16. Mobile Devices – Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations

© Morey J. Haber 2020
M. J. Haber, Privileged Attack Vectors, https://doi.org/10.1007/978-1-4842-5914-6_16

16. Mobile Devices

Morey J. Haber
Heathrow, FL, USA

Mobile devices represent a unique attack vector for a threat actor. They have accounts and credentials, but no role-based access, and there are generally only two permission levels: user and root. In addition, root is generally not available to the end user, and there is only one account, with a single owner and identity, operating the device. These are simple facts regarding mobile device design. To aid in this discussion, a mobile device is defined as a handheld computer with a touchscreen interface and optional physical buttons that connects to the Internet or to other computing devices via wireless protocols. These are typically smartphones and tablets and, by this definition, rarely include laptops or notebooks unless they are handheld in size.

For a successful attack to occur, a threat actor needs to compromise the operating system, gain access to the root account, and inappropriately leverage the device. This can be achieved through malware, jailbreak, or an exploit. The delivery of the malicious payload exceeds the scope of this book, but it can be anything from juice jacking to malicious software in a vendor’s application store. The goal of the threat actor is to leverage the device to do the following:
  • Egress information from the device considered personally identifiable or organizationally sensitive.

  • Enable surveillance via GPS, camera, or audio.

  • Leverage the device using lateral movement to attack other corporate, home, public, or roaming assets.

  • Establish a persistent presence for new or ongoing advanced persistent attacks.

The threat actor’s goal is the same regardless of whether the target is a traditional corporate asset, a mobile device, or another Internet of Things (IoT) device. Once privileged access is obtained, the offense by a threat actor is the same. However, the defense is completely different since there is no role-based access, access to root is restricted unless an exploit or jailbreak occurs, and protection in the form of traditional antivirus (an agent that can inspect other applications’ files and memory) is not permitted on some platforms (Apple iOS). Therefore, the best defense is to adapt to the security models that are permitted:
  • For businesses using mobile devices in a bring your own device (BYOD) or organizationally supplied model, utilize a mobile device manager (MDM) to provide application and data segmentation. This will allow the organization to enforce acceptable use policies and even block (uninstall) potentially malicious applications that could compromise the device. Most MDM solutions can also detect a jailbroken or rooted device and quarantine it or block its access to corporate resources, so that an attacker who does obtain root gains nothing from the organization.

  • For non-Apple devices, there are a plethora of security solutions that can scan for malware, inappropriate permissions, and even poor configurations (like USB debugging) that could be used to compromise the device. Many of these agents are available in the platform’s application marketplace, and others are supplied by MDM solutions and traditional antivirus vendors. It is recommended that they be utilized to identify risks and mitigate any platform-specific threats for that mobile device.

  • Whenever possible, mobile devices should not have direct access to the data center and sensitive systems. Their connections should be proxied or routed through a jump host for remote access. Virtual desktops and remote applications are ideal for mobile device segmentation: they restrict access, enforce multi-factor authentication, and prevent lateral movement. A privileged password management solution can also broker these additional connections on the user’s behalf, and session monitoring can record them so that any access from a roaming device can be reviewed for appropriateness.

Mobile devices have provided the world with a vehicle to always stay connected. For a threat actor, they present a way to breach the perimeter of an organization, even when the asset is not in the office. Gaining privileged (root) access to these devices is not as critical to the attacker, and, as such, these devices just do not have the same robust privilege-security models as traditional information technology resources. A mobile device leveraged merely as a foothold may be good enough for an exploit or malware to eventually inflict the same amount of damage as root would.

So, how can a threat actor gain the non-root access needed to commit these crimes? It is easier than you think, and the security models for mobile devices are riddled with blatant flaws. Consider these potential scenarios:
  • The installation of new software from a trusted marketplace can contain malware. Marketplace operators can only provide so much screening for applications, and, repeatedly, malware has bypassed detection and been published. This is either intentional on the part of the application’s publisher or a consequence of a flaw in the publisher’s supply chain (a compromised build tool or third-party software development kit, for example) that allowed the insertion of malware before the application was published.

  • Some applications utilize their own auto-update or download mechanisms to retrieve supporting data or additional binaries. A successful man-in-the-middle (MitM) attack can intercept these updates and replace the contents with malicious code. While this may sound a little farfetched, simple DNS spoofing is all that is needed to redirect this traffic on a compromised Wi-Fi network, provided the application fetches its updates over plain HTTP or fails to validate the server’s TLS certificate; an application that validates (or pins) the certificate and verifies a vendor signature on the update itself is not fooled by a redirect alone.

  • Biometrics have become the primary mechanism for authentication and authorization on mobile devices, and they frequently unlock third-party application credentials as well. A compromise of biometrics not only provides device access, but it can also provide access to applications like banking or other applications dependent on two-factor authentication. Relying on biometrics alone for authentication is just a bad idea. Once a biometric data point is compromised, it is forever exposed and puts its owner at risk. Biometrics should only be applied as one factor of multi-factor authentication: base credentials such as passwords and PINs can always be changed, while a biometric cannot be, and it only proves your identity electronically. Unfortunately, many mobile device manufacturers are blurring this line and have ignored security best practices by making biometrics the only form of identification required to access a device during normal operations. This is gambling on the strength of their biometric security module, and time will tell whether the designs will be robust enough to stop modern threats. To date, they have not been.

  • Mobile devices (outside of Qi wireless charging) require a corded connection for battery recharging, typically on a daily basis. They also have various bidirectional communication systems, from NFC to Bluetooth and Wi-Fi. The flaw is that there are minimal controls around remote exploitation of these communication paths. Threats range from USB chargers carrying malware (juice jacking) to man-in-the-middle attacks that compromise Wi-Fi communications. These are security flaws inherent in the nature of mobile devices, and they represent a high risk with no real resolution outside of locking devices down to known, trusted sources for charging. Modern versions of both major platforms default to charge-only USB connections and prompt the user before trusting a connected host for data access, so training users to refuse that prompt on an unknown charger is part of that lockdown. Basically, all mobile devices are at risk if plugged into a malicious charging source.

  • For Android devices only, operating system and hardware fragmentation represent unique security challenges per operating system version and device. The scope of the problem well exceeds the confines of this section, and, in many cases, a flaw on one Android device may not be present on another, nor may the manufacturer choose to remediate the flaw. For businesses allowing Android devices, whether BYOD or corporate-purchased, minimum (or specific) operating system versions and approved vendors should be considered (e.g., consider the US government ban on Huawei devices). Not all manufacturers maintain the same service level agreement (SLA) for supplying patches, and the security patch level a device reports is the simplest measure of how well its vendor is keeping up. Some manufacturers have been known to supply purpose-built backdoors in their own devices for targeted updates and monitoring, neither of which may be acceptable to a business with sensitive operations.
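The update-hijacking scenario above (the second bullet) is defeated when the application fetches updates over TLS with certificate validation and, independently of the transport, verifies a vendor signature over what it downloaded before installing it. The following is an added example, not code from the book or from any vendor: it models a hypothetical vendor signing an update manifest (version plus SHA-256 of the payload) with Ed25519, and the client-side check that rejects a payload or manifest swapped by a man-in-the-middle. The manifest format, the key handling, and the sample payload bytes are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed update descriptor published next to the
// update payload. Only the fields needed for the check are modelled.
type Manifest struct {
	Version string
	SHA256  string // hex SHA-256 of the payload bytes
}

// canonical returns the exact bytes that are signed and later verified.
func canonical(m Manifest) []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// SignManifest runs in the vendor's build pipeline; the private key never ships in the app.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, canonical(m))
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("payload hash does not match signed manifest")
)

// VerifyUpdate is the client-side check to run before installing or executing a
// downloaded payload. pub is pinned in the application bundle, so a MitM who can
// redirect the download cannot produce a valid signature.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// RunScenario plays vendor and client with a constructed payload and returns the
// verification results for a clean download, a swapped payload, and a swapped
// payload plus a rewritten (unsigned) manifest.
func RunScenario() (clean, swappedPayload, swappedManifest error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	payload := []byte("constructed sample: legitimate update v2.1")
	sum := sha256.Sum256(payload)
	m := Manifest{Version: "2.1", SHA256: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)

	// Untampered download: signature and hash both check out.
	clean = VerifyUpdate(pub, m, sig, payload)

	// MitM replaces the payload but leaves the signed manifest alone.
	evil := []byte("constructed sample: malware masquerading as v2.1")
	swappedPayload = VerifyUpdate(pub, m, sig, evil)

	// MitM also rewrites the manifest to match the evil hash; without the
	// private key the old signature no longer verifies.
	evilSum := sha256.Sum256(evil)
	m2 := Manifest{Version: "2.1", SHA256: hex.EncodeToString(evilSum[:])}
	swappedManifest = VerifyUpdate(pub, m2, sig, evil)
	return clean, swappedPayload, swappedManifest
}

func main() {
	clean, p, m := RunScenario()
	fmt.Println("clean download:  ", clean)
	fmt.Println("swapped payload: ", p)
	fmt.Println("swapped manifest:", m)
}
```

In a real client the manifest would also carry a version that is compared against the installed one (so a MitM cannot replay an old, signed, vulnerable release), and the check would be applied to every file the application pulls at run time, not only to binaries.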

Despite these flaws, there exist strategies and technologies to mitigate these risks. For example:
  • Never use biometrics for both device access and sensitive applications on a mobile device. Implementing this policy is good practice to ensure the privileges of one system (biometric device access) cannot be used against another (the application). In effect, using one biometric everywhere is credential reuse, the biometric equivalent of password reuse, and a perfect reason to implement multi-factor authentication to safeguard the credentials and biometrics used on the device.

  • Using MDM technology ensures that your organization can lock down BYOD devices to trusted networks and disable features like USB debugging mode that can make them susceptible to USB charging attacks (juice jacking).

  • Decide on what you can support and what you cannot. BYOD does not mean every device an employee may own can be connected to the corporate network, even if your MDM can support it. Having a finite list of manufacturers, a limit on the number of connected devices per user, and a minimum set of operating system versions will help mitigate risks, especially from outlier threats.
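The device-posture checks this chapter calls for (scanning for poor configurations such as USB debugging, enforcing minimum operating system versions and a finite manufacturer list, and judging a vendor’s patch SLA by the security patch level the device reports) can all be implemented against the output of `adb shell getprop`. The following is an added example, not code from the book or from any MDM product: it parses constructed getprop output and applies a hypothetical policy, returning one finding per violated rule. The property names are standard Android system properties; the policy thresholds, the approved-vendor list, the "AcmePhone" manufacturer and the sample device are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Policy is a hypothetical organization's acceptance criteria (illustrative values).
type Policy struct {
	MinMajorRelease      int       // e.g. 11 means Android 11 or newer
	MaxPatchAgeDays      int       // fail if the security patch level is older than this
	AllowedManufacturers []string  // finite vendor list, compared case-insensitively
	Now                  time.Time // injected so the check is deterministic and testable
}

// ParseGetprop turns `adb shell getprop` output ("[key]: [value]" per line) into a map.
func ParseGetprop(out string) map[string]string {
	props := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		sep := strings.Index(line, "]: [")
		if !strings.HasPrefix(line, "[") || sep < 0 || !strings.HasSuffix(line, "]") {
			continue
		}
		props[line[1:sep]] = line[sep+4 : len(line)-1]
	}
	return props
}

// Assess returns one finding per violated rule; an empty result means the device passes.
// adbEnabled is the output of `adb shell settings get global adb_enabled` ("1" when on).
func Assess(p Policy, props map[string]string, adbEnabled string) []string {
	var findings []string
	add := func(f string) { findings = append(findings, f) }
	// Root and non-production build indicators.
	if props["ro.debuggable"] == "1" {
		add("debuggable build (ro.debuggable=1)")
	}
	if props["ro.secure"] == "0" {
		add("adbd runs as root (ro.secure=0)")
	}
	if strings.Contains(props["ro.build.tags"], "test-keys") {
		add("system image signed with test-keys")
	}
	if props["ro.boot.verifiedbootstate"] == "orange" {
		add("bootloader unlocked (verifiedbootstate=orange)")
	}
	// USB debugging lets a malicious host (a tampered charger) talk to the device.
	if strings.TrimSpace(adbEnabled) == "1" {
		add("USB debugging enabled (adb_enabled=1)")
	}
	// Minimum operating system version.
	rel := props["ro.build.version.release"]
	if major, err := strconv.Atoi(strings.SplitN(rel, ".", 2)[0]); err != nil || major < p.MinMajorRelease {
		add(fmt.Sprintf("OS release %q below minimum Android %d", rel, p.MinMajorRelease))
	}
	// Security patch level age: vendors with a poor patch SLA fail here.
	spl := props["ro.build.version.security_patch"]
	if t, err := time.Parse("2006-01-02", spl); err != nil || p.Now.Sub(t) > time.Duration(p.MaxPatchAgeDays)*24*time.Hour {
		add(fmt.Sprintf("security patch level %q older than %d days", spl, p.MaxPatchAgeDays))
	}
	// Finite list of approved manufacturers.
	vendor := props["ro.product.manufacturer"]
	approved := false
	for _, m := range p.AllowedManufacturers {
		approved = approved || strings.EqualFold(m, vendor)
	}
	if !approved {
		add("manufacturer not on the approved list: " + vendor)
	}
	return findings
}

// SampleRooted is constructed getprop output for a rooted, out-of-date device from an
// unapproved vendor; it was not captured from a real phone.
const SampleRooted = `[ro.boot.verifiedbootstate]: [orange]
[ro.build.tags]: [test-keys]
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-08-05]
[ro.debuggable]: [1]
[ro.product.manufacturer]: [AcmePhone]
[ro.secure]: [0]`

func ExamplePolicy() Policy {
	return Policy{
		MinMajorRelease:      11,
		MaxPatchAgeDays:      90,
		AllowedManufacturers: []string{"Google", "Samsung"},
		Now:                  time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC),
	}
}

func main() {
	for _, f := range Assess(ExamplePolicy(), ParseGetprop(SampleRooted), "1") {
		fmt.Println("FAIL:", f)
	}
}
```

Every value here is self-reported by the device, and a rooted device can lie about its own properties, so an agent-based check like this should be treated as a first filter and backed by the platform’s hardware-backed attestation before a device is trusted with corporate data.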