Ben-Gurion University of the Negev, Israel Dr. Yossi Oren ... · Dr. Yossi Oren ([email protected])...
● Omer Shwartz ([email protected])
● Amir Cohen ([email protected])
● Dr. Asaf Shabtai ([email protected])
● Dr. Yossi Oren ([email protected])
Ben-Gurion University of the Negev, Israel
Overview
● Motivation
● Attack surface
● Vulnerability discovery and demo
● Discussion, conclusions and questions
Motivation
Motivation
● Smartphone components often break.
● Many replacements are counterfeit.
● “Street corner phone repair shops” available everywhere.
Image from: Wikimedia
Research Question
What if a smartphone peripheral was malicious?
Could it attack the stock driver?
Would it affect the user’s privacy?
Attack model
Attack surface survey
Shwartz, O., Shitrit, G., Shabtai, A., Oren, Y. (2017) “From smashed screens to smashed stacks: Attacking mobile phones using malicious aftermarket parts”, Workshop on Security for Embedded and Mobile Systems (SEMS 2017).
Attack surface survey
● We started with a semi-automated analysis of the source code of 26 Android smartphones.
● Drivers were catalogued by vendor and version.
● 89 different driver versions were evaluated.
Peripheral diversity
Attack surface survey results
● Only three drivers were used in two phone models.
● Only two drivers were used on three or more phone models.
● Most of the drivers were unique to their respective device.
Attack surface survey results
The percentage of driver-related Android CVEs is on the rise.
Attack surface survey insights
● A codebase this diverse is bound to contain bugs and vulnerabilities.
● Bugs are easy to find (more ahead…)
Bug Hunting
● We started looking for device driver bugs that may be exploited by the component.
● In less than two hours (!), we found exploitable buffer and heap overflows in a touchscreen module.
● Further analysis revealed dozens more potential issues in multiple drivers.
● The issues found were reported, acknowledged (CVE-2017-0650) and patched by Google.
Actual Exploitation
Workbench
CVE-2017-0650
CVE-2017-0650
Get data from device.......
ARM64 ROP Attack
ARM64 ROP Attack
Vulnerabilities
● Vulnerabilities such as CVE-2017-0650 are easy to find!
● Another vulnerability was found in a different touchscreen driver by another manufacturer. This vulnerability was proven at the PoC level. (Pending responsible disclosure)
Touch Logging & Touch Injection
● In addition to exploiting the kernel, the touchscreen can abuse its known capabilities.
● The touchscreen or a component on the touchscreen bus can record user touches.
● Injection of touch events can also be done without any user interaction.
Proofs of Concept
● Malicious Software Installation: https://youtu.be/83VMVrcEOCM
● Take Picture and Send Via Email: https://youtu.be/WS4NChPjaaY
● Replace URL with Phishing URL: https://youtu.be/XZujd42eYek
● Log and Exfiltrate Screen Unlock Pattern: https://youtu.be/fY58zoadqMA
● Complete Phone Compromise: https://youtu.be/sDfD5fJfiNc
Discussion
● In smartphones, device drivers are very diverse, leading to many potential vulnerabilities.
● The device drivers are trusted by the kernel, and the peripherals are trusted by the drivers.
● We showed how a peripheral may exploit that trust.
● Detection of attacks may be impossible with current tools and design.
Conclusions
● Attacks of this sort are practical and may be highly effective.
● Consumers have no tools to help them detect such attacks.
● Countermeasures, such as a physical interface firewall, may prove effective.
● There is much more left to explore in the field of malicious hardware components.
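Added example (not from the slides, and not the code of the driver behind CVE-2017-0650): a parser that treats every field of a touch report as untrusted, the kind of check a hardened driver or an interface firewall could apply before data from a replacement part reaches the kernel. The report layout, panel size, limits and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed report layout (an assumption, not a real controller's format):
 * byte 0 = point count, then per point: id, x (16-bit LE), y (16-bit LE). */
#define MAX_POINTS  10
#define POINT_BYTES 5
#define PANEL_W     1080
#define PANEL_H     1920

struct touch_point { uint8_t id; uint16_t x, y; };
enum { ERR_SHORT = -1, ERR_COUNT = -2, ERR_RANGE = -3 };

/* Returns the number of points parsed, or a negative error.
 * `out` is written only when the whole report validates. */
int parse_touch_report(const uint8_t *buf, size_t len, struct touch_point *out)
{
    struct touch_point tmp[MAX_POINTS];
    if (buf == NULL || len < 1)
        return ERR_SHORT;
    size_t count = buf[0];              /* device-supplied: untrusted */
    if (count > MAX_POINTS)             /* cap before it sizes any copy */
        return ERR_COUNT;
    if (len - 1 < count * POINT_BYTES)  /* claim must fit bytes actually read */
        return ERR_SHORT;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = buf + 1 + i * POINT_BYTES;
        tmp[i].id = p[0];
        tmp[i].x = (uint16_t)(p[1] | (p[2] << 8));
        tmp[i].y = (uint16_t)(p[3] | (p[4] << 8));
        if (tmp[i].id >= MAX_POINTS || tmp[i].x >= PANEL_W || tmp[i].y >= PANEL_H)
            return ERR_RANGE;           /* off-panel coordinates are rejected */
    }
    memcpy(out, tmp, count * sizeof tmp[0]);
    return (int)count;
}

int main(void)
{
    /* Constructed samples: one honest report, one claiming 200 points. */
    const uint8_t good[] = { 1, 0, 0x64, 0x00, 0xC8, 0x00 };
    const uint8_t bad[]  = { 200, 0, 0x64, 0x00, 0xC8, 0x00 };
    struct touch_point pts[MAX_POINTS];
    printf("good: %d\n", parse_touch_report(good, sizeof good, pts));
    printf("bad:  %d\n", parse_touch_report(bad, sizeof bad, pts));
    return 0;
}
```

Bounds checks like these address the memory-safety side only; they do not stop a part from logging touches or injecting well-formed ones.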
● Omer Shwartz ([email protected])
● Amir Cohen ([email protected])
● Dr. Asaf Shabtai ([email protected])
● Dr. Yossi Oren ([email protected])
Thank you