PDA

View Full Version : PlaceRaider: The Military Smartphone Malware Designed to Steal Your Life




noneedtoaggress
07-22-2013, 11:43 AM
http://www.technologyreview.com/view/429394/placeraider-the-military-smartphone-malware-designed-to-steal-your-life/

The article is about a year old, but I hadn't heard of this before.


PlaceRaider: The Military Smartphone Malware Designed to Steal Your Life

The US Naval Surface Warfare Center has created an Android app that secretly records your environment and reconstructs it as a 3D virtual model for a malicious user to browse

http://www.technologyreview.com/blog/arxiv/files/91915/PlaceRaider.png

The power of modern smartphones is one of the technological wonders of our age. These devices carry a suite of sensors capable of monitoring the environment in detail, powerful data processors and the ability to transmit and receive information at high rates.

So it’s no surprise that smartphones are increasingly targeted by malware designed to exploit this newfound power. Examples include software that listens for spoken credit card numbers or uses the on-board accelerometers to monitor credit card details entered as keystrokes.

Today Robert Templeman at the Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of ‘visual malware’ capable of recording and reconstructing a user’s environment in 3D. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information.

Templeman and co call their visual malware PlaceRaider and have created it as an app capable of running in the background of any smartphone using the Android 2.3 operating system.

Their idea is that the malware would be embedded in a camera app that the user would download and run, a process that would give the malware the permissions it needs to take photos and send them.

PlaceRaider then runs in the background taking photos at random while recording the time, location and orientation of the phone. (The malware mutes the phone as the photos are taken to hide the shutter sound, which would otherwise alert the user.)

The malware then performs some simple image filtering to get rid of blurred or dark images taken inside a pocket for example, and sends the rest to a central server. Here they are reconstructed into a 3D model of the user’s space, using additional details such as the orientation and location of the camera.

A malicious user can then browse this space looking for objects worth stealing and sensitive data such as credit card details, identity data or calender details that reveal when the user might be away.

Templeman and co have carried out detailed tests of the app to see how well it works in realistic situations. They gave their infected phone to 20 individuals who were unaware of the malware and asked them to use it for various ordinary purposes in an office environment.

They then evaluated the resulting photos by asking a group of other users to see how much information they could glean from them. Some of these users studied the raw images while the others studied the 3D models, both groups looking for basic information such as the number of walls in the room as well as more detailed info such as QR codes and personal checks lying around.

Templeman and co say the tests went well. They were able to build detailed models of the room from all the data sets. What’s more, the 3D models made it vastly easier for malicious users to steal information from the personal office space than from the raw photos alone.

That’s an impressive piece of work that reveals some of the vulnerabilities of these powerful devices.And although the current version of the malware runs only on the Android platform, there is no reason why it couldn’t be adapted for other systems. “We implemented on Android for practical reasons, but we expect such malware to generalize to other platforms such as iOS and Windows Phone,” say Templeman and co.

They go on to point out various ways that the operating systems could be made more secure. Perhaps the simplest would be to ensure that the shutter sound cannot be muted, so that the user is always aware when the camera is taking a picture.

However that wouldn’t prevent the use of video to record data in silence. Templeman and co avoid this because of the huge amount of data it would produce but it’s not hard to imagine that this would be less of a problem in the near future.

Another option would be a kind of antivirus app for smartphones which actively looks for potential malware and alerts the user.

The message is clear–this kind of malware is a clear and present danger. It’s only a matter of time before this game of cat and mouse becomes more serious.

Ref: arxiv.org/abs/1209.5982: PlaceRaider: Virtual Theft in Physical Spaces with Smartphones

The Northbreather
07-22-2013, 11:49 AM
I've always assumed the possibility of this type of program and here it is.

:eek::mad:

tangent4ronpaul
07-22-2013, 12:50 PM
http://arxiv.org/abs/1209.5982

PlaceRaider: Virtual Theft in Physical Spaces with Smartphones
Robert Templeman, Zahid Rahman, David Crandall, Apu Kapadia
(Submitted on 26 Sep 2012)

As smartphones become more pervasive, they are increasingly targeted by malware. At the same time, each new generation of smartphone features increasingly powerful onboard sensor suites. A new strain of sensor malware has been developing that leverages these sensors to steal information from the physical environment (e.g., researchers have recently demonstrated how malware can listen for spoken credit card numbers through the microphone, or feel keystroke vibrations using the accelerometer). Yet the possibilities of what malware can see through a camera have been understudied. This paper introduces a novel visual malware called PlaceRaider, which allows remote attackers to engage in remote reconnaissance and what we call virtual theft. Through completely opportunistic use of the camera on the phone and other sensors, PlaceRaider constructs rich, three dimensional models of indoor environments. Remote burglars can thus download the physical space, study the environment carefully, and steal virtual objects from the environment (such as financial documents, information on computer monitors, and personally identifiable information). Through two human subject studies we demonstrate the effectiveness of using mobile devices as powerful surveillance and virtual theft platforms, and we suggest several possible defenses against visual malware.

Subjects: Cryptography and Security (cs.CR); Computer Vision and Pattern Recognition (cs.CV)
Cite as: arXiv:1209.5982 [cs.CR]
(or arXiv:1209.5982v1 [cs.CR] for this version)
Submission history
From: Robert Templeman [view email]
[v1] Wed, 26 Sep 2012 15:56:07 GMT (2556kb,DS)

http://arxiv.org/pdf/1209.5982v1

-t

tangent4ronpaul
07-22-2013, 01:05 PM
http://www.theregister.co.uk/2013/07/21/researcher_cracks_sim_crypto_to_own_phones_via_sms/


Researcher cracks SIM crypto to own phones via SMS
Java fingered as part of problem that has ITU urging global action
By Richard Chirgwin, 21st July 2013

A quarter of mobiles phones using DES encryption rather than the newer triple-DES for their SIM cards are vulnerable to an attack via SMS that results in a complete takeover of the phone.

German security researcher Karsten Nohl, founder of Berlin's Security Research Labs, who previously busted GPRS encryption and cracked transport smartcard encryption keys with a microscope, has told the New York Times and Forbes about the attack, which he will outline to the August Black Hat conference in Las Vegas.

While Nohl is holding back some details of the attack until his Black Hat talk, he says he has developed a technique that allows him to obtain the 56-bit DES encryption key of a SIM by sending a text message that spoofs the phone's operator. With the key in hand, a second text message will install software on the target device that takes over the phone completely – including eavesdropping and impersonation attacks.

“We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account”, Nohl told the NYT.

Forbes' report suggests Java Card, an Oracle product Big Red says "provides a secure environment for applications that run on smart cards and other devices with very limited memory and processing capabilities", is the source of the vulnerability.

Of the six billion mobiles currently in service, about half still use DES encryption. In a sample of 1,000 SIMs tested over two years, Nohl said one-quarter were vulnerable – which suggests as many as 750 million vulnerable devices are in the field.

Nohl has disclosed the vulnerability in full to the GSM Association, and the ITU is planning an advisory to all mobile phone operators. ®

-t

tangent4ronpaul
07-22-2013, 01:06 PM
http://www.theregister.co.uk/2010/07/29/cell_phone_snooping/


Cell phone eavesdropping enters script-kiddie phase
Get your GSM snooping tools here
By Dan Goodin, 29th July 2010

Black Hat Independent researchers have made good on a promise to release a comprehensive set of tools needed to eavesdrop on cell phone calls that use the world's most widely deployed mobile technology.

“The whole topic of GSM hacking now enters the script-kiddie stage, similar to Wi-Fi hacking a couple years ago, where people started cracking the neighbor's Wi-Fi,” said Karsten Nohl, a cryptographer with the Security Research Labs in Berlin who helped spearhead the project. “Just as with Wi-Fi, where they changed the encryption to WPA, hopefully that will happen with GSM, too.”

The suite of applications now includes Kraken, software being released at the Black Hat security conference on Thursday that can deduce the secret key encrypting SMS messages and voice conversations in as little as 30 seconds. It was developed by Frank A. Stevenson, the same Norwegian programmer who almost a decade ago developed software that cracked the CSS encryption scheme protecting DVDs.

It has been designed to work seamlessly with 1.7TB worth of rainbow tables that are used to crack A5/1, a decades-old encryption algorithm used to protect cell phone communications using GSM, which is used by about 80 percent of the world's mobile operators. A small confederation of researchers announced last year they were setting out to create the voluminous index, which exploits known weaknesses in the encryption formula.

Distributing the rainbow tables has proved to be a challenge to the project participants. Stevenson said people in Oslo, where he's located, are welcome to exchange a blank hard disk for one that contains the data. Eventually, the group expects to make the tables available as a BitTorrent.

The GSM Alliance, which represents almost 800 operators in 219 countries, pooh poohed the universal snooping plan by characterizing the attack as theoretical and saying encryption wasn't the only protection preventing eavesdropping on real-time communications.

That's where another tool, called AirProbe, comes in. An updated version of the program, also to be distributed Thursday, works with USRP radios to record digital signals as they pass from an operator's base station to a GSM handset. Combined with refinements in the open-source GNU radio, it works by pulling down voluminous amounts of data in real time as it travels to the targeted cell phone and storing only those packets that are needed to snoop on a call.

GSM insecurity is largely the result of widely known weaknesses in A5/1, the algorithm used to decrypt calls in most of the developed world. Years ago, mobile operators devised A5/3, which requires some quintillion more mathematical operations to be cracked. It has yet to be adopted as mobile operators fret that the change will be expensive and won't work on older handsets. Many countries continue to use A5/0, which uses no meaningful encryption at all.

The eavesdropping initiative is just one of the security pitfalls to hit the GSM standard. On Wednesday, a researcher calling himself “The Grugq” described several attacks that can be launched with standard handsets to disrupt network communications.

One, called RACHell, can take down nearby cellular towers by sending out a torrent of so-called RAC requests. The result is handsets in the immediate vicinity will be unable to send or receive messages. A separate attack he referred to as an IMSI detach can be used to prevent a given cell phone from receiving SMS messages and incoming calls. All that's needed is the target's phone number. ®

-t

tangent4ronpaul
07-22-2013, 01:08 PM
http://www.theregister.co.uk/2013/07/16/android_sig_vuln_analysis/


Pwn all the Androids, part II: Flaw in Java, hidden Trojan
Google pushes update but when will it land?
By John Leyden, 16th July 2013

Analysis Security researchers in China claim to have uncovered a second Android vulnerability that might be abused to modify smartphone apps without breaking their digital signatures.

The flaw, discovered by the "Android Security Squad", stems from a Java-based issue (explained on a Chinese language blog here, Google translation here).

The vulnerability is similar to the so-called master key vulnerability recently announced by researchers from mobile security start-up Bluebox Security and due to be explained in more depth in a upcoming presentation at Black Hat in Las Vegas at the start of next month.

Bluebox first notified Google about a potential problem back in February, months prior to going public on the issue.

The practical effect of both flaws is the same: miscreants could upload Trojan-laden versions of Android application packages (.APK files) onto online marketplaces. These backdoored apps would carry the same digital signature as undoctored copies of the APKs.

The Chinese discovery is a "different approach to achieve the same goal as with the previous exploit," Pau Oliva Fora, a mobile security engineer at ViaForensics, told Computerworld. Oliva Fora put together a (harmless) proof-of-concept exploit based on the Bluebox vulnerability last week.
Pack RAT

Bluebox Security has avoided going into details prior to its upcoming Black Hat presentation on 1 August but the work of Oliva Fora and other security researchers has revealed that the current Android app security shenanigans stem from duplicate filename trickery in Android application installer files rather than something more esoteric, such as a hash collision.

Android installation packages are compressed in containers that work like ZIP archive files. Regular ZIP utilities generally prevent you from having two files with the name in one archive but the ZIP format itself doesn't preclude duplicated filenames - so with a bit of hacking and tweaking, you can fairly easily create a utility to build an archive with repeated filenames.

It's this behaviour that spawns the vulnerability discovered by Bluebox Security, explains anti-virus veteran Paul Ducklin in a post on Sophos' Naked Security blog.

"Android's cryptographic verifier validates the first version of any repeated file in an APK archive, but the installer extracts and deploys the last version," Ducklin explains. "In other words, the APK passes its cryptographic tests at install time, even though what gets installed is bogus."
Chinese whispers

The Chinese vulnerability creates a means for miscreants to inject code into the headers of APKs without screwing with digital signatures. However the potential of the attack is limited because targeted files (of the type classes.dex) need to be smaller than 64K in size.

Google has already released a security fix to smartphone manufacturers covering both the Bluebox master key vulnerability and the flaw uncovered by the Chinese researchers, according to a statement from Jeff Forristal, CTO of Bluebox, received in response to our inquiries into the issue.

Bluebox had already sent disclosure to Google regarding the additional vulnerability discovered, prior to it being publicized in the referenced blog post. A (second) patch has already been released publicly (AOSP, Android Open Source Project) & to Google partners, although it is a bit too early to expect partners to have firmware updates containing the second patch ready for devices. A statement from Google indicates they scan for this vulnerability too in the Google Play Store, but Bluebox has not verified that statement.

Google has yet to respond to The Register's request for a comment on the vuln, so it remains unconfirmed whether or not Mountain View scans for modified applications that exploit either of the two vulnerabilities in its official Google Play store. Effective scanning would be little more complex than looking for duplicate filenames in APK files.
Stay away from those third-party apps

Google recently banned Google Play Store apps from updating outside the Play update mechanisms, as tech analysis blog GigaOM was among the first to note, so at least some protection is already in place.

Filters on Google Play don't do much to help users who install Android apps from third-party stores, of course.

Consumers and business users of Android devices won't really be protected until manufacturers roll out the Android software updates. Samsung is already pushing out a patch but other OEMs might be slower to react - and the whole process might take weeks, if not months.

Bluebox reckons 99 per cent of Android devices are vulnerable to the master key flaw. And that's without even considering devices out there that are still in use but no longer supported.

Almost all Android devices are vulnerable, since the vulnerability has existed since Android 1.6 (Donut), and only the Samsung Galaxy S4 has been patched to protect against it, Trend Micro warns.

A blog post by Trend providing an additional perspective on the problem, and taking issue with Bluebox's description of it as a master key vulnerability, can be found here.

"This vulnerability can be used to replace legitimate apps on an Android device with malicious versions," explains Jonathan Leopando, a member of Trend's technical communications team. "Apps with many permissions – like those from the phone’s manufacturer or the user’s service provider – are at particular risk.

"Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanised app for a bank would continue to work for the user, but the credentials would have been sent to an attacker," he adds. ®

-t

tangent4ronpaul
07-22-2013, 02:05 PM
Remember this? Start at about 11:50 and watch till about 19:00. If you read between the lines, he's talking about potentially taking control of every cell phone in a given area in order to identify someone by their signature (gait).


http://www.youtube.com/watch?feature=player_embedded&v=GUPd2uMiXXg

-t