Cloud Security Alliance
Top Threats to Mobile Computing
July 2012

CLOUD SECURITY ALLIANCE Top Threats to Mobile Computing

SECTION 1: TABLE OF CONTENTS

SECTION 1: TABLE OF CONTENTS
SECTION 2: CLOUD SECURITY ALLIANCE TOP THREATS TO MOBILE COMPUTING
2.1 Introduction
2.2 Project Timeline
2.3 Candidate List 4
2.4 Evil 8: Top Threats to Mobile
2.4.1 Insecure or Rogue Marketplaces
2.4.2 Data Loss from Stolen, Lost, or Decommissioned Devices
2.4.3 Information Stealing Malware
2.4.4 Insecure WIFI / Network Access / Rogue Access Points
2.4.5 Insufficient Access to APIs, Management Tools, and Multi-Personas
2.4.6 Data Loss / Data Leaking Through Poorly Written Applications
2.4.7 Vulnerabilities in Hardware, OS, Applications, 3rd-Party Apps
2.4.8 NFC / Proximity-Based Hacking

© Copyright 2012 Cloud Security Alliance. All rights reserved.

SECTION 2: CLOUD SECURITY ALLIANCE TOP THREATS TO MOBILE COMPUTING

2.1 Introduction

The Cloud Security Alliance (CSA) has a working group dedicated to tracking and reporting on the top threats to the cloud; that project is currently working on revision 3. While version 3 was being discussed, many of the cases raised concerned the use and integration of mobile devices into the cloud, and CSA subsequently created a new working group on mobility. Because mobile devices are being adopted so rapidly and are connected directly to cloud computing, we felt it relevant to produce a "Top Threats to Mobility" alongside the current "Top Threats to the Cloud."

For this version we restrict the scope to Internet-connected devices that predominantly connect over cellular access networks such as 3G and 4G; in practice this means smartphones and tablets. We made a conscious decision not to include laptops with cellular access, Chromebooks, or similar devices; this may change in the future. The audience is information security professionals.
2.2 Project Timeline

March 1: Project launch
April: Working group call for volunteers
May: Basecamp forum discussions
May 15: Version 1 draft request for comments
June 1: Version 2 draft
July 1: Final presentation due
July 15: Survey released
July 28: Black Hat public launch

2.3 Candidate List 4

Data loss from lost, stolen, or decommissioned devices
Insecure or rogue marketplaces
Information-stealing mobile malware
Rogue access points
Insecure Wi-Fi and network access
Digital wallet attacks
Insufficient management tools, capabilities, and access to APIs
Data loss / data leakage through 3rd-party apps
Eavesdropping due to lack of encryption
Weak authentication protocols
Vulnerabilities within devices, OS, design, 3rd-party applications
Poorly written applications that do not properly secure critical data
Lack of persona controls, which may lead to data leakage, misconfiguration, or privileged access
Compromise of marketplace(s) resulting in mass infection
Network bridging that circumvents policy and security

The candidates were then ranked. The number in parentheses is the rank assigned; candidates sharing a number were merged into a single threat, and "drop" marks a candidate that was removed:

Data loss from lost, stolen, or decommissioned devices (1)
Insecure or rogue marketplaces (2)
Information-stealing mobile malware (3)
Rogue access points (4)
Insecure Wi-Fi and network access (4)
Digital wallet attacks (5)
Insufficient management tools, capabilities, and access to APIs (6)
Data loss / data leakage through 3rd-party apps (7)
Eavesdropping due to lack of encryption (4)
Weak authentication protocols (8)
Vulnerabilities within devices, OS, design, 3rd-party applications (9)
Poorly written applications that do not properly secure critical data (7)
Lack of persona controls, which may lead to data leakage, misconfiguration, or privileged access (10)
Compromise of marketplace(s) resulting in mass infection (drop)
Network bridging that circumvents policy and security (11, or perhaps 4)

2.4 Evil 8: Top Threats to Mobile

Insecure or rogue marketplaces
Data loss from lost, stolen, or decommissioned devices
Information-stealing mobile malware
Insecure Wi-Fi, network access, and rogue access points
Insufficient management tools, capabilities, and access to APIs (includes personas)
Data loss / data leakage through poorly written 3rd-party apps
NFC and proximity-based hacking
Vulnerabilities within devices, OS, design, 3rd-party applications

2.4.1 Insecure or Rogue Marketplaces

2.4.1.1 Overview of Threat

Android devices in particular offer many ways to download and install applications. Unlike Apple devices, which must be jailbroken before apps from outside the App Store can be installed, Android devices can simply be set to install apps from third-party marketplaces other than the official one supplied by Google. To date, the majority of malicious code for Android has been distributed through these third-party app stores, predominantly in Asia. There have also been illegitimate sites that look like app stores but are not.
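The practical question behind this threat is whether a copy of an app obtained outside the official store is the same package the developer published. The Python script below is an added example, not part of the CSA document: it builds two constructed in-memory APKs (an "official" copy and a sideloaded copy with an extra DEX file, a changed manifest and re-signed META-INF files) and diffs them. The package name, file contents and signature bytes are invented stand-ins. In a real APK the META-INF/*.RSA (or .DSA/.EC) file holds the developer's PKCS#7 signature, which a repackager cannot reproduce without the developer's key, so any difference there means the app was re-signed by someone else.

```python
"""Diff an app pulled from a third-party marketplace against the official copy.

An APK is a ZIP archive. A repackaged (trojanized) copy shows up as added or
modified entries and, because a third party cannot sign with the original
developer's key, as a different signature block under META-INF/.
"""
import io
import zipfile

# Signature-block files of the JAR (v1) signing scheme used by APKs.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")


def build_apk(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}.

    Used only to construct sample APKs for this example; the contents are
    stand-ins, not real DEX code or real signatures.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _entry_table(apk: bytes) -> dict:
    """Map entry name -> (CRC32, uncompressed size) for every file in the APK."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {i.filename: (i.CRC, i.file_size) for i in zf.infolist()}


def diff_apks(official: bytes, suspect: bytes) -> dict:
    """Report how `suspect` differs from `official` (same app, same version)."""
    ref, sus = _entry_table(official), _entry_table(suspect)
    added = sorted(set(sus) - set(ref))
    removed = sorted(set(ref) - set(sus))
    modified = sorted(n for n in set(ref) & set(sus) if ref[n] != sus[n])
    # Any change to a signature-block file means the package was re-signed.
    resigned = any(
        n.upper().startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)
        for n in added + removed + modified
    )
    return {"added": added, "removed": removed, "modified": modified, "resigned": resigned}


def is_repackaged(official: bytes, suspect: bytes) -> bool:
    d = diff_apks(official, suspect)
    return d["resigned"] or bool(d["added"] or d["removed"] or d["modified"])


# Constructed sample: the developer's build as published in the official store.
OFFICIAL_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.game'/>",
    "classes.dex": b"dex\n035\x00official-code",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: classes.dex\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n<digests over MANIFEST.MF>",
    "META-INF/CERT.RSA": b"<developer's PKCS#7 signature>",
})

# Constructed sample: the same app from a third-party store. An SMS-stealing
# component was bolted on, the manifest was edited to register it, and the
# package was re-signed with the repackager's own key.
SIDELOADED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.game'/><!-- receiver added -->",
    "classes.dex": b"dex\n035\x00official-code",
    "classes2.dex": b"dex\n035\x00sms-stealer",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: classes.dex\nName: classes2.dex\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n<regenerated digests>",
    "META-INF/CERT.RSA": b"<repackager's PKCS#7 signature>",
})

if __name__ == "__main__":
    print(diff_apks(OFFICIAL_APK, SIDELOADED_APK))
    print("repackaged:", is_repackaged(OFFICIAL_APK, SIDELOADED_APK))
```

In practice the reference copy is the APK of the same version obtained from the official store, and the signature-file comparison is the decisive test: added or changed code can be hidden in many ways, but a third party cannot produce the developer's signature.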
2.4.1.2 Threat Example

TigerBot is a bot designed to gather confidential data from the phone; once installed it is controlled over SMS. It has been found on several marketplaces in Asia.

2.4.1.3 Threat Level

High: Android malware in particular is being distributed through these marketplaces with increasing frequency.

2.4.2 Data Loss from Stolen, Lost, or Decommissioned Devices

2.4.2.1 Overview of Threat

Mobile devices go wherever we go and are becoming more powerful and capable over time. They are therefore easy to lose, and easy to have taken without the owner noticing until it is too late. A weak passcode or none at all, combined with little or no encryption, means the data on a lost device can be read by whoever finds it. Users also sell or throw away devices without understanding that the data on them can be recovered.

2.4.2.2 Threat Example

In one study of lost smartphones:

1. 96 percent of the lost devices were accessed by the people who found them;
2. 89 percent were accessed for personal apps and information;
3. 83 percent were accessed for corporate apps and information;
4. 70 percent were accessed for both business and personal apps and information;
5. 50 percent of the finders contacted the owner and provided contact information.

2.4.2.3 Threat Level

This happens frequently and is a top concern for executives and IT administrators alike.

2.4.3 Information Stealing Malware

2.4.3.1 Overview of Threat

Information-stealing malware reaches Android devices mainly by the route described in 2.4.1: third-party marketplaces, predominantly in Asia, and illegitimate sites posing as app stores, from which Android users can install without jailbreaking the device. Once installed, the malware harvests data from the device and sends it to the attacker.

2.4.3.2 Threat Example

One of the most prevalent pieces of malicious code for Android is "Zitmo" (Zeus-in-the-mobile), a mobile counterpart of the Zeus banking malware. It is designed to steal information from the device; in particular it forwards incoming SMS messages, including the one-time transaction codes banks send by text, to the attacker.

2.4.3.3 Threat Level

High: Android is becoming a more popular target for criminals who have traditionally worked on PCs.

2.4.4 Insecure WIFI / Network Access / Rogue Access Points

2.4.4.1 Overview of Threat

Insecure Wi-Fi has been around for years. As more users go mobile and data plans become more limited, users will increasingly use Wi-Fi in public locations, and the number of locations offering Wi-Fi, free Wi-Fi in particular, has exploded over the last few years. This enlarges the attack surface for everyone who connects: on a shared network without link-layer encryption, anything the device sends in the clear can be read by other users of that network. Over the last year there have been hotel hacks, rogue open access points, and eavesdropping cases.

2.4.4.2 Threat Example

Firesheep, hotel hacks, airport hacks, and the like. Firesheep was a Firefox extension that listened on a shared network for the session cookies popular sites sent over unencrypted HTTP and let its user hijack those sessions with one click.

2.4.4.3 Threat Level

High: Firesheep was a perfect example of how easily one can gain access to data over public, unsecured Wi-Fi.

2.4.5 Insufficient Access to APIs, Management Tools, and Multi-Personas

2.4.5.1 Overview of Threat

Giving users and developers access to low-level device functions is a double-edged sword, since attackers could in theory obtain the same access. But denying trusted developers access to system-level functions can also leave security insufficient. In addition, most smartphone and tablet operating systems today offer little if any guest access or notion of separate users.
Everything therefore runs in the context of the device's single, fully privileged user, which is more access than most usage needs.

2.4.5.2 Threat Example

An anti-virus vendor may lack the ability to inspect running programs in memory for real-time protection, so malicious code runs unimpeded. Likewise, a user who simply leaves the phone unlocked gives anyone who picks it up the ability to read and modify everything on it, configuration settings included.

2.4.5.3 Threat Level

Medium

2.4.6 Data Loss / Data Leaking Through Poorly Written Applications

2.4.6.1 Overview of Threat

The number of applications for smartphones and tablets has grown exponentially on iOS and Android. Although the main marketplaces have security checks, at this volume review is a numbers game, and whether a particular feature is acceptable is often a judgment call. All too often applications ask for more access to data than they need, or gather more data than they need or than they advertise.

2.4.6.2 Threat Example

LinkedIn recently came under fire over the access its iPad app took to users' calendar data.

2.4.6.3 Threat Level

Medium: although this can and has happened on both iOS and Android devices, the numbers have been small, and high-profile cases are prompting more checks and more caution from developers and app stores alike.

2.4.7 Vulnerabilities in Hardware, OS, Applications, 3rd-Party Apps

2.4.7.1 Overview of Threat

Mobile hardware, operating systems, applications and third-party apps contain defects (vulnerabilities) that can be used to exfiltrate data and to inject data or malicious code (exploits).

2.4.7.2 Threat Example

Exponential growth in mobile malware; hardware that sends data back to the manufacturer; and weak coding techniques that criminals can easily exploit, found in third-party apps and most likely in first-party applications too: unsafe storage or transmission of sensitive data, hardcoded passwords and keys, and data leakage.

2.4.7.3 Threat Level

Medium: the potential impact is high, but the number of exploits seen in the wild is still low.

2.4.8 NFC / Proximity-Based Hacking

2.4.8.1 Overview of Threat

Near field communication (NFC) is being built directly into phones, predominantly as a means of payment. Given the value of the information being transmitted, it is likely to become a target for attackers.

2.4.8.2 Threat Example

"Drive-by payment": an attacker who gets physically close enough to the phone to be within NFC range collects a payment from the digital wallet on it without the owner's involvement.

2.4.8.3 Threat Level

Low: still proof of concept.
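For the Firesheep case in 2.4.4, what the attacker needs is a session cookie that the site accepts over plain HTTP. The Python script below is an added example, not from the CSA document: it runs over a constructed plaintext HTTP exchange (invented hostname and token values) of the kind a sniffer on an open hotspot sees, reports the session cookie that was exposed, checks each Set-Cookie for the Secure and HttpOnly attributes, checks whether the server sends a Strict-Transport-Security header, and produces the hardened header the site should have sent. The name heuristic for what counts as a session cookie is an assumption of the example.

```python
"""Audit captured plaintext HTTP for replayable session cookies.

Firesheep worked because sites set their session cookie over HTTPS at login
but then accepted it over plain HTTP for the rest of the session; anyone on
the same open Wi-Fi could read the Cookie header and replay it.
"""
import re

# Heuristic (an assumption of this example) for cookie names that carry a session.
SESSION_NAME = re.compile(r"sess|sid|auth|token|login", re.I)

# Constructed sample capture (invented host and token values, not a real capture):
# one request and its response, both carried over plain HTTP on an open hotspot.
CAPTURE = """GET /inbox HTTP/1.1
Host: webmail.example.test
Cookie: sessionid=8f3a9c1d2e4b77a0; lang=en

HTTP/1.1 200 OK
Set-Cookie: sessionid=8f3a9c1d2e4b77a0; Path=/
Set-Cookie: lang=en; Path=/
Content-Type: text/html
"""


def parse_messages(capture: str):
    """Split a capture into messages: (start line, [(header name, value), ...])."""
    messages = []
    for block in capture.strip().split("\n\n"):
        lines = block.splitlines()
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
        messages.append((lines[0], headers))
    return messages


def cookies_sent_in_clear(capture: str):
    """Session-looking cookie names a sniffer sees in request Cookie headers."""
    exposed = []
    for start, headers in parse_messages(capture):
        if start.startswith("HTTP/"):
            continue  # a response, not a request
        for name, value in headers:
            if name == "cookie":
                for pair in value.split(";"):
                    cname = pair.split("=", 1)[0].strip()
                    if SESSION_NAME.search(cname):
                        exposed.append(cname)
    return exposed


def set_cookie_findings(capture: str):
    """For each Set-Cookie in a response, the protections it lacks."""
    findings = {}
    for start, headers in parse_messages(capture):
        if not start.startswith("HTTP/"):
            continue
        for name, value in headers:
            if name == "set-cookie":
                parts = [p.strip() for p in value.split(";")]
                cname = parts[0].split("=", 1)[0]
                attrs = {p.lower() for p in parts[1:]}
                findings[cname] = [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]
    return findings


def hsts_present(capture: str) -> bool:
    """True if any response carries Strict-Transport-Security (only meaningful over HTTPS)."""
    return any(
        name == "strict-transport-security"
        for start, headers in parse_messages(capture) if start.startswith("HTTP/")
        for name, _ in headers
    )


def hardened_set_cookie(name: str, value: str) -> str:
    """What the site should send: cookie only over TLS and not readable by script."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    print("exposed:", cookies_sent_in_clear(CAPTURE))
    print("missing attributes:", set_cookie_findings(CAPTURE))
    print("HSTS:", hsts_present(CAPTURE))
    print(hardened_set_cookie("sessionid", "<new value>"))
```

The Secure attribute stops the browser from ever sending the cookie over plain HTTP, HttpOnly keeps script from reading it, and Strict-Transport-Security on the HTTPS response stops the browser from making plain-HTTP requests to the site at all; together they remove what Firesheep relied on.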
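For the over-privileged apps of 2.4.6 and the weak coding techniques listed under 2.4.7, the Python script below is an added example (not the CSA's or any vendor's tool) of the static review a practitioner can run on an app build before allowing it onto managed devices. It audits a constructed Android manifest for a flashlight app against an allowlist of permissions the app's purpose justifies, and scans a constructed Java source fragment for hardcoded secrets, cleartext http:// endpoints, world-readable storage, and logging of sensitive values. The package name, class, key value and the allowlist are invented for the example, and the patterns are simple line matchers, not a full parser.

```python
"""Pre-deployment static review of a mobile app build.

1. Permission audit: compare what the manifest requests with what the app's
   stated purpose justifies (over-collection, 2.4.6).
2. Weak coding patterns: hardcoded secrets, cleartext transport,
   world-readable storage, logging of sensitive values (2.4.7).
"""
import re

# Constructed sample manifest for a flashlight app (invented package name).
MANIFEST = """<manifest package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample source (invented class and key value).
SOURCE = """
public class Sync {
    private static final String API_KEY = "AKIAEXAMPLEKEY1234567890";
    private static final String ENDPOINT = "http://api.example.test/upload";
    void save(Context c, String token) {
        SharedPreferences p = c.getSharedPreferences("auth", Context.MODE_WORLD_READABLE);
        p.edit().putString("token", token).commit();
        Log.d("Sync", "token=" + token);
    }
}
"""

# Assumed allowlist: a flashlight only needs the camera (for the LED).
TORCH_ALLOWED = {"android.permission.CAMERA"}

PERMISSION_RE = re.compile(r'<uses-permission\s+android:name="([^"]+)"')

# (finding label, line pattern)
WEAK_PATTERNS = [
    ("hardcoded secret", re.compile(r'(?i)(api[_-]?key|secret|password|passwd)\s*=\s*"[^"]{8,}"')),
    ("cleartext transport", re.compile(r'"http://')),
    ("world-readable storage", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    ("sensitive value logged", re.compile(r"Log\.[dviwe]\(.*(token|password|secret)", re.I)),
]


def requested_permissions(manifest: str):
    return PERMISSION_RE.findall(manifest)


def excess_permissions(manifest: str, allowed):
    """Permissions requested beyond what the app's purpose justifies."""
    return sorted(set(requested_permissions(manifest)) - set(allowed))


def weak_coding_findings(source: str):
    """(line number, label, line text) for every weak-pattern hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pattern in WEAK_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings


def review(manifest: str, source: str, allowed) -> dict:
    perms = excess_permissions(manifest, allowed)
    code = weak_coding_findings(source)
    return {"excess_permissions": perms, "weak_code": code,
            "verdict": "reject" if perms or code else "accept"}


if __name__ == "__main__":
    result = review(MANIFEST, SOURCE, TORCH_ALLOWED)
    for perm in result["excess_permissions"]:
        print("excess permission:", perm)
    for lineno, label, text in result["weak_code"]:
        print(f"line {lineno}: {label}: {text}")
    print("verdict:", result["verdict"])
```

The permission allowlist has to come from the app's stated purpose, which is the judgment call the marketplaces struggle to make at scale; the source patterns are the cheap first pass and should be followed by a look at what the app actually sends over the network.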