More Related Content
What's hot
What's hot (20)
Similar to Huiming Liu-'resident evil' of smart phones--wombie attack
Similar to Huiming Liu-'resident evil' of smart phones--wombie attack (20)
More from GeekPwn Keen
More from GeekPwn Keen (12)
Recently uploaded
Recently uploaded (20)
Huiming Liu-'resident evil' of smart phones--wombie attack
- 1. "Resident Evil" of SmartPhones--Wombie Attack Huiming Liu Tencent Xuanwu Lab
- 3. ATTACKER Phone A Phone B
- 4. ATTACKER Phone A Phone B
- 5. ATTACKER Phone A Phone B
- 6. Demo Time
- 7. Technique Details 1.Firmware Patch 2.Wireless Zombie Implementation 3.Conclusion
- 8. Patch Firware? Why? • In a word, Launch Karma attack on a smartphone • Karma Attack • If you have ever connected to a WiFi, Your devices will frequently send probe request to find it. • Many devices will automatically connect if get correct responses, which is very easy to forge when the devices send directed probes. • Then, the devices may become MITM victims • How about on Latest smartphones?
- 9. Karma Attack! But on Android? • Latest Android Versions won’t send directed probe normally • However • All of them will send BROADCAST probe…we can use SSID dictionary to launch Karma Attack. • Add a network manually will STILL send directed probe • Some ROMs will send directed probe MISTAKENLY • How about being an attacker • WiFi chip on the SmartPhones can be both in STA and AP mode • SmartPhones are essentially mobile and of massive amount • If we can make the victim attack and infect another victim. The situation will be much worse
- 10. Patch Firware to Make phone infectious – How? • Reverse Engineering the firmware • Patch Probe Request Handler • Patch Association Request Handler
- 11. Patch Probe Request in the UCODE? NOT GOOD!
- 12. Instead, Forward Probe Request to Firmware Layer and Response! • Patch 1 line in UCODE to forward to firmware • hook sub_19610E • Call wlc_bcn_prb_template to generate template • Modify dst mac and ssid
- 13. Patch Association Request Handler (Nexus 5) -- How?
- 14. Patch Association Request Handler (Nexus 6p) -- How? • All required Information Elements’ parse function pointers are stored in an array dynamically created in Firmware(RAM) • Information Element SSID’s parse function is implemented in ROM (Hard to Modify) • So, we choose to modify the firmware instead of the ROM • hook a function(sub_1B03AC) in Firmware • Implement a SSID’s parse function • Replace its original parse function pointer with our new function pointer • Nexmon • C-based Firmware Patching Framework for Broadcom/Cypress WiFi Chips that enables Monitor Mode, Frame Injection and much more
- 16. Wombie Attack Process • Step1: Launch Karma attack to MITM other phones. • Step2: Get RCE by exploiting the vulnerabilities in the victims’ smartphones • Step3: Get Root Access and modify the firmware and set attack environment. • Step4: The victim infects another victim
- 17. What’s Inside Wireless Zombie? • 1. Background AP • 2. MITM module • 3. Exploit and Environment Setup module Background AP Traffic Hijack Module Exploit Payloads
- 18. • Google’s Latest data (OCT 2017): • Android version <=5.x 50% • Latest Android Release Version 0.2% • Version <= 4.x 22.3% How to get RCE/ROOT? Android Fragmentation!
- 19. Impact • Invisible Attack: • Doesn't rely on Internet to spread, so we can't detect it on the internet • Magnifier: • Easier to exploit & more severe consequences
- 20. Combined with Krack(ATTACK WPA2)? • Krack attack’s preconditions can be satisfied within our attack model. • Preconditions • Clone original wifi to a different channel • Monitor, block and send specific message • The way we can make it in our model • Nexmon to Intercept Packets. (OK) • Like running tcpdump in monitor mode and airbase-ng in the same time. (OK) • But the Exploit Scripts are not released now • Krack attack to WPA2 can be combined with our karma attack to launch and spread more easily
- 21. Conclusion • 1. Karma attack to smartphone is very dangerous due to android fragmentation and the smartphone’s mobility. • 2. To defend against this attack model, we must working with system security, wireless security, hardware security • 3. There’s no absolute security. Apart from the vendor’s effort, the users also need to pay more attention.