While not quite ‘zombies ate my neighbors,’ perhaps you or your social media friends are playing zombie games without even realizing it? What if you and your friends are the zombies who bring on the zombie apocalypse?
At the security conference Derbycon, Tom Eston and Kevin Johnson gave an interesting talk titled Social Zombies: Rise of the Mobile Dead. “Just when you thought 'bath salts' were turning innocent humans into flesh-eating Zombies in Florida…mobile devices have begun taking over the world like an infectious Zombie virus outbreak.”
As pentesters, Eston and Johnson love BYOD. They discussed how new wireless technology like NFC (Near Field Communication) and social networks are integrated into mobile operating systems to “introduce new privacy and physical security concerns not seen before.” Eston told me, “Privacy of user data has not changed as social networks have evolved over the years. It’s gotten worse through collection of private data and complicated, hard to read privacy policies. There is still very little regulation over user privacy here in the US.”
You may remember Charlie Miller's "Don't Stand So Close to Me" NFC presentation at Def Con. Eston and Johnson also discussed new tools and exploits that penetration testers can use, such as an NFC proof-of-concept attack to launch BeEF (Browser Exploitation Framework), which they said is “great for physical and/or social engineering attacks.” BeEF “will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.” They used a Google Nexus and BeEF and said that when a “malicious device taps your device, then you are instantly sent a link,” even though “nothing happens on your phone, no popup, no dialogue asking if it is okay.” But the BeEF hook allows an attacker to steal cookies and send malicious links. “Browsers in mobile devices are becoming so complex that the majority of BeEF modules will work on the mobile browsers. BlackBerry supports the most out of that list.”
“NFC,” according to the presentation, “is like having sex with another unprotected device.” If Adobe documentation says “we smoke crack,” so too might Google’s. Google wants NFC to be open, with little authorization, as the Android developer documentation states: “When an Android-powered device discovers an NFC tag, the desired behavior is to have the most appropriate activity handle the intent without asking the user what application to use.” They said this “should scare the crap out of everyone here who has an NFC-enabled Google device.”
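The dispatch rule quoted above means the phone picks a handler for a tag's payload with no user prompt, so the only place left to apply judgement is inside the handler. The following is an added example of mine, not code from the talk or from Android: it parses an NDEF URI record the way a tag delivers it (the standard's short-record layout and URI prefix codes) and applies a policy that auto-opens only HTTPS links on an allowlisted host and asks the user about everything else. The sample tag bytes and the allowlist are constructed for illustration.

```python
from urllib.parse import urlparse

# URI identifier codes from the NFC Forum URI Record Type Definition
# (abbreviated; the full table has more entries).
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}

TNF_WELL_KNOWN = 0x01  # Type Name Format for NFC Forum well-known types such as "U"


def parse_ndef_uri(record: bytes) -> str:
    """Decode one short-form NDEF record of well-known type "U" into a URI.

    Header byte bits: MB ME CF SR IL TNF(3). Only SR=1 (one-byte payload
    length) without an ID field is handled, which is how a single URL is
    usually written to a tag.
    """
    if len(record) < 4:
        raise ValueError("record too short")
    header = record[0]
    short_record = bool(header & 0x10)
    has_id = bool(header & 0x08)
    tnf = header & 0x07
    if not short_record or has_id or tnf != TNF_WELL_KNOWN:
        raise ValueError("unsupported NDEF record layout")
    type_len, payload_len = record[1], record[2]
    rtype = record[3:3 + type_len]
    if rtype != b"U":
        raise ValueError("not a URI record")
    payload = record[3 + type_len:3 + type_len + payload_len]
    if payload_len == 0 or len(payload) != payload_len:
        raise ValueError("truncated payload")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError(f"unknown URI identifier code {payload[0]:#04x}")
    return prefix + payload[1:].decode("utf-8")


def build_uri_record(code: int, rest: str) -> bytes:
    """Build the same short-form record (MB=1, ME=1, SR=1, TNF=1); used for constructed test tags."""
    payload = bytes([code]) + rest.encode("utf-8")
    if len(payload) > 255:
        raise ValueError("short record payload limit exceeded")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


def dispatch_decision(uri: str, allowed_hosts: set) -> str:
    """Return "auto" only for https URIs on an allowlisted host, "prompt" otherwise.

    "prompt" stands for the confirmation dialog that the talk notes the
    default Android tag dispatch never shows.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        return "prompt"
    if (parsed.hostname or "") in allowed_hosts:
        return "auto"
    return "prompt"


if __name__ == "__main__":
    # Constructed tags: one from a trusted kiosk, one pointing at an unknown host
    # over plain http, as a stranger's card might.
    allowed = {"example.com"}
    for tag in (build_uri_record(0x04, "example.com/menu"),
                build_uri_record(0x03, "unknown-host.test/landing")):
        uri = parse_ndef_uri(tag)
        print(uri, "->", dispatch_decision(uri, allowed))
```

The parser rejects anything that is not a well-formed URI record rather than guessing, and the policy treats an unknown host the same as a malformed tag: nothing is opened until a person says so.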
When it comes to the NFC-enabled business cards from MOO, if someone hands you one and you slide it into your pocket, you don’t stop to think whether a card could own your phone. Eston told me, “New technology like NFC and integration of social networks into mobile OS’s bring interesting security challenges. Moo business cards are great for attackers to use for social engineering attacks.”
Embedded slides: Social Zombies: Rise of the Mobile Dead, from Tom Eston.
They also discussed privacy and security issues with Face Unlock and geofencing technology. Android 4.1 Jelly Bean offers Google Now which pushes out “cards” to users; the cards are modified based on what you do, where you go, how long it takes and even maps it. But they didn’t only pick on Android.
“The more integration, the more dangerous, the more chances to exploit,” they warned. In iOS 6, Facebook is integrated into the OS, as Twitter has been since iOS 5. So is Passbook, a “centralize integration point, designed to provide access!” Eston and Johnson then used the Target app as an example of apps contacting you based on your location: you walk into the store and your phone knows it, pulling up a coupon as soon as you walk in, and “that should creep the crap out of you.”
The Find My Friends app is built into iOS 6 and not only can track exactly where your friends are but also encourages that sharing. It could be used to track friends, a spouse, employees or an ex-spouse. An attacker could also glean a great deal of information from it, since the application data can be accessed.
Poor authorization and authentication were issues when they looked at some of the top apps, such as the CNN mobile app: it has an API key vulnerability in its Disqus comment system that “allows you to delete, update and modify user comments on the entire CNN website, passed in the GET request.” Eston told me, “I sent Turner Broadcasting the vulnerability details several weeks ago, but I haven’t got anything back.”
Did you know OAuth tokens are stored in property list (plist) files on Apple iOS? “Simply copy the p-list file to another device and you’re logged in as them!” There are OAuth tokens in lots of plist files, Dropbox's among them, and in apps that use Dropbox, such as password managers. Speaking of which, Password Keeper Lite stores passwords in plain text.
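A token that lives in a plist is only as protected as the file, which is why copying the file is enough to become the user. The check below is an added example of mine, not from the talk or any of the apps named: it walks a plist (XML or binary, via the standard library's plistlib) and reports leaves whose key names look like credentials, printing redacted values so the report itself does not leak them. The sample plist and every value in it are constructed.

```python
import plistlib
import re

# Key names that typically hold bearer credentials when an app writes them to
# a plist in its sandbox instead of the keychain.
SUSPECT_KEY = re.compile(
    r"(oauth|access|auth|session|refresh)[_-]?(token|secret)|password|passwd",
    re.IGNORECASE,
)


def walk(node, path=""):
    """Yield (dotted_path, value) for every leaf of a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def redact(value):
    """Keep just enough of a value to recognise it in a report without exposing it."""
    text = value if isinstance(value, str) else value.hex()
    if len(text) <= 8:
        return "*" * len(text)
    return text[:4] + "..." + text[-2:]


def find_credentials(plist_bytes: bytes):
    """Return [(path, redacted_value)] for leaves whose key looks like a credential.

    plistlib.loads accepts both XML and binary plists, which is what you find
    in an unencrypted device backup or an app container.
    """
    data = plistlib.loads(plist_bytes)
    hits = []
    for path, value in walk(data):
        leaf_key = path.rsplit(".", 1)[-1]
        if isinstance(value, (str, bytes)) and value and SUSPECT_KEY.search(leaf_key):
            hits.append((path, redact(value)))
    return hits


# Constructed sample of what an app's preferences plist might contain; every
# value here is made up for the example.
SAMPLE_PLIST = plistlib.dumps({
    "username": "alice",
    "oauth_token": "CONSTRUCTED-SAMPLE-TOKEN-0001",
    "oauth_token_secret": "constructed-secret-value",
    "settings": {"theme": "dark", "password": "hunter2"},
    "accounts": [{"provider": "dropbox", "access_token": "dbx-constructed"}],
})

# Constructed plist with no credential-like keys, for comparison.
BENIGN_PLIST = plistlib.dumps({"theme": "dark", "username": "alice"})

if __name__ == "__main__":
    for path, shown in find_credentials(SAMPLE_PLIST):
        print(f"{path}: {shown}  <- belongs in the keychain, not a plist")
```

Run it over every plist pulled from a backup or app container; a hit is a finding for the app's developer (move the secret to the keychain, which is encrypted and bound to the device), and the key pattern is the part you tune per app.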
Apple said it would ban or reject apps that access the UDID, yet Eston and Johnson gave these examples of apps that still use it: Draw Something, which connects to and shares the UDID with five different third parties for ads and marketing; Words with Friends, Redbox, United Airlines, Flipboard and even calculator apps. The Pinterest app uses Flurry for advertising and marketing, meaning Flurry snags the UDID, username, location, device model and whether a user is logged in or out; that adds up to a lot of information over a long period of time. All of those apps send the UDID to third-party services, some to as many as 5 – 20 third-party and analytics organizations.
While Eston's quotes are scattered throughout this article, when asked about some of the other biggest privacy and security issues from their presentation that concern them, Eston also included these:
In the near future, we will start to see more invasive facial recognition like “Facedeals” to provide social services like location based discounts. Even if you don’t “opt-in” this technology will still be scanning faces. What happens to this data and how is it controlled?
Mobile applications are far behind the curve from a security perspective. Mobile apps also introduce unique privacy issues such as UDID usage.
Users of social networks and mobile applications need to be aware of the information they share. Users need to become aware of what they are sharing and not blame third-party companies when their data is compromised or misused.
Mobile app security in general is like “living back in the world of 1999.” Simple things are too often overlooked, and assuming the client is secure opens up new privacy concerns. In other words, “All your data belongs to them.” The Facebook timeline correlates geolocation data from photos, status updates and more, and then maps it. Brewster combines contacts from Facebook, LinkedIn, who you follow on Twitter, your Gmail address book, FourSquare and your other address books, and uploads it all to a server so you can sort them by picture. The Instagram app maps photos; it was designed that way to correlate data and help arrange it, which is “great for attackers or stalkers.”
There is "mass data collection," from all over. It just never seems to end. Like some kind of new zombie game, users are programmed to react like unthinking zombies to constantly share via social media networking without stopping to consider these issues. Eston and Johnson gave a ton of examples and their thought-provoking social zombie presentation is worth watching.
Other Derbycon talks were posted on IronGeek.