Mobile device risks and mitigation
Sys admins, learn how to assess and mitigate cyber threats on your network when working with mobile teams and bring-your-own-device models.
- Mobile Security
- Exposure from Unmanaged Mobile Device
- Exposure from Unmanaged Mobile Device Part 2
- Securing Devices with MDM
- Man in the Middle Attacks
- Performing an Impersonation Attack
- Executing a Remote Exploit
- Trojan Horse Exploit
Exposure from Unmanaged Mobile Device
Episode Description
In this episode, Ronnie and Don discuss and demonstrate the exposure we have from unmanaged mobile devices within a managed network. Don describes some of the problems with them as well as the possible attacks. He then demonstrates how the built-in security on an Apple device works to protect the device by segregating applications, isolating the communication between an application and iOS, and not allowing direct communication between applications.
Welcome to ITProTV. I'm your host Don Pezet.
>> [CROSSTALK] [MUSIC]
>> You're watching ITProTV.
>> Welcome to ITProTV, you're watching emergent technology security demonstrations. We're specifically gonna be diving into the realm of taking a look at exposures that we can get from unmanaged devices. I'm your host Ronnie Wong and here to help us out is gonna be Mr. Don Pezet. Don, welcome back to the show.
>> Thanks for having me, Ronnie. And yeah, in this episode like Ronnie said, we're gonna take a look at what it means to us, as administrators, if we have to deal with a network that allows for unmanaged mobile devices. And, let's start right there with what the heck is an unmanaged mobile device and we'll kinda get into the risk afterwards. We have this new movement going on right now that's called the BYOD or bring your own device movement. In the past, like when I think about it, when I got out of college, got my first IT job and went to work for a company, they issued me a company laptop and I had a company desktop. And so, when I was at work I used the company desktop and when I was at home I used the company laptop. And then, after a little while I was issued a company cellphone. And, if I made work phone calls I used my work cellphone. And, if I made personal calls, I used my personal cellphone, if I even had one back then, I don't think I even had one. So, that's how it was back in the day. Well the nice part about that is, because these were work devices, they were completely controlled by the company. The company had total control and they could dictate what applications were allowed to run, what permissions I had. Every aspect of that device, and that device's security, was dictated by the company. But, over time, right, we had a lot of people where, like me, I used a BlackBerry for ten years, I used a BlackBerry and just thought it was the greatest thing. And then the iPhone came out and the iPhone did so much more than the BlackBerry did.
And then, the Android phones came out and they did so much more and I wanted to switch to one of those, right?
>> [LAUGH]
>> And so, I went and bought my own. I did the first generation iPhone and then the first generation Android phone. And now, I had these phones that I liked better than my work phone. And when I got to the office, I didn't wanna use the work phone. I wanna use my phone.
>> [LAUGH]
>> Or, maybe I had a laptop that was better than the one they issued me for work and I wanted to use my own. But I couldn't because at the office, they required us to use the work device, right, that ensured security. But that started to change. In the last five to ten years, companies have started saying, wait a minute. If these people wanna buy their own phones and they're willing to pay for it, we could save money. We could let them bring their own device and use it for work. This is genius. Now we don't, we don't have to do warranties, we don't have to do any of that stuff. They pay for it and they're willing to do it, and they're happy to do it, 'cause they get the device they want. That's a, that's a win-win, right? Company saves, people get the device they want, that's perfect. But it comes with a risk. And the risk is, when somebody brings their own device, the company doesn't control it, they can't control what apps are on it. They can't control whether it's secure or not, whether it's being updated. They can't control any of that. And now, you might have people who, yeah, they're bringing their own device, you save a little money. But, they compromise your network, right? We can really run some big risks by allowing these unmanaged devices. And so, when that happens, what are some of our biggest risks? Well, the biggest risk is leaking your corporate data, right. And nowhere do we see this more than email. All you have to do is turn on the news to find out that celebrity acts or politician wise had their email compromised and some of these read through all of it.
That, if I'm checking my company email on my personal phone, and my personal phone gets stolen or gets lost, and it wasn't secured, somebody who finds that phone now has access to all of my email. And what can the company do about it? Nothing at that point, the device is already gone, right? They lost their opportunity to control it. That should have been a managed device, one that the company controlled, but it wasn't. And in super critical high secure environments, it will be a device, right? Think about the president right, when President Obama was elected, or President Trump, the news made a big deal out of both of them with their cell phones. They had their personal cell phones they really liked. And the government had to switch them to one of the black phones. The secure phones, because just a regular consumer grade phone is not gonna do for the President of the US so, they had to switch to a secure phone. That is a reality, right, for high security environments. But if you're a medium size company, or even a large business, you can save a lot of money by having people bring their own devices, you just have to be smart about it. You have to secure them, protect them, and ensure those devices are configured in a secure manner. And the best way to do that is to manage them. Now in the next episode, we're gonna take a look at actually using what's called mobile device management, allowing us to manage those devices. But before we get into that, let's talk a little bit about the security features in the phones themselves that are supposed to be helping us secure things.
>> All right so, Don, help us out here. Now that we've got these types of our own unmanaged devices, what are some of the attacks that we're really looking out for when we're doing this inside of our networks?
>> Okay, so I mentioned not really an attack, but a risk a minute ago. I said, what if somebody loses their phone? I could find the phone and exploit it or get the data out of that phone.
Well, that's not really a purposeful attack. That's a chance occurrence. I just happened to find a phone, great. But if somebody wants to target your company and they know that you're using unmanaged devices, devices that have been brought in by end users and they're managing themselves, then there's a ton of attacks that are available. They can target them through a number of things like Rogue App Stores and push Trojan Horses and malware and things like that onto a phone to start tracking and leaking data out of that device. A remote exploit is probably one of the biggest risks. We'll see in another demonstration coming up. We've got jailbreaking. End users will sometimes intentionally make their phones less secure, right, take an iOS device. When you buy an iPhone or an iPad, an iOS device, it can only run applications pulled from the Apple App Store, from the iTunes App Store, or whatever. Or, applications that have been digitally signed by a trusted company, so a company can push their own applications without going through the app store. But everything else has to come through the app store unless the user jailbreaks their phone. If they jailbreak it, now they can install apps from anywhere. And maybe they wanna run things like video game emulators. You can't run those on an iPhone normally. But you can pull them from these alternative app stores if you jailbreak. And the risk there is, when you jailbreak, you're weakening the security of the phone and that can be taken advantage of very, very easily. That's something we just can't allow in a corporate environment, weakening security too much. Surveillance, if an attacker gets physical access to a phone, even for a moment, there's a number of different exploits they can apply to the phone, to set it up for remote surveillance, right? And I'll show it in an episode later on here, where we take a phone and we remotely exploit it, we inject malware into it via a webpage.
And once that's done, we can open up a session, and do things like turn on the microphone, and listen to what's going on on that phone, in that area. We can record what's on the camera, we can send text messages from that phone. You can do all sorts of things, remotely. And from a surveillance perspective, it's perfect because you've got a GPS on the phone, so you can track where people are going. You've got a microphone, you've got a camera. So now, you've got eyes and ears on the person. You know exactly where they are, all because that phone got exploited. We definitely don't want that. You might have security personnel that monitor your physical building, and if they're bringing their own device and those devices are being compromised, now someone could determine where the security guards are at a given time and use that as part of a physical break-in into a facility. Those are things that aren't just possible, these are things that have already happened, right? There are documented cases of these events occurring. So definitely something we need to be aware of. And then lastly, data tampering. That if somebody has access to your information, if they can get into the phone's data, they can tamper with it. A Trojan horse is an example where we modify an application to then phone home back to us and send information, leak data, whatever, that we can tamper with the applications on a phone or just our regular data. I might be having email records or other files and folders stored on my phone. We can start to modify those records. These are all risks that we have when a phone is not properly secured and even a heavily secured phone can be at risk to some of this, if it's not secured properly. We have to keep it patched and updated and all the things that we know we're supposed to do but a lot of people don't.
>> Now, Don, you make it sound fairly dangerous to actually have an unmanaged device. But don't the devices themselves have some form of security that we can use?
>> They do, right? So phones actually do a lot to secure themselves. But in an unmanaged device, right, so if I go to the store and I buy my own phone, I now manage it. Not my company, I do. And as the end user, I can start to turn off those protections, right? Think about a lock screen. If I wanna unlock my phone, most phones have a method of doing this, right? And it could be as simple as not having a lock screen. You push the power button and your phone is on and now you're in and off you go, right? Or maybe it's a number pad, right? So you turn the phone on and you've gotta punch in a code to be able to get in, or draw a pattern to get in. Or maybe it's a fingerprint scanner, a little more advanced, right? That's what I use on my phone. So if I turn my phone on I've gotta use my fingerprint to unlock it. That really helps secure it. If I lose my phone, I leave it in a cab somewhere, somebody else could find it but unless they have my code, they're not gonna get at my data. So that's safe, but if it's my phone, I can turn that off. I can turn the fingerprint scanner off. I can turn the number code lock off, pattern lock, whatever it is. And in fact, they're usually off by default. So phones take steps, they take precautions, but a lot of times users don't take advantage of them. And that's where managing the devices comes in. Because a company can come in with a management policy and they can say look, your phone has to have a lock screen, it's required. And it has to use either a fingerprint or a six digit PIN, not a four digit, a six digit, right? You can dictate policies like that and your phone has to be encrypted. And you know that almost every phone sold today supports encrypting the file system. But most of them don't do it out of the box. And the reason they don't is for performance.
They want the phone to run fast so when the user buys it at the store, they see this snappy new fancy phone that runs nice and fast, but if they turn on encryption, it's more secure, which runs a little bit slower, right? Well for a regular end user, they might not care about encryption, they might not care, they want it to go fast. Versus a company which'll say, hey, we'll gladly sacrifice a little speed to encrypt it. Now that's rapidly changing. The newest iPhones are all encrypted by default. So that's a new kind of thing that's come out in the last year. We're starting to see Android phones that are doing the same. But it's a rare Android phone that encrypts the SD card by default. In fact many of them don't even support encrypting the SD card, which is a shame. So there are areas where things can still be weakened, and maybe weakened in their basic configuration, right? But there's other things that phones do to try and help protect us, right? And the main example I want to give of that is sandboxing, that when you buy an Android phone, or an iOS phone, they both implement a sandboxing system. And sandboxes are ways of isolating applications, creating fences in between applications. So if I run one program, and maybe it's my email program, it's got all my email in it. And then I run another malicious program, maybe least somehow I managed to get a malware program installed, that by default, iOS and Android will not allow the malware program to access my email. And it won't be able to come over and gain access to that data, they're isolated, they're in their own separate little worlds. But it's not a perfect system because we need applications to be able to talk to each other, right? For example, maybe Ronnie emails me a PDF, okay? So, I fire up my email program and I see, Ronnie sent me an email and here's this attachment, it's a PDF. I need to open it in my PDF reader. Well, now I need my email client to be able to talk to my PDF reader, don't I?
I need those applications to talk so that I can open that up. And the vendors have found kind of some creative ways to do that securely. And one of the best examples is how Apple handled it with iOS. They do a great job of securely controlling access in between the applications. So every program runs in its own little isolated area and then there's very, very limited access, technically there's no access allowed between the applications. Let me show you, it's probably easier for me to show it than to just talk about it. I'm gonna connect into an iOS device here real quick. And what I'm doing is instead of using the fancy graphical user interface that most people are used to, I'm going into the actual shell, so the actual back end of the operating system on this phone. And I want to show you guys how applications are stored. Now, in order to gain this type of access, I had to jailbreak the phone. Normally, you don't have access to the backend file system. You can't gain root access, like you see I'm logged in here as root. Normally you wouldn't have that ability. So, I had to jailbreak the phone to do it. But it's my device, so I did it, I just jailbroke it. It's easy, right? But in a corporate environment, this is bad. Because the access that I now have is the access an attacker would have if they got a hold of this device. Or if I configure it incorrectly, they might even be able to get this access over the network. I am doing SSH over the network here and there's no reason somebody else couldn't do it either, and so now they might have access. There could be other people logging into this iPad right now without me knowing it. Hopefully not. [LAUGH]
>> [LAUGH]
>> All right, so here I am in this iPad and I'm in a folder, /var/root, which is just the folder for the root user. It's kinda like the root user's home directory. Well applications on an iPad, and iPads and iPhones run the same operating system. They run the iOS, the Apple iPhone operating system.
Even though it's an iPad, it runs the iOS. So, they run the same iOS and on the iOS, you have a root user which is the super user. And technically you should never have access to it like what I have right here. All the applications actually run as another user. They run as a user called mobile and so every program is running as a non-super user, so a user that doesn't have root access. So that's security protection number one. And then number two, they each have their own isolated little environments. If I browse around on this file system, I can see a couple of different things. So I'm in /var/root. If I go into /var/mobile, that's the folder for the mobile user and its Home folder and its Information. And so if I take a look in there, I'll see Containers, Downloads, Media, Documents, Library, right? These are all files and things that pertain to that user, the mobile user. So when you pick up an iPhone, a brand new iPhone, and you sign in with your Apple ID and all that, you're actually logging in as this user called mobile. Even though you have your own Apple ID, everybody's using the same user. But it's not like where it has the same password across all the devices, every device kind of leverages its own credentials like that. Now this mobile user exists inside of the sandbox. And the sandbox has three kind of containers that are inside of it. All right, one container is the application container. That's where the applications actually reside and the apps are stored in a different folder altogether. I'll show you that one here in just a moment. Then we have the data container and what I'm looking at right here is actually the data container where I see Documents, and Library, Containers, Downloads. This is the data container. And inside of the data container, there will be individual containers for each application, we'll see in just a moment. And then lastly there's the iCloud container.
Now I can't show you the iCloud container cuz that's a completely protected system that's synchronized with Apple's iCloud. But iCloud has its own storage, and it's completely protected so that you can't modify it without passing through the iCloud APIs to do it. So I don't see it represented here in the file system. All right. But, what I am seeing is user data that pertains to this particular user. Now, when I install an application, it's really important that applications don't get modified, that they don't get tampered with. So Apple does two things. First, they put it in protected storage. The applications are actually stored in /var/containers/, all right, so the applications are stored in a separate folder outside of the mobile user. So the mobile user does not have write permission to this folder. They can't change the files. When you install an application, it's the iOS on the back end that's installing it, and then the mobile user just has read access to that application. So they can't tamper with an application once it's in there. And even if they could, the applications are digitally signed. And so, when we come in here, and I'm gonna switch into the Bundle folder. So now I'm in /var/containers/Bundle, and I take a look inside of here. Actually, I think there was one more folder. Yep, I need to get into Application. There we go. So /var/containers/Bundle/Application, and when I look in here, I'm going to see really long folder names, right? And what these are are GUIDs, right? Globally Unique Identifiers. Each application gets its own GUID. And they need that because they're all going to be digitally signed. They have a digital signature applied to each application. And where it gets really interesting is if Ronnie installs an app on his phone and I install the app on my phone, they'll have different GUIDs, and they'll have different signatures, so we can't kinda piggyback off of each other as we tamper with these things.
So, if I tamper with one of my devices, the digital signature fails, or if I tamper with the application itself the signature fails. And we'll know it's a compromised application, right, so it won't be allowed to run. But if I take a look at these folders, I'm just gonna use the date here to figure out. I installed Pokemon Go.
>> [LAUGH]
>> That's gonna be my test app for this show here. It's fairly popular right now. So, I installed it on April 2nd. I'm gonna switch into that folder. And inside of that folder, we're going to see, there it is, pokemongo.app, right? And when I look at that file, pokemongo.app, it's 1.5 kilobytes in size, well, that's because this is a directory, right? The bundled application is actually stored in a directory. And then if I go inside of it, I'll see the data inside. But pokemongo.app, that's the actual application right here. And if I get into its folder, which I can do like this, there we go. Now I'm actually seeing the graphics assets for that file and the true application, which is down there at the bottom. See Pokemon Go, 54 megabytes? That's the actual application. And the user and group that owns it, the install daemon, right. So _installD. That's the install daemon. It's a service that runs in the background, and it's what actually did the installation, and it's what controls access to it. But if you look at the Unix permissions on the side, you've got RWX, RXRX. That means the owner, installD, has read, write and execute. The group, which is installD, has read, write, and execute. And everyone else has read and execute. So regular users can launch the application, but they can't modify it, right, so that's important. And even if they could modify it, it would damage the signature. So this is the application container, the application is isolated right over here. If I switch back to /var/mobile and get back here, this is the user, and if I get into the Containers folder right in here, I'm gonna see Data and Shared, okay.
There's two different folders here for data for applications. The Data folder is isolated for each individual application, Shared is the data that is allowed to be exchanged between applications. And on most iOS devices you'll find where Shared is completely empty. That there is very, very little data that's allowed to be shared between applications. So for the most part, you're gonna not see much in there. It's usually like Game Center junk that we don't care about anyway. But if we go into Data, into here, now we can start to get into our data containers. And there's an Application folder in here, just like before. I always forget that Application folder. And let me get into it. And what we're going to see in here is another giant list of GUIDs basically that are coming up for all these applications. Let me just try and clean that up a little bit more. There we go. And so I'll see a ton of applications that are all being listed right here. And as I look in my list, I'll see April 2nd, this guy, and that's gonna be the Pokemon Go, again, that I installed just the other day. So I'm gonna copy that GUID so I can get at it. And then we'll change into that directory. And take a look at what's in there, right? And as I look in there I'll see there is a Documents folder, a Library folder, a StoreKit folder. The most important one for me is gonna be this Documents folder. And inside of the Documents folder, if I can spell it right, [LAUGH] inside this Documents I see nothing. I see nothing cuz I've never actually run the app. I installed it but I didn't run it. So it hasn't generated any documents. But what you're gonna find in here is that the application will store its files, its information, its preferences will be stored in here. And they'll be isolated from other applications. Let me just pick another application here and let's see if we can find somebody a little more interesting than old Pokemon Go. But they'll store their information in here.
Another one I haven't run. This is the, the biggest challenge we have is that there are so many applications in the list and they have all got this kind of GUID names attached to them. So it's hard to tell what is what. But basically, they are gonna store their information right there in that Documents folder, and that's gonna isolate them from anybody else. So if I have an email client and I download an attachment, that attachment is gonna go in that Documents folder. And once it's in the Documents folder, well it's just gonna sit there and the email client will be able to see it, but that's it. Nobody else will be able to see it. It's just gonna sit there and it's isolated. So what you'll see is Apple came up with an innovative way to allow us to share applications between devices. What they said was that instead of allowing one application to talk to another application, we're gonna gate everything through a share window. And the share window works on a really interesting principle. It says that the application is not allowed to talk to another application, but it can talk to iOS. And when it talks to iOS, it can say I wanna share this with another program. And iOS can make a decision, do I wanna allow this or not. That gives Apple the chance to gauge whether this is okay behavior or not. And if it's okay behavior, it will say, okay, give me the file and I'll take the file and I'll drop it off where it needs to go. So for example, if we were sharing something and it needed to be sent to a screen reader or something like that, what you would find is in the Documents folder, so if I were to get back into the Documents folder of some application and take around, there's another empty one. What you'd find in here is a subfolder called Inbox. And that Inbox folder is where iOS would take the attachment and drop it off into the Inbox. And now that other application would see this new incoming file and be able to act on it.
Now notice what happens there, the two applications never talk to each other, right? They don't talk to each other at all. They talk to iOS and iOS takes that file and drops it off in the other application. So you've always got this Gatekeeper in between and that's what preserves the Sandbox. If one application is fully compromised, it's no big deal cuz it can't talk to any other application, it's isolated, protected, and separated. And when you jailbreak a phone, you break that. You tear down those walls. Notice how I'm just moving in between these folders from application to application. I can touch all of these folders. And that's because this device is jailbroken. That means the walls, the walled garden as they call it, those walls are gone on mine. And that makes it where I can do a heck of a lot more on this iPad than a normal iPad. But it means that my iPad is far less secure than a normal iPad.
>> All right, Don, I know you really want to get into showing us Android, but let's go back to the share dialogue thing a little bit, and can you show us a little bit about it.
>> I didn't think about that, Ronnie. You're not an iPhone user, so you don't get exposed to this like I do. I try and use as many devices as I can, but iPhone is a lot different from Android in the way that it shares things. You have what's called the share dialogue, and the share dialogue really is the gatekeeper in between applications, so it truly represents the sandboxing. Let me show you an example. I've got my iPad mirrored to my computer right here. And let's say that for example I'm browsing the web, right? So I'm gonna fire up Safari and when I browse to a website like, we're gonna slash that, so when I browse to a website it's gonna pull up, right, here in the web browser and I start to see that content, right? And everything's fine.
And then I say something like, boy, I want to print this web page, or I want to save it as a PDF, or save it to Dropbox, or do something with the content of this page. Maybe I want to take this web page and add it to Microsoft OneNote or Wunderlist or something like that. I want the applications to talk. The only way I can do that is through the Gatekeeper. And the Gatekeeper is represented in most applications with this little square with an up arrow, that's the share button. And when I hit that share button, so I'm just gonna punch that, a little drop down will appear. And I'll see what I'm allowed to do. And notice what I'm saying, what I'm allowed to do. I could do a ton of things, but Apple is only allowing me to do certain things. So I can save it as a PDF to iBooks. I can send it to Facebook or Twitter or I can add it to my notes or my reminders. I see approved activities right here, okay. And there might be some that aren't turned on. So if I hit More, I might see some here that are not enabled, it looks like all of mine are enabled, the same thing with the top row. Sometimes you can find, like maybe I have Twitter turned off, and I could turn that one on. So, you have a little bit of control. But all the applications that are in this list have been through Apple's quality control. They've evaluated whether or not that communication should be allowed and whether it's done in a secure manner, and if it hasn't been, they don't allow it. So, if I want to save this as a PDF to iBooks, I can't let my web browser talk right to iBooks. I have to go through this method. And that can be a challenge, because sometimes I might download a PDF, and I want it to be available in my Kindle app, and I don't have a way to send that between applications. They don't allow that communication.
But when I choose Save PDF to iBooks, what's happening is, it's creating the PDF, it's sending it to iOS and iOS is then gonna create that Inbox folder I was talking about in the Documents folder for iBooks, and it's dropping that PDF there. And then immediately, iBooks pops up and it says, there's something in my inbox. It's a PDF, let's go ahead and bring it in like and send it to iCloud or we'll bring it right in here, and now it's in the library. But iBooks never actually talked to the web browser. iBooks just saw its Inbox folder and saw this PDF appear, and there it is. Now I've got this stored as a PDF and I can go back to Safari and continue browsing the web and going wherever it is that I wanna go. Apparently no, we're too exciting. So we can go and browse the Internet and do our thing. The applications are separate. They talk to the operating system, they never talk to each other. So that's a key thing to remember with iOS devices like these. Is Apple is always in between you and any communication that you make. In between every single bit, which gives them a high degree of control.
>> All right Don, I know you really wanna get into Android, but I think we're pretty much out of time.
>> [LAUGH]
>> So I'm gonna need you to come back for a part two, Don. To help us out in seeing the other part, which is the Android part as well. Remember what you took a look at in this episode as Don really did talk about the idea of bringing in that BYOD, and some of the different things that can happen when we do that. So the idea of a managed environment is pretty key for us when we take a look here too. As well as some of the different attacks, and now Don has shown us some of the different security features that are built into these devices as well, especially on the Apple side. But if you want to come back and learn more about the Android side and some of the other ones that are out there, come back for our part two.
It's a great place for us to go ahead and sign off then. For ITProTV, I've been your host, Ronnie Wong.
>> And I'm Don Pezet.
>> Stay tuned right here for more emerging technology security demonstrations. [MUSIC]
>> Thank you for watching ITProTV.