Mobile Security - ISSA: Pittsburgh Chapter

Mobile Security – Threats and Mitigation
April 1, 2014
• Introduction
• What Your Phone Knows and What It Shares
• The Threats
• Mitigating the Risks
• Conclusion
• Q&A
About Your Presenter
• Ken Smith
• Staff Consultant III
• SecureState, Attack & Defense Team
• Education/Certifications
– BS, Computer Information Systems
– AA, Arabic Language and Culture
– MA, Security Policy Studies
– Offensive Security Wireless Professional (OSWP)
• Areas of Specialization
– Wireless Security, Mobile Devices
– Social Engineering, Physical Security
Mobile Technology
• Star Trek tricorder realized
– Convenience and services
– Knowledge at your fingertip
– Comes at a price…
• By its very use, opens a hole into our private lives
– Size of aperture depends largely on the user
– There are steps that can be taken for protection
What Your Phone Knows
And What It’s Sharing
It Knows Too Much!
• Important:
– By owning a smart phone, users assuming a
certain level of risk
– There is no way to mitigate 100% of the risk
• Contracted agreement puts your information and
data in hands of third party(s)
Information Up For Grabs
• Location Data
– Cell Network
– Check-in Apps
• Personal Data
– App-permissions
– Social Media
Location Data
– Most obvious
– Pretty accurate outdoors, but not so much
– Very useful
• Third party applications use GPS for correlation
• Sometimes stored locally and accessible
– “Frequent Locations” in iOS7
– We’ll discuss this later in the presentation
Location Data
• Cell-Network
– Tower Triangulation **
– Can be used alongside GPS
– Mandatory use in emergencies
• Law enforcement
• Carriers
– As long as you have a phone, this
information is available
• Sometimes legalities or warrants involved
• Doesn't have to be a smartphone
• Built into cellular technology
Location Data
• Triangulation
Location Data
• Wi-Fi
– Carriers collect WIFI network names/BSSIDs
and correlating GPS data
• Fine-tune location
• Can be used indoors
– Google got in trouble in 2010 for collecting
data with their StreetView cars
• Decided it was simpler to use mobile devices
• Enormous userbase
• Constantly updated
– Apple, Google, Microsoft now ALL use it
Personal Data
• App Permissions
– Android
• Always displayed before you download from
Google Play store
• ie: “Why does this calorie counter need to
access my camera and phone calls?”
– iOS
• A little more secure
• Apps now default to no permissions outside of
their sandbox
• ie: “This app wants to use your location."
Personal Data
• App Permissions
– Windows
• App settings are viewable before install or
through “Settings”
• Similar to Android
Personal Data
• Social Media
– A problem in and of itself
• The success of mobile devices and global rise
of social media are unquestionably intertwined
• Outside of the obvious personal data
– Geo-tagged updates on Facebook and Twitter
– Facebook Graph search makes hiding online
much more difficult
– LinkedIn open by default
• Useful tool for social engineers
• Site is scraped for names and corporate
The Threats
Who and What They Are
The Threats
• Four Major Actors
– Government
– Carriers/Providers
– Hackers
– Thieves
• Once again, if you use a mobile device, your data is
being stored and tracked
• Nothing known for sure about collection/ exploitation
– Lots of leaks
– Lots of partial information
– Lots of conjecture
• Some companies have admitted to cooperation
– You can choose to avoid those services
• May be worried about nothing
• Companies claiming to protect your rights may
not be on the up-and-up
• Again, if you're really concerned about it, avoid
mobile devices all together
• Revenue-driven
– Want to know where you've spent money
– The better targeted the ad, the more likely you'll
• Service-driven
– Collecting WIFI points means more accuracy
– More accuracy might give them an edge in the
• Nothing that isn't already open-source collected
– Just more organized
– We will address this later
Hackers - Traditional
• Network-Based
– Normal web-based rules apply
– Beware public Wi-Fi networks
• App security is getting better everyday
• A lot of unencrypted sensitive traffic is still sent
and received
– Major hole in iOS7 < 7.0.6 / iOS6 < 6.1.6
– 70% of Android devices in circulation
• Affected by known, remote code execution
• Beware QR Codes!
Hackers - Phishing
• Social Engineering-based attacks
– Getting people to do things that may not be in
their best interests
• Many people check email via phones/tablets
– Harder to distinguish phish from legitimate email
– Can't "hover" over a link to see where it'll take you
• Phishing via SMS
– Very common in Europe and Asia, but the tactic
has crossed the pond
– Same basic premise: visit this link
• "To claim your gift card…”
• Use shrunken URLs for obscurity
Hackers - Malicious Applications
• Apps get permission to do questionable things
– Access your Address Book
– Access your location
– Make calls/Send SMS
• Apple vs. Android
– Less of an issue for Apple
• Stringent requirements to get into app store
• Fewer (known) instances
• Doesn't mitigate risk entirely
– Android is a bigger risk
• Play Store is more open
• Possible to install spoofed apps by mistake
• People don’t always read app permissions or
understand them
Hackers - Leaky Wi-Fi
• Whenever a device's Wi-Fi is enabled, probes are
made for known networks
• Possible to build pattern of life by examining
network probes
• Powerful when combined with open-source data
• Snoopy and Corporate Wi-Fi
– “Evil Access Point” attack
– Possible to intercept usernames and hashed
– Offline cracking means a hacker can work at
his own pace
Hackers - Leaky Wi-Fi
– Open-source tool
– Anyone can contribute
– Downtown Pittsburgh
• Physical Access is King
– Much easier to get at sensitive data
– Loosens time constraints
– Less trouble-shooting than remotely exploiting
Thieves – Authentication Issues
• Convenience vs Security
– iPhone pin codes
– Weak/no-password
• Custom "lock screens"
– Not all of them actually work
– Lots of them have a work-around or two
• Lockscreen Widgets and messaging
– What can people do from your lockscreen?
– Use camera, toggle connectivity, play music
– Read/send SMS or email, see/return missed
Thieves – Authentication Issues
• Inherent Problems
– Auth screen bypasses
• iOS 7 Siri ***
• Chips (iOS) < A5 – root access! ***
• Numerous hardware/software specific in
Android devices (“device fragmentation”)
– iPhone 5s thumb print authentication
– Greasy fingers and 9-point swipe
Thieves – Authentication Issues
• Most Common Pincodes 2013
Thieves - Digital Self
• Serious damage to reputation
• Traditional communications
– Contact list
– Phone call/SMS history
– Email accounts
• Social media profiles
• Can lead to the compromise of accounts not
already attached to your mobile device
– Password reset or email reset functions
Thieves - Purchasing Power
• Google Play or App Store
• Amazon and other shopping apps
• Mobile Banking
Thieves – Misc. Local Data
• Photos, notes, schedule/calendar…
• Jailbreak/rooting process is trivial (if not already
– Root access opens up access to all kinds of appspecific database and plist files
– Usernames & passwords, sessionIDs, contact info,
– Recent location data can be recovered for
building pattern of life
Mitigating the Risk
Government, Providers, and Carriers
• Only sure-fire way: Choose to not use mobile
– "Resistance is futile“
– Turn off services when they aren't in use
• Use specialized apps to encrypt calls, SMS, and email
– Usually a closed-loop system
– Can be fairly expensive
– Also, not all of them work as advertised
• “Pry-Fi” and similar apps
– Designed specifically to screw with WIFI collection
– Pebble in the ocean effect
– Usually require root/jailbreak
– Can break device, require re-flash
Hackers – Network-Based
• Avoid public Wi-Fi when possible
– Never bank
– Access email and social media at your own peril
• Run a port scan against your device occasionally
to look for obvious holes
– ESPECIALLY if you've rooted/jailbroken your
– Lots of root-apps open ports by default
• Download Fing
– Free network-scanner for iOS/Android
– Direct Fing at your own device
Hackers – Phishing
• Don't Click without Thinking!
– Modern phishing
• Fewer spelling and grammatical errors
• Much more timely (ie: Post-Target breach
– Applies to emails, phone calls, and SMS
• If you're the slightest bit suspicious, contact the
sender by some other means and confirm the
message's validity
• Anything too good to be true probably is
– Watch out for urgency and embarrassment too
Hackers – Malicious Apps
• ALWAYS check Android app permissions before
• ALWAYS consider ramifications of giving iOS apps
special permissions
• iOS allows you to fine-tune permissions in settings
• Check app's developer and make sure it's spelled
correctly, matches who it's supposed to be
– A kind of special phishing attack
– Backdoored/cloned apps exist
Hackers – Leaky Wi-Fi
• Turn off your Wi-Fi when you aren’t using it
• Use a generic name for your home network
– Still change it from its default
– Netgear becomes Linksys, Linksys becomes
– Default ESSIDs give away a lot of info to hackers
(default username/password, etc)
• Regularly change your network names
• Always be sure to keep your device up to date
with the latest firmware
• Use passphrase option for lockscreens
– No 9-point swipe
– No PIN codes
• Enable 10-attempt wipe for iOS
• Enable encryption (iOS and Android both support
this, though iOS' is a better setup)
• Avoid rooting/jailbreaking
– Risk of bricking your device is actually fairly low
• Processes are well-documented
• “Click-to-root”
• Bad idea to run normal computer as Admin
• Why risk your mobile device?
– IF you choose to root/jailbreak
• iOS device ‘root’ & ‘mobile’ password: alpine
• ssh-enabled
• Use “Approval” mode for SU in Android
• With iOS, check the System log to see what your
sensitive apps (banking, social media...) are saving
to the device
– Pro: Free download in App Store (“Xtools”)
– Con: BIG download for small tool
• Run Wireshark on your home network while using
sensitive apps
– Pro: Identify clear-text protocols
– Con: Steep learning curve
Mobile Device Management Solution
• Lots of options for MDM
• Each comes with benefits and weaknesses
• Examples
– MobileIron
• Granular setup
• Known vulnerabilities
– Maas360
• Robust features for iOS and intuitive UI
• Lacking in Android and Windows features
Mobile Device Management Solution
• Excellent site for comparing biggest name MDMs
Demo Time
Root Access on iPhone 4 with iOS 7
• SSH ramdisk
– Similar technique to booting PC from livedisk
– Gives access to root file system
• Process is complete automated
– One simple download
– Quick process
iOS 7 Siri Lock Screen Auth Bypass
• Interactive Demo since I don’t have an iPhone 4s+
• Siri Enabled on Lock Screen
– Call or FaceTime unknown Contact
– Presents option for “Other”
• Look at Contacts and Change Pictures
• Progress and convenience come with a risk
• There are lots of steps we can take as users and
consumers to protect ourselves
• From an enterprise standpoint
– Consider an MDM
– Heavy testing up front AND regular testing
once implemented
– iOS > Android
Thank you for your time!

similar documents