Jun 21, 2015
#ISC2Congress Strengthening Cybersecurity Defenders
A Day in the Life of Your Mobile Phone
Rob Barnes, CISSP®, CSSLP®
Software Security Architect, The College Board
#YourPhoneHatesYou
(or: how your phone hates you)
3 #ISC2Congress
Reality:
Your phone hates you.
How we like to think our phones protect our privacy:
4 #ISC2Congress
Things you do every day
» Check email
» Check weather
» Check stocks
» Use social media
» Take photos
» Post photos
» Buy coffee
» Sync device with phone
» Join Wi-Fi access points
» Send email
» Navigate with map
» Research restaurants
» Place hands-free calls
» Browse websites
» (Plus all the things your kids do that you don’t know about)
5 #ISC2Congress
Things your phone does every day
Collects location information (Divulges location information.)
Collects personal information (Divulges personal information.)
Collects usage information (Divulges usage information.)
6 #ISC2Congress
Does it matter?
97% of mobile applications access personal address books, social media pages and
connectivity options like Bluetooth or Wi-Fi.
86% of mobile applications are insecure.
But it doesn’t matter. 100% of what you do reveals something about you.
http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.VA2ntvlr6Cc
http://threatpost.com/insecure-applications-we-are-84-percent-120711/75961
7 #ISC2Congress
Don’t think like an attacker.
Think like:
a marketer.
a parent.
a forensic investigator.
8 #ISC2Congress
Location Privacy: Using the device
9 #ISC2Congress
Location Privacy: Browsing
This is where I spent my summer, as told by a web service:
10 #ISC2Congress
Location and Device Privacy
When you (or an app) access a web page or web service, it sends the following information:
108.28.101.205
08/Sep/2014:14:18:45 -0400
Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X) Version/6.0 Mobile/10B350 Safari/8536.25
(a two-for-one bonus!)
Belongs to Verizon FiOS in Chantilly, VA
Browser version
Firmware version = iOS 6.1.4
Device make and model (OLD!)
11 #ISC2Congress
Location Privacy: Using apps
Are you sure you’re just checking the weather? As a bonus to you, Weather Channel shares your usage statistics!
» http://or1.sc.omtrdc.net/b/ss/twciiphonescroll/0 . . .
» Resolution=640x1136
» AppID=iPhone 6.2.1 (420573)
» TimeSinceLaunch=58
» DeviceName=iPhone6,1
» action=weather:data-refresh-requested
» OSVersion=iOS 7.1.2
» CarrierName=Verizon
» actionTracking=weatherdatarefreshrequested
» ts=1408722639
(which translates to 8/22/2014 11:50:39 AM)
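Added example, not part of the talk: a Python script that pulls out the fields the two preceding slides describe, from a constructed access-log line and a constructed analytics beacon. The log line is assembled here from the IP address, timestamp and User-Agent shown on the "Location and Device Privacy" slide; the beacon URL re-encodes the slide's parameters as a query string on the truncated path; the build table contains only the 10B350 = iOS 6.1.4 pairing the slides give, and the -0400 offset is taken from the log line. Running something like this over your own server or proxy logs shows what they retain about each visitor.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample input: the access-log fields from the slide, reassembled
# into common-log form (request, status and size are filler).
ACCESS_LOG_LINE = (
    '108.28.101.205 - - [08/Sep/2014:14:18:45 -0400] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X) '
    'Version/6.0 Mobile/10B350 Safari/8536.25"'
)

# Build-number table: only the pairing the slides themselves state.
IOS_BUILDS = {"10B350": "6.1.4"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_access_log_line(line):
    """Return the privacy-relevant fields one request hands to a web server."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log format")
    ua = m.group("ua")
    os_match = re.search(r"iPhone OS (\d+(?:_\d+)*)", ua)
    build_match = re.search(r"Mobile/(\w+)", ua)
    build = build_match.group(1) if build_match else None
    return {
        "ip": m.group("ip"),                     # geolocates to ISP and city
        "timestamp": m.group("ts"),
        "device": "iPhone" if "iPhone" in ua else None,
        # The OS version is given twice: once in the UA string ...
        "os_version": os_match.group(1).replace("_", ".") if os_match else None,
        # ... and once via the Safari build number (the "two-for-one").
        "build": build,
        "os_version_from_build": IOS_BUILDS.get(build) if build else None,
    }


# Constructed beacon: the slide's fields, URL-encoded as an analytics request
# would carry them (the real path is truncated on the slide).
BEACON_FIELDS = {
    "Resolution": "640x1136",
    "AppID": "iPhone 6.2.1 (420573)",
    "TimeSinceLaunch": "58",
    "DeviceName": "iPhone6,1",
    "action": "weather:data-refresh-requested",
    "OSVersion": "iOS 7.1.2",
    "CarrierName": "Verizon",
    "actionTracking": "weatherdatarefreshrequested",
    "ts": "1408722639",
}
BEACON_URL = "http://or1.sc.omtrdc.net/b/ss/twciiphonescroll/0?" + urlencode(BEACON_FIELDS)


def parse_beacon(url, utc_offset_hours=-4):
    """Decode an analytics beacon into the fields the app shares; the epoch
    'ts' is rendered in the same local offset the log line above uses."""
    qs = parse_qs(urlsplit(url).query)
    fields = {k: v[0] for k, v in qs.items()}
    if "ts" in fields:
        tz = timezone(timedelta(hours=utc_offset_hours))
        local = datetime.fromtimestamp(int(fields["ts"]), tz)
        fields["ts_local"] = local.strftime("%Y-%m-%d %H:%M:%S")
    return fields


if __name__ == "__main__":
    for k, v in parse_access_log_line(ACCESS_LOG_LINE).items():
        print(f"log  {k:>22}: {v}")
    for k, v in parse_beacon(BEACON_URL).items():
        print(f"beacon {k:>20}: {v}")
```

The beacon's `ts` decodes to 11:50:39 on 22 Aug 2014 in the -0400 offset, which is the value the slide gives; the device model, carrier and OS version come through as plain query parameters, so anyone who can read the request (the analytics vendor, a proxy, a captive-portal operator) gets them too.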
12 #ISC2Congress
Location Privacy: Using apps
Sure enough, you agreed to all of this.
13 #ISC2Congress
Why should you care?
“Big Data” marketing can infer:
When you’re at home
When you’re at work
When you’re driving
14 #ISC2Congress
Why should you care?
An attacker can infer:
When you’re at home
…and when you’re not
15 #ISC2Congress
Device Privacy: Using Wi-Fi
Hi! Can I please join your network? My MAC address is DC:9B:9C:xx:xx:xx!
Sure! (Ah…so you’re an Apple device…)
Thanks! Oh, also, my name is “Rob Barnes’s iPhone 5”!
OK, thanks. Welcome! (Welcome, indeed, “Rob Barnes”!)
16 #ISC2Congress
Device Privacy: Using Wi-Fi
Hey, it’s “Rob Barnes’s iPhone 5” again. Sorry to bother you. What is the IP address for email.mycompany.com?
It’s 209.48.123.456.
17 #ISC2Congress
Why should you care?
Dear Rob Barnes:
Congratulations! Your iPhone 5 is eligible for a free upgrade! Please click here for details, or visit your local Atlanta Apple retail store.
This message was sent to [email protected]. Click here to unsubscribe from future emails.
Sincerely,
The Apple Customer Loyalty Team
18 #ISC2Congress
Device Privacy: Using Wi-Fi
belkin.d36
belkin.d36.guests
HoundNet_Guest
xfinitywifi
DUKE
LCPS-OPEN
Residence_GUEST
Marriott_Guest
Kimpton
Marriott_CONFERENCE
Dunn_Bros_337!
Carlton
My stored Wi-Fi networks (com.apple.wifi.plist)
19 #ISC2Congress
Device Privacy: Using Wi-Fi
Marriott_Guest
<key>lastAutoJoined</key><date>2014-07-13T06:33:08</date>
<key>SSID_STR</key><string>Marriott_Guest</string>
<key>Strength</key><real>0.9104790687561035</real>
<key>CAPABILITIES</key>
<key>NOISE</key><integer>91</integer>
<key>isWPA</key><integer>0</integer>
<key>CaptiveNetwork</key><boolean>true</boolean>
<key>lastJoined</key><date>2014-07-12T16:22:16</date>
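Added example, not from the talk: a small Python walker for the kind of plist entry shown above, written to make explicit what one stored network record reveals (where, when, and whether the link was protected) and to mechanise the "forget the network" advice from the protection slides. The sample is the slide's Marriott_Guest entry wrapped in a `<dict>`; it is parsed with `xml.etree` rather than `plistlib` because the slide's rendering (a `<boolean>` element, dates without a trailing Z, a `CAPABILITIES` key with no value) is not the form `plistlib` accepts. The dangling key is recorded as `None` instead of aborting the parse. The 30-day threshold in `forget_candidates` is an assumption of this example, not a figure from the talk.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the slide's Marriott_Guest record, wrapped in <dict>.
SAMPLE_PLIST_FRAGMENT = """<dict>
<key>lastAutoJoined</key><date>2014-07-13T06:33:08</date>
<key>SSID_STR</key><string>Marriott_Guest</string>
<key>Strength</key><real>0.9104790687561035</real>
<key>CAPABILITIES</key>
<key>NOISE</key><integer>91</integer>
<key>isWPA</key><integer>0</integer>
<key>CaptiveNetwork</key><boolean>true</boolean>
<key>lastJoined</key><date>2014-07-12T16:22:16</date>
</dict>"""


def _convert(elem):
    """Turn one plist value element into a Python value."""
    tag, text = elem.tag, (elem.text or "")
    if tag == "string":
        return text
    if tag == "integer":
        return int(text)
    if tag == "real":
        return float(text)
    if tag == "date":
        return datetime.fromisoformat(text.rstrip("Z"))
    if tag in ("boolean", "true", "false"):   # <boolean>true</boolean> as on the slide, or <true/>
        return tag == "true" or text.strip().lower() == "true"
    if tag == "dict":
        return parse_dict(elem)
    return text


def parse_dict(dict_elem):
    """Walk a plist <dict>: each <key> is followed by a value element, except a
    dangling key (CAPABILITIES in the sample), which maps to None."""
    result, pending = {}, None
    for child in dict_elem:
        if child.tag == "key":
            if pending is not None:          # previous key had no value
                result[pending] = None
            pending = child.text
        else:
            if pending is None:
                raise ValueError("value element without a preceding <key>")
            result[pending] = _convert(child)
            pending = None
    if pending is not None:
        result[pending] = None
    return result


def parse_network(fragment):
    """Parse one network record (a <dict> fragment) into a plain dict."""
    return parse_dict(ET.fromstring(fragment))


def summarize(network):
    """What a stored entry reveals: the place, the time, and the link's protection."""
    return {
        "ssid": network.get("SSID_STR"),
        "open": network.get("isWPA") == 0,                 # no WPA: traffic was in the clear
        "captive_portal": bool(network.get("CaptiveNetwork")),
        "last_joined": network.get("lastJoined"),
    }


def forget_candidates(networks, now, max_age_days=30):
    """SSIDs not joined within max_age_days: the 'forget the network' advice,
    made mechanical. `now` may be a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return [n["SSID_STR"] for n in networks
            if n.get("lastJoined") and (now - n["lastJoined"]).days > max_age_days]


if __name__ == "__main__":
    net = parse_network(SAMPLE_PLIST_FRAGMENT)
    print(summarize(net))
    print("forget:", forget_candidates([net], "2014-09-08T14:18:45"))
```

Each record in the real file is one element of a larger array, so a full audit walks that array with `parse_dict` per entry and feeds the results to `forget_candidates`; an open, captive-portal hotel network last joined two months ago is exactly the kind of entry the slides suggest removing.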
20 #ISC2Congress
Device Privacy: MAC
Ever get the feeling that you’re being watched?
http://qz.com/112873/this-recycling-bin-is-following-you/
This recycling bin is tracking you.
21 #ISC2Congress
Device Privacy: MAC
http://www.moxieretail.com/storage/heat_map2.jpg
Ever get the feeling that you’re being watched?
Your supermarket is tracking you.
22 #ISC2Congress
Why should you care?
Loyalty Card
You
23 #ISC2Congress
A picture is worth 1,000 words…
http://sophosnews.files.wordpress.com/2012/12/mcafee-exif.jpg?w=640
24 #ISC2Congress
…and some EXIF data as well…
Exif Image Size: 470 × 353
Make: Apple
Camera Model Name: iPhone 4
Orientation: Horizontal (normal)
Date/Time Original: 2012:12:03 12:26:00
Create Date: 2012:12:03 12:26:00
Flash: Off, Did not fire
GPS Latitude Ref: North
GPS Latitude: 15.658167 degrees
GPS Longitude Ref: West
GPS Longitude: 88.992167 degrees
GPS Altitude Ref: Above Sea Level
GPS Altitude: 7.152159468 m
Resolution: 72 pixels/inch
25 #ISC2Congress
…and some geolocation, too.
26 #ISC2Congress
Usage Privacy: Using email
iOS mail header:
X-Mailer: iPhone Mail (10B350) [10B350 = iOS 6.1.4]
Android mail header:
X-Mailer: YahooMailAndroidMobile/3.1.3
27 #ISC2Congress
Usage Privacy: Using Bluetooth
http://cnet3.cbsistatic.com/hub/i/r/2013/08/22/2cbcf893-6de6-11e3-913e-14feb5ca9861/resize/620x/e604bfe06973383ec0c3ca6323c35487/142B6607.jpg
28 #ISC2Congress
How to Protect Yourself
» Location Services
  • Turn it off
  • Use it selectively
» Browsing
  • Use Onion browser (or other Tor equivalent)
  • Maintain awareness
» Wi-Fi
  • Do not connect to untrusted networks
    – (But if you do, assume everything you do is monitored)
    – (Also, tell your device to “forget” the network when you’re done.)
29 #ISC2Congress
How to Protect Yourself
» EXIF Data
  • iOS
    – TrashExif
    – Metadata Cut
  • Android
    – EXIF Stripper
    – Photo Editor
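Added example, not from the talk and not the code of any of the apps named above: a dependency-free Python script showing what the EXIF slide and the "EXIF Data" protection item are about. It walks a JPEG's marker segments, finds the Exif APP1 segment, follows IFD0 to the GPS IFD and converts the degree/minute/second rationals to the decimal coordinates, then strips the segment the way an EXIF-stripper app does. The sample JPEG is a stub built here (SOI, one APP1 segment, EOI, no image data) carrying the slide's 15.658167 N, 88.992167 W; the tag numbers (GPSInfo 0x8825, GPS tags 1 to 4) and TIFF layout are the standard Exif ones.

```python
import struct


def _rationals(triples):
    return b"".join(struct.pack("<II", num, den) for num, den in triples)


def build_exif_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed stub: a little-endian TIFF with IFD0 -> GPS IFD inside APP1.
    lat_dms/lon_dms are three (numerator, denominator) pairs: deg, min, sec."""
    gps_ifd_off = 26                          # header (8) + IFD0 with one entry (18)
    lat_off = gps_ifd_off + 2 + 4 * 12 + 4    # 4-entry GPS IFD ends at offset 80
    lon_off = lat_off + 24                    # three RATIONALs = 24 bytes
    tiff = b"II" + struct.pack("<HI", 42, 8)
    # IFD0: one entry, GPSInfo (0x8825, type LONG, count 1, value = GPS IFD offset), then next-IFD 0
    tiff += struct.pack("<HHHII", 1, 0x8825, 4, 1, gps_ifd_off) + struct.pack("<I", 0)
    # GPS IFD: ASCII refs fit inside the 4-byte value field; coordinates live out of line
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", 0x0001, 2, 2, lat_ref.encode())
    gps += struct.pack("<HHII", 0x0002, 5, 3, lat_off)
    gps += struct.pack("<HHI4s", 0x0003, 2, 2, lon_ref.encode())
    gps += struct.pack("<HHII", 0x0004, 5, 3, lon_off)
    gps += struct.pack("<I", 0)
    tiff += gps + _rationals(lat_dms) + _rationals(lon_dms)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


# The slide's coordinates as DMS rationals: 15 39' 29.4012" N, 88 59' 31.8012" W
SAMPLE_JPEG = build_exif_jpeg([(15, 1), (39, 1), (294012, 10000)], "N",
                              [(88, 1), (59, 1), (318012, 10000)], "W")


def iter_segments(jpeg):
    """Yield (marker, payload, raw_segment) for each marker segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI or SOS: scan data follows, stop here
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos + 4:pos + 2 + length], jpeg[pos:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, off, end):
    """Map tag -> (type, count, 4-byte value/offset field) for the IFD at `off`."""
    (n,) = struct.unpack(end + "H", tiff[off:off + 2])
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _dms_to_decimal(tiff, end, entry, ref):
    """Three RATIONALs (deg, min, sec) -> signed decimal degrees."""
    typ, count, field = entry
    if typ != 5 or count != 3:
        raise ValueError("unexpected GPS coordinate encoding")
    (off,) = struct.unpack(end + "I", field)  # 24 bytes never fit inline, so this is an offset
    d, m, s = (num / den for num, den in struct.iter_unpack(end + "II", tiff[off:off + 24]))
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, payload, _ in iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        end = "<" if tiff[:2] == b"II" else ">"
        (ifd0_off,) = struct.unpack(end + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, end)
        if 0x8825 not in ifd0:
            return None
        (gps_off,) = struct.unpack(end + "I", ifd0[0x8825][2])
        gps = _read_ifd(tiff, gps_off, end)
        if not all(t in gps for t in (1, 2, 3, 4)):
            return None
        lat_ref, lon_ref = gps[1][2][:1].decode(), gps[3][2][:1].decode()
        return (_dms_to_decimal(tiff, end, gps[2], lat_ref),
                _dms_to_decimal(tiff, end, gps[4], lon_ref))
    return None


def strip_exif(jpeg):
    """Copy the JPEG without its Exif APP1 segment(s); every other byte is kept."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, payload, raw in iter_segments(jpeg):
        if not (marker == 0xE1 and payload.startswith(b"Exif\0\0")):
            out += raw
        pos += len(raw)
    out += jpeg[pos:]                         # SOS, scan data and EOI pass through untouched
    return bytes(out)


if __name__ == "__main__":
    print("before:", extract_gps(SAMPLE_JPEG))
    print("after: ", extract_gps(strip_exif(SAMPLE_JPEG)))
```

The stripper removes the whole APP1 block rather than zeroing the GPS tags, which is what the apps listed above do as well; that also drops the make, model and capture time shown on the EXIF slide. Before sharing, run `extract_gps` on the output as the check that nothing survived.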
30 #ISC2Congress
How to Protect Yourself
» MAC Tracking
  • iOS
    – Upgrade to iOS 8
  • Android
    – Pry-Fi (requires rooting the device)
» Bluetooth
  • Delete any data from synced devices
    – This becomes increasingly applicable with iOS 8’s HealthKit
31 #ISC2Congress
The End.
Rob Barnes
ww.linkedin.com/in/robertdbarnes
#YourPhoneHatesYou