This document discusses practical attacks against virtual desktop infrastructure (VDI) solutions. It begins with introductions to the presenters and an overview of mobile VDI. It then outlines four threats: 1) using a remote access Trojan to keylog credentials, 2) directly grabbing credentials from an Android device, 3) screen scraping on Android, and 4) man-in-the-middle session hijacking on iOS. It argues that a layered mobile security approach is needed to protect VDI, including device assessment, reducing attack surfaces, threat detection, and risk mitigation.
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructure (VDI)
1. Practical Attacks against
Virtual Desktop Infrastructure (VDI) Solutions
Michael Shaulov, CEO
Daniel Brodie, Sr. Security Researcher
Lacoon Mobile Security
Lacoon Mobile Security
1
2. About Daniel
§ 10 years of security research
§ From PC to Mobile
§ Researcher and developer at Lacoon Mobile Security
§ Developing a virtual execution-based app behavioral analysis framework of mRATs and
mobile malware
§ Analysis of iOS and Android vulnerabilities and exploits
§ BH 2013: “A Practical Attack against Mobile Device Management (MDM)
Solutions”
Lacoon Mobile Security
2
3. About Michael
§ Decade of experience researching and working in the mobile security space
§ From feature-phones to smartphones
§ Mobile Security Research Team Leader for Defense Contractors
§ CEO and co-founder of Lacoon Mobile Security
§ BH EU, BH USA, RSA Conf, GovWare …
Lacoon Mobile Security
3
4. Quick Disclaimer
This talk is NOT about:
§ Dismiss VDI value as an enterprise
mobile solution
§ Specific vendor
implementation
This talk is about:
§ Quantify risks that can compromise
VDI sessions
§ Provide a framework to assess and
mitigate the risks
Lacoon Mobile Security
4
5. Agenda
§ Mobile VDI 101
§ Practical Mobile Threats against
VDI
§ Augmenting VDI with Defense-in-
Depth Mobile Security
§ Conclusions
Threat
2
Grabbing credentials locally / Android
Threat
3
Screen-scraping/ Android
Threat
4
MitM Session Hijacking / iOS
Lacoon Mobile Security
5
In the Wild mRAT Key-loggers / AndroidThreat
1
7. Mobile VDI Motivation
Key Requirements for BYOD / CYOD
§ Enablement
§ DLP / Lost Device
§ Intrusion
Lacoon Mobile Security
7
8. Enablement
Simplify IT support of BYO devices
It can meet the increasing demand for
BYO initiatives by delivering apps and
desktops as an on-demand service.
Lacoon Mobile Security
8
9. DLP / Lost Device
X
No content is
saved on the
device
On-demand session
Lacoon Mobile Security
9
10. Intrusion
“Virtual desktop security to protect sensitive information
Centrally secured virtual desktops and apps in the
datacenter reduce the risk of data loss or intrusion when
delivered to any device. Corporate access remains secure
while intellectual property and sensitive private information
stays safe.”
Good
Marketing
Lacoon Mobile Security
10
14. Threat 1
Using an mRAT for its Keylogging Capabilities
Lacoon Mobile Security
14
15. Emails
App Data
Contact Lists, Call & Text Logs
What is a Mobile Remote Access Trojan (mRAT)
Key Logger
Screen Scrapper
Memory Scrapping
Files and Photos
Microphone and Camera
Track Location
Lacoon Mobile Security
15
18. mRAT Spectrum
$300K-$12M
Government -> Terrorists / Activists
Free - $100
Everyone -> Everyone
Surveillance /
Monitoring ToolsGov / Mil mRATs
Lacoon Mobile Security
18
“Hacking Team is really a very basic software
with a public payload based on CVE bugs
PUBLIC. Not different than any commercial
spyware on internet. Even with lower features.”
-- Mobile Malware Google Group
20. Data sample
Mobile devices communicating
through corporate WiFi access
points, connected to the Checkpoint
firewall
Traffic from 95 gateways
(~90 enterprises)
20
Lacoon Mobile Security
Survey: mRATs in the Enterprise
A Lacoon-Checkpoint Research
22. 22
Lacoon Mobile Security
How common are mobile threats in the Enterprise?
% By Country
41.8
6.6
5.3
4.9
4.9
3.9
3.3
US
MX
NO
TM
EC
FR
BR
Key Findings:
Number of infected Devices
• 290
• Median: 2 infected devices / enterprise
mRATS found
• 16 used
• Most common: Spy2Mobile, Mspy, Mobile
Spy, Bosspy
Types of OS
• 90% Android
• 10% iOS
Country infection rates
• Spread across 30 countries
23. The full report coming soon…
Stay tuned @LacoonSecurity.
Survey: mRATs in the Enterprise
A Lacoon-Checkpoint Research
23
Lacoon Mobile Security
24. Lacoon Mobile Security
24
Recap
§ Looked at the two solutions
§ Test servers (citrixcloud, pivot3’s testdrive)
§ Vmware is more of a slim VDI while Citrix has
additional capabilities
§ Very configurable
§ Both provide a myriad of clients and logging in
capabilities
25. Lacoon Mobile Security
25
Threat 1
Using a Widely Popular mRAT on an Android-based Device
§ Keylogging for data or authentication info
§ mSpy
§ Lacoon-Checkpoint “mRATs in the Enterprise” survey
§ Mostly used in the enterprise
§ Detected in 19 countries, such as USA, Britain, and France
Cost: >$50
27. Different Keylogging options
§ Repackage keyboard – done on SwiftKey in 2013
§ Used by mRAT’s as a custom keyboard
§ MitM on the active input method – grant yourself the
BIND_INPUT_METHOD permission
§ Pretty complicated and requires elevated privileges
§ Input Manager Service is a native process, hooking it at the InputDispatcher-
>dispatchOnce will give you access to all input events
§ Practically all Android ROMs use default symbol visibility
27
Lacoon Mobile Security
29. Threat 2
Grabbing Credentials Locally on Android
§ Keylogging has it’s own problems
§ Target the client itself to grab whatever credentials you need
Lacoon Mobile Security
29
30. Threat 2
Grabbing Credentials Locally on Android
1. Run a Privilege Elevation vulnerability
1. TowelRoot (CVE-2014-315), VROOT (CVE-2013-6282),…
2. Exploit does not leave identifiable root marks
2. Enable jdwp debugging on all the apps installed on the device
3. Connect as a debugger to the VDI client
4. Set a breakpoint on a function that handles the credentials
Lacoon Mobile Security
30
32. Enabling jdwp debugging on apps
§ By ptrace-ing the init process to dynamically change the ro.debugabble
property
§ Similar to what setpropx does
§ By starting the jdwp thread by yourself in the relevant process
§ Easily done by calling the dvmJdwpStartup with ptrace
32
Lacoon Mobile Security
33. Possibilities to hook apps
JDWP
easy way to simply sit on a specific java
function after enabling debugging
XPosed / Cydia Substrate
Also great way to dynamically hook a
function without needing to resort to
debugging
§ Uses a small jar injected into every process
by zygote to initiate hooking, dalvik
changes not neccesary
Native code hooking
Through ptrace debugging or so-
injection
§ Either by having a relevant native function
somewhere in the stack
§ Also very useful for hooking ART
33
Lacoon Mobile Security
35. Two possible methods
§ Leverage the clipboard access support
§ Record the screen automatically when the mRAT detects that the VDI client is connected
Threat 3
Screen Scraping against Android
35
Lacoon Mobile Security
36. Screen Scraping using Clipboard Access Support
Run a Privilege Escalation vulnerability
§ TowelRoot (CVE-2014-315), VROOT (CVE-2013-6282),…
§ Exploit does not leave identifiable root marks
Monitor the current foreground activity using standard Android APIs
getRunningTasks/getForgroundApp
Inject keyboard events to cause content to be copied from the file to the
clipboard
§ Using InputManager’s injectInputEvent (as root/system) we can inject input events
§ Specifically Ctrl+A, Ctrl+C will work for most interesting applications
36
Lacoon Mobile Security
38. Screen Scraping using Screen Recording
1. Run a Privilege Escalation vulnerability
§ TowelRoot (CVE-2014-315), VROOT (CVE-2013-6282),…
§ Exploit does not leave identifiable root marks
2. Monitor the current foreground activity using standard Android APIs
§ getRunningTasks/getForgroundApp
3. Start recording the screen using one of the recording apis
(go into depth)
§ 4.4 has a nice new screenrecorder – but possible even earlier by accessing framebuffer
§ SurfaceView.setSecure would need to be patched on 4.2 and up
Lacoon Mobile Security
38
40. User VDI Credentials
Authorized
List of services & Organizational policy
Request for Service A
VDI
40
Lacoon Mobile Security
VDI Protocol Flow
Server
User Inserts VDI credsSSL Connections
VDI
Client
Mobile Device
42. 42
Lacoon Mobile Security
Threat #4: MitM against iOS
This is an email with a
phishing link to a
configuration profile. It
will be replaced with a
screenshot.
VDI Server
43. More possibilities with MitM attacks
§ Duplicating the actual screen/input stream to a separate machine
§ VmWare Horizon Viewer uses either a proprietary protocol or RDP
§ Citrix Receiver uses a proprietary protocol called ICA – not widely analyzed yet
§ Simulate commands to the client and/or server
§ Can be used to do implementation specific actions, including gaining VPN credentials, etc…
43
Lacoon Mobile Security
45. VDI depends on the integrity of the host system
§ Protects the data as long as the device is uncompromised
§ If the underlying device is compromised, so is the VDI solution
Conclusions
45
Lacoon Mobile Security
46. A multi-layer approach to mobile security.
Detect. Assess. Respond to Mobile Threats.
A Layered Mobile Security Approach
46
Lacoon Mobile Security
47. A Layered Mobile Security Approach
47
Lacoon Mobile Security
• Assess Device, Configurations, Apps
• Reduce attack surface
Accurate mitigation and dynamic access control of compromised
devices, using a rich toolbox:
• Integration to MDM, NAC and SIEM
• On-device remediation and on-demand network mitigation
• Device, Application, Network anomaly detection
• Mobile AV, advanced app reputation analysis
• Detect and classify advanced threats (Zero-day, APT, malicious
applications, etc)
Advanced
Mobile
Threat
Detection
Mobile Vulnerability
Assessment
Mobile
Risk
Mitigation
48. Thanks to those that helped on the
Lacoon-Checkpoint mRATs in the Enterprise Survey!
Lacoon
§ Pavel Berengoltz
§ Shai Yanovski
§ Shalom Bublil
§ Shayna Tichler
§ Amir Kessler
§ Noam Modai
Checkpoint
§ Inna Myslyuk
§ Gali Carmel
§ Ron Davidson
§ Inbar Raz
§ Alon Kantor
48
Lacoon Mobile Security