15. Infection Vectors - In Local
• Bootable CD/DVD/USB
• Bad-USB
• Customized jail-breaking or rooting tools for mobile devices
https://youtu.be/oNsXKPHBR3s?t=4m32s
19. Infection Vectors - Mactans (BlackHat 2013)
• Injecting Malware into iOS Devices via Malicious Charger
• Yeongjin Jang, Billy Lau, Chengyu Song, Georgia Institute of Technology
20. Infection Vectors - In Remote
• Sending an executable or document file
• Sending a link or QR code that leads to malware
• Modifying network traffic on the fly (acting on data downloaded to the target's device)
  • Replace URL resource
  • Inject-EXE
  • Inject-HTML-Flash (0-day vulnerabilities)
24. Infection Vectors - In Remote: Network Injection
https://youtu.be/BXTyxAsYk3w?t=12s
25. Capture Sensitive Data
Sensitive data that a stealer can capture: Money, Call, Message, Password, Contacts, Location, MIC, E-Mail, Camera, KeyLog, Clipboard, Web History, File, Screenshot
30. Capture Sensitive Data - iOS Call & Voice
• Audio Unit hooking by Substrate
• Dumping the audio buffer: the mic and speaker streams are read as mono LPCM and interleaved into one stereo file (left channel = mic, right channel = speaker), which ExtAudioFile converts to AAC on write.

    #include <AudioToolbox/AudioToolbox.h>
    #include <stdbool.h>
    #include <stdlib.h>
    #include <string.h>

    // Assumed to be set up before this point: sampleSize (bytes per LPCM sample),
    // bufferSizeInSamples (frames per read), and the ExtAudioFileRef handles
    // micFile and speakerFile (mono inputs) and mixFile (stereo output, AAC client format).
    AudioBufferList micBuffer;
    micBuffer.mNumberBuffers = 1;
    micBuffer.mBuffers[0].mNumberChannels = 1;
    micBuffer.mBuffers[0].mDataByteSize = sampleSize * bufferSizeInSamples;
    micBuffer.mBuffers[0].mData = malloc(micBuffer.mBuffers[0].mDataByteSize);

    AudioBufferList speakerBuffer;
    speakerBuffer.mNumberBuffers = 1;
    speakerBuffer.mBuffers[0].mNumberChannels = 1;
    speakerBuffer.mBuffers[0].mDataByteSize = sampleSize * bufferSizeInSamples;
    speakerBuffer.mBuffers[0].mData = malloc(speakerBuffer.mBuffers[0].mDataByteSize);

    // Stereo output: two channels, so twice the bytes per frame
    AudioBufferList mixBuffer;
    mixBuffer.mNumberBuffers = 1;
    mixBuffer.mBuffers[0].mNumberChannels = 2;
    mixBuffer.mBuffers[0].mDataByteSize = sampleSize * bufferSizeInSamples * 2;
    mixBuffer.mBuffers[0].mData = malloc(mixBuffer.mBuffers[0].mDataByteSize);

    // Converting
    while (true)
    {
        // Reading data from input files; framesToRead is updated to the count actually read
        UInt32 framesToRead = bufferSizeInSamples;
        ExtAudioFileRead(micFile, &framesToRead, &micBuffer);
        ExtAudioFileRead(speakerFile, &framesToRead, &speakerBuffer);
        if (framesToRead == 0)
        {
            break;
        }
        // Building interleaved stereo buffer - left channel is mic, right - speaker
        for (UInt32 i = 0; i < framesToRead; i++)
        {
            memcpy((char*)mixBuffer.mBuffers[0].mData + i * sampleSize * 2,
                   (char*)micBuffer.mBuffers[0].mData + i * sampleSize, sampleSize);
            memcpy((char*)mixBuffer.mBuffers[0].mData + i * sampleSize * 2 + sampleSize,
                   (char*)speakerBuffer.mBuffers[0].mData + i * sampleSize, sampleSize);
        }
        // Writing to output file - LPCM will be converted to AAC
        ExtAudioFileWrite(mixFile, framesToRead, &mixBuffer);
    }

    // Closing files and releasing the buffers
    ExtAudioFileDispose(micFile);
    ExtAudioFileDispose(speakerFile);
    ExtAudioFileDispose(mixFile);
    free(micBuffer.mBuffers[0].mData);
    free(speakerBuffer.mBuffers[0].mData);
    free(mixBuffer.mBuffers[0].mData);
31. Capture Sensitive Data - Messages & other data
• Messages stored as files (.db, .sqlite, .xml, etc.)
  • Plain text
  • Encrypted: needs decryption (usually the key is stored in local storage)
32. Capture Sensitive Data - Encrypted messages: the case of KakaoTalk
• AES-256-CBC encryption
• Encryption key generated from the UserId
• IV is static (1608096f02172b0821210a1003030706)
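What the combination on this slide (one key per user, one constant IV) gives away, as an added Go example that is not from the deck or from KakaoTalk's code: two messages encrypted under the same key and the static IV quoted above have ciphertexts whose common leading blocks reveal how much plaintext prefix they share, while a fresh per-message IV hides that. The key and messages are constructed sample values; the UserId-based key derivation is not modelled, a fixed constructed key stands in for it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// IV quoted on the slide; with a per-user key every stored message reuses it.
var staticIV = []byte{0x16, 0x08, 0x09, 0x6f, 0x02, 0x17, 0x2b, 0x08, 0x21, 0x21, 0x0a, 0x10, 0x03, 0x03, 0x07, 0x06}

// encryptCBC is AES-256-CBC with PKCS#7 padding, returning ciphertext only.
func encryptCBC(key, iv, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	padded := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// sharedPrefixBlocks counts leading ciphertext blocks common to a and b. Under a fixed
// key and IV that equals the number of leading plaintext blocks the messages share.
func sharedPrefixBlocks(a, b []byte) int {
	n := 0
	for (n+1)*aes.BlockSize <= len(a) && (n+1)*aes.BlockSize <= len(b) &&
		bytes.Equal(a[n*aes.BlockSize:(n+1)*aes.BlockSize], b[n*aes.BlockSize:(n+1)*aes.BlockSize]) {
		n++
	}
	return n
}

// randomIV is the mitigation: a fresh IV per message, stored next to the ciphertext.
func randomIV() []byte {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	return iv
}

func main() {
	key := []byte("constructed-32-byte-demo-key!!!!") // constructed sample key, 32 bytes
	m1, m2 := []byte("hello world, meeting at 10"), []byte("hello world, meeting at 11")
	c1, _ := encryptCBC(key, staticIV, m1)
	c2, _ := encryptCBC(key, staticIV, m2)
	r1, _ := encryptCBC(key, randomIV(), m1)
	r2, _ := encryptCBC(key, randomIV(), m2)
	fmt.Println(sharedPrefixBlocks(c1, c2), sharedPrefixBlocks(r1, r2)) // prints "1 0"
}
```

The first number is what the database file alone leaks without any key (the two messages share their first 16-byte block); the second shows that a random IV removes the pattern.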
36. Capture Sensitive Data - Messages or other data
• Messages stored as files (.db, .sqlite, .xml, etc.)
  • Plain text
  • Encrypted: needs decryption (usually the encryption key is stored in local storage)
• Special permissions: accessibility
  • SMS, BLIND
40. Conclusion
We still confront security holes that we can hardly control, or cannot control at all:
• Injection on the network level
  : File reputation services
  : VPN
• Encryption
  : Trusted Platform Module - encrypt/decrypt sensitive data in the secure world
• Authentication brute-force attacks
  : 2-channel authentication