Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications (NDSS Symposium 2012)
Sebastian Schrittwieser, Peter Frühwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar Weippl
SBA Research gGmbH, Vienna, Austria
Outline
• Introduction
• Related Work
• Mobile Messaging Applications
• Evaluation
• Results
• Conclusion
Introduction
• In recent months a new generation of mobile messaging and VoIP applications for smartphones was introduced.
• These services, built on a novel user authentication concept, offer free calls and text messages.
• The main contribution of our paper is an evaluation of the security of these mobile messaging applications.
Introduction
Related Work
• User authentication is a popular field of research in information security, especially applied to distributed systems or for web services.
• Smartphone application security has been evaluated in the past, but those evaluations did not cover mobile messaging services.
• Recently, cloud storage services have attracted the interest of security researchers analyzing the implications of faulty authentication in that area.
Mobile Messaging Application
• All applications analyzed in this paper have one thing in common: They use the user’s phone number as the basis for identification.
• iOS does not allow applications to access the phone number, but Android does.
• The benefit of typing in the number is that a WiFi-only tablet can be activated using the phone number of another device.
• An attacker could enter someone else’s phone number and hijack that account.
Messaging Application
Evaluation
• Authentication Mechanism and Account Hijacking
• Sender ID Spoofing/Message Manipulation
• Unrequested SMS/phone calls
• Enumeration
• Modifying Status Messages
Authentication Mechanism and Account Hijacking
Figure: sequence diagram of the verification flow with participants Attacker, Victim and Server; labelled messages: Code (SMS) to the victim’s phone, Code, Code.
Sender ID Spoofing/Message Manipulation
Figure: sequence diagram with participants Attacker, Victim and Server; labelled messages: Message, Modify Sender ID.
Unrequested SMS/phone calls
Figure: sequence diagram with participants Attacker, Victim1, Victim2 and Server; labelled messages: Code (SMS) to Victim1’s phone, Code (SMS) to Victim2’s phone.
Enumeration
Figure: diagram with participants Attacker and Server; labelled data: Attacker’s Address Book, Other user’s information.
Modifying Status Messages
• We analyzed the protocol for setting the status message and explored possible vulnerabilities that could result in unauthorized modification of status messages.
• In practice, this approach would likely be combined with some sort of enumeration attack.
Experimental Setup
Result
Account Hijacking
WowTalk
EasyTalk
HeyTell
• No verification.
Viber, Forfone, eBuddy XMS
• The authentication mechanisms of Forfone and eBuddy XMS are similar to Viber’s.
Tango, Voypi
• If the number is not yet registered for the service, no verification is done.
• Only if the number is already known to the system is a verification process via SMS performed.
Sender ID Spoofing
• Other applications use the Extensible Messaging and Presence Protocol (XMPP).
Unrequested SMS
• All examined applications had some kind of timeout that thwarted real mass spamming.
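The flow on the "Authentication Mechanism and Account Hijacking" slide, the Tango/Voypi finding (no verification for unknown numbers) and the timeout mentioned above all concern the same server-side component. The following is an added example, not code from the paper or from any of the evaluated applications: a minimal model of a registration server in which ownership of a phone number is proven only by a server-generated code delivered out of band by SMS, with every registration verified regardless of whether the number is already known, a per-number cooldown on code delivery, and an attempt cap. The class names, policy values, the device identifiers and the sample number are constructed for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy knobs (constructed values, not taken from any of the evaluated apps)
CODE_TTL_SECONDS = 300        # a code is only valid for five minutes
MAX_CODE_ATTEMPTS = 3         # then the pending verification is discarded
SMS_COOLDOWN_SECONDS = 60     # at most one code SMS per number per minute


@dataclass
class PendingVerification:
    code: str
    issued_at: float
    attempts: int = 0


class RegistrationServer:
    """Server-side model of phone-number verification (hypothetical).

    The only evidence of number ownership the server accepts is the code it
    sent out of band (by SMS) to that number. Whether the number is already
    registered plays no role: every registration is verified.
    """

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms     # callable(number, text): out-of-band delivery
        self.clock = clock
        self.registered = {}         # number -> device id that proved ownership
        self.pending = {}            # number -> PendingVerification
        self.last_sms = {}           # number -> time of the last code SMS

    def request_code(self, number, device_id):
        now = self.clock()
        # Per-number cooldown: re-requesting codes for the same number cannot
        # turn the registration endpoint into a source of unrequested SMS.
        if now - self.last_sms.get(number, float("-inf")) < SMS_COOLDOWN_SECONDS:
            return "rate_limited"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = PendingVerification(code=code, issued_at=now)
        self.last_sms[number] = now
        self.send_sms(number, f"Your verification code is {code}")
        return "code_sent"           # the code never travels back to the requester

    def confirm(self, number, device_id, submitted_code):
        now = self.clock()
        pv = self.pending.get(number)
        if pv is None:
            return "no_pending"
        if now - pv.issued_at > CODE_TTL_SECONDS:
            del self.pending[number]
            return "expired"
        pv.attempts += 1
        if pv.attempts > MAX_CODE_ATTEMPTS:
            del self.pending[number]
            return "locked"
        # Constant-time comparison; the server, not the client, decides.
        if not hmac.compare_digest(pv.code, submitted_code):
            return "wrong_code"
        del self.pending[number]
        self.registered[number] = device_id
        return "registered"


class UnverifiedIfUnknownServer(RegistrationServer):
    """The weak policy the slides describe for Tango and Voypi: a number not yet
    known to the service is registered without any verification (hypothetical model)."""

    def request_code(self, number, device_id):
        if number not in self.registered:
            self.registered[number] = device_id
            return "registered_without_verification"
        return super().request_code(number, device_id)


def run_scenario():
    """Constructed walk-through: a device that does not own the number claims it."""
    inbox = {}                                   # simulated SMS delivery, keyed by number
    now = [1_000_000.0]                          # controllable clock
    srv = RegistrationServer(send_sms=lambda n, t: inbox.setdefault(n, []).append(t),
                             clock=lambda: now[0])
    victim = "+16195550100"                      # constructed sample number
    r = {}
    r["request"] = srv.request_code(victim, "attacker-device")
    r["repeat_request"] = srv.request_code(victim, "attacker-device")   # hits cooldown
    real = srv.pending[victim].code
    wrong = "000000" if real != "000000" else "000001"
    r["guesses"] = [srv.confirm(victim, "attacker-device", wrong)
                    for _ in range(MAX_CODE_ATTEMPTS + 1)]
    # Only the phone holding the SIM saw the SMS; after the cooldown it completes.
    now[0] += SMS_COOLDOWN_SECONDS
    r["victim_request"] = srv.request_code(victim, "victim-device")
    r["victim_confirm"] = srv.confirm(victim, "victim-device", inbox[victim][-1].split()[-1])
    r["owner"] = srv.registered[victim]
    weak = UnverifiedIfUnknownServer(send_sms=lambda n, t: None, clock=lambda: now[0])
    r["weak_policy"] = weak.request_code(victim, "attacker-device")
    r["weak_owner"] = weak.registered[victim]
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

In the strict model the requesting device learns nothing from the server's response except that a code was sent, so a device without the SIM is limited to a handful of guesses before the pending verification is discarded; the weak subclass shows why "verify only known numbers" leaves the first claimant of any number unchecked.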
Unrequested SMS (Cont.)
Enumeration
• We selected the US area code 619, which covers the southern half of the city of San Diego, CA, and enumerated the entire number range from 000-0000 to 999-9999.
• 21,095 valid phone numbers use WhatsApp (the enumeration took 2.5 hours).
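The enumeration works because the contact-discovery endpoint answers for any address book it is given. As an added example that is not part of the slides or of any evaluated service, the following server-side monitor scores each contact-upload batch with three signals a real address book rarely shows: an oversized batch, a high fraction of consecutive numbers, and a cumulative count of distinct numbers per client far beyond any plausible contact list. The thresholds, the client identifiers and the traffic (one ordinary address book and a client walking a slice of the 619 range) are constructed for illustration.

```python
import random
from collections import defaultdict

# Detection thresholds (constructed; tune to the service's real address-book sizes)
MAX_NUMBERS_PER_BATCH = 5_000          # no real address book is this large
SEQUENTIAL_FRACTION_THRESHOLD = 0.5    # consecutive numbers look like a scan, not contacts
MAX_DISTINCT_PER_WINDOW = 50_000       # cumulative distinct numbers per client per window
WINDOW_SECONDS = 3_600


def sequential_fraction(numbers):
    """Fraction of adjacent pairs (after sorting) that differ by exactly one."""
    digits = sorted({int(n.lstrip("+")) for n in numbers})
    if len(digits) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return adjacent / (len(digits) - 1)


class ContactSyncMonitor:
    """Scores each contact-upload batch against per-batch and per-client limits (hypothetical)."""

    def __init__(self):
        self.history = defaultdict(list)   # client id -> [(timestamp, set of numbers)]

    def observe(self, client_id, numbers, ts):
        alerts = []
        if len(numbers) > MAX_NUMBERS_PER_BATCH:
            alerts.append("oversized_batch")
        if sequential_fraction(numbers) > SEQUENTIAL_FRACTION_THRESHOLD:
            alerts.append("sequential_range")
        # Sliding window of everything this client has uploaded recently
        kept = [(t, s) for t, s in self.history[client_id] if t >= ts - WINDOW_SECONDS]
        kept.append((ts, set(numbers)))
        self.history[client_id] = kept
        distinct = set().union(*(s for _, s in kept))
        if len(distinct) > MAX_DISTINCT_PER_WINDOW:
            alerts.append("excessive_distinct_numbers")
        return alerts


def analyze_samples():
    """Constructed traffic: one ordinary address book and one client walking the 619 range."""
    mon = ContactSyncMonitor()
    rng = random.Random(2012)
    base = 1_600_000_000.0
    # An ordinary user: 300 unrelated numbers in area code 619 (constructed)
    book = [f"+1619{rng.randrange(10**7):07d}" for _ in range(300)]
    results = {"address_book": mon.observe("user-A", book, base)}
    # A scanning client: 60 batches of 1,000 consecutive numbers, ten seconds apart
    first_cumulative_alert = None
    alerts = []
    for i in range(60):
        start = 6_190_000_000 + i * 1000
        batch = [f"+1{start + k}" for k in range(1000)]
        alerts = mon.observe("client-X", batch, base + 10 * i)
        if i == 0:
            results["scanner_first_batch"] = alerts
        if first_cumulative_alert is None and "excessive_distinct_numbers" in alerts:
            first_cumulative_alert = i + 1
    results["scanner_last_batch"] = alerts
    results["first_cumulative_alert_batch"] = first_cumulative_alert
    return results


if __name__ == "__main__":
    for k, v in analyze_samples().items():
        print(f"{k}: {v}")
```

The sequential-range signal fires on the very first batch of a range walk, while the cumulative signal catches a client that spreads smaller or shuffled batches over time; a service would typically throttle or suspend the client once either fires rather than merely log it.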
Other Vulnerabilities
• WowTalk
• Voypi
Conclusion
• Future work might include security assessments of upcoming solutions slated for mass adoption such as Apple’s iMessage.
• Furthermore, research towards an authentication scheme suitable as a best practice template for newly developed applications would be a welcome addition.