Mobile Device Security

Nov 02, 2014


John Rhoton

Microsoft Exchange Connections, Orlando, 2008
Page 1: Mobile Device Security

Mobile Device Security

John Rhoton

Hewlett Packard

[email protected]

Page 2: Mobile Device Security

But just what is mobility?

Devices:
• Mobility = Mobile phones?
• Mobility = Smart phones?
• Mobility = PDAs?

Wireless:
• Mobility = Wireless LANs?
• Mobility = GSM/GPRS?

Applications:
• Mobility = Form-factor adaptation?
• Mobility = Synchronisation?

Page 3: Mobile Device Security

Mobility: Challenges

Page 4: Mobile Device Security

Where is confidential data most vulnerable?

Source: ESG Research Report

Page 5: Mobile Device Security

Facets of Mobile Security

[Diagram: layers labelled management, devices, air transmissions (PAN, LAN, WAN), public networks, private networks and applications, spanning the columns mobility, wireless and traditional security; four numbered regions, with region 3 marked VPN]

Page 6: Mobile Device Security

Agenda

1. Mobile devices
2. Air interfaces
   • Bluetooth, 802.11b, WWAN
3. Remote Access
   • Tunnels (VPNs), Roaming
4. Perimeter Security
   • Compartmentalization, Access Controls

Page 7: Mobile Device Security

Device Security

(Windows Mobile)

Page 8: Mobile Device Security

Threats to Mobile Devices

• Stolen information
  ● Host intrusion, stolen device
• Unauthorized network/application access
  ● Compromised credentials, host intrusion
• Virus propagation
  ● Virus susceptibility
• Lost information
  ● Lost, stolen or damaged device

Source: Trend Micro

Page 9: Mobile Device Security

Windows Mobile Content Protection

Access Control Approaches
• Simple Lock-out
• Encryption
  ● Private key storage?
  ● Smartcard / TPM
  ● Hash private key (dictionary attack)
• Couple with strong password policies
• Prevent insecure boot
  ● Analogous to BIOS password and Drivelock
• Choice depends on
  ● Sensitivity of data
  ● Sustainable impact on usability and performance
  ● Trust in user password selection

Page 10: Mobile Device Security

iPAQ Content Protection

Access Control Solutions

• Native Pocket PC

• Biometric Authentication

• HP ProtectTools

• Pointsec

• Credant

• TrustDigital

• Utimaco

• Bluefire

Page 11: Mobile Device Security

Enterprise Requirements

• Integrated Management Console
  ● Directory (AD/LDAP) integration
• Centralized Policies
  ● Policy polling
  ● User cannot remove
  ● Screen-lock / Idle-lock

Page 12: Mobile Device Security

Air Interfaces: Bluetooth

Page 13: Mobile Device Security

Pairing & Authentication

Pairing:
• Access to both devices
• Manual input of security code
• No need to store or remember

Authentication:
• Based on stored keys
• No user intervention

Page 14: Mobile Device Security

Bluetooth Security

• Acceptable Security Algorithms
  ● Initialization
  ● Authentication
  ● Encryption
• Prevention of
  ● Discoverability, Connectability and Pairing
• Proximity Requirement

[Diagram: devices A, B, C, D and M sharing link keys K_AD, K_MA, K_MB, K_MC and K_MD]

Page 15: Mobile Device Security

Multi-tiered security

Page 16: Mobile Device Security

Bluetooth vulnerability

• PIN Attack
  ● Often hard-coded
  ● Usually short (4-digit)
• Bluejacking
• Bluesnarfing
• Virus Propagation

Centralized Policy Management is critical in the Enterprise!

Page 17: Mobile Device Security

Air Interfaces: WLAN

Page 18: Mobile Device Security

Needs determine security

• SSID
• MAC Filter
• WEP
• WPA/802.11i

Page 19: Mobile Device Security

MAC Filters

• Requires management of authorized MAC addresses
• LAA (Locally Administered Address) can override UAA (Universally Administered Address)
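The LAA/UAA distinction on this slide is a single bit that can be checked mechanically. The following is an added example, not part of the presentation: it normalizes MAC addresses, flags locally administered ones, and audits a few constructed association log lines against an allowlist, so that an allowlisted address that any host can set in software is reviewed rather than trusted. The log format and the addresses are assumptions.

```python
import re

# Added example (not from the slides). The U/L bit is bit 1 of the first
# octet (mask 0x02): set = locally administered (LAA, settable in software),
# clear = universally administered (UAA, burned in under a vendor OUI).

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; accepts ':', '-' or '.' separators."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac: str) -> bool:
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def check_station(mac: str, allowlist: set[str]) -> str:
    """Filter verdict for one associating station:
    'deny'      not on the allowlist
    'allow'     on the allowlist and universally administered
    'allow-laa' on the allowlist but locally administered: the match
                proves nothing about the hardware, so flag it for review."""
    mac = normalize_mac(mac)
    if mac not in allowlist:
        return "deny"
    return "allow-laa" if is_locally_administered(mac) else "allow"

# Constructed sample data (assumed log format, not a real AP log).
ALLOWLIST = {"00:1b:63:aa:bb:cc", "02:1b:63:aa:bb:cc"}
SAMPLE_LOG = """\
assoc sta=00:1b:63:aa:bb:cc ssid=corp
assoc sta=02:1b:63:aa:bb:cc ssid=corp
assoc sta=00-1B-63-11-22-33 ssid=corp
"""

def audit_associations(log_text: str, allowlist: set[str]) -> list[tuple[str, str]]:
    """Map every 'sta=<mac>' association event to (normalized mac, verdict)."""
    verdicts = []
    for line in log_text.splitlines():
        m = re.search(r"sta=([0-9A-Fa-f:.\-]{12,17})", line)
        if m:
            mac = normalize_mac(m.group(1))
            verdicts.append((mac, check_station(mac, allowlist)))
    return verdicts
```

The second sample station is on the allowlist yet comes back as allow-laa: a MAC filter can only confirm that a host claims an address, not that it is the device the address was issued to.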

Page 20: Mobile Device Security

Equipment of a Wi-Fi freeloader

• Mobile device
  ● Linux
  ● Windows
  ● Pocket PC
• Wireless card
  ● Orinoco card
  ● Prism 2 card
• Driver for promiscuous mode
• Cantenna and wireless MMCX to N type cable

Page 21: Mobile Device Security

Increasing the transmission range

DEFCON 2005 WiFi Shootout: 200 km
• Large dishes
• High power levels
• Line-of-sight

Page 22: Mobile Device Security

Bringing the “War” to War Driving

Page 23: Mobile Device Security

Tools

• NetStumbler—access point reconnaissance
  ● http://www.netstumbler.com
• WEPCrack—breaks 802.11 keys
  ● http://wepcrack.sourceforge.net/
• AirSnort—breaks 802.11 keys
  ● Needs only 5-10 million packets
  ● http://airsnort.shmoo.com/
• chopper
  ● Released August 2004
  ● Reduces number of necessary packets to 200-500 thousand

Aircrack, Airopeek, Airsnare, Airmagnet, Airjack, Aerosol, Kismet, Packetyzer, NAI Sniffer, Retina WiFi Scanner…

Page 24: Mobile Device Security

Ten-minute WEP crack

• Kismet
  ● reconnaissance
• Airodump
  ● WEP cracking
• Void11
  ● deauth attack
• Aireplay
  ● replay attack

Source: tom’s networking

Page 25: Mobile Device Security

Wireless LAN security evolution

Timeline    1999: WEP                    2003: WPA                                 2005+: 802.11i / WPA2
Privacy     40 bit RC4 with 24 bit IV    Per packet keying (RC4) with 48 bit IV    AES
Auth        SSID and Shared key          802.1x + EAP                              802.1x + EAP
Integrity   CRC                          MIC                                       MIC

(Security increases from left to right.)
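The IV sizes and integrity columns of the timeline can be checked arithmetically. The following is an added example, not part of the presentation: it computes how quickly a 24-bit versus a 48-bit IV repeats (the birthday bound) and shows that CRC-32 is affine under XOR while a keyed MIC is not, which is the property WPA and 802.11i needed from their integrity checks. HMAC-SHA256 is an assumed stand-in for the actual TKIP and CCMP integrity functions.

```python
import hashlib
import hmac
import math
import zlib

# Added example (not from the slides): two arithmetic facts behind the
# timeline above. (1) A 24-bit IV repeats after a few thousand frames
# (birthday bound); a 48-bit IV does not. (2) CRC-32 is affine under XOR,
# so it cannot serve as an integrity check on an RC4 stream; a keyed MIC
# (HMAC here, standing in for TKIP's MIC or CCMP's CBC-MAC) is not affine.

def iv_collision_probability(iv_bits: int, frames: int) -> float:
    """Probability that at least two of `frames` random IVs of `iv_bits`
    bits coincide (exact birthday product, accumulated in log space)."""
    space = 2 ** iv_bits
    if frames > space:
        return 1.0
    log_no_collision = sum(math.log1p(-i / space) for i in range(frames))
    return 1.0 - math.exp(log_no_collision)


def frames_until_collision(iv_bits: int, target_probability: float = 0.5) -> int:
    """Frames after which IV reuse reaches `target_probability`
    (standard birthday approximation n ~ sqrt(2N ln(1/(1-p))))."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - target_probability))))


def _xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "equal-length inputs only"
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """True iff crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0). This holds for
    every pair of equal-length inputs, so a CRC protected only by XOR with
    a keystream says nothing about whether the frame was altered."""
    zeros = bytes(len(a))
    return zlib.crc32(_xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def keyed_mic_is_affine(a: bytes, b: bytes, key: bytes = b"constructed-demo-key") -> bool:
    """The same identity tested against HMAC-SHA256; it fails, which is
    the property an integrity check needs."""
    def mic(m: bytes) -> int:
        return int.from_bytes(hmac.new(key, m, hashlib.sha256).digest(), "big")
    zeros = bytes(len(a))
    return mic(_xor(a, b)) == mic(a) ^ mic(b) ^ mic(zeros)
```

With a 24-bit IV, reuse passes 50% probability after roughly 4,800 frames; with 48 bits the same point is near 20 million frames.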

Page 26: Mobile Device Security

802.11i / WPA2

• Ratified June 2004
• AES selected by National Institute of Standards and Technology (NIST) as replacement for DES
  ● Symmetric-key block cipher
  ● Computationally efficient
  ● Can use large keys (> 1024 bits)
• Cipher Block Chaining Message Authentication Code (CBC-MAC or CCMP) complements TKIP
  ● RFC 3610
• May require equipment upgrades
  ● Some WPA implementations already support AES
• Update for Windows XP (KB893357)

Page 27: Mobile Device Security

IEEE 802.1x Explanation

• Restricts physical access to the WLAN
• Can use existing authentication system

[Diagram: Supplicant (Client) to Authenticator (Access Point) to Authentication Server (RADIUS Server); EAP over 802.1x between client and access point, EAP over RADIUS between access point and server; TKIP / MIC on the wireless link]

Page 28: Mobile Device Security

Wi-Fi Protected Access (WPA)

• Temporal Key Integrity Protocol
  ● Fast/Per packet keying, Message Integrity Check
• WPA-Personal
• WPA-Enterprise

Page 29: Mobile Device Security

Enterprise WLAN Security Options

• WPA-Enterprise
  ● Transition to 802.11i
  ● Requires WPA-compliant APs and NICs
• VPN Overlay
  ● Performance overhead (20-30%)
  ● VPN Concentrator required
• RBAC
  ● Additional appliance and infrastructure
  ● Most refined access

Home WLAN: WEP/WPA key rotation, firewall, intrusion detection

Public WLAN: MAC address filter, secure billing, VPN passthrough

Page 30: Mobile Device Security

Rogue and Decoy Access Points

• Highest risk when WLANs are NOT implemented
  ● Usually completely unsecured
  ● Connected by naïve (rather than malicious) users
• Intrusion Detection Products
  ● Manual, Sensors, Infrastructure
• Multi-layer perimeters
  ● 802.1x
  ● RBAC, VPN
• Decoys can be counteracted with automated configuration

[Diagram: Internet, Intranet and Access zones]

Page 31: Mobile Device Security

Air Interfaces: WWAN

Page 32: Mobile Device Security

Wireless WAN (Wide Area Network)

● GSM, GPRS, HSCSD, EDGE, UMTS, HSDPA
● CDMA 1XRTT, EV-DO, EV-DV, 3X
● 802.16, 802.20
● 2G -> 2.5G -> 3G -> 4G
● Bandwidth 9.6kbps - 2Mbps+
● Large geographical coverage
● International coverage through roaming

[Diagram: GPRS phone, GPRS iPAQ, e-mail pager, GSM/GPRS PC card]

http://h18004.www1.hp.com/products/wireless/wwan/WWAN-Security.pdf

Page 33: Mobile Device Security

Multiple interfaces maximize flexibility

[Diagram: persons 1 to 5 moving between a PAN Zone, a WLAN Zone, a GPRS Zone, a 3G Zone and a Satellite Zone]

• Surfing: Person 1 improves bandwidth by moving into a 3G area
• MP3 Download: Person 2 saves time and money by scheduling the download in a public WLAN hotspot
• Peer-to-peer: Person 3 sends an MP3 file over a Bluetooth link free of charge to Person 4
• At sea: Person 5 maintains coverage via satellite after leaving GPRS range

Columbitech, Birdstep, Ecutel

Page 34: Mobile Device Security

Unauthorized Wireless Bridge

[Diagram: a device bridging a Private LAN to a Public Network]

Page 35: Mobile Device Security

Perimeter Security

Page 36: Mobile Device Security

Perimeter Evolution

• Restricted Network Access
• Role-based Access Control
• Network Compartmentalization

[Diagram: User Access Control based on Role, Schedule and Location, alongside network controls based on IP Address, Port, Time and VLAN]

Page 37: Mobile Device Security

Credant OTA Sync Control

[Diagram: Exchange 2003 environment in which a handheld syncs either locally via ActiveSync through a Local Gatekeeper, or over the Internet via Server ActiveSync through OTA Sync Control in front of the Exchange Server and App Servers]

• Local Gatekeeper can detect devices which sync via local connection
• OTA Sync Control detects devices which sync via Server ActiveSync
• Based on ISAPI extension
• Provides automatic network detection and remediation of mobile devices attempting to synchronize with Microsoft Exchange

Page 38: Mobile Device Security

Trust Digital Mobile Edge Perimeter Security

• Wireless Provisioning Portal
  ● Device and user registration integrated with enterprise use policy acceptance
  ● Over-the-air (OTA) delivery of Trust Digital software and policy
• Advanced Features
  ● Asset, activity, and compliance reporting
  ● Help Desk functionality including self-service portal
• Network Admission Control
  ● Ensures security/compliance of end-user device
  ● Interrogates devices before allowing access
  ● Integrated with Microsoft ISA Server

Page 39: Mobile Device Security

FusionDM for Enterprise

[Diagram: HP Enterprise Devices from Leading OEM Device Manufacturers connect over SMS and TCP/IP through WW Wireless Operator Networks to the HP Enterprise Mobility Suite in HP Worldwide Hosting Facilities, which reaches the Enterprise and its Existing IT Systems over HTTPS across the Internet]

HP Worldwide Hosting Facilities:
• Device Support
• S/W Maintenance
• WW Network Support

FusionDM for Enterprise:
• Device Troubleshooting
• Device Security
• Policy Mgmt
• Asset Mgmt
• IT Dash Board

Existing IT Systems:
• Exchange®, Domino®, Groupwise®
• Corporate Directory, Active Directory®
• Intranet, CRM, Application Portal

Page 40: Mobile Device Security

Mobile Device Security Management

• Provisioning security tools
• Policy enforcement
  ● Passwords
  ● Device lock
  ● Policy updates
• User support
  ● Device lockout
  ● Backup/restore

[Diagram: balance between Security and Usability]

Page 41: Mobile Device Security

Summary

• Security concerns are the greatest inhibitor to mobility
  ● Wireless networks and devices introduce new risks
  ● Some mobile security (e.g. WLAN) has been inadequate
  ● The industry has since recognized and addressed the main threats
• The enterprise challenge:
  ● Systematically reassess security architecture
  ● Standardize on security configuration
  ● Ensure user compliance through automation and policy enforcement

Page 42: Mobile Device Security

Questions?

Contact me at: [email protected]

Page 43: Mobile Device Security

Your Feedback is Important

Please fill out a session evaluation form and either put them in the basket near the exit or drop them off at the conference registration desk.

Thank you!