The 7 insecure habits of highly effective smartphones and tablets 2 November 2011, Infosecurity.nl seminar Pieter Ceelen Marc Smeets

Upload: smeetsm1

Post on 18-Nov-2014


Page 1: The 7 Insecure Habits Of Highly Effective Smartphones P.Ceelen & M.Smeets Infosecuritycongress Nov2011

The 7 insecure habits of highly effective smartphones and tablets

2 November 2011, Infosecurity.nl seminar

Pieter Ceelen

Marc Smeets

Agenda

Intro

■ Who are we?

■ What’s the buzz?

The 7 insecure habits

Solutions

Wrap up

© 2011 KPMG Advisory N.V., a Dutch limited liability company, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.

Who are we?

Pieter Ceelen

■ Loves hacking, cooking and reading books

■ Android user

Marc Smeets:

■ Loves fast cars and champagne (not together)

■ Loves IT security

■ Apple user

Ethical hackers @ KPMG IT Advisory

■ Team of over 15 IT security testers

■ Combining strong technical skills with IT auditing skills

■ Translating impact of deep technical issues to management, from bit to board

What’s the buzz?

History

■ Blackberry served the corporate world

■ As of 2007, major growth in smartphone market share (iPhone, Android)

Recent years

■ Explosion of smartphone penetration

■ Emergence of tablets

■ Corporate and private phones get mixed: “Bring your own device”

Recent years

■ Intuitive/Usable interface

■ Internet/cloud integration

■ Affordable pricing

[Figure: Share of worldwide 2011 Q2 smartphone sales to end users by operating system, according to Gartner. Image from Wikipedia, user Eraserhead1]

The 7 habits

Habit 1: I don’t know where my data is

Habit 1: I don’t know where my data is

[Diagram labels: Corporate Exchange services; Mobile Device Management; Internet; WiFi / UMTS / GPRS; Devices]

Habit 1: I don’t know where my data is

[Diagram labels: Corporate Exchange services; Mobile Device Management; Internet; Internet services; Web; Local network services; Network; WiFi / UMTS / GPRS; WiFi / USB; USB; Bluetooth; Devices; Cloud; Corporate / private; Peripherals]

Habit 1: I don’t know where my data is

Habit 2: ActiveSync doesn’t make all secure

Habit 2: ActiveSync doesn’t make all secure

ActiveSync:

■ “Exchange ActiveSync is a Microsoft Exchange synchronization protocol that's optimized to work together with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML [..] enables mobile phone users to access their e-mail, calendar, contacts, and tasks”

■ De-facto standard, widely supported by devices.

ActiveSync can perform security checks:

■ Require password

■ Length of password

■ Require encryption on device

■ Etc.

Habit 2: ActiveSync doesn’t make all secure - cont.

Two major security issues with ActiveSync

■ 1. ActiveSync checks are device local security checks

■ 2. It relies on XML over HTTP(S)

1. Security checks are device local security checks

■ ActiveSync server asks: “Do you have a screen lock?”

■ Device answers: “Yeah, sure! Now give me the latest emails.”

Habit 2: ActiveSync doesn’t make all secure - cont.

Two major security issues with ActiveSync

■ 1. Security checks are device local security checks

■ 2. Relies on XML over HTTP(S)

2. Relies on XML over HTTP(S)

■ Man-in-the-middle attacks

– HTTP is clear text

– HTTPS allows for rogue certificates

■ Intercepted data contains:

– sync data (e.g. Email data)

– Authentication data!

Pictures removed as they contain detailed info of end user. The pictures showed:

• Details of rogue certificate shown on iPhone after SSL man-in-the-middle attack on ActiveSync session

• Details of attack with harvesting of credentials

Habit 1: I don’t know where my data is

Habit 2: ActiveSync doesn’t make all secure

Habit 3: Disk encryption doesn’t keep my data secure

Habit 3: Disk encryption doesn’t keep my data secure

Disk encryption is iOS only, Android has no official disk encryption yet.

iOS Disk encryption:

■ Technically it is hard disk encryption

■ But it decrypts itself without user input

■ Main reason: fast wiping via crypto-shredding

Better solution is encryption based on:

Something you know (passcode) + something you have (crypto chip) -> Data Protection

Critical flaws in iOS allow for retrieval of all data on an iOS device if stolen.

Habit 3: Disk encryption doesn’t keep my data secure

Pictures removed as they contain detailed info of end user. The pictures showed:

• Tooling used for gaining physical access to data of iDevice with known exploits also used for jailbreaking

• Keychain items without Data Protection cracked

• Brute force cracking of passcode on device with tooling

• Decrypted keychain items after decoding with cracked passcode

Habit 1: I don’t know where my data is

Habit 2: ActiveSync doesn’t make all secure

Habit 3: Disk encryption doesn’t keep my data secure

Habit 4: Theft is an issue, despite remote wipe

Habit 4: Theft is an issue, despite remote wipe

Remote wipe procedure:

■ 1. End user or administrator commands the device to perform a wipe

■ 2. Smartphone receives a message and performs the wipe

Implementation differences between systems

■ iOS: Push notifications from Apple’s servers

■ Android: Web or SMS messages (custom apps)

■ ActiveSync: On the next sync attempt the device receives a wipe command

What if the device never receives the wipe message?
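
The delivery model described above, as an added example that is not from the original slides: with a sync-delivered wipe the command only takes effect when the device next contacts the server, so the server side has to track wipes that were issued but never fetched. The class and method names, the 24-hour threshold and the sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class DeviceState:
    wipe_issued: Optional[datetime] = None     # admin or user requested the wipe
    wipe_delivered: Optional[datetime] = None  # device fetched the command on a sync
    wipe_confirmed: Optional[datetime] = None  # device reported completion (self-reported)
    last_sync: Optional[datetime] = None


class WipeTracker:
    """Server-side view of a sync-delivered remote wipe (hypothetical model)."""

    def __init__(self):
        self.devices = {}

    def _state(self, device_id):
        return self.devices.setdefault(device_id, DeviceState())

    def issue_wipe(self, device_id, at):
        # Step 1 of the procedure: the command is only queued on the server.
        self._state(device_id).wipe_issued = at

    def record_sync(self, device_id, at):
        # Step 2 can only happen here: the device has to contact the server.
        st = self._state(device_id)
        st.last_sync = at
        if st.wipe_issued and st.wipe_delivered is None:
            st.wipe_delivered = at
            return "WIPE"
        if st.wipe_delivered:
            return "BLOCKED"  # no further data for a device that was told to wipe
        return "SYNC_OK"

    def record_wipe_confirmation(self, device_id, at):
        self._state(device_id).wipe_confirmed = at

    def status(self, device_id, now, max_wait=timedelta(hours=24)):
        st = self._state(device_id)
        if st.wipe_issued is None:
            return "no-wipe-requested"
        if st.wipe_confirmed:
            return "confirmed"
        if st.wipe_delivered:
            return "delivered-unconfirmed"
        if now - st.wipe_issued > max_wait:
            return "undelivered-overdue"  # the device never came back to fetch it
        return "pending"


def run_sample():
    """Constructed events: phone-a syncs again after the wipe, phone-b stays offline."""
    t0 = datetime(2011, 11, 2, 9, 0)
    tracker = WipeTracker()
    tracker.record_sync("phone-a", t0)
    tracker.record_sync("phone-b", t0)
    tracker.issue_wipe("phone-a", t0 + timedelta(hours=1))
    tracker.issue_wipe("phone-b", t0 + timedelta(hours=1))
    reply = tracker.record_sync("phone-a", t0 + timedelta(hours=2))
    tracker.record_wipe_confirmation("phone-a", t0 + timedelta(hours=2, minutes=5))
    now = t0 + timedelta(days=2)
    return reply, {d: tracker.status(d, now) for d in sorted(tracker.devices)}


if __name__ == "__main__":
    print(run_sample())
```

A device reported as `undelivered-overdue` still holds whatever it had synced before the wipe was issued.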

Habit 4: Theft is an issue, despite remote wipe

Habit 1: I don’t know where my data is

Habit 2: ActiveSync doesn’t make all secure

Habit 3: Disk encryption doesn’t keep my data secure

Habit 4: Theft is an issue, despite remote wipe

Habit 5: Jailbreaking isn’t only for hackers

Habit 5: Jailbreaking isn’t only for hackers

Jailbreaking (iOS) = removing the ‘jail’ Apple has put in

■ Install Apps Apple did not approve

Rooting and custom roms (Android)

■ Rooting = gaining root level access to device

■ Custom rom = custom OS (faster, newer, better)

Jailbreaking and rooting can be done via running applications and via boot loader

It is not that hard!

Habit 5: Jailbreaking isn’t only for hackers

Habit 1: I don’t know where my data is

Habit 2: ActiveSync doesn’t make all secure

Habit 3: Disk encryption doesn’t keep my data secure

Habit 4: Theft is an issue, despite remote wipe

Habit 5: Jailbreaking isn’t only for hackers

Habit 6: Quality assured AppStore doesn’t prevent malware and viruses

Habit 6: Qa’ed AppStore doesn’t prevent malware and viruses

Google checks:

■ Are you a developer? Was the 25 dollar developer fee paid?

■ Are users complaining once released?

■ Afterwards: remove known rogue apps remotely from device with ‘kill switch’

Apple has ‘strict’ checks in AppStore

■ Some security checks on code

■ Adhere to Apple’s guideline

■ Brand / trademark protection

Android allows installing apps from non-Google app stores with a few clicks

Habit 6: Qa’ed AppStore doesn’t prevent malware and viruses

Habit 1: I don’t know where my data is

Habit 2: ActiveSync doesn’t make all secure

Habit 3: Disk encryption doesn’t keep my data secure

Habit 4: Theft is an issue, despite remote wipe

Habit 5: Jailbreaking isn’t only for hackers

Habit 6: Quality assured AppStore doesn’t prevent malware and viruses

Habit 7. Google and Apple don’t fix security issues in time

Habit 7. Google and Apple don’t fix security issues in time

Android

■ Security updates rely on Google, device vendor, telco and user

■ Major releases lagging by over 6 months

■ Average device gets less than a year of security updates

■ Some currently sold devices are already 2 major releases behind

■ Distribution “over the air” or via USB cable

■ No clear statements from vendors on support

Apple

■ Security updates rely on Apple and user

■ Less diversity, more enforcement by Apple

■ Critical security issues not fixed in release updates

There are even more habits

Habits we didn’t even mention

■ Life cycle and diversity

■ App permissions

■ Legal

■ iTunes and mp3s on corporate computer

■ Privacy and geotracking

■ Publishing apps by your organisation

■ Unauthorized apps that use your branding/website

■ Technical vulnerabilities

■ Asset management processes

■ User awareness and security incident reporting without a phone

Solutions

Solution 1: Fine grained security checks

Fine grained security checks

Functionality

■ Additional security checks on device, for example:

– Jailbreak detection

– Application/malware checks

■ Data processed using regular device software

Pro

■ Native apps

Con

■ Various risks not fully mitigated, e.g. remote wiping, malware, encryption risks

Solution 1: Fine grained security checks

Solution 2: Virtualization

Virtualization

Functionality

■ Two operating systems:

– playground

– hardened environment under full control of a central Management environment

Pro

■ Native apps

Con

■ Various risks not fully mitigated, e.g. remote wiping, malware, encryption risks

■ Hypervisor specific attacks

Solution 1: Fine grained security checks

Solution 2: Virtualization

Solution 3: Secure container

Secure container

Functionality

■ All data encrypted on device

■ Application includes functionality for rendering Word/Excel files, intranet

■ Encryption between app and corporate network

Pro

■ Data always encrypted, prevents various security issues

Con

■ Attacks on secure container, e.g. implementation flaws

■ Attacks outside container, e.g. key loggers and screen scrapers

Solution 1: Fine grained security checks

Solution 2: Virtualization

Solution 3: Secure container

Solution 4: Remote desktop

Remote desktop

Functionality

■ Render view/desktop from remote system

■ No data stored on device itself

Pro

■ No data on device

Con

■ Usability, e.g. App interface

■ Availability, e.g. working in an airplane

■ Attacks outside container, e.g. key loggers and screen scrapers

Wrap up

Wrap up

Enrolling mobile devices results in new risks

■ Broader than expected, e.g. legal, technology, cloud integration, backups

■ Security controls work differently on mobile devices

Technical Solutions

■ Different security architectures to reduce risks of mobile devices

■ No technical solution fixes it all, mitigate risks by people, processes and technology

How to continue

■ Perform risk assessment before implementation

■ Consult with relevant experts

■ Implement security controls for people, process and technology

■ Test effectiveness of security controls

■ Stay up-to-date with recent developments

Thank you

Presentation by :

Marc Smeets MSc. CISSP, [email protected], +31 6 513 66680

Pieter Ceelen, [email protected], +31 6 515 72696

© 2011 KPMG Advisory N.V., a Dutch limited liability company, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.

The KPMG name, logo and ‘cutting through complexity’ are registered trademarks or trademarks of KPMG International.