In this video, researcher Don Bailey of iSec Partners discusses the myriad mobile device threats, and how to create an effective mobile device security policy to stop them.
- The most pressing mobile device security issues
- Weaponizing mobile devices via GPS
- What enterprises can do to lock down mobile devices
- The difficulty of securing different mobile platforms
- Crafting mobile security policy
- Is theft or loss of devices a bigger problem than smartphone malware?
- What proactive enterprises are doing to address mobile threats
- Are mobile standards needed?
Read the full transcript from this video below:
Don Bailey on mobile device threats, mobile device security policy
Rob Westervelt: Hi, I'm Rob Westervelt with SearchSecurity.com. Thanks very much for watching this video. In this edition, we're going to talk about mobile security issues with Don Bailey. Don is a Mobile Security and Embedded Systems Expert with iSEC Partners. Don, thanks very much for joining us.
Don Bailey: Thank you, I appreciate it.
Rob Westervelt: So, Don, why don't you set the stage for us. What are some of the issues that enterprises have to deal with right now in terms of the threat landscape?
Don Bailey: The general overview? Everything is own-able. No, really, everything is own-able. We've proven that, right? It's difficult to build a sufficient application architecture from a security point of view. You need programs to integrate, interact, but you need them to do it securely. Obviously, that's not something that's an easy feat. So there are going to be threats all over the place from that point of view. The operating themselves have to be locked down substantially as well. That's traditionally difficult to do, as we've seen for years in Windows, Linux architectures, and things of that nature. Then again, we have entirely new areas of threats coming from just the cellular area as well.
The radio links, interactive peripherals, things of that nature, where now you can be attacked from six different radios, all available on the same baseband that's implementing your cellular device. So I can man the middle of your communications with your phone, your other phone across the household, your heart rate monitor, and things of that nature, which are all intertwined together now thanks to the smartphone. I can also intercept communications between your handset and the base station that talks to the cell tower. So from top to bottom, there's just too much that's vulnerable, which makes this the right platform for researchers.
Rob Westervelt: Don, I know you've done a number of talks on turning embedded devices into weapons via GPS. Can you tell us a little bit about that?
Don Bailey: That was a really fun project. So, I just had this device sitting around. It's called a Zoombak. They're actually quite cool. The manufacturers have done a really good job to make them pretty sweet from a customer experience point of view. But there was a little problem with them. I was actually able to communicate with these things over the telephone network and solicit information from the device without anyone knowing I was doing it. So if you own one of these devices, and were using it to say, track your supplies, or where your child goes in her vehicle, etc., I would be able to force that device to give me its location data, without you knowing, without her knowing, and without Zoombak knowing.
Obviously, that's a horrible thing, from a security point of view, and just from a lifestyle point of view. You don't want somebody random on the telephone network trying to stalk your car. It's ridiculous. We don't want that kind of stuff. So there was just a simple flaw in their engineering. I was able to bypass their security controls and leak that kind of information. I also figured out that I could spoof the information back to Zoombak, then when you retrieve information, "Where is my car?" "Where is my daughter?" etc., I could actually trick it into giving you false information.
We showed this in a Fox interview I did with Heidi Cuda, where I could actually impersonate that the device was in Abbottabad, Pakistan instead of being in L.A., California, where we actually were. So that was really exciting, but what was really revealing about that project is that now, today, we're seeing a very huge market booming of these new embedded devices that are GSM enabled, and they allow interaction with people to devices that, before, could never be interacted with. I mean, your traditional GPS device is just a little handheld thing that received the GPS signal. You walk around with it and say, "Oh, I'm in New York City," or whatever. You never could send that information somewhere remotely. Now, thanks to GSM and the lowering cost of GSM modules, you can.
So embedded developers have actually been able to add this new functionality to their products, and then roll it out at a cheap cost so consumers have this great functionality and they say, "Oh, now I can query this cool device from my mobile phone" or "I can query this cool device over the telephone network via my computer, and always know what's going on with this particular application." Well there are dangers with that if you don't implement your security properly. Now anybody on the telephone network can just probe at these devices, and then determine what kinds of devices they are, and then exploit them remotely.
That's a dangerous thing because on the telephone network, there is no concept of firewalling. It's not like an IP, where I can just go talk to your Mac or whatever, but if it's firewalled, I can no longer talk to it. It's behind some kind of DMZ or other security boundary that I can't access or cross. But on the telephone network, if they say, "You've got a phone number," you're on the telephone network. I can call it from any phone. There is no borderline there. So it's a completely different threat model.
Rob Westervelt: So let's talk about what enterprises can actually do. Should they rely on mobile device management vendors? Should they turn to their endpoint security vendor?
Don Bailey: Well, it really depends on what's the goal. I mean there's a general enterprise goal of, "we want X to be secured for deployment on Y," with X being some kind of mobile device, and Y being some kind of corporate network. Overall, I think the best thing to do is just break down the information for each platform. What's available on it from a security point of view? How many apps are deployable on it? What's the app model? All that kind of information is very difficult for a corporation to come up with. They're going to need to rely on security consultancies. It's a difficult and very chaotic environment to walk through. It's difficult to navigate. You need somebody on the ground that's actually going to be able to pool all this information together and give it to you in a way that's going to be practical to use, which is difficult in these days. So I would really suggest that they just go with a security consulting firm that's well versed in mobile.
Rob Westervelt: So why is it so difficult? Is it because of all the different platforms out there?
Don Bailey: Absolutely. It's the multiple platforms, and it's all the moving parts. As I mentioned before, you have application vulnerabilities, platform vulnerabilities, hardware vulnerabilities, and now cellular vulnerabilities, as well as other radio vulnerabilities that are packaged onto your baseband. There are too many threats and there are too many changes going on every day. I mean there's a new iOS version that comes out very couple of months, with new features and new add-ons and things of that nature. Those are all going to be vulnerable to new types of threats. So you need somebody that's going to be able to research those threats quickly, efficiently, and give you a practical outlook on how to mitigate any potential issues.
Rob Westervelt: Let's talk briefly about mobile security policy. With all of these different devices connected to the network, is that a major issue for enterprises?
Don Bailey: Oh yeah, absolutely. Because think about it this way, what's the traditional way you would go about assessing whether or not a computer is safe to load on your network? You do two things. You analyze it from the operating system point of view, as in an authenticated scan, saying, "Oh yeah, there's no malware on it because we have this information from this AV, and this information from other enterprise software we've loaded on it." Two, typically people like to throw pen-testing around, and say, "Let's scan it, and see if there are any vulnerabilities active." You can't do that with phones. I can't give you permission to log onto my phone and check all the applications to make sure they're secure.
You can't scan my phone with a normal pen-testing tool like Core, Metasploit, etc., and determine, "Oh, hey, there's a vulnerable port open, and it's got some weird application running." It doesn't function the same way. It's kind of useless to pen test at this point with those kinds of devices. You don't have the same amount of information as you would with a laptop or a desktop computer. So it's extremely difficult to be able to manage these things from a security point of view, because a lot of times they're more of a black box than we realize.
Rob Westervelt: We've heard a lot about data leakage and the theft of cell phones. Isn't that a bigger issue than some of the issues that you bring up when it comes to threats?
Don Bailey: Well, I don't know about bigger. It's just different. It's a different issue because now we have ways of accessing our data that is no longer compartmentalized by the security controls that you could easily load on a laptop. On a laptop, I can ensure that I have full disk encryption, maybe even two-factor login, depending on what level of security you want to go with, etc. But on the mobile phone itself there are only certain things that you can ensure, and those things can sometimes be bypassed. The iOS encryption was a great example of that, where they said, "Yeah, everything on the phone is encrypted," but if you actually plug it into a computer, you can access quite a bit of information that should be encrypted but is not. There are other issues with key management, etc. It's platform to platform. This, again, is a moving target, and you don't necessarily know from today to tomorrow when they update the software, "How is that going to change this threat?" whereas you have a longer outlook with a stationary device such as a desktop, or even a mobile computing platform like a laptop.
Rob Westervelt: Tell us what some of the more proactive enterprises are doing to address mobile security threats.
Don Bailey: They throw it out the window. Well usually they just segment it. They say, "We know we have to give our executives iPhones," because everybody loves the iPhone. I personally love the iPhone, but it can be a dangerous device. So what do you do? You just throw it in a separate network and say, "all the iPhones are going to connect to this Wi-Fi, WPA2 enabled," or whatever, "and you're going to surf from there. We're not going to allow this to connect directly to our corporate network because that's just ridiculous." You enforce those controls. You know people are going to bypass them because that's what people do, but you ensure that you have enough policy and enough protocol laid out so that people can minimally move from network to network on their own. Right now, there isn't an overall solution. There is no one good standard that says, "You can perform A, B, and C and you'll be safe." So it's just understanding the volatile surface, analyzing it effectively, and then deploying what mitigating controls are relevant to your company.
Rob Westervelt: Are more mobile standards needed?
Don Bailey: Oh yeah, absolutely. There are some that are in place now, and there are new ones that are coming out in the near future, but nothing's solid. Again, this is a very volatile area. We're seeing a lot of change and it's going to keep changing. There are only, what, four primary smartphones today? We're going to see that explode in the next coming years. Obviously, as new manufacturers gain ground, they're going to want a piece of those policies. They're going to be influencing things from a monetary point of view, and just campaigning. So it's not going to stop changing for the next few years. I think the open bubble associations, etc., and the GSMA, etc., really need to sit down and hash out, "here's how we see the future," not only from a cellular point of view, but from an architectural point of view. We're seeing some of that now, but it needs to be refined.
Rob Westervelt: Well, Don, thanks very much for joining us.
Don Bailey: Thank you, I appreciate it.
Rob Westervelt: And thank you all for joining us. For more information on mobile security threats and issues, you can go to SearchSecurity.com. Thanks.