![CLICK AND DRAGGER
Denial and Deception on Android
- the grugq [ @thegrugq ]](https://image.slidesharecdn.com/mobileopsec-140404041557-phpapp01/85/Click-and-Dragger-Denial-and-Deception-on-Android-mobile-1-320.jpg)
![–Allen Dulles
“Never dial [the] number before having thought about
your conversation. Do not improvise even the dummy
part of it. But do not be too elaborate.The great
rule…is to be natural.”](https://image.slidesharecdn.com/mobileopsec-140404041557-phpapp01/85/Click-and-Dragger-Denial-and-Deception-on-Android-mobile-42-320.jpg)
![–Allen Dulles, Former Director of Central Intelligence
“Even if you do not use [the phone] carelessly
yourself, the other fellow, very often will, so in any
case, warn him.”](https://image.slidesharecdn.com/mobileopsec-140404041557-phpapp01/85/Click-and-Dragger-Denial-and-Deception-on-Android-mobile-44-320.jpg)
Click and Dragger: Denial and Deception on Android mobile
- 1. CLICK AND DRAGGER Denial and Deception on Android - the grugq [ @thegrugq ]
- 2. AGENDA • OPSEC Refresher • Phones Suck • Threat Model • Some Solutions • Conclusion
- 3. ABOUT ME
- 6. –Quellcrist Falconer “If you want to lose a fight, talk about it first”
- 8. DENIAL Prevent the adversary from gaining useful information
- 9. DECEPTION Feed the adversary false information
- 10. • Cover • Cover for action • Cover for status • Concealment • Compartmentation
- 11. –James Clapper, Director of National Intelligence “People must communicate.They will make mistakes and we will exploit them.”
- 12. PHONES SUCK
- 13. –Allen Dulles, Former Director of Central Intelligence “The greatest material curse to the profession, despite all its advantages, is undoubtedly the telephone.”
- 16. LOCATION • Specific location, e.g. home, work, etc. • Mobility pattern, from home, via commute, to work • Mirroring, two (or more) devices traveling together
- 17. NETWORK • Numbers dialed, (who you call) • Calls received, (who calls you) • Calling pattern, (number dialed, for how long, when, how frequently)
- 18. PHYSICAL • IMEI, mobile device ID (the serial number) • IMSI, mobile subscriber ID (the phone number)
- 19. CONTENT • Identifiers, e.g. names, locations • Voice fingerprinting • Keywords
- 20. SMARTPHONES • Ad network analytics • GPS • Apps scrape and upload content • Mothership pings • Android ID • MAC address
- 21. SMARTPHONES CONT. • IP address • WiFi beacons • Cameras • Gait analysis (via sensors)
- 22. THREAT MODEL
- 24. • Reporters are searched and interrogated • AJ reporters arrested for “spy equipment” • Mobile 3G access point • Militia members thought it looked “suspicious”
- 25. NOT NSA
- 26. USERS
- 27. SECURITY IS HARD WORK
- 29. USERS ARE LAZY
- 30. so are we
- 31. EASYTO USE
- 34. BURNER PHONES
- 35. WHAT ARETHEY GOOD FOR? • Threat actors without nation state level capabilities • Your mom • Building a non-operational legend • Flesh out a persona that doesn’t need protection
- 37. BURNER GUIDELINES • Dumber the better • Learn to disable completely (battery + SIM out) • Disable around locations linked to you (home!) • Never put in real information • Feel free to load with fake data https://b3rn3d.herokuapp.com/blog/2014/01/22/burner-phone-best-practices/
- 38. BURNER GUIDELINES, CONT. • Call non-operational numbers to chaff the analysis • Keep it short • Keep it simple • Get rid of it as soon as possible
- 39. BURNER GUIDE CONT. • Purchase using cash from smaller stores • Time delay before activation (months) • Dispose of with extreme prejudice
- 42. –Allen Dulles “Never dial [the] number before having thought about your conversation. Do not improvise even the dummy part of it. But do not be too elaborate.The great rule…is to be natural.”
- 43. • Keep it short, simple and natural • Prefer signalling over operational data • signalling > open codes > plain talk • Enter your conversation with a plan
- 44. –Allen Dulles, Former Director of Central Intelligence “Even if you do not use [the phone] carelessly yourself, the other fellow, very often will, so in any case, warn him.”
- 45. FORTRESS PHONE
- 46. NSA GUIDELINES • Two forms of encryption • Belts and braces • Data at rest • FDE + app encryption • Data in motion • VPN + app encryption
- 47. YOU CANNOT HAVE A SECURE ANDROID PHONE
- 48. BECAUSE IT IS A PHONE
- 49. BECAUSE IT IS ANDROID
- 51. YOU CAN'T BOLT ON SECURITY Android cannot be secured by adding apps
- 52. BUT WHAT IF I… No. Seriously, just no.
- 53. • Blackphone • For people with money • Samsung KNOX • For people who don’t want a secure phone
- 54. • GuardianROM • For people who like to reboot • CryptogenMod* • For DIY hackers * name subject to change
- 55. IS IT NSA-PROOF?
- 59. FEATURES • Lots of crypto • Robust against physical access • Resilient against network attacks • Impact containment
- 60. • Derived from CyanogenMod 11 • Stripped down (no browser, no analytics) • Advanced privacy patches • OpenPDroid + PDroid Manager • Secure application replacements
- 61. • Kernel hardening tweaks • A lot more work to be done here • Hardened userland • A lot more work to be done here
- 62. PROTECTION
- 63. • Local physical access • Remote hacking • Baseband hacking • Network monitoring • GSM monitoring
- 64. PHYSICAL • Forensic analysis • Encryption • Security Ratchet
- 65. REMOTE • Reduce attack surface dramatically • No browser, services, or email • No app store
- 66. BASEBAND • Nothing I can do • Except PORTAL • But it’s not the end of the world • BB exploits are finicky • BB design is everything (segmentation FTW)
- 67. NETWORK MONITORING • VPN direct to a secure backend • Limited information is exposed • Provides dual layer encryption
- 68. OPSEC STILL CRITICAL Secure phones can’t cure stupid.
- 69. DARKMATTER This App Kills Forensic Analysis
- 70. SECURE APP CONTAINERS + SECURE OPERATIONAL ENV
- 72. MOBILETRUECRYPT • Runs apps withinTrueCrypt containers • Automagically kills sensitive apps, then • mount -o bind … /data/data/$app
- 73. MOBILETRUECRYPT • tc-play https://github.com/bwalex/tc-play • Uses theTrueCrypt volume format • Supports outer and hidden volumes • Backend is dm-crypt not FUSE
- 74. MOBILETRUECRYPT • Why not use native /data encryption? • AES-256-XTS > AES-128-CBC • Use both
- 75. WIN STATES
- 78. HOW DO WE GETTHERE?
- 80. CHANGE SECURITY POSTURE BASED ON OBSERVATIONS OFTHE OPERATIONAL ENVIRONMENT
- 81. • Observe the operational environment • Monitor for SecurityEvents • Harden the security posture • Trigger SecurityActions
- 82. INDICATORS OF A NEGATIVE OPERATIONAL ENVIRONMENT
- 83. • Failed login • Timer • Temperature drop • Radio silence • Debugger attach • Receive alert • SIM removed
- 85. • Kill sensitive applications • Unmount file systems • Wipe files • Wipe ram • Reboot phone
- 86. DURESS CODES • Explicit duress codes don’t work • “of these two codes, only use this one when you’re under extreme stress. ps don’t forget” • “if you use the wrong code, you are severely punished”
- 90. RAISE NSA PRICE 2 PWN* * probably
- 91. THEY’LL ADAPT
- 93. THANKS!
- 94. QUESTIONS?