Introducing the Smartphone Pentesting Framework Georgia Weidman Bulb Security LLC Approved for Public Release, Distribution Unlimited.

Slides:



Advertisements
Similar presentations
ATK Space 9617 Distribution Avenue San Diego, California Tel: (858) Fax: (858) Website:
Advertisements

Innovation Towards a next generation secure internet Private Application Ecosystems Sanjay Deshpande CEO and Chief Innovation Officer Center.
Mobile device security Practical advice on how to keep your mobile device and the data on it safe.
Dynamic Analysis of Windows Phone 7 apps Behrang Fouladi, SensePost.
29 Oded Moshe, VP Products & IT Official Release May 24, 2011 SysAid 8.0.
CBIP Mobile App How Can I get it on to my clients mobile devices?
Kadra Alvaro April,2010. Introduction: The Android Platform Threats to Smartphones Android-Specific Threats How to Secure Your Android Device The Future.
Dissecting Android Malware : Characterization and Evolution
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
WebRTC & SIP E-SBC PBX Companion
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
KoolSpan Comparison to CellCrypt
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Smartphone Security How safe are you?. Main Points 1. Malware/Spyware 2. Other Mischief 3. How a phone might get infected 4. Staying Safe a. Malware b.
CS691 Robin Kimzey Cell Phone Security a little computer in your pocket an easy target for malcontents.
Browser Exploitation Framework (BeEF) Lab
1 Integrating ISA Server and Exchange Server. 2 How works.
Creating Online Class Communities Jennifer Dorman Discovery Education
Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
HOW TO USE INIGO. Hello, My Name Is Inigo… Lets walk through how to set up your company with Inigo. You will set up a business card on your phone serving.
Presentation By Deepak Katta
CHC DI Group. What We Will Cover Securing your devices and computers. Passwords. s. Safe browsing for shopping and online banks. Social media.
Cyber Crimes.
Drupal Security Securing your Configuration Justin C. Klein Keane University of Pennsylvania School of Arts and Sciences Information Security and Unix.
All Your Droid Are Belong To Us: A Survey of Current Android Attacks 단국대학교 컴퓨터 보안 및 OS 연구실 김낙영
Instant Messaging for the Workplace A pure collaborative communication tool that does not distract users from their normal activities.
Instant Messaging for the Workplace A pure collaborative communication tool that does not distract users from their normal activities.
Session 1.  Websites  Mobile Websites  WordPress Security  Reputation Marketing  Coming Soon ◦ Contractor Software ◦ Facebook Pages ◦ Mobile Apps.
ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.
1 The System Menu. 2 The System menu Dashboard Page displayed upon every login. It encompasses several boxes organised in two columns that provide a complete.
Mobile Security iPhone and Android OS. iPhone Security Features Find my iPhone Remote wipe Automated back up at sync Auto lock / passcode lock Wipe after.
Convenience product security Collin Busch. What is a convenience product? A convenience product is a device or application that makes your life easier.
Grants Management Training 200 Cyber Security There are two kinds of people in America today: Those who have experienced a cyber-attack and know it, and.
The “Five W’s” of Mobile Device Malware: W ho, W hat, W hen, W here, and W hy? … and What Can be Done About It? Kevin McPeak, CISSP, ITILv3 Technical Architect,
MobileSecurity Vulnerability Assessment Tools for the Enterprise Mobile Security Vulnerability Assessment Tools for the Enterprise Integrating Mobile/BYOD.
FriendFinder Location-aware social networking on mobile phones.
Mobile Banking Dangers Denise Butler Rick Hebert & Associates
Introduction to Security Dr. John P. Abraham Professor UTPA.
Computer Security By Duncan Hall.
IPhone Hacking for fun and profit Term Project for CAP 6135 Malware and Software Vulnerability Noah Guilbault and Zachary Neyland.
JMU GenCyber Boot Camp Summer, “Canned” Exploits For many known vulnerabilities attackers do not have to write their own exploit code Many repositories.
© 2015 IBM Corporation John Guidone Account Executive IBM Security IBM MaaS360.
Root Access By: Derek Grove. What Do I Mean By Root?  An account that by default has access to all commands and files on a linux or other Unix-like operating.
Mobile Security Tom Taylor. Roadmap Security Risks Security Risks Examples of Attacks Examples of Attacks Personal Protection Personal Protection Business.
A leap ahead... Darren Kearney Don Miller Ilya Pinchuk.
FLTCYBERCOM / C10F    U.S. FLEET CYBER COMMAND / U.S. TENTH FLEET    1 Overall Classification of this Briefing is UNCLASSIFIED//FOUO Phishing.
Mobile Device Security Threats Christina Blakley Host Computer Security.
ID8 TEAM 2012 Caroline Amaba Ryan Gavin Mike Hegadorn Greg McLeod John Scire Nirmal Rajan.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Android and IOS Permissions Why are they here and what do they want from me?
Joe Knight’s Company VPN Policy. What is VPN? Virtual Private Network (VPN) will allow you all as users to remote into the network from home or anywhere.
Mobile device security Practical advice on how to keep your mobile device and the data on it safe.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
How to Enable Account Key Sign Instead Of Password In Yahoo? For more details:
Mobile Devices in the Corporate World
To the ETS – Accounts Setup and Preferences Online Training Course
Software Applications for end-users
EBSCO eBooks.
Service Provider Best Practices
Advanced Chatting App Development Company
Mobile Pen Testing w/ drozer
Industry Best Practices – Security For Smartphones / Mobile Devices
Web Application Penetration Testing ‘17
9 ways to avoid viruses and spyware
The Effects of Jailbreaking on iPhone Security
To the ETS – Accounts Setup and Preferences Online Training Course
MyLion Registration Website | Mobile device
Multi-Factor Authentication
AXIA APP.
Presentation transcript:

Introducing the Smartphone Pentesting Framework Georgia Weidman Bulb Security LLC Approved for Public Release, Distribution Unlimited

Disclaimer “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI , January 8, 2009.

<3 to DARPA DARPA Cyber Fast Track program funded this project Without them I'd still be a junior pentester at some company Now I'm CEO! <3 <3 <3 <3 <3

The Problem: Smartphones in the Workplace

Smartphones in the workplace Access your data Store company s Connect to VPNs Generate 1 time passwords

Threats against smartphones: Apps Malicious apps steal your data, remotely control your phone, etc. Happens on all platforms. Some easier than others. If your employees have a malicious angry birds add-on what is it doing with your data?

Threats against smartphones: software bugs Browsers have bugs Apps have bugs Kernels have bugs Malicious apps, webpages, etc. can exploit these and gain access to data

Threats against smartphones: social engineering Users can be tricked into opening malicious links Downloading malicious apps

Threats against smartphones: jailbreaking Smartphones can be jailbroken Giving a program expressed permission to exploit your phone Once it is exploited, what else does the jailbreaking program do?

The Question A client wants to know if the environment is secure I as a pentester am charged with finding out There are smartphones in the environment How to I assess the threat of these smartphones?

What's out there now? Pentesting from Smartphones: zAnti Smartphone tool live cds: MobiSec (another DARPA project) Pentesting smartphone apps: Mercury Pentesting smartphone devices: ??

Structure of the framework

Framework console

Framework GUI

Framework Smartphone App

What you can test for Remote vulnerabilities Client side vulnerabilities Social engineering Local vulnerabilities

Remote Vulnerability Example Jailbroken iPhones all have the same default SSH password How many jailbroken iPhones have the default SSH password (anyone can log in as root)?

Client Side Vulnerability Example Smartphone browsers, etc. are subject to vulnerabilities If your users surf to a malicious page their browsers may be exploited Are the smartphone browsers in your organization vulnerable to browser exploits?

Social Engineering Vulnerability Example SMS is the new for spam/phishing attacks “Open this website” “Download this app” Will your users click on links in text messages? Will they download apps from 3 rd parties?

Local Vulnerability Example Smartphones have kernel vulnerabilities Used my jailbreaks and malicious apps Are the smartphones in your organization subject to local privilege escalation vulnerabilities?

Post exploitation Command shell App based agent Payloads: information gathering local privilege escalation remote control

Demos! Using the console Using the GUI Using the app Using an agent Using a shell Remote test Client side test Local test

Future of the Project More modules in each category More post exploitation options Continued integration with Metasploit and other tools Community driven features More reporting capabilities

Contact Georgia Weidman Bulb Security, LLC bulbsecurity.com georgiaweidman.com

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.