Security flaws in mobile devices - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Security flaws in mobile devices
  • Seminar on Software Engineering,
  • Long Presentation
  • 06.03.2008
  • Christian Gruber

2
Quick overview of mobile device security
  • Modern technologies integrated with each other.
  • Mobile phones are more and more intelligent and
    becoming like computers → security problems?
  • Mobile phones and other mobile devices are becoming
    more attractive to virus writers.
  • This presentation is dedicated to the threats
    currently posed by malicious code to mobile
    devices which run under portable operating
    systems and are equipped with wireless
    technologies.

3
Quick overview of mobile device security
  • This overview focuses on some of the severe
    malware found in the following major mobile
    operating systems:
  • - Symbian OS
  • - Windows CE .NET
  • - Apple OS X for the Apple iPhone

4
Symbian operating system
  • A smartphone is a mobile phone offering advanced
    capabilities beyond a typical mobile phone, often
    with PC-like functionality.
  • Symbian is the leading OS in the smart mobile
    device market.
  • It is designed for the specific requirements of
    advanced 3G mobile phones. Symbian OS combines
    the power of an integrated applications
    environment with mobile telephony, bringing
    advanced data services to the mass market.
  • Statistics published February 2007 showed that
    Symbian OS had a 67% share of the smart mobile
    device market, with Microsoft having 13% through
    Windows CE and Windows Mobile and RIM having 10%.

5
First malicious code for Symbian OS.
  • In 2004 a group of professional virus writers known
    as 29A created the first virus for smartphones,
    called Cabir.
  • Cabir is the first network worm capable of
    spreading via Bluetooth.
  • It infects mobile phones which run Symbian OS.
  • Creators stated it was purely proof of concept
    just to show malicious code could be created for
    Symbian OS.
  • Source code was published on the Internet → many
    modified versions surfaced.

6
How does Cabir work?
  • It is designed to load at phone boot-up and send
    itself to available devices using Bluetooth.
  • It sends itself as a Symbian installation file
    (as CARIBE.SIS); the receiving phone will
    recognize it as an installable package.
  • Before the virus can successfully infect a phone,
    it must first be accepted by the user.
  • When the virus is received and accepted, the
    phone then begins installing the installable
    package file → phone infected.
  • A later version, named Cabir.k, was able to
    replicate itself via MMS.

7
Second malware for Symbian OS
  • Soon after Cabir spread, the first Trojan was
    found for Symbian OS.
  • Normally a Trojan is a piece of software which
    appears to perform a certain action but in fact
    performs something else.
  • The Trojan was a cracked version of a popular
    game called Mosquitos.
  • It sent SMS messages without the knowledge of the
    user.
  • It was intended that the program secretly sent an
    SMS message to alert the developers if an unlicensed
    copy was being used.

8
Mosquitos Trojan
  • This program is not strictly a Trojan, but it is
    classified as a Trojan as it sends SMS messages
    to premium-rate services without the knowledge
    of the user.
  • The numbers which messages were sent to were
    coded into the program.
  • Does not spread using its own means. It must be
    installed and run by the user.
  • One message cost 1,5 2

9
The Skuller Trojan
  • Skuller was the first real Trojan for the Symbian
    OS.
  • The Trojan appeared as a program which would
    offer new wallpapers and icons for Symbian OS.
  • Installing the program led to the standard
    application icons being replaced with a skull and
    crossbones.
  • At the same time it would overwrite the original
    application → application ceased to work.
  • Once the smartphone has been infected it can only
    be used to make calls.

10
The Skuller Trojan continued
  • Skuller demonstrated two unpleasant things about
    the Symbian architecture:
  • - System files can be overwritten
  • - Symbian lacks stability when presented with
    corrupted or non-standard system files.
  • There are no checks designed to compensate for these
    vulnerabilities.

11
The Locknut Trojan
  • These vulnerabilities were quickly exploited and
    the second Trojan appeared: Locknut.
  • Locknut was spread as a critical patch.
  • The idea behind Locknut was that Symbian OS did
    not check file integrity.
  • Locknut disables a phone using a malformed file
    to crash an internal Symbian process
  • → causing the phone to lock down so that no
    applications can be used.
  • The .app extension makes the OS believe that the
    file is executable.

12
The Locknut Trojan continued
  • The .app file contains just text rather
    than structured code.
  • The system will freeze when trying to launch any
    application.
  • Rebooting won't help as Locknut is started
    automatically → making it impossible to even turn
    on the phone.
  • First malware on Symbian to prevent making even a
    call.

13
Most dangerous Symbian worm: Comwar
  • The second worm found for mobile devices was the
    Comwar.
  • The worm spread via Bluetooth and MMS.
  • The executable worm file is packed into a Symbian
    archive (.SIS).
  • Once launched the worm will search for accessible
    Bluetooth devices and send the infected .SIS
    archive under a random name to these devices.
  • The name of the file varies. When spread via
    Bluetooth, the worm creates a random file name,
    which will be 8 characters long, e.g.
    bg82o_s1.sis.

14
Comwar continued
  • The worm also sends itself via MMS to all
    contacts in the address book. The subject and
    text of the messages vary.
  • Some example subjects found:
  • - Norton AntiVirus Released now for mobile,
    install it!
  • - 3DGame 3DGame from me. It is FREE !
  • - Desktop manager Official Symbian desctop
    manager.
  • - Happy Birthday! Happy Birthday! It is present
    for you!
  • - Internet Accelerator Internet accelerator, SSL
    security update 7.
  • - Security update 12 Significant security
    update. See www.symbian.com
  • - Symbian security update See security news at
    www.symbian.com
  • - SymbianOS update OS service pack 1 from
    Symbian inc.

15
Symbian OS 6.0 and newer
  • The malware discussed so far works on the earlier
    Symbian OS versions 6 and 7.
  • The newest Symbian OS 9.x, also known as the S60
    platform 3rd Edition, has adopted a capability model.
    Installed software will theoretically be unable
    to do damaging things without being digitally
    signed, thus making it traceable.
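As an added illustration (not code from the slides and not Symbian's own installer), the policy below models the capability gate that Symbian OS 9 / S60 3rd Edition introduced: a package declares the capabilities it needs, and anything beyond the user-grantable tier is refused unless a known signer vouches for the manifest, which is what makes the code traceable. The capability names are Symbian 9's real ones; the manifest layout, the HMAC standing in for the real certificate signature, and the signer registry are assumptions.

```python
import hashlib
import hmac
import json

# Symbian 9 capability tiers (real capability names; grouped as the installer treats them).
USER_GRANTABLE = {"LocalServices", "Location", "NetworkServices",
                  "ReadUserData", "WriteUserData", "UserEnvironment"}
SYSTEM = {"PowerMgmt", "ProtServ", "ReadDeviceData", "SurroundingsDD",
          "SwEvent", "TrustedUI", "WriteDeviceData"}
MANUFACTURER = {"AllFiles", "CommDD", "DiskAdmin", "DRM", "MultimediaDD",
                "NetworkControl", "TCB"}

# Assumed signer registry: signer id -> (key, tiers that signer may grant).
# Stands in for the signing programme's certificates; HMAC replaces the real signature.
SIGNERS = {
    "symbian-signed": (b"demo-key-symbian-signed", USER_GRANTABLE | SYSTEM),
    "phone-vendor": (b"demo-key-phone-vendor", USER_GRANTABLE | SYSTEM | MANUFACTURER),
}

def _mac(key, manifest):
    # Canonical JSON, so any change to the manifest invalidates the signature.
    data = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def sign_package(manifest, signer):
    """Produce a signed package; the signer id is what makes the author traceable."""
    return {"manifest": manifest, "signer": signer, "sig": _mac(SIGNERS[signer][0], manifest)}

def install_decision(pkg):
    """Return (verdict, signer). Verdicts: 'install', 'prompt_user', 'reject'.
    Unsigned code may hold only user-grantable capabilities, and only after asking
    the user; system and manufacturer capabilities need a valid, known signature."""
    caps = set(pkg["manifest"].get("capabilities", []))
    if caps - USER_GRANTABLE - SYSTEM - MANUFACTURER:
        return "reject", None                      # unknown capability name
    signer = pkg.get("signer")
    if signer is None:
        return ("prompt_user" if caps <= USER_GRANTABLE else "reject"), None
    if signer not in SIGNERS:
        return "reject", None                      # untrusted signer
    key, allowed = SIGNERS[signer]
    if not hmac.compare_digest(_mac(key, pkg["manifest"]), pkg.get("sig", "")):
        return "reject", None                      # manifest altered after signing
    if not caps <= allowed:
        return "reject", signer                    # signer cannot grant this tier
    return "install", signer

# Constructed samples: a "wallpaper" package like Skuller that needs to overwrite
# system applications, and a harmless widget that only needs the network.
SKULLER_LIKE = {"name": "NewWallpapers", "capabilities": ["AllFiles", "WriteDeviceData"]}
HARMLESS = {"name": "WeatherWidget", "capabilities": ["NetworkServices"]}
```

Under this gate an unsigned Skuller-style package is refused outright, the harmless widget only triggers a user prompt, and a package re-signed by an untrusted or wrong-tier signer is rejected with the signer recorded.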

16
First malware for Windows CE
  • Duts is the first virus for devices running under
    Windows CE .NET.
  • It is also the first file infector for
    smartphones.
  • Duts is also made by the group 29A, which made
    the first Symbian virus.
  • A proof of concept virus.
  • It can infect devices running the following
    operating systems: PocketPC 2000, PocketPC 2002,
    PocketPC 2003.

17
Duts continued
  • The virus itself is an ARM processor program and
    is 1520 bytes in size.
  • When the program is run, it raises a dialog box:
    "Dear user, Am I allowed to spread?"
  • If confirmation is given, the virus will infect
    executable files which correspond to the
    following criteria: ARM processor, more than 4KB
    in size, located in the device's root directory.
  • The virus writes itself to the last section of
    these files and establishes an entry point at the
    beginning of the file.

18
Duts continued
  • The Duts virus exploited a clever workaround of
    the operating system architecture in order to
    gain access to the coredll module.
  • Windows CE was designed with a protected kernel.
    User-mode applications are not permitted to
    interact directly with the kernel. This was
    designed to enhance the security and stability of
    Windows CE.
  • Microsoft has left the function "kdatastruct"
    accessible to user mode. This provided the key to
    the entry point of the virus.

19
Brador
  • Brador is a backdoor (a utility allowing for
    remote administration of the infected machine).
  • Designed for PocketPC based on Windows CE and
    newer versions of Windows Mobile.
  • It is written in ASM for ARM-processors and is
    5632 bytes in size.
  • After Brador is launched it creates an
    svchost.exe file in the /Windows/StartUp/ folder,
    thus gaining full control over the handheld every
    time it is restarted.

20
Brador continued
  • Brador identifies the IP address of the infected
    device and sends it to the remote malicious user
    to inform him that the handheld is connected to
    the Internet and that the backdoor is active.
    Brador then opens port 2989 and awaits further
    orders.
  • The backdoor responds to the following commands:
  • d - lists the directory contents
  • f - closes the session
  • g - uploads a file
  • m - displays MessageBox
  • p - downloads a file
  • r - executes the specified command

21
Windows CE security
  • Windows CE is extremely vulnerable from the point
    of view of system security. There are no
    restrictions on executable applications and their
    processes. Once launched, a program can gain full
    access to any operating system function such as
    receiving and transmitting files, phone and
    multimedia functions etc.
  • Creating applications for Windows CE is extremely
    easy, as the system is totally open to
    programming, making it possible to use not only
    machine languages (e.g. ASM for ARM) but also
    powerful development technologies such as .NET.

22
Apple iPhone
  • Within two weeks after the iPhone was released, I.S.E.
    (Independent Security Evaluators) found a way to
    take full control of the device.
  • Apple's Safari web browser exposes the
    vulnerability.
  • The exploit can be delivered via a malicious web
    page opened in the Safari browser on the iPhone.
  • When the iPhone's version of Safari opens the
    malicious web page, arbitrary code embedded in
    the exploit is run with administrative
    privileges.
  • After the exploit is run the attacker has full
    control of the device.

23
Damages
  • In various proofs of concept it has been shown
    that the attacker can:
  • - Read/send SMS, MMS and emails,
  • - Read the address book,
  • - Read call history,
  • - Read voicemail data,
  • - Read the user's mail and other passwords,
  • - Record audio clips,
  • - Gain access to all files.
  • The attacker can transmit all this information
    without the knowledge of the user.

24
iPhone DoS vulnerability
  • Recently a Denial of Service (DoS) vulnerability
    was discovered in the iPhone's web browser.
  • The DoS exploit can be triggered by visiting a
    maliciously crafted webpage.
  • The page will insert code into the iPhone, which
    continually eats up available system memory
    before causing a kernel panic.
  • It has been stated that the exploit could be used
    for malicious purposes → e.g. executing remote
    code.

25
What can mobile viruses do?
  • In short, what can mobile viruses do?
  • - Spread via Bluetooth, MMS
  • - Send SMS messages
  • - Infect files
  • - Enable remote control of the smartphone
  • - Modify or replace icons or system applications
  • - Install false or non-operational fonts and
    applications
  • - Combat antivirus programs
  • - Install other malicious programs
  • - Block memory cards
  • - Steal data

26
Protection against mobile viruses
  • For a smartphone to become infected, the user has
    to twice confirm that an unknown file should be
    uploaded and launched.
  • At the moment there are several anti-virus
    solutions designed to protect mobile devices from
    viruses.
  • For worms which spread via MMS, the optimal
    solution is for the network operator to install
    an antivirus product which scans traffic that
    passes.
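The operator-side MMS scanning suggested above, combined with the Comwar lure subjects listed on slide 14, as an added example that is not part of the original slides: the scanner below classifies MMS metadata records before delivery and flags senders spraying one .SIS archive to many recipients, which is how a worm walking an address book looks from the network. The record layout, the sample traffic and the fan-out threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Leading words of the Comwar MMS subjects listed on slide 14, lower-cased for matching.
COMWAR_SUBJECTS = (
    "norton antivirus", "3dgame", "desktop manager", "happy birthday!",
    "internet accelerator", "security update 12", "symbian security update",
    "symbianos update",
)
SIS_NAME = re.compile(r"\.sis$", re.IGNORECASE)
FANOUT_THRESHOLD = 5   # assumed: one sender, same archive, at least 5 recipients

def classify(msg):
    """Verdict for one MMS record: 'block', 'scan' or 'pass'."""
    if not SIS_NAME.search(msg.get("attachment") or ""):
        return "pass"                       # no installable package attached
    subject = msg.get("subject", "").strip().lower()
    if subject.startswith(COMWAR_SUBJECTS):
        return "block"                      # known worm lure carrying a .SIS archive
    return "scan"                           # unknown .SIS: hand to the AV engine first

def fanout_senders(msgs, threshold=FANOUT_THRESHOLD):
    """Senders pushing the same .SIS (by hash) to many recipients: address-book spraying."""
    recipients = defaultdict(set)
    for m in msgs:
        if SIS_NAME.search(m.get("attachment") or ""):
            recipients[(m["sender"], m["sha1"])].add(m["recipient"])
    return sorted({sender for (sender, _), r in recipients.items() if len(r) >= threshold})

def scan_batch(msgs):
    """Return (verdict counts, suspicious senders) for a batch of MMS records."""
    return dict(Counter(classify(m) for m in msgs)), fanout_senders(msgs)

# Constructed sample traffic (not real captures): one infected phone mailing its contacts.
SAMPLE_MMS = [
    {"sender": "+15550001", "recipient": "+1555010%d" % i, "sha1": "c0ffee01",
     "subject": "Happy Birthday! Happy Birthday! It is present for you!",
     "attachment": "bg82o_s1.sis"} for i in range(5)
] + [
    {"sender": "+15550002", "recipient": "+15550003", "sha1": "deadbe02",
     "subject": "photos from the trip", "attachment": "img001.jpg"},
    {"sender": "+15550004", "recipient": "+15550005", "sha1": "deadbe03",
     "subject": "try my app", "attachment": "calc.SIS"},
]
```

The subject list only catches the lures already known; the fan-out check is what still fires when the worm's message text varies.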

27
Forecast?
  • It is difficult to forecast the evolution of
    mobile viruses. This area is constantly evolving.
  • Today's mobile viruses are very similar to
    computer viruses in terms of their payload.
  • It took computer viruses over twenty years to
    evolve, and mobile viruses have covered the same
    ground in a few years.
  • Without doubt, mobile malware is the most quickly
    evolving type of malicious code, and clearly
    still has great potential for further evolution.

28
Sources
  • Alexander Gostev, Mobile Malware Evolution: An
    Overview, Kaspersky Lab
  • Symbian.com http://www.symbian.com/
  • Geekzone http://www.geekzone.co.nz/content.asp?contentid=3379
  • Viruslist.com http://www.viruslist.com
  • Kaspersky http://www.kaspersky.com/
  • FastCompany.com http://www.fastcompany.com/articles/2007/11/hacking-the-iphone.html?page=0%2C1
  • Security Evaluators http://www.securityevaluators.com/iphone/
  • I.S.E http://www.securityevaluators.com/
  • iPhone World http://www.iphoneworld.ca/
  • AvertLabs http://www.avertlabs.com/research/blog/index.php/2008/02/20/iphone-dos-vulnerability/