AppSec Europe 2018 has ended
                                                                                    ***Content is subject to change.***
Back To Schedule
Thursday, July 5 • 11:45am - 12:30pm
Secure Messengers and Man in The Contacts: The Ultimate Spear Phishing Weaponi LIMITED

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Limited Capacity seats available

In 2016, Man in the Contacts attack was published (MitC, https://www.securingapps.com/blog/ManInTheContacts_CYBSEC16.pdf) which consists in taking control of a smartphone's contacts with a legitimate application, then altering contact data to either
- impersonate a specific contact
- attempt to intercept communications by relaying messages through an additional device.
Despite sandboxing on most mobile platforms, contacts are shared between all applications and can be modified by any of them with sufficient permissions.

Building up from what was presented, we built and deployed a fully functional implementation.

Packaged within a game published on Google's Play Store without any validation issues, our MitC implementation allows us to fully control the contacts of the users by listening to our Command and Control server.

Since most modern messaging applications implicitly trust contact data, our implementation becomes a very efficient spear phishing weapon: user receives a message from someone he (thinks he) knows within an end to end encrypted (E2E) channel, so he is really confident. E2E also blinds messaging servers, not able to do anymore content filtering, making it easy to transfer malicious links.

Presentation Outline:
* Wrap up of Man In The Contacts attack
* Feedback from WhatsApp, Telegram and Signal: won't fix
* Implementing Man In The Contacts in practice
- Android game: social version of Rock, Paper, Scissors
- Command And Control server
- Web interface
* The spear phishing use case
* Live demonstration with volunteers from the audience
* Open sourcing the tool
* Possible mitigations 

avatar for Laureline David

Laureline David

Freelance consultant, Self-Employed
Freelance Consultant, HEIG-VD Graduate (Security Engineering)
avatar for Jeremy Matos

Jeremy Matos

Software Security Expert, Securing Apps
Jeremy Matos has been working in building secure software for more than 12 years.With an initial academic background as a developer, he designed and helped implementing a breakthrough mobile two-factor authentication solution. He led code reviews and security validation activities... Read More →

Thursday July 5, 2018 11:45am - 12:30pm BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE