Monday, February 5, 2018

What are the real mobile security threats? Part 1: Network

Lately the concern for the safety of our beloved smartphone has begun to grow, after some attacks such as the so-called DoubleLocker, had a lot of media impact perhaps greater than its actual impact.

However, data from specialized analysts suggest that mobile threats will represent, within 1 or 2 years, 25% of all threats, although Windows will remain the focus of all attention ...

This post is divided in 3 parts: this first part will deal with network threats, the second with apps and configuration threats, and the last part will propose some actions and solutions to protect yourself.

ARP Spoofing.


Smartphones are confronted with an additional threat, by their very essence: they are mobile devices, and they move, much more than a laptop.

We all have had to connect to public Wi-Fi networks in airports, cafeterias, restaurants, or even when visiting the offices of a client or supplier.

And the main danger comes from these unknown Wifis: using Google with a few well-chosen keywords, it's easy to find free programs that allow you to spy on any device that is on the same network as your laptop or even smartphone or tablet.

ARP Spoofing using Cain and AbelOne can settle quietly in a Starbuck and start intercepting the internet traffic of this man in suit sitting 2 tables away.

Intercept traffic only requires a simple technique called ARP Spoofing. This technique is usually detected immediately when used in the networks of companies that have minimally advanced security equipment, but this is not the case in the Wifis of the street, or at home, and smartphones are completely defenseless against these attacks.

Not only Wifi: GSM Man in the Middle (MiTM)


And this danger is not limited only to the Wifis. With a minimum of technical knowledge and a hardware investment of less than $1000, an attacker can simulate a network of a public 3G / 4G operator in a 10-20 meter beam, deceiving nearby smartphones that plan to communicate with their usual operator. 

GSM MiTM Fake BSS allows hackers to eavesdrop on conversations, read texts, and track your smartphone locationNormally, the data circulating in the operator's network cannot be seen, as they circulate encrypted to a remote point in the operator's network. For this reason, the attacker simulating an "antenna" of the operator will try to force the devices to communicate using the 2G protocol whose encryption is very weak or even disabled (2G fallback mode downgrade). In this way the attacker will be able to access all the IP traffic of the device, as if it were in the same Wifi, and start analyzing the data traffic.

These kind of attacks are becoming each day more difficult to be carried out since smartphone operators and manufacturers are slowly retiring 2G networks and disabling the possibility of unsafe 2G data communications.

Interception of unsafe traffic


Once an attacker has access to internet traffic by having interposed between a device and the rest of the internet (Man In The Middle), all the information that is not encrypted using SSL, TLS or any other method, is accessible to the attacker:

You can for example access session identifiers, certain passwords encrypted in an unsafe way, connections to databases, and any personal data that is not encrypted.

You can even redirect a query to one Web to another and in this way force the execution by the attacked device browser of a malicious code to access data within the device, control it or force download an application.

Falsification of digital certificates (Fake SSL)


Some attackers go further and try to also intercept the encrypted traffic, supplanting the server to which the device wants to connect.

To understand it, it is enough to know the simple mechanism that these types of connections use:

  • The device that connects to the server receives a "digital certificate" from this server, which contains a key that will be used by the device to encrypt everything transmitted to it.
  • What the attacker does is request the certificate to the server on behalf of the device: once it has it, it returns a false certificate to the device: the device will communicate with the attacker using this false certificate known by the attacker, and will be able to decrypt all the exchanges.
  • In turn, the attacker will communicate with the server with the real certificate, relaying the data back and forth, as if it were the device, as an intermediary that sees everything that happens.


Digital certificates are all issued by Certifying Authorities (CA), and the information of who issued the certificate is within the certificate. Anyone can generate certificates, however, there are reputable entities called trusted CAs. The devices have a "factory" list of these trusted CA entities (about 100).

  • Most attackers use certificates generated and signed by themselves in the moment the connection is established (self signed). When these certificates are used, any browser gives an alarm message for the reason that the entity that has issued this certificate is not trusted.
  • You must also know that a certificate contains the information of the domain for which it can be used to communicate, as an additional check mechanism.
  • However, some mobile apps accept the certificate despite not coming from a trusted entity, exposing their communications to the attackers: These apps are vulnerable to this kind of attack.
  • There have even been cases of trusted CAs that have been tricked by attackers into issuing certificates for large public domains (i.e. google.com), and these "false true certificates" have been used by attackers: in this case browsers and applications cannot detect the attack, since the Certificate is authentic, and issued by a trusted CA.
Fake SSL man in the middle attacks
Some of these attacks have even been performed by powerful organization, like that of a government, as was the case of the Iranian government in 2011 who was able to simulate access to the gmail website with a false certificate and access accounts of thousands of people.

But it can also be performed by less organized people. From time to time some false / true certificates leaks to the dark web and are used by all kind of hackers. To counter this weakness of the certification mechanism, between 2016 and 2017 a public, non-forgery record of the issued certificates has been launched so that everyone can consult them and verify that the certificates they receive are really from who they say they are ("Certificate Transparency System").


Other threats: malwares, configurations


If you are interested in getting more information about non network threat such as apps or configuration, please also read our next post.

What are the real mobile security threats? Part 2: Apps and Devices

In our previous post we had a look to the most dangerous threats mobile devices are facing: network threats.

What about the apps?


The apps are potentially another strong danger for mobile users. There are millions of apps in official stores, and the truth is that it is likely that in this mass of applications some malicious app has managed to get to pass the filters set up by Google or Apple.

However, we must recognize that unlike what happened for Windows, there are official and controlled sources of apps, and the controls are up to now quite effective.

But even so every now and then some threat appears, sometimes unexpectedly. It has been the case for example of thousands of applications that were developed using XCodeGhost, a light and unofficial version of Apple's official development environment called XCode. This development environment included a spyware that was automatically added to the apps developed without the developers knowing.

Since this latest incident in 2015, the owners of the stores have redoubled their efforts and are even auditing the code of the applications in search of malicious code.

Another source of threats are apps from unofficial stores. Except for specific cases, unofficial stores do not offer the same guarantees, and it is very likely that if an application is only available in an unofficial store, it is because they are not allowed to be in the official store.
Apps from non official stores can be installed at your own risks

And although the initial reason for not being in the official store is not due to security reasons, for example, due to the shop's ethical rules (money games, etc.), or copyright protection, once in the store the temptation of malicious extra income is great: theft of personal data, invasive advertising, etc.

And if an app also exists in the official store, there is no guarantee that the version of the non-official store will be the same, or that its version will be the last one and will include corrections of new vulnerabilities.

Location


Many applications collect location information, and worse, some publish them in such a way that your friends or people in the vicinity know you are nearby.
Some Apps let people know where you areThis information can be used to perform "passive intelligence" such as knowing if you have visited a potential client or site.

For example, in January 2018, global usage maps of the Strava fitness application were published, and looking at the map of Iraq or Syria, you could see isolated points corresponding to American soldiers who used it while training at their bases, revealing where these training camps were.

Vulnerabilities


As for any operating system, vulnerabilities of iOS and Android are regularly discovered. Unlike Windows, the frequency of updates to mobile devices is quite long. For example, it is monthly in the case of Android.

Worse yet: the monthly patching mechanism has only recently been launched, and most of the devices currently on the market do not have regular updates.

In contrast, at the application level the pace of updates is permanent, and many vulnerabilities at the operating system level are solved at the application level, at least if we talk about the applications of the most important providers such as Facebook, Google, etc.

Configuration


A final point to take into account when protecting yourself is the use of certain dangerous configurations.

We already mentioned the practice to avoid downloading applications outside the official stores, which can be limited by disabling this option.

Then there are other modes that allow malicious applications to access more data than they could: "rooted" phones, developer /debugging mode. A "rooted" or "Jailbreaked" phone is a smartphone in which the manufacturer's operating system (Android/iOS) has been replaced by an unofficial version in order to access additional functions and bypass the normal permissions of a normal user.
Rooted or jailbreaked mobile devices are more exposed to threats
An application can then access protected information of the phone. And it may even be the owner of the phone, which in this case is the danger wanting to access these functions and data: if we are talking about a professional telephone, there are no plausible reasons to that an employee should use a phone with these modes enabled.


Finally we must think that a phone can be stolen or lost, and we must ensure that the data in it cannot be accessed, through storage encryption or access mechanisms controlled by code, scheme, etc.

In our next postwe will review all the precautions that can and should be taken to protect against the security threats in our smartphones.

How to protect against mobile threats


If you want more information on about how to protect against mobile threats, you an read the 3rd part of our post.

What are the real mobile security threats? Part 3: How to protect?

In our 2 previous posts, we made a review of majors Network, Apps and configuration threats smartphone are facing.

So what can we do to protect ourselves against mobile threats?

There are a number of precaution one can take by himself, or that an organization can enforce using the appropiate tools.

Network threat defense

As we mentionned in part 1 of this post, public wifi are easy to use as a mean for Man in the midlle attacks using ARP Spoofing techniques. So the first thing is to protect yourself from public Wi-Fi networks:
    beware of unknown networks
  • It would be better never to use them, and in particular to disable the option of automatic connection to open Wifis.
  • If you connect to a public Wifi, protect yourself using a virtual private network (VPN), which allows all traffic to be hidden from the attacker.
  • Be cautious as well when connecting to a company networks: your provider or customer may be interested in your inside information.
Solutions like Samoby Mobile Security are able to detect ARP Spoofing attacks, or SSL spoofing, and notify you in real time and force the use of a VPN

The second great precaution is to avoid the use of non-secure connections:
  • Do not connect to websites that do not use certificates
  • heed the warnings of unsafe connections: accepting a certificate of unknown entity exposes to Man In The Middle attacks
  • Use a solution like Samoby Mobile Security that detects ARP Spoofing and when an attacker tries to use unreliable certificates.

App threats defense 

Following recommandations and conclusions in part 2 of this post, regarding applications there are several precautions that can be taken:
    Beware of unknown apps
  • never use unofficial apps stores,
  • let the apps update as often as possible
  • Avoid the use of applications that communicate their location publicly: snapshat, Strava, etc. You can even recommend deactivating the location for people whose activity is very sensitive.

Samoby Mobile Security allows you to validate that the installed apps are not in its database of Malware or applications with vulnerabilities. It also allows limiting the use of certain applications based on several criteria: Unofficial applications, dangerous applications, time, location, etc.

Configuration threats

Both apps and network threats protection also requires you to take care when configuring the device that you do not make the job easier for attackers. For what are the device configurations, the main measures to adopt are:
  • Always apply the last safety patch
  • Do not use "rooted" or "Jailbreaked" versions of the phone
  • Do not enable development or debug mode
  • Encrypt the phone data, enabling this option on the phone if it is not by default
  • Have a phone lock scheme or code that is automatically enabled when the phone is idle
  • Disable the installation of applications from unofficial stores
  • Disable the option of automatic connection to open Wifis.

Samoby mobile security
Samoby mobile Security allows a permanent Audit of the configuration, and establish lists of vulnerabilities such as:
  • old versions of OS or security patches not applied
  • Lists of potentially dangerous configurations, such as authorization to install applications from unknown sources, devices in debug mode, or rooted, etc.
  • List of applications on a device from unofficial stores,
  • List of applications installed in a vulnerable version
  • List of applications that use suspicious permissions: access to keys pressed, to camera, location, recorder, etc.

You can contact Samoby to ask for a demo of its mobile security solution.