www.senseofsecurity.com.au © Sense of Security 2012 Page 1 – May 2012
Compliance, Protection & Business Confidence
Sense of Security Pty Ltd Sydney Level 8, 66 King Street Sydney NSW 2000 Australia
Melbourne Level 10, 401 Docklands Drv Docklands VIC 3008 Australia
T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455
[email protected] www.senseofsecurity.com.au ABN: 14 098 237 908
Help! My Mobile Device is Spying on Me
AusCERT 2012 Conference, 17 May 2012
Delivered by Murray Goldschmidt, Chief Operating Officer
Agenda
Our “Targeted Voice Recorder” research addresses
• Relevance - Extent of exposure
• Simplicity - Anatomy of the attack
• Protection - Mitigating controls
High Level Process Flow
Phase 0: Target
Phase 1: Identification (Physical ID, Remote ID)
Phase 2: Acquisition (App)
Phase 3: Exploit
Mobile Device Platforms
Android - Path of Least Resistance
Volume of devices and growth
Market fragmentation
Lag for software updates
Open platform
Vetting controls
Proof of Concept - Overview
Objective: Obtain a voice recording of the user using the device (not phone call)
Requires:
• Knowledge of their mobile device platform
• Physical or remote acquisition techniques
• A mobile app that can trigger at a specific location, act as a recorder and post recorded files
• An app that is in the market place (ideally)
• An app that can be remote controlled (ideally)
Simple but Efficient
Simple but Effective (Devastating)
Voice recorder -> Targeted Individual
~$few hundred, ~600 LOC
• Corporate Espionage
• Insider Trading
• Financial Gain
• Political Gain
• Competitive Advantage
Proof of Concept - Application
Functions
• ~600 Lines of Code
• Polls a specific server for instructions (where to trigger, radius, duration)
• Triggers on GPS co-ordinates (or derived location from GSM Network, Wireless etc)
• Records for 30 seconds. Continuous looping for demo.
Permissions Required
• access your location (GPS)
• your personal information (contact info)
• network communications (make outbound connections)
• storage (store file)
• hardware controls (record audio)
Visibility
• None – will operate in the background and not alert the owner it is triggered (although PoC app presents logging information on the screen for demo purposes, and vibrates to indicate recording!)
Anatomy of the Attack
Demo Application “Notepad”
• Write App for Purpose “Triggered Voice Recorder”
• Select & Publish Demo App (e.g. Notepad) to Market (e.g. Google play)
• Inject Triggered Voice Recording App into Published App
• Application Re-Vetted(?) & Published
Anatomy of the Attack
• Seek Target
• Download & Install App (Thru Remote or Physical Acquisition)
• Set the GPS Co-ordinates for Desired Recording Location on server (e.g. 40°26′47″N 79°58′36″W)
• App Polls Attacker’s Server & Downloads GPS Co-ord’s
Anatomy of the Attack
• Recording Device Activated at Prescribed Location (40°26′47″N 79°58′36″W or SSID)
• Recording
• Recording File sent to Attacker’s Server
Demo
Physical Identification
• Elevator
• Lobby
• Exec Desk
• Coffee Shop
Physical Acquisition
• No Password: No pin/password controls by default; Not complex by default
• Password Guessing: Common password combinations; Common patterns
• Smudge Attack
• Face Recognition
Remote Identification & Acquisition
• Email Trailer: “Sent from my HTC Velocity 4G on the Next G network”
• User Agent Info
• Gmail Compromise
• Drive by Download
• Spear Phishing
Broader Implications
Access to Personal or Corporate Email
Access to SMS
Access to Images
Access to Network (personal, wireless, corporate, VPN)
Access to Corporate Apps & Data
Send SMS to Premium Rated Services “Toll Fraud”
Controls and Mitigations
Controls that will assist in addressing this issue:
• Educate users on best practices regarding mobile devices
• Whitelist specific applications (or blacklist 2nd pref)
• Strong alphanumeric passcode; smudge protection
• Restrict default apps and resources such as browser, camera, YouTube, and Google Play
Controls and Mitigations
Other MDM controls that should be considered … but won’t all address this issue:
• Bring corporate and employee-owned phones under centralised IT management
• Enforce security policies to protect corporate data
• Configure device security such as encryption of data-at-rest and passcodes
• Connect mobile devices securely to enterprise resources including email, Wi-Fi and VPN
• Enforce secure bring your own device (BYOD) policies if you allow staff to use their devices inside the network
Controls and Mitigations
• Internal segregation controls on what access mobile devices have inside the network
• Detect rooted devices and remote wipe when found
• Keep highly confidential data off mobile devices
• No removable media such as SD cards allowed in corporate mobile devices
• Block attachment execution or downloading to the SD card
Controls and Mitigations
• Rogue app protection as well as inventories of installed apps
• Define and enforce allowed device types, OS, and patch levels
• Ensure anti-malware/anti-virus is up to date
• Expedite secure handling of lost, stolen or retired smartphones through full and selective wipe
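An added defensive example (not code from the Sense of Security deck or its PoC app) that serves two slides above: the “Permissions Required” list of the PoC application and the “rogue app protection as well as inventories of installed apps” control. It triages a constructed installed-app inventory for the microphone + location + network permission profile the PoC needs, and flags an update that gains those rights over a previously vetted version (the “Re-Vetted(?)” step). Package names and inventory rows are constructed; the permission strings are real Android ones.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Real Android permission strings corresponding to the capabilities the PoC
# app declares on the "Permissions Required" slide.
LOCATION = frozenset({"android.permission.ACCESS_FINE_LOCATION",
                      "android.permission.ACCESS_COARSE_LOCATION"})
RECORD_AUDIO = "android.permission.RECORD_AUDIO"
INTERNET = "android.permission.INTERNET"
STORAGE = "android.permission.WRITE_EXTERNAL_STORAGE"
CONTACTS = "android.permission.READ_CONTACTS"


@dataclass(frozen=True)
class AppRecord:
    """One row of an installed-app inventory (package, version, declared perms)."""
    package: str
    version_code: int
    permissions: FrozenSet[str]


def is_covert_recorder_profile(perms: FrozenSet[str]) -> bool:
    """True when an app can record audio, learn its location and reach the
    network at once: the minimum a location-triggered recorder needs."""
    return RECORD_AUDIO in perms and INTERNET in perms and bool(LOCATION & perms)


def permission_drift(previous: AppRecord, current: AppRecord) -> FrozenSet[str]:
    """Permissions an update gained over the previously vetted version."""
    return current.permissions - previous.permissions


def triage(previous: Dict[str, AppRecord],
           current: Dict[str, AppRecord]) -> List[Tuple[str, str]]:
    """Compare a baseline inventory with the current one and return
    (package, reason) findings, sorted for stable output."""
    findings = []
    for pkg, app in current.items():
        if is_covert_recorder_profile(app.permissions):
            findings.append((pkg, "mic+location+network profile"))
        base = previous.get(pkg)
        if base is not None and app.version_code > base.version_code:
            gained = permission_drift(base, app)
            # Only gains of microphone or location rights are worth a finding;
            # a benign update may add harmless permissions.
            if gained & ({RECORD_AUDIO} | LOCATION):
                findings.append((pkg, "update gained " + ", ".join(sorted(gained))))
    return sorted(findings)


# Constructed sample inventories (hypothetical package names). The notepad
# update mirrors the deck's scenario: a benign published app that, after an
# update, asks for microphone, location and contacts.
BASELINE = {
    "com.example.notepad": AppRecord("com.example.notepad", 1,
                                     frozenset({INTERNET, STORAGE})),
    "com.example.voicememo": AppRecord("com.example.voicememo", 3,
                                       frozenset({RECORD_AUDIO, STORAGE})),
    "com.example.maps": AppRecord("com.example.maps", 7,
                                  frozenset(LOCATION | {INTERNET})),
}
CURRENT = {
    "com.example.notepad": AppRecord("com.example.notepad", 2, frozenset(
        {INTERNET, STORAGE, RECORD_AUDIO, CONTACTS,
         "android.permission.ACCESS_FINE_LOCATION"})),
    "com.example.voicememo": BASELINE["com.example.voicememo"],
    "com.example.maps": BASELINE["com.example.maps"],
}

if __name__ == "__main__":
    for pkg, reason in triage(BASELINE, CURRENT):
        print(f"{pkg}: {reason}")
```

A voice memo app without network access and a maps app without microphone access produce no finding, which keeps the check focused on the combination the deck describes rather than on any single permission.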
Mobile Device Platforms
These attacks are valid across the other major platforms.
SOS Research
Special note of thanks to the dedicated, motivated and highly talented team at SOS. This presentation is the culmination of a research program delivered through effective collaboration, teamwork and perseverance to push the envelope on the cutting edge.
Conclusion
• Extreme exposure
• Severe implications for privacy of the individual
• Remote control capability to spy extends the scope and risk
• Severe implications for confidentiality of information for business/government
• The fact that every person has/will have a mobile device means that every person is a walking/moving/sitting voice/video recorder that can be exploited
• MDM controls are good for general security – but not all will address this issue
• Requires user education; however curiosity of users and inclination to trust will result in continued exposure
Questions?
Thank you
Recognised as Australia’s fastest growing information security and risk management consulting firm through the Deloitte Technology Fast 50 & BRW Fast 100 programs
Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.
This presentation will be published at http://www.senseofsecurity.com.au/research/presentations
Whitepaper will be published at http://www.senseofsecurity.com.au/research/it-security-articles
Attribution – icons from iconfinder.com
Sydney, Melbourne T: 1300 922 923 [email protected] www.senseofsecurity.com.au