
Mobile Security – Threats and Mitigation April 1, 2014.


1 Mobile Security – Threats and Mitigation April 1, 2014

2 Agenda
Introduction
What Your Phone Knows and What It Shares
The Threats
Mitigating the Risks
Conclusion
Q&A

3 About Your Presenter
Ken Smith, Staff Consultant III, SecureState, Attack & Defense Team
Education/Certifications
– BS, Computer Information Systems
– AA, Arabic Language and Culture
– MA, Security Policy Studies
– Offensive Security Wireless Professional (OSWP)
Areas of Specialization
– Wireless Security, Mobile Devices
– Social Engineering, Physical Security

4 Mobile Technology
Star Trek tricorder realized
– Convenience and services
– Knowledge at your fingertips
– Comes at a price…
By its very use, it opens a hole into our private lives
– Size of the aperture depends largely on the user
– There are steps that can be taken for protection

5 What Your Phone Knows And What It’s Sharing

6 It Knows Too Much!
Important:
– By owning a smartphone, users assume a certain level of risk
– There is no way to mitigate 100% of the risk
Contracted agreement puts your information and data in the hands of third parties

7 Information Up For Grabs
Location Data
– GPS
– Cell Network
– Wi-Fi
– Check-in Apps
Personal Data
– App permissions
– Social Media

8 Location Data
GPS
– Most obvious
– Pretty accurate outdoors, but not so much indoors
– Very useful
  Third-party applications use GPS for correlation
  Sometimes stored locally and accessible
– “Frequent Locations” in iOS 7
– We’ll discuss this later in the presentation

9 Location Data
Cell Network
– Tower triangulation **
– Can be used alongside GPS
– Mandatory use in emergencies
  Law enforcement
  Carriers
– As long as you have a phone, this information is available
  Sometimes legalities or warrants are involved
  Doesn't have to be a smartphone
  Built into cellular technology

10 Location Data: Triangulation

11 Location Data
Wi-Fi
– Carriers collect Wi-Fi network names/BSSIDs and the correlating GPS data
  Fine-tunes location
  Can be used indoors
– Google got in trouble in 2010 for collecting data with their Street View cars
  Decided it was simpler to use mobile devices
  Enormous user base
  Constantly updated
– Apple, Google, and Microsoft now ALL use it

12 Personal Data
App Permissions
– Android
  Always displayed before you download from the Google Play store
  e.g.: “Why does this calorie counter need to access my camera and phone calls?”
– iOS
  A little more secure
  Apps now default to no permissions outside of their sandbox
  e.g.: “This app wants to use your location.”

13 Personal Data
App Permissions
– Windows
  App settings are viewable before install or through “Settings”
  Similar to Android

14 Personal Data
Social Media
– A problem in and of itself
  The success of mobile devices and the global rise of social media are unquestionably intertwined
Outside of the obvious personal data:
– Geo-tagged updates on Facebook and Twitter
– Facebook Graph Search makes hiding online much more difficult
– LinkedIn is open by default
  Useful tool for social engineers
  Site is scraped for names and corporate structure

15 The Threats: Who and What They Are

16 The Threats
Four Major Actors
– Government
– Carriers/Providers
– Hackers
– Thieves
Once again, if you use a mobile device, your data is being stored and tracked

17 Government
Nothing known for sure about collection/exploitation
– Lots of leaks
– Lots of partial information
– Lots of conjecture
Some companies have admitted to cooperation
– You can choose to avoid those services
May be worried about nothing
Companies claiming to protect your rights may not be on the up-and-up
Again, if you're really concerned about it, avoid mobile devices altogether

18 Carriers/Providers
Revenue-driven
– Want to know where you've spent money
– The better targeted the ad, the more likely you'll click
Service-driven
– Collecting Wi-Fi points means more accuracy
– More accuracy might give them an edge in the market
Nothing is collected that isn't already open source
– Just more organized
– We will address this later

19 Hackers – Traditional
Network-based
– Normal web-based rules apply
– Beware public Wi-Fi networks
App security is getting better every day
A lot of unencrypted sensitive traffic is still sent and received
– Major hole in iOS7 < / iOS6 <
– 70% of Android devices in circulation are affected by a known remote code execution vulnerability
Beware QR codes!

20 Hackers – Phishing
Social engineering-based attacks
– Getting people to do things that may not be in their best interests
Many people check email via phones/tablets
– Harder to distinguish a phish from a legitimate message
– Can't "hover" over a link to see where it'll take you
Phishing via SMS
– Very common in Europe and Asia, but the tactic has crossed the pond
– Same basic premise: visit this link "to claim your gift card…”
– Uses shortened URLs for obscurity

21 Hackers – Malicious Applications
Apps get permission to do questionable things
– Access your address book
– Access your location
– Make calls/send SMS
Apple vs. Android
– Less of an issue for Apple
  Stringent requirements to get into the App Store
  Fewer (known) instances
  Doesn't mitigate the risk entirely
– Android is a bigger risk
  Play Store is more open
  Possible to install spoofed apps by mistake
  People don’t always read app permissions or understand them

22 Hackers – Leaky Wi-Fi
Whenever a device's Wi-Fi is enabled, it sends probes for known networks
Possible to build a pattern of life by examining network probes
Powerful when combined with open-source data (Wigle.net)
Snoopy and corporate Wi-Fi
– “Evil Access Point” attack
– Possible to intercept usernames and hashed passwords
– Offline cracking means a hacker can work at his own pace

23 Hackers – Leaky Wi-Fi
Wigle.net
– Open-source tool
– Anyone can contribute
– Downtown Pittsburgh

24 Thieves
Physical access is king
– Much easier to get at sensitive data
– Loosens time constraints
– Less troubleshooting than remotely exploiting

25 Thieves – Authentication Issues
Convenience vs. security
– iPhone PIN codes
– Weak/no password
Custom "lock screens"
– Not all of them actually work
– Lots of them have a work-around or two
Lock screen widgets and messaging
– What can people do from your lock screen?
– Use the camera, toggle connectivity, play music
– Read/send SMS or email, see/return missed calls

26 Thieves – Authentication Issues
Inherent problems
– Auth screen bypasses
  iOS 7 Siri ***
  Chips (iOS) < A5 – root access! ***
  Numerous hardware/software-specific bypasses in Android devices (“device fragmentation”)
– iPhone 5s thumbprint authentication
– Greasy fingers and 9-point swipe authentication

27 Thieves – Authentication Issues: Most Common PIN Codes

28 Thieves – Digital Self
Serious damage to reputation
Traditional communications
– Contact list
– Phone call/SMS history
– Email accounts
Social media profiles
Can lead to the compromise of accounts not already attached to your mobile device
– Password reset or reset functions

29 Thieves – Purchasing Power
Google Play or App Store
Amazon and other shopping apps
Mobile banking

30 Thieves – Misc. Local Data
Photos, notes, schedule/calendar…
Jailbreak/rooting process is trivial (if not already done)
– Root access opens up access to all kinds of app-specific database and plist files
– Usernames & passwords, session IDs, contact info, etc.
– Recent location data can be recovered for building a pattern of life

31 Mitigating the Risk

32 Government, Providers, and Carriers
Only sure-fire way: choose not to use mobile devices
– "Resistance is futile"
– Turn off services when they aren't in use
Use specialized apps to encrypt calls, SMS, and email
– Usually a closed-loop system
– Can be fairly expensive
– Also, not all of them work as advertised
“Pry-Fi” and similar apps
– Designed specifically to screw with Wi-Fi collection databases
– Pebble-in-the-ocean effect
– Usually require root/jailbreak
– Can break the device, require a re-flash

33 Hackers – Network-Based
Avoid public Wi-Fi when possible
– Never bank
– Access email and social media at your own peril
Run a port scan against your device occasionally to look for obvious holes
– ESPECIALLY if you've rooted/jailbroken your device
– Lots of root apps open ports by default
Download Fing
– Free network scanner for iOS/Android
– Direct Fing at your own device
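The self-scan the slide recommends, as an added Python example that is not from the presentation or from Fing: a plain TCP connect scan to run against your own device. The port list is an assumption, and the loopback listener it starts is a constructed stand-in for a root app that opened a port.

```python
# Added example, not from the slides or from Fing: a minimal TCP connect
# scan to point at your own (especially rooted/jailbroken) device and see
# which ports root apps have left open.
import socket

# Assumed list of ports worth checking on a phone; SSH (22) is the one
# jailbreak tools commonly enable.
COMMON_PORTS = {22: "ssh", 23: "telnet", 80: "http", 5555: "adb", 8080: "http-alt"}


def scan_ports(host, ports, timeout=0.5):
    """Try a TCP connect to each port; return {port: True if it accepted}."""
    result = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            result[port] = s.connect_ex((host, port)) == 0
    return result


def report(host, open_map):
    """Human-readable lines for the ports that accepted a connection."""
    return [f"{host}:{port} open ({COMMON_PORTS.get(port, 'unknown service')})"
            for port, is_open in sorted(open_map.items()) if is_open]


def start_fake_listener():
    """Constructed stand-in for a root app that opened a port on the device.
    Returns (listening socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # the OS picks a free port
    srv.listen(5)  # the kernel completes handshakes even without accept()
    return srv, srv.getsockname()[1]


def free_port(avoid=()):
    """Pick a port that is currently closed: bind, read it back, release it."""
    while True:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind(("127.0.0.1", 0))
            port = s.getsockname()[1]
        if port not in avoid:
            return port


if __name__ == "__main__":
    srv, opened = start_fake_listener()
    try:
        ports = list(COMMON_PORTS) + [opened, free_port(avoid=(opened,))]
        for line in report("127.0.0.1", scan_ports("127.0.0.1", ports)):
            print(line)
    finally:
        srv.close()
```

To scan a real device, replace 127.0.0.1 with the phone's address on your home network and drop the fake listener.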

34 Hackers – Phishing
Don't click without thinking!
– Modern phishing
  Fewer spelling and grammatical errors
  Much more timely (e.g.: post-Target-breach emails)
– Applies to emails, phone calls, and SMS
If you're the slightest bit suspicious, contact the sender by some other means and confirm the message's validity
Anything too good to be true probably is
– Watch out for urgency and embarrassment too

35 Hackers – Malicious Apps
ALWAYS check Android app permissions before installing
ALWAYS consider the ramifications of giving iOS apps special permissions
– iOS allows you to fine-tune permissions in Settings
Check the app's developer and make sure it's spelled correctly and matches who it's supposed to be
– A kind of special phishing attack
– Backdoored/cloned apps exist

36 Hackers – Leaky Wi-Fi
Turn off your Wi-Fi when you aren’t using it
Use a generic name for your home network
– Still change it from its default
– Netgear becomes Linksys, Linksys becomes Buffalo, etc.
– Default ESSIDs give away a lot of info to hackers (default username/password, etc.)
Regularly change your network names

37 Thieves
Always keep your device up to date with the latest firmware
Use the passphrase option for lock screens
– No 9-point swipe
– No PIN codes
Enable the 10-attempt wipe on iOS
Enable encryption (iOS and Android both support this, though iOS's is a better setup)

38 Thieves
Avoid rooting/jailbreaking
– Risk of bricking your device is actually fairly low nowadays
  Processes are well documented
  “Click-to-root”
– HOWEVER
  Bad idea to run a normal computer as Admin
  Why risk your mobile device?
– IF you choose to root/jailbreak an iOS device
  ‘root’ & ‘mobile’ password: alpine
  SSH is enabled
Use “Approval” mode for SU in Android

39 Thieves
With iOS, check the system log to see what your sensitive apps (banking, social media...) are saving to the device
– Pro: free download in the App Store (“Xtools”)
– Con: BIG download for a small tool
Run Wireshark on your home network while using sensitive apps
– Pro: identify clear-text protocols
– Con: steep learning curve
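The "identify clear-text protocols" step above, as an added Python example that is not from the presentation: a rough classifier that sorts a phone's outbound flows into TLS, clear-text or unknown by their first payload bytes, and flags clear-text flows that look like they carry credentials. The sample flows are constructed (assumed hostnames, not real traffic) to stand in for a Wireshark capture.

```python
# Added example, not from the slides: rough classification of a phone's
# outbound flows as TLS or clear-text, so the sensitive apps that still send
# unencrypted traffic stand out in a capture.

# Constructed sample flows (dst_port, first client payload bytes) standing in
# for a Wireshark capture of a phone at home; hostnames are assumed.
SAMPLE_FLOWS = [
    (443, bytes.fromhex("16030100a0010000")),                        # TLS ClientHello
    (80, b"GET /login?user=alice&pass=hunter2 HTTP/1.1\r\nHost: bank.example\r\n"),
    (8080, b"POST /api/feed HTTP/1.1\r\nHost: social.example\r\n"),
    (143, b"a001 LOGIN alice hunter2\r\n"),                          # IMAP without STARTTLS
    (5228, b"\x00\x05\x00\x01\x02"),                                  # opaque binary
]

# First-bytes signatures of common clear-text application protocols.
CLEARTEXT_SIGNATURES = {
    b"GET ": "HTTP", b"POST ": "HTTP", b"PUT ": "HTTP", b"HEAD ": "HTTP",
    b"USER ": "FTP/POP3", b"EHLO ": "SMTP", b"HELO ": "SMTP",
}
CREDENTIAL_HINTS = (b"pass", b"pwd", b"login", b"token", b"authorization:")

def is_tls_client_hello(data):
    # TLS record: type 0x16 (handshake), version 0x03xx, then a handshake
    # message whose type byte (offset 5) is 0x01 = ClientHello.
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)

def classify(flow):
    """Return 'tls', 'cleartext:<proto>' or 'unknown' for one (port, bytes) flow."""
    data = flow[1]
    if is_tls_client_hello(data):
        return "tls"
    for sig, name in CLEARTEXT_SIGNATURES.items():
        if data.startswith(sig):
            return f"cleartext:{name}"
    words = data.split(b" ", 2)  # IMAP commands look like "<tag> LOGIN user pass"
    if len(words) >= 2 and words[1].upper() == b"LOGIN":
        return "cleartext:IMAP"
    return "unknown"

def find_credential_leaks(flows):
    """(dst_port, classification) for clear-text flows that look like they carry credentials."""
    leaks = []
    for flow in flows:
        kind = classify(flow)
        if kind.startswith("cleartext") and any(h in flow[1].lower() for h in CREDENTIAL_HINTS):
            leaks.append((flow[0], kind))
    return leaks
```

Against a real capture, feed it the destination port and the first bytes of each TCP stream; anything reported as a leak is an app to stop using on untrusted networks until it is fixed.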

40 Mobile Device Management Solution
Lots of options for MDM
Each comes with benefits and weaknesses
Examples
– MobileIron
  Granular setup
  Known vulnerabilities
– MaaS360
  Robust features for iOS and an intuitive UI
  Lacking in Android and Windows features

41 Mobile Device Management Solution
Excellent site for comparing the biggest-name MDMs

42 Demo Time

43 Root Access on iPhone 4 with iOS 7
SSH ramdisk
– Similar technique to booting a PC from a live disk
– Gives access to the root file system
Process is completely automated
– One simple download
– Quick process

44 iOS 7 Siri Lock Screen Auth Bypass
Interactive demo, since I don’t have an iPhone 4s+
Siri enabled on the lock screen
– Call or FaceTime an unknown contact
– Presents the option for “Other”
Look at contacts and change pictures

45 Conclusion
Progress and convenience come with a risk
There are lots of steps we can take as users and consumers to protect ourselves
From an enterprise standpoint
– Consider an MDM
– Heavy testing up front AND regular testing once implemented
– iOS > Android

46 Thank you for your time!
Q&A: Questions & Answers
