Introducing SCS Speaker Jérémy Matos
For the average user, the selection of the secure messaging app does not matter very much anymore. All the options bring you end-to-end encryption and even if they are not perfect for paranoid users, they certainly do the job for Joe Average User. Or so the story goes.
Meanwhile James Mickens delivered a breathtaking keynote at Usenix Security last week. He ranted about the state of mobile security. To illustrate this, he showed how a typical Torch Light application asks for the permission to receive emails and to edit contacts. We kind of got used to this situation. But if we think this through, we end up with a perfectly encrypted communication channel from our secure device to a person that our torch added to the contact list.
We trust our secure messenger and the secure messenger trusts the contact list but the contact list is in the hands of the torch? This is screaming for a fire! There is a trust problem in this architecture and it is obvious that this is an intriguing scene for spear phishing attacks.
Our speaker Jérémy Matos played this through in great detail. He is able to demonstrate how you can use Signal, Telegram and WhatsApp to trick a user into talking to the wrong person. He named the attack “Man in the Contacts” and presented his findings at DefCon in 2016. He thought that the issues would certainly be fixed. But he was wrong. The big players in the field refuse to fix it by shifting the responsibility to the users (probably expecting everybody to memorize the key fingerprints of all their). Meanwhile, the problem persists and spear phishing attacks are on the rise.
Jérémy has therefore teamed with Laureline David to develop a proof of concept app. This comes in the form of a game distributed officially via the Google Play Store. It takes over your contacts and gives an attacker a complete command and control server together with a handy web gui.
So the weakness is now well documented, proven in practice and Jérémy has talked about it at multiple conferences including Area41 this Summer. It is time to take the next step: Given the software won’t be fixed anytime soon, how can you deal with this problem? How can enterprises protect their staff for spear phishing attacks via manipulated contacts? Jérémy is the expert and he is ready to discuss the problem and possible mitigations with you at our conference on October 30.
Jérémy Matos has extensive experience developing secure applications, namely a 2-factor authentication application for mobile use. This gave him a different view on security and threat models in particular. He is now consulting on security and teaches secure application development and blockchain concepts around Geneva. He was an original organizer for the Black Alps conference and we are very happy he finds the time to share his view on Man in the Contacts with us at Swiss Cyber Storm on October 30.
More about Jérémy Matos:
- Twitter @securingapps
- Company Website : SecuringApps.com
- Insomni’hack 2018 video: Abusing Android In-app Billing Feature