Smartphone Penetration Testing Framework

Georgia Weidman

Wed, 24th October 2012


Speaker Bio 1:
Georgia founded Bulb Security, focusing on security training, research and development, and penetration testing. Not only is Georgia a superb talent, excellent speaker and highly skilled penetration tester, she is also the lead developer of the Smartphone Penetration Testing Framework (abbreviated to SPF in our video interview and the transcript below).

Max, Concise Courses:
Could you please explain to us why you started Bulb Security?

Georgia Weidman:
I have a background in security, pentesting and mobile research. Why did I set up Bulb Security? Actually, I got a DARPA Cyber Fast Track grant to make SPF, the Smartphone Pentest Framework.

Max, Concise Courses:
Excellent sounds great, shall we jump straight into the presentation?

Georgia Weidman:
Sounds great! This is a bit shorter than the typical presentation so I’ll just get to the meat of things. I know that you guys did BYOD yesterday [reference to Aamir Lakhani “Bring Your Own Disaster” which you can watch here], so probably a lot of people who were on that saw that Bring Your Own Device is awesome, but it has its own special caveats for the security of the workplace, and that is really what SPF is trying to do: actually test for those, so as to bring testing smartphones into the pentest.

Our smartphones, for instance, have the ability to get our email or download stuff from servers, go wireless and be another node on the network. These are all good things and fun, but smartphones by definition have an “out-of-band” communication method, being the cell phone towers themselves, so any information that reaches the smartphone may be going out to possibly malicious entities in a way that we can’t really monitor, and that’s kinda scary!

From 3 minutes onwards: So, if you think about it, if you have Bring Your Own Device, think about if an attacker was on that device all the things that they would be able to get. Of the threats against them [the victims], I think the big one that comes up a lot when you talk about this stuff is apps. I love apps, I’m kinda obsessed with them. For instance Twitter, you know, look at the permissions that Android wants, and that kinda scares me because I don’t really think Twitter needs to be involved with making phone calls, but if my choice was “don’t use Twitter” or “accept that risk”, I’d accept it – and if I accept it, everyone else will also probably be accepting it. Most people don’t even think about this stuff, so you have to assume that there are probably some malicious apps in your environment when you have Bring Your Own Device.

From 4 minutes onwards: And then of course there are always the software bugs. Every time we see something getting jailbroken, that’s someone exploiting a software bug. We can only expect so much security; I mean, Apple particularly tries really hard: “No one is going to jailbreak this”, and then somebody does. But that’s true of all code, even SPF; some people are finding bugs. It’s really hard to write secure code, so naturally our software on our smartphones is going to have software bugs in it as well.

From 4:30 minutes onwards: And then there’s our social engineering. Even if you live in a perfect world where security training works and no one in your environment would ever click on a malicious link in an email (I do a lot of pentesting and I’ve never had an environment where nobody clicked on a malicious link in an email), a text message is regarded as being more “safe”. Solid awareness training is hard, we know this as well. It’s a whole new breed of social engineering because we have browser bugs, we have people giving up their credentials, so it’s a new way for attackers to get in. Plus you don’t have spam filtering on your text messaging unless you use something like Symantec or McAfee or one of them that lets you specifically blacklist a phone number, so you really have no filtering whatsoever, which is kinda scary.

From 5:50 minutes onwards: Jailbreaking! Raise your hand, although I can’t see you, if you have jailbroken an iPhone or you have rooted your Android. A lot of people! A lot of people that aren’t even into technology jailbreak! I tell this joke where in the nursing home where my great-grandmother lives, all the people there had jailbroken iPhones! It’s true! Even me: I want to jailbreak my iPhone so I look up on Google “Jailbreak” whatever iOS version. Now what’s to say which one of those is good and which one is malicious? We know that there are examples out there in the wild of malicious code that either infects your computer or infects your iPhone or even both. You download a program on it and you’re specifically telling someone to exploit your device!

What else can they do? Well, once they have root they can join you to a botnet, all sorts of things with your device. Even people that put out their source code, even if I have 100% faith that the jailbreak code was all for good, it is written in assembly language. I mean, raise your hand if you can read assembly language so well that you can say absolutely that’s not doing anything malicious? I for one am not that cool!

From 7:15 minutes onwards: So my question with all of that is, since I’m kinda known as a smartphone person, my clients were starting to ask me, well, what about these smartphones? We have Bring Your Own Device and we’re not testing them in our pentest; should we be? And I think absolutely, yes, you should be testing them, and there was not really any tool that would allow us to do that, so that’s where SPF entered.

When people hear about SPF they are like, ok, yeah, that’s great, you’re allowing people to use Nmap or Nessus or Metasploit on their phones and basically you’ve created something like a Pwn Phone which we already have – which is like, “how nice for you”. But that’s not what this is at all. What this actually allows us to do is, from a computer or in some cases from a smartphone, to test the security posture of the smartphone environment, so you can kinda think of it as a very “early stage Metasploit” for testing specific issues for smartphones.

From 8:30 minutes onwards: This is what SPF really is [referring to a slide]. It makes it look a lot more complicated than it really is, for instance the client controlled server and the client controlled computers. The client controlled smartphones can all really be one device, but it does have the ability to all get on our workstations and collaborate as pentesters working in a group, or, just like if you put Metasploit or BackTrack on your laptop, we can just do it all in one place. What I think is particularly cool about SPF is that a lot of our attacks are going to be based on the mobile modem. Our attacks are going to be over the network, client side, but we’re going to want to do things that attack specifically the mobile modem, like sending SMSs or USSD [Unstructured Supplementary Service Data] attacks that we saw come out of Ekoparty about a month ago. So these are specific issues to smartphones, and what it allows you to do is that with SPF you can hook up to the mobile modem in the device you already have. Currently you can use the smartphones you already have and use an app, and it will hook your device to that modem to send text messages, or you can use a USB modem and plug it into your computer. You would just put your SIM card in it and it will send off mobile modem stuff there. I’m working with a Pwn Plug from Pwnie Express and am working on making that a modem, and some stuff on Google Plus, but our goal is, either via the network, or the server, or via the smartphones or via the modems, to attack those phones and attack their security posture.

From 9:55 minutes onwards: We have our framework console. I think it looks a lot like the Social-Engineer Toolkit; it’s really menu based and I’m putting in some stuff so you can script it. There’s also a GUI. My mom wrote this so it’s really pretty – but real hackers use the console anyway. It does have a GUI that you can use, and it also has the smartphone app. This allows you to use SPF to actually run some attacks from your mobile, so further blurring the lines between pentesting from a smartphone and pentesting smartphones. In fact, sometimes using this app we are really doing both: we can run our attacks from our phones.

From 10:51 minutes onwards: We can test for a variety of things. We have to wait a little longer until we can test for everything like Metasploit can, but it does have some things in there, and I update it about every two weeks, for remote stuff so that you can attack things like PCs etc. We can also test for some client side things like block people’s browsers, social engineering, send them some text messages and say “hey this is really cool, why don’t you download it”, then once we are on the device we can look for local vulnerabilities and increase our privileges.

From 11:44 minutes onwards: I think this is the first iPhone botnet that ever happened. What happened was that people were jailbreaking their iPhones and they had the default root password being “Alpine”, which is still true, so how many people in our environment jailbreak their iPhones and just leave that? I mean, it doesn’t really say please change your default password, so that’s just about as easy as it gets when you log in as root, so we can test for that. There are also USSD attacks, but I guess that is more of a client side thing.

From 12:27 minutes onwards: From the client side, we can put up a malicious webpage and, either via SMS or email, ask people to browse to it, and hopefully, if they are running a vulnerable version of a browser (since browsers have bugs), we will be able to exploit them there and get a client side shell. We will then have a shell and then hopefully be able to get more privileges using local privilege escalation, kinda like Metasploit.

From 13 minutes onwards: We also have social engineering stuff whereby we can send an SMS to try and get them to open it and be sent to a malicious website. We could do one of those browser client side attacks, or a phishing attack and have them put in their credentials and then log it, or we can say “download this app”, which is a really good way to get onto people’s devices and then get local privilege escalation and gather stuff right from there. I have actually seen some carriers or providers send a text message that says, as a premium handset subscriber you have the right to download this security app. This just came in as a text message from like number 2345 or something and it takes you to a third party app store which I am sure is pretty legit, but if they are getting in the habit of responding to these sorts of messages then there is nothing to stop the attacker doing exactly the same thing. In this case the carriers are actually part of the problem.

From 14 minutes onwards: Once we are on the device we can do some local privilege escalation. Pretty much every version of iOS and Android has some kind of vulnerability as a result of jailbreaking; it’s just the nature of the beast. A lot of really smart people are working on jailbreaking, for example, and it’s a lot harder to keep a program secure. Once we are on there then we can start doing things like gathering information and remotely controlling the device. I want to add Nmap in the future so that once we are on the device and are connected to the internal network then we can use that as a pivot to start attacking servers. I think that that is really exciting and I know that hackers will start doing this stuff.

People are always saying, if it is so easy to attack smartphones, why are we not seeing it more in the wild? And there was a really good presentation on that this past year that says that as of December 2012 only 11% of the web traffic in the world was mobile based, so unlike people like me, that want to do the latest and greatest thing and really push the boundaries of what can be done, as an attacker you just want to make money.

Therefore, if my best success rate is 11% then it’s too low; it’s better to go after the more traditional platforms. However, fast forward to a year when we don’t even have computers anymore, we only have iPads and Samsung Galaxy Tabs, Androids; then it’s going to be a completely different environment, so this stuff is going to blow up. So if you have a lot of mobile devices then it’s going to be a bit of a problem, and hopefully SPF will be able to mature to the point where it will be able to help with that. We don’t really have time for demos, but there are a lot of SPF demos and videos on my website. This is all free and open source, so if you have ideas of things that you would like to see in it please email me; I’d love to have people contribute ideas and code. Right now I am just trying to expand SPF in every way possible and find more ways to interact with it, like more mobile modem options, more modules in each of the categories.

Since smartphones started coming out, from then to now, I want to put all of those vulnerability exploits in there, more post exploitation, and like everything you could possibly want to do on a smartphone: all the information you want to gather, dump their VPN credentials, give their work emails, start attacking other devices as a pivot – the sky’s really the limit.

From 17:30 minutes onwards: Integrate with more tools. I want to hook it up to things like Metasploit; I’m currently working on hooking it up to the Pwn Plug and to the Pwn Phone. That could be really cool because it could hold all of SPF inside itself and it has the mobile modem, 3G capability, right there instead of hooking it up to, say, my smartphone. [The device] could have all of the capabilities of SPF, so that could be really cool. It currently has a database dump, so it logs everything, so it shows reporting for everything you did, what was successful, from the information you gathered. I don’t like writing reports, so I want it to write the report for you.

So this is me, and I’d love to have your questions, and again there are a lot of videos of these demos pretty much everywhere. The best place to find me is on Twitter.

My idea is to turn SPF into a Metasploit thing – I really want it to be community driven.


Questions and answers

Max, Concise Courses:
That was really great. Just talking about getting more information about SPF, except for the website, what’s your distribution plan, how are you getting SPF out there? Through social media? How can we get more people to learn about this?

Georgia Weidman:
Well, I speak about it a lot at hacking conferences, I do things like this, and on Twitter. It’s on BackTrack now and it’s going to be on MobiSec, so it’s becoming more ubiquitous; it’s just a matter of getting more people interested in it, I think.


Max, Concise Courses:
Yesterday we were talking about the importance of BYOD policies in companies and I was curious to see whether you had seen any companies integrate smartphones into the BYOD policies?

Georgia Weidman:
I have. For example, at the place where I worked, as long as you had a passcode you could put it on the network even though it was jailbroken, so I think that there is a lot more to be done in that area. I think it is still a really new area; we will see a lot more maturity in putting BYOD policies in place. People have been bringing their laptops in for years and years, and I am sure it didn’t start out as well as it is now, and it’s still not perfect in that domain.


Max, Concise Courses:
What other resources could you point people to with regards to smartphone pentesting?

Georgia Weidman:
Bulb Security is the best place; there are a bunch of videos, and also I do a column on ethicalhacker.net that’s all about smartphones and apps and pentesting.


Max, Concise Courses:
Thank you very much. We wish you every success with SPF and hopefully we can get you back on again in the future. It’s an amazing application and we will do whatever we can to promote the good work.

Georgia Weidman:
Yes I’d love to come on again in six months when SPF is way bigger and cooler and we could put them side by side and say, “is that really the same program!?”


Max, Concise Courses:
Without a doubt SPF will continue to evolve and we would love to be part of the journey with you. Safe travels and we will be in touch.