Lesson 13
Implementing Secure Mobile Solutions
LESSON INTRODUCTION
Mobile devices are now the preferred client for many common work tasks, and network
management and security systems have had to adapt to accommodate them. The shift
toward mobile also presages a move toward unified management of endpoints, and
the use of virtualized workspaces as a better model for provisioning corporate apps
and data processing.
Lesson Objectives
In this lesson, you will:
• Implement mobile device management.
• Implement secure mobile device connections.
DO NOT REDISTRIBUTE
344 | The Official CompTIA Security+ Student Guide (Exam SY0-601)
Topic 13A
Implement Mobile Device Management
EXAM OBJECTIVES COVERED
3.5 Given a scenario, implement secure mobile solutions
As use of mobiles has permeated every type of organization, network management
and security suites have developed to ensure that they are not exploited as
unmanaged attack vectors. As a security professional, you will often have to configure
these management suites, and assist users with the device onboarding process.
Mobile Device Deployment Models
Mobile devices have replaced computers for many email and diary management
tasks and are integral to accessing many other business processes and cloud-based
applications. A mobile device deployment model describes the way employees are
provided with mobile devices and applications.
• Bring your own device (BYOD)—the mobile device is owned by the employee. The mobile will have to meet whatever profile is required by the company (in terms of OS version and functionality) and the employee will have to agree to the installation of corporate apps and to some level of oversight and auditing. This model is usually the most popular with employees but poses the most difficulties for security and network managers.
• Corporate owned, business only (COBO)—the device is the property of the company and may only be used for company business.
• Corporate owned, personally-enabled (COPE)—the device is chosen and supplied by the company and remains its property. The employee may use it to access personal email and social media accounts and for personal web browsing (subject to whatever acceptable use policies are in force).
• Choose your own device (CYOD)—much the same as COPE but the employee is given a choice of device from a list.
Virtualization can provide an additional deployment model. Virtual desktop infrastructure (VDI) means provisioning an OS desktop to interchangeable hardware. The hardware only has to be capable of running a VDI client viewer, or have a browser that supports a clientless HTML5 solution. The instance is provided "as new" for each session and can be accessed remotely. The same technology can be accessed via a mobile device such as a smartphone or tablet. This removes some of the security concerns about BYOD, as the corporate apps and data run in the data center and are segmented from the other apps on the device; only screen output, keyboard, and touch events cross the network.
Enterprise Mobility Management
Enterprise mobility management (EMM) is a class of management software designed
to apply security policies to the use of mobile devices and apps in the enterprise. The
challenge of identifying and managing attached devices is often referred to as visibility.
EMM software can be used to manage enterprise-owned devices as well as BYOD.
There are two main functions of an EMM product suite:
• Mobile device management (MDM)—sets device policies for authentication, feature use (camera and microphone), and connectivity. MDM can also allow device resets and remote wipes.
• Mobile application management (MAM)—sets policies for apps that can process corporate data, and prevents data transfer to personal apps. This type of solution configures an enterprise-managed container or workspace.
Additionally, distinguishing whether client endpoints are mobile or fixed is not really a critical factor for many of these management tasks, with the consequence that the latest suites aim for visibility across PC, laptop, smartphone, tablet, and even IoT devices. These suites are called unified endpoint management (UEM) (redmondmag.com/Articles/2017/10/01/Unified-Endpoint-Management.aspx).
The core functionality of endpoint management suites extends the concept of
network access control (NAC) solutions. The management software logs the use of a
device on the network and determines whether to allow it to connect or not, based
on administrator-set parameters. When the device is enrolled with the management
software, it can be configured with policies to allow or restrict use of apps, corporate
data, and built-in functions, such as a video camera or microphone.
Some EMM/UEM solutions include AirWatch (air-watch.com), Microsoft Intune
(microsoft.com/en-us/microsoft-365/enterprise-mobility-security/microsoft-intune),
Symantec/Broadcom (broadcom.com/products/cyber-security/endpoint/end-user/
protection-mobile), and Citrix Endpoint Management (formerly XenMobile) (citrix.com/
products/citrix-endpoint-management).
iOS in the Enterprise
In Apple's iOS ecosystem, third-party developers create apps using Apple's Software Development Kit, available only on macOS. Apps have to be submitted to and approved by Apple before they are released to users via the App Store. Corporate control over iOS devices and distribution of corporate and B2B (Business-to-Business) apps is facilitated by participating in the Device Enrollment Program and the Volume Purchase Program (both now administered through Apple Business Manager: support.apple.com/business) and the Developer Enterprise Program (developer.apple.com/programs/enterprise). Another option is to use an EMM suite and its development tools to create a "wrapper" for the corporate app.
Configuring iOS device enrollment in Microsoft's Intune EMM suite. (Screenshot used with permission from Microsoft.)
Most iOS attacks are the same as with any system; users click malicious links or enter information into phishing sites, for instance. As a closed and proprietary system with a single curated app source and OS updates delivered only from Apple's servers, iOS gives malware far fewer routes onto a device, but the protection is not absolute. A vulnerability in either iOS or an installed app can be discovered and exploited. In this event, users need to update iOS or the app to a version that mitigates the exploit, and the management suite should enforce a minimum OS version as a condition of access to corporate data.
Android in the Enterprise
Android's open source basis means that there is more scope for vendor-specific
versions. The app model is also more relaxed, with apps available from both Google
Play and third-party sites, such as Amazon's app store. The SDK is available on Linux,
Windows, and macOS. The Android Enterprise (android.com/enterprise) program
facilitates use of EMM suites and the containerization of corporate workspaces.
Additionally, Samsung has a workspace framework called KNOX (samsung.com/us/
business/solutions/samsung-knox) to facilitate EMM control over device functionality.
Enrolling an Android smartphone with Intune.
(Android is a trademark of Google LLC.)
iOS devices are normally updated very quickly. With Android, the situation is less
consistent, as updates often depend on the handset vendor to complete the new
version or issue the patch for their flavor of Android. Android OS is more open and
there is Android malware, though as with Apple it is difficult for would-be hackers and
spammers to get it into any of the major app repositories.
One technique used is called staged payloads. The malware writers release an app that appears innocuous in the store but, once installed, downloads additional components carrying the malicious code (zdnet.com/article/android-security-sneaky-three-stage-malware-found-in-google-play-store). Google has implemented a server-side malware scanning product (Play Protect) that warns users if an app is potentially damaging and also rescans apps that have already been installed, warning the user if any security issues have since been discovered.
Since version 4.3, Android has shipped with Security-Enhanced Linux; SEAndroid (source.android.com/security/selinux) became enforcing for all processes in version 5.0. SELinux applies mandatory access control (MAC) policies that confine each app process to its own sandbox regardless of the Linux user ID it runs under. Access to shared features such as contact details, SMS texting, and email is controlled separately by the app permission model: early versions granted all permissions at install time, but since Android 6.0 sensitive permissions are requested at runtime and can be revoked by the user.
Configuring app permissions in Android OS. (Android is a trademark of Google LLC.)
Mobile Access Control Systems
If a threat actor is able to gain access to a smartphone or tablet, they can obtain a huge
amount of information and the tools with which to launch further attacks. Quite apart from
confidential data files that might be stored on the device, it is highly likely that the user has
cached passwords for services such as email or remote access VPN and websites.
Smartphone Authentication
The majority of smartphones and tablets are single-user devices. Access control can be
implemented by configuring a screen lock that can only be bypassed using the correct
password, PIN, or swipe pattern. Many devices now support biometric authentication,
usually as a fingerprint reader but sometimes using facial or voice recognition.
Configuring authentication and profile policies using Intune EMM. Note that the policy allows the user to have a different type of authentication (or none at all) to the workspace hosting corporate apps and data. (Screenshot used with permission from Microsoft.)
Strong passcodes should always be set on mobile devices: a simple 4-digit PIN has only 10,000 combinations and, without a lockout policy, can be exhausted quickly. Swipe patterns are vulnerable to poor user choices (arstechnica.com/information-technology/2015/08/new-data-uncovers-the-surprising-predictability-of-android-lock-patterns), such as choosing letter or box patterns, plus the tendency for the grease trail to facilitate a smudge attack.
Screen Lock
The screen lock can also be configured with a lockout policy. This means that if an
incorrect passcode is entered, the device locks for a set period. This could be configured
to escalate (so the first incorrect attempt locks the device for 30 seconds while the third
locks it for 10 minutes, for instance). This deters attempts to guess the passcode.
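The text above gives two figures: 10,000 combinations for a 4-digit PIN, and a lockout that escalates from 30 seconds to 10 minutes. The script below, an added example rather than anything from the guide or a vendor, puts numbers on both so the effect of the lockout policy is visible. The escalating schedule, the 0.1 s per guess, and the erase-after-10-failures option are assumptions; real platforms use different schedules and may also rate-limit inside a secure element.

```python
"""Worst-case time for an on-device passcode guessing attack, with and
without an escalating lockout policy (added example, not vendor code)."""
from typing import Optional, Sequence

# Assumed schedule: ESCALATING_LOCKOUT[i] is the delay in seconds imposed after
# failed attempt i+1. Failures past the end of the list reuse the last delay.
ESCALATING_LOCKOUT: Sequence[float] = (0, 30, 60, 600, 3600)


def passcode_space(alphabet_size: int, length: int) -> int:
    """Number of possible passcodes, e.g. 10 digits x 4 positions = 10,000."""
    return alphabet_size ** length


def total_lockout(failures: int, lockout: Sequence[float]) -> float:
    """Sum of the lockout delays incurred by `failures` consecutive wrong guesses."""
    if failures <= 0 or not lockout:
        return 0.0
    n = len(lockout)
    if failures <= n:
        return float(sum(lockout[:failures]))
    return float(sum(lockout)) + (failures - n) * float(lockout[-1])


def guessing_time(space: int, attempt_seconds: float = 0.1,
                  lockout: Sequence[float] = (),
                  wipe_after: Optional[int] = None) -> dict:
    """Cost of exhausting the passcode space one guess at a time.

    attempt_seconds: time to submit one guess (0.1 s models automation via a
    USB HID gadget, not a human thumb).
    wipe_after: if the policy erases the device after N failures, at most N
    guesses are possible and success becomes a lottery with N/space odds.
    """
    attempts = space if wipe_after is None else min(space, wipe_after)
    # The final (correct) guess incurs no delay, so only attempts-1 failures count.
    worst = attempts * attempt_seconds + total_lockout(attempts - 1, lockout)
    return {
        "attempts": attempts,
        "worst_case_seconds": worst,
        "worst_case_days": worst / 86400,
        "success_probability": attempts / space,
    }


def compare_policies() -> dict:
    """Side-by-side figures for the scenarios discussed in the text."""
    pin4 = passcode_space(10, 4)
    return {
        "pin4_no_lockout": guessing_time(pin4),
        "pin4_escalating": guessing_time(pin4, lockout=ESCALATING_LOCKOUT),
        "pin4_wipe_after_10": guessing_time(pin4, wipe_after=10),
        "alnum8_no_lockout": guessing_time(passcode_space(62, 8)),
    }


if __name__ == "__main__":
    for name, r in compare_policies().items():
        print(f"{name:20s} attempts={r['attempts']:>18,d} "
              f"worst={r['worst_case_days']:>16,.2f} days  "
              f"p(success)={r['success_probability']:.4f}")
```

With these assumptions a 4-digit PIN falls in under 17 minutes with no lockout, but the escalating schedule stretches the worst case past a year, and a wipe-after-10 policy leaves the attacker a 0.1% chance. The lockout only helps if it is enforced somewhere the attacker cannot reset, which is why modern handsets implement it in the secure element rather than the OS.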
Context-Aware Authentication
It is also important to consider newer authentication models, such as context-aware
authentication. For example, smartphones now allow users to disable screen locks
when the device detects that it is in a trusted location, such as the home. Conversely,
an enterprise may seek more stringent access controls to prevent misuse of a device.
For example, even if the device has been unlocked, accessing a corporate workspace
might require the user to authenticate again. It might also check whether the network
connection can be trusted (that it is not an open Wi-FI hotspot, for instance).
Remote Wipe
A remote wipe or kill switch means that if the handset is stolen it can be set to the
factory defaults or cleared of any personal data (sanitization). Some utilities may also
be able to wipe any plug-in memory cards too. The remote wipe could be triggered by
several incorrect passcode attempts or by enterprise management software. Other
features include backing up data from the phone to a server first and displaying a
"Lost/stolen phone—return to XX" message on the handset.
Most corporate messaging systems come with a remote wipe feature (such as this one provided with
Intermedia mail hosting), allowing mail, calendar, and contacts information to be deleted from mobile
devices. (Screenshot used with permission from Intermedia.)
In theory, a thief can prevent a remote wipe by ensuring the phone never reconnects to a network (airplane mode or a shielded bag, for instance) and then attacking the device offline to disable its security. The controls that still apply in that case are the ones enforced on the device itself: the wipe-after-too-many-failed-attempts option and encryption bound to the passcode.
Full Device Encryption and External Media
All but the early versions of mobile device OSes for smartphones and tablets provide full device encryption. In iOS, the encryption is layered:
• Every file is encrypted with its own key, and the file keys are wrapped by class keys that are themselves rooted in a key combining the hardware UID with a key held in erasable flash storage. Deleting that single erasable key renders every file unreadable at once. This is how remote wipe and the erase-after-too-many-attempts option work: the OS discards one key rather than wiping each storage location.
• Data Protection adds the user's passcode to the hierarchy. Email data and any app that selects the Complete Protection option have their class key derived from the passcode (entangled with the UID) and discarded when the device locks, so the data is unreadable while the device is locked and if it is stolen. Not all user data gets this treatment: most other first-party data, including contacts, SMS messages, and pictures, uses the Protected Until First User Authentication class, which is unlocked by the first passcode entry after boot and remains available until the device is powered off. A thief therefore gains far more from a device captured powered on than from one found switched off.
In iOS, Data Protection is enabled automatically when you configure a passcode on the device. In Android, encryption options differ substantially between versions (source.android.com/security/encryption). Since Android 10, new devices must use file-based encryption (FBE) and may no longer use full-disk encryption (FDE). FBE splits storage into device-encrypted (DE) storage, available from boot, and credential-encrypted (CE) storage, which is only unlocked after the user authenticates; this is what allows alarms and accessibility services to run before the first unlock while user data stays protected.
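The two-layer scheme described above (an always-on layer whose key can simply be deleted, and a passcode-bound Data Protection layer) is easiest to understand as a key hierarchy. The code below is an added illustration, not Apple's or Google's implementation. It uses an HMAC-based stand-in for the hardware AES engine, and the UID value, class names, file names and PBKDF2 iteration count are assumptions chosen for the demonstration.

```python
"""Storage key hierarchy: per-file keys wrapped by class keys, class keys
rooted in the hardware UID plus an erasable key (and, for CompleteProtection,
the passcode). Added example; the cipher is HMAC-SHA256 in counter mode plus
an HMAC tag standing in for AES, so a wrong key is detected, not garbled."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 12, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC with separate subkeys derived from `key`."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError if the key is wrong."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Device:
    PBKDF2_ITERATIONS = 100_000  # real devices calibrate this to a fixed delay

    def __init__(self, uid: bytes, passcode: str):
        self._uid = uid                                 # fused into silicon, never exported
        self.effaceable_key = secrets.token_bytes(32)   # lives in erasable flash
        self.files = {}
        # Class keys are random; only their wrapped forms (the "keybag") persist.
        self.keybag = {
            "NoProtection": seal(self._device_key(), secrets.token_bytes(32)),
            "CompleteProtection": seal(self._passcode_key(passcode), secrets.token_bytes(32)),
        }

    def _device_key(self) -> bytes:
        return hmac.new(self._uid, self.effaceable_key, hashlib.sha256).digest()

    def _passcode_key(self, passcode: str) -> bytes:
        # Entangled with the device key: the derivation only works on this hardware.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._device_key(),
                                   self.PBKDF2_ITERATIONS)

    def _class_key(self, cls: str, passcode: str) -> bytes:
        kek = self._device_key() if cls == "NoProtection" else self._passcode_key(passcode)
        return open_sealed(kek, self.keybag[cls])

    def store(self, name: str, data: bytes, cls: str, passcode: str = "") -> None:
        file_key = secrets.token_bytes(32)
        self.files[name] = (cls, seal(self._class_key(cls, passcode), file_key), seal(file_key, data))

    def read(self, name: str, passcode: str = "") -> bytes:
        cls, wrapped_key, blob = self.files[name]
        return open_sealed(open_sealed(self._class_key(cls, passcode), wrapped_key), blob)

    def remote_wipe(self) -> None:
        """Crypto-erase: destroy the effaceable key. Ciphertext stays on flash,
        but no class key, and hence no file key, can ever be unwrapped again."""
        self.effaceable_key = bytes(32)


def _raises(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Run the scenarios from the text and report which protections held."""
    dev = Device(uid=b"\x42" * 32, passcode="2468")  # constructed sample values
    dev.store("contacts.db", b"alice,bob", "NoProtection")
    dev.store("mail.db", b"quarterly numbers", "CompleteProtection", passcode="2468")
    out = {
        "no_protection_readable_without_passcode": dev.read("contacts.db") == b"alice,bob",
        "complete_protection_with_passcode": dev.read("mail.db", "2468") == b"quarterly numbers",
        "wrong_passcode_rejected": _raises(lambda: dev.read("mail.db", "0000")),
    }
    dev.remote_wipe()
    out["wipe_destroys_unprotected_data"] = _raises(lambda: dev.read("contacts.db"))
    out["wipe_defeats_correct_passcode"] = _raises(lambda: dev.read("mail.db", "2468"))
    return out
```

The point of the structure is the last two results: after `remote_wipe()` nothing on the device is readable even with the right passcode, because every class key was wrapped under a key that no longer exists. The NoProtection class shows the other half of the text's warning: that data is readable by anyone who can run code on the unlocked device, which is why sensitive apps should opt into the passcode-bound class.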
A mobile device contains a solid state (flash memory) drive for persistent storage of
apps and data. Some Android handsets support removable storage using external
media, such as a plug-in Micro SecureDigital (SD) card slot; some may support the
connection of USB-based storage devices. The mobile OS encryption software might
allow encryption of the removable storage too but this is not always the case. Care
should be taken to apply encryption to storage cards using third-party software if
necessary and to limit sensitive data being stored on them.
A MicroSD HSM is a small form factor hardware security module designed to store
cryptographic keys securely. This allows the cryptographic material to be used with
different devices, such as a laptop and smartphone.
Location Services
Geolocation is the use of network attributes to identify (or estimate) the physical
position of a device. The device uses location services to determine its current position.
Location services can make use of two systems:
• Global Positioning System (GPS)—a means of determining the device's latitude and longitude based on timing information received from satellites via a GPS sensor.
• Indoor Positioning System (IPS, not to be confused with an intrusion prevention system)—works out a device's location from its proximity to other radio sources, such as cell towers, Wi-Fi access points, and Bluetooth/RFID beacons, whose positions are known.
Location services are available to any app to which the user has granted the location permission.
Using Find My Device to locate an Android smartphone. (Android is a trademark of Google LLC.)
The primary concern surrounding location services is one of privacy. Although very
useful for maps and turn-by-turn navigation, it provides a mechanism to track an
individual's movements, and therefore their social and business habits. The problem
is further compounded by the plethora of mobile apps that require access to location
services and then both send the information to the application developers and store
it within the device's file structure. If an attacker can gain access to this data, then
stalking, social engineering, and even identity theft become real possibilities.
Geofencing and Camera/Microphone Enforcement
Geofencing is the practice of creating a virtual boundary based on real-world
geography. Geofencing can be a useful tool with respect to controlling the use of
camera or video functions or applying context-aware authentication. An organization
may use geofencing to create a perimeter around its office property, and subsequently,
limit the functionality of any devices that exceed this boundary. An unlocked
smartphone could be locked and forced to re-authenticate when entering the
premises, and the camera and microphone could be disabled. The device's position is
obtained from location services.
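Geofencing and context-aware authentication, as described above, come down to a small policy function that takes the device's location, network and unlock state and returns the controls to apply. The following is an added example, not Intune's or any other product's logic; the HQ coordinates, fence radius, trusted SSID and accuracy threshold are made-up sample values, and the decision rules mirror the scenarios in the text (recording functions off on premises, re-authentication on entry, on an untrusted network, or when the device was unlocked without a credential).

```python
"""Geofence evaluation and a context-aware workspace access decision.
Added example; all coordinates, SSIDs and thresholds are constructed."""
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat: float, lon: float) -> bool:
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


@dataclass
class DeviceContext:
    lat: Optional[float]             # None if location services are off or denied
    lon: Optional[float]
    accuracy_m: float                # horizontal accuracy reported by the OS
    was_inside: bool                 # previous evaluation, used to detect entry
    ssid: Optional[str]              # None when on cellular data
    wifi_secured: bool               # WPA2/WPA3 association, not an open hotspot
    unlocked_by_trusted_place: bool  # screen lock skipped because "at home"


# Hypothetical HQ fence and the one Wi-Fi network the organisation trusts.
HQ = Geofence("hq", 51.5007, -0.1246, 150.0)
TRUSTED_SSIDS = {"corp-wpa3"}
MAX_ACCURACY_M = 100.0  # a looser fix is treated as "location unknown"


def evaluate(ctx: DeviceContext, fences=(HQ,)) -> dict:
    """Return the device controls to apply and the reason for each."""
    decision = {"camera": True, "microphone": True, "workspace_reauth": False, "reasons": []}

    located = ctx.lat is not None and ctx.lon is not None and ctx.accuracy_m <= MAX_ACCURACY_M
    inside = located and any(f.contains(ctx.lat, ctx.lon) for f in fences)

    if inside:
        # On premises: recording functions off; re-authenticate on the way in.
        decision["camera"] = decision["microphone"] = False
        decision["reasons"].append("inside geofence: camera/microphone disabled")
        if not ctx.was_inside:
            decision["workspace_reauth"] = True
            decision["reasons"].append("entered premises: re-authentication required")
    elif not located:
        # Cannot place the device, so fail closed on the corporate workspace.
        decision["workspace_reauth"] = True
        decision["reasons"].append("location unavailable or imprecise")

    if ctx.ssid is None or not ctx.wifi_secured or ctx.ssid not in TRUSTED_SSIDS:
        decision["workspace_reauth"] = True
        decision["reasons"].append("untrusted network")

    if ctx.unlocked_by_trusted_place:
        # A convenience unlock is not a credential; the workspace needs one.
        decision["workspace_reauth"] = True
        decision["reasons"].append("device unlocked without credential")

    return decision
```

Two design points matter in practice. First, an imprecise or missing fix is treated as "unknown" rather than "outside", so a user who disables location services does not thereby regain the camera inside the office. Second, the fence alone is never the reason to skip authentication; it only ever adds restrictions, because (as the GPS section of this lesson notes) the position report can be jammed or spoofed.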
Restricting device permissions such as camera and screen capture using Intune.
(Screenshot used with permission from Microsoft.)
GPS Tagging
GPS tagging is the process of adding geographical identification metadata, such as the latitude and longitude where the device was located at the time, to media such as photographs, SMS messages, video, and so on. It allows an app to place the media at specific coordinates on a map. GPS tags are highly sensitive personal information and potentially confidential organizational data also. GPS tagged pictures uploaded to social media could be used to track a person's movements and location. For example, a Russian soldier revealed troop positions by uploading GPS tagged selfies to Instagram (arstechnica.com/tech-policy/2014/08/opposite-of-opsec-russian-soldier-posts-selfies-from-inside-ukraine). Management policy can disable the location tag for the camera app, and corporate content management should strip location metadata from images before they are shared externally.
Application Management
When a device is joined to the corporate network through enrollment with
management software, it can be configured into an enterprise workspace mode in
which only a certain number of authorized applications can run.
Endpoint management software such as Microsoft Intune can be used to approve or prohibit apps.
(Screenshot used with permission from Microsoft.)
A trusted app source is one that is managed by a service provider. The service provider
authenticates and authorizes valid developers, issuing them with a certificate to use
to sign their apps and warrant them as trusted. It may also analyze code submitted to
ensure that it does not pose a security or privacy risk to its customers (or remove apps
that are discovered to pose such a risk). It may apply other policies that developers
must meet, such as not allowing apps with adult content or apps that duplicate the
function of core OS apps.
The mobile OS defaults to restricting app installations to the linked store (App Store for
iOS and Play for Android). Most consumers are happy with this model but it does not
work so well for enterprises. It might not be appropriate to deliver a custom corporate
app via a public store, where anyone could download it. Apple operates enterprise
developer and distribution programs to solve this problem, allowing private app
distribution via Apple Business Manager (developer.apple.com/business/distribute).
Google's Play store has a private channel option, called Managed Google Play. Both
these options allow an EMM/UEM suite to push apps from the private channel to
the device.
Unlike iOS, Android allows the selection of different stores and the installation of untrusted apps from any third party, if the user enables it. Originally this was a single "Unknown sources" toggle; since Android 8.0 it is a per-app "Install unknown apps" permission granted to the browser, file manager, or other source that delivers the package. With that enabled, untrusted apps can be downloaded from a website and installed from the .apk file. This is referred to as sideloading.
Conversely, a management suite might be used to prevent the use of third-party stores or sideloading and block unapproved app sources.
Content Management
Containerization allows the employer to manage and maintain the portion of the
device that interfaces with the corporate network. An enterprise workspace with a
defined selection of apps and a separate container is created. This container isolates
corporate apps from the rest of the device. There may be a requirement for additional
authentication to access the workspace.
The container can also enforce storage segmentation. With storage segmentation the
container is associated with a directory on the persistent storage device that is not
readable or writable by apps that are not in the container. Conversely, apps cannot
write to areas outside the container, such as external media or using copy and paste
to a non-container app. App network access might be restricted to a VPN tunneled
through the organization's security system.
The enterprise is thereby able to maintain the security it needs, without having to
enforce policies that affect personal use, apps, or data.
Containerization also assists content management and data loss prevention (DLP)
systems. A content management system tags corporate or confidential data and
prevents it from being shared or copied to unauthorized external media or channels,
such as non-corporate email systems or cloud storage services.
Rooting and Jailbreaking
As with Windows and Linux, the account used to install the OS and run kernel-level processes is not the one used by the device owner. Users who want to avoid the restrictions that some OS vendors, handset OEMs, and telecom providers (carriers) put on the devices must use some type of privilege escalation:
• Rooting—this term is associated with Android devices. Some vendors provide authorized mechanisms (typically an unlockable bootloader) for users to access the root account on their device. For other devices it is necessary to exploit a vulnerability or flash custom firmware. Custom firmware is essentially a new Android OS image applied to the device. This can also be referred to as a custom ROM, after the term for the read-only memory chips that used to hold firmware.
• Jailbreaking—iOS is more restrictive than Android, so the term "jailbreaking" became popular for exploits that enable the user to obtain root privileges, sideload apps, change or add carriers, and customize the interface. iOS jailbreaking is accomplished by booting the device with a patched kernel. With a tethered jailbreak this only works while the device is attached to a computer when it boots, and the patch is lost on each reboot; an untethered jailbreak persists across reboots and is correspondingly rarer and more valuable to an attacker.
• Carrier unlocking—for either iOS or Android, this means removing the restrictions that lock a device to a single carrier.
Rooting or jailbreaking mobile devices involves subverting the security measures on
the device to gain administrative access to it. This also has the side effect of leaving
many security measures permanently disabled. If the user has root permissions, then
essentially any management agent software running on the device is compromised.
If the user has applied a custom firmware image, they could have removed the
protections that enforce segmentation. The device can no longer be assumed to run a
trusted OS.
EMM/UEM has routines to detect a rooted or jailbroken device or custom firmware with
no valid developer code signature and prevent access to an enterprise app, network,
or workspace. Containerization and enterprise workspaces can use cryptography to
protect the workspace in a way that is much harder to compromise than a local agent,
even from a rooted/jailbroken device.
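The checks an EMM agent runs to detect a rooted or jailbroken device, custom firmware, or a sideloaded corporate app (the sideloading risk discussed under Application Management above) look like the following. This is an added, offline example that evaluates a constructed snapshot of device state, not any vendor's agent code; the indicator lists are the well-known public ones and are not exhaustive, and the corporate package name is hypothetical. As the text notes, a device with root can lie to an on-device agent, so these heuristics are a first filter rather than the control that protects the workspace.

```python
"""Heuristic root/jailbreak and app-source checks over a device snapshot.
Added example; snapshots below are constructed, not captured from hardware."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Android: su binaries, root managers, and properties that only appear on
# test/engineering builds or when the verified boot chain is broken.
ANDROID_ROOT_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su",
                      "/system/app/Superuser.apk", "/data/adb/magisk"}
ANDROID_ROOT_PACKAGES = {"com.topjohnwu.magisk", "eu.chainfire.supersu",
                         "com.noshufou.android.su"}
PLAY_STORE_INSTALLER = "com.android.vending"

# iOS: package managers and tooling that only exist after a jailbreak.
IOS_JAILBREAK_PATHS = {"/Applications/Cydia.app", "/Applications/Sileo.app",
                       "/Library/MobileSubstrate/MobileSubstrate.dylib",
                       "/usr/sbin/sshd", "/etc/apt", "/bin/bash"}


@dataclass
class DeviceSnapshot:
    platform: str                              # "android" or "ios"
    present_paths: Set[str]
    packages: Set[str] = field(default_factory=set)
    properties: Dict[str, str] = field(default_factory=dict)  # Android system props
    corp_app_installer: str = ""               # Android: installer of the corporate app
    sandbox_write_escaped: bool = False        # iOS: a write outside the container succeeded


def check_android(s: DeviceSnapshot) -> List[str]:
    findings = [f"root artefact present: {p}" for p in sorted(ANDROID_ROOT_PATHS & s.present_paths)]
    findings += [f"root manager installed: {p}" for p in sorted(ANDROID_ROOT_PACKAGES & s.packages)]
    if "test-keys" in s.properties.get("ro.build.tags", ""):
        findings.append("build signed with test-keys (custom or engineering firmware)")
    if s.properties.get("ro.boot.verifiedbootstate", "green") != "green":
        findings.append("verified boot state not green (unlocked bootloader or custom image)")
    if s.properties.get("ro.debuggable") == "1" or s.properties.get("ro.secure") == "0":
        findings.append("debuggable/insecure build properties")
    if s.properties.get("ro.boot.selinux", "enforcing") != "enforcing":
        findings.append("SELinux not enforcing")
    if s.corp_app_installer and s.corp_app_installer != PLAY_STORE_INSTALLER:
        findings.append(f"corporate app sideloaded via {s.corp_app_installer}")
    return findings


def check_ios(s: DeviceSnapshot) -> List[str]:
    findings = [f"jailbreak artefact present: {p}" for p in sorted(IOS_JAILBREAK_PATHS & s.present_paths)]
    if s.sandbox_write_escaped:
        findings.append("app could write outside its sandbox")
    return findings


def compliance(s: DeviceSnapshot) -> dict:
    """Decide whether the device may reach the workspace and list every reason it may not."""
    findings = check_android(s) if s.platform == "android" else check_ios(s)
    return {"compliant": not findings, "findings": findings}


# Constructed snapshots. "com.example.corpmail" is a hypothetical corporate app.
STOCK_ANDROID = DeviceSnapshot(
    "android", present_paths={"/system/bin/sh"},
    packages={PLAY_STORE_INSTALLER, "com.example.corpmail"},
    properties={"ro.build.tags": "release-keys", "ro.boot.verifiedbootstate": "green",
                "ro.debuggable": "0", "ro.secure": "1", "ro.boot.selinux": "enforcing"},
    corp_app_installer=PLAY_STORE_INSTALLER)

ROOTED_ANDROID = DeviceSnapshot(
    "android", present_paths={"/system/bin/sh", "/system/xbin/su", "/data/adb/magisk"},
    packages={"com.topjohnwu.magisk", "com.example.corpmail"},
    properties={"ro.build.tags": "test-keys", "ro.boot.verifiedbootstate": "orange",
                "ro.debuggable": "1", "ro.secure": "0", "ro.boot.selinux": "permissive"},
    corp_app_installer="com.android.packageinstaller")  # .apk sideloaded by hand

JAILBROKEN_IOS = DeviceSnapshot(
    "ios", present_paths={"/Applications/Cydia.app", "/Library/MobileSubstrate/MobileSubstrate.dylib"},
    sandbox_write_escaped=True)

if __name__ == "__main__":
    for name, snap in [("stock", STOCK_ANDROID), ("rooted", ROOTED_ANDROID), ("jailbroken", JAILBROKEN_IOS)]:
        print(name, compliance(snap))
```

Every finding is reported rather than stopping at the first, because the set of indicators is what an analyst uses to tell an enthusiast's custom ROM from a device that has been tampered with on the way to the corporate network. The verified-boot and test-keys properties are the more trustworthy signals: a root manager can hide its own files from a user-space agent, but it cannot easily re-sign the firmware.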
Review Activity:
Mobile Device Management
Answer the following questions:
1. What type of deployment model(s) allow users to select the mobile device make and model?
2. How does VDI work as a mobile deployment model?
3. Company policy requires that you ensure your smartphone is secured from unauthorized access in case it is lost or stolen. To prevent someone from accessing data on the device immediately after it has been turned on, what security control should be used?
4. An employee's car was recently broken into, and the thief stole a company tablet that held a great deal of sensitive data. You've already taken the precaution of securing plenty of backups of that data. What should you do to be absolutely certain that the data doesn't fall into the wrong hands?
5. What is containerization?
6. What is the process of sideloading?
7. Why might a company invest in device control software that prevents the use of recording devices within company premises?
8. Why is a rooted or jailbroken device a threat to enterprise security?
Topic 13B
Implement Secure Mobile Device Connections
EXAM OBJECTIVES COVERED
1.4 Given a scenario, analyze potential indicators associated with network attacks
3.5 Given a scenario, implement secure mobile solutions
As well as authentication and authorization for features and apps, management
suites can also assist with networking options for mobile. You must be able to disable
communication types that are not secure for local networks, and advise users about
the security of communications when they use their devices remotely.
Cellular and GPS Connection Methods
Mobile devices use a variety of connection methods to establish communications in
local and personal area networks and for Internet data access via service providers.
Locking down Android connectivity methods with Intune. Note that most settings can be applied only to Samsung KNOX-capable devices. (Screenshot used with permission from Microsoft.)
Cellular Data Connections
Smartphones and some tablets use the cell phone network for calls and data access. A
cellular data connection is less likely to be subject to monitoring and filtering. It may be
appropriate to disable it when a device has access to an enterprise network or data, to
prevent its use for data exfiltration.
There have been attacks and successful exploits against the major infrastructure and protocols underpinning the telecoms network, notably abuse of the SS7 signaling protocol to intercept calls and SMS messages (theregister.com/2017/05/03/hackers_fire_up_ss7_flaw). There is little that either companies or individuals can do about these weaknesses directly, beyond not relying on SMS as an authentication channel for sensitive accounts. The attacks require a high degree of sophistication and are relatively uncommon.
Global Positioning System (GPS)
A global positioning system (GPS) sensor computes the device's position from the timing of signals received from several orbiting GPS satellites (trilateration). Acquiring the satellites from cold can be slow, so most smartphones use Assisted GPS (A-GPS): the device downloads satellite orbit and timing data, plus a rough starting position derived from the serving cell tower, over the cellular data connection, so the receiver knows where to look and obtains a fix in seconds rather than minutes. GPS satellites are operated by the US Government. Some GPS sensors can also use signals from other constellations, operated by the EU (Galileo), Russia (GLONASS), or China (BeiDou).
Civilian GPS signals are weak and unauthenticated, so they can be jammed or even spoofed using specialist radio equipment. This might be used to defeat geofencing mechanisms, for instance (kaspersky.com/blog/gps-spoofing-protection/26837), which is why a geofence should never be the only control protecting a sensitive function.
Wi-Fi and Tethering Connection Methods
Mobile devices usually default to using a Wi-Fi connection for data, if present. If the
user establishes a connection to a corporate network using strong WPA3 security,
there is a fairly low risk of eavesdropping or man-in-the-middle attacks. The risks from
Wi-Fi come from users connecting to open access points or possibly a rogue access
point imitating a corporate network. These allow the access point owner to launch any
number of attacks, even potentially compromising sessions with secure servers (using
a DNS spoofing attack, for instance).
Personal Area Networks (PANs)
Personal area networks (PANs) enable connectivity between a mobile device and
peripherals. Ad hoc (or peer-to-peer) networks between mobile devices or between
mobile devices and other computing devices can also be established. In terms of
corporate security, these peer-to-peer functions should generally be disabled. It might
be possible for an attacker to exploit a misconfigured device and obtain a bridged
connection to the corporate network.
Ad Hoc Wi-Fi and Wi-Fi Direct
Wireless stations can establish peer-to-peer connections with one another, rather than using an access point. This is also called an ad hoc network (an independent basic service set, or IBSS, in 802.11 terms), meaning that the network is not made permanently available. Mainstream mobile operating systems do not expose ad hoc mode, however, and there is no established standards-based support for routing traffic across many such devices. MITRE have a project to enable Android smartphones to configure themselves in an ad hoc mesh network (mitre.org/research/technology-transfer/open-source-software/smartphone-ad-hoc-networking-span).
Wi-Fi Direct allows one-to-one connections between stations, though in this case one of the devices actually functions as a soft access point. Wi-Fi Direct depends on Wi-Fi Protected Setup (WPS) for provisioning, and the WPS PIN method in particular has well-known weaknesses. Android supports operating as a Wi-Fi Direct AP, but iOS uses a proprietary multipeer connectivity framework. You can connect an iOS device to another device running a Wi-Fi Direct soft AP, however.
There are also wireless mesh products from vendors such as Netgear and Google
that allow all types of wireless devices to participate in a peer-to-peer network. These
products might not be interoperable, though more are now supporting the EasyMesh
standard (wi-fi.org/discover-wi-fi/wi-fi-easymesh).
Tethering and Hotspots
A smartphone can share its Internet connection with another device, such as a PC.
Where this connection is shared over Wi-Fi with multiple other devices, the smartphone
can be described as a hotspot. Where the connection is shared by connecting the smartphone to a PC over a USB cable or with a single PC via Bluetooth, it can be referred to as tethering. However, the term "Wi-Fi tethering" is also quite widely used to mean a hotspot. This type of functionality would typically be disabled when the device is connected to an enterprise network, as it might be used to circumvent security mechanisms, such as data loss prevention or web content filtering policies, by giving a corporate PC an unfiltered path to the Internet.
Bluetooth Connection Methods
Bluetooth is one of the most popular technologies for implementing PANs. While native
Bluetooth has fairly low data rates, it can be used to pair with another device and then
use a Wi-Fi link for data transfer. This sort of connectivity is implemented by iOS's
AirDrop feature.
Bluetooth devices have a few known security issues:
• Device discovery—a device can be put into discoverable mode, meaning that it answers inquiry scans and advertises its name and services to any nearby Bluetooth device, which can then attempt to pair or connect. Unfortunately, even a device in non-discoverable mode is quite easy to detect, since its address can be captured from traffic it exchanges with devices it is already paired with.
• Authentication and authorization—devices authenticate ("pair") by agreeing a link key. Older devices and many headsets still use a fixed PIN such as 0000 or 1234; this should be changed wherever the device allows it and never left as the default. Newer devices use Secure Simple Pairing (numeric comparison or passkey entry), but the "Just Works" mode offers no protection against an attacker in range. Also, check the device's pairing list regularly to confirm that the devices listed are valid.
• Malware—there are proof-of-concept Bluetooth worms and application exploits, most notably the BlueBorne exploit (armis.com/blueborne), which can compromise any active and unpatched system regardless of whether discovery is enabled and without requiring any user intervention. There are also vulnerabilities in the authentication schemes of many devices. Keep devices updated with the latest firmware.
Pairing a computer with a smartphone. (Screenshot used with permission from Microsoft.)
It is also the case that using a control center toggle may not actually turn off the Bluetooth
radio on a mobile device. If there is any doubt about patch status or exposure to
vulnerabilities, Bluetooth should be fully disabled through device settings.
Unless some sort of authentication is configured, a discoverable device is vulnerable to
bluejacking, a sort of spam where someone sends you an unsolicited text (or picture/
video) message or vCard (contact details). This can also be a vector for malware,
as demonstrated by the Obad Android Trojan malware (securelist.com/the-most-sophisticated-android-trojan/35929).
Bluesnarfing refers to using an exploit in Bluetooth to steal information from
someone else's phone. The exploit (now patched) allows attackers to circumvent
the authentication mechanism. Even without an exploit, a short (4 digit) PIN code is
vulnerable to brute force password guessing.
Other significant risks come from the device being connected to. A peripheral device
with malicious firmware can be used to launch highly effective attacks. This type of
risk has a low likelihood, as the resources required to craft such malicious peripherals
are demanding.
Infrared and RFID Connection Methods
Infrared signaling has been used for PAN in the past (IrDA), but the use of infrared in
modern smartphones and wearable technology focuses on two other uses:
•
IR blaster—this allows the device to interact with an IR receiver and operate a device
such as a TV or HVAC monitor as though it were the remote control handset.
•
IR sensor—these are used as proximity sensors (to detect when a smartphone is
being held to the ear, for instance) and to measure health information (such as
heart rate and blood oxygen levels).
Radio Frequency ID (RFID) is a means of encoding information into passive tags,
which can be easily attached to devices, structures, clothing, or almost anything else. A
passive tag can have a range from a few centimeters to a few meters. When a reader
is within range of the tag, it produces an electromagnetic wave that powers up the tag
and allows the reader to collect information from it or to change the values encoded in
the tag. There are also battery-powered active tags that can be read at much greater
distances (hundreds of meters).
One type of RFID attack is skimming, which is where an attacker uses a fraudulent
RFID reader to read the signals from a contactless bank card. Any reader can access
any data stored on any RFID tag, so sensitive information must be protected using
cryptography. It is also possible (in theory) to design RFID tags to inject malicious code
to try to exploit a vulnerability in a reader.
Near Field Communications and Mobile Payment Services
NFC is based on a particular type of radio frequency ID (RFID). NFC sensors and
functionality are now commonly incorporated into smartphones. An NFC chip can
also be used to read passive RFID tags at close range. It can also be used to configure
other types of connections (pairing Bluetooth devices for instance) and for exchanging
information, such as contact cards. An NFC transaction is sometimes known as a bump,
named after an early mobile sharing app, later redeveloped as Android Beam, to use
NFC. The typical use case is in "smart" posters, where the user can tap the tag in the
poster to open a linked web page via the information coded in the tag. Attacks could
be developed using vulnerabilities in handling the tag (securityboulevard.com/2019/10/
nfc-false-tag-vulnerability-cve-2019-9295). It is also possible that there may be some
way to exploit NFC by crafting tags to direct the device browser to a malicious web
page where the attacker could try to exploit any vulnerabilities in the browser.
NFC does not provide encryption, so eavesdropping and man-in-the-middle attacks are
possible if the attacker can find some way of intercepting the communication and the
software services are not encrypting the data.
The widest application of NFC is to make payments via contactless point-of-sale (PoS)
machines. To configure a payment service, the user enters their credit card information
into a mobile wallet app on the device. The wallet app does not transmit the original
credit card information, but a one-time token that is interpreted by the card merchant
and linked back to the relevant customer account. There are three major mobile
wallet apps: Apple Pay, Google Pay (formerly Android Pay), and Samsung Pay.
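The tokenization model described above, as an added simulation that is not code from the guide or from any wallet vendor: the wallet is provisioned with a pool of one-time tokens, only a token and an amount cross the NFC link, and the token service maps each token back to the account exactly once. The class and field names are this example's own assumptions; real schemes pair a persistent device token with a per-transaction cryptogram, which this simulation collapses into the guide's "one-time token".

```python
"""Simulation of mobile-wallet payment tokenization over NFC.

Added example; TokenServiceProvider, MobileWallet and the payload layout are
assumptions made for illustration, not a real payment scheme.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class TapPayload:
    """What crosses the NFC link: a token and an amount, never the card number."""
    token: str
    amount_cents: int


class TokenServiceProvider:
    """Assumed stand-in for the issuer/network token vault."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> primary account number (PAN)
        self._spent: set[str] = set()      # tokens already redeemed

    def enroll(self, pan: str, count: int) -> list[str]:
        """Provision a pool of single-use tokens for a wallet; the PAN stays here."""
        tokens = [secrets.token_hex(16) for _ in range(count)]   # 128 random bits each
        for token in tokens:
            self._vault[token] = pan
        return tokens

    def redeem(self, payload: TapPayload) -> tuple[bool, str]:
        """Acquirer side: map the token back to the account, and only once."""
        token = payload.token
        if token not in self._vault:
            return False, "rejected: unknown token"
        if token in self._spent:
            return False, "rejected: token already used (replay)"
        self._spent.add(token)
        return True, "charged account ending " + self._vault[token][-4:]


class MobileWallet:
    """Holds only the token pool; each tap consumes one token."""

    def __init__(self, tsp: TokenServiceProvider, pan: str, pool_size: int = 5) -> None:
        self._pool = tsp.enroll(pan, pool_size)

    def tap(self, amount_cents: int) -> TapPayload:
        if not self._pool:
            raise RuntimeError("token pool exhausted; wallet must re-provision")
        return TapPayload(self._pool.pop(), amount_cents)


def payload_contains_pan(payload: TapPayload, pan: str) -> bool:
    """What an eavesdropper would learn from the over-the-air payload."""
    return pan in payload.token


def simulate_tap_and_replay(pan: str = "4111111111111111") -> dict:
    """Constructed scenario: one genuine tap, then the same payload presented again."""
    tsp = TokenServiceProvider()
    wallet = MobileWallet(tsp, pan)
    payload = wallet.tap(amount_cents=1250)
    first = tsp.redeem(payload)
    replay = tsp.redeem(payload)
    return {
        "pan_exposed": payload_contains_pan(payload, pan),
        "first_accepted": first[0],
        "replay_accepted": replay[0],
        "detail": first[1],
    }


if __name__ == "__main__":
    print(simulate_tap_and_replay())
```

The simulation makes the guide's point concrete: a captured payload does not contain the card number, and presenting it a second time fails at the token service, so skimming an NFC transaction yields far less than skimming the card itself.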
Despite having a close physical proximity requirement, NFC is vulnerable to several
types of attacks. Certain antenna configurations may be able to pick up the RF signals
emitted by NFC from several feet away, giving an attacker the ability to eavesdrop
from a more comfortable distance. An attacker with a reader may also be able to skim
information from an NFC device in a crowded area, such as a busy train. An attacker
may also be able to corrupt data as it is being transferred through a method similar
to a DoS attack—by flooding the area with an excess of RF signals to interrupt the
transfer.
Skimming a credit or bank card will give the attacker the long card number and expiry date.
Completing fraudulent transactions directly via NFC is much more difficult as the attacker
would have to use a valid merchant account and fraudulent transactions related to that
account would be detected very quickly.
USB Connection Methods
Android devices can be connected to a computer via the USB port. Apple devices
require a lightning-to-USB converter cable. Once attached the computer can access the
device's hard drive, sync or backup apps, and upgrade the firmware.
Some Android USB ports support USB On The Go (OTG) and there are adapters for
iOS devices. USB OTG allows a port to function either as a host or as a device. For
example, a port on a smartphone might operate as a device when connected to a
PC, but as a host when connected to a keyboard or external hard drive. The extra pin
communicates which mode the port is in.
There are various ways in which USB OTG could be abused. Media connected to
the smartphone could host malware. The malware might not be able to affect the
smartphone itself but could be spread between host computers or networks via the
device. It is also possible that a charging plug could act as a Trojan and try to install
apps (referred to as juice-jacking), though modern versions of both iOS and Android
now require authorization before the device will accept the connection.
SMS, MMS, RCS, and Push Notifications
The Short Message Service (SMS) and Multimedia Message Service (MMS) are
operated by the cellular network providers. They allow transmission of text messages
and binary files. Vulnerabilities in SMS and the SS7 signaling protocol that underpins
it have cast doubt on the security of 2-step verification mechanisms (kaspersky.com/
blog/ss7-hacked/25529).
Rich Communication Services (RCS) is designed as a platform-independent advanced
messaging app, with a similar feature set to proprietary apps like WhatsApp and
iMessage. These features include support for video calling, larger binary attachments,
group messaging/calling, and read receipts. RCS is supported by carriers via Universal
Profile for Advanced Messaging (gsma.com/futurenetworks/digest/universal-profile-version-2-0-advanced-rcs-messaging). The main drawbacks of RCS are that carrier
support is patchy (messages fall back to SMS if RCS is not supported) and there is no
end-to-end encryption, at the time of writing (theverge.com/2020/5/27/21271186/
google-rcs-t-mobile-encryption-ccmi-universal-profile).
Vulnerabilities in processing attachments and rich formatting have resulted in DoS
attacks against certain handsets in the past, so it is important to keep devices patched
against known threats.
Push notifications are store services (such as Apple Push Notification Service and
Google Cloud to Device Messaging) that an app or website can use to display an alert
on a mobile device. Users can choose to disable notifications for an app, but otherwise
the app developer can target notifications to some or all users with that app installed.
Developers need to take care to properly secure the account and services used to
send push notifications. There have been examples in the past of these accounts being
hacked and used to send fake communications.
Firmware Over-the-Air Updates
A baseband update modifies the firmware of the radio modem used for cellular, Wi-Fi,
Bluetooth, NFC, and GPS connectivity. The radio firmware in a mobile device contains
an operating system that is separate from the end-user operating system (for example,
Android or iOS). The modem uses its own baseband processor and memory, which
boots a real-time operating system (RTOS). An RTOS is often used for time-sensitive
embedded controllers, of the sort required for the modulation and frequency shifts
that underpin radio-based connectivity.
The procedures for establishing radio connections are complex and require strict
compliance with regulatory certification schemes, so incorporating these functions in
the main OS would make it far harder to bring OS updates to market. Unfortunately,
baseband operating systems have been associated with several vulnerabilities over the
years, so it is imperative to ensure that updates are applied promptly. These updates
are usually pushed to the handset by the device vendor, often as part of OS upgrades.
The updates can be delivered wirelessly, either through a Wi-Fi network or the data
connection, referred to as over-the-air (OTA). A handset that has been jailbroken
or rooted might be able to be configured to prevent baseband updates or apply a
particular version manually, but in the general course of things, there is little reason to
do so.
There are various ways of exploiting vulnerabilities in the way these updates work. A
well-resourced attacker can create an "evil base station" using a Stingray/International
Mobile Subscriber Identity (IMSI) catcher. This will allow the attacker to identify the
location of cell devices operating in the area. In some circumstances it might be
possible to launch a man-in-the-middle attack and abuse the firmware update process
to compromise the phone.
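The defensive counterpart to abusing the update path is a handset that refuses any package it cannot match to the vendor's release data. The following is an added example, not code from any handset vendor's update client: it assumes the device already holds the vendor's manifest for the release (in practice that manifest is signed by the vendor; signature checking is outside this example) and compares the downloaded package against it, rejecting a package altered in transit and a rollback to an older or identical version.

```python
"""Check a baseband (radio firmware) update before applying it.

Added example. BasebandManifest and the helper functions are assumptions made
for illustration; the package bytes in main() are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class BasebandManifest:
    """Assumed vendor manifest: release version and digest of the real package."""
    version: tuple[int, int, int]
    sha256_hex: str


def build_manifest(package: bytes, version: tuple[int, int, int]) -> BasebandManifest:
    """Vendor side: publish the digest of the package that was actually built."""
    return BasebandManifest(version, hashlib.sha256(package).hexdigest())


def verify_baseband_update(package: bytes, manifest: BasebandManifest,
                           installed_version: tuple[int, int, int]) -> tuple[bool, str]:
    """Handset side: accept only an unaltered package that moves the version forward."""
    digest = hashlib.sha256(package).hexdigest()
    # compare_digest keeps the comparison time independent of where a mismatch occurs
    if not hmac.compare_digest(digest, manifest.sha256_hex):
        return False, "rejected: package digest does not match the vendor manifest"
    if manifest.version <= installed_version:
        return False, f"rejected: {manifest.version} is not newer than installed {installed_version}"
    return True, f"accepted: baseband {installed_version} -> {manifest.version}"


if __name__ == "__main__":
    # Constructed sample package; a real one is a multi-megabyte firmware image.
    genuine = b"constructed baseband image 2.1.0"
    manifest = build_manifest(genuine, (2, 1, 0))
    print(verify_baseband_update(genuine, manifest, (2, 0, 3)))
    print(verify_baseband_update(genuine + b"\x00", manifest, (2, 0, 3)))  # altered in transit
    print(verify_baseband_update(genuine, manifest, (2, 1, 0)))            # rollback or re-apply
```

The digest check only helps if the manifest itself cannot be swapped by the same intermediary, which is why vendors sign it and why a device with a tampered trust store (for example, after rooting) loses this protection.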
Microwave Radio Connection Methods
Cellular networks are microwave radio networks provisioned for multiple subscribers.
Microwave radio is also used as a backhaul link from a cell tower to the service
provider's network. These links are important to 5G, where many relays are required
and provisioning fiber optic cabled backhaul can be difficult. Private microwave links
are also used between sites. A microwave link can be provisioned in two modes:
•
Point-to-point (P2P) microwave uses high gain antennas to link two sites. High
gain means that the antenna is highly directional. Each antenna is pointed directly
at the other. In terms of security, this makes it difficult to eavesdrop on the signal,
as an intercepting antenna would have to be positioned within the direct path. The
satellite modems or routers are also normally paired to one another and can use
over-the-air encryption to further mitigate against snooping attacks.
•
Point-to-multipoint (P2M) microwave uses smaller sectoral antennas, each
covering a separate quadrant. Where P2P is between two sites, P2M links multiple
sites or subscriber nodes to a single hub. This can be more cost-efficient in high
density urban areas and requires less radio spectrum. Each subscriber node is
distinguished by multiplexing. Because of the higher risk of signal interception
compared to P2P, it is crucial that links be protected by over-the-air encryption.
Multipoint can be used in other contexts. For example, Bluetooth supports a multipoint
mode. This can be used to connect a headset to multiple sources (a PC and a
smartphone, for instance) simultaneously.