“BYOD = Bring Your Own Demise?”

June 22, 2013

What a great quote by David Weinstein…

The BYOD fever is well embedded into Financial Services management thinking.  In some circles, “BYOD” is a reason to like virtually anything.  It is difficult to help some leaders learn what they need to learn to make informed-enough decisions about integrating unmanaged, often anonymous endpoints into heavily-regulated, capital concentrated financial services operations.

Some mobile device users need to see and hear examples in “real life” demonstrations in order for it to make sense to them.

Others are just not motivated to invest additional effort in attempting to understanding the rapidly-evolving risks associated with using their mobile device in a Financial Services business context.

Some are interested in cybercrime and how it might influence their personal or professional life, and may just need better access to useful inputs from the hype-rich fog of inputs on this topic.

And then there are those of you who hunt for this stuff…

Regardless of where you are on this continuum, there is a new video for you.

In “Corporate Espionage via Mobile Compromise” by viaForensics put together this excellent demonstration of how a “legitimate” application on a mobile phone can be a conduit for malware at a later date.

Their RSS reader really works.

It also includes, though, remote control functionality that enables:

  • Accessing device data:
    • Serial number, etc.
    • Local wireless access points
    • Local bluetooth devices
  • Send local device commands
  • File listing for memory card in the phone
    • Retrieve those a hostile party wants
  • List all contact information, including photos
    • Send SMS messages to any of them
    • Ask boss or admin for password
  • Send any SMS via the remotely-exploited phone
  • SMS Monitor (capture replies or strong auth tokens)
  • Read SMS messages
  • Send URLs
  • Access the Call log
    • Full feature filtering
  • Map the target’s location using their GPS.
  • Audio surveillance
    • Phone in pocket or belt is a remote listening device
  • Photo surveillance
  • When the user plugs into a laptop or desktop.
    • Attacker can use the phone as a USB keyboard
    • Mouse control as well
    • Can then execute malware installed on the phone’s storage
    • Or it can fetch it from a remote site

Using this type of malware the attacker bypasses all perimeter defenses and can run any command or application at the permission level of the logged on user.

The demonstration is simple, without hype, and full of good visuals.

In a longer and more detailed video, David Weinstein puts this attack in the context of the mobile kill chain.

He describes the situation that he argues in passing results in BYOD equaling “Bring Your Own Demise,” and backs it up with a demonstration of the mobile compromise from the perspective of a hostile developer.

From the perspective of a security professional, this is the type of presentation that anyone would like to be associated with.  It is top tier con-talk quality, and presented with an almost casual ease that suggests Mr. Weinstein really understands his topic.

But given the topic and the details of the demonstration, and the logic it leads to, by the end of this demonstration, one begins to wilt…

To help counter some of these threats, Mr. Weinstein offers the following risk mitigation recommendations:

  • Enforce constant VPN for corporate devices — which translates into denying split-tunnel to your user base.
  • Limit third party apps and proactively analyze them — which requires device inventory to one extent or another
  • Consider given ecosystems of devices rather than any individual device attack
  • Use and properly configure DLP software on all business endpoints
  • Invest in regular and effective user training and awareness

Part of me wants to push for more, but these presentations stand on their own.

These are extremely well done demonstrations.

With professional production and at a 9-minute run-time, the first is suitable for corporate risk awareness channels or use as management meetings where you are attempting to educate leaders to make better-informed risk decisions.

The second , a 45 minute video from TROOPERScon 13 earlier this year, is perfect for security professionals who need to understand the threat landscape in greater detail.

Don’t miss these resources.

REFERENCES:
“Corporate Espionage via Mobile Compromise – viaForensics.” June 18, 2013.
http://vimeo.com/68588556

“Corporate Espionage via Mobile Compromise: A Technical Deep Dive.” by David Weinstein, May 7, 2013. TROOPERS13 (TROOPERScon)
http://www.youtube.com/watch?v=hkgX6pmf6ic
Slides for this video (12.6 MB):
https://www.troopers.de/wp-content/uploads/2012/12/TROOPERS13-Corporate_Espionage_via_Mobile_Compromise_A_Technical_Deep_Dive-David_Weinstein.pdf

AndroRAT project (Remote Administration Tool for Android devices https://github.com/wcb972/androrat).

1 Comment | Application Security, Data Leakage, Malicious-Code, Mobile, Risk Management, Vulnerabilities | Tagged: , , , , , , , , , , , | Permalink
Posted by completosec