Security Response
Eric Chien | 10 Jul 2007 07:00:00 GMT | 0 comments

Some of us (Ollie Whitehouse, Eduardo Tang, and myself) are happy owners of the iPhone. However, not because we are constantly listening to music or using a pinching motion with our fingers to see pictures zoom and shrink, but because we get to analyze the attack surface. While the iPhone itself will surely evolve via new models, software, and patches, this blog will consist of a rundown of our initial thoughts.

In the default out-of-the-box configuration for the average user, you cannot run code on the device. This makes the platform less risky than other mobile platforms and desktop operating systems like Windows. If you can't run code, you can't run malicious code. Further, the AJAX/Web 2.0 applications that can utilize the phone's services (such as the ability to make calls) normally prompt the user before the action takes place. This prevents automatic dialing and things like SMS worms.

These factors greatly limit the attack surface. However,...

Ollie Whitehouse | 03 Jul 2007 07:00:00 GMT | 0 comments

If you Google for either "Windows CE" or "Windows Mobile" along with "rootkits" [1] [2], you don't find anything on the subject. Back in the early part of this year I started a little skunk-works project (which resulted in an internal whitepaper) to understand the techniques that could be employed in rootkitting Windows Mobile devices, and how you would detect them if the bad guys got nasty and started doing so.

The results were, in short, not surprising. There are publicly known methods of API hooking on Windows CE. There is a publicly released keyboard logger written for the .NET Compact Framework, and there are numerous ways to load/inject DLLs into other processes. And, of course, direct kernel object modification is also possible.

The caveat about some of these methods and techniques is that your process needs to be fully trusted in order to weave its magic. So in a properly configured one-tier device that requires signing, or a two-tier...

Marc Fossi | 25 Jun 2007 07:00:00 GMT | 0 comments

Many people have said that the lack of attacks upon Apple’s operating systems and devices can be attributed to a lower market share than Microsoft Windows-based PCs. With the shift towards malicious code being written for financial gain, targeting the dominant platform makes more economic sense. (I know that there are other arguments to be made, but bear with me.) Why write a Trojan that only runs on about 10% of computers when you can write one that is capable of affecting closer to 90% of them? Far more bang for the buck.

At the same time, there haven’t been many attacks on cellular phones and mobile devices. There have been several proof-of-concept Trojans, worms, and viruses for Symbian smartphones as well as a few for the Windows Mobile platform. Some of these have even resulted in small, localized outbreaks. Again, the lack of attacks on these devices has been attributed to a smaller user base.

On June 29th, however, these two platforms will converge when Apple’s iPhone is released in the...

Ollie Whitehouse | 04 Jun 2007 07:00:00 GMT | 0 comments

So, time for another mind map. My generic one for mobile devices last time was received pretty well. I put together the one below for Windows Mobile 6 as part of an internal research project on the new features Microsoft introduced, while also making sure that the functionality of the previous version was captured (click for the bigger version).

I think it pretty much speaks for itself. With ubiquity comes a vector/surface explosion...

P.S. As with last time if you’re going to borrow the picture, feel free, but please...

Ollie Whitehouse | 24 Apr 2007 07:00:00 GMT | 0 comments

With the advent of Windows Mobile 6 came a file system filter driver for encrypting data on Secure Digital (SD) cards, which are frequently used to store sensitive data. Previously, to gain access to users' data, an attacker could simply steal their SD card. Breaking the device's PIN protection was completely unnecessary.

In order to protect users and enterprises alike, Microsoft implemented on-device encryption for SD cards. The downside, however, is that the master key used for this encryption does not persist across hard resets: a hard reset destroys the key, and with it access to everything on the card. There is currently no escrow mechanism, which is clearly stated by Microsoft: [1]

There isn't any key escrow or recovery in this release. We realize this is very important to many enterprise customers. Feel free to add your comments about how important this is to your organization as it helps us prioritize the work for the future. If you don't want key escrow, that would also be good to hear.

Ollie Whitehouse | 19 Apr 2007 07:00:00 GMT | 0 comments

User Interface Spoofing and Its Impact on Security
As you may have seen in James O’Connor’s paper, Attack Surface Analysis of Blackberry Devices, there is a bug/vulnerability in BlackBerry devices that allows an attacker to spoof the interface that shows a .jad file's signing properties. A .jad file is a Java Application Descriptor, the text file that accompanies a Java ME application's JAR and is frequently used to distribute applications for mobile phones. This spoofing allows an attacker to make a .jad application appear to be signed by a legitimate user or company. The attacker accomplishes this by using a carefully constructed file with the appropriate amount of spaces within certain strings, so that what the user sees on the narrow display is not what the file actually contains.

Because the susceptibility to this class of attacks is not unique to the BlackBerry or to .jad files, I thought it might make an interesting blog entry. I originally found something like this...
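As an added illustration of the whitespace-padding class of UI spoofing described above (this is example code, not the BlackBerry's rendering code or anything from the paper), the block below parses a small constructed .jad descriptor, shows how a value padded with runs of spaces looks on a display that truncates at an assumed 20 columns, and shows two mitigations: collapsing whitespace before rendering, and flagging fields that contain suspicious padding. The sample descriptor, the 20-column width and the three-space threshold are assumptions chosen for the demonstration.

```python
"""Whitespace-padding detector for JAD (Java Application Descriptor) files.

Added example, not code from the original post or from RIM. It demonstrates
how a value padded with spaces can push a second, attacker-controlled string
off the edge of a narrow phone display, and how normalising whitespace
before rendering defeats the trick.
"""
import re

# Constructed sample descriptor (not a real application). The vendor value
# is padded so that a 20-column display shows only the trusted-looking prefix.
SAMPLE_JAD = "\r\n".join([
    "MIDlet-Name: Mobile Banking",
    "MIDlet-Version: 1.0.0",
    "MIDlet-Vendor: Trusted Bank Ltd" + " " * 40 + "Unsigned Third Party",
    "MIDlet-Jar-URL: banking.jar",
    "MIDlet-Jar-Size: 20480",
    "MicroEdition-Profile: MIDP-2.0",
    "MicroEdition-Configuration: CLDC-1.1",
]) + "\r\n"


def parse_jad(text):
    """Parse 'Attribute: value' lines into a dict.

    Only leading and trailing whitespace is stripped from each value;
    interior runs of spaces are preserved, which is exactly what a padded
    value relies on.
    """
    attrs = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        attrs[name.strip()] = value.strip()
    return attrs


def naive_render(value, width):
    """Mimic a narrow UI that truncates a value without normalising it."""
    return value[:width]


def normalise(value):
    """Collapse every run of whitespace to a single space."""
    return re.sub(r"\s+", " ", value).strip()


def padded_fields(attrs, max_run=2):
    """Return the names of attributes whose values contain a whitespace run
    longer than max_run characters (assumed threshold for 'suspicious')."""
    pattern = re.compile(r"\s{%d,}" % (max_run + 1))
    return sorted(k for k, v in attrs.items() if pattern.search(v))


def main():
    attrs = parse_jad(SAMPLE_JAD)
    vendor = attrs["MIDlet-Vendor"]
    print("naive display :", repr(naive_render(vendor, 20)))
    print("normalised    :", repr(naive_render(normalise(vendor), 20)))
    print("flagged fields:", padded_fields(attrs))


if __name__ == "__main__":
    main()
```

Run as-is, the naive rendering shows only "Trusted Bank Ltd" followed by blanks, while the normalised rendering exposes the trailing "Unsigned Third Party" and the detector flags MIDlet-Vendor. The same check applies to any signer, vendor or URL string that a UI displays in a fixed-width field.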

James O'Connor | 19 Apr 2007 07:00:00 GMT | 0 comments

Some of you may have read my blog article last year about the BlackBerry mobile device: Hacking the BlackBerry along with the associated whitepaper, Blackberry Security: Ripe for the picking? We decided not to widely distribute that paper for a number of reasons, including the fact that the model reviewed was a tad on the old side (BlackBerry 7290 circa 2004). Well, fast-forward to 2007, when I was supplied with a shiny new BlackBerry Pearl 8100 and a blank sheet of paper.

As I alluded to in my previous blog, the Pearl represents a significant departure for Research In Motion; a departure from the world of purely corporate utility, and an arrival at the world of consumer-oriented features. The device sports a beautifully stylized slimline form-factor, a 1.3 megapixel camera, and a removable media card as standard. Of course, all the...

Ollie Whitehouse | 12 Apr 2007 07:00:00 GMT | 0 comments

In May of 2006, for my second blog post for Symantec, I penned an entry entitled, "The Elephant Under the Carpet (and when I say 'carpet' I mean PDA)." The purpose of that post was to dispel the myth that Windows CE (and thus Windows Mobile) doesn't have security issues, and to point out that Microsoft had silently patched a number of security-related bugs. At that time, I couldn't see any Windows CE 5.0 security issues patched by Microsoft. This didn't seem right, so I decided it was time to review the situation. This blog post is an update to cover some issues since then.

If you look at Microsoft's Windows CE Critical Updates and Security site, [1] you'll see that there are no issues listed. It's important to point out that, due to Microsoft's restrictions around getting information with regards to Windows Mobile, I will only be...

Ollie Whitehouse | 05 Feb 2007 08:00:00 GMT | 0 comments

Recently my boss provided me with a license for some mind-mapping software (if you’re curious, it’s MindManager from MindJet). So, I took it for a spin on a subject close to my heart and if you’re a regular reader I’m betting you’ll be able to guess what it is – yep, mobile device threats.

For mobile device threats, I found that it was actually quite a good way to communicate the threats modern mobile devices face today. You can see the results below (click on the image for a larger version). This rocked for several reasons, not least because it saved me from having to type out long and rambling descriptions that would poorly communicate the relationships between them. The threats shown below are the most applicable to modern smart devices, yet certain categories also apply to legacy mobile devices running proprietary operating systems.

Ollie Whitehouse | 30 Jan 2007 08:00:00 GMT | 0 comments

So, it's Tuesday morning in London town and I've been up since 6:00 a.m. staring at a monitor, trying to free myself from PowerPoint hell (it's all rock and roll I tell ya!). Anyway, this morning I stumbled across an InfoWorld article entitled “Hackers to target mobile banking, study says.” This article seems to have been spun out of a press release by the Tower Group entitled “Increases in Mobile Fraud and ID Theft Could Hamper Mobile Payment / Banking Initiatives.” The press release, in turn, references a report entitled “Fraud, Virus and ID Theft: Mobile Malware Stands to Create a New Beginning.” While I've not read the report and may not agree with the notion that security issues hamper payment / banking initiatives (just look at the world that is the Internet—yeah,...