200:1 - Do You Trust Your Mobile Security Odds?

  1. 200:1 - Do You Trust Your Mobile Security Odds? Jeff Forristal, CTO
  2. Secure: a statement of current security posture. Trustable: a holistic statement of intent; forward-looking and comprehensive.
  3. (Timeline chart) A device moves between Secure and Insecure over time; the transitions are: 0day / vulnerability found, vendor pushes a patch, vendor support EOL.
  4. You trust a system will achieve & maintain your security needs
  5. Remember these vulnerabilities? goto fail; goto fail; Heartbleed, Fake ID, iOS jailbreaks (Pangu), TowelRoot. Points in time where we know our mobile devices were insecure…
  6. 2014 vulnerabilities reported for iOS & Android (circa Nov 2014). iOS: 168 total; 78 WebKit/UIWebView, 4 SSL, 5 kernel code exec, 10 system code exec. Android: 62 total; 38 from the Lollipop changelog (~16 unconfirmed), 5 kernel code exec, 3 bootloader code exec, ~7 system code exec, 3 SSL, 20 Chrome/WebView. Data from Apple security advisories for iOS 7.0.6, 7.1, 7.1.1, 7.1.2, 8 and 8.1; Android data collected from multiple sources.
  7. What / who are we trusting? (and are they making good security choices on our behalf?)
  8. With so many devices, how do you know which meets your risk management needs? (Chart; data from Google Play 11/11/2014 for API 10+ and the Apple developer portal.)
  9. Over 7,200 active Android devices running across the ecosystem! (The chart also shows the figure 42.) Data from Google Play 11/11/2014 for API 10+; Apple developer portal.
  10. Who are the main third parties we choose to put in our mobile circle of trust? Hardware manufacturers, operating systems, device manufacturers, carriers.
  11. The effectiveness of mobile risk management is largely dependent on lottery results …
  12. Case Study: Samsung Note3 on AT&T
  13. Samsung Note3 on AT&T: third parties included in the "circle of trust" (chart)
  14. Device-specific apps that are uniquely installed based on the carrier …
  15. Samsung Note3 comes with … 312 apps pre-installed; 45 of the pre-installed apps are non-Samsung (3rd party); 151 pre-installed roots of trust.
  16. 54 apps have system-level privileges; 86 apps have "dangerous" permissions; 1 hard-coded open wifi profile; and…
  17. Blackphone: how secure is it really? (The slide shows the figures 54, 86 and 1, labelled "apps have system-level privileges" and "hard-coded open wifi profile".)
  18. Samsung Note3: Inherent Circle of Trust
  19. Circle of trust grows with third parties: over 200 entities driving & affecting our security and data on the device
  20. Certificate authorities with Government/State interest: pre-installed on Android
  21. Pre-installed root certificates for academic research: pre-installed on Android
  22. Pre-installed root certificates on iOS 8 …
  23. iOS 8 includes… 236 pre-installed roots of trust (and no way to disable any of them)
  24. Questioning the Chain of Trust Download whitepaper here:
  25. It's not just about the device … don't forget about the apps: 122 shared libraries on apps.
  26. 122 shared libraries on apps (chart)
  27. iOS 8 also includes… 189 dylibs (including Swift). Internal testing on an iOS 8.1 iPod Touch, using a hybrid Swift app.
  28. “Attack Surface”
  29. What version is your device running on?
  30. Analysis of Samsung Note3 patch updates by major carriers (chart, Sep 2013 to Sep 2014: Sep, Nov, Mar, May, Jul, Sep). Rows: Google reference release, AT&T, Sprint, Verizon, T-Mobile, US Cellular, and Int'l/UK et al. The carrier and international builds are shown at 4.3 and 4.4.2, while the Google row advances through 4.4.2, 4.4.3 and 4.4.4. Data for SM-N900A/SM-N900P/SM-N900R4/SM-N900T/SM-N900V/SM-N9005, circa Oct 1 2014 (from SamMobile, per the speaker notes).
  31. So… are we really making the best trust choices?
  32. With so many choices, how do we pick the most trustable device?
  33. Can we measure something as a basis for trust?
  34. Quantify the trust of a device with “Trustable by Bluebox” for Android
  35. How users affect security and trust scores (you can improve!): Motorola example, comparing Motorola out of the box with Motorola with proactive security (chart).
  36. Trustable by Bluebox Methodology and details available as downloadable whitepaper
  37. Samsung Note3 Trust Score
  38. Call to Action: Mobile Risk Management
  39. Recognize the realities (shortcomings) of mobile security
  40. (Timeline chart, Secure/Vulnerable bands) Industry-wide security vulnerabilities, combined with vendor patching variables, mean some devices live in a mostly insecure state!
  41. Bluebox Labs research: how long it took vendors to patch the Master Key (MK) and Fake ID vulnerabilities: ~3 attempts and 9 months to patch all vulnerabilities! Data from Bluebox Security Scanner since public release; 250k installs.
  42. (Timeline chart, Sep 2013 to Sep 2014) iOS releases 7.0, 7.0.3, 7.0.4, 7.0.6, 7.1, 7.1.1, 7.1.2, 8.0, 8.1 against iOS jailbreaks: evasi0n7, 7.1 jailbreak reports, Pangu (iOS 7), Pangu8 (Nov); Secure/Vulnerable periods marked.
  43. A note about rooting/jailbreaking…
  44. (1) Exploit one or more vulnerabilities to escape the security model and execute code in a system-privileged state. (2) Make one or more modifications to the system to generically persist control of the system-privileged state. (3) Install user-convenience standard jailbreak utilities (Substrate, Cydia, SuperSU, etc.).
  45. Manage risk in a hostile environment
  46. Device security guides
  47. Device-specific security posture analysis is necessary: the Android OS version (4.4.2 vs 4.4.3 vs 4.4.4) may not be relevant. Example 1: the Android Fake ID patch was back-ported to 4.1.x, 4.2.x, 4.3.x and 4.4.x and released to ODMs. Example 2: the Linux kernel futex vulnerability was patched by ODMs without changing the Android version.
  48. Go beyond traditional rooting/jailbreak detection: system-level (non-root) compromises are still game over, and malware can favor non-persistent roots/breaks.
  49. Consider the total circle of trust: trojan keyboards, trojan VPN clients, untrusted system CA certs, accessibility agents and untrusted app extensions can undermine device & app security operations.
  50. Look inwards into the app's sandbox: app anti-tampering & fortification to survive a vulnerable/hostile device environment; not just data-at-rest, etc., but process-space integrity; keep apps & their transactions secure during the inevitable periods of device insecurity.
  51. Device & App Integrity
  52. Questions?
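Slides 15 and 16 count the Note3's pre-installed apps by privilege level and by "dangerous" permissions. The script below is an added example, not part of the deck or of Bluebox's tooling: it parses the output of `adb shell dumpsys package` and produces the same kind of tally. The dump embedded in it is a constructed, simplified excerpt in the Android 4.x layout (only the fields used here); the vendor package prefixes and the rule for "system-level privilege" (shares android.uid.system, carries the PRIVILEGED flag, or is installed under /system/priv-app) are assumptions made for the example.

```python
import json
import re
from dataclasses import dataclass, field

# Subset of permissions Android classifies at protection level "dangerous".
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.WRITE_EXTERNAL_STORAGE",
}
# Assumed first-party prefixes for a Samsung build; anything else is "third party".
VENDOR_PREFIXES = ("com.android.", "com.google.", "com.sec.", "com.samsung.")

PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^[\w.]+\.permission\.[\w.]+$")

# Constructed sample in the shape of `adb shell dumpsys package` on KitKat.
SAMPLE_DUMP = """\
Packages:
  Package [com.android.settings] (42a0b1c8):
    userId=1000 gids=[3002, 3001]
    sharedUser=SharedUserSetting{41f0c2d0 android.uid.system/1000}
    codePath=/system/priv-app/Settings
    flags=[ SYSTEM HAS_CODE PRIVILEGED ]
    grantedPermissions:
      android.permission.WRITE_SETTINGS
      android.permission.READ_PHONE_STATE
  Package [com.sec.android.app.camera] (42a1b2c3):
    userId=10021 gids=[1006, 1015]
    codePath=/system/app/SamsungCamera
    flags=[ SYSTEM HAS_CODE ]
    grantedPermissions:
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
  Package [com.carrier.widgets] (42a2c3d4):
    userId=10045 gids=[3003]
    codePath=/system/priv-app/CarrierWidgets
    flags=[ SYSTEM HAS_CODE PRIVILEGED ]
    grantedPermissions:
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.INTERNET
  Package [com.thirdparty.social] (42a3d4e5):
    userId=10061 gids=[3003]
    codePath=/system/app/Social
    flags=[ SYSTEM HAS_CODE ]
    grantedPermissions:
      android.permission.INTERNET
  Package [com.example.userapp] (42a4e5f6):
    userId=10102 gids=[3003]
    codePath=/data/app/com.example.userapp-1.apk
    flags=[ HAS_CODE ]
    grantedPermissions:
      android.permission.ACCESS_FINE_LOCATION
"""


@dataclass
class Pkg:
    name: str
    code_path: str = ""
    shared_user: str = ""
    flags: set = field(default_factory=set)
    perms: set = field(default_factory=set)

    def preinstalled(self) -> bool:          # shipped on the system image
        return self.code_path.startswith("/system/")

    def system_privileged(self) -> bool:     # heuristic, see lead-in
        return ("android.uid.system" in self.shared_user
                or "PRIVILEGED" in self.flags
                or self.code_path.startswith("/system/priv-app/"))

    def dangerous(self) -> set:
        return self.perms & DANGEROUS

    def third_party(self) -> bool:
        return not self.name.startswith(VENDOR_PREFIXES)


def parse_dumpsys(text: str) -> list:
    """Split a dumpsys package dump into Pkg records."""
    pkgs, cur, in_perms = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = PKG_RE.match(line)
        if m:                                 # new package block
            cur = Pkg(m.group(1)); pkgs.append(cur); in_perms = False
            continue
        if cur is None:
            continue
        if line.startswith("codePath="):
            cur.code_path = line.split("=", 1)[1]
        elif line.startswith("sharedUser="):
            cur.shared_user = line.split("=", 1)[1]
        elif line.startswith("flags=["):
            cur.flags = set(line[len("flags=["):].rstrip("]").split())
        elif line.lower().endswith("permissions:"):
            in_perms = True                   # permission list follows
        elif in_perms and PERM_RE.match(line):
            cur.perms.add(line)
        else:
            in_perms = False                  # any other field ends the list
    return pkgs


def inventory(pkgs: list) -> dict:
    """Tally the pre-installed "circle of trust" the way slides 15-16 do."""
    pre = [p for p in pkgs if p.preinstalled()]
    return {
        "preinstalled": len(pre),
        "third_party": sum(p.third_party() for p in pre),
        "system_privileged": sum(p.system_privileged() for p in pre),
        "dangerous_perms": sum(bool(p.dangerous()) for p in pre),
        # the worrying overlap: non-vendor code that is both privileged and
        # holds dangerous permissions
        "third_party_privileged": [p.name for p in pre
                                   if p.third_party() and p.system_privileged()],
    }


if __name__ == "__main__":
    print(json.dumps(inventory(parse_dumpsys(SAMPLE_DUMP)), indent=2))
```

On a real device, feed it `adb shell dumpsys package > dump.txt` and extend VENDOR_PREFIXES to the OEM's namespaces; the third-party-and-privileged list is where a reviewer should start reading.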
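Slide 47 argues that the Android release string cannot tell you whether a device carries a given fix, because ODMs back-ported fixes (Fake ID, the futex bug) without bumping the version. The following added example (not from the deck) keys the check on `ro.build.date.utc` and the build fingerprint from `adb shell getprop` instead, and falls back to that because KitKat-era builds do not expose `ro.build.version.security_patch`. The `getprop` excerpts and the FIXED_BUILDS table (earliest build timestamp known to contain a fix, per model) are constructed for illustration and are not real Samsung data; in practice that table has to come from the vendor's release notes or from testing the bug directly.

```python
import re

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Hypothetical table: (model, issue) -> earliest ro.build.date.utc that ships the fix.
FIXED_BUILDS = {
    ("SM-N900A", "fake-id"): 1409000000,
    ("SM-N900T", "fake-id"): 1410000000,
}

# Constructed getprop excerpts: same release string, different builds.
DEVICE_A = """\
[ro.product.model]: [SM-N900A]
[ro.build.version.release]: [4.4.2]
[ro.build.id]: [KOT49H]
[ro.build.date.utc]: [1396000000]
[ro.build.fingerprint]: [samsung/hlteatt/hlteatt:4.4.2/KOT49H/BUILD1:user/release-keys]
"""
DEVICE_B = """\
[ro.product.model]: [SM-N900A]
[ro.build.version.release]: [4.4.2]
[ro.build.id]: [KOT49H]
[ro.build.date.utc]: [1412000000]
[ro.build.fingerprint]: [samsung/hlteatt/hlteatt:4.4.2/KOT49H/BUILD2:user/release-keys]
"""
DEVICE_C = """\
[ro.product.model]: [SM-N9005]
[ro.build.version.release]: [4.4.2]
[ro.build.date.utc]: [1412000000]
"""


def parse_getprop(text: str) -> dict:
    """Turn `[key]: [value]` lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def posture(props: dict, issue: str, fixed_builds: dict = FIXED_BUILDS) -> dict:
    """Classify a device as fixed / vulnerable / unknown for one issue.

    The decision never looks at ro.build.version.release: it compares the
    vendor build timestamp against the first build known to carry the fix.
    """
    model = props.get("ro.product.model", "?")
    release = props.get("ro.build.version.release", "?")
    build_utc = int(props.get("ro.build.date.utc", "0"))
    patch_level = props.get("ro.build.version.security_patch")  # absent pre-Android 6
    fixed_at = fixed_builds.get((model, issue))
    if fixed_at is None:
        state = "unknown"        # needs a device-specific test, not a version check
    elif build_utc >= fixed_at:
        state = "fixed"
    else:
        state = "vulnerable"
    return {"model": model, "release": release, "build_utc": build_utc,
            "fingerprint": props.get("ro.build.fingerprint"),
            "patch_level": patch_level, "issue": issue, "state": state}


def version_alone_is_misleading(props_a: dict, props_b: dict, issue: str) -> bool:
    """True when two devices report the same release but differ in fix state."""
    a, b = posture(props_a, issue), posture(props_b, issue)
    return a["release"] == b["release"] and a["state"] != b["state"]


if __name__ == "__main__":
    for dump in (DEVICE_A, DEVICE_B, DEVICE_C):
        print(posture(parse_getprop(dump), "fake-id"))
```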

Editor's notes

  1. It's secure, until the next 0day surfaces – very point-in-time. Trustable is a more holistic concept that incorporates what it was, is, and will be, irrespective of any point-in-time insecurity faults. Since risk management programs look at risk over periods of time, the notion of trust is more appropriate to how we actually manage risk, rather than security.
  2. Did you throw away your devices because they were secure?
  3. Not all trusts are equal…
  4. Not all trusts are equal…
  5. So what winds up happening is the effectiveness of your mobile risk management strategy is largely dependent upon lottery results
  6. An interesting failure in security & trust….
  7. Note3 patch timelines, for US carriers (and an international model representation); data from SamMobile
  8. MotoG; stock, then user changes to proactively have better security
  9. An interesting failure in security & trust….
  10. Note3 patch timelines, for US carriers (and an international model representation); data from SamMobile