Oct 2014 Mobile Device Security @ IIR

Day 2Marc Smeets

Passionate about• IT security and hacking • Fast cars and champagne (not together)

IT Security advisor / Ethical hacker • Jan 2014 - now: Independent advisor @ Linq42 • 2006 – 2013 @ KPMG Information Protection Services • Strong technical skills -> business use • Testing mobile since 2009

Who am I

Management of Mobile devices

Platforms

Agenda - day 1

Background and landscape

Other platforms

Agenda - day 2

Usage statistics

Amount of smartphones sold in 2013? • 968.000.000 • 57,6% of all phone sales • 1st time surpassing non smartphones

Major vendors in 2013?• Samsung: 300.000.000 • Apple: 150.000.000

The older platforms

Other mobile platforms - BlackberryBlackBerry• Since 1999 • Since August 2013 “intention to sell the company” • Custom hardware and custom OS, many releases • Since 4.0 ‘modern’, 7.1 latest of old OS, 10.0 new OS

BlackBerry Enterprise Server• MDM before it was called MDM

BlackBerry Tablet OS• QNX-based • V1.0 -> V2.0 -> BlackBerry 10 • Android .apk support

Other mobile platforms - Symbian

Multiple owners, original Psion

Long used by Nokia for N and E series

Nokia now switched to Windows Mobile

New platforms

The battle beyond mobile

Battle beyond mobile

SWOT Apple Microsoft Google

Strength• Strong in mobile phones and

tablets in corporate world, partly in consumer world

• Shininess-factor

• Strong in corporate world (servers, desktop, training, services, etc.)

• Strong “ownership” of the consumer’s online ID

• Allows for cheap devices -> strong in consumer world

Weakness• Small presence of desktop

and server in corporate world• Corporate presence due to

MDM

• Tablets and mobile phones, both corporate and consumer market

• Android almost non existing in corporate world

• Android’s reliance on 3rd party vendors

Opportunity • Macs and OSX in corporate environment

• Windows Phone 8 and Windows 8 have great new features

• Android *anywhere*• Corporate services around

online ID

Threat• OSX not meeting corporate

needs and demands• Too expensive

• If not acting soon will become ancient computer company

• Android’s open model may result in too little too late

• Prone to malware

Battle beyond mobile

How about wearables?

Battle beyond mobile - Windows 8 family

How to get to the level of iOS/Android, and beyond?• Desktop = Windows • Phones = Windows Phone • Tablets = ??

"They draw the line between the phone/tablet and the PC.

We are drawing the line between the PC/tablet and the phone."

Battle beyond mobile - Windows Mobile/PhoneHistory• ‘90s • Windows CE – PocketPC 2000/2 • Windows Mobile 2000 -2003, 6 – 6.5 • Windows Phone 7 – 7.5 • Windows Phone 8

Architecture• Stylus • Related to Windows but different software origin • Dedicated vendors make hardware • Exchange ActiveSync

• Proprietary but licensed to others

Battle beyond mobile - Windows 8

Windows 8• New operating system for desktops and tablets • Single OS for both X86 / Arm architectures

• except, not exactly: • Windows RT - ARMv7 - Surface RT • Windows 8 - x64 - Surface Pro

• Metro interface for easy touch - Can switch between interfaces • Surface RT / Windows RT all in Metro interface

• Surface devices in-house created by Microsoft

Battle beyond mobile - Windows 8 (cont.)

Windows 8• Strong integration with existing MSFT architecture

• Active Directory / SCCM / InTune • Windows Store • Multi user • Nifty features

• Security features Secure boot, measured boot, ELAM, DAC • DirectAccess • Hyper-V virtualization • Picture Password

Desktop platforms - Mac OS X

History• Not talking pre OS X • Mac OS X, strong but small client base • Lost battle for the corporate world due to lack of mngt tools

(amongst other reasons)

• iOS huge success in consumer world • iOS not welcome in corporate world due to lack of control

Into corporate world• The path that worked for iOS:

• Open up iOS for security checks • Allow 3rd party MDMs control iOS

• The path that may work for OSX: • Slingshot OSX using iOS functionality

• Maps / iMessage / FaceTime / iCloud / Notification Center / etc • Open up OSX for security checks a la iOS • Allow 3rd party MDMs • But also make own MDM

Desktop platforms - Mac OS X (cont.)

Summary

Enrolling mobile devices results in new risks• Broader then expected, e.g. legal, technology, cloud integration, backup • Broader eco-system, thankfully the proper tools are now here

How to continue• Stay up-to-date with recent developments • Know your weaknesses. Take a look at your

organization from an attacker’s perspective. • 100% security is not possible. And undesirable! • No technical solution fixes it all, mitigate risks by people

processes and technology • Prevention is insufficient. Invest in detection and response.

Hands-on hacking demos

marc@linq42.nl

+31 6 5136 6680

@mramsmeets