
iOS Threats - Malicious Configuration Profiles, Threat, Detection & Mitigation

A configuration profile is a highly sensitive optional configuration file that can redefine system settings such as mobile carrier settings, Mobile Device Management (MDM) settings and networking settings. Through social engineering techniques such as email phishing or a fake URL, an attacker can convince a user to install a malicious profile and so compromise the device settings, for example to silently route the device's network traffic to a remote proxy over SSL using a self-signed certificate.

The impact:
Once the attacker has re-routed all traffic from the mobile device to their own server, they can begin to install other malicious apps and decrypt SSL communications.

Published in: Technology


  1. iOS Threats - Malicious Configuration Profiles: Threat, Detection & Mitigation
  2. A Little About Lacoon (Who We Are, What We Do)
     • Develop new mobile security technologies that can detect and prevent mobile threats
     • Partner with leading mobile operators and technology companies to provide comprehensive mobile security solutions
     • Founded by mobile security experts from Military Intelligence and Telco industries
     • Supported by a Security Research Team focused on uncovering undiscovered threats to mobile apps and platforms
     • Well-funded and backed by successful security industry veterans
  3. Introduction – iOS Malicious Configuration Profile
     1. iOS configuration profiles can be loaded on any iOS device with relative ease. Each configuration profile can include settings for managing the device's proxy, VPN, and certificates.
     2. Through social engineering such as email phishing or a web link, an attacker can convince the user to install a malicious profile and compromise the device settings.
     3. The attack can silently route network traffic from a device using the profile to a remote proxy over SSL, using a self-signed certificate authority that appears valid to the end user.
     4. Once the attacker has re-routed all traffic from the mobile device to an attacker-controlled server, he can further install rogue apps and decrypt SSL communications.
  4. How iOS Attacks "Get In": Three Main Infection Vectors for iOS Attacks
     1. Physical Access
     2. Social Engineering
     3. Rogue WiFi Hotspots
     Attack types: Malicious Profiles, Fake Certificates, Zero-Day Vulnerabilities
  5. Malicious Profiles Example: LinkedIn Intro
     1. The user downloads an app or accepts new functionality from one of their apps that requires an update to the device's profile. Example: LinkedIn Intro's new profile reroutes all email to the LinkedIn servers.
     2. LinkedIn is now intercepting all emails and modifying their content (adding user info). This is known as a man-in-the-middle (MitM) attack!
  6. Holes in Existing Technologies: Capabilities needed to protect against MALICIOUS PROFILES
     • Analyze Configuration Profiles
     • Identify Suspicious Traffic Patterns
     Key: Cannot Protect / Some Protection / Can Protect ✓ (the comparison table itself did not survive extraction)
  7. Lacoon MobileFortress - iOS Threat Coverage
     • Certificate Validation: ability to check the validity of certificates and accurately identify the source of the application
     • Advanced Jailbreak Detection: ability to identify when a device has been jailbroken using a continuous background service
     • Configuration Profile Analysis: ability to identify changes to configuration profiles and understand when those changes make the device vulnerable (e.g. compromise secure containers)
     • Malicious App Detection: ability to understand communications from the app, regardless of how it was installed on the device, to see what it's doing (e.g. recognize traffic to and from unknown servers)
     • Man-in-the-Middle Attack Mitigation: ability to trigger a VPN to isolate the user when on a WiFi or other unsecured network
  8. How Lacoon MobileFortress Works – iOS Malicious Configuration Profiles
     1. MobileFortress App: the Lacoon iOS app checks for modified network settings every 10 min and sends configuration info to the Behavioral Risk Engine (BRE).
     2. Behavioral Risk Engine: the BRE analyzes the new network configuration and determines whether it can compromise the device's communication.
     3. Risk Score: the appropriate risk score is automatically assigned to the device and triggers the active protection layers.
     4. Active Protection: prevents data exfiltration by notifying the user on the device, activating network protection, and via MDM/NAC integration.
     5. Dashboard: full visibility and control over the compromised settings are available on the Lacoon Dashboard. Whitelisting capabilities are available for known settings.
  9. Contact details: www.lacoon.com, sales@lacoon.com
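Slides 3, 6 and 8 describe the detection side of this threat: a profile that bundles a proxy, a VPN or a certificate payload is what makes silent traffic redirection possible, and a defender wants to score such profiles and whitelist the ones that are known to be legitimate. The following is an added example of that analysis step, written for this page and not Lacoon's code or Apple's. It parses a `.mobileconfig` plist, flags the risky payload types and produces a simple risk score. The `PayloadType` identifiers are the ones Apple publishes in its Configuration Profile Reference (they are not on the slides); the sample profile, the host `proxy.example.invalid`, the weights and the `allowed_proxies` whitelist parameter are all constructed for the example.

```python
"""Static analysis of an iOS configuration profile (.mobileconfig).

Added example, not the slide deck's or Lacoon's code. Flags the payload
types that let a profile redirect or decrypt device traffic and returns
an illustrative risk score. Expects an unsigned XML or binary plist;
CMS-signed profiles would need to be unwrapped first (out of scope here).
"""
import plistlib

# PayloadType identifiers from Apple's Configuration Profile Reference.
CERT_TYPES = {
    "com.apple.security.root",
    "com.apple.security.pkcs1",
    "com.apple.security.pem",
}

# Weights are an illustrative scoring choice for this example only.
RISKY_PAYLOADS = {
    "com.apple.proxy.http.global": ("global HTTP proxy", 40),
    "com.apple.vpn.managed": ("managed VPN", 30),
    "com.apple.security.root": ("root CA certificate", 40),
    "com.apple.security.pkcs1": ("CA certificate (pkcs1)", 40),
    "com.apple.security.pem": ("CA certificate (pem)", 40),
    "com.apple.mdm": ("MDM enrollment", 30),
}

# Constructed sample: looks like a "carrier settings" profile but installs
# a global proxy plus a root CA, the combination slide 3 warns about.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadDisplayName</key><string>Carrier Settings Update</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadCertificateFileName</key><string>ca.cer</string>
      <key>PayloadContent</key><data>AAEC</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>CorpWiFi</string>
    </dict>
  </array>
</dict>
</plist>
"""


def analyze_profile(profile_bytes, allowed_proxies=frozenset()):
    """Return (score, findings) for a raw .mobileconfig plist.

    allowed_proxies is a hypothetical whitelist of known proxy hosts,
    mirroring the "whitelisting for known settings" step on slide 8.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    flagged = set()
    score = 0
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in RISKY_PAYLOADS:
            continue  # e.g. a plain Wi-Fi payload: not traffic-redirecting
        label, weight = RISKY_PAYLOADS[ptype]
        if ptype == "com.apple.proxy.http.global":
            host = payload.get("ProxyServer", "")
            if host in allowed_proxies:
                continue  # known corporate proxy, whitelisted
            label += " -> %s:%s" % (host, payload.get("ProxyServerPort", ""))
        elif ptype in CERT_TYPES:
            label += " (%s)" % payload.get("PayloadCertificateFileName", "unnamed")
        findings.append(label)
        flagged.add(ptype)
        score += weight
    # A proxy together with a newly trusted CA is the MitM setup from slide 3:
    # traffic is redirected and the self-signed chain looks valid to the user.
    if "com.apple.proxy.http.global" in flagged and flagged & CERT_TYPES:
        findings.append("proxy combined with an added CA: traffic can be redirected and decrypted")
        score += 20
    return min(score, 100), findings


if __name__ == "__main__":
    risk, notes = analyze_profile(SAMPLE_PROFILE)
    print("risk score:", risk)
    for note in notes:
        print(" -", note)
```

Run against the constructed profile the analyzer scores it 100 with three findings; passing `allowed_proxies={"proxy.example.invalid"}` drops the proxy finding and the combination bonus, leaving only the root CA at 40, which is the behaviour a whitelist for a known corporate proxy should have.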
