Showing posts with label auscert. Show all posts
Showing posts with label auscert. Show all posts

Mar 22, 2016

Hardware Hacking Chronicles: IoT Hacking for Offence and Defence

Enterprise companies are using consumer and IoT devices to complete (or expand) their services such as broadband, IPTV, media streaming, satellite, voice and 3G/4G services. Although the devices are owned by the service providers, subscribers have limited (or full) access to them with service agreements. In addition to that, some of consumer devices also have roles on corporate communications, environment security or employee services. Consumer devices are located at subscriber premises; therefore, the traditional security testing approach only covers backend services security, not the devices.

Consumer and IoT devices are susceptible to hardware hacking based attacks such as firmware dumping, re-flashing with a custom firmware, and getting low level access using the physical management interfaces such as SPI, JTAG and UART. Low level access obtained can be used to modify device behaviours or their initial states. This helps attackers to debug consumer devices and operator services, to find new vulnerabilities, and to obtain the device configuration which may contain credentials for the service infrastructure. 

Embedded device and hardware hacking is a rising skill set for penetration testers. It is required to understand targeted attacks which may include hardware implants, modified hardware attacking their own infrastructure or compromised devices that target the human factor. Some of advanced testing examples to be discussed are preparing a custom hardware for persistent access during a red teaming exercise, preparing a compromised consumer device for human factor pen-testing, attacking TR-069 services of a provider using smart home modems or altering the security controls of a device to abuse the service. 

The presentation focuses on how the existing security testing techniques should be evolved with hardware and IoT hacking, and how service providers can make their infrastructure secure for cutting-edge attacks. Essential hardware hacking information, identifying and using physical management interfaces, hardware hacking toolset, well-known hardware attacks and hardware testing procedure will be presented in a road map for consumer devices security testing. Also a security testing approach will be explained to develop new security testing services and to improve existing ones such as red teaming, human factor pen-testing and infrastructure pen-testing.

AusCERT 2016 - Thursday, 26th May 2016 - 11:40

Offensive Security Testing of Mobile Applications

Mobile applications and services are playing a key role in enterprise communications as well as financial and subscriber services. Larger organisations supervise mobile devices of employees for corporate communication and office collaboration. Financial companies offer mobile services to improve customer satisfaction and to shape their new habits. Service providers also supply mobile devices with some applications to offer their subscriber services such as entertainment or communication. However, due to insufficient security enforced on mobile applications, they are also under attack by malware, state-sponsored actors or just causal attackers who are after unauthorised financial benefits or cyber intelligence. Android, Windows and iOS mobile platforms offer security features to improve mobile security, they require full integration of mobile applications though.

This tutorial will be focused on the mobile applications security testing with practical exercises to highlight mobile security vulnerabilities of applications and design. Device security testing requirements including supervised devices, stolen device cases and MDM requirements will be discussed with demonstrations. New security testing techniques for Android, Windows and iOS applications will also be parts of the exercises such as assessing secure storage requirements, analysing multi-platform security integration, reverse engineering of mobile applications, testing cloud services and debugging supervised devices. The exercises are based on sample vulnerable applications as well as real life mobile applications available on the application stores. Improving mobile security testing skills may help software developers, consultants, administrators and architects to improve existing services as well as penetration testers to improve existing security testing services such as mobile applications and MDM security testing.

Tutorial registration (AusCERT Conference 2016)

TUTORIAL HEADLINES 

SECURITY TESTING REQUIREMENTS FOR MOBILITY 

Mobile applications and devices need a well-designed test platform for security assessments. Various test devices including tablets, mobile phones, virtual machines, embedded devices and watches are required to run target mobile applications. Jailbreaking and customisation of devices is another task to create a flexible test platform. In addition, essential test tools, official SDKs and vulnerable applications should be parts the test lab. In this section, participants will learn fundamentals of mobile security and how can they build a test lab.

DEVICE INTEGRATION SECURITY

Supervised devices, financial applications and subscriber services may need a secure platform integration to manage users’ actions. Secure storage, secure compile, encryption used and platform security objects such as sandboxing, internal services used (e.g. intent, broadcast, content provider, keychain/keystore), fingerprint modules, two-factor authentication and device policies are essential testing targets. Moreover, application specific services, information disclosure issues and functions used should be analysed in security perspective. During exercises, sample applications will be tested for common mobile security vulnerabilities, lack of platform integration, application specific security issues and insecure design.

REVERSE ENGINEERING

Reverse engineering for mobile applications is required to identify fundamental security issues such as information disclosure through source code, security bypass using runtime manipulation, insecure security and access management. In addition, it can be used for attacking target applications as malware, bypassing sandboxed information and bypassing security policies such as jailbreak detection and device enforcements. Reverse engineering section will teach fundamentals for mobile security such ARM shellcoding, explaining VMs (e.g. Xamarin/Mono, Dalvik and ART), disassembling mobile applications and debugging using GDB, LLDB and ADB. The exercises in this section will include unpacking and dissembling applications, Drozer exercises, runtime manipulation exercises using Cyript and GDB.

TRANSPORT SECURITY

Mobile applications need backend services on cloud or corporate networks to complete their features. However, most of mobile applications have security issues to implement transport security for backend services. Encryption issues such as lack of TLS enforcements, insecure crypto options and missing TLS pinning features are well-known security vulnerabilities for mobile implementations. Exercises in this section are based on using various proxies to intercept mobile traffic, attacking TLS implementations and bypassing TLS pinning.


BYOD and MDM SECURITY

Device security testing requirements including supervised devices, stolen device cases and MDM requirements will be discussed in this section. Various security problems of MDM solutions, well-known design issues, lack of cloud security and bypassing enforcements will be demonstrated.

Mar 21, 2014

AusCERT 2014 Tutorials from Sense of Security

Sense of Security will have 2 tutorials and 3 presentations at AusCERT 2014, details are accessible at the tutorials and the presentations pages of the event. 

Nathaniel Carew, Nadeem Ahmed Salim and I have prepared a penetration testing tutorial for mobile applications, registration link is accessible from here. We're planning to explain test procedures of the mobile pen-test, testing tools and the cutting-edge techniques. We will cover iOS and Android platforms for the tutorial, the demonstrations prepared for these platforms as well. They will be based on sample vulnerable applications and real applications from the application stores. The followings are the headlines of the mobile pen-test tutorial.

Penetration Testing for Mobile Applications and Web Services
  • Mobile Applications 101
    • Preparing a mobile pen-test lab 
  • Auditing platform integration 
    • Compile options, Encryption, Storage, Caching, Logs
  • Reverse engineering
    • Unpacking, Deobfuscating, Permission Management
    • Source code analysis, Protection bypass, Sandbox Issues
    • Runtime manipulation, Debugging
  • Transport and communication features 
    • Certificate pinning, MITM, Fake services

Moreover, Shawn Thompson and I have prepared an another tutorial as well, Next Generation Attacks and Countermeasures for VoIP. Registration link is accessible from here and the major tool of the tutorial, Viproy, is accessible from here. We're planning to demonstrate next generation VoIP attacks starting from the LAN attacks to the SIP, Skinny, Trust and Proxy attacks. The beta versions of the new Viproy modules will be in these demonstrations as well such as Skinny signalling protocol attacks, CDP support, Cisco vendor support for SIP, TCP and SSL support for SIP. We will prepare a test lab for the tutorial which includes different SIP servers, VLAN supported switch, Cisco SIP and Skinny services. The followings are the headlines of the mobile pen-test tutorial.

Next Generation Attacks and Countermeasures for VoIP
  • Network Infrastructure Analysis
    • WAN/LAN/VLAN analysis, Service discovery
  • IP Telephony Server Security
    • Weak configuration, Management issues
  • SIP, Skinny and RTP Analysis
    • Discovery, Authentication, Call tests, VAS
    • Enumeration, Eavesdropping, Call Spoofing
  • VoIP Clients’ Security 
  • Advanced Attacks
    • Trust hacking, Proxy hacking, DoS, Fuzzing
If you have further questions about these tutorials, feel free to contact me at fatih.ozavci at viproy.com.