Security Through Obscurity · 2019. 9. 3.
TRANSCRIPT
-
Security Through Obscurity... powered by HTTPS!
Peter Frühwirt, SBA Research | Sebastian Schrittwieser, FH St. Pölten
redacted version
-
Live-Demo on Wowtalk
-
[Diagram: Server, Attacker Phone, Target Phone, SMS Proxy]
1. (HTTPS): Request
2a. (SMS): PIN
2b. (HTTPS): PIN
-
SSL != protection against protocol analysis
-
SSL interception enables man-in-the-middle attacks
for protocol analysis purposes
-
transport layer encryption cannot replace good protocol design!
-
Certificates?
-
http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c
-
Quizduell
-
extremely popular in Germany
-
Let’s play a round of Quizduell ;)
-
Curiosity
-
November 2012 - May 2013
-
326 layers
-
69 billion small cubes
-
4 million players
-
3,000,000,000 coins for a diamond chisel
-
Bonus points for clearing the entire screen!
-
Parameter for multiplier is set by the server!
-
[...]&backgroundColor=blue&backgroundText=Curiosity&bonusMultiplier=10&hardwareID=&[...]
10000000
https://feelinsonice-hrd.appspot.com/bq/blob?id=898240380188930800r&req_token=d4bae532f7e2fae301a693acb7d9478c5cb0d1b8bb3d88b2d05e02ee1ed977ec&timestamp=1380188936948&username=blauggg
-
Photoswap
-
http://www.server.com/images/12345.jpg
http://www.server.com/images/12347.jpg
http://www.server.com/images/12349.jpg
http://www.server.com/images/12351.jpg
http://www.server.com/images/12353.jpg
-
for i in {1..12345}; do wget http://www.server.com/images/$i.jpg; done
-
Demo
-
Countermeasures?
-
Certificate Pinning
Verification that a particular certificate is used
-
Reduced costs
Increased security
Less flexibility
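The pinning check the slide describes, written out as an added example in Python's standard library (it is not code from the talk): the client compares the SHA-256 fingerprint of the server's DER-encoded leaf certificate against a set of known-good pins, in addition to normal chain validation. The PINS set and the two certificate byte strings are constructed stand-ins.

```python
# Added example (not from the talk): minimal certificate pinning with the
# standard library. A pin is the SHA-256 of the server's DER-encoded leaf
# certificate; the certificate bytes and PINS below are constructed.
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER bytes; this is the value a pin is compared to."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """True if the presented certificate matches one of the pinned fingerprints.
    compare_digest keeps the comparison constant-time; allowing several pins
    lets a backup certificate be rotated in without locking clients out."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in pins)


def connect_pinned(host: str, port: int, pins: set) -> ssl.SSLSocket:
    """Open a TLS connection and additionally require a pinned leaf cert.
    The default context still validates the chain first; the pin is the
    extra check that an interception proxy's own CA certificate fails."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} does not match a pinned fingerprint")
    return tls


# Constructed stand-ins: the bytes of the real server certificate and of a
# certificate issued by an interception proxy's CA. Real pins are computed
# from the server's actual DER certificate.
PINNED_CERT = b"constructed-der-bytes-of-the-real-server-cert"
PROXY_CERT = b"constructed-der-bytes-of-an-interception-proxy-cert"
PINS = {cert_fingerprint(PINNED_CERT)}
```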
-
[Chart: tested apps with certificate pinning vs. no certificate pinning; 75 % / 25 %]
Apps: Facebook, Facebook Messenger, Shazam, eBay, ÖBB Scotty, AntiVirus Security, Tango, Google Earth, LOVOO, Geizhals, Stocard, AutoScout24, wetter.com, Twitter, LogoQuiz, Whatsapp, Snapchat, Tinder, Navigon, Runtastic, iMessage, Quizduell, AppStore, Viber, Hike, Rublys
-
E-Banking apps?
Bank Austria
Erste Bank Sparkasse
Commerzbank
Eniteo DZ Bank
ING Diba
Raiffeisen Bank
Postbank
Union Bank
Volksbank
Volksbanken Raiffeisenbanken
Deutsche Bank
UBS Mobile Banking
Alpha Bank
Westpac Banking
BNI Internet Banking
BNP Paribas
Bank Republic
Targobank
-
never ever trust the client (even if it’s your own client)!
server-side validation of every client request
(the 80’s called and want their advice back)
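The Curiosity bonusMultiplier request from the earlier slide, handled two ways, as an added example that is not code from the talk or the game: a scorer that trusts the client-supplied multiplier, beside one that takes the multiplier from server-side session state and flags a request whose client value disagrees. The query string reuses the slide's parameter names; the session table and cube counts are constructed.

```python
# Added example (not from the talk): server-side validation of the
# bonusMultiplier parameter shown on the Curiosity slide. Parameter names
# come from the slide; session state and request values are constructed.
from urllib.parse import parse_qs

# Constructed request modelled on the slide, with the multiplier bumped
# by a tampering client (the slide showed a value of 10000000).
TAMPERED_QUERY = ("backgroundColor=blue&backgroundText=Curiosity"
                  "&bonusMultiplier=10000000&hardwareID=")
HONEST_QUERY = TAMPERED_QUERY.replace("10000000", "10")

# Assumed per-session state held by the server: the multiplier the player
# actually earned. This, not the request, is the source of truth.
SERVER_MULTIPLIER = {"session-42": 10}


class TamperedRequest(ValueError):
    """Raised when a client claims a value the server did not issue."""


def score_trusting_client(query: str, cubes_cleared: int) -> int:
    """Vulnerable: the multiplier is read straight from the request."""
    params = parse_qs(query, keep_blank_values=True)
    multiplier = int(params.get("bonusMultiplier", ["1"])[0])
    return cubes_cleared * multiplier


def is_tampered(query: str, session_id: str) -> bool:
    """True if the client-sent multiplier differs from the server's value.
    Worth logging per account: repeated mismatches identify modified clients."""
    params = parse_qs(query, keep_blank_values=True)
    claimed = params.get("bonusMultiplier", [None])[0]
    return claimed is not None and claimed != str(SERVER_MULTIPLIER[session_id])


def score_server_side(query: str, cubes_cleared: int, session_id: str) -> int:
    """Hardened: the multiplier comes from server state; the client's copy
    is only used to detect tampering, never to compute the score."""
    if is_tampered(query, session_id):
        raise TamperedRequest(f"{session_id}: client-supplied bonusMultiplier rejected")
    return cubes_cleared * SERVER_MULTIPLIER[session_id]
```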
-
secure side channel
establish a trusted second channel
-
Conclusions
-
‣ Many smartphone applications implement insecure protocols
‣ These protocols are hidden behind transport encryption, which does not prevent protocol analysis
‣ Don’t rely on Security through Obscurity
-
Peter Frühwirt
IT security researcher, SBA Research
Doctoral student, TU Wien
Mobile Security | Digital forensics in Databases
-
Sebastian Schrittwieser
Lecturer, Fachhochschule St. Pölten
Doctoral student, TU Wien
sebastian.schrittwieser@fhstp.ac.at
Code obfuscation | Fingerprinting of anonymized microdata
Mobile security | Digital forensics | Research ethics