Mobile Security – Threats and Mitigation April 1, 2014


Presentation Transcript


  1. Mobile Security – Threats and Mitigation April 1, 2014

  2. Agenda • Introduction • What Your Phone Knows and What It Shares • The Threats • Mitigating the Risks • Conclusion • Q&A

  3. About Your Presenter • Ken Smith • Staff Consultant III • SecureState, Attack & Defense Team • Education/Certifications • BS, Computer Information Systems • AA, Arabic Language and Culture • MA, Security Policy Studies • Offensive Security Wireless Professional (OSWP) • Areas of Specialization • Wireless Security, Mobile Devices • Social Engineering, Physical Security

  4. Mobile Technology • Star Trek tricorder realized • Convenience and services • Knowledge at your fingertips • Comes at a price… • By its very use, opens a hole into our private lives • Size of the aperture depends largely on the user • There are steps that can be taken for protection

  5. What Your Phone Knows And What It’s Sharing

  6. It Knows Too Much! • Important: • By owning a smart phone, users assume a certain level of risk • There is no way to mitigate 100% of the risk • Contracted agreement puts your information and data in the hands of third party(s)

  7. Information Up For Grabs • Location Data • GPS • Cell Network • WIFI • Check-in Apps • Personal Data • App-permissions • Social Media

  8. Location Data • GPS • Most obvious • Pretty accurate outdoors, but not so much indoors • Very useful • Third party applications use GPS for correlation • Sometimes stored locally and accessible • “Frequent Locations” in iOS7 • We’ll discuss this later in the presentation

  9. Location Data • Cell-Network • Tower Triangulation ** • Can be used alongside GPS • Mandatory use in emergencies • Law enforcement • Carriers • As long as you have a phone, this information is available • Sometimes legalities or warrants involved • Doesn't have to be a smartphone • Built into cellular technology

  10. Location Data • Triangulation

  11. Location Data • Wi-Fi • Carriers collect WIFI network names/BSSIDs and correlating GPS data • Fine-tune location • Can be used indoors • Google got in trouble in 2010 for collecting data with their Street View cars • Decided it was simpler to use mobile devices • Enormous userbase • Constantly updated • Apple, Google, Microsoft now ALL use it

  12. Personal Data • App Permissions • Android • Always displayed before you download from Google Play store • i.e.: “Why does this calorie counter need to access my camera and phone calls?” • iOS • A little more secure • Apps now default to no permissions outside of their sandbox • i.e.: “This app wants to use your location.”

  13. Personal Data • App Permissions • Windows • App settings are viewable before install or through “Settings” • Similar to Android

  14. Personal Data • Social Media • A problem in and of itself • The success of mobile devices and global rise of social media are unquestionably intertwined • Outside of the obvious personal data • Geo-tagged updates on Facebook and Twitter • Facebook Graph search makes hiding online much more difficult • LinkedIn open by default • Useful tool for social engineers • Site is scraped for names and corporate structure

  15. The Threats Who and What They Are

  16. The Threats • Four Major Actors • Government • Carriers/Providers • Hackers • Thieves • Once again, if you use a mobile device, your data is being stored and tracked

  17. Government • Nothing known for sure about collection/exploitation • Lots of leaks • Lots of partial information • Lots of conjecture • Some companies have admitted to cooperation • You can choose to avoid those services • May be worried about nothing • Companies claiming to protect your rights may not be on the up-and-up • Again, if you're really concerned about it, avoid mobile devices altogether

  18. Carriers/Providers • Revenue-driven • Want to know where you've spent money • The better targeted the ad, the more likely you'll click • Service-driven • Collecting WIFI points means more accuracy • More accuracy might give them an edge in the market • Nothing that isn't already open-source collected • Just more organized • We will address this later

  19. Hackers - Traditional • Network-Based • Normal web-based rules apply • Beware public Wi-Fi networks • App security is getting better every day • A lot of unencrypted sensitive traffic is still sent and received • Major hole in iOS7 < 7.0.6 / iOS6 < 6.1.6 • 70% of Android devices in circulation • Affected by known, remote code execution vulnerability • Beware QR Codes!

  20. Hackers - Phishing • Social Engineering-based attacks • Getting people to do things that may not be in their best interests • Many people check email via phones/tablets • Harder to distinguish phish from legitimate email • Can't "hover" over a link to see where it'll take you • Phishing via SMS • Very common in Europe and Asia, but the tactic has crossed the pond • Same basic premise: visit this link • "To claim your gift card…” • Use shrunken URLs for obscurity

  21. Hackers - Malicious Applications • Apps get permission to do questionable things • Access your Address Book • Access your location • Make calls/Send SMS • Apple vs. Android • Less of an issue for Apple • Stringent requirements to get into app store • Fewer (known) instances • Doesn't mitigate risk entirely • Android is a bigger risk • Play Store is more open • Possible to install spoofed apps by mistake • People don’t always read app permissions or understand them

  22. Hackers - Leaky Wi-Fi • Whenever a device's Wi-Fi is enabled, probes are made for known networks • Possible to build pattern of life by examining network probes • Powerful when combined with open-source data (Wigle.net) • Snoopy and Corporate Wi-Fi • “Evil Access Point” attack • Possible to intercept usernames and hashed passwords • Offline cracking means a hacker can work at his own pace

  23. Hackers - Leaky Wi-Fi • Wigle.net • Open-source tool • Anyone can contribute • Downtown Pittsburgh

  24. Thieves • Physical Access is King • Much easier to get at sensitive data • Loosens time constraints • Less trouble-shooting than remotely exploiting

  25. Thieves – Authentication Issues • Convenience vs Security • iPhone pin codes • Weak/no-password • Custom "lock screens" • Not all of them actually work • Lots of them have a work-around or two • Lock screen widgets and messaging • What can people do from your lock screen? • Use camera, toggle connectivity, play music • Read/send SMS or email, see/return missed calls

  26. Thieves – Authentication Issues • Inherent Problems • Auth screen bypasses • iOS 7 Siri *** • Chips (iOS) < A5 – root access! *** • Numerous hardware/software specific in Android devices (“device fragmentation”) • iPhone 5s thumb print authentication • Greasy fingers and 9-point swipe authentication

  27. Thieves – Authentication Issues • Most Common Pincodes 2013

  28. Thieves - Digital Self • Serious damage to reputation • Traditional communications • Contact list • Phone call/SMS history • Email accounts • Social media profiles • Can lead to the compromise of accounts not already attached to your mobile device • Password reset or email reset functions

  29. Thieves - Purchasing Power • Google Play or App Store • Amazon and other shopping apps • Mobile Banking

  30. Thieves – Misc. Local Data • Photos, notes, schedule/calendar… • Jailbreak/rooting process is trivial (if not already done) • Root access opens up access to all kinds of app-specific database and plist files • Usernames & passwords, sessionIDs, contact info, etc. • Recent location data can be recovered for building pattern of life

  31. Mitigating the Risk

  32. Government, Providers, and Carriers • Only sure-fire way: Choose to not use mobile devices • "Resistance is futile" • Turn off services when they aren't in use • Use specialized apps to encrypt calls, SMS, and email • Usually a closed-loop system • Can be fairly expensive • Also, not all of them work as advertised • “Pry-Fi” and similar apps • Designed specifically to screw with WIFI collection databases • Pebble in the ocean effect • Usually require root/jailbreak • Can break device, require re-flash

  33. Hackers – Network-Based • Avoid public Wi-Fi when possible • Never bank • Access email and social media at your own peril • Run a port scan against your device occasionally to look for obvious holes • ESPECIALLY if you've rooted/jailbroken your device • Lots of root-apps open ports by default • Download Fing • Free network-scanner for iOS/Android • Direct Fing at your own device

  34. Hackers – Phishing • Don't Click without Thinking! • Modern phishing • Fewer spelling and grammatical errors • Much more timely (i.e.: post-Target-breach emails) • Applies to emails, phone calls, and SMS • If you're the slightest bit suspicious, contact the sender by some other means and confirm the message's validity • Anything too good to be true probably is • Watch out for urgency and embarrassment too

  35. Hackers – Malicious Apps • ALWAYS check Android app permissions before installing • ALWAYS consider the ramifications of giving iOS apps special permissions • iOS allows you to fine-tune permissions in Settings • Check the app's developer and make sure it's spelled correctly and matches who it's supposed to be • A kind of special phishing attack • Backdoored/cloned apps exist
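The permission review that slides 12, 21 and 35 recommend, as an added example (not code from the presentation): it parses the `uses-permission:` lines of `aapt dump badging <apk>` output and groups the sensitive ones by the capability they grant. The package name and the badging output below are constructed, and the aapt line format is an assumption about that tool's output.

```python
"""Review the permissions an Android package requests before installing it."""
import re

# Capabilities the talk warns about: address book, location, calls/SMS,
# plus the camera from the "calorie counter" example.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.WRITE_CONTACTS": "address book",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CALL_PHONE": "phone calls",
    "android.permission.READ_CALL_LOG": "phone calls",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Assumed line shape from `aapt dump badging`: uses-permission: name='...'
PERM_RE = re.compile(r"^uses-permission: name='([^']+)'")

def parse_permissions(badging_output):
    """Return the permission names found in aapt badging output."""
    return [m.group(1) for line in badging_output.splitlines()
            if (m := PERM_RE.match(line.strip()))]

def review(badging_output, expected=()):
    """Map each sensitive permission to its capability, skipping capabilities
    the app's stated purpose legitimately needs (``expected``)."""
    flagged = {}
    for perm in parse_permissions(badging_output):
        cap = SENSITIVE.get(perm)
        if cap and cap not in expected:
            flagged.setdefault(cap, []).append(perm)
    return flagged

# Constructed sample: a "calorie counter" asking for far more than it needs.
SAMPLE = """\
package: name='com.example.caloriecounter' versionCode='3'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""

if __name__ == "__main__":
    for cap, perms in review(SAMPLE).items():
        print(f"Why does a calorie counter need {cap}? ({', '.join(perms)})")
```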

  36. Hackers – Leaky Wi-Fi • Turn off your Wi-Fi when you aren’t using it • Use a generic name for your home network • Still change it from its default • Netgear becomes Linksys, Linksys becomes Buffalo... etc. • Default ESSIDs give away a lot of info to hackers (default username/password, etc.) • Regularly change your network names

  37. Thieves • Always be sure to keep your device up to date with the latest firmware • Use passphrase option for lockscreens • No 9-point swipe • No PIN codes • Enable 10-attempt wipe for iOS • Enable encryption (iOS and Android both support this, though iOS' is a better setup)

  38. Thieves • Avoid rooting/jailbreaking • Risk of bricking your device is actually fairly low nowadays • Processes are well-documented • “Click-to-root” • HOWEVER • Bad idea to run a normal computer as Admin • Why risk your mobile device? • IF you choose to root/jailbreak • iOS device ‘root’ & ‘mobile’ password: alpine • ssh-enabled • Use “Approval” mode for SU in Android

  39. Thieves • With iOS, check the System log to see what your sensitive apps (banking, social media...) are saving to the device • Pro: Free download in App Store (“Xtools”) • Con: BIG download for small tool • Run Wireshark on your home network while using sensitive apps • Pro: Identify clear-text protocols • Con: Steep learning curve
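The "identify clear-text protocols" check from slide 39, as an added example that is not part of the presentation: given the destination port and first client bytes of each TCP flow captured from your own device (data you can export from a Wireshark capture), it names the protocol and reports which clear-text flows carry a password or session secret. The flows, hosts and credentials below are constructed.

```python
"""Flag clear-text protocols, and credentials sent over them, in a capture
taken while using sensitive apps on your own device."""
import re

HTTP_REQ = re.compile(rb"^(GET|POST|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")
IMAP_LOGIN = re.compile(rb"^\S+ LOGIN ", re.IGNORECASE)
CRED_FIELD = re.compile(rb"\b(pass(?:word|wd)?|pwd|token|session(?:id)?)=",
                        re.IGNORECASE)

def classify(port, payload):
    """Name the protocol from the first client bytes, using the port only where
    the opening exchange looks the same (FTP and POP3 both send USER/PASS)."""
    if payload[:2] == b"\x16\x03":
        return "TLS"            # handshake record: content is encrypted after setup
    if HTTP_REQ.match(payload):
        return "HTTP"
    if payload[:5] in (b"USER ", b"PASS ") and port in (21, 110):
        return "FTP" if port == 21 else "POP3"
    if IMAP_LOGIN.match(payload) and port == 143:
        return "IMAP"
    return "unknown"

def carries_credentials(proto, payload):
    """True when this clear-text flow includes a password or session secret."""
    if proto == "HTTP":
        _, _, body = payload.partition(b"\r\n\r\n")
        return bool(CRED_FIELD.search(body))
    if proto in ("FTP", "POP3"):
        return payload.startswith(b"PASS ")
    return proto == "IMAP"  # IMAP LOGIN carries user and password in one line

def audit(flows):
    """Return (port, protocol, credentials_seen) for every clear-text flow."""
    findings = []
    for port, payload in flows:
        proto = classify(port, payload)
        if proto not in ("TLS", "unknown"):
            findings.append((port, proto, carries_credentials(proto, payload)))
    return findings

# Constructed flows: one TLS session, two HTTP requests and a POP3 login.
SAMPLE_FLOWS = [
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    (80, b"POST /api/login HTTP/1.1\r\nHost: bank.example\r\n\r\nuser=ken&password=hunter2"),
    (80, b"GET /feed HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    (110, b"USER ken\r\n"),
    (110, b"PASS hunter2\r\n"),
]

if __name__ == "__main__":
    for port, proto, creds in audit(SAMPLE_FLOWS):
        print(f"port {port}: {proto} in the clear{' WITH CREDENTIALS' if creds else ''}")
```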

  40. Mobile Device Management Solution • Lots of options for MDM • Each comes with benefits and weaknesses • Examples • MobileIron • Granular setup • Known vulnerabilities • Maas360 • Robust features for iOS and intuitive UI • Lacking in Android and Windows features

  41. Mobile Device Management Solution • www.enterpriseios.com/wiki/Comparison_MDM_Providers • Excellent site for comparing biggest name MDMs

  42. Demo Time

  43. Root Access on iPhone 4 with iOS 7 • SSH ramdisk • Similar technique to booting a PC from a live disk • Gives access to root file system • Process is completely automated • One simple download • Quick process

  44. iOS 7 Siri Lock Screen Auth Bypass • Interactive Demo since I don’t have an iPhone 4s+ • Siri Enabled on Lock Screen • Call or FaceTime unknown Contact • Presents option for “Other” • Look at Contacts and Change Pictures

  45. Conclusion • Progress and convenience come with a risk • There are lots of steps we can take as users and consumers to protect ourselves • From an enterprise standpoint • Consider an MDM • Heavy testing up front AND regular testing once implemented • iOS > Android

  46. Q & A • Questions • Answers • Thank you for your time!
