Smartphone Hacks and Attacks:

A Demonstration of Current Threats to Mobile Devices

Daniel V. Hoffman, CISSP, CEH, CHFI

Chief Technology Officer

Troy Vennon, CISSP, CEH, OPST

Global Threat Center Research Engineer
 SMobile Global Threat Center
Exploit Research and Development
– Complete threat analysis against all exploit vectors
– Continual assessment of new devices and platforms
– Knowledge-share with worldwide device exploit
network

Malware Operation Center

– Actively monitor SMobile customer Malware alerts,
reporting and trending
– Monitor and scan publicly submitted Malware
samples
– Scan partner feeds for discovered/
recent viruses, Spyware, etc.
– Continually monitor underground and public Malware
bulletin boards, websites, newsgroups, etc.

Page 2 Copyright 2009 SMobile Systems

 • BlackBerry

• Symbian

• Windows Mobile

• iPhone

• Android

• Palm

Page 3 Copyright 2009 SMobile Systems

 Smartphone
Security Perfect
Storm?

Page 4 Copyright 2009 SMobile Systems

Smartphone Security – In The News

“Android Security Chief: Mobile-phone Attacks Coming”

PC World
August 12th 2009

"The smartphone OS will become a major security target," said Android Security Leader
Rich Cannings.

"We wanted developers to be able to upload their applications without anyone stopping
them from doing that," Cannings said. "Unfortunately this opens us up to malware."

Page 5
Identity Theft Moves to Mobile
• Identity theft is the Number 1 consumer crime in America¹

• Identity theft is a $50 billion per year industry¹

• 75% of “Phishing" e-mails are banking related¹

• 5 million U.S. consumers lost money to phishing attacks in 2008 - a 40% increase for that
period¹

• SMS (text) messaging is now the second leading conduit for phishing attacks¹

• 80% of mobile device owners store personal information on their handset ²

• 40% of users who store credit card information on their handset do not have a basic
password on the device to limit entry ²

• 24% of smartphone users store bank account details on their device ²

• 10% store credit card information ²

• Approximately 2 million smartphones were stolen in the US 2008 ²

¹ - Gartner Research
² - Credant Technologies

6
Page 6
 Mobile Banking is on the Rise

Page 7 Copyright 2009 SMobile Systems

 Mobile Banking Trojan – January 21, 2009

Page 8 Copyright 2009 SMobile Systems

 Phone Virus Steals Money – February 8, 2009

Page 9 Copyright 2009 SMobile Systems

 News Clips

Page 10
 • Smartphones are rapidly replacing feature
phones. Analyst predictions state that by 2012,
65% of all cell phone sales will be smartphones

• Cell phones are used for the same functions

and have the same capabilities as PCs

• While most PCs have at least some security

software in place, smartphones commonly do
not have any security software installed

Page 11 Copyright 2009 SMobile Systems

 Smartphones are the new PCs for consumers
Smartphones are the new workstations for
workers
Smartphones are susceptible to the exact
same threats as PCs

Page 12 Copyright 2009 SMobile Systems

 Threats to Mobile Devices

• Malware – Viruses, Worms, Trojans, Spyware

• Direct Attack – Attacking device interfaces, browser exploits, etc.

• Physical Compromise – Accessing sensitive data

• Data Communication Interception –

Sniffing data as it is transmitted
and received

• Authentication/Identity
Spoofing and Sniffing –
Accessing resources with a
user’s identity or credentials

• Exploitation and Misconduct –

Online predators, pornography,
inappropriate communications

Page 13 Copyright 2009 SMobile Systems

Are Application Signing and Review Processes the Answer?

Page 14 Copyright 2009 SMobile Systems

Page 15 Copyright 2009 SMobile Systems
Spyware Pushed By Carrier to BlackBerry Users

Page 16 Copyright 2009 SMobile Systems

Symbian Malware Infections

Page 17 Copyright 2009 SMobile Systems

 Let’s get specific as to what’s
happening today with,
Spyware, Direct Attacks and
Loss and Theft

Page 18 Copyright 2009 SMobile Systems

 Spyware Properties:
• Silently runs on devices without the
knowledge of the device user
• Easily installed via Trojans and other
Malware
• 2 of the top 3 BlackBerry infectors
are Spyware
• 4 of the top 5 Windows Mobile
infectors are Spyware

Spyware Capabilities:
• Intercept and post to a website every
SMS, MMS and e-mail (see image)
• Track every key typed by the device “Users and enterprises who are waiting to experience an infection before
implementing security software are placing themselves into the unsavory
• Remotely and silently turn on the position of unknowingly becoming infected with Spyware and having
phone to hear ambient conversations absolutely no security software in place to address that infection.”
– SMobile Global Threat Center
• Track the position of the device

Page 19 Copyright 2009 SMobile Systems

 Mobile Banking Keylogger

Page 20 Copyright 2009 SMobile Systems

 Spyware Demo

Page 21 Copyright 2009 SMobile Systems

 Threat: Direct Attack

Curse of Silence Demo

Page 22 Copyright 2009 SMobile Systems

 Curse of Silence Demo

Page 23 Copyright 2009 SMobile Systems

 Threat: Data Communication
Interception

Page 24 Copyright 2009 SMobile Systems

 iPhone E-mail Sniff

Sniffed Packets
118 and 140

Page 25 Copyright 2009 SMobile Systems

 Threat: Loss and Theft

Page 26 Copyright 2009 SMobile Systems

 Physical Compromise

• Even using a PIN/passcode

doesn’t guarantee protection
• Data is still unencrypted
• The authentication method can be
bypassed

Page
Page 27
27 Copyright 2009Copyright 2008 SMobile Systems
SMobile Systems
 iPhone “Encryption”

Page 28 Copyright 2009 SMobile Systems

 Threat: Exploitation and
Misconduct

Page 29 Copyright 2009 SMobile Systems

 Exploitation and Misconduct

Page 30 Copyright 2009 SMobile Systems

 Exploitation and Misconduct

Enterprises:
• Where is your data going?
• What is your employee e-mailing, storing on
their phone, texting?
• What pictures are employees taking; Data
Leakage Protection
• What websites are being visited with the
company device? You control your PCs, why
not your smartphones?

Page 31 Copyright 2009 SMobile Systems

…

Threat SMobile Product

Antivirus, Firewall,
Malware
Application Revocation, Update OS

Direct Attack Firewall, AntiVirus, Update OS

Physical Compromise Encryption, Lock and Wipe

Data Communication Interception VPN, SSL

VPN, Antivirus, SSL, Firewall, Update

Authentication Attacks
OS

Parental and Enterprise Controls,

Exploit and Misconduct
Application Revocation

* Treat the smartphone like a PC … because that’s essentially what it is

Page 32 Copyright 2009 SMobile Systems

 Conclusion

• Threats to smartphones do exist and devices are

being exploited. This is an undeniable fact and the
data supports it
• Smartphones are the new PCs and need to be
protected with the same security technologies
• Physical compromise is currently the easiest
means of exploitation
• Smartphone Malware does exist and has infected
devices
• Malware is now being written to be stealthy,
undetectable and for financial gain – infection and
exploitation can occur without the knowledge of the
device user/owner
• Not all smartphone security products do not
significantly drain the battery!

Page 33 Copyright 2009 SMobile Systems

 Additional Resources:

• SMobilesystems.com (Global Threat Center/Mobile

Security News)

• Ethicalhacker.net

• BlackJacking Book

• Complete Guide to NAC Book

Page 34 Copyright 2009 SMobile Systems