Nothing seen.
Nothing heard.
Nothing disclosed.
Everything Silent.
SILENT CIRCLE
About Silent Circle
Launched in 2012 by security industry experts
Phil Zimmermann – co-founder PGP
Jon Callas, co-founder of PGP Corporation & CSO Apple
Mike Janke – Seal Team 6
HQ in Columbia, MD
Committed to Secure, Private Communications
Silent Phone – Enterprise-managed secure talk, text, file sharing
Silent World – Global coverage + traditional telephone numbers
GoSilent – Portable Next-Gen Firewall + VPN
• Financial, Utilities, Logistics, Legal, Healthcare, Government, IoT
Cybersecurity Risks in the Mobile Environment
• Real-world financial case studies
• The forgotten risks of using smartphones as phones
• Practical steps to protect the organization
• Presentation by Dr. Hamilton Turner, CTO
• 10+ years of mobile security experience
Stories From the Silent Circle
• Four real Silent Circle customer cases
• All financial or investment firms
• Most based in NY
• Events span 2015 to 2018
Case 1: Intercepting Board Calls To Short Stock
• Very large public fin. services company
• Mid 2015, preparing to announce quarterly loss
• Board meeting scheduled in Manhattan office
• Multiple pre-meeting phone calls to strategize
• Targeted by well-known organized crime
• Rogue cell towers were installed near NYC office
• Calls & SMS were intercepted
• From many levels e.g. C-level, assistants, others
• Stock shorted, criminals gained 30M
• FBI caught & convicted criminals
Case 2: Widespread Intelligence Gathering
• Early 2017, NYC Police detect Russian mafia activity focused on multiple financial services companies
• Brooklyn-based criminals were tapping cell phones
• Both phones and network towers were targeted
• Numerous companies included – dragnet approach
• Concluded goal - intelligence gathering with intent to damage reputation
• Attacks were not detected or reacted to in real time
• Main conclusion came after criminals stole significant data
Case 3: M&A Espionage
• Large investment bank
• Late 2017 – detected compromise of CEO & COO devices
• Traditional voice communications were recommended
• 3rd party apps were intercepting voice
• IA determined multiple M&A opportunities were affected
• Including multiple that were not closed successfully
• IA response included recommendation for secure voice telecommunications
Case 4: On-device Call Interception
• Ongoing
• American-based multinational financial services
• Early 2018
• Malicious application on-device
• App intercepts outbound calls and switches the telephone number to fraudsters
• App intercepts inbound fraudster call and shows bank logo
Understanding the Mobile Ecosystem
• The three pillars of secure mobile
  • Mobile Device
    • Hardware, OS, Security APIs
  • Applications
    • Securing Distribution & Execution, Prevent Forgery & Misleading Actions, App Management
  • Network
    • Call interception, call monitoring, message interception, monitoring
• Disproportionate focus on two pillars – securing the network is hard!
What about the network?
“As early as 1996, members of Congress experienced calls being illegally intercepted, however no technological solution to this problem has been systematically deployed and it remains to this day.”
April 2017 Dept. Homeland Security. Study on Mobile Device Security
“In the United States, there are no regulations requiring carriers to run encryption or provide privacy protections to users on their networks”
“The caller ID display is unauthenticated and can be made to display any data, including fraudulent information.”
“[mobile devices] remain fully functional when running on non-encrypted networks; no notification is provided to the user when operating in this mode.”
What about the network?
“LTE standards do not provide confidentiality protection for user traffic as the default configuration”
“integrity protection for user traffic is explicitly prohibited”
“…security capabilities provided by LTE are markedly more robust [than previous]…yet [LTE systems] coexist with previous cellular infrastructure.”
“Current mobile devices do not provide the option for a user to know if their [device’s] connection is encrypted...”
December 2017 NIST SP 800-187 Guide to LTE Security
[1] Jian A. Zhang, Peng Cheng, Andrew R. Weily, Y. Jay Guo. 2014. Towards 5th Generation Cellular Mobile Networks. Australian Journal of Telecommunications and the Digital Economy, Vol 2, No 2, Article 34. http://doi.org/10.18080/ajtde.v2n2.34. Published by Telecommunications Association Inc. ABN 34 732 327 053. https://telsoc.org
Is Old News still News?
• To security professionals, telecommunication risk is nothing new[1]!
• Why hasn’t this situation changed (drastically)?
• Thousands of companies in hundreds of countries
• Tens of technologies
• ~4.7 billion deployed phones
• 2G/3G fallback is consistent – GSM is still prevalent
• Making cellular networks at scale is very hard work
• CVEs may not exist – pentesting can be illegal!
[1] April 2016, NISTIR 8071. Jeffrey Cichonski (NIST), Joshua Franklin (NIST), Michael Bartock (NIST). LTE Architecture Overview and Security Analysis
http://theinternetofthings.report/Resources/Whitepapers/8965b6c5-40e0-448b-950a-a3adc428144b_The%20Global%20State%20of%202G,%203G,%204G,%20and%205G.pdf
Is Old News still News?
• Why has this situation changed, drastically?
• Access to low-cost radio hardware
• In 2014
• “Baseband attacks are considered extremely difficult”[1]
• “system costs as much as $400,000”[2]
• In 2016, GSM IMSI Catcher for $1400[3]
• In 2018, “The cost of the hardware is about €1,250…”[4]
• Ettus USRP, HackRF, BladeRF, etc
• Prevalence of readily-available software
• OpenBTS, OpenBSC, OpenLTE
• Proactive nation-state attackers[5] put backhaul & core at greater risk
[1] https://www.welivesecurity.com/2014/08/28/android-security-2/
[2] https://resources.infosecinstitute.com/stingray-technology-government-tracks-cellular-devices/
[3] https://securityaffairs.co/wordpress/41513/hacking/low-cost-imsi-catcher-lte.html
[4] https://www.evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/
[5] https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/
“Call me on the phone, I don’t want to write this down”
• Voice communication is frequently less secure than Wi-Fi
• But fewer CVEs – pentesting can be illegal
• Also…the logs are only in hands of MNOs/malicious entities
• Passive monitoring of un/poorly-encrypted air-traffic
• From ground or space!
• Calls or messages, device tracking
• Rogue towers
• Active intercept
• Downgrade, de-auth attacks
• Backhaul / Core network attacks
• No end-to-end security of user data
• User data can be sniffed from core network
• Malicious attacks on carrier
• Malicious carrier
But isn’t LTE more secure?
• GSM is still the most common global connection
• Smart jamming 3G/UMTS and 4G/LTE triggers fallback to 2G/GSM
• Regardless of LTE, the device is not secure due to fallback
• Rogue base stations are still very real
• LTE has poor support for user data security
• By default, no user data encryption
• Disallows user data integrity
• No notice to user about non control connection
• No regulations about backhaul/core network
• Prior evidence of nation-state interest here
• Lack of confidentiality – sniff SMS/call traffic
• Physical access is always a weakness
• Geographic deployment of PKI onto towers
• Femtocell-based key theft
• No clear mandate forcing secure backhaul
[Figure: Global LTE Availability, Feb 2017. Source: https://opensignal.com/reports/2018/02/state-of-lte]
What should an enterprise do to protect itself?
• Select ‘secure communication’ tools for your organization
• Multiple over-the-top options
• Many are easy to use
• Silent Phone supports management, PSTN integration, etc
• Review your sensitive communication policy
• NIST SP 800-171 - Compliance impossible with LTE-based cellular networks
• ISO 27001 – Does not address cellular well, but A.9.2.3 is difficult
• Short answer – recommend a ‘sensitive calling’ app
• Train your employees
• Traditional voice calls are insecure
• Traditional calls are being attacked
• Use a ‘secure communication’ tool
Steve Davis | Silent Circle
Silent Phone stephendavis
Office 646.681.6841
Mobile 908.285.4525


Editor's Notes

  1. For the first two pillars, you will find tens of companies, and Gartner quadrants. For the network….not so much ;-) To be fair, global rollout of LTE is fairly high – 450+ networks before 2015
  2. If you’re saying that to skirt compliance, let me remind you that the folks who would get a record of your conversation are exactly the type of individuals interested in your decision to skirt compliance