On the Feasibility of Large-Scale Infections of iOS Devices

Slides:

Advertisements

Similar presentations

Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.

Advertisements

Enabling Secure Internet Access with ISA Server

Objectives Overview Define an operating system

Operating Systems Concepts 1/e Ruth Watson Chapter 11 Chapter 11 Network Maintenance Ruth Watson.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

How’s My Network (HMN)? A Java approach to Home Network Measurement Alan Ritacco, Craig Wills, and Mark Claypool Computer Science Department Worcester.

SESSION ID: #RSAC Chaz Lever Characterizing Malicious Traffic on Cellular Networks A Retrospective MBS-W01 Researcher Damballa,

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.

Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.

Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

1 Integrating ISA Server and Exchange Server. 2 How works.

8/10/2015Windows 71 George South. 8/10/2015Windows Windows Vista Windows Vista was released in January 2007 some five years after Windows XP Vista.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

1 Enabling Secure Internet Access with ISA Server.

Printing Terminology. Requirements for Network Printing At least one computer to operate as the print server Sufficient RAM to process documents Sufficient.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Remote Accessing Your Home Computer Using VNC and a Dynamic DNS Name.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

1 Linux Networking and Security Chapter 3. 2 Configuring Client Services Configure DNS name resolution Configure dial-up network access using PPP Understand.

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.

BotNet Detection Techniques By Shreyas Sali

Csci5233 Computer Security1 Bishop: Chapter 27 System Security.

Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.

Managing Windows Server 2008 R2 Lesson 2. Objectives.

1 Chapter 6: Proxy Server in Internet and Intranet Designs Designs That Include Proxy Server Essential Proxy Server Design Concepts Data Protection in.

Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.

Explain the purpose of an operating system

Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.

1 Tradedoubler & Mobile Mobile web & app tracking technical overview.

2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.

Chapter 13 Users, Groups Profiles and Policies. Learning Objectives Understand Windows XP Professional user accounts Understand the different types of.

REMOTE LOGIN. TEAM MEMBERS AMULYA GURURAJ 1MS07IS006 AMULYA GURURAJ 1MS07IS006 BHARGAVI C.S 1MS07IS013 BHARGAVI C.S 1MS07IS013 MEGHANA N. 1MS07IS050 MEGHANA.

COSC 513 Operating Systems Project Presentation: Internet Security Instructor: Dr. Anvari Student: Ying Zhou Spring 2003.

MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.

Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003.

CERN - European Organization for Nuclear Research Beyond ACB – VPN’s FOCUS June 13 th, 2002 Frédéric Hemmer & Denise Heagerty- IT Division.

1 Week #5 Routing and NAT Network Overview Configuring Routing Configuring Network Address Translation Troubleshooting Routing and Remote Access.

Wireless and Mobile Security

CTC228 Nov Today... Catching up with group projects URLs and DNS Nmap Review for Test.

Unit 2 - Hardware Networking. What is a network? A computer network is essentially a connection between two or more computers. This connection can be.

Chapter 9 Operating Systems Discovering Computers Technology in a World of Computers, Mobile Devices, and the Internet.

General Concerns on WWW Security Name: Huaying Chen ID# Instructor: Dr Mort Anvari.

Configuring and Deploying Web Applications Lesson 7.

1 Modeling and Measuring Botnets David Dagon, Wenke Lee Georgia Institute of Technology Cliff C. Zou Univ. of Central Florida Funded by NSF CyberTrust.

Mark Shtern.  Our life depends on computer systems  Traffic control  Banking  Medical equipment  Internet  Social networks  Growing number of.

Speaker: Hom-Jay Hom Date:2009/10/20 Botnet Research Survey Zhaosheng Zhu. et al July 28-August

Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.

LO2 Understand the key components used in networking.

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.

© 2014 IBM Corporation Mobile Customization & Administration IBM Connections 5.0 Workshop Author: Paul Godby IBM Ecosystem Development Duration: 30 minutes.

Android and IOS Permissions Why are they here and what do they want from me?

SMOOTHWALL FIREWALL By Nitheish Kumarr. INTRODUCTION  Smooth wall Express is a Linux based firewall produced by the Smooth wall Open Source Project Team.

Standard Demo 1 © Hacking Team All Rights Reserved.

Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.

Pass Microsoft Installing and Configuring Windows Server 2012 exam in just 24 HOURS! 100% REAL EXAM QUESTIONS ANSWERS Microsoft Installing.

CHAPTER 7 Operating System Copyright © Cengage Learning. All rights reserved.

MaaS360 MDM for iOS, Android & Windows Phone 7

How to use Library Kindle Books

How to use Library Kindle Books

Module 8: Networking Services

Connecting Remotely Winter 2014.

Presentation transcript:

On the Feasibility of Large-Scale Infections of iOS Devices Tielei Wang, Yeongjin Jang, Yizheng Chen, Simon Chung, Billy Lau, and Wenke Lee Georgia Institute of Technology

Outline Background and Motivation Security Risks in Connecting iOS Devices to Compromised PCs Measurement Results Conclusion

Jekyll on iOS [USENIX Security’13] We created a seemingly benign app named Jekyll and published it on the Apple App Store Jekyll can be instructed to carry out malicious tasks by reordering and rearranging benign functionalities Conclusion: Apple’s vetting process cannot prevent malicious apps

Key Limitation of Jekyll Apps Jekyll apps did not get a lot of downloads Malicious apps, like any other apps, have the challenge of attracting attention from users Such apps can only affect a limited number of iOS users who accidentally download and run them

Motivation Is it feasible to proactively deliver malicious apps to iOS devices at scale?

Attack Vector We reviewed the iOS app distribution channels, and confirmed that PCs become a new attack vector to iOS devices Install or remove apps Access data in mobile devices

Contributions Demonstrated security risks in connecting iOS devices to compromised computers Measured the overlap between iOS devices and compromised Windows PCs

Outline Background and Motivation Security Risks in Connecting iOS Devices to Compromised PCs Measurement Results Conclusion

Attack I: Delivery of Jekyll Apps Intuition: Attacker downloads a Jekyll app, and then injects the Jekyll app to plugged-in iOS devices Challenge: Digital Rights Management (DRM) technology in iOS prevents users from sharing apps among arbitrary iOS devices

FairPlay DRM Downloading apps from the App Store requires an Apple ID User attempting to run an app downloaded by a different Apple ID on his iOS device needs to first enter the correct Apple ID and password How to bypass the DRM protection?

Key Observation: iTunes Syncing iTunes with Apple ID A iOS device with Apple ID B iTunes can authorize an iOS device with a different Apple ID to run its apps After syncing, apps purchased by Apple ID A can also run on the iOS device

The Detailed Process iTunes with Apple ID A iOS device with Apple ID B

The Man-in-the-Middle syncing iTunes with Botmaster's Apple ID A iOS device with Apple ID B

Attack I Summary Attackers can remotely instruct an already compromised computer to install apps on a connected iOS device, completely bypassing DRM checks Even if an app has been removed from the App Store, attackers can still distribute their own copies to iOS users Although Apple has absolute control of the App Store, attackers can leverage MitM to build a covert distribution channel of iOS apps

Attack II: Delivery of Attacker-Signed Apps Apple allows developers to test their apps on iOS devices through a process called device provisioning A compromised computer can be instructed to provision a plugged-in iOS device without user knowledge It allows the computer to further install any app signed by the attacker

Attack III: Stealing Credentials iOS Sandboxing Each app has a unique home directory for its file Apps are restricted from accessing files stored by other apps or from making changes to the device

Attack III: Stealing Credentials Many iOS apps store credentials in plaintext, because the developers presume that the iOS sandbox can prevent other apps from accessing files in their apps’ home directories

Attack III: Stealing Credentials However, from a USB connection, a host computer has access to the contents of all apps

Attack III: Stealing Credentials As a proof of concept, we implemented a tool that can retrieve the cookies of Facebook and Gmail apps from a USB-connected iOS device By reusing the cookies, we successfully logged in as the iOS user via the web services for both Facebook and Gmail

Outline Background and Motivation Security Risks of Connecting iOS Devices to Compromised PCs Measurement Results Conclusion

The Goal of the Measurement To quantitatively estimate how many users would connect iOS devices to compromised PCs Compromise PCs iOS Devices

Two Main Datasets DNS Query Dataset Labeled C&C Domains Obtained from two large ISPs in the US, collected in 13 cities for five days in Oct 2013 54 million client IDs, 62 million queries, and 12 billion records daily from 13 sensors in total Labeled C&C Domains Obtained command and control (C&C) domain names for botnets that Damballa is tracking

We know DNS queries from this IP address Basic Information We know DNS queries from this IP address 192.168.0.1 192.168.0.2 Home Network Internet NAT 192.168.0.3 143.215.130.78

Step1: Determine Bot Population If a CID queried any C&C domain in a day, we consider it as having a bot at home for that day 192.168.0.1 192.168.0.2 Home Network Internet 192.168.0.3 473,506 infected CIDs on 10/12/2013.

After excluding Mac OS X, we have 466,540 bot CIDs Step2: Exclude Mac OS X Mac OS X is set to automatically check for security updates daily since version 10.6 swscan.apple.com swquery.apple.com swdist.apple.com swdownload.apple.com swcdn.apple.com 192.168.0.1 Home Network Internet 192.168.0.3 After excluding Mac OS X, we have 466,540 bot CIDs

Step3: Determine coexistence of iOS We used unique domains from two default apps and one service in iOS (the Weather app, Stocks app, and Location Services) to get a lower bound of CIDs containing iOS devices 192.168.0.1 Home Network Internet 192.168.0.3 Of 466,540 CIDs without Mac OS X traffic, 142,907 queried these domains

Step4: Determine Windows iTunes Purchases Connecting iOS devices to a PC does not generate observable network traffic

Step4: Determine Windows iTunes Purchases More evidences If iTunes is installed on a user’s PC and is also used to purchase some items from the App Store, the user will eventually connect her iOS devices to the PC

Step4: Determine Windows iTunes Purchases Solution: Leverage iOS heartbeat DNS queries iOS devices must send an HTTP request to init-p01st.push.apple.com to get push server configurations at least every 1,800s Heartbeat Query App Store Purchase time 2-hour time-windows Issued from Windows PC Issued from iOS

Measurement Summary 23% of all bot population have connections with iOS devices

Measurement Summary 23% of all bot population have connections with iOS devices

Outline Background and Motivation Security Risks of Connecting iOS Devices to Compromised PCs Measurement Results Conclusion

Conclusion Demonstrated attacks: Bypass Apple DRM and install Apple-signed malicious apps Stealthily provision the devices and install attacker-signed malicious apps Obtain app credentials (e.g., Gmail and Facebook cookies) Measurement Results: 23% of all bot population have connections with iOS devices

Questions?