Transcription

Symbian phone Security
Job de Haas, ITSX BV
BlackHat Amsterdam 2005

Overview
• Symbian OS.
• Security risks and features.
• Taking it apart.
• Conclusions.

Symbian History
• Psion, owner of the EPOC OS (originally from 1989), released EPOC32 in 1996.
• EPOC32 was designed object-oriented, in C++.
• 1998: Symbian Ltd. formed by Ericsson, Nokia, Motorola and Psion. EPOC renamed to Symbian OS.
• Currently 30 phones with Symbian and 15 licensees.

Symbian Organization
• Symbian licenses the main OS.
• Two GUIs on top of Symbian:
  – Series 60, led by Nokia
  – UIQ, subsidiary of Symbian
• Ownership:
  – Nokia 47.5%
  – Ericsson 15.6%
  – SonyEricsson 13.1%

Symbian Versions
• EPOC32
• EPOC R5
• Symbian v6.0
• Symbian v7.0
• Symbian v8.0
• Symbian v9.0, announced for Q3 '05

Series60 versions
• 1st edition
• 2nd edition
• 3rd edition, announced Feb. 2005

UIQ versions
• UIQ 1.0
• UIQ 2.1
• UIQ 3.0, released Feb. 2005

Symbian OS

Symbian OS
• Multitasking, preemptive kernel.
• MMU protection of kernel and process spaces.
• Strong client – server architecture.
• Plug-in patterns.
• Filesystem in ROM, Flash, RAM and on SD card.

Symbian development
• Symbian v6 and v7 are compiled with a modified GCC.
• The base environment consists of a set of Perl scripts and command line tools.
• IDEs interface to that:
  – Metrowerks CodeWarrior
  – MS Visual Studio
  – Borland C++ Builder

Symbian development
• Emulator on x86 runs a majority of the native code base.
• Compiled to x86 (so not running ARM code).
• The emulator is one Windows process.

Symbian development
• Limited support for on-target debugging:
  – It does not work on all devices.
  – Uses a gdb stub.
  – Metrowerks provides MetroTRK.
• Future: v9 will move to ARM RealView (RVCT) and the EABI standard.

Mobile phone risks
• Toll fraud:
  – Auto dialers.
  – High cost SMS/MMS.
  – Phone proxy.
• Loss or theft:
  – Data loss.
  – Data compromise.
  – Loss of identity (caller ID).

Mobile phone risks
• Availability:
  – SPAM.
  – Destruction of the device (flash).
  – Destruction of data.
• Risks induced by usage:
  – Mobile banking.
  – Confidential e-mail, documents.
  – Device present at confidential meetings: snooping.

Attack vectors
• Too many entry points to list:
  – Executables
  – Bluetooth
  – GPRS / GSM
  – OTA
  – IrDA
  – Browser
  – SMS / MMS
  – SD card
  – WAP
  – E-mail

Security features
• Crypto:
  – Algorithms
  – Certificate framework
  – Protocols: HTTPS, WTLS
• Symbian Signed:
  – Public key signatures on applications
  – Root CAs in ROM

Symbian security features
• Separation:
  – Kernel vs. user space
  – Process space
  – Secured 'wallet' storage
• Access controls:
  – SIM PIN, device security code
  – Bluetooth pairing

Symbian security features
• Artificial limitations / patches:
  – Preventing loading of device drivers into the kernel (Nokia).
  – Disallowing overriding of ROM based plug-ins.

Risks covered / mitigated
• Fraud: hardly; relies on the user not accepting unsigned apps.
• Loss/theft: in practice, none.
• Availability: hardly; any application can render the phone unusable (Skulls trojan).

What goes wrong?
• So far all known attacks have needed user confirmation, often more than once.
• People lose a hell of a lot of devices.
• Not that much so far, actually.

Viruses and Trojans
• Skulls trojan:
  – A theme that replaces all icons and cannot be de-installed.
• Caribe (also known as Cabir):
  – Installs itself as a 'Recognizer' to get activated at boot time and starts broadcasting itself over Bluetooth.

Problems in Symbian
• No concept of roles or users.
• No access controls in the file system.
• No user confirmation needed for access by applications.
• User view on the device is limited: partial filesystem, selected processes.
• The majority of interesting applications is unsigned.

Symbian security features
• Future: v9:
  – Data 'caging': per-application file system access.
  – Capabilities tied to signing: limited access to sound; only signed apps get access to keys.
  – OMA DRM v2.0.
  – Suspected: tying to ARM TrustZone, hardware assisted code protection.

Risk improvements
• Limits the damage an application can do.
• Improvements for data access and integrity.
• Will also limit what you (as a developer) can access on the phone without going through certification.

Still things go wrong
• On February 23, 2005 a notice appeared on the Nokia site:

Their 'work around'


Unraveling a ROM
• Obtaining ROMs:
  – Vendor upgrades
  – Reading them from the device
• Understanding the ROM structure:
  – Base porting guide (7.0 help file)
  – Header files

Extracting the ROM
• Create a device driver on a P900.
• Read the MMU page tables.
• Copy physical memory out to the memory card.
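The middle step above, reading the MMU page tables, is what tells the driver which physical ranges are actually mapped (and therefore worth copying out). The following is an added example, not code from the talk or from the speaker's toolkit: a walker for the ARMv4/ARMv5 short-descriptor page tables used by the ARM9-class cores of that phone generation. It decodes sections (1 MB) and coarse page tables holding small (4 KB) and large (64 KB) pages, and coalesces adjacent mappings into ranges. The physical memory image it walks is constructed in `build_sample_memory()` and is a toy layout, not a P900 dump; fine page tables (descriptor type 0b11) are skipped by assumption.

```python
import struct

SECTION_SIZE = 1 << 20   # first-level entry covers 1 MB of virtual space
SMALL_PAGE = 1 << 12     # second-level small page
LARGE_PAGE = 1 << 16     # second-level large page, descriptor replicated 16 times


def walk_arm_page_tables(read_phys, ttb):
    """Yield (virt, phys, size) for every mapping in an ARMv4/v5 translation table.

    read_phys(addr, n) returns n bytes of physical memory starting at addr
    (in a real driver this is the kernel-mode read; here it is backed by a dict).
    ttb is the physical address of the 16 KB first-level table (the TTBR value).
    """
    l1 = read_phys(ttb, 4096 * 4)
    for i in range(4096):
        desc = struct.unpack_from('<I', l1, i * 4)[0]
        va = i * SECTION_SIZE
        kind = desc & 0x3
        if kind == 0:                      # fault entry: nothing mapped here
            continue
        if kind == 2:                      # section: base in bits [31:20]
            yield (va, desc & 0xFFF00000, SECTION_SIZE)
        elif kind == 1:                    # coarse page table: 256 entries, base bits [31:10]
            l2 = read_phys(desc & 0xFFFFFC00, 256 * 4)
            j = 0
            while j < 256:
                d2 = struct.unpack_from('<I', l2, j * 4)[0]
                k2 = d2 & 0x3
                if k2 == 2:                # small page: base bits [31:12]
                    yield (va + j * SMALL_PAGE, d2 & 0xFFFFF000, SMALL_PAGE)
                    j += 1
                elif k2 == 1:              # large page: base bits [31:16], 16 identical entries
                    yield (va + (j & ~15) * SMALL_PAGE, d2 & 0xFFFF0000, LARGE_PAGE)
                    j = (j | 15) + 1
                else:                      # fault (or tiny page, not used in coarse tables)
                    j += 1
        # kind == 3 (fine page table) is not handled in this example (assumption)


def coalesce(mappings):
    """Merge mappings that are contiguous in both virtual and physical space."""
    out = []
    for va, pa, size in sorted(mappings):
        if out and out[-1][0] + out[-1][2] == va and out[-1][1] + out[-1][2] == pa:
            out[-1] = (out[-1][0], out[-1][1], out[-1][2] + size)
        else:
            out.append((va, pa, size))
    return out


def build_sample_memory():
    """Constructed physical memory: a toy translation table, NOT a real P900 image."""
    TTB, COARSE = 0x4000, 0x8000
    l1 = bytearray(4096 * 4)
    l2 = bytearray(256 * 4)

    def put(buf, idx, value):
        struct.pack_into('<I', buf, idx * 4, value)

    # Two contiguous 1 MB sections: VA 0x50000000 -> PA 0x0C000000 (the "ROM" in this toy layout).
    put(l1, 0x500, 0x0C000000 | (0x3 << 10) | (1 << 4) | 0x2)
    put(l1, 0x501, 0x0C100000 | (0x3 << 10) | (1 << 4) | 0x2)
    # VA 0xC0000000 goes through a coarse page table located at PA 0x8000.
    put(l1, 0xC00, COARSE | (1 << 4) | 0x1)
    put(l2, 0, 0x10000000 | (0xFF << 4) | 0x2)         # 4 KB small page
    put(l2, 1, 0x10001000 | (0xFF << 4) | 0x2)         # next 4 KB, physically contiguous
    for k in range(16, 32):                            # one 64 KB large page at VA 0xC0010000
        put(l2, k, 0x20000000 | (0xFF << 4) | 0x1)
    mem = {TTB: bytes(l1), COARSE: bytes(l2)}

    def read_phys(addr, n):
        for base, blob in mem.items():
            if base <= addr and addr + n <= base + len(blob):
                return blob[addr - base:addr - base + n]
        raise ValueError('unmapped physical read at 0x%08x' % addr)

    return read_phys, TTB


def mapped_ranges():
    """Coalesced (virt, phys, size) ranges of the sample table; the dump list a driver would copy."""
    read_phys, ttb = build_sample_memory()
    return coalesce(walk_arm_page_tables(read_phys, ttb))


if __name__ == '__main__':
    for va, pa, size in mapped_ranges():
        print('VA 0x%08x -> PA 0x%08x  %d KB' % (va, pa, size // 1024))
```

The ranges this produces are exactly what the dump driver needs: for each range, copy `size` bytes from physical `pa` to the memory card, and record `va` so that the extracted ROM can later be loaded at the addresses its code was linked for.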

Unpacking a ROM
• Small toolkit of Python scripts.
• Extracts files from a ROM.
• Creates a browse-able interface with details and relations between files.

Demo

Examining binaries (OS)
• Use the emulator versions with debug info.
• Translate names to ordinals with the libs.
• Import them in IDA.
• Load the full ROM at once, or use a DB to name direct references to other files.
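The "translate names to ordinals" step exists because an E32 image imports functions from a DLL by ordinal only, so the names have to come from the SDK's .lib/.def files. As an added example (not part of the talk or the speaker's toolkit), the script below parses the EXPORTS section of a Symbian GCC-style .def file, where each line is `mangled_name @ ordinal NONAME ; demangled signature`, and uses the result to label a list of (DLL, ordinal) imports. The .def excerpt and the import list are constructed for illustration; the ordinals and names are not the real euser.dll export table.

```python
import re

# One export line: "<mangled name> @ <ordinal> [flags] [; demangled comment]".
# Symbian toolchains put the readable signature in the trailing comment,
# which is the name a reverser wants to see next to an import-by-ordinal.
DEF_EXPORT = re.compile(
    r'^\s*(?P<name>\S+)\s+@\s*(?P<ordinal>\d+)\s*(?P<flags>[^;]*?)\s*(?:;\s*(?P<comment>.*?))?\s*$'
)

# Constructed excerpt in the layout of a Symbian GCC .def file (illustrative ordinals/names).
SAMPLE_EUSER_DEF = """\
; constructed sample, not the real euser.def
EXPORTS
\tLeave__4Useri @ 1 NONAME ; User::Leave(int)
\tAlloc__4Useri @ 2 NONAME ; User::Alloc(int)
\tFree__4UserPv @ 3 NONAME ; User::Free(void *)
\tPanic__4UserRC7TDesC16i @ 4 NONAME ; User::Panic(TDesC16 const &, int)
"""

# Constructed import table as it would be recovered from an E32 image: (DLL name, ordinal).
SAMPLE_IMPORTS = [('EUSER.DLL', 1), ('EUSER.DLL', 4), ('EUSER.DLL', 999)]


def parse_def(text):
    """Return {ordinal: (mangled_name, readable_name)} for the EXPORTS section of a .def file."""
    exports = {}
    in_exports = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue                          # blank or comment-only line
        if line.upper() == 'EXPORTS':
            in_exports = True
            continue
        if not in_exports:
            continue                          # ignore anything before EXPORTS (LIBRARY etc.)
        m = DEF_EXPORT.match(line)
        if not m:
            raise ValueError('unparsable .def line: %r' % raw)
        ordinal = int(m.group('ordinal'))
        if ordinal in exports:
            raise ValueError('duplicate ordinal %d in .def file' % ordinal)
        readable = m.group('comment') or m.group('name')   # fall back to the mangled name
        exports[ordinal] = (m.group('name'), readable)
    return exports


def resolve_imports(imports, def_tables):
    """Label each (dll, ordinal) import using def_tables = {dll_lowercase: parse_def(...)}.

    Unknown ordinals are kept visible as '?' instead of being guessed, so a
    mismatched SDK version does not silently mis-name functions in IDA.
    """
    labels = []
    for dll, ordinal in imports:
        entry = def_tables.get(dll.lower(), {}).get(ordinal)
        labels.append('%s@%d -> %s' % (dll, ordinal, entry[1] if entry else '?'))
    return labels


def demo():
    """Resolve the constructed import list against the constructed euser .def."""
    tables = {'euser.dll': parse_def(SAMPLE_EUSER_DEF)}
    return resolve_imports(SAMPLE_IMPORTS, tables)


if __name__ == '__main__':
    for label in demo():
        print(label)
```

In practice one table per DLL in the ROM is built from the SDK's .def (or .lib) files and the resulting labels are applied to the import stubs in IDA; keeping unresolved ordinals marked is deliberate, since the .def shipped with an SDK may not match the exact ROM build being examined.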

Conclusions
• Currently Symbian is not prepared for serious attacks.
• Embeddedness and the OO implementation have raised the bar for attacks.
• Relatively few tools are available for dissecting Symbian ROMs and applications.
• v9 promises much needed improvements.
