Amphion Forum 2013 Practical Attacks Against Popular MDM Solutions (and What Can We Do About It)

Michael Shaulov CEO, Co-Founder

Agenda

l  About Lacoon

l  Your Data

l  Exploits to target enterprise data on mobile devices

l  Your Information

l  Point & click mobile remote access Trojans

l  Your Life

l  Mobile device Trojans as a service (M-TaaS)

l  Hacking iOS devices?

Lacoon Mobile Security

l  Founded by mobile security experts from the Defense and

Security industries

l  Serving the Fortune-1000

l  Cutting edge research team

l  Partnerships with leading mobile operators

l  Well-funded and backed by security industry veterans and

Index Ventures

Why to Hack Mobile Devices?

BYOD and Corporate Mobility

“More than

60% of organizations enable BYOD”

Gartner, Inc. October 2012

Mobile Devices: Attractive Attack Target

Eavesdropping

Extracting contact lists, call &text logs

Tracking location

Infiltrating internal LANs

Snooping on corporate emails and application data

Enterprise Mobile Data Protection Solutions?

Enterprise Security & Data Protection Solutions

l  Mobile Device Management (MDM)

l  Secure Containers

l  Wrappers

l  VDI

YOUR DATA

Hacking Enterprise Data on Mobile

Devices

What is a Secure Container?

MDMs and Secure Containers

3 features:

l  Encrypt business data l  Encrypt communications to the

business l  Detect Jailbreak / Rooting of

devices

Difficulty to Hack?

or Cost of Attack?

12 Hours | 1000 USD

Attack Demo

Step 1: Infect the device

Step 2: Install a Backdoor / aka Rooting

Administrative Every process can run as an administrative (root) user if it is able to triggr a vulnerability in the OS

Vulnerability Each Android device had/ has a public vulnerability

Exploit Detection mechanisms don’t look at apps that exploit the vulnerability

Step 3: Bypass Containerization

Jo, yjod od sm r,so;

Storage

Jo, yjod od sm r,so;

Storage

Step 3: Bypass Containerization

Jo, yjod od sm r,so;

Hi, This is an email

Storage Memory

Step 3: Bypass Containerization

Jo, yjod od sm r,so;

Hi, This is an email

Storage Memory

Exfiltrate information

Step 3: Bypass Containerization

How Many Privilege Escalation Exploits are Out There?

Date Name Affected Devices 12/2012 Exynos Most Samsung

Devices (Galaxy S2/3, Note…)

6/2013 MasterKey 1

All devices

8/2013 MasterKey 2

All devices

11/2013 MasterKey 3 All devices

11/2013 V-Root All devices, bypass SEAndroid…

How Many Privilege Escalation Exploits are Out There?

Date Name Affected Devices 12/2012 Exynos Most Samsung

Devices (Galaxy S2/3, Note…)

6/2013 MasterKey 1

All devices

8/2013 MasterKey 2

All devices

11/2013 MasterKey 3 All devices

11/2013 V-Root All devices, bypass SEAndroid…

YOUR INFORMATION

Mobile Remote Access Trojans

(mRATs)

Point & Click | Free (0 USD)

AndroRAT – Point & Click mRAT Generator

l  Injects polymorphic mobile remote access Trojan to any

Android application

l  Released as Open Source on Nov 2012

l  https://github.com/DesignativeDave/androrat

l  Forked many times

l  Available on many dark forums

AndroRAT Demo

YOUR LIFE

Mobile Device Trojans as a

Service (M-TaaS)

Read the Manual | 60 USD per Year

Commercial mobile surveillance tools

mSpy Demo

Survey: Cellular Network 2M Subscribers Sampling: 650K

Infection rates:

June 2013:

1 / 1000 devices

Survey: Cellular Network 2M Subscribers Sampling: 650K

Infect a non-JB iOS 7 iPhone with

a mRAT?

Current Solutions in Use to Protect Mobility

http://www.lacoon.com/hand-of-thief-hot-moves-its-way-to-android/

Anti Virtual Machine - “the best way to infect the user is by placing the malware on Google Play”

Lacoon MobileFortress – Behavior-based Detection & Mitigation

Malware Analysis

Threat Intelligence

Vulnerability Research

Application Behavioral

Analysis

Device Behavioral

Analysis

Multi-Layer Mitigation

Thank You. Contact details: www.lacoon.com contact@lacoon.com Twitter: @LacoonSecurity