Hands-on Penetration Testing of Mobile Devices

Georgia Weidman (Shevirah Inc.) | July 22-23 & July 24-25



Overview

Malicious hackers gain access to corporate networks through end points in the majority of cases. However, user habits are shifting rapidly with over 65% of user time now spent on smartphones and tablets as their primary computing devices. But mobile isn't just another endpoint; its architecture: a combination of consumer, carrier, vendor, and third-party, is wholly unique. It needs to be understood to be exploited.

In this session, students will learn a holistic threat model for mobile, how hackers are specifically exploiting mobile, and then will conduct a series of penetration tests against mobile phones based upon real world attacks. Students will practice attack vectors and learn what payloads provide what data.

Day One: Foundations
  • Background
  • Generalized Mobile Threat Model
  • Specific Mobile Threat Model
  • Countermeasures
  • Real World Attacks

Day Two: Hands-on Labs
  • Phishing
  • Client Side
  • Man-in-the-Middle
  • USB
  • Bluetooth
  • Camera (QR Code)
  • Audio (Voice Assistant)
  • Ad Hoc Networking
  • Mobile Device Management (MDM) APIs
  • Malicious Bootloaders
  • Malicious Drivers
  • Malicious Applications
  • Root Kits and Shells

Who Should Take this Course

Penetration testers, Red Team, Blue Team and security researchers concerned about the unique threats of mobile in the Enterprise.

Student Requirements

  • Penetration Testing Processes understanding
  • Basic Mobile Operating Systems understanding
  • Basic Enterprise Mobile Security architectures understanding

What Students Should Bring

  • Computer capable of running a VMWare virtual machine and Android Emulators
  • At least 40 gigs of free space for virtual machine handouts
  • Android and/or iOS mobile phone for testing

What Students Will Be Provided With

  • Virtual machines with vulnerable programs and tools
  • Additional exercises
  • Exploit Skeletons
  • Lab manual
  • Slides

Trainers

Georgia Weidman is the Founder and CTO of Shevirah Inc. She is a penetration tester, security researcher, speaker, trainer, and author. Ms. Weidman holds a MS in computer science as well as CISSP, CEH, and OSCP certifications. Her work in mobile exploitation has been featured internationally in print and on television. She has presented and trained at venues such as the NSA, West Point, and BlackHat. Her DARPA Cyber Fast Track grant resulted in the release of the Smartphone Pentest Framework(SPF). She founded Shevirah Inc. to commercialize SPF for enterprise customers and is a graduate of the Mach37 accelerator. Georgia is the author of Penetration Testing: A Hands-On Introduction to Hacking from No Starch Press. She was the recipient of the 2015 Women's Society of CyberJutsu Pentest Ninja award.