Embed Size (px)
Citation preview
#RSAC
AndrewHoog
HowAndroidandiOSSecurityEnhancementsComplicateThreatDetection
SessionID:MBS-R03R
CEONowSecure@ahoog42
#RSAC
MobileSecurityIncidentsAreGoingUndetected
#RSAC
Highprofileexamplesofmobilecompromise
CYBERCRIMEFORFINANCIALGAIN
TARGETEDATTACKS
THRIVINGMARKETFORMOBILEEXPLOITS
#RSAC
Historicrecurrence– Web/PCattacksasproxy
Malware
Ransomware
Targetedattacks
“Historymaynotrepeatitselfbutitsuredoesrhyme.”—MarkTwain(reputedly)
#RSAC
Predatorfollowsprey: 2of3minutesarenowmobile
476,553 480,967 550,522 491,743
409,847621,410
778,954 864,32877,081
97,440
118,299 124,787
2013 2014 2015 2016
TOTALMINUTESSPENTONDIGITALMEDIAMobileWebMobileAppDesktop
http://www.comscore.com/layout/set/popup/content/download/36073/1978401/version/1/file/2016_US_Mobile_App_Report.pdf
#RSAC
Knownvulnerabilitiesperplatform(CVEs)
561
492425 423
168112
33 20 6 1 0
173 155 160
87124
74
275
0 0 0 1
DenialofService
ExecuteCode Overflow MemoryCorruption
GainInformation
BypassSomething
GainPrivilege XSS DirectoryTraversal
CSRF SQLInjection
iOS Android
Android• 619lifetimeCVEs(2009– 2016)• 523CVEsin2016
iOS• 984lifetimeCVEs(2007– 2016)• 161CVEsin2016
http://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49
#RSAC
Theapertureisspiralingshut
Legacytoolsandmethodsdon’tworkformobile
PlatformarchitectureandAPIrestrictionsrestrictvisibility
Platformsecurityenhancementsdisarmresponders/defenders
Attackersknowmorethantherestofus(asymmetricadvantage)
Securitytelemetryisephemeral,onlyonepointintime
#RSAC
PlatformSecurityEnhancementsThatPutBlindersOnDefenders/Responders
#RSAC
1.Prohibitingadmin/rootaccess
PROS
Sandboxing& lackofrootaccesslimitsimpactofsecurityflaws–knownandunknown
Improvesprivacybyrestrictingapp’saccesstosensitivedeviceandotherappdata
CONS
Attackerscontinuetofindwaystoelevateprivileges,givingthemthemtheadvantage
Securitysoftwarecannotrunonthesystemwithsufficientaccesstodetect/preventattacks
#RSAC
PROS CONS
2.Hamstringingsecuritytoolsonmobiledevices
ForcesOSvendorstobuildsecurityintotheirsystem
Preventstheinstallationofsecurityappsthatmightharborvulnerabilities(e.g.,somePC-basedsecuritysoftwarehasseriousflaws)
Securityappsgeneratedatathatcaneasilybeabused
Lackofvisibilityfordefendersmakesdetectingattacksnearlyimpossible
Continuousmonitoring,anomalydetection,etc.becomeimpossible
Securityinnovationwithers
#RSAC
PROS CONS
3.Restrictingback-ups
Reducesoverallattacksurface
Datafromadeviceisfarlessaccessibletoattackers
Informationcriticaltoinvestigatingasecuritybreachisnolongeraccessibletodefenders
Attackersbarelyhavetocovertheirtrackswithfewfootprintsleftbehind
Importantdevice-specificartifacts(e.g.theactualappbinary)notavailableforanalysis
#RSAC
PROS CONS
4.EliminatingaccesstoAPIs&devicedata
Endusers’privacy& datacannotbeviolated(un)intentionallybydevelopers
ReducingcomplexityandquantityofAPIsreducesoverallattacksurface
Defenderslackeventhemostbasicvisibilityintowhat’shappeningonthedevice
(Near)continuousmonitoringisimpossibleviaanapp
Forcesdefenderstophysicallyconnectadevicetoextractrelevanttelemetry
#RSAC
PROS CONS
5.Implementingsecurebootmechanisms
Defenderscannotaccesssystemimagesorcriticaldevicedataforaninvestigation
Security-consciousexpertscannotinstallalternativeoperatingsystems
Securityresearch,instrumentation,&honeypotsbecomeincrediblydifficult
Anattackerwithphysicalaccesstoyourdevicecan’tbootanalternativeROM& extractyourdata
Abilitytoimplement“TrustedComputing”capabilitiesliketrustedplatformmodules(TPMs)andvendor-specificextensions(e.g.,KNOX,QualcommHaven,etc.)
#RSAC
Platformowners’policies,responsetogovernment&LE
Platformownerswanttogrowandexpandworldwide
Platformownershavemadeconcessionstogovernmentrequestsinthepast(e.g.,inordertooperateinothercountries)
Iftheplatformownerdoesn’tyieldtogovernmentpressure,thegovernmentwilltapthemarkettogetwhattheywant(aswesawintheSanBernardinocase)
#RSAC
OvercomingCurrentForensicTools’Limitations
15
#RSAC
Thelimitsofavailableforensictoolsasrelatestomobile
Samefundamentals,butdifferentangle–weneedmorethancourt-admissibleevidence
Can’taccesssomedataduetoplatformsecurityenhancements
Lessemphasisonappdataandintegrityofoperatingsystemandapps,keyareasdefendersexamineforcompromise
#RSAC
Examplesofwhataforensicanalystislookingfor
STOREDANDDELETEDDATA
(e.g.,iMessages,SMS,e-mail,etc.)
USERLOCATIONHISTORY
TIMELINEOFEVENTS
(basedontherecoverabledata)
10101010101010101010101010101010
#RSAC
Examplesofwhatadefender/responderislookingfor
DEVICEINTEGRITYINFORMATION
(e.g.,OS,bootloader,howhealthyisthedeviceitself?)
APPDATA
(e.g.,installed/uninstalledapps,securityflaws,datacollected)
TRAFFICDESTINATIONS
(e.g.,wasdataexfiltrated andifso,wheretoandisitpersistent?)
1010101010101010101010101010101010101010101010101
#RSAC
iCloudversuson-deviceiOSforensics
vs.
DATARECOVEREDFROMICLOUD
DATARECOVEREDVIAON-DEVICEFORENSICS
Moredataisaccessiblewithaccesstothephysicaldevice(providedyouhavethePIN/password)
Ifenabled,devicesbackupmorefrequentlytocloudthaniTunes.
SomecommercialandOSStoolsavailableandaccessdatasuchas:callhistory,messages,attachments,contacts,Safaridata,Googledata,Calendardata,Notesdata,info&settingsdata,CameraRolldata,andsocialcommunications
#RSAC
Introducing:TheMobile-triageTool
#RSAC
ios-triage
WHATITIS:amobileincidentresponsetool
WHOIT’SFOR:incidentresponders,defenders,hackers
WHATITDOES:extractsmobileartifactsthatmatter,presentsthemforanalysis,combinesandcorrelatesthemwithotherrelevantdata
HOWIT’SDIFFERENT:providesmorevisibilityintodatarelevanttodefendingagainstorrespondingtomobilesecurityincidents
WHERETOGETIT:https://github.com/ahoog42/ios-triage
#RSAC
Toolsetarchitecture/workflow
1 EXTRACT
Unlocked&Trusted
OSX(Linux)
USB
2 PROCESS<dir>/UDID/epoch/artifacts
/processed/report
Multipleepochs(i.e.,timestamps)
ios-triageprocess
3 REPORT
1010101010101010101010101010101010101010101010101
#RSAC
LiveDemo- Details
Overviewofdeviceandappanalysis
Detailedviewofartifactdataforalldomains
Appspecifictelemetryincludingentitlements,backgroundmodes,privacysensitiverequests,transportsecurityexceptions
#RSAC
LiveDemo- Issues
Flagissuesinonecentrallocation
Includestheissue,levelofimpact,description,andremediationtips
Flexibleandextensibletransformationofprocessedartifactsintoissues
#RSAC
LiveDemo- Diffs
Display`diff`intheoutputfromtwoseparatereports
Abilitytotrackchangestoadeviceovertime
#RSAC
LiveDemo- Community
Contributenon-PIItelemetry
Detectanomalies
Addnewthird-partydatasources
Enablecommunitydrivenresearch(e.g.IOCs,TTP,etc.)
#RSAC
ExampleofdiffsbetweeniOS8.xand10.x
iOS8showeddeletedapps,usefultodetectifaforensicsappwasInstalledThenremovedafterexfiltration
InabilitytodownloadtheactualappsinstalledonthedeviceAllowingattackerstohideHindertheabilitytodetermineIOCs,TTPs,etc
#RSAC
FutureWork
Allowsharingofnon-identifyingdatatocreatecrowd-sourceddatabase
Movetoadatabasebackend
DownloadiOSappsviaiTunesandperformstaticanalysis
Integrateseveralthird-partydatasources
Releaseandroid-triage
#RSAC
Howyoucancontribute
Runthetool
Contactmewithfeedback,bugs,suggestionsTwitter:@ahoog42GitHub:https://github.com/ahoog42Email:[email protected]
Participateincrowd-sourcedefforts
Pitchinonfuturedevelopmentwork
#RSAC
SummaryandNextSteps
#RSAC
Keytakeaways
Theplatformsbuildsecurityoutratherthanin(i.e.,attackerscanpenetratethe“walledgarden,”butdefenders/responderscan’tseewhat’sgoingonbecauseweplaybytherules)
Asaresult,followingthetrajectoryoflaptopsecurityisimpossibleunlesstheindustrychangesorwesummonthepowertomakeitchange
Weneedtodiminishattackers’asymmetricadvantage,butwithoutmoresharingofmoredata,wehaveephemeraldatawecan’tcomparetoanything
1
2
3
#RSAC
Applywhatyou’velearned
NEXTWEEKYOUSHOULD:Downloadthetoolandrunitagainstyourpersonalphone
WITHIN30DAYSYOUSHOULD:Runthetooloncriticaldeviceswhereyouseethehighestrisk(e.g.,usedbyCEOandCFO)sothatyouhaveabaselineforcomparison/detection
WITHINTHREEMONTHSYOUSHOULD:Educateusersonhowtoreportpotentialincidentstoyou,baselineasmanydevicesasyoucansoyoucanalsoidentifyanomalies
#RSAC
AndrewHoog
ThankYou
CEONowSecure@ahoog42
