200:1 - Do You Trust Your Mobile Security Odds?

Post on 07-Jul-2015


On Wednesday, November 12, Bluebox Security hosted a webinar titled, “200:1 – Do You Trust Your Mobile Security Odds?” Jeff Forristal, CTO of Bluebox, shares real-life iOS and Android case studies revealing the amount of implicit trust, risk and insecurity found in today’s mobile devices, and what users can do about it. Watch the recorded webinar in its entirety here: http://offers.bluebox.com/webinar-trust-security-odds.html

Transcript of 200:1 - Do You Trust Your Mobile Security Odds?

Jeff Forristal / CTO

200:1 - Do You Trust Your Mobile Security Odds?

Secure: Statement of current security posture

Trustable: Holistic statement of intent; forward-looking & comprehensive

Chart: security state (Secure / Insecure) over Time, with three marked events: 0day / vulnerability found; vendor pushes a patch; vendor support EOL.

You trust a system will achieve & maintain your security needs

goto fail;

goto fail;

Remember these vulnerabilities?

Heartbleed

Fake ID

iOS jailbreaks

Pangu

TowelRoot

Points in time where we know our mobile devices were insecure…

2014 Vulnerabilities Reported for iOS & Android

168 (circa Nov 2014; data from Apple security advisories iOS 7.0.6, 7.1, 7.1.1, 7.1.2, 8, 8.1; Android collected from multiple sources): 78 – WebKit/UIWebView; 4 – SSL; 5 – kernel code exec; 10 – system code exec

6238 – Lollipop changelog (~16 are unconfirmed): 5 – kernel code exec; 3 – bootloader code exec; ~7 – system code exec; 3 – SSL; 20 – Chrome/WebView

What / who are we trusting? (and are they making good security choices on our behalf?)

Data from Google Play 11/11/2014 for API 10+; Apple developer portal

With so many devices, how do you know which meets your risk management needs?

Listen to the webinar recording: http://bit.ly/1xvjzlc

42

Over 7,200 active Android devices running across the eco-system!

Who are the main third-parties we choose to put in our mobile circle of trust?

Hardware Manufacturers, Operating Systems, Device Manufacturers, Carriers


The effectiveness of mobile risk management is largely dependent on lottery results …

Case Study: Samsung Note3 on AT&T


Samsung Note3 on AT&T: Third-parties included in the “circle of trust”

Device specific apps that are uniquely installed based on the carrier

312 apps pre-installed

45 are non-Samsung (3rd party)

151 pre-installed roots of trust

Samsung Note3 comes with …

54 apps have system-level privileges

86 apps have “dangerous” permissions

1 hard-coded open wifi profile


Blackphone – how secure is it really?

Samsung Note3: Inherent Circle of Trust

Circle of trust grows with third parties: over 200 entities driving & affecting our security and data on the device

Certificate authorities with Government/State interest: pre-installed on Android

Pre-installed root certificates for academic research: pre-installed on Android

Pre-installed root certificates on iOS 8

iOS 8 includes… 236 pre-installed roots of trust (and no way to disable any of them)

Questioning the Chain of Trust

Download whitepaper here: https://bluebox.com/blog/technical/


It’s not just about the device … don’t forget about the apps

libremotedesktop_client.so

122 shared libraries on apps

189 dylibs (including Swift)

Internal testing on iOS 8.1 iPod Touch, using hybrid Swift app

iOS 8 also includes… “AttackSurface”

What version is your device running on?

Chart: Analysis of Samsung Note3 Patch Updates by Major Carriers, Sep 2013 – Sep 2014 (columns: Sep, Nov, 2014, Mar, May, Jul, Sep). Rows: Sprint, AT&T, US Cellular, T-Mobile, Verizon, Int’l/UK et al., Google. Android versions shown for the carrier rows: 4.3, 4.4.2, 4.4.4; Google row: 4.4.2, 4.4.3, 4.4.4.

Data from sammobile.com, for SM-N900A/SM-N900P/SM-N900R4/SM-N900T/SM-N900V/SM-N9005, circa Oct 1 2014

So… are we really making the best trust choices?

With so many choices, how do we pick the most trustable device?

Can we measure something as a basis for trust?

Quantify the trust of a device with “Trustable by Bluebox” for Android

How users affect security and trust scores (you can improve!): Motorola example

Motorola out of the box vs. Motorola w/ proactive security

Trustable by Bluebox: Methodology and details available as downloadable whitepaper, https://bluebox.com/trustable-by-bluebox/

Samsung Note3 Trust Score

Call to Action: Mobile Risk Management

Recognize the realities (shortcomings) of mobile security

Chart: three Secure / Vulnerable timelines. Industry-wide security vulnerabilities; vendor patching variables with industry-wide security vulnerabilities… some devices live in a mostly insecure state!

Data from Bluebox Security Scanner, since public release; 250k installs

Bluebox Labs Research - How long it took vendors to patch Master Key and Fake ID vulnerabilities: ~3 attempts and 9 months to patch all vulnerabilities! (MK = Master Key)
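The Secure / Vulnerable timelines above (a device is exposed from the moment a vulnerability is public until the vendor's fix lands, or indefinitely after support EOL) can be put into numbers. The script below is an added example, not Bluebox's scanner or methodology: it takes a constructed set of disclosure dates and per-device patch dates (the vulnerability names, device names and dates are all made up), merges the overlapping exposure intervals and reports how much of an observation window each device spent running at least one publicly known, unpatched bug. A device that never receives one fix stays exposed to the end of the window, which is what turns "mostly insecure" into "insecure 100% of the time".

```python
from datetime import date

# Constructed sample data (not figures from the webinar): the date each
# vulnerability became public, and the date each hypothetical device received
# a fix. None means the device never got a fix inside the window.
VULN_DISCLOSED = {
    "VULN-A": date(2013, 12, 1),
    "VULN-B": date(2014, 4, 10),
    "VULN-C": date(2014, 7, 1),
}
DEVICE_PATCHED = {
    "carrier-X-note3": {"VULN-A": date(2014, 2, 1),
                        "VULN-B": date(2014, 6, 1),
                        "VULN-C": date(2014, 9, 15)},
    "carrier-Y-note3": {"VULN-A": date(2014, 5, 20),
                        "VULN-B": None,
                        "VULN-C": date(2014, 12, 1)},
}
# Observation window as a half-open range [start, end).
WINDOW = (date(2014, 1, 1), date(2015, 1, 1))


def merge_intervals(intervals):
    """Merge overlapping or touching half-open [start, end) intervals."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def exposure_intervals(patched, disclosed=VULN_DISCLOSED, window=WINDOW):
    """Merged [start, end) intervals in which the device ran with at least one
    publicly known vulnerability that had not yet been patched on it."""
    w_start, w_end = window
    raw = []
    for vuln, disclosed_on in disclosed.items():
        fixed_on = patched.get(vuln)          # None -> still unpatched
        start = max(disclosed_on, w_start)    # exposure begins at disclosure
        end = min(fixed_on, w_end) if fixed_on else w_end
        if start < end:                       # drop intervals outside the window
            raw.append((start, end))
    return merge_intervals(raw)


def days_exposed(patched, disclosed=VULN_DISCLOSED, window=WINDOW):
    """Total number of days the device spent in the Vulnerable state."""
    return sum((end - start).days
               for start, end in exposure_intervals(patched, disclosed, window))


def exposure_ratio(patched, disclosed=VULN_DISCLOSED, window=WINDOW):
    """Fraction of the window spent exposed (1.0 = never secure)."""
    return days_exposed(patched, disclosed, window) / (window[1] - window[0]).days


def report(devices=DEVICE_PATCHED):
    total = (WINDOW[1] - WINDOW[0]).days
    for name, patched in devices.items():
        ivals = exposure_intervals(patched)
        print(f"{name}: {days_exposed(patched)} of {total} days exposed "
              f"({exposure_ratio(patched):.0%}), {len(ivals)} window(s)")
        for start, end in ivals:
            print(f"  vulnerable {start} -> {end} ({(end - start).days} days)")


if __name__ == "__main__":
    report()
```

Feeding real disclosure dates and a carrier's actual firmware release dates into `VULN_DISCLOSED` and `DEVICE_PATCHED` gives the per-device version of the "lottery results" chart; the interval merge matters because a second unpatched bug that overlaps the first does not add exposure, while one never-patched bug dominates everything else.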

Chart: iOS Jailbreaks, Sep 2013 – Nov 2014 (Secure / Vulnerable timeline). iOS releases: 7.0, 7.0.3, 7.0.4, 7.0.6, 7.1, 7.1.1, 7.1.2, 8.0, 8.1. Jailbreak events: evasi0n7; 7.1 jailbreak reports; Pangu (iOS 7); Pangu8 (Nov).

A note about rooting/jailbreaking…

1. Exploit one or more vulnerabilities to escape the security model & execute code in a system-privileged state

2. Make one or more modifications to the system to generically persist control of the system-privileged state

3. Install user-convenience standard jailbreak utilities (Substrate, Cydia, SuperSU, etc.)

Manage risk in a hostile environment

Device security guides:

https://bluebox.com/android-user-security-guide/

https://bluebox.com/ios-user-security-guide/

Device specific security posture analysis is necessary for Android

OS version (4.4.2 vs 4.4.3 vs. 4.4.4) may not be relevant

Example: Android Fake ID patch back-ported to 4.1.x, 4.2.x, 4.3.x, 4.4.x and released to ODMs

Example 2: Linux kernel futex vulnerability patched by ODMs without changing the Android version

Go beyond traditional rooting/jailbreak detection

System-level (non-root) compromises are still game-over

Malware can favor non-persistent roots/breaks

Consider the total circle of trust

Trojan keyboards, trojan VPN clients, untrusted system CA certs, accessibility agents, untrusted app extensions can undermine device & app security operations
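Both the "236 pre-installed roots of trust (and no way to disable any of them)" slide and the "untrusted system CA certs" item above come down to the same operational question: which roots are in the device's trust store right now, and do they match the set you reviewed? The script below is an added example (not Bluebox's tooling) of a baseline audit for a cacerts-style directory such as Android's `/system/etc/security/cacerts`: it pulls the first PEM block out of each file, hashes the DER bytes with SHA-256 and reports any root whose fingerprint is not in the baseline, plus any baseline root that has gone missing. The three store files, their names and their "certificate" bodies are constructed for the example (the bodies are arbitrary bytes, not real certificates; only the PEM framing and the digest are exercised), and the store is written to a temporary directory so the script runs anywhere.

```python
import base64
import hashlib
import os
import re
import ssl
import tempfile

# Real location of the system trust store on Android; the sample store below
# is written to a temp directory instead so this runs off-device.
ANDROID_SYSTEM_CACERTS = "/system/etc/security/cacerts"

# Android cacerts files carry a PEM block followed by a text dump; take the block.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def _fake_pem(payload: bytes) -> str:
    """Constructed PEM framing around arbitrary bytes (NOT a real certificate)."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Android names each file <openssl-subject-hash>.0; these names are made up.
SAMPLE_STORE = {
    "0ab1c2d3.0": _fake_pem(b"constructed root A") + "Certificate:\n    Data: (text dump)\n",
    "1e2f3a4b.0": _fake_pem(b"constructed root B"),
    "9f8e7d6c.0": _fake_pem(b"constructed root C - not in baseline"),
}


def fingerprint(pem_text: str) -> str:
    """SHA-256 hex digest over the DER bytes of the first PEM block in the text."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))   # strips framing, base64-decodes
    return hashlib.sha256(der).hexdigest()


def load_store(directory: str) -> dict:
    """Map every file in a cacerts-style directory to its root fingerprint."""
    store = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), encoding="ascii") as fh:
            store[name] = fingerprint(fh.read())
    return store


def diff_store(current: dict, baseline: set) -> tuple:
    """Return (files whose root is not in the baseline, baseline roots not present)."""
    unexpected = {name for name, fp in current.items() if fp not in baseline}
    missing = baseline - set(current.values())
    return unexpected, missing


def write_sample_store() -> str:
    """Write the constructed store into a fresh temp directory; return its path."""
    directory = tempfile.mkdtemp(prefix="cacerts-")
    for name, text in SAMPLE_STORE.items():
        with open(os.path.join(directory, name), "w", encoding="ascii") as fh:
            fh.write(text)
    return directory


# Baseline = the roots you reviewed and accepted (here: A and B only).
BASELINE = {fingerprint(SAMPLE_STORE["0ab1c2d3.0"]),
            fingerprint(SAMPLE_STORE["1e2f3a4b.0"])}


if __name__ == "__main__":
    store_dir = write_sample_store()     # on a device: ANDROID_SYSTEM_CACERTS
    current = load_store(store_dir)
    unexpected, missing = diff_store(current, BASELINE)
    print(f"roots present: {len(current)}")
    print("not in baseline:", sorted(unexpected))
    print(f"baseline roots missing from device: {len(missing)}")
```

Comparing by fingerprint rather than by file name is deliberate: a swapped certificate under an existing name, or the same root under a new name, is exactly what a name-only listing misses, and the same `diff_store` works unchanged against a user-added certificate directory or an iOS trust-store export once you have its PEM files.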

Look inwards into the app’s sandbox

App anti-tampering & fortification to survive a vulnerable/hostile device environment

Not just data-at-rest, etc.: process space integrity

Keep apps & their transactions secure during the inevitable periods of device insecurity

App & Device Integrity

Questions?

jeff@bluebox.com

https://bluebox.com/trustable-by-bluebox/

https://bluebox.com/blog/

https://bluebox.com/ios-user-security-guide/

https://bluebox.com/android-user-security-guide/

https://play.google.com/store/apps/details?id=com.bluebox.trust