MOBILE SECURITY OVERVIEW
Tim LeMaster, tim.lemaster@lookout.com
Your data center is in the cloud.
Your users and customers have gone mobile.
Starbucks is your fall-back Network.
Your mobile device is a gold mine for hackers
- ENTERPRISE EMAIL
- ENTERPRISE APPS: SaaS, custom apps
- CREDENTIALS: stored credentials, soft tokens
- PHOTO ALBUM: whiteboard screenshots, IDs
- ENTERPRISE NETWORK: VPN, WiFi
- SENSORS: GPS, microphone, camera
How are you protecting your corporate data?

PC
- APPS: Selected, purchased, and managed by organization
- DEVICE: Selected, purchased, and managed by organization
- NETWORK: LAN / corporate Wi-Fi; VPN when traveling
- WEB & CONTENT: Filtered at organizational perimeter
- Controls: Anti-Virus, DLP, vulnerability scanning, administered by IT, managed by SCCM, OS version control, OS integrity monitoring, behavioral monitoring, on-device firewalls, perimeter firewall, Secure Web Gateways

MOBILE
- APPS: Selected, purchased, and managed by user*
- DEVICE: Organizational issued, some BYOD
- NETWORK: Always-on cellular; user-selected Wi-Fi
- WEB & CONTENT: Often unfiltered
- Controls: Partially managed using MDM
Lookout 2017 Confidential and Proprietary
COMPONENTS OF RISK: MOBILE RISK MATRIX
Vectors: APPS, DEVICE, NETWORK, WEB & CONTENT

THREATS
- Apps: spyware & surveillanceware; trojans; other malicious apps
- Device: privilege escalation; remote jailbreak/root
- Network: man-in-the-middle; fake cell towers; spoofed WiFi APs; root CA installation
- Web & content: phishing; drive-by download; malicious websites & files; malicious code injection

SOFTWARE VULNERABILITIES
- Apps: out-of-date apps; vulnerable SDKs; poor coding practices
- Device: out-of-date OS; dead-end hardware (no longer receiving updates); vulnerable pre-installed apps
- Network: network hardware / NIC driver vulnerabilities; protocol stack vulnerabilities
- Web & content: malformed content that triggers OS or app vulnerabilities

BEHAVIOR & CONFIGURATIONS
- Apps: apps that leak data; apps that breach org security policy; apps that breach regulatory compliance
- Device: user-initiated jailbreak/root; no PIN code/password*; USB debugging
- Network: proxies, VPNs, root CAs; auto-joining unencrypted networks
- Web & content: opening attachments and visiting links to potentially unsafe content
Multiple attack vectors utilized
- OS: end-user jailbreak/root; malicious jailbreak/root; OS vulnerability exploitation; data on stolen devices
- Apps: malicious apps; non-compliant apps; app vulnerability exploits; data leakage
- Network: malicious MitM attacks; anomalous root CA
For iOS enterprise devices the same risk matrix applies.
MITM EXAMPLE (MitM demo)
ANDROID
Android patches
- June bulletin: 101 CVEs patched, 76 high or critical
- May bulletin: 120 CVEs patched, 88 high or critical
- Android Security Advisory 2016-03-18: rooting app exploiting a kernel vulnerability
Deployment challenges
- Older devices not getting updates
https://source.android.com/security/bulletin/2017-06-01
IOS
iOS patches / iOS status
- iOS 10.3.2, released 15 May: 49 CVEs patched
- iOS 10.3.1, released 3 Apr: WiFi chip vulnerability patch
- iOS 10.3, released 27 Mar: 91 CVEs patched
Scareware for ransom
- Safari browser pop-up loop
Need employees to update
https://support.apple.com/en-us/ht207617
MOBILE RISK HIGHLIGHTS
- Alternative app stores
- Fraudulent/fake apps
- Pegasus and Trident
- MilkyDoor
- ViperRAT surveillanceware
- App take-downs
Lots of alternative app stores
Pegasus and Trident
Pegasus: the threat. A professionally developed and highly advanced threat leveraging zero-day vulnerabilities, code obfuscation, encryption, and sophisticated function hooking to subvert app controls.
Trident: the three vulnerabilities. A trifecta of three related zero-day vulnerabilities in iOS that collectively allowed the attacker to automatically jailbreak the device and install far-reaching spyware.
Pegasus causes catastrophic data compromise
- All encrypted data from any apps on the device
- User passwords from the keychain
- All WiFi passwords for every network the device has been on
- All passwords from any connected Apple router / AirPort / Time Capsule
- GPS / user location
- All call audio and history
- All data from the calendar, including meetings
- Sensitive conversations recorded via the microphone
- All contacts on the device
- And more
MilkyDoor
- Provides access to internal networks
- Covertly grants attackers access to the enterprise's services (web, FTP, SMTP) on the internal network
- Repackaged Android apps: 200 unique apps on Play
- Communicates with C&C over SSH
- Process name: Android.process.s
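The detectable signature of the MilkyDoor pattern is not the repackaged app itself but its network behaviour: an app with no business speaking SSH opens a long-lived session to an outside host, and the device then starts talking to internal services on the attacker's behalf. The following is an added example written for this page, not Lookout's detection logic: it runs that correlation over per-app connection records. The log format, the allowlist of legitimate SSH clients, the corporate address ranges and the sample lines are all constructed for illustration.

```python
"""Flag apps that open SSH sessions to outside hosts and then reach internal
services, the MilkyDoor pattern.

Added example for this page, not Lookout code. The log format, allowlist,
corporate ranges and sample lines are constructed for illustration.
"""
import ipaddress
import re

LINE_RE = re.compile(
    r"(?P<ts>\S+) pkg=(?P<pkg>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+) "
    r"proto=(?P<proto>\w+) bytes_out=(?P<out>\d+) bytes_in=(?P<in>\d+) duration=(?P<dur>\d+)"
)

# Assumed: packages allowed to speak SSH, and the enterprise's internal ranges.
KNOWN_SSH_CLIENTS = {"com.example.sshclient"}
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
LONG_SESSION_SECONDS = 600

# Constructed per-app connection records (not real telemetry).
SAMPLE_LOG = """\
2017-04-12T09:00:00Z pkg=com.example.mail dst=203.0.113.10:443 proto=tcp bytes_out=12000 bytes_in=48000 duration=4
2017-04-12T09:00:05Z pkg=com.example.sshclient dst=198.51.100.7:22 proto=tcp bytes_out=3000 bytes_in=9000 duration=120
2017-04-12T09:01:00Z pkg=com.example.wallpaper dst=203.0.113.55:22 proto=tcp bytes_out=2100 bytes_in=410000 duration=3600
2017-04-12T09:02:00Z pkg=com.example.wallpaper dst=10.20.30.40:445 proto=tcp bytes_out=51000 bytes_in=2000 duration=30
2017-04-12T09:02:10Z pkg=com.example.wallpaper dst=10.20.30.41:21 proto=tcp bytes_out=800 bytes_in=300 duration=5
2017-04-12T09:05:00Z pkg=com.example.vpn dst=10.1.1.1:22 proto=tcp bytes_out=500 bytes_in=700 duration=60
garbage line that should be ignored
"""


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("port", "out", "in", "dur"):
        rec[key] = int(rec[key])
    return rec


def is_corporate(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in CORP_NETS)


def find_ssh_tunnels(log_text):
    """Return per-package evidence for apps with outbound SSH to non-corporate hosts."""
    per_pkg = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_pkg.setdefault(rec["pkg"], {
            "ssh_hosts": [], "internal_targets": [], "long_sessions": 0, "inbound_bytes": 0,
        })
        if rec["proto"] == "tcp" and rec["port"] == 22 and not is_corporate(rec["ip"]):
            entry["ssh_hosts"].append(rec["ip"])
            entry["inbound_bytes"] += rec["in"]
            if rec["dur"] >= LONG_SESSION_SECONDS:
                entry["long_sessions"] += 1
        elif is_corporate(rec["ip"]):
            entry["internal_targets"].append(f"{rec['ip']}:{rec['port']}")

    alerts = {}
    for pkg, e in per_pkg.items():
        if not e["ssh_hosts"] or pkg in KNOWN_SSH_CLIENTS:
            continue
        # A reverse tunnel shows as a long-lived SSH session in which most bytes
        # flow *in* (the attacker's traffic), followed by connections to internal services.
        if e["internal_targets"] and e["long_sessions"]:
            confidence = "high"
        elif e["internal_targets"] or e["long_sessions"]:
            confidence = "medium"
        else:
            confidence = "low"
        alerts[pkg] = dict(e, confidence=confidence)
    return alerts


if __name__ == "__main__":
    for pkg, evidence in find_ssh_tunnels(SAMPLE_LOG).items():
        print(pkg, evidence["confidence"], evidence)
```

The SSH connection alone is only a weak signal (developers carry SSH clients too); the confidence climbs when the same package also reaches internal hosts, which is exactly the access the slide describes.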
ViperRAT surveillanceware
- Social media used for targeting: fake profile as a young woman, build trust, then ask the target to install an app "for easier communication"
- Multi-stage malware: dropper for profiling, second stage is more capable
- Extracts files and photos
210 Lookout-discovered threats in the Google Play Store (2016)
(= discovered by Lookout in Play Store and subsequently removed by Google)

Date | Apps | Family | Description
July 15 | 1 | BouncerBounce | Malware that works around Google's review process to plant malicious apps in Play Store.
August 4 | 4 | OverSeer | Spyware targeting foreign travelers searching for embassy locations. Steals contact and location data.
September 7 | 13 | DressCode | Can make the device a proxy for network traffic on corporate networks.
September 30 | 3 | DressCode | We discovered more apps on Play injected with this trojan.
October 19 | 1 | TcemuiPhoto Uploader | Lookout discovered this malware family in fake versions of popular apps on Play.
October-November | 2 | WakefulApp Download | Malware hidden in a "File Explorer" app that had gotten into Play; downloads and launches additional apps.
November 25 | 167 | XRanger | 167 apps in Play infected with this app dropper.
Gartner Market Guide for Mobile Threat Defense Solutions
"It is becoming increasingly important that security leaders look at the anti-malware, mobile threat defense solutions market, the products available and how they should be used."
Lookout Mobile Endpoint Security meets all four functional capabilities: behavioral anomaly detection, vulnerability assessment, network security, app scan.
* This Gartner report is available upon request from Lookout.
Source: Gartner Market Guide for Mobile Threat Defense Solutions, John Girard and Dionisio Zumerle, July 2016.
*Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
What should you do? Layered defenses
- Stick to official app stores
- Lock your screen
- Use MDM
- Don't connect to unknown WiFi
- Use a VPN
- Be wary of phishing attempts: unknown links in text messages, emails and web sites
- Use a Mobile Threat Detection solution