Mobile Security – Threats and Mitigation
April 1, 2014

Agenda
• Introduction
• What Your Phone Knows and What It Shares
• The Threats
• Mitigating the Risks
• Conclusion
• Q&A

About Your Presenter
• Ken Smith
• Staff Consultant III
• SecureState, Attack & Defense Team
• Education/Certifications
  – BS, Computer Information Systems
  – AA, Arabic Language and Culture
  – MA, Security Policy Studies
  – Offensive Security Wireless Professional (OSWP)
• Areas of Specialization
  – Wireless Security, Mobile Devices
  – Social Engineering, Physical Security

Mobile Technology
• Star Trek tricorder realized
  – Convenience and services
  – Knowledge at your fingertips
  – Comes at a price…
• By its very use, opens a hole into our private lives
  – Size of the aperture depends largely on the user
  – There are steps that can be taken for protection

What Your Phone Knows And What It’s Sharing

It Knows Too Much!
• Important:
  – By owning a smartphone, users assume a certain level of risk
  – There is no way to mitigate 100% of the risk
• Contracted agreement puts your information and data in the hands of third parties

Information Up For Grabs
• Location Data
  – GPS
  – Cell Network
  – Wi-Fi
  – Check-in Apps
• Personal Data
  – App permissions
  – Social Media

Location Data
• GPS
  – Most obvious
  – Pretty accurate outdoors, but not so much indoors
  – Very useful
• Third-party applications use GPS for correlation
• Sometimes stored locally and accessible
  – “Frequent Locations” in iOS 7
  – We’ll discuss this later in the presentation

Location Data
• Cell Network
  – Tower triangulation **
  – Can be used alongside GPS
  – Mandatory use in emergencies
    • Law enforcement
    • Carriers
  – As long as you have a phone, this information is available
    • Sometimes legalities or warrants involved
    • Doesn't have to be a smartphone
    • Built into cellular technology

Location Data
• Triangulation (diagram)

Location Data
• Wi-Fi
  – Carriers collect Wi-Fi network names/BSSIDs and correlating GPS data
    • Fine-tune location
    • Can be used indoors
  – Google got in trouble in 2010 for collecting data with their Street View cars
    • Decided it was simpler to use mobile devices
    • Enormous user base
    • Constantly updated
  – Apple, Google, Microsoft now ALL use it

Personal Data
• App Permissions
  – Android
    • Always displayed before you download from the Google Play store
    • e.g. “Why does this calorie counter need to access my camera and phone calls?”
  – iOS
    • A little more secure
    • Apps now default to no permissions outside of their sandbox
    • e.g. “This app wants to use your location.”

Personal Data
• App Permissions
  – Windows
    • App settings are viewable before install or through “Settings”
    • Similar to Android

Personal Data
• Social Media
  – A problem in and of itself
    • The success of mobile devices and the global rise of social media are unquestionably intertwined
  – Outside of the obvious personal data
    • Geo-tagged updates on Facebook and Twitter
    • Facebook Graph Search makes hiding online much more difficult
    • LinkedIn open by default
    • Useful tool for social engineers
    • Site is scraped for names and corporate structure

The Threats: Who and What They Are

The Threats
• Four Major Actors
  – Government
  – Carriers/Providers
  – Hackers
  – Thieves
• Once again, if you use a mobile device, your data is being stored and tracked

Government
• Nothing known for sure about collection/exploitation
  – Lots of leaks
  – Lots of partial information
  – Lots of conjecture
• Some companies have admitted to cooperation
  – You can choose to avoid those services
• May be worried about nothing
• Companies claiming to protect your rights may not be on the up-and-up
• Again, if you're really concerned about it, avoid mobile devices altogether

Carriers/Providers
• Revenue-driven
  – Want to know where you've spent money
  – The better targeted the ad, the more likely you'll click
• Service-driven
  – Collecting Wi-Fi points means more accuracy
  – More accuracy might give them an edge in the market
• Nothing collected that isn't already open source
  – Just more organized
  – We will address this later

Hackers – Traditional
• Network-Based
  – Normal web-based rules apply
  – Beware public Wi-Fi networks
    • App security is getting better every day
    • A lot of unencrypted sensitive traffic is still sent and received
  – Major hole in iOS 7 < 7.0.6 / iOS 6 < 6.1.6
  – 70% of Android devices in circulation
    • Affected by a known remote code execution vulnerability
  – Beware QR codes!

Hackers – Phishing
• Social-engineering-based attacks
  – Getting people to do things that may not be in their best interests
• Many people check email via phones/tablets
  – Harder to distinguish a phish from legitimate email
  – Can't "hover" over a link to see where it'll take you
• Phishing via SMS
  – Very common in Europe and Asia, but the tactic has crossed the pond
  – Same basic premise: visit this link
    • "To claim your gift card…”
    • Use shortened URLs for obscurity

Hackers – Malicious Applications
• Apps get permission to do questionable things
  – Access your address book
  – Access your location
  – Make calls/send SMS
• Apple vs. Android
  – Less of an issue for Apple
    • Stringent requirements to get into the App Store
    • Fewer (known) instances
    • Doesn't mitigate risk entirely
  – Android is a bigger risk
    • Play Store is more open
    • Possible to install spoofed apps by mistake
    • People don’t always read app permissions or understand them

Hackers – Leaky Wi-Fi
• Whenever a device's Wi-Fi is enabled, probes are made for known networks
• Possible to build a pattern of life by examining network probes
• Powerful when combined with open-source data (Wigle.net)
• Snoopy and Corporate Wi-Fi
  – “Evil Access Point” attack
  – Possible to intercept usernames and hashed passwords
  – Offline cracking means a hacker can work at his own pace

Hackers – Leaky Wi-Fi
• Wigle.net
  – Open-source tool
  – Anyone can contribute
  – Downtown Pittsburgh (map)

Thieves
• Physical Access is King
  – Much easier to get at sensitive data
  – Loosens time constraints
  – Less troubleshooting than remotely exploiting

Thieves – Authentication Issues
• Convenience vs. Security
  – iPhone PIN codes
  – Weak/no password
• Custom "lock screens"
  – Not all of them actually work
  – Lots of them have a work-around or two
• Lockscreen widgets and messaging
  – What can people do from your lockscreen?
  – Use camera, toggle connectivity, play music
  – Read/send SMS or email, see/return missed calls

Thieves – Authentication Issues
• Inherent Problems
  – Auth screen bypasses
    • iOS 7 Siri ***
    • Chips (iOS) < A5 – root access! ***
    • Numerous hardware/software-specific ones in Android devices (“device fragmentation”)
  – iPhone 5s thumbprint authentication
  – Greasy fingers and 9-point swipe authentication

Thieves – Authentication Issues
• Most Common PIN Codes 2013 (chart)

Thieves – Digital Self
• Serious damage to reputation
• Traditional communications
  – Contact list
  – Phone call/SMS history
  – Email accounts
• Social media profiles
• Can lead to the compromise of accounts not already attached to your mobile device
  – Password reset or email reset functions

Thieves – Purchasing Power
• Google Play or App Store
• Amazon and other shopping apps
• Mobile banking

Thieves – Misc. Local Data
• Photos, notes, schedule/calendar…
• Jailbreak/rooting process is trivial (if not already done)
  – Root access opens up access to all kinds of app-specific database and plist files
  – Usernames & passwords, session IDs, contact info, etc.
  – Recent location data can be recovered for building a pattern of life

Mitigating the Risk

Government, Providers, and Carriers
• Only sure-fire way: choose not to use mobile devices
  – "Resistance is futile"
  – Turn off services when they aren't in use
• Use specialized apps to encrypt calls, SMS, and email
  – Usually a closed-loop system
  – Can be fairly expensive
  – Also, not all of them work as advertised
• “Pry-Fi” and similar apps
  – Designed specifically to screw with Wi-Fi collection databases
  – Pebble-in-the-ocean effect
  – Usually require root/jailbreak
  – Can break the device, require re-flash

Hackers – Network-Based
• Avoid public Wi-Fi when possible
  – Never bank
  – Access email and social media at your own peril
• Run a port scan against your device occasionally to look for obvious holes
  – ESPECIALLY if you've rooted/jailbroken your device
  – Lots of root apps open ports by default
• Download Fing
  – Free network scanner for iOS/Android
  – Point Fing at your own device

Hackers – Phishing
• Don't click without thinking!
  – Modern phishing
    • Fewer spelling and grammatical errors
    • Much more timely (e.g. post-Target-breach emails)
  – Applies to emails, phone calls, and SMS
• If you're the slightest bit suspicious, contact the sender by some other means and confirm the message's validity
• Anything too good to be true probably is
  – Watch out for urgency and embarrassment too

Hackers – Malicious Apps
• ALWAYS check Android app permissions before installing
• ALWAYS consider the ramifications of giving iOS apps special permissions
• iOS allows you to fine-tune permissions in Settings
• Check the app's developer and make sure it's spelled correctly and matches who it's supposed to be
  – A kind of special phishing attack
  – Backdoored/cloned apps exist

Hackers – Leaky Wi-Fi
• Turn off your Wi-Fi when you aren’t using it
• Use a generic name for your home network
  – Still change it from its default
  – Netgear becomes Linksys, Linksys becomes Buffalo... etc.
  – Default ESSIDs give away a lot of info to hackers (default username/password, etc.)
• Regularly change your network names

Thieves
• Always be sure to keep your device up to date with the latest firmware
• Use the passphrase option for lockscreens
  – No 9-point swipe
  – No PIN codes
• Enable 10-attempt wipe for iOS
• Enable encryption (iOS and Android both support this, though iOS's is a better setup)

Thieves
• Avoid rooting/jailbreaking
  – Risk of bricking your device is actually fairly low nowadays
    • Processes are well documented
    • “Click-to-root”
  – HOWEVER
    • Bad idea to run a normal computer as Admin
    • Why risk your mobile device?
  – IF you choose to root/jailbreak
    • iOS device ‘root’ & ‘mobile’ password: alpine
    • ssh-enabled
    • Use “Approval” mode for SU in Android

Thieves
• With iOS, check the system log to see what your sensitive apps (banking, social media...) are saving to the device
  – Pro: Free download in the App Store (“Xtools”)
  – Con: BIG download for a small tool
• Run Wireshark on your home network while using sensitive apps
  – Pro: Identify clear-text protocols
  – Con: Steep learning curve

Mobile Device Management Solutions
• Lots of options for MDM
• Each comes with benefits and weaknesses
• Examples
  – MobileIron
    • Granular setup
    • Known vulnerabilities
  – MaaS360
    • Robust features for iOS and an intuitive UI
    • Lacking in Android and Windows features

Mobile Device Management Solutions
• www.enterpriseios.com/wiki/Comparison_MDM_Providers
• Excellent site for comparing the biggest-name MDMs

Demo Time

Root Access on iPhone 4 with iOS 7
• SSH ramdisk
  – Similar technique to booting a PC from a live disk
  – Gives access to the root file system
• Process is completely automated
  – One simple download
  – Quick process

iOS 7 Siri Lock Screen Auth Bypass
• Interactive demo since I don’t have an iPhone 4s+
• Siri enabled on lock screen
  – Call or FaceTime unknown contact
  – Presents option for “Other”
• Look at contacts and change pictures

Conclusion
• Progress and convenience come with a risk
• There are lots of steps we can take as users and consumers to protect ourselves
• From an enterprise standpoint
  – Consider an MDM
  – Heavy testing up front AND regular testing once implemented
  – iOS > Android

Thank you for your time!
QUESTIONS / ANSWERS
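The "Run Wireshark on your home network while using sensitive apps" advice boils down to one check: which flows from the phone send credentials over a protocol that does not encrypt. As an added example (not part of the original deck), the Python below applies that check offline to a small constructed capture: it inspects only traffic to clear-text ports and reports the flow and the kind of credential seen, never the secret itself. The Packet class, the port table, the indicator patterns and the capture contents are all assumptions made for illustration.

```python
"""Offline version of the 'identify clear-text protocols' check: flag flows
that send credentials to a clear-text port. Capture contents are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Packet:  # hypothetical minimal view of one captured TCP segment
    src: str
    dst: str
    dport: int
    payload: bytes


# Ports whose protocols carry data unencrypted; TLS ports (443, 993, ...) are ignored.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}

# Patterns that indicate a credential in the payload (only the label is reported, never the value).
INDICATORS = [
    (re.compile(rb"(?im)^authorization:\s*basic\s+\S+"), "HTTP Basic credentials"),
    (re.compile(rb"(?i)(?:^|[?&])(?:pass(?:word|wd)?|pwd|token)=[^&\s]+"), "password/token form field"),
    (re.compile(rb"(?m)^PASS\s+\S+"), "PASS command"),
]


def find_cleartext_secrets(packets):
    """Return (src, dst, protocol, indicator) for every packet that sends a
    credential over a clear-text protocol; encrypted traffic is not inspected."""
    findings = []
    for p in packets:
        proto = CLEARTEXT_PORTS.get(p.dport)
        if proto is None:
            continue
        for pattern, label in INDICATORS:
            if pattern.search(p.payload):
                findings.append((p.src, p.dst, proto, label))
                break  # one finding per packet is enough
    return findings


# Constructed sample capture: one phone (192.168.1.20) talking to documentation-range hosts.
CAPTURE = [
    Packet("192.168.1.20", "203.0.113.10", 80,
           b"POST /login HTTP/1.1\r\nHost: bank.example\r\n\r\nuser=alice&password=hunter2"),
    Packet("192.168.1.20", "203.0.113.20", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS: skipped
    Packet("192.168.1.20", "203.0.113.30", 110, b"USER alice\r\nPASS hunter2\r\n"),
    Packet("192.168.1.20", "203.0.113.40", 80, b"GET /feed HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    Packet("192.168.1.20", "203.0.113.50", 80,
           b"GET /api HTTP/1.1\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, proto, label in find_cleartext_secrets(CAPTURE):
        print(f"{src} -> {dst} [{proto}]: {label} sent in the clear")
```

Against the sample capture the banking login, the POP3 password and the Basic-auth API call are flagged, while the TLS session and the plain news fetch are not.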