On Wednesday, November 12, Bluebox Security hosted a webinar titled, “200:1 – Do You Trust Your Mobile Security Odds?” Jeff Forristal, CTO of Bluebox, shares real-life iOS and Android case studies revealing the amount of implicit trust, risk and insecurity found in today’s mobile devices, and what users can do about it.
Watch the recorded webinar in its entirety here:
http://offers.bluebox.com/webinar-trust-security-odds.html
200:1 - Do You Trust Your Mobile Security Odds?
1. 200:1 - Do You Trust Your
Mobile Security Odds?
Jeff Forristal / CTO
2.
3. Secure:
Statement of current security posture
Trustable:
Holistic statement of intent; forward-looking
& comprehensive
4. Secure vs. insecure over time (timeline figure): 0day / vulnerability found; vendor pushes a patch; vendor support EOL
5. You trust a system
will achieve & maintain
your security needs
6. Remember these vulnerabilities?
goto fail;
goto fail;
Heartbleed
Fake ID
iOS jailbreaks
Pangu
TowelRoot
Points in time where we know our mobile devices were insecure…
7. 2014 Vulnerabilities Reported for iOS & Android
iOS: 168 total
78 WebKit/UIWebView
4 SSL
5 kernel code exec
10 system code exec
Android: 62 total
38 from the Lollipop changelog (~16 unconfirmed)
5 kernel code exec
3 bootloader code exec
~7 system code exec
3 SSL
20 Chrome/WebView
Circa Nov 2014; data from Apple security advisories for iOS 7.0.6, 7.1, 7.1.1, 7.1.2, 8, 8.1; Android data collected from multiple sources
8. What / who are
we trusting?
(and are they making good security choices on our behalf?)
9. With so many devices, how do you know which meets your risk
management needs?
Listen to the webinar recording: http://bit.ly/1xvjzlc
Data from Google Play 11/11/2014 for API 10+; Apple developer portal
10. Over 7,200 active Android devices running across the ecosystem!
42
11. Who are the main third-parties we choose to put in our mobile circle of trust?
Hardware Manufacturers Operating Systems Device Manufacturers Carriers
12. The effectiveness of mobile risk
management is largely dependent on
lottery results …
Listen to the webinar recording:
http://bit.ly/1xvjzlc
41. Industry-wide security vulnerabilities (timeline figure: each device alternates between secure and vulnerable periods)
Vendor patching varies with industry-wide security vulnerabilities… some devices live in a mostly insecure state!
42. Bluebox Labs Research -
How long it took vendors to
patch Master Key and Fake
ID vulnerabilities:
~3 attempts and 9 months
to patch all vulnerabilities!
Data from Bluebox Security Scanner, since public release; 250k installs
MK = Master Key
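The "mostly insecure state" of slides 41 and 42 can be made measurable. The following is an added example, not code from the Bluebox deck or the Bluebox Security Scanner: for each device model it takes the dates on which industry-wide vulnerabilities became public and the dates on which that model's vendor or carrier actually shipped the fix, merges the overlapping unpatched windows, and reports how much of the observation period the device spent vulnerable. All vulnerability names, device models and dates below are constructed for illustration; they are not the Note3 or Moto G figures the deck refers to.

```python
"""Exposure-window calculation for a fleet of mobile devices (added example).

For every device model: the union of the intervals [disclosure, patch shipped)
over all known vulnerabilities is the time the device was in a vulnerable
state.  A vulnerability that was never patched (None) stays open until the
end of the observation window.
"""
from datetime import date

# Constructed sample data: the date each vulnerability became public.
DISCLOSED = {
    "bug-A": date(2014, 1, 15),
    "bug-B": date(2014, 4, 1),
    "bug-C": date(2014, 7, 20),
}

# Constructed sample data: per device model, the date the fix actually shipped
# to users.  None means no fix had shipped by the end of the window.
PATCHED = {
    "model-X (carrier 1)": {"bug-A": date(2014, 2, 20), "bug-B": date(2014, 8, 1),
                            "bug-C": date(2014, 9, 1)},
    "model-X (carrier 2)": {"bug-A": date(2014, 5, 1), "bug-B": None, "bug-C": None},
    "model-Y":             {"bug-A": date(2014, 1, 20), "bug-B": date(2014, 4, 10),
                            "bug-C": date(2014, 7, 30)},
}


def merge(intervals):
    """Merge overlapping or touching half-open [start, end) intervals."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def vulnerable_intervals(patches, disclosed, window_start, window_end):
    """Half-open date intervals during which at least one vulnerability was unpatched."""
    intervals = []
    for vuln, disclosed_on in disclosed.items():
        start = max(disclosed_on, window_start)
        fixed_on = patches.get(vuln)
        end = window_end if fixed_on is None else min(fixed_on, window_end)
        if end > start:
            intervals.append((start, end))
    return merge(intervals)


def days_vulnerable(patches, disclosed, window_start, window_end):
    """Total days in the window during which the device was vulnerable to anything."""
    return sum((end - start).days
               for start, end in vulnerable_intervals(patches, disclosed, window_start, window_end))


def exposure_report(window_start, window_end, patched=PATCHED, disclosed=DISCLOSED):
    """Map each model to (days vulnerable, fraction of the window spent vulnerable)."""
    total_days = (window_end - window_start).days
    report = {}
    for model, patches in patched.items():
        days = days_vulnerable(patches, disclosed, window_start, window_end)
        report[model] = (days, round(days / total_days, 2))
    return report


def mostly_insecure(report, threshold=0.5):
    """Models that were vulnerable for more than `threshold` of the window."""
    return sorted(model for model, (_, fraction) in report.items() if fraction > threshold)


if __name__ == "__main__":
    window = (date(2014, 1, 1), date(2014, 11, 1))
    report = exposure_report(*window)
    for model, (days, fraction) in report.items():
        print(f"{model:22s} vulnerable {days:3d} days ({fraction:.0%} of window)")
    print("mostly insecure:", mostly_insecure(report))
```

The interval merge matters: counting each vulnerability's window separately would double-count the months in which two bugs were open at once, while the union gives the honest "was this device exploitable at all on a given day" figure that a risk program cares about. The same model and its carrier variants can land on opposite sides of the 50% line purely because of when the carrier shipped the fix, which is the lottery the deck describes.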
43. iOS jailbreaks (timeline figure, Sep 2013 to Nov 2014): iOS releases 7.0, 7.0.3, 7.0.4, 7.0.6, 7.1, 7.1.1, 7.1.2, 8.0, 8.1; jailbreaks evasi0n7, 7.1 jailbreak reports, Pangu (iOS 7), Pangu8; secure vs. vulnerable periods
45. 1. Exploit one or more vulnerabilities to escape the security
model & execute code in a system-privileged state
2. Make one or more modifications to the system to
generically persist control of the system-privileged state
3. Install user-convenience standard jailbreak utilities
(Substrate, Cydia, SuperSU, etc.)
48. Device specific security
posture analysis is necessary for
Android
OS version (4.4.2 vs 4.4.3 vs. 4.4.4) may not be relevant
Example: Android Fake ID patch back-ported to 4.1.x, 4.2.x,
4.3.x, 4.4.x and released to ODMs
Example 2: Linux kernel futex vulnerability patched by ODMs
without changing the Android version
49. Go beyond traditional
rooting/jailbreak detection
System-level (non-root) compromises are still game-over
Malware can favor non-persistent roots/breaks
50. Consider the total circle of
trust
Trojan keyboards, trojan VPN clients, untrusted system CA
certs, accessibility agents, untrusted app extensions can
undermine device & app security operations
51. Look inwards into the app’s
sandbox
App anti-tampering & fortification to survive a
vulnerable/hostile device environment
Not just data-at-rest, etc. process space integrity
Keep apps & their transactions secure during the inevitable
periods of device insecurity
It’s secure until the next 0day surfaces, so "secure" is very much a point-in-time statement. Trustable is a more holistic concept that incorporates what the system was, is, and will be, irrespective of any point-in-time insecurity faults. Since risk management programs look at risk over periods of time, the notion of trust fits how we actually manage risk better than the notion of security does.
Did you throw away your devices because they were secure?
Not all trusts are equal…
So what winds up happening is that the effectiveness of your mobile risk management strategy is largely dependent upon lottery results.
An interesting failure in security & trust….
Note3 patch timelines, for US carriers (and an international model representation); data from SamMobile
MotoG; stock, then user changes to proactively have better security