BlackHat Europe 2013 - Practical Attacks against Mobile Device Management (MDM)


Spyphones are surveillance tools surreptitiously planted on a user’s handheld device. While malicious mobile applications, mainly phone fraud applications distributed through common application channels, target the typical consumer, spyphones are the tools of nation-state attacks. Why? Once installed, the software stealthily gathers information such as text messages (SMS), geo-location information, emails and even surround recordings.

How are these mobile cyber-espionage attacks carried out? In this engaging session, we present novel proof-of-concept attack techniques, both on Android and iOS devices, which bypass traditional mobile malware detection measures and even circumvent common Mobile Device Management (MDM) features, such as encryption.

  • Pleasantries
  • Bypassing secure container encryption capabilities; demo; technical aspects
  • Software management — This is the ability to manage and support mobile applications, content and operating systems. The components are:
    ■ Configuration
    ■ Updates
    ■ Patches/fixes
    ■ Backup/restore
    ■ Provisioning
    ■ Authorized software monitoring
    ■ Transcode
    ■ Hosting
    ■ Managed mobile enterprise application platforms (MEAPs)
    ■ Development
    ■ Background synchronization
    Network service management — This is the ability to gain information off of the device that captures location, usage, and cellular and WLAN network information. The components are:
    ■ Invoice/dispute
    ■ Procure and provision
    ■ Reporting
    ■ Help desk/support
    ■ Usage
    ■ Service and contract
    Hardware management — Beyond basic asset management, this includes provisioning and support. The components are:
    ■ Procurement
    ■ Provisioning
    ■ Asset/inventory
    ■ Activation
    ■ Deactivation
    ■ Shipping
    ■ Imaging
    ■ Performance
    ■ Battery life
    ■ Memory
    Security management — This is the enforcement of standard device security, authentication and encryption. The components are:
    ■ Remote wipe
    ■ Remote lock
    ■ Secure configuration
    ■ Policy enforcement password-enabled
    ■ Encryption
    ■ Authentication
    ■ Firewall
    ■ Antivirus
    ■ Mobile VPN
    Although many MDM vendors may have different definitions, these are the general areas we assess in MDM. (Gartner, Inc., G00230508)
  • The Secure Container engine - containment of corporate data in an encrypted environment: Emails, Docs, App wrappers
  • Spyphone = Remote Access Tool
  • For mass market, success is dependent on number of users, identity irrelevant. For targeted attacks, success is dependent on reaching a specific person (or people).
  • RATs aren’t new, so why the sudden rise in popularity for mobile? Our assumption is
  • Spyphones more popular than spyware on laptops (Shai’s example): Eavesdropping; Extracting Call and Text Logs; Tracking Location; Infiltrating Internal LAN; Snooping on Corporate Emails and Application Data
  • Wide spectrum of SpyPhones, from official companies helping the average Joe spy on his girlfriend, child, or cat, to those sold only to governments
  • Cost upwards of 250 euros. FinSpy - Bahrain; DaVinci - DrWeb; LuckyCat – a sample of a mobile agent was found on one of the servers
  • Starbucks latte
  • The mindset is that everyone can go and buy one, but does it really happen, or is it just fear mongering? These numbers are especially troubling when we realize that every person in this sample who had one installed was targeted personally. THIS IS NOT MASS MALWARE
  • October 2012: 1 in 1000 devices
  • Any way to make it look better?
  • Akin to encrypting the phone but reading emails in plain-text
  • BlackHat Europe 2013 - Practical Attacks against Mobile Device Management (MDM)

    1. Practical Attacks against Mobile Device Management (MDM)
       Michael Shaulov, CEO; Daniel Brodie, Security Researcher. Lacoon Mobile Security, March 14, 2013
    2. About: Daniel
       • Security researcher for almost a decade
         – From PC to Mobile
         – Low level OS research
       • Researcher at Lacoon Mobile Security
         – Developing a dynamic analysis framework for analyzing spyphones and mobile malware
    3. About: Michael
       • Decade of experience researching and working in the mobile security space
         – From feature-phones to smartphones
         – Mobile Security Research Team leader at NICE Systems
       • CEO and co-founder of Lacoon Mobile Security
    4. Agenda
       • Introduction to MDM and Secure Containers
       • Rise of the Spyphones
       • Bypassing secure container encryption capabilities
       • Recommendations and summary
    6. Mobile Device Management
       • Helps enterprises manage BYOD (Bring Your Own Device) and corporate mobile devices
       • Policy and configuration management tool
       • Offerings include separating between business data and personal data
    7. MDM: Penetration in the Market
       “Over the next five years, 65 percent of enterprises will adopt a mobile device management (MDM) solution for their corporate liable users” – Gartner, Inc., October 2012
    8. MDM Key Capabilities
       • Software management
       • Network service management
       • Hardware management
       • Security management
         – Remote wipe
         – Secure configuration enforcement
         – Encryption
    9. Secure Containers
       • All leading MDM solutions provide secure containers
         – MobileIron
         – AirWatch
         – Fiberlink
         – Zenprise
         – Good Technologies
    10. Behind the Scenes: Secure Containers
       • Enterprise Application Sandbox
       • Secure Container
       • Encrypted Storage
       • Secure Communication (SSL/VPN)
    12. The Mobile Threatscape (chart axes: Business Impact vs. Complexity)
       • Mobile Malware Apps: consumer-oriented, mass, financially motivated, e.g.:
         – Premium SMS
         – Fraudulent charges
         – Botnets
       • Spyphones: targeted
         – Personal
         – Organization
         – Cyber espionage
    13. Why Mobile?
       • Convergence of Personal Info: Contacts, Emails, Messages, Calls, Corporate Information
       • Follows us everywhere: Office, Meetings, Home, Travel
       • Perfect Spy Hardware: Always Online, Location, Microphone, Camera
    14. Spyphone Capabilities
       • Eavesdropping and Surround Recording
       • Extracting Call and Text Logs
       • Tracking Location
       • Infiltrating Internal LAN
       • Snooping on Emails and Application Data
       • Collecting Passwords
    15. Examples: More Than 50 Different Families in the Wild
    16. The High-End (scale: Low End to High End)
       • FinSpy – Gamma Group
       • DaVinci RCS – Hacking Team
       • LuckyCat – Chinese
       • LeoImpact
    17. The Low-End (scale: Low End to High End)
       • Starting at $4.99 a month! What a steal!
         – For iOS, Android, Blackberry, Windows Mobile/Phone, Symbian, …
       • Professional worldwide support
       • Very simple and mainstream
         – So simple that even your mother could use it
           • On your father
       • Available at a reseller near you!
    18. Spyphones: Varying Costs, Similar Results
       • From high-end to low-end
         – Difference is in infection vector -> price
       • End-result is the same
         – For $5, you get nearly all the capabilities of a $350K tool
    19. SPYPHONE DEMO
    20. Spyphones in the Wild
       • Partnered with worldwide cellular network operators:
         – Sampled 250K subscribers
         – Two separate sampling occasions
       • Infection rates:
         – March 2012: 1 in 3000 devices
         – October 2012: 1 in 1000 devices
    21. Spyphone Distribution by OS
       • iOS 52%
       • Android 35%
       • Symbian 7%
       • Unknown 6%
    22. Mobile OS Market Share (Comscore, March 2012) vs. Spyphone Distribution by OS
       • Market share: Android 51%, Blackberry 12.39%, iOS 30.79%, Symbian 1.40%, Windows Phone 7 and Windows Mobile 3.90%
       • Spyphone distribution: iOS 52%, Android 35%, Symbian 7%, Unknown 6%
    24. Secure Container Re-Cap
       • Secure Containers:
         – Detect JailBreak/Root
         – Prevent malicious application installation
         – Encrypt data
         – Dependent on the OS sandbox
    25. Opening the Secure Container (1)
       • JailBreaking (iOS) / Rooting (Android) detection mechanism
         – “Let Me Google That For You”
         – Usually just check features of JB/Root devices (e.g. is Cydia/SU installed)
       • Cannot detect exploitation
    26. Opening the Secure Container (2)
       • Prevention of malicious app installation (Android)
         – Targeted towards mass malware
       • Third-Party App restrictions
         – Should protect against malware
       • Has been bypassed
         – Both for Android and iPhone
    27. ANDROID DEMO
    28. Android Demo: Technical Details (1)
       • Install Malicious Application
         – Possible Vector
         – Publish an app through the market
           • Use “Two-Stage”: Download the rest of the dex later, and only for the targets we want
           • Get the target to install the app through spearphishing
         – Physical access to the device would also work
    29. Android Demo: Technical Details (2)
       • Privilege Escalation
         – We used the Exynos exploit. (Released Dec., 2012)
       • Create a hidden ‘suid’ binary and use it for specific actions
         – Place in a folder with --x--x--x permissions
         – Undetected by generic root-detectors
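An added example, not from the talk, of why slide 25's point matters to a defender: a known-path root check beside a permission-aware scan, both run over a constructed filesystem inventory (hypothetical paths) that contains a setuid helper hidden in a --x--x--x directory as slide 29 describes. An unprivileged scan cannot read inside that directory, so the second check treats the execute-only directory itself as the finding:

```python
import os
import stat
from collections import namedtuple

Entry = namedtuple("Entry", "path mode uid")   # mode = full st_mode bits

# Constructed inventory for the example (hypothetical paths, not from the talk):
# a stock-looking /system plus a setuid helper hidden in an execute-only directory.
INVENTORY = [
    Entry("/system", stat.S_IFDIR | 0o755, 0),
    Entry("/system/bin", stat.S_IFDIR | 0o755, 0),
    Entry("/system/bin/sh", stat.S_IFREG | 0o755, 0),
    Entry("/data/local/tmp", stat.S_IFDIR | 0o755, 2000),
    Entry("/data/local/tmp/.x", stat.S_IFDIR | 0o111, 0),
    Entry("/data/local/tmp/.x/helper", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
]
KNOWN_SU_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su"}
STOCK_SETUID_DIRS = {"/system/bin", "/system/xbin"}

def visible_to_unprivileged(entries):
    """What a detector running under an app uid can enumerate: entries whose
    every ancestor directory is world-readable."""
    modes = {e.path: e.mode for e in entries}
    def listable(path):
        parent = os.path.dirname(path)
        while parent != "/":
            if not stat.S_IMODE(modes.get(parent, 0o755)) & stat.S_IROTH:
                return False
            parent = os.path.dirname(parent)
        return True
    return [e for e in entries if listable(e.path)]

def naive_root_check(entries):
    """The 'Let Me Google That For You' detector: known su paths only."""
    return sorted(e.path for e in entries if e.path in KNOWN_SU_PATHS)

def setuid_anomalies(entries):
    """Flag setuid-root executables outside stock dirs, and execute-only
    (--x--x--x) directories: the scan cannot see inside, so the dir itself is the indicator."""
    findings = []
    for e in entries:
        perms = stat.S_IMODE(e.mode)
        if stat.S_ISDIR(e.mode) and perms == 0o111:
            findings.append(("execute-only-dir", e.path))
        elif (stat.S_ISREG(e.mode) and perms & stat.S_ISUID and e.uid == 0
              and os.path.dirname(e.path) not in STOCK_SETUID_DIRS):
            findings.append(("hidden-setuid-root", e.path))
    return sorted(findings)
```

A check like this still runs on a host the attacker already controls, which is slide 39's point, so treat it as one signal rather than proof of integrity.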
    30. Android Demo: Technical Details (3)
       • We listen to events in the logs
         – For <=2.3 we can just use the logging permissions
         – For >4.0 we access the logs as root
       • When an email is read….
    31. Android Demo: Technical Details (3)
       • We dump the heap using /proc/<pid>/maps and /mem
         – Then search for the email structure, extract it, and send it home
    32. Android Heap Searching
    33. IOS DEMO
    34. iOS Demo: Technical Details (1)
       • Install Malicious Application
         – Possible Vectors
         – Use the JailBreak just for the installation
           • Install signed code using Enterprise/Developer certificate
           • Remove any trace of the JailBreak
         – Or just jailbreak and hide the jailbreak
         – Repackage the original application
    35. iOS Demo: Technical Details (2)
       • Load malicious dylib into memory (it’s signed!)
       • Hook using standard Objective-C hooking mechanisms
       • Get notified when an email is read
       • Pull the email from the UI classes
       • Send every email loaded home
    36. Code Injection
       • DYLD_INSERT_LIBRARIES
         – Was very common previously, a bit harder now
       • MACH-O editing
         – Requires to resign code or leave device jailbroken
         – Number of tools to do the work for you
       • Objective-C Hooking
         – Objc_setImplementation….
    37. Objective-C Hooking
    38. CONCLUSIONS
    39. Secure Containers…Secure?
       • “Secure” Containers depend on the integrity of the host system
         1. If the host system is uncompromised: what is the added value?
         2. If the host system is compromised: what is the added value?
       • We’ve been through this movie before!
    40. Infection is Inevitable
       • MDM provides Management, not absolute Security
       • Beneficial to separate between business and personal data
       • Main use-case
         – Remote wipe of enterprise content only
         – Copy & Paste DLP
    41. Mitigating Spyphone Threats
       • Use MDM as a baseline defense for a multi-layer approach
       • Needs rethinking outside the box (mobile)
       • Solutions on the network layer:
         – C&C communications
         – Heuristic behavioral analysis
         – Sequences of events
         – Data intrusion detection
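As an added example (not from the talk), slide 41's "sequences of events" heuristic applied to the chain the Android and iOS demos describe: a mail message is opened, a different app reads the mail process or its logs, and that app then connects to a host outside the allow-list. The telemetry, package names, event names and hosts are constructed for the example:

```python
from collections import namedtuple

Event = namedtuple("Event", "ts app kind detail")

# Constructed telemetry for the example (hypothetical apps, hosts and event names).
EVENTS = [
    Event(100.0, "com.android.email", "ui.message_opened", "msgid=42"),
    Event(100.4, "com.example.helper", "proc.mem_read", "target=com.android.email"),
    Event(101.1, "com.example.helper", "net.connect", "host=203.0.113.9:443"),
    Event(180.0, "com.android.email", "ui.message_opened", "msgid=43"),
    Event(181.0, "com.android.email", "net.connect", "host=mail.corp.example:993"),
    Event(300.0, "com.example.backup", "proc.mem_read", "target=com.android.email"),
]

MAIL_APP = "com.android.email"
ALLOWED_HOSTS = {"mail.corp.example:993"}          # the mail client's legitimate server
READ_KINDS = {"proc.mem_read", "log.read"}         # ways another app can observe the mail app

def find_exfil_sequences(events, window=30.0):
    """Return (t_open, suspect_app, host) for each chain: mail opened ->
    another app reads the mail process or logs -> the same app connects to a
    host not on the allow-list, all within `window` seconds of the open."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, opened in enumerate(events):
        if opened.app != MAIL_APP or opened.kind != "ui.message_opened":
            continue
        readers = set()                      # apps seen touching the mail process
        for later in events[i + 1:]:
            if later.ts - opened.ts > window:
                break
            if later.app == MAIL_APP:
                continue                     # the mail client's own traffic is expected
            if later.kind in READ_KINDS and later.detail == f"target={MAIL_APP}":
                readers.add(later.app)
            elif later.kind == "net.connect" and later.app in readers:
                host = later.detail.split("=", 1)[1]
                if host not in ALLOWED_HOSTS:
                    alerts.append((opened.ts, later.app, host))
    return alerts
```

The lone read at t=300 raises nothing because no message open precedes it within the window and no outbound connection follows it.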
    42. THANK YOU! QUESTIONS? Email us at: