Mobile Device Security For Dummies
Lost or stolen devices are ticking time bombs until they can be deactivated. Unscrupulous folks who have possession of these devices can access your network and assets inside your network. So the exposure is very high.
Most device manufacturers and OS vendors as well as some third-party software vendors offer what is commonly referred to as mobile device management (MDM) capabilities (described in detail in Chapter 5). In the context of lost or stolen devices, this typically entails locating the lost device, wiping out sensitive data from its memory, and preventing it from attaching to the network.
Some tech-savvy users can take matters into their own hands using software like the iPhone’s MobileMe capability to do the locate, wipe, and lock out actions; others can call their service provider, which increasingly offers MDM services as well. You can educate your users about these avenues to keep a lost device from becoming a liability to you.
It may be your employee’s device, but it is your company’s data that it is carrying.
Really off-site data storage
The exploding storage capabilities of mobile devices — which is further augmented by applications that extend storage to the cloud — present a growing possibility of intellectual property and sensitive information being widely downloaded and stored and, more critically, compromised.
The phone in smartphone belies the capabilities of these devices. Your employees frequently download all kinds of enterprise data (spreadsheets, presentations, e-mails, and so on) that are stored in these phones with ever-expanding memory footprints (the amount of memory used by applications). Such use makes these phones an IT asset that needs to be guarded as zealously as servers or other storage devices.
Figure 2-1 shows the amount of memory available in various smartphone models. Multiply these numbers by the number of suspected smartphones in your enterprise, and you can quickly see how much company data could be downloaded onto this mobile storage. It’s enough to give you (as someone tasked to secure data) the heebie-jeebies.
Figure 2-1: Comparison of storage capacity across smart devices.
Free (but not necessarily nice) apps
With the advent of free and nearly free applications available for download for every smartphone, your employees are experimenting with new apps all the time. After all, don’t you?
Almost exclusively, these applications are designed with the consumer in mind. So the fact that cheap and free apps lure your employees into constantly experimenting and downloading these apps to their devices isn’t surprising. And such experimentation results in devices that are constantly morphing and being exposed to potential malware. This situation is quite different from other enterprise devices such as the venerable desktop, or even the laptop, which has a more stable countenance, and therefore affords you a baseline to protect against.
It would behoove you to establish an approved set of application types and versions that could be your baseline for mobile devices. This allows you to evaluate any deviations from this baseline as your users customize their devices.
This is a rapidly changing landscape, and you need to keep abreast with the latest application sets all the time; otherwise, your users will be either very unhappy (because you disallow new apps that are not part of your baseline) or they will be angry (because you’re seemingly ignorant of the newer apps). Either way, you are in serious danger of renegade applications running amok.
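One way to put the approved-baseline idea into practice is to compare each device’s installed-app inventory against the baseline and report every deviation, and to tally the apps that fall outside the baseline across the whole fleet so the most common ones can be reviewed for the next baseline revision. The following is an added example, not code from the book; the baseline entries, app identifiers, version ranges and device inventories are constructed, and a real deployment would feed the inventories from whatever MDM product is in use.

```python
"""Approved-app baseline check for a fleet of mobile devices.

Added illustration, not code from the book. The baseline entries, app
identifiers and device inventories below are constructed; a real deployment
would feed installed-app inventories from whatever MDM product is in use.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically
    ('4.10' sorts after '4.9', which plain string comparison gets wrong)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass(frozen=True)
class BaselineEntry:
    min_version: str                   # oldest approved version
    max_version: Optional[str] = None  # newest approved version; None = no cap
    required: bool = False             # True: device must have it installed


# Constructed baseline: app identifier -> approved version range.
BASELINE: Dict[str, BaselineEntry] = {
    "com.example.mail": BaselineEntry("4.0", "4.9"),
    "com.example.vpn": BaselineEntry("2.1", required=True),
    "com.example.docs": BaselineEntry("1.0", "1.5"),
}


def check_device(installed: Dict[str, str],
                 baseline: Dict[str, BaselineEntry] = BASELINE) -> List[str]:
    """Return the deviations of one device from the baseline.

    installed maps app identifier -> installed version string. Deviations are
    apps outside the baseline, approved apps at an unapproved version, and
    required apps that are missing."""
    deviations: List[str] = []
    for app, version in sorted(installed.items()):
        entry = baseline.get(app)
        if entry is None:
            deviations.append(f"{app} {version}: not in approved baseline")
            continue
        v = parse_version(version)
        if v < parse_version(entry.min_version):
            deviations.append(
                f"{app} {version}: below approved minimum {entry.min_version}")
        elif entry.max_version and v > parse_version(entry.max_version):
            deviations.append(
                f"{app} {version}: above approved maximum {entry.max_version}")
    for app, entry in sorted(baseline.items()):
        if entry.required and app not in installed:
            deviations.append(f"{app}: required app missing")
    return deviations


def unapproved_app_counts(fleet: Dict[str, Dict[str, str]],
                          baseline: Dict[str, BaselineEntry] = BASELINE) -> Counter:
    """Tally apps outside the baseline across the fleet. The most common ones
    are the candidates to review for the next baseline revision, which is how
    the baseline keeps up with what users actually install."""
    counts: Counter = Counter()
    for installed in fleet.values():
        counts.update(app for app in installed if app not in baseline)
    return counts


# Constructed inventories for two devices, as an MDM export might report them.
FLEET: Dict[str, Dict[str, str]] = {
    "ceo-iphone": {"com.example.mail": "4.3", "com.example.vpn": "2.0",
                   "com.example.game": "1.0"},
    "sales-android": {"com.example.mail": "4.10", "com.example.game": "1.2",
                      "com.example.wallpaper": "0.9"},
}

if __name__ == "__main__":
    for device, installed in FLEET.items():
        print(device, check_device(installed))
    print(unapproved_app_counts(FLEET).most_common())
```

The version comparison is numeric on purpose: comparing version strings lexically would let “4.10” pass as older than “4.9”. Required apps (here the VPN client) are reported when missing, because an absent control is as much a deviation as an unapproved app.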
Network access outside of your control
By their nature, mobile devices connect wirelessly to available networks, most of which are outside your company’s control. The proliferation of wireless interfaces means an ever-increasing attack surface that can be used to compromise mobile devices.
Smartphones have a variety of radio interfaces to cater to the always-on connectivity that users demand, as well as the need to use the smartphone as a hub to connect to accessories, such as a stereo headset, GPS Bluetooth receiver, Wi-Fi hotspot, and so on. While these interfaces enhance the user’s experience, they also expose your company to yet another attack vector that the bad guys are waiting to exploit. (An attack vector is a mechanism that is used by the attacker to gain access to a critical resource in order to deliver malware or compromise the entity.) Radio interfaces are a problem, not a feature. So again you’re faced with the dilemma of how to rein in the device manufacturers who keep cramming in more and more radio interfaces, which your users eagerly lap up, exposing their smartphones to risk on a continual basis. Figure 2-2 shows the multitude of radio interfaces on today’s mobile devices, each one further exposing the device to potential attacks.
Figure 2-2: Some of the radio interfaces on the smartphones today.
It is only a matter of time before mobile devices become multihomed, meaning they are connected to multiple wireless interfaces simultaneously. Therefore, you need to be aware of and protect against all of these interfaces simultaneously. Chapter 10 goes into detail about what tools you can use to protect devices against these attacks.
Understanding the Risks
Now that you’ve explored the characteristics of a mobile device and its implication on security, it is time to delve deeper into the risks you face from a compromised mobile device.
Opening the door to hackers
First, we examine in some detail how these mobile devices can get compromised to begin with.
The get out of jail card
Given that the primary focus (so far) has been the younger generation, who tend to spend more on mobile gadgets and renew devices faster, it isn’t surprising that ease of use trumps everything else. Nowhere is this more evident than the website that goes by the illustrative name of JailbreakMe 2.0 (www.jailbreakme.com).
Jailbreaking is the term used for hacking into one’s device and freeing it from the controls imposed by the device manufacturer. While jailbreaking phones is nothing new, the website JailbreakMe 2.0 is interesting because it succeeds in opening up the phone with the user simply visiting the website, as shown in Figure 2-3. There are no special loaders, no rebooting the phone into recovery mode, and no connecting the device to a computer. Users just visit the site on their iPhone, iPad, or iPod touch, confirm that they want to jailbreak the device, and then sit back and wait. This is convenient for users who want to jailbreak their phone.
Figure 2-3: Jailbreak with an easy slide.
Note that jailbreaking is different from unlocking a phone, which essentially frees it from the carrier’s controls and allows a user to connect to another carrier’s network. Jailbreaking, on the other hand, frees the device from the controls of the device manufacturer and allows the user to download unvetted (by Apple) applications.
Unfortunately, the ease with which a user can jailbreak a phone through a site like JailbreakMe is also very convenient for an attacker. The ability to cause code to be executed on a device with high privilege simply by visiting a website is the very essence of a drive-by attack. The JailbreakMe website kindly asks the user to confirm that his device should be broken, but an attacker is unlikely to be so gracious. The fact that these devices can be opened up so easily represents a serious security flaw.
Some reasons for jailbreaking include a user wanting to choose what applications can be installed (and uninstalled), which carrier’s SIMs the phone can support, and what administrative settings can be imposed on the device. With the recent ruling by the U.S. Library of Congress that jailbreaking is legal (July 2010), the legion of users who will experiment with jailbreaking will only increase.
The Digital Millennium Copyright Act is a U.S. copyright law that criminalizes the production and dissemination of technology and services that circumvent measures protecting copyrighted works. However, the U.S. Library of Congress decided to add exemptions to this act, specifically “that Americans are within their rights to modify, remove or replace software on their mobile devices.” What this means is that your users are well within their legal rights to jailbreak.
So what went wrong? How did the perpetrators break through the impregnable walls of the much-lauded iOS and iPhone? Well, it seems that the attackers are exploiting at least two security vulnerabilities:
Heap overflow bug: The attack makes use of a classic heap overflow bug in the Type1 font decoding of Apple’s PDF viewer. The attack payload consists of a PDF containing a malformed font that exploits the bug and executes code in the Safari browser’s memory space. Once code is running in the browser’s space, it then has to break out of the sandbox.
A sandbox in this context refers to an isolated application environment that prevents one application from encroaching on another application’s environment. It is a commonly used technique to provide compartmentalization leading to better security.
IOSurface library bug: As far as we can tell, the attacker breaks out of the sandbox by exploiting another bug, this time in the IOSurface library that handles various types of video and OpenGL rendering onto the screen. A set of parameters is passed to IOSurface with values that look suspiciously like ARM machine code instructions, along with various values that look like they’re designed to trigger heap overflows. Because the IOSurface code has direct access to hardware, it has to run outside the sandbox. Therefore, by triggering the execution of attack code from within this library, the attacker can break out of the sandbox and control the whole phone.
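The heap overflow described above is, at bottom, a decoder that trusted a length field in attacker-supplied data and copied more bytes than the destination buffer could hold. The following is an added example, not code from the book and not Apple’s decoder; it is not a real Type1 font parser either. The record format (a big-endian count followed by length-prefixed glyph records) and the 64-byte buffer capacity are constructed for illustration. The point it demonstrates is the check that such a decoder must make: every declared length is validated against both the remaining input and the capacity of the buffer it will be copied into before any copy happens. In Python a bad length produces an exception; in a C decoder that skips the check, the same input overruns a fixed heap allocation.

```python
"""Length-validated record decoder: a Python sketch of the check that a
heap-overflowing font decoder lacks.

Added illustration, not Apple's code and not a real Type1 parser. Record
format (constructed): [count:u16][(len:u16, payload) x count], big-endian.
"""
import struct
from typing import List

MAX_GLYPH_BYTES = 64  # capacity of the per-glyph decode buffer (constructed)


class MalformedFont(ValueError):
    """Raised for any record that fails a length check."""


def decode_glyph_records(data: bytes,
                         max_glyph_bytes: int = MAX_GLYPH_BYTES) -> List[bytes]:
    """Decode all glyph records, rejecting any whose declared length does not
    fit the destination buffer or the remaining input."""
    if len(data) < 2:
        raise MalformedFont("truncated header")
    (count,) = struct.unpack_from(">H", data, 0)
    off = 2
    glyphs: List[bytes] = []
    for i in range(count):
        if off + 2 > len(data):
            raise MalformedFont(f"glyph {i}: truncated length field")
        (n,) = struct.unpack_from(">H", data, off)
        off += 2
        # Check 1: the declared length must fit the destination buffer.
        if n > max_glyph_bytes:
            raise MalformedFont(
                f"glyph {i}: declared length {n} exceeds buffer capacity "
                f"{max_glyph_bytes}")
        # Check 2: the declared length must not run past the end of the input.
        if off + n > len(data):
            raise MalformedFont(
                f"glyph {i}: declared length {n} runs past end of input")
        glyphs.append(data[off:off + n])  # copy happens only after both checks
        off += n
    if off != len(data):
        raise MalformedFont("trailing bytes after last record")
    return glyphs


def build_font(glyphs: List[bytes]) -> bytes:
    """Encode well-formed records; used here only to construct sample input."""
    out = struct.pack(">H", len(glyphs))
    for g in glyphs:
        out += struct.pack(">H", len(g)) + g
    return out


def is_well_formed(data: bytes) -> bool:
    """True if every record passes the length checks."""
    try:
        decode_glyph_records(data)
    except MalformedFont:
        return False
    return True


# Constructed samples.
GOOD_FONT = build_font([b"\x01\x02\x03", b"\x04"])
# Declared length 4096 with only 16 bytes of payload: the length field lies.
OVERSIZED_FONT = struct.pack(">HH", 1, 4096) + b"A" * 16
# Declared length 40 fits the buffer but not the input that follows it.
TRUNCATED_FONT = struct.pack(">HH", 1, 40) + b"A" * 10

if __name__ == "__main__":
    print(decode_glyph_records(GOOD_FONT))
    for name, sample in (("oversized", OVERSIZED_FONT),
                         ("truncated", TRUNCATED_FONT)):
        try:
            decode_glyph_records(sample)
        except MalformedFont as e:
            print(name, "rejected:", e)
```

Both checks are needed: a length that fits the buffer can still run past the end of the input, and a length that stays inside the input can still exceed the buffer. The second case is the one that corrupts the heap in a native decoder.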
If a highly regulated entity like Apple, which thoroughly vets both its in-house products and third-party products, can be subject to this kind of subversive attack, imagine what a more “open” operating system like Android can be subject to. By the time you read this, there are likely to be many breaches and patches.
App (did we say malicious?) Store
At the highly regarded Black Hat DC 2010 conference (a premier security event about security breaches and vulnerabilities in hardware and software), the principals of the App Genome project (which focuses on the Android platform) revealed some disturbing facts. They found a series of wallpaper applications that gathered seemingly unnecessary data — a device’s phone number, International Mobile Subscriber Identifier (IMSI), and the currently entered voice mail on the phone number. And here is the kicker: The apps were transmitting this data unencrypted to a server.
Would you feel compromised if your employees’ information could not only be accessed by a seemingly innocuous application but also shared with some untrusted third party?
Another recent development in app security breaches was on the App Store for iPhone. A rogue application developer figured out a way of hacking into other members’ iTunes accounts and initiating fraudulent purchases of all of his apps. At one point, his applications accounted for 42 of the top 50 apps on the App Store.
Writing malware for a mobile phone
Lest you be lulled into believing that it takes a PhD to write malware for the mobile phone, let us blow that fallacy away. An experiment conducted by BBC News along with security firm Veracode involved creating a crude game for a smartphone that also spied on the handset. It wasn’t hard to do. In fact, the application was built using standard parts from the software toolkits that developers use to create programs for handsets, which also makes these malicious programs hard to identify because they use the same building blocks as benign programs.
What’s worse, creating the program took only a couple of weeks. The program included a crude game that surreptitiously gathered contacts, copied text messages, logged the phone’s location, and sent all the information to a specially set up e-mail address — all built from standard library functions that legitimate programs use.
Compromising your business communications
Next we move on to security issues that prevail upon the very lifeline of enterprises: communication (voice, data, text, instant messaging, and so on).
Electronic eavesdropping
Societal decorum forces us to talk in suppressed tones while using our smartphones and devices in public places, often because we don’t like to be eavesdropped upon.
But the same cannot be said of electronic eavesdropping, which is easily achieved with the tools available today. It’s the easiest way for your employees’ devices to be compromised. When users inadvertently download an infected application, malicious spy software can be surreptitiously installed to collect data and voice, and forward it to a rogue server that can then analyze the sensitivity of the information and decide how best to use this proprietary data.
The regulatory environment that you are in can vary based on geography and industry, so be aware both of what it takes to secure your communication channels against eavesdropping and of the fallout if a communication channel is breached by a malicious third party.
SMS (also known as texting) — it can be hacked
The number one application for users and mobile operators worldwide is SMS (short message service) — that is, text messaging. The popularity of this simple yet effective service is really remarkable, and Figure 2-4 indicates that the top application among U.S. adults really is SMS.
Couple the popularity of SMS with the explosive growth in the U.S. (see Figure 2-5), and it becomes apparent that SMS is a great magnet for someone with mal-intent wanting to take advantage by eavesdropping.
Although traditional SMS uses GSM encryption that has been cracked only in university research labs and is relatively secure, there are increasing indications that this veneer of security around SMS is starting to crack. (See Chapter 10 for more on GSM encryption.) Turning a phone into a surveillance gadget that captures text messages is possible. One way to do this is phone cloning, which allows somebody to impersonate others’ phones and masquerade as the original. This obviously works with only one phone at a time, but you can imagine your fate if that one phone happens to be the CEO’s, or yours for that matter. For the hackers who are interested in casting a wider net, there are ways to load illegal firmware onto one’s device so that it can listen in on multiple radio channels to pick up text messages that are sent from other devices that are using the same channels.
Figure 2-4: U.S. adult mobile application usage.
Figure 2-5: U.S. SMS users growth from 2005–2010.
Endangering corporate data
Shifting gears, we now focus on where your intellectual property may actually be doing the rounds. Given that users have access to corporate data across a variety of mobile devices, keeping tabs on where this data resides at all times is crucial. And any vulnerability or attack on the mobile devices inherently endangers the corporate data. The following sections look at the different ways that this data could be compromised.
Mobile data on the move
If you compare the specifications of the four top smartphones, as detailed in Table 2-1, the statistic that jumps out is that they compete along the dimensions of processor speed, size of display, camera resolution, memory size, and creating a roaming hotspot.
This is a big problem for you. Imagine having your employees walking around with hotspots in their pockets, carrying sensitive enterprise data. The Invasion of the Devices is now faster, bigger, fatter, and better.
The highly consumer-focused view of the world results in devices that are flashy, are user-friendly, sport gorgeous displays, and have large amounts of memory but very little in terms of features that you as an IT professional might care about, such as hardware encryption, built-in locators, remote wipeout, and lockdown capabilities.
Server resident data
One trend that has significant ramifications for your employees’ data is the storage of content on servers operated by content and service providers. The applications that your employees download are increasingly augmenting the storage that is available on the device by using a server extension. It’s a convenient way to provide a backup for the device itself. But imagine the scenario in which your employees are downloading sensitive corporate data to their devices, and this information is then periodically synchronized with the servers in the service provider’s domain. This situation not only violates all of your typical enterprise security policies but also lends itself to potential compromise of the data in the cloud that could come back to bite you. Figure 2-6 shows four popular cloud storage apps for the iPhone, highlighting the ease of use of these cloud storage apps, which means nothing but migraines for you.
Cloud, in this context, refers to cloud storage, which is an online-hosted storage service provided by third parties to augment or replace any local storage that you may host.
Figure 2-6: iPhone cloud storage apps.
There was a well-publicized incident involving the T-Mobile account of a celebrity’s Sidekick device wherein all of this person’s address book data, photos, e-mail, and voice mail maintained in the cloud was compromised. Unauthorized users gained access to this information and had a field day propagating it. While this event was limited to one celebrity’s personal trauma, imagine if this were a high-profile employee of your company and the same breach were to occur.
Reckless user experimentation
Jailbreaking, as described earlier in this chapter, is the term used for hacking into a device and freeing it from the controls imposed by the device manufacturer.
While jailbreaking certainly is welcome news to freedom-loving users who are glad to be rid of the shackles imposed by their device vendors and carriers alike, make note that it brings forth a brand-new set of headaches for you. For instance, the typical jailbroken iPhone has the SSH server running by default, and worse still, has the default password of alpine. Now it doesn’t take a genius to launch a probe at a hotspot or other commercial establishment for jailbroken iPhones and ssh into the device and wreak havoc. In fact, one of the earliest exploits of this was a Dutch hacker who did exactly that and left the hapless user with a screen similar to Figure 2-7.