In the last two years I have been to a few SANS training courses:
508: Advanced Forensic
617: Wireless Ethical Hacking
660: Advance PenTest
Last week I attended the SANS 575: Mobile Ethical Hacking course,
it is a nice complement to the 617 Wireless course and although there is some overlaps, especially around WIFI vector attacks, most of the content is different; and when it is not, you get another perspective for those attacks.
The course gave an overview of the different architectures surrounding the Android, iOS, Blackberry and Windows Mobile phones, how system and app updates are handled, how certificates are managed, attack technics against mobile apps communications as well as against the app code itself through leveraging jailbreaking.
As with most SANS courses your day is not limited to a 9 to 5 schedule and if you want to make the most of it you will end up attending after class presentations or the Netwars hacking contest during the last 2 evenings. Although this means you are most likely to finish your day at around 10pm, you also end up learning a lot more than what is just taught in your course.
Finally, the last day there is a Capture The Flag event in your class where you compete against your fellow students in teams of 3 or 4. It is a great way to apply all what you learnt during the week. It is very similar to Netwars but tailored to the topics you have just been studying .
Below are my key takeaways from that course:
1. History keeps repeating itself.
I will go into more details in a future post, but all the security issues we have had when Internet first appeared in the corporate world, then with WIFI networks are just repeating themselves with the use of mobile devices. Examples?
Mobile devices are more and more like computers yet we tend to only use simple and short passwords to protect how we are accessing them, there are no antivirus or firewalls in most platforms.
What drives mobile devices’ roadmaps is the user experience rather than its security.
2. Jailbreaking as a security tool
Jailbreaking a phone can be very useful, and sometimes the only way, to really understand what data an application is accessing and sending.
3. MDM alone, is not enough
MDM is just one component of what a mobile device strategy should be. Reviewing the security of apps being developed internally as well as the most commonly used 3rd party ones should be core to that strategy. Failing to do so equate to having an open desktop policy where users can install any applications they want, with no firewall/anti-virus.
4. Apps manipulation through HTTP intercept
The majority of mobile device applications uses HTTP as their communication transport protocol.
It often compromises the security model implemented with their counterpart desktop/web portal solutions.
Users often wrongly assume that an application is secure, because there are no visible signs as to how secure its communication is.
An example studied in class showed easily it is to manipulate stock option prices from the built-in iOS Stocks app.
5. 4 PIN on iOS is bad very bad.
I was amazed at the speed it takes to crack a 4 PIN protected iPhone (up to iPhone 4) and iPad (up to iPad 2).
In class we looked at how one needs just 15 minutes to a) take a locked iOS device, jailbreak it in memory, crack the PIN, dump all data, reboot the iDevice and the owner would never know you have just stolen all its data.
Although this is not currently possible on iPhone 4s+ and iPad 3+, this could change if new jailbreaking methods are found.
You would also be amazed as all the potential sensitive information is available in clear text, from WIFI to Emails passwords.
6. Certificate (mis) management
HTTPS certificates are very poorly managed on mobile devices currently and if a user is subjected to an HTTPS Man in the Middle attack, the warnings signs (if any!) could be at best confusing and at worse misleading! (i.e.: Hackers can pretend their certificate is from a valid and known CA).
6. Devices Emulator, Developer Programs and Mobile lab
Device emulators, although not as good as the real handsets, are very useful to do security assessments.
Being part of the major vendors developer programs does not cost much money and gives you access to exclusive tools and upcoming beta versions.
Lastly, having some kind of mobile device lab is useful for your security assessments and combining real handset with emulators should be relatively cheap to setup whilst still giving you enough handset coverage.
What this course has highlighted is how immature the security around Mobile Devices is, and that securing mobile devices in a corporate environment does not stop with MDM.
A very good course I would recommend to anyone involved with Mobile Device security, this will be an eye opener!