There's been a fair bit written and presented about smartphone's, and yet, when it comes to the attack surface of the operating systems running on them, and the applications running on top of those, much still has to be explorer. This talk will dive a bit deeper into that attack surface. This talk will take a look at the smart phone attack surface, only from and end-to-end point of view. the baseband type stuff and things owned by the telco's will not be covered. Basically, it'll cover 5 major areas: identifying operating systems (through for example the user-agent with mms) identifying entrypoints identifying trust boundaries identifying bugs exploiting bugs There has been a fair amount of cellphone and smartphone reseach done in the past, and yet, when it comes to attack surface, we've barely scratched the surface. SMS alone allows for a dozen or so different types of messages, there's mms, all sorts of media codecs are build into smart phones. The entrypoints can be roughly categorized as: primary entypoints: - zero-click remote attacks over default communication network (sms, mms, ...) secondary entrypoints: - zero-click remote attacks over non-default communication network (email, ...) tertiary entrypoints: - proximity attacks (wifi, bluetooth, irda, mitm wifi connection, ...) - not-zero click remote attacks (e.g. start application XYZ and connect to my evil server) The main focus in this talk will be on the primary entrypoints, however some of the secondary and tertiary entrypoints will be talked about aswell, in particular irda, since unlike bluetooth and wifi, very little security research has ever been done with irda, which on itself is weird, since after less than a day of poking around it became quite clear most irda stacks are pretty weak (as a hilarious irda sidenote which got me started to look at idra, one should read the following microsoft bulletin http://www.microsoft.com/technet/security/bulletin/ms01-046.mspx). once's the interesting entrypoints for various smartphones are explored the talk will dive into some of the trust boundaries on different smartphones, things their sandboxes allow, things they don't, wether or not it's documented and wether or not the documentation is actually accurate. in the spirit of keeping the best for last, some of the bugs discovered during the smartphone research will be discussed, both the details of them, as well as the pains the speaker had to go through to make exploits for them.
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.