Introducing The Smartphone Pentesting Framework - Georgia Weidman, Bulb Security

Transcription

Introducing the Smartphone Pentesting Framework. Georgia Weidman, Bulb Security LLC. Approved for Public Release, Distribution Unlimited.

The Problem: Smartphones in the Workplace

Smartphones in the workplace: they access your data, store company emails, connect to VPNs, and generate one-time passwords.

Threats against smartphones: apps. Malicious apps steal your data, remotely control your phone, etc. This happens on all platforms, some more easily than others. If your employees have a malicious Angry Birds add-on, what is it doing with your data?

Threats against smartphones: software bugs. Browsers have bugs. Apps have bugs. Kernels have bugs. Malicious apps, web pages, etc. can exploit these and gain access to data.

Threats against smartphones: social engineering. Users can be tricked into opening malicious links or downloading malicious apps.

Threats against smartphones: jailbreaking. Smartphones can be jailbroken, giving a program express permission to exploit your phone. Once it is exploited, what else does the jailbreaking program do?

Remote vulnerability example. Jailbroken iPhones all have the same default SSH password. How many jailbroken iPhones still have the default SSH password (anyone can log in as root)?

Client-side vulnerability example. Smartphone browsers, etc. are subject to vulnerabilities. If your users surf to a malicious page, their browsers may be exploited. Are the smartphone browsers in your organization vulnerable to browser exploits?

Social engineering vulnerability example. SMS is the new email for spam/phishing attacks: “Open this website”, “Download this app”. Will your users click on links in text messages? Will they download apps from 3rd parties?

Local vulnerability example. Smartphones have kernel vulnerabilities, used by jailbreaks and malicious apps. Are the smartphones in your organization subject to local privilege escalation vulnerabilities?

Post exploitation: command shell, app-based agent. Payloads: information gathering, local privilege escalation, remote control.

The question. A client wants to know if the environment is secure. I as a pentester am charged with finding out. There are smartphones in the environment. How do I assess the threat of these smartphones?

What's out there now? Pentesting from smartphones: zAnti. Smartphone tool live CDs: MobiSec (another DARPA project). Pentesting smartphone apps: Mercury. Pentesting smartphone devices: ?

Structure of the framework

Framework console

Framework GUI

Framework Smartphone App

What you can test for: remote vulnerabilities, client-side vulnerabilities, social engineering, local vulnerabilities.

Demos! Using the console, using the GUI, using the app, using an agent, using a shell. Remote test, client-side test, local test.

Future of the project: more modules in each category, more post-exploitation options, continued integration with Metasploit and other tools, community-driven features, more reporting capabilities.

<3 to DARPA. The DARPA Cyber Fast Track program funded this project. Without them I'd still be a junior pentester at some company. Now I'm CEO! <3 <3 <3 <3 <3

Contact: Georgia Weidman, Bulb Security, LLC. georgia @ bulbsecurity.com, georgiaweidman.com, bulbsecurity.com, @georgiaweidman