TRANSCRIPT
The Security of MDM systems
Hack In Paris 2013
Sebastien Andrivet
Copyright © 2013 ADVTOOLS SARL
Who am I?
Sebastien Andrivet
Switzerland (Geneva)
Specialized in security
Mobiles (iOS, Android)
Forensic
Developer C++, x86 and ARM
(Cyberfeminist & Hacktivist)
Agenda
Smart devices, BYOD, COPE, ...
MDM typical features
MDM market
MDM & security - on paper
MDM & security - findings
Smart devices
MDM, MAM, ...
MDM
Mobile Device Management
MAM
Mobile Application Management
MCM
Mobile Content Management
Etc.
MDM - Typical features
Device inventory tracking
Software inventory tracking
Telephone expense management
Device tracking
Backup & restore
Remote lock, wipe, etc.
App deployment
Etc.
BYOD - COPE
BYOD: “Bring Your Own Device”
COPE: “Corporate Owned, Personally Enabled”
Differences
Costs
Ownership
Management
NOC, not NOC
Some products use a central relay
Network Operations Center - NOC
Blackberry
Good Technologies
Others do not
MobileIron
Deployment
On premise (virtual server)
Appliance
Cloud-based
MDM Market
Source: Gartner (May 2013)
MobileIron
Management of devices
iOS, Android, BlackBerry, Windows Phone, ...
Enterprise App Store
Integration into Enterprise with API
Exchange/Notes Proxy (Sentry)
No NOC, on-premise or cloud
Uses native apps (thin agent)
Good
Management of devices
iOS, Android, Windows Phone, ...
Not BlackBerry
Enterprise App Store
Access to Exchange/Notes through Good Server
NOC
Uses its own apps (thick agent)
e-mails, calendar, contacts
Security on Paper
CVE, exploit-db, ...
CVE Details
Nothing
Exploit-DB
Only 1 entry for MobileIron (June 10, 2013)
Open Security Research
About Good hacking (read mails)
A paper from iSEC Partners
Some references about SCEP
xCon
Switzerland
My Target
Is it possible for an operator (MDM admin) to:
Read / steal emails
Without authorization
If yes, is it traceable?
In other terms
Is it possible for an IT employee to steal information from their employer
like e-mails of the management, about clients, ...
and sell them to Germany, France, United States, ...
My Tests
These products are big
It takes time to test them entirely
So I focus on only some aspects
Installation / Deployment
Enrollment of devices
Management interface
Timeframe
First series of tests in Oct.-December 2012
Second series in June 2013
MDM
MobileIron
Good
Both with Exchange
On premise (virtual machines)
Good - Network
(Network diagram; labels: MDM server, Firewall, Good NOC, No DMZ, your network, self-service)
MobileIron - Network
(Network diagram; labels: MDM server, Firewall)
MobileIron - Network
(Network diagram: Internet | Firewall | DMZ with the MDM | Firewall | Internal LAN with Exchange, AD, etc.; ports shown: tcp/443 (https), tcp/8080, tcp/9997, tcp/9998 and tcp/398-636, tcp/443 (https))
Operating Systems
MobileIron
CentOS
Good
Windows Server 2008
Processes
Good runs as Administrator of the server
No least privilege
Not possible to change it
MobileIron
users tomcat, apache, mysql, ...
Exchange
MobileIron
Exchange proxy (ActiveSync) “Sentry”
Good
You have to give the Good MDM almost all rights to Exchange mailboxes
Good & Mails
You are not reading e-mails
The Good Server does
All you need to read someone's e-mails
is to enroll a new device (OTA)
No need for the user's password
An MDM admin can do that
See Open Security Research (April 2012)
Admin Interface
MobileIron
Important: this was the state last year (Dec. 2012)
Admin Interface
<Removed in this public version>
Retrieve Passwords in Clear
“Magic” request
https://server.lab/misc/misc.html?action=getLocalUserList&limit=20
Gives the password in clear of... your colleagues!
Mitigation: You have to be authenticated
(Screenshot labels: my password, password of my colleague)
Another magic request
https://server.lab/mifs/admin/ud.html?action=getLDAPConfigs
Gives the password in clear of the LDAP (AD) account!
Mitigation: You have to be authenticated
Cross-Site Scripting
In various places
<img src=1.gif onerror=alert('XSS_in_Name')>
Cross-Site Scripting
<Removed in this public version>
Cross-Site Scripting
Good
They take anti-XSS measures everywhere except in one place
Mitigation
Good & MobileIron session cookies
Secure
HttpOnly
So not so easy to steal (by XSS, ...)
MobileIron
X-Frame-Options: SameOrigin
Cross-Site Request Forgery
MobileIron
Everywhere, no anti-CSRF measures
POST can be replaced by GET
So very easy to use an image, ... to trigger
Good
Everywhere, no anti-CSRF measures
But POSTs
Example - PoC #1
Remove iPhone passcode
When an iOS device is enrolled (configuration profile), an MDM can remove the passcode over-the-air
Only the MDM can do that (validated by certificates)
Using the CSRF vulnerabilities of MobileIron, I have developed a PoC to remove the passcode of a given iPhone
Example - PoC #1
The PoC sends the following (using an <IMG> tag)
https://server/mifs/admin/ud.html?action=unlockpassword&phone=[{%22deviceId%22%3A%23fb2acc3e-47c7-502a-8a80-8fd7dfd97a86%22}]
“23fb...86” is the UUID of the phone to unlock
Of course, some social engineering (or XSS) is necessary
Example - PoC #2
Good
By combining data leakage + XSS + CSRF, we were able to give admin rights to any user
Example - PoC #2
Contrary to MobileIron, CSRF with GET is not possible
Use POST instead
Command Line
MobileIron also has a command line interface
A little like a router
“enable” command for privileged actions
May also be accessible from SSH or Telnet
Depending on configuration
Remote Command Execution
Not found by myself, but by “prdelka”
Exploit-DB, June 10, 2013
Command “show log” uses “less” underneath and sudo
Execute a shell command inside “less” with “!” or “|”
Executed as root
This is patched now
Today
These problems (XSS, CSRF, retrieving passwords in clear, ...) have been fixed in the latest versions of MobileIron
Filtering and replacement to avoid XSS
Not sure (hum...) it is correctly done but no time to investigate further
Anti-CSRF tokens (per session)
But some other problems remain...
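As an added example (not MobileIron's or Good's code), the two server-side checks that close the PoC #1 request and match the per-session anti-CSRF tokens described above: state-changing actions such as unlockpassword are refused over GET, and a POST must carry the session's token, compared in constant time. The set of state-changing action names and the cookie name are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed example, not MobileIron's or Good's code. It models the fix the "Today"
# slide describes (per-session anti-CSRF token) plus refusing state-changing actions
# over GET, so a request fetched by an <img> tag can no longer unlock a phone.
STATE_CHANGING_ACTIONS = {"unlockpassword"}   # assumed list; the slides name only this action

def new_session() -> dict:
    # One random token per session, kept server-side and echoed into admin forms.
    return {"csrf_token": secrets.token_urlsafe(32)}

def session_cookie_header(session_id: str) -> str:
    # Secure and HttpOnly as on the Mitigation slide; SameSite added. Cookie name is assumed.
    return "Set-Cookie: JSESSIONID=%s; Secure; HttpOnly; SameSite=Lax" % session_id

def check_request(method: str, url: str, form: dict, session: dict) -> tuple:
    """Return (allowed, reason) for an admin request carrying ?action=...
    form is the decoded POST body; a GET fetched by an <img> tag carries none."""
    action = parse_qs(urlparse(url).query).get("action", [""])[0]
    if action not in STATE_CHANGING_ACTIONS:
        return True, "read-only action"
    if method != "POST":
        # The PoC #1 request was a GET, so it stops here whatever else it carries.
        return False, "state-changing action requires POST"
    token = form.get("csrf_token", "")
    expected = session.get("csrf_token", "")
    if not token or not hmac.compare_digest(token.encode(), expected.encode()):
        # A cross-site form post cannot read the victim's token, so it stops here.
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"
```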
Weak Encryption
Both products are using AES, SHA, etc.
They are FIPS-blah blah certified
But what about keys...
MobileIron Local Users
With MobileIron, administrators are local users
Not possible to use LDAP (AD) users
Stored in an XML file identityconfig.xml
Password encrypted
MobileIron Local Users
base-64 encoding
AES encryption, with ECB
PKCS#5 padding
key...
<actual passphrase not disclosed in this public version>
This passphrase is derived with SHA-1, one time
PoC #3
Fixed, identical key for all installations
No salt, no iterations (1), no PBKDF2, ...
We have made a small Java application to “recover” passwords from a given installation
The same encryption is used for various information
User Accounts
MobileIron stores accounts (smart device users) in a MySQL database
table mi_users
Same hash, but not same encrypted password (sometimes). Are they using salt?
Keys
No. It uses... 5 keys
These keys are initialized at startup with fixed, hardcoded values
To encrypt a password, one of those keys is chosen randomly
To verify a password, each key is tried one by one...
Same mechanism is used for other passwords
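As an added example (not MobileIron's code), a constructed stand-in for the storage scheme the local-users and Keys slides describe, beside a salted PBKDF2 alternative, plus the audit check that tells them apart by storing one password repeatedly. HMAC-SHA1 with one of five hardcoded keys stands in for AES-ECB with a fixed SHA-1-derived key so the block needs only the standard library; the passphrases, key count and iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the scheme the slides describe, not MobileIron's code:
# a handful of keys hardcoded at startup, one picked at random per stored value,
# no salt, one SHA-1 pass. HMAC-SHA1 replaces AES-ECB so the block needs only the
# standard library; the audited property (tiny key space, no per-record salt) is unchanged.
HARDCODED_KEYS = [hashlib.sha1(b"constructed-passphrase-%d" % i).digest() for i in range(5)]

def weak_store(password: str) -> str:
    key = secrets.choice(HARDCODED_KEYS)          # "one of those keys is chosen randomly"
    tag = hmac.new(key, password.encode(), hashlib.sha1).digest()
    return base64.b64encode(tag).decode()         # base-64 as on the slide

def weak_verify(password: str, stored: str) -> bool:
    tag = base64.b64decode(stored)
    # "each key is tried one by one": anyone holding the hardcoded keys can do the same
    return any(hmac.compare_digest(hmac.new(k, password.encode(), hashlib.sha1).digest(), tag)
               for k in HARDCODED_KEYS)

def strong_store(password: str, iterations: int = 200_000) -> str:
    # Exactly what the slide lists as missing: random salt, many iterations, PBKDF2.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2$%d$%s$%s" % (iterations, base64.b64encode(salt).decode(),
                                base64.b64encode(dk).decode())

def strong_verify(password: str, stored: str) -> bool:
    _, iters, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

def distinct_stored_values(store, password: str, n: int = 40) -> int:
    """Audit check: store the same password n times and count distinct outputs.
    A per-record salt gives n; an unsalted scheme with k hardcoded keys saturates at k,
    which is the "same hash, but not same encrypted password (sometimes)" seen on the slide."""
    return len({store(password) for _ in range(n)})
```

The check needs only the ability to create test accounts and read the stored values back, which is how the 5-key behaviour shows up without any knowledge of the keys themselves.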
PoC #4
We have made a small Java application to “recover” passwords from
a MySQL database
a MobileIron backup
But wait a minute...!
Why is MobileIron storing those passwords?
In particular for LDAP (external users)?
Where are these passwords coming from?
From self-service portal?
From Sentry server (ActiveSync)?
From NSA?
From space?
They come from...
From the smart device app
during enrollment
Password is transmitted and stored
“Save User Password Preferences”
Related to Exchange profiles
MobileIron recommends checking Yes
DO NOT DO THAT!
Agents on devices
“Practical Attacks against Mobile Device Management (MDM)”
BlackHat 2013, Lacoon Mobile Security
How to break Good (and others) secure containers
But I personally don’t agree with them regarding iOS
Agents on devices
“Auditing Enterprise Class Applications and Secure Containers on Android”
iSEC Partners, Dec. 2012
Only Android
Good & MobileIron
Breaking encryption keys, defeating rooting detection, ...
More...
There are several more points
MobileIron & iOS keychain
Good AES keys generation
Jailbreak detection
Etc.
But time is limited
Perhaps for another talk...
Conclusion
The actual security of an MDM solution is very dependent on its configuration
For ex. “Save user password”
Very dependent on the deployment context
Case by case
Like any somewhat complex system
Conclusion
Security was not the priority of MDM systems
At least during development
Situation is improving
But still vulnerable points like encryption
Difficult to say that one product is safer than another
Good is better programmed
But Good NOC is a problem
Thank you!
Follow me on Twitter
@AndrivetSeb
Web site
www.advtools.com
My e-mail