In, Mobile Hacking 101, the first article in my new column on The Ethical Hacker Network, I felt it was appropriate to start from the beginning. Offer up a primer if you will to give the readers a brief synopsis of where we’ve been and where we’re heading in regards to smartphones, their security and their determined march into the enterprise. Now that the basics have been covered, it’s now time to start digging deeper into the technical aspects of smartphone security. The logical next step is to set the foundation of a mobile penetration testing lab and eventually enter the live testing phase. That’s where the Smartphone Pentest Framework (SPF) enters the picture. Being the developer of this project, I thought it might be interesting to give you a personal tour.
Often when I try to tell people about SPF, they naturally jump to the conclusion that this is a tool to let you run Nmap or Metasploit on a smartphone. While that is certainly cool, it’s been done before. SPF takes the opposite angle. Instead of pentesting from a smartphone (though some attacks in SPF can be launched from an on-device app), our goal is to instead perform a pentest of the mobile devices themselves. As mobile devices are joining more corporate networks every single day, do organizations have a security standard in place? If so, is it being properly enforced? Even if it is, do the smartphones in the environment open you up to total compromise as they access internal networks with direct access to sensitive resources, receive and store sensitive emails, and a wide variety of other security red flags? For this reason, all mobile devices should be in your organizations’ penetration testing activities. Like Metasploit for network pen testing, SPF is a tool to help make it easier to pen test those pesky mobile devices.
First released at Black Hat USA 2012, SPF is the product of a DARPA Cyber Fast Track grant. SPF is now a community driven open source product. One of my favorite things about SPF is the ability to hook up to a mobile modem that you already have. Many of the attacks both in the wild and in SPF against smartphones originate using the mobile modem for example, via an SMS (text message) with a malicious link. Rather than calling out to a paid SMS gateway on the Internet, SPF allows you to use the mobile modems you already own utilizing the phone plan you already purchased with your chosen provider. SPF can attach to your smartphone via an on device app, allowing SPF to use the phone’s built-in modem. SPF can also attach to a USB mobile modem. This feature alone allows this free, open source tool to save you money. Not bad, huh?
Currently SPF has modules spanning remote exploits, client-side attacks, social engineering, and post exploitation. Though still in its early stages, SPF is rapidly expanding to include new exploits and functionality. The only thing missing is your input. How could SPF help you assess the security of mobile devices in your environment? If you had control over a corporate phone, what information would you most like to gather in the post exploitation phase? SPF is actively soliciting ideas from the community, and, if you are a coder looking for an open source project to work on, we would be glad to include your contributions to SPF. For now here’s an introduction to SPF in action.
Georgia Weidman’s First Look the Smartphone Pentest Framework (SPF)
Useful Links for the Smartphone Pentest Framework
Download SPF: http://www.bulbsecurity.com/smartphone-pentest-framework/download/
Bulb Security: http://www.bulbsecurity.com/
My Site: http://www.georgiaweidman.com/
SPF Forums: http://www.bulbsecurity.com/phpbb
The best place to go for the newest updates about SPF: http://www.twitter.com/georgiaweidman (@georgiaweidman) or contact me directly at georgia (at) bulbsecurity . com.
Until next month…
Georgia Weidman is a penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security as well as CISSP, CEH, NIST 4011, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has presented her research at conferences around the world such as Shmoocon, Blackhat, Security Zone, Hack in the Box, and Derbycon. Georgia has delivered highly technical security training for conferences, schools, and corporate clients to excellent reviews. Building on her experience, Georgia recently founded Bulb Security, LLC a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to build the Smartphone Pentest Framework, a tool that allows users to integrate mobile device security into traditional penetration tests.