
Sprache der Veranstaltung englisch

hacking smart phones

expanding the attack surface and then some

There's been a fair bit written and presented about smartphone's, and yet, when it comes to the attack surface of the operating systems running on them, and the applications running on top of those, much still has to be explorer. This talk will dive a bit deeper into that attack surface.

This talk will take a look at the smart phone attack surface, only from and end-to-end point of view. the baseband type stuff and things owned by the telco's will not be covered. Basically, it'll cover 5 major areas:

  • identifying operating systems (through for example the user-agent with mms)
  • identifying entrypoints
  • identifying trust boundaries
  • identifying bugs
  • exploiting bugs

There has been a fair amount of cellphone and smartphone reseach done in the past, and yet, when it comes to attack surface, we've barely scratched the surface. SMS alone allows for a dozen or so different types of messages, there's mms, all sorts of media codecs are build into smart phones. The entrypoints can be roughly categorized as:

primary entypoints: - zero-click remote attacks over default communication network (sms, mms, ...) secondary entrypoints: - zero-click remote attacks over non-default communication network (email, ...) tertiary entrypoints: - proximity attacks (wifi, bluetooth, irda, mitm wifi connection, ...) - not-zero click remote attacks (e.g. start application XYZ and connect to my evil server)

The main focus in this talk will be on the primary entrypoints, however some of the secondary and tertiary entrypoints will be talked about aswell, in particular irda, since unlike bluetooth and wifi, very little security research has ever been done with irda, which on itself is weird, since after less than a day of poking around it became quite clear most irda stacks are pretty weak (as a hilarious irda sidenote which got me started to look at idra, one should read the following microsoft bulletin http://www.microsoft.com/technet/security/bulletin/ms01-046.mspx).

once's the interesting entrypoints for various smartphones are explored the talk will dive into some of the trust boundaries on different smartphones, things their sandboxes allow, things they don't, wether or not it's documented and wether or not the documentation is actually accurate.

in the spirit of keeping the best for last, some of the bugs discovered during the smartphone research will be discussed, both the details of them, as well as the pains the speaker had to go through to make exploits for them.