Is your Iphone Pwned? Auditing, Attacking and Defending Mobile Devices

Presented at DEF CON 17 (2009), July 31, 2009, 10 a.m. (50 minutes)

The world has never been more connected. Over a billion mobile devices ship every year, five times the number of PCs in the same period. The iPhone and Android have accelerated the mass adoption of smart devices, mobile applications, and high-speed mobile networks. Meanwhile, mobile devices are now a material target: they contain sensitive personal and corporate data, access privileged networks, and routinely perform financial transactions. The question remains, how do we keep these devices safe? Learn about how to detect vulnerabilities on mobile devices, exploitation techniques, how the security architecture of major mobile platforms works, and how to protect your mobile device(s) in the threat landscape of a constantly evolving mobile world. We'll be demonstrating a new mobile device vulnerability (we're also providing a hotfix tool) and analyzing other vulnerabilities that affect major mobile platforms, one of which is already being actively exploited in the wild. To top it off, we will be releasing our 'Sniper' mobile fuzzing framework, a tool specifically designed to fuzz mobile platforms that includes support for major file formats and protocols typically present on mobile devices.

Presenters:

  • Anthony Lineberry - Security Researcher
    Anthony Lineberry is a security researcher from Los Angeles who has been active in the security community for many years, specializing in reverse engineering code, researching vulnerabilities, and advanced exploitation development. He has written an open source kernel from scratch, helped with the first iPhone jailbreak, and feels uncomfortable speaking in the 3rd person. Professionally his experience includes working as a security researcher for McAfee, NeuralIQ, and currently with Flexilis. He has spoken previously at SCaLE and BlackHat.
  • John Hering - co-founder of Flexilis Mobile Security
    John Hering, co-founder of Flexilis mobile security, specializes in mobile security research and development with a focus on intelligence and emerging threats. Past projects include the "BlueSniper" project, which resulted in a world-record-setting attack of a Bluetooth-enabled mobile device from a distance of over 1.12 miles. John has studied Policy, Planning, and Development at the University of Southern California and has extensive experience with information security, policy, and wireless communications technologies.
  • Kevin Mahaffey - co-founder and CTO of Flexilis
    Kevin Mahaffey is a co-founder and the Chief Technology Officer of Flexilis. He has previously spoken at Blackhat, DefCon, and Microsoft's BlueHat conference on security topics including RFID security, commercial surveillance, and mobile security. Kevin studied Electrical Engineering at the University of Southern California and enjoys photography, snowboarding, unit tests, clean code, and building things that make people happy.
