
SECURITY EVALUATION OR ESCAPING FROM "VULNERABILITY PRISON"

Ph.D. YURY CHEMERKIN


NULLCON GOA 2013

BLACKBERRY SECURITY ENVIRONMENT


BLACKBERRY SMARTPHONE WAS SECURE
- Security is the cornerstone
- Powerful high-level integration: IMs, social networks, financial data, etc.
- The BlackBerry was built free of malware and harmful actions, with native security solutions mainly focused on the enterprise
- Wide-range IT policy set: up to 500 units
- A few third-party security solutions

PLAYBOOK HAS COME WITH A POOR ENVIRONMENT
- A simplification of the security vision
- Poor integration (only BlackBerry Bridge)
- No built-in IMs, HTML5 or web launcher; no wallets or other built-in applications
- The PlayBook might produce few valuable data, due to its APIs, beyond what a large phone screen offers
- Totally focused on the enterprise; IT policy set further reduced: up to 10 units
- Entertainment applications only

USER MODE ROOTKIT AND SPYWARE


MALWARE BOUNDS BECOME UNCLEAR
- A lot of types: bootkits, firmware, user-mode, kernel, hypervisor
- Similar to spyware bundled with desirable software
- Widespread, easy to distribute and quite relevant for hackers

HACKERS ARE INTERESTED IN CHEAPER COSTS
Based on:
- Vendor-supplied extensions
- Third-party plugins
- Public interfaces
- Interception of system messages
- Exploitation of security vulnerabilities
- Hooking and patching of API methods

THE FILE SYSTEM ISSUES


BB OS v4-5 WAS ACCESSIBLE
- Via the built-in (internal) explorer, after entering the password
- But the internal explorer still allows executing malware from the device by clicking a file (.JAR/.JAD + .COD)
- Allows copying the malware to the device as an external drive (like a worm)

BB OS v6-7 PLUS PLAYBOOK ARE ACCESSIBLE
- After mounting as an external drive(s), after entering the password
- But it is not necessary to use the internal explorer, to prevent executing anything outside AppWorld (.BAR)
- Malware is a "personal application" subtype in terms of RIM's security
- All data is accessible except app and system data, without any API or other info
- The sandbox protects only app data, while user data is stored in shared folders

THE APPLICATION MANAGEMENT ISSUES


BLACKBERRY SMARTPHONE (LESS THAN BB 10)
- The upgrade feature means the install and remove actions
- At least an application ID is required
- An accessible running-application list
- Handling another app silently via API
- Handling another application silently via PC tools may need a password
- Debug mode is for tracing and debugging only
- Easy tracking of the newly arriving .COD modules for the malware payload

BLACKBERRY PLAYBOOK (PROBABLY BLACKBERRY 10)
- The upgrade means user interaction with AppWorld and the home screen
- There are some APIs, but disabled; there is no API for such actions yet
- Handling another application silently via PC tools may need a password and strongly needs an activated debug mode
- Looks more secure than the BlackBerry smartphone, but distributed malware is difficult to remove

THE CLIPBOARD ISSUES


BLACKBERRY SMARTPHONE
- How to reveal the data in real time: getClipboard()
- Any protection? Native wallets restrict clipboard access by returning null, but only while the application is active (on top of the screen stack); it does not work in the minimized state

BLACKBERRY PLAYBOOK
- How to reveal the data in real time: getData()
- Any protection? No native wallet application
- Managing the last clipboard data via a shared folder: plain text, HTML, etc.

THE PHOTOSCREEN ISSUES


- Available for all BlackBerry devices, but disabled for the PlayBook and BlackBerry 10 yet
- Screen protection via switching permit/restrict, additionally per application, but it does not handle windows
- Handles the key preview of the virtual keyboard; may be improved by XORing two photoscreens to get the difference
- Masking the asterisks takes a delay long enough to steal the text
- May feed OCR engines, online or desktop, which recognize typed data very quickly; was tested on ABBYY online OCR
- Substitute for a hardware keylogger, running down the battery more slowly than the photo/video camera
- Easy access to any application or wallet; not even a restriction like the clipboard null
- Screenshots are often stored in the camera folder: the same file access

THE MESSAGES ISSUES


- Available on the BB devices, probably on BlackBerry 10; no 3G and no API for the PlayBook
- Using the authorized API to intercept messages (BBM, email, PIN-to-PIN): create the message, read the message, delete the message, set the message status (unread, sent, any error state, etc.); the button events (the same types): opening, forwarding and sending the message
- Intercepting the SMS (basic): receiving and sending events; deleting the sent and received SMS; enough to handle social C&C SMS
- Outgoing SMS (advanced): blocking (dropping) the SMS; a notification in the message thread; spoofing the recipient; the body transmission is refused if such a message was not removed

THE DEVICE PASSWORD ISSUES


- For BlackBerry 4-7 in the internal case; for all devices in the desktop-access case
- The password protection covers the device locking and encryption feature and the AppWorld request
- Limited to 5/10 attempts, then wipe; the wipe covers the internal storage only
- Extracting the password through an Elcomsoft product (custom case)
- GUI vulnerability: creating a fake window on desktop synchronization
- Breaking into BB Desktop Software: handling the desktop software vulnerability by unmasking the field, grabbing the password, masking the field; the delay takes not more than 15 msec
- Affected password types: the device password, the backup password
- Affected devices: BlackBerry 4-7 (BB 10 highly probably), BlackBerry PlayBook

THE GUI EXPLOITATION


CONSEQUENCE OF WIDE INTEGRATION FEATURES OFFERED TO DEVELOPERS (BLACKBERRY 4-7 ONLY)
- Initially based on the authorized API: covers all physical and navigation buttons and typing of textual data; affects all native and third-party apps
- Secondarily based on adding menu items into the global menu and into the "send via" menu; affects all native applications
- Native applications are developed by RIM: BlackBerry wallets, messages, settings, Facebook, Twitter, BBM/GTalk/Yahoo/Windows IMs
- GUI exploitation handles: redrawing the screens; adding new GUI objects; changing their properties; grabbing the text from any field (incl. the password field, the unlock-the-device field, the set-up-the-password field); adding and removing field data
- Original data is inaccessible but not affected; shuffling GUI objects is not possible

THE THIRD PARTY EXPLOITATION


THERE ARE A FEW OF THEM; THEY MIGHT HAVE AN EXPLOIT BUT RUIN NATIVE SECURITY
- Kaspersky Mobile Security: provides firewall, wipe, block and info features; no protection from removing .CODs; no protection under the simulator (examining the traffic and behaviour); should check the "is simulator" API; SMS management (quite secret SMS): the password is four to sixteen digits, set and modifiable in real time; the SMS carries half a hash value of GOST R 34.11-94; the implementation uses test crypto values and no salt, so tables (value to hash) are easily built; outgoing SMS can be spoofed without any notification; outgoing SMS can block or wipe the same device or another device
- McAfee Mobile Security: provides firewall, wipe, block and info features; no protection from removing .CODs; no protection under the simulator (examining the traffic and behaviour); should check the "is simulator" API; web management console; difficult to break the SMS C&C
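Why an unsalted half-digest of a short numeric password is a lookup rather than a secret, and what a keyed token changes, as an added illustration that is not from the slides or from either vendor's code. Python's hashlib does not ship GOST R 34.11-94, so SHA-256 stands in for it; the PIN, device secret and nonce are constructed values.

```python
import hashlib
import hmac
import itertools
import secrets

# Stand-in for the GOST R 34.11-94 digest the slide mentions (assumption:
# SHA-256 instead, since hashlib has no GOST). Only the structure matters:
# hash the bare PIN, no salt, keep half of the digest.
def unsalted_half_hash(pin: str) -> str:
    digest = hashlib.sha256(pin.encode()).hexdigest()
    return digest[: len(digest) // 2]

def build_lookup_table(pin_length: int) -> dict:
    """Precompute token -> PIN for every numeric PIN of the given length.
    Without a salt or key, one table serves every device and every SMS."""
    table = {}
    for digits in itertools.product("0123456789", repeat=pin_length):
        pin = "".join(digits)
        table[unsalted_half_hash(pin)] = pin
    return table

def recover_pin(table: dict, observed_token: str):
    """An intercepted token is answered by a dictionary lookup."""
    return table.get(observed_token)

def keyed_token(pin: str, device_secret: bytes, nonce: bytes) -> str:
    """Hardened form: HMAC over nonce + PIN under a per-device secret.
    A precomputed table is useless because the output depends on a key the
    attacker lacks, and the nonce makes each token single-use."""
    return hmac.new(device_secret, nonce + pin.encode(), hashlib.sha256).hexdigest()

def demo():
    table = build_lookup_table(4)          # 10,000 entries, built in well under a second
    observed = unsalted_half_hash("4719")  # constructed: a captured command token
    recovered = recover_pin(table, observed)
    device_secret = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    hardened = keyed_token("4719", device_secret, nonce)
    # the same table does not contain the keyed token, even truncated to half
    return recovered, hardened[:32] in table

if __name__ == "__main__":
    print(demo())  # ('4719', False)
```

The table size grows only with the PIN length (10**n entries), which is exactly the "tables are easily built" point on the slide; the keyed variant removes that shortcut without changing the message format.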

THE PERMISSIONS
PRIVILEGED GENERAL PERMISSIONS
- Denial of service: replacing/removing exec files; DoSing events, noising fields; GUI intercept
- Information disclosure: clipboard, screen capture; GUI intercept; dumping .COD files and shared files
- MITM (interception / spoofing): messages; GUI intercept; third-party apps; fake window / clickjacking

OWN APPs, NATIVE & 3RD PARTY APPs FEATURES
- General permissions instead of specific sub-permissions
- A few notification/event logs for the user
- Built per application instead of per app screen
- Concrete permissions exist but are combined into a general permission: a screenshot permission is part of the camera permission

CONCLUSION
THE VENDOR SECURITY VISION HAS NOTHING TO DO WITH REALITY, AGGRAVATED BY SIMPLICITY
- Simplification and reduction of security controls
- Many general permissions, combined into each other; no activity logs for sub-permissions to prove transparency
- Any security vulnerability is only fixed by an entirely new and different OS / kernel
- A few permissions are closed to user actions
- The sandbox protects only application data; users have to store their data in shared folders or external storage, and applications continue to store data in public folders because they are governed by chance of availability
- MITM / interception actions are often silent: the native spoofing and interception features
- BlackBerry Enterprise Solution / BlackBerry Mobile Fusion is not very effective
- The best security (permissions) is ruled by Amazon Web Services: permissions should rely on a set of different useful cases instead of a specific permission list

THANK YOU
YURY CHEMERKIN
