Mobile Security - ISSA: Pittsburgh Chapter


Mobile Security – Threats and Mitigation
April 1, 2014

Agenda

• Introduction
• What Your Phone Knows and What It Shares
• The Threats
• Mitigating the Risks
• Conclusion
• Q&A

About Your Presenter

• Ken Smith
• Staff Consultant III
• SecureState, Attack & Defense Team
• Education/Certifications
  – BS, Computer Information Systems
  – AA, Arabic Language and Culture
  – MA, Security Policy Studies
  – Offensive Security Wireless Professional (OSWP)
• Areas of Specialization
  – Wireless Security, Mobile Devices
  – Social Engineering, Physical Security

Mobile Technology

• Star Trek tricorder realized
  – Convenience and services
  – Knowledge at your fingertips
  – Comes at a price…
• By its very use, opens a hole into our private lives
  – Size of the aperture depends largely on the user
  – There are steps that can be taken for protection

What Your Phone Knows, and What It’s Sharing

It Knows Too Much!

• Important:
  – By owning a smart phone, users are assuming a certain level of risk
  – There is no way to mitigate 100% of the risk
• Contracted agreement puts your information and data in the hands of third party(s)

Information Up For Grabs

• Location Data
  – GPS
  – Cell Network
  – WIFI
  – Check-in Apps
• Personal Data
  – App permissions
  – Social Media

Location Data

• GPS
  – Most obvious
  – Pretty accurate outdoors, but not so much indoors
  – Very useful
    • Third party applications use GPS for correlation
    • Sometimes stored locally and accessible
      – “Frequent Locations” in iOS7
      – We’ll discuss this later in the presentation

Location Data

• Cell-Network
  – Tower Triangulation **
  – Can be used alongside GPS
  – Mandatory use in emergencies
    • Law enforcement
    • Carriers
  – As long as you have a phone, this information is available
    • Sometimes legalities or warrants involved
    • Doesn't have to be a smartphone
    • Built into cellular technology

Location Data

• Triangulation (diagram)

Location Data

• Wi-Fi
  – Carriers collect WIFI network names/BSSIDs and correlating GPS data
    • Fine-tune location
    • Can be used indoors
  – Google got in trouble in 2010 for collecting data with their StreetView cars
    • Decided it was simpler to use mobile devices
    • Enormous userbase
    • Constantly updated
  – Apple, Google, Microsoft now ALL use it

Personal Data

• App Permissions
  – Android
    • Always displayed before you download from the Google Play store
    • ie: “Why does this calorie counter need to access my camera and phone calls?”
  – iOS
    • A little more secure
    • Apps now default to no permissions outside of their sandbox
    • ie: “This app wants to use your location."

Personal Data

• App Permissions
  – Windows
    • App settings are viewable before install or through “Settings”
    • Similar to Android

Personal Data

• Social Media
  – A problem in and of itself
    • The success of mobile devices and the global rise of social media are unquestionably intertwined
    • Outside of the obvious personal data
  – Geo-tagged updates on Facebook and Twitter
  – Facebook Graph search makes hiding online much more difficult
  – LinkedIn open by default
    • Useful tool for social engineers
    • Site is scraped for names and corporate structure

The Threats: Who and What They Are

The Threats

• Four Major Actors
  – Government
  – Carriers/Providers
  – Hackers
  – Thieves
• Once again, if you use a mobile device, your data is being stored and tracked

Government

• Nothing known for sure about collection/exploitation
  – Lots of leaks
  – Lots of partial information
  – Lots of conjecture
• Some companies have admitted to cooperation
  – You can choose to avoid those services
    • May be worried about nothing
    • Companies claiming to protect your rights may not be on the up-and-up
• Again, if you're really concerned about it, avoid mobile devices altogether

Carriers/Providers

• Revenue-driven
  – Want to know where you've spent money
  – The better targeted the ad, the more likely you'll click
• Service-driven
  – Collecting WIFI points means more accuracy
  – More accuracy might give them an edge in the market
• Nothing that isn't already open-source collected
  – Just more organized
  – We will address this later

Hackers - Traditional

• Network-Based
  – Normal web-based rules apply
  – Beware public Wi-Fi networks
    • App security is getting better every day
    • A lot of unencrypted sensitive traffic is still sent and received
  – Major hole in iOS7 < 7.0.6 / iOS6 < 6.1.6
  – 70% of Android devices in circulation
    • Affected by a known remote code execution vulnerability
    • Beware QR Codes!

Hackers - Phishing

• Social Engineering-based attacks
  – Getting people to do things that may not be in their best interests
• Many people check email via phones/tablets
  – Harder to distinguish phish from legitimate email
  – Can't "hover" over a link to see where it'll take you
• Phishing via SMS
  – Very common in Europe and Asia, but the tactic has crossed the pond
  – Same basic premise: visit this link
    • "To claim your gift card…”
    • Use shrunken URLs for obscurity

Hackers - Malicious Applications

• Apps get permission to do questionable things
  – Access your Address Book
  – Access your location
  – Make calls/Send SMS
• Apple vs. Android
  – Less of an issue for Apple
    • Stringent requirements to get into the app store
    • Fewer (known) instances
    • Doesn't mitigate risk entirely
  – Android is a bigger risk
    • Play Store is more open
    • Possible to install spoofed apps by mistake
    • People don’t always read app permissions or understand them

Hackers - Leaky Wi-Fi

• Whenever a device's Wi-Fi is enabled, probes are made for known networks
• Possible to build a pattern of life by examining network probes
• Powerful when combined with open-source data (Wigle.net)
• Snoopy and Corporate Wi-Fi
  – “Evil Access Point” attack
  – Possible to intercept usernames and hashed passwords
  – Offline cracking means a hacker can work at his own pace

Hackers - Leaky Wi-Fi

• Wigle.net
  – Open-source tool
  – Anyone can contribute
  – Downtown Pittsburgh (map)

Thieves

• Physical Access is King
  – Much easier to get at sensitive data
  – Loosens time constraints
  – Less trouble-shooting than remotely exploiting

Thieves – Authentication Issues

• Convenience vs Security
  – iPhone pin codes
  – Weak/no-password
• Custom "lock screens"
  – Not all of them actually work
  – Lots of them have a work-around or two
• Lockscreen Widgets and messaging
  – What can people do from your lockscreen?
  – Use camera, toggle connectivity, play music
  – Read/send SMS or email, see/return missed calls

Thieves – Authentication Issues

• Inherent Problems
  – Auth screen bypasses
    • iOS 7 Siri ***
  – Chips (iOS) < A5 – root access! ***
  – Numerous hardware/software-specific issues in Android devices (“device fragmentation”)
• iPhone 5s thumb print authentication
• Greasy fingers and 9-point swipe authentication

Thieves – Authentication Issues

• Most Common Pincodes 2013 (chart)

Thieves - Digital Self

• Serious damage to reputation
• Traditional communications
  – Contact list
  – Phone call/SMS history
  – Email accounts
• Social media profiles
• Can lead to the compromise of accounts not already attached to your mobile device
  – Password reset or email reset functions

Thieves - Purchasing Power

• Google Play or App Store
• Amazon and other shopping apps
• Mobile Banking

Thieves – Misc. Local Data

• Photos, notes, schedule/calendar…
• Jailbreak/rooting process is trivial (if not already done)
  – Root access opens up access to all kinds of app-specific database and plist files
  – Usernames & passwords, session IDs, contact info, etc.
  – Recent location data can be recovered for building a pattern of life

Mitigating the Risk

Government, Providers, and Carriers

• Only sure-fire way: Choose to not use mobile devices
  – "Resistance is futile“
  – Turn off services when they aren't in use
• Use specialized apps to encrypt calls, SMS, and email
  – Usually a closed-loop system
  – Can be fairly expensive
  – Also, not all of them work as advertised
• “Pry-Fi” and similar apps
  – Designed specifically to screw with WIFI collection databases
  – Pebble in the ocean effect
  – Usually require root/jailbreak
  – Can break device, require re-flash

Hackers – Network-Based

• Avoid public Wi-Fi when possible
  – Never bank
  – Access email and social media at your own peril
• Run a port scan against your device occasionally to look for obvious holes
  – ESPECIALLY if you've rooted/jailbroken your device
  – Lots of root-apps open ports by default
• Download Fing
  – Free network scanner for iOS/Android
  – Direct Fing at your own device

Hackers – Phishing

• Don't Click without Thinking!
  – Modern phishing
    • Fewer spelling and grammatical errors
    • Much more timely (ie: post-Target-breach emails)
  – Applies to emails, phone calls, and SMS
• If you're the slightest bit suspicious, contact the sender by some other means and confirm the message's validity
• Anything too good to be true probably is
  – Watch out for urgency and embarrassment too
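Two of the SMS-phishing cues raised in the "Hackers - Phishing" slides, shortened URLs that hide the destination and urgency lures such as "claim your gift card", can be checked mechanically. The script below is an added example, not material from the talk; the sample messages, the shortener list and the lure phrases are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for the example (not taken from the talk).
SAMPLE_SMS = [
    "Congratulations! To claim your $500 gift card visit http://bit.ly/gc2014 within 24 hours",
    "Your bank account has been suspended. Verify now at http://192.0.2.10/login",
    "Dinner at 7? I'll be at the usual place.",
    "Your statement is ready at https://www.example-bank.com/statements",
]

# Assumed lists for the example; a real deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
LURE_PHRASES = {"claim", "gift card", "prize", "winner", "suspended",
                "verify now", "within 24 hours", "immediately"}

# Matches http(s) URLs and bare "host.tld/path" links as they appear in SMS text.
URL_RE = re.compile(r"https?://\S+|\b[a-z0-9.-]+\.[a-z]{2,}/\S*", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def score_sms(text):
    """Return the list of phishing cues found in one message (empty if none)."""
    reasons = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,!?)")
        if "://" not in url:
            url = "http://" + url  # urlparse needs a scheme to find the host
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            reasons.append(f"shortened URL hides destination ({host})")
        elif IPV4_RE.fullmatch(host):
            reasons.append(f"link to raw IP address ({host})")
    lowered = text.lower()
    hits = sorted(p for p in LURE_PHRASES if p in lowered)
    if hits:
        reasons.append("urgency/lure wording: " + ", ".join(hits))
    return reasons


def flag_suspicious(messages):
    """Return (message, reasons) for every message that shows at least one cue."""
    return [(m, score_sms(m)) for m in messages if score_sms(m)]


if __name__ == "__main__":
    for msg, why in flag_suspicious(SAMPLE_SMS):
        print(f"SUSPICIOUS: {msg!r}\n  -> {'; '.join(why)}")
```

A hit is a reason to confirm the message through another channel, as the slide advises, not proof of phishing; a clean result is not proof of safety either.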

Hackers – Malicious Apps

• ALWAYS check Android app permissions before installing
• ALWAYS consider the ramifications of giving iOS apps special permissions
• iOS allows you to fine-tune permissions in settings
• Check the app's developer and make sure it's spelled correctly and matches who it's supposed to be
  – A kind of special phishing attack
  – Backdoored/cloned apps exist

Hackers – Leaky Wi-Fi

• Turn off your Wi-Fi when you aren’t using it
• Use a generic name for your home network
  – Still change it from its default
  – Netgear becomes Linksys, Linksys becomes Buffalo... etc.
  – Default ESSIDs give away a lot of info to hackers (default username/password, etc.)
• Regularly change your network names

Thieves

• Always be sure to keep your device up to date with the latest firmware
• Use the passphrase option for lockscreens
  – No 9-point swipe
  – No PIN codes
• Enable 10-attempt wipe for iOS
• Enable encryption (iOS and Android both support this, though iOS' is a better setup)

Thieves

• Avoid rooting/jailbreaking
  – Risk of bricking your device is actually fairly low nowadays
    • Processes are well-documented
    • “Click-to-root”
  – HOWEVER
    • Bad idea to run a normal computer as Admin
    • Why risk your mobile device?
• IF you choose to root/jailbreak
  – iOS device ‘root’ & ‘mobile’ password: alpine
    • ssh-enabled
  – Use “Approval” mode for SU in Android

Thieves

• With iOS, check the System log to see what your sensitive apps (banking, social media...) are saving to the device
  – Pro: Free download in App Store (“Xtools”)
  – Con: BIG download for a small tool
• Run Wireshark on your home network while using sensitive apps
  – Pro: Identify clear-text protocols
  – Con: Steep learning curve

Mobile Device Management Solution

• Lots of options for MDM
• Each comes with benefits and weaknesses
• Examples
  – MobileIron
    • Granular setup
    • Known vulnerabilities
  – Maas360
    • Robust features for iOS and intuitive UI
    • Lacking in Android and Windows features

Mobile Device Management Solution

• www.enterpriseios.com/wiki/Comparison_MDM_Providers
  – Excellent site for comparing the biggest-name MDMs

Demo Time

Root Access on iPhone 4 with iOS 7

• SSH ramdisk
  – Similar technique to booting a PC from a live disk
  – Gives access to the root file system
• Process is completely automated
  – One simple download
  – Quick process

iOS 7 Siri Lock Screen Auth Bypass

• Interactive demo since I don’t have an iPhone 4s+
• Siri enabled on the lock screen
  – Call or FaceTime unknown contact
  – Presents option for “Other”
    • Look at Contacts and change pictures

Conclusion

• Progress and convenience come with a risk
• There are lots of steps we can take as users and consumers to protect ourselves
• From an enterprise standpoint
  – Consider an MDM
  – Heavy testing up front AND regular testing once implemented
  – iOS > Android

Thank you for your time!

Questions & Answers