
Mobile Security and the new generation of security threats

BSides Charleston · 2018 · 27:27 · 43 views · Published 2018-11 · Watch on YouTube
Category: Technical
Style: Talk

About this talk
Security BSides 2018, College of Charleston, SC, November 10, 2018, @BSidesCHS
Title: "Mobile Security and the new generation of security threats"
Speaker: Scot Kight
Transcript [en]

Thank you for joining me here today. I'm going to talk about something that in most cases people don't really think about. Mobile security is something that is done over there; somebody else does it, the mobility people do it, and we as security experts don't necessarily put this into our everyday experience. I'll just give you a bit of background about myself. My name is Scot Kight. I have been in the mobile business for a very long time, just about 20 years now. I started a long time ago as one of the first people in the U.S. selling BlackBerry devices, if you think back to those days, and I saw the devices come, I saw smartphones go from zero to hero, I saw BlackBerry go from zero to hero to zero, and hopefully becoming a hero again at some point in the near future. So I've seen a lot of stuff change. I remember a very specific example: I remember sitting in a restaurant in New York City and I looked over and saw somebody with a BlackBerry device, and I was with my buddies like, "Look, that guy has a BlackBerry, the thing that we're selling, this is amazing, we're seeing it in the real world." Then somebody pointed out to me a few weeks ago that if I went to New York and saw somebody on a BlackBerry I'd probably say the exact same thing now, but that's a different story.

We've seen these things grow from nothing to something, but they grew in a kind of a weird way. They grew in a way where we as companies believed, back in the day, "We're gonna buy devices, these devices like BlackBerry devices are secure, and we're gonna give them to our employees because we get a really good return on investment out of these devices." Something like: it's gonna cost us 50 bucks a month and we get $3,000 out of it. I mean, that's a great investment as a company. And then they figured out something really, really interesting: what if we don't even have to pay the 50 bucks and we still get the ROI? Oh, that's great. And what that ended up being is that people buy their own devices and they support their own devices, and as a company that seems like a really good way to save some money or even actually make money. In the world space it means that we are now at over 7 billion devices, because people think, "Hey, I get a return on investment out of this device too, it's not just my company. I get something out of this: I get to play games, not be bored, surf the web, whatever I'm going to do with the device, I get to do that any time I want without any interference, and I get to access my work stuff and I get to do all these other great things." All wonderful, except for the fact that we as security experts sort of let it happen. It was over there, somebody else was managing it, it wasn't my problem. The problem is, well, the bad guys understand that particular point of view. We're not looking at something we need to think about: if something is going on over there, somebody else is going to be paying attention to that something going on over there. And like I said, those bad guys figured this out. They figured out how to look at those devices and take data off of those devices. The last little session was about data exfiltration. Mobile devices are actually a definite point of exfiltration of data as well as entry points of data, and since we're not looking at them, you know, that's kind of an issue.

So in this example we can see that there are a few attacks that have occurred over time against mobile devices. These are just some of the attacks; most of these are the ones that Check Point, the company I work for (I won't be selling anything today, I'll just talk a little bit about it), has done a lot of research into, and we found a number of different types of attacks, both application-based and physical-based and other things, onto devices. And not only are we seeing attacks in general, we see very large-scale attacks. We saw one that was called CopyCat that affected, I believe, 12 or 13 million users, and we found ones like an attack against some doctors at UVA that lasted over 19 months. We think about this, and I will challenge you: if you're a security expert and you have an attack in your network active for 19 months, are you looking for a new job? Because you're probably not going to be continuing there. That is one of those things that we as a security expert group need to understand exists, and we need to stop that type of attack from occurring ahead of time, not let it sit in our networks for 19 months.

Just to put those numbers in perspective with the rest of the types of attacks that exist out there: if we are looking at malware attacks, attacks that hit front-page news, things like WannaCry, Locky, Petya, NotPetya, all of those massive ransomware attacks, well, the scale of those attacks actually isn't that great. The effect is amazing and it's terrible and it was very destructive, but the numbers of devices affected were measured in the hundreds of thousands max, total for all of them. But that hit front-page news on every newspaper, every webpage, every news article you can think of, for months. If we look at the attacks on mobile devices, like CopyCat, like I said, it's 15 million devices; HummingBad is a different type of attack, it hit 10 million devices; we've seen Judy hit another 12 million; we've seen another couple of attack types hit 36 million. So the numbers of devices affected with true data exfiltration are unbelievable numbers, but we're not talking about it because again, as security experts, we're not looking at it. It's not destructive in the same way that WannaCry or Locky and Petya/NotPetya were. It's just data, actual straight exfiltration, just an attack.

So let's talk about a couple of these attacks. Judy is one of those attacks; if you're not familiar with some of these attacks, feel free to come and talk to me later and we can talk about them in detail. Judy was an attack against basically the advertisement engine of your device. Now that doesn't sound really creative, it just sounds like, "Wow, why do I care about the advertisement engine on my device?" Well, let's back up for a second. What does an advertisement engine do? It's designed to track you, to understand what your interests are, understand what types of places you frequent, what types of things you might be interested in. Well, as a hacker, what do I want to understand for social engineering? I want to understand where you are going, who you are talking to, what types of things you are interested in. That seems like a really good pairing. It really seems like a good place to get data, get information, and get some way to understand you better, and in fact that's exactly what happened. So what the hackers did is create an engine that would replace the advertisement engine of a device, and rather than providing Google with, "Hey, John was here at this particular Macy's and he was walking past this particular counter," telling Google this information and then Google reselling that out anonymously, it just says, "Hey, John was here, he went here, he went to Starbucks at this time, bought these two things, was in the office by 9:00 a.m., met with the CFO early in the morning, then left." Very, very detailed steps, very detailed information about individual users, which as a hacker is invaluable. If I understand my target then I can plan a good social engineering, a good next step. And just to put this in a different light: all the stuff that I'm talking about, all the stuff found, all of the information that could be stolen, you would have no idea it was taking place, because you're not protecting against mobile device infiltration. Because again, I can tell, because Judy hit, you know, 10, 15 million devices across the world and the other ones hit 20, 30, 40 million, and most people don't know anything about them.

Another type of attack was called BankBot. Now this one is a little bit more specific, although it's been used a number of times, both in a corporate sense as well as an individual sense. The basic idea is that BankBot was incorporated into a bunch of other applications. It affects Android devices specifically, and if you ran an application that was infected with BankBot... actually the infections were done at the API level, infecting developers. The developers didn't know they were including this in their software and then providing it out. If you ran the software that had BankBot installed in it, it would run in the background on an Android device and it would wait for you to trigger your own banking application. So say you are using whichever banking app, it doesn't really matter; say you're a day trader, you're opening up your day trading application. The first screen that pops up is a login screen, as you think it should be, but what happens is BankBot sees you opening that application up and draws its own screen on top of the real application, and it has a place for you to put in your email or login and your password. So you put in your login and your password and the screen just goes blank. It doesn't say anything, it just goes and looks exactly the same. Well, what's happened is actually you put your information into a screen drawn on top of the screen you're expecting, that looks exactly like the screen you're expecting, so you don't notice the fact that you just gave out your login and password to somebody else. Then you do it the second time and it works. "Oh, whatever, whatever happened, it was just sort of broken for a second." That exact system works over and over and over again for these guys. They have reintroduced this out into Google Play and other sources many, many times. It is a really bad issue and it exists.

And finally I'll talk a little bit about Gooligan, which is another attack. It's actually the single largest attack against Google ever found. I know that you're probably going to think, "Well, there was a G+ hack," but honestly, it's G+. Who actually used G+ in this room? Gooligan actually is a little bit of a different hat. So the basic idea here is that again people went out and created some applications, put them on the Google Play Store in different locations around the world as well as alternate stores. People downloaded those applications, installed the application, ran it. So what happened when they ran these applications is that it did a temporary rootkit on the device, without notifying the user, of course, or, you know, forcing them to hit yes to a whole bunch of properties, but they did, and they ran it and they made the application live. When that application went live with that temporary rootkit it stole your authentication token off the device. Now if you're not familiar with what that authentication token does, one of the things it does is allow somebody to access your Google Play Store account and rate applications as five-star apps, and that is exactly what they started out doing, and they sold that as a service. "That's great, I can now have a million users rate your application as five stars, that's my service, I'm gonna sell it for 2,000 bucks each," whatever the case might be. And that's what they did, that's what the bad guys started doing: selling that service of rating applications as five-star apps. Okay, fine, I don't care. As a user, when I see my information: "Huh, why did I rate all these apps as five stars? I don't even know any of these applications." You don't even pay attention, it's below your threshold of care. But there's a problem. That authentication token doesn't just allow you to rate those apps as five-star apps, it also allows you full access to any and all Google services without two-factor authentication, without identification of the individual device. You can use that token anywhere, from any system, for any reason, for any user. With that authentication token, and that includes Google Docs, Google for Work, Android Enterprise, it includes any type of third-party authentication, [inaudible], you name it, anywhere and everywhere at Google is broken for 1.3 million users. Now what I'll say in terms of the time frame for it: it was active for nine weeks. When it was active initially we reported it to Google; it took Google about three weeks to come back and say, "Oh yeah, that's an issue," and then it took another six weeks to solve the problem. So just put those time frames in the back of your head in terms of how long it takes to solve a major issue with a company. I'll just say this: it's something that we're proud of. We got a little plaque from Google because we found this, and they entered us in their Hall of Fame, so we liked that, we thought it was kind of cool.

But just to talk a little bit about the overall types of attacks. I've been talking about a number of different attacks, some of them applications, some of them hacking APIs, some of them hacking other systems. Mobile devices have a lot of vectors of attack and things that we don't necessarily control. When we talk about our laptops and endpoints we generally provide VPNs, we provide disk encryption, we provide lots of ways to keep those systems very secure. On mobile devices we depend upon somebody else to do that for us; we depend upon somebody else to make sure those devices are okay, whether it's Google or Apple, or if you have BlackBerry devices, or Microsoft or whatever else. All those types of devices, you know, we're depending upon somebody else to secure them for us, but the problem is that's not really a terribly realistic expectation. Microsoft, I mean Google and Apple, are out to sell devices to as many people as possible. If they make their devices too secure they'll be annoying for some users, and that's it. So lowest common denominator says their security requirements, their maximum security, is not going to be as high as what you would want it to be. So that leaves us with a whole bunch of different types of attack vectors. Infected applications, obviously; we can understand that particular theory. We have network attacks: when you connect to a network there is no guarantee as to what that network is. It is a $100 device; I'm sure most of you know or have heard of a Pineapple device, but 100 bucks buys you a hacking tool that can take over a mobile device. We have OS exploits, jailbreaking, rootkitting, or taking advantage of settings and systems on devices that you're not necessarily familiar with. The biggest attack vector right now that we see at all on mobile devices: phishing and smishing. For one reason or another, when people receive an SMS they are very likely to click on a link in an SMS. You would never click on a random link from something you don't know in an email, but people do click on links in SMSes, and the bad guys realize this and they are using that as an absolute attack vector to get into your systems, to get data out of your systems. Just as a quick little tidbit: we actually were working with a different pen testing company at some point, and they did SMS pen testing with a particular company. They did a whole bunch of training saying, "Don't click on links that look like this. Do you agree, on pain of job, do you agree to not click on links like this?" So of course all the people at this particular company said, "Yes, we agree, we understand, we'll never click on these types of links." Three months later they sent out SMSes that actually duplicated those original links. 70% of the people clicked on the links. When asked, "Why did you click on the links?" the response from a regular user was, "I was curious." And that was it. That was enough for them to click on a link that allowed them to lose data, to give out logins, give out passwords, give out information about the company and allow somebody else to take over their stuff.

And finally there's SS7. This is not something I'll talk about today too much, but SS7, if you are familiar with it, it hasn't gone away. If you're not familiar with it, it is the switching system upon which the old POTS phone network is based, but cell phones actually still use this network. They still use SS7 as a signaling system, as a way to do stuff. The problem is that SS7 is "secure" because it's over there, it's in a building ten miles away with a DMS-100 switch. The problem is that's the sum total of security in SS7. If you tell SS7, "Do this," it does it, and there are ways for hackers to go and talk to a CLEC somewhere in the middle of Russia: "Hey, can you issue a command? I want to listen in on this person's conversations. Can you issue a command that allows me to listen in on it?" "Sure, no problem." If you want, there's a link: 60 Minutes did a piece on this; it's about a 15-minute YouTube video. Search for "SS7 hack 60 Minutes". You'll love it, it's fantastic, or you'll hate it depending upon your point of view, but it is definitely a way of attack.

And then to kind of bring this a little bit back together: we went and did a bunch of research with different customers and different people. We wanted to understand what the prevalence is, how many companies out there have actually experienced hacks, have experienced issues on their mobile devices. What we found is, we went out to customers who had more than 500 licenses, so 850 of our customers that had over 500 devices: have you been attacked? Have you connected to mobile networks that were malicious? Have you installed malware on your devices? And we found that every single one of them had. We found that a whole bunch of them had jailbroken or rooted devices. We actually found some amazing companies, some very, very high-end companies, had enterprise certificates installed in the research department and they had no idea. If you're not familiar with what an enterprise certificate is, it's the ability to install and run basically self-developed applications, which is fine on an Apple device, except for the fact that this particular company had a whole ton of enterprise certificates installed on their devices from other companies, from places they didn't know anything about, from hacked sites. If you're familiar with 25PP or vShare, they're basically app stores for Apple devices that have nothing to do with the Apple App Store at all. They just use hacked enterprise certificates and allow you to download pirated software. If you don't know what I'm talking about, if you don't know how to do it, ask any eight-year-old; I guarantee you they'll figure it out really quickly.

So now I've talked a lot, I want to show you a little demo of basically trying to put... [audience question] Yes sir? [inaudible] So for the most part the customers that we're talking about here were mostly BYOD, not all of them though. So one of the customers in particular, the one I was talking about with the enterprise certificates, was about 50/50, and we basically assumed, we made a lot of assumptions, we walked in and we assumed that this particular company would have nothing. Actually, I can talk about them; sorry, it would be Samsung, Samsung Research. We figured that they would not have any issues whatsoever. They were actually one of the ones with the biggest set of issues, and they had about a 50/50 distribution of assigned devices and non-assigned devices. And just to be clear, yes it was Samsung, but we're talking about 1,500 devices, a 50/50 split of iPhone and Android devices, and out of that a 50/50 split of CYOD and BYOD; so CYOD, corporately owned devices. So yeah, it was really interesting to us to see that at the end of the day.

But now I'm gonna show you a quick demo, and this demo uses a lot of the technologies and things and attack vectors all combined into one. It uses OS exploits, it uses malicious networks, it uses some user confusion, and it uses some basic application hacking. So without further ado, here is an MDM. If you're not familiar with this MDM, don't worry about it, it looks like all the other ones. In terms of the aspect, we believe for one reason or another MDMs are enough to secure our devices, but understand that the MDM's point of view and the MDM's purpose in life comes from a corporately owned world where all you care about is inventory management and policy management. The security is there because, well, it's a BlackBerry device, it's secure; it's an Apple device, it's secure. That's it, that is the sum total of security. But we believe that these provide security down to the device, when they kind of provide something, but not necessarily security. They do a great job in policy and inventory management though. What we're seeing here with this particular device in this particular screen, and all we're trying to demonstrate, is that there is a device, it is on an MDM, it is compliant with the requirements of the MDM, it has installed the policies that the MDM creates, and it is a managed device. It's perfectly normal. In this case it's running iOS 11.2; it does not matter, what I'm going to show you works just as well on 12, 12.1 and 12.1.1 beta. I am running it, so I know this for sure, but I don't recommend 12.1.1 beta, it's not very good. But either way.

So say you're travelling the world and you have this device and you go to Hack Airport (I know, I have bad humor, but either way). You go to Hack Airport, you land, and you need to get a document out, you need to do something, you need to send some data. So you connect to the Wi-Fi network, because you need to send a whole bunch of stuff and the roaming network there isn't working, or whatever the case might be. You connect to the Wi-Fi network just like most of you are probably connected to the Wi-Fi network here at the school. So you connect and everything seems fine, and when you do, you get a pop-up on your device. It says, "Hey, you are connected to the airport Wi-Fi, click here to continue, you need to do this," whatever the statement is. Now I will say that no one in this room is going to get that thing and continue; you're probably gonna go, "What the hell is this?" and then do something else. But if you're an HR person and you're desperate to get a job done and that pops up and says "click here to continue", you're gonna do exactly what you see on the screen. You're gonna install the profile that it's telling you to install and you're gonna click Next a whole bunch of times. The problem is that entire process put that device under somebody else's control. That was it; that device is now controllable. Now, it's not ready just yet, but it has set the scene for a particular type of control. What we've done so far is install a profile that basically allows redirection of traffic, that allows HTTP inspection, that allows a couple of other things, and this is all done perfectly legally as far as Apple's system is concerned. We're not hacking anything; this isn't a true hack, this is an OS exploit. We're exploiting the way that the device actually functions and works and is designed to function.

In the next screen you're going to see an application install, and I'll preface this because it's pretty quick, it's real-time. There's gonna be a screen; it is the normal screen that you see when an application is installed and pushed down by an MDM. There is nothing different about what you'll see in the next screen, and in fact it actually has a server name in the dialog box. That server name is exactly what the user expects; it is their corporate MDM that they see. So without further ado, the MDM is pushing something. We see right in the middle of the screen "app installation". "Well, that's my server, okay fine, install." So you install, and you can see at the bottom there's an application installing onto the device. "Hey, Mobile Conference, what's that? My company's gonna mess with me having a conference? I'll open it up. I don't know what this is, yeah, whatever, my company sent it, it's fine, it'll go in the background, I'm not worried about it." But that's it, that was the hack. This particular application we know to be a hack because we wrote it. We actually used it for a keynote presentation at a different place, and what we did was we wrote this application to do a couple of things. It actually takes audio, it takes contacts, calendars and a bunch of other things and packages it up and sends it at will. So once this user has this application installed, and once they've run it, they can leave the network there and they can go wherever they want, and then we can trigger it at any time that we decide. As a hacker we can say to that device, "I want you to give me some information right now."

So we used this at RSA. RSA asked us to do a keynote speech there, and we went out to do the keynote speech and we decided to write the application and bring it out as a true demonstration. Well, how can we make that even better? Well, how about this: you know how they have posters all over the place, and a lot of presentations, a lot of events, maybe they used to have QR codes on everything? Well, what we did was we just went over to Kinko's and printed out our own QR code, went back to RSA and just kind of taped them over the QR codes on the walls. So it's the simplest physical hack you can come up with. You know, we figured most people would probably scan it and go, "What the hell is this?" and move on, but some people will go, "Okay," and they'll scan it. And what we did was get in front of the crowd and go, "Hey, thank you everybody for joining. Jim, I know that you have a meeting in ten minutes, I hope you'll stay around for the rest of the presentation. And Stephanie, thank you for coming here from Starbucks ten minutes ago, we know that you're all caffeinated." And you can see people just go, "Huh, that's not so good." So we actually had real information about the crowd. And the funny part about this is that RSA actually kicked us out right afterwards; they were less than pleased with our actions. But we discussed it with them and showed them what we had done, and the crazy thing is they weren't really super displeased with us doing the mobile conference attack; they were actually displeased with the fact that we called it "RSA Mobile Conference". So we changed the name of everything, fine, and we've come back; we go to RSA every year, they like us at this point.

So what does this mean to the MDM? We have a device, we have a hack installed on it, it's ready to go, we can trigger it at any time, we can listen in on conversations, we can get contacts and get calendar information out of it. Well, here we have the MDM: the device is not compromised, the device has no violations, and in fact if we go into the device in the system itself and we look at the device, we can see that the application was installed by the MDM, it thinks. It wasn't, but the MDM thinks it was installed and it thinks it's a managed app by the MDM, because the MDM isn't smart enough, because the operating system isn't smart enough to know anything. All it knows is it was installed. The MDM says to the device, "Hey, do you have any managed apps?" and the device goes, "Yes I do, you installed it, it's great." That's it, that is the sum total of the experience, and unfortunately that leaves the user hacked and leaves you, you know... definitely, if you're looking for the app. But how do you know how to look for the app? That's where you need some other system and other ways to think about it, and it's something that we do think about, and a lot of companies... I won't go too much into sales. But just to be clear, there are a lot of different types of things you need to think about when you're looking at mobile devices. You need to think about malware and think about the timeframe that the malware is out there. Absolutely, Google and Apple are very good at killing stuff over time; they are not good at zero-day. It takes nine weeks, or took nine weeks, for them to solve the biggest hack ever against Google, so think about that in the timeframe. We've seen a lot of different attacks on applications, we've seen the malicious attacks on Wi-Fi and have demonstrated that. You can obviously think of Bluetooth attacks; you can think of the browsing that your users are doing: is it okay, are they being tricked into going to a website, are they using different sites, using different systems? Lots of different things for you to think about. So I just want to leave it with this, and if you have any questions I'm here, otherwise you can find me at the booth later. And, you know, really appreciate your time. Thank you everybody. [Applause]
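The captive-portal demo above turns on a configuration profile that redirects traffic and allows HTTP inspection, and the MDM never flags it. The script below is an added defender's example (not code from the talk, from Check Point, or from any MDM vendor) that parses an iOS configuration profile and reports the payload types that hand traffic control or trust to the profile's author. The embedded profile is a constructed sample, the "expected organization" check and the list of risky payload types are this example's own policy assumptions, and the `com.apple.*` PayloadType strings are Apple's documented identifiers for those payload kinds.

```python
"""Audit an iOS configuration profile (.mobileconfig plist) for payloads that
give whoever authored it control over the device's traffic or trust store.
Added example; not the talk's, Check Point's or any MDM's code."""
import plistlib

# Payload kinds that can redirect or inspect traffic, or plant a trust anchor.
# Which of these count as "risky" is this example's policy assumption.
RISKY_PAYLOADS = {
    "com.apple.proxy.http.global": "global HTTP proxy routes all web traffic via a chosen host",
    "com.apple.vpn.managed": "VPN payload tunnels traffic to a chosen endpoint",
    "com.apple.security.root": "root CA install lets a proxy terminate TLS without warnings",
    "com.apple.security.pkcs1": "CA certificate may be trusted for TLS interception",
    "com.apple.mdm": "MDM enrollment grants remote management of the device",
}


def audit_profile(profile_bytes: bytes, expected_org: str) -> dict:
    """Return {'parsed': bool, 'organization': str, 'findings': [str, ...]}.

    Only plain XML or binary plists are parsed. A CMS-signed profile is an
    opaque blob here, so it is reported as unparsed rather than misread."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception:
        return {"parsed": False, "organization": "",
                "findings": ["not a plain plist (CMS-signed or malformed)"]}

    findings = []
    org = profile.get("PayloadOrganization", "")
    # A profile that does not claim to come from your own organization deserves
    # a look even if it carries only harmless payloads (assumed check).
    if org != expected_org:
        findings.append(f"organization '{org}' is not the expected '{expected_org}'")
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("profile is marked non-removable by the user")
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            findings.append(f"{ptype}: {RISKY_PAYLOADS[ptype]}")
    return {"parsed": True, "organization": org, "findings": findings}


# Constructed sample resembling the "click here to continue" profile in the
# demo: a Wi-Fi payload as bait, plus a global proxy and a root CA.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Airport Wi-Fi Access</string>
  <key>PayloadOrganization</key><string>Example Airport Wi-Fi</string>
  <key>PayloadIdentifier</key><string>com.example.captive.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>Airport-Free-WiFi</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadCertificateFileName</key><string>ca.cer</string>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE, expected_org="Example Corp")
    for line in report["findings"]:
        print("FINDING:", line)
```

On a real device the installed profiles live under Settings, and an MDM can pull the same list with its profile inventory; the point is that the MDM's "compliant" verdict says nothing about what those profiles allow, so something has to read the payloads.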