Dec 05 2012
 

Following up on my SANS 575: Mobile Device Ethical Hacking course review, below is my take on the current state of mobile device security.

First, let me define what I mean by mobile devices: smartphones and tablets, not laptops. Although laptops are “mobile”, the level of security available to them is more mature and not in scope for this article.

Then, let’s dive into the past and where mobile device security fits.
Right from the start, when computers were first used and interconnected, security has always been the last “add-on” and security professionals have had to play catch-up. This was true with intranets, where poor or absent defences meant companies often relied heavily on physical security, i.e. no hackers would be allowed within the premises to connect their portable desktops. The realisation that staff could also be hackers, and the arrival of laptops, meant better IT access controls were put in place.
When the Internet started to pop up in every house and sometimes under office desks, companies soon realised they had to connect their corporate networks to the Internet and leverage that powerful communication revolution. But again, the rush and the immaturity of security technology meant this was often done with the wrong or misconfigured controls in place. Security controls were configured, updated and monitored in a reactive mode rather than being carefully planned, implemented, budgeted and cared for.
Then WIFI/wireless technology started it all over again: WIFI hotspots started to pop up everywhere, uncontrolled, misunderstood and misconfigured. Even now, many companies are still trying to improve the security of their WIFI offering or are just running an insecure wireless infrastructure.

Today, we are seeing a similar trend to the consumer market, where companies are made to consume technology faster than they can digest it.
This is driven both by the consumerization of the work assets and by the promise of new technologies giving companies an edge.

The use of smartphones and tablets is being force-fed onto most companies. Forced, because this computing technology is no longer exclusive to the working environment: we are using it at home and have expectations. And also because previous technology advances allowed for remote working, and those mobile devices just leverage what is already there!

But history is repeating itself, and to use some famous Daft Punk lyrics, it is doing it “Harder, Faster, Stronger”… but not “Better”!

1. Harder:
The impact is harder.
All corporate data, from chat logs to financial market models, is now digitised and accessible somehow from the Internet, through VPNs, bastion hosts or web portals. Computer systems are now critical to companies: if they become unavailable, compromised or corrupted, this would severely impact employees’ ability to work.

2. Faster:
This is happening faster.
2G yesterday, 3G today, 4G/NFC tomorrow. All with their own weaknesses and vulnerabilities.
Every year sees new mobile device architectures. They are not just iterative updates; they often introduce new hardware and new firmware with new functions. This is true from the supporting mobile network infrastructure down to the handsets themselves. Take iOS 6.0 for example: it allegedly fixed about 200 security issues but also introduced hundreds of new features! Not only could those new features have introduced new security vulnerabilities, but it also means that previous hardware that cannot upgrade to 6.0 is vulnerable to 200 security issues.
Other manufacturers are no better, with some Android phones having a shelf-life of just 6 months in terms of updates!

3. Stronger:
The drive is stronger.
As mentioned earlier, the use of smartphones and tablets is being force-fed onto most companies.
This pressure to use new technology at work comes not only from the base but also from the top of most organisations, which makes matters worse. It usually means it has to happen yesterday, and to happen anyway, with very little time for careful planning, design and implementation. In fact, most of the time, by the time security teams start to get involved it has already happened!

There are 3 ways for a technology to be securely implemented, all complementary to each other:
- The best is for it to be secure by design;
- A good approach is to take the time to review and understand it before designing its implementation through pilots and testing;
- The minimum is to review its implementation security through pen testing, ongoing monitoring and the all-important care and feeding (updates, roadmaps, etc).

When it comes to mobile device security, this is a very new and immature area. My advice is to act NOW and start setting up your mobile device security task force if you don’t want to play catch-up for years to come:
- Communicating with and educating your users about the risks associated with the use of mobile devices is a low-cost, light and fast way to improve their awareness and behaviours.
- Implementing a Mobile Device Management (MDM) solution is a must to gain some control over what corporate data is accessed from mobile devices, and how. At the very least it gives you a framework to move forward from.
- Having an internal apps review capability will allow guidelines to be provided on how corporate data should be accessed and stored on such devices, and it will help drive security by design. Also, being able to assess apps’ security before they are published will give extra assurance that those guidelines were indeed understood and followed.
- Having a 3rd-party apps review capability will allow you to assess the most commonly used apps, or those 3rd-party apps used to access corporate data. This will help limit the risk of data leakage or malware attacks.
- Monitoring your network and infrastructure for specific mobile malware activity will help detect any ongoing attacks against your users’ mobile devices.

The point is that mobile device security is an area that must be taken very seriously; it should not and does not stop with MDM.

Dec 04 2012
 

In the last two years I have been to a few SANS training courses:

508: Advanced Forensic
617: Wireless Ethical Hacking
660: Advance PenTest

Last week I attended the SANS 575: Mobile Ethical Hacking course. It is a nice complement to the 617 Wireless course and, although there are some overlaps, especially around WIFI attack vectors, most of the content is different; and when it is not, you get another perspective on those attacks.

The course gave an overview of the different architectures surrounding the Android, iOS, Blackberry and Windows Mobile phones, how system and app updates are handled, how certificates are managed, and attack techniques against mobile app communications as well as against the app code itself by leveraging jailbreaking.
As with most SANS courses, your day is not limited to a 9 to 5 schedule, and if you want to make the most of it you will end up attending after-class presentations or the Netwars hacking contest during the last 2 evenings. Although this means you are most likely to finish your day at around 10pm, you also end up learning a lot more than what is taught in your course alone.
Finally, on the last day there is a Capture The Flag event in your class where you compete against your fellow students in teams of 3 or 4. It is a great way to apply all that you learnt during the week. It is very similar to Netwars but tailored to the topics you have just been studying.

Below are my key takeaways from that course:
1. History keeps repeating itself.
I will go into more detail in a future post, but all the security issues we had when the Internet first appeared in the corporate world, and then with WIFI networks, are just repeating themselves with the use of mobile devices. Examples?
Mobile devices are more and more like computers, yet we tend to use only simple and short passwords to protect access to them, and there are no antivirus or firewalls on most platforms.
What drives mobile devices’ roadmaps is the user experience rather than security.

2. Jailbreaking as a security tool
Jailbreaking a phone can be very useful, and sometimes the only way, to really understand what data an application is accessing and sending.

3. MDM alone is not enough
MDM is just one component of what a mobile device strategy should be. Reviewing the security of apps being developed internally, as well as the most commonly used 3rd-party ones, should be core to that strategy. Failing to do so equates to having an open desktop policy where users can install any applications they want, with no firewall/anti-virus.

4. Apps manipulation through HTTP intercept
The majority of mobile device applications use HTTP as their communication transport protocol.
This often compromises the security model implemented in their desktop/web portal counterparts.
Users often wrongly assume that an application is secure, because there are no visible signs as to how secure its communication is.
An example studied in class showed how easy it is to manipulate stock option prices in the built-in iOS Stocks app.
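
One check an app review can run on captured traffic, as an added example that is not from the original post or the course: list which apps talk plain HTTP and which sensitive-looking parameters they send that way. The capture format, app names, hosts and parameter list are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample: tab-separated "app, method, URL" lines such as a review
# proxy might export. App names and hosts are made up for this example.
CAPTURE = """\
com.example.stocks\tGET\thttp://quotes.example.net/v1/quote?symbol=ACME
com.example.stocks\tGET\thttps://auth.example.net/login?user=alice
com.example.notes\tPOST\thttp://sync.example.org/upload?token=abc123&doc=7
com.example.notes\tGET\thttps://sync.example.org/list
com.example.bank\tGET\thttps://api.example.com/balance
"""

# Hypothetical list of parameter names a reviewer treats as sensitive.
SENSITIVE_PARAMS = {"token", "password", "passwd", "session", "auth", "apikey"}


def review_capture(text):
    """Return {app: {"cleartext_hosts": set, "exposed_params": set}} for apps using plain HTTP."""
    findings = defaultdict(lambda: {"cleartext_hosts": set(), "exposed_params": set()})
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip malformed lines rather than guess at their meaning
        app, _method, url = parts
        u = urlsplit(url)
        if u.scheme.lower() != "http":
            continue  # HTTPS requests are out of scope for this check
        entry = findings[app]
        entry["cleartext_hosts"].add(u.hostname)
        # Anything sent over plain HTTP can be read or altered in transit.
        for name in parse_qs(u.query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                entry["exposed_params"].add(name)
    return dict(findings)


if __name__ == "__main__":
    for app, f in sorted(review_capture(CAPTURE).items()):
        print(app, sorted(f["cleartext_hosts"]), sorted(f["exposed_params"]))
```
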

5. A 4-digit PIN on iOS is bad, very bad.
I was amazed at how little time it takes to crack a 4-digit PIN protected iPhone (up to iPhone 4) and iPad (up to iPad 2).
In class we looked at how one needs just 15 minutes to take a locked iOS device, jailbreak it in memory, crack the PIN, dump all data and reboot the iDevice, and the owner would never know you have just stolen all their data.
Although this is not currently possible on iPhone 4s+ and iPad 3+, this could change if new jailbreaking methods are found.
You would also be amazed at all the potentially sensitive information that is available in clear text, from WIFI to email passwords.
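
The added example below (not from the original post or the course) works out how passcode length and character set change the worst-case guessing time, which is the number to look at when setting an MDM passcode policy. It assumes about 80 ms per on-device guess, the figure Apple has published for its passcode key derivation, and no lock-screen attempt limits, as in the scenario above; the function names are illustrative.

```python
# Assumption (not from the post): about 80 ms per on-device passcode guess,
# the calibration figure Apple has published for iOS passcode key derivation.
# Lock-screen attempt limits are assumed not to apply, as in the scenario above.
SECONDS_PER_GUESS = 0.08
YEAR = 365.25 * 86400

CHARSETS = {"digits": 10, "lower+digits": 36, "mixed+digits": 62}


def worst_case_seconds(charset, length, per_guess=SECONDS_PER_GUESS):
    """Time to try every passcode of exactly `length` symbols."""
    return CHARSETS[charset] ** length * per_guess


def min_length_for(charset, target_seconds, per_guess=SECONDS_PER_GUESS):
    """Shortest length whose full keyspace takes at least target_seconds to try."""
    guesses_needed = target_seconds / per_guess
    length = 1
    while CHARSETS[charset] ** length < guesses_needed:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    policies = [("digits", 4), ("digits", 6), ("digits", 8),
                ("lower+digits", 6), ("mixed+digits", 8)]
    for charset, length in policies:
        print(f"{charset:>13} x{length}: {humanize(worst_case_seconds(charset, length))}")
    for charset in CHARSETS:
        print(f"{charset}: {min_length_for(charset, YEAR)}+ symbols to exceed one year")
```
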

6. Certificate (mis) management
HTTPS certificates are currently very poorly managed on mobile devices, and if a user is subjected to an HTTPS man-in-the-middle attack, the warning signs (if any!) could be at best confusing and at worst misleading! (i.e. hackers can pretend their certificate is from a valid and known CA).

7. Device Emulators, Developer Programs and Mobile Lab
Device emulators, although not as good as the real handsets, are very useful for security assessments.
Being part of the major vendors’ developer programs does not cost much money and gives you access to exclusive tools and upcoming beta versions.
Lastly, having some kind of mobile device lab is useful for your security assessments, and combining real handsets with emulators should be relatively cheap to set up whilst still giving you enough handset coverage.

What this course has highlighted is how immature the security around Mobile Devices is, and that securing mobile devices in a corporate environment does not stop with MDM.

A very good course I would recommend to anyone involved with mobile device security; it will be an eye-opener!