It’s a little late, but I’m only now catching up on some of the recent news. :-) With the BlackHat and DefCon conferences in Las Vegas recently completed, there was a flurry of security news over the last few months. Here is a brief run-down of some highlights I found, as they may affect the mobile computing world.
Slow patching puts Android users at further risk:
http://www.infoworld.com/t/mobile-security/slow-patching-puts-android-users-further-risk-198668
Take away: Android Beam (via NFC or Bluetooth) can be abused to make a nearby device open attacker-supplied content without the user’s consent, and mobile operators still ship down-level OS versions and apps, so fixes reach users slowly.
Tools released at Defcon can crack widely used PPTP encryption in under a day:
http://www.infoworld.com/d/security/tools-released-defcon-can-crack-widely-used-pptp-encryption-in-under-day-198882
Take away: the weak link is MS-CHAPv2, whose challenge/response reduces to a single DES key search (2^56) that the released tools complete in under a day. Stop using PPTP VPNs, which rely on MS-CHAPv2, and move to IPsec or OpenVPN. The same applies to WPA2 Enterprise when MS-CHAPv2 is used directly; inside PEAP or EAP-TTLS it is only protected as long as clients actually validate the RADIUS server’s certificate, so do not rely on MS-CHAPv2 alone for Wi-Fi authentication.
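To see why MS-CHAPv2 is the weak link, here is an added example (my own Go code, not part of the Defcon release or the chapcrack tool) that builds the NT-Response exactly as RFC 2759 specifies and then recovers the last two bytes of the NT hash using the same observation chapcrack relies on: the third DES key is only two bytes of hash plus five bytes of zero padding. The NT hash, the two challenges and the username are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"fmt"
)

// Constructed sample values, not captured traffic. The NT hash is
// MD4(UTF-16LE(password)); here it is the NT hash of the string "password".
var (
	sampleNTHash = [16]byte{
		0x88, 0x46, 0xf7, 0xea, 0xee, 0x8f, 0xb1, 0x17,
		0xad, 0x06, 0xbd, 0xd8, 0x30, 0xb7, 0x58, 0x6c,
	}
	peerChallenge = [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}
	authChallenge = [16]byte{0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf}
	userName      = "alice"
)

// challengeHash is RFC 2759 ChallengeHash(): the first 8 bytes of
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func challengeHash(peer, auth [16]byte, user string) [8]byte {
	h := sha1.New()
	h.Write(peer[:])
	h.Write(auth[:])
	h.Write([]byte(user))
	var out [8]byte
	copy(out[:], h.Sum(nil)[:8])
	return out
}

// desKey56 spreads a 7-byte key over 8 bytes so that the low bit of each
// byte is the DES parity position (ignored by DES), as RFC 2759 DesEncrypt() requires.
func desKey56(k7 []byte) []byte {
	k := []byte{
		k7[0],
		k7[0]<<7 | k7[1]>>1,
		k7[1]<<6 | k7[2]>>2,
		k7[2]<<5 | k7[3]>>3,
		k7[3]<<4 | k7[4]>>4,
		k7[4]<<3 | k7[5]>>5,
		k7[5]<<2 | k7[6]>>6,
		k7[6] << 1,
	}
	for i := range k {
		k[i] &^= 1
	}
	return k
}

// desBlock encrypts one 8-byte block in ECB mode under a 7-byte key.
func desBlock(key7, clear []byte) []byte {
	c, err := des.NewCipher(desKey56(key7))
	if err != nil {
		panic(err) // only possible with a wrong key length, which cannot happen here
	}
	out := make([]byte, 8)
	c.Encrypt(out, clear)
	return out
}

// ntResponse is RFC 2759 ChallengeResponse(): the 16-byte NT hash is zero-padded
// to 21 bytes and split into three 7-byte DES keys that each encrypt the same challenge.
func ntResponse(ntHash [16]byte, chal [8]byte) [24]byte {
	var z [21]byte
	copy(z[:], ntHash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		copy(resp[i*8:], desBlock(z[i*7:i*7+7], chal[:]))
	}
	return resp
}

// recoverTail brute-forces the third DES key. Its 7 bytes are NTHash[14:16]
// followed by the five zero padding bytes, so only 2^16 candidates exist and
// the last two bytes of the NT hash fall out of any captured exchange instantly.
func recoverTail(chal [8]byte, resp [24]byte) (tail [2]byte, ok bool) {
	key := make([]byte, 7) // bytes 2..6 stay zero, matching the padding
	for c := 0; c < 1<<16; c++ {
		key[0], key[1] = byte(c>>8), byte(c)
		if bytes.Equal(desBlock(key, chal[:]), resp[16:24]) {
			return [2]byte{key[0], key[1]}, true
		}
	}
	return tail, false
}

func main() {
	chal := challengeHash(peerChallenge, authChallenge, userName)
	resp := ntResponse(sampleNTHash, chal)
	fmt.Printf("NT-Response: %x\n", resp)
	tail, ok := recoverTail(chal, resp)
	fmt.Printf("recovered NTHash[14:16] = %x (found=%v, true value %x)\n", tail, ok, sampleNTHash[14:])
}
```

The remaining 14 bytes are where the "under a day" comes from: keys one and two are disjoint 7-byte halves of the hash that encrypt the same 8-byte challenge, so one pass over the 2^56 DES key space checks both blocks at once, and recovering the NT hash is enough to authenticate and to derive the MPPE session keys without ever learning the password.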
Inside how Google scans for Malware:
Slidedeck: https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Bouncerland_Slides.pdf
Whitepaper of their findings: https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf
Take away: the holes in Google Bouncer’s app verification, and what they imply for making your own internal or public applications more secure.
BTW, Google has now updated their Developer policy as of August 1st, 2012 (unknown if Trustwave helped push this along): http://play.google.com/about/developer-content-policy.html.
Google is now cracking down on spam, malware, and abusive SMS/email behaviour. Apps that are still not in compliance 30 days after the new policy took effect are subject to warning or immediate removal from Google Play. This is excellent news!
Devices scanned on Mobile Networks:
https://media.blackhat.com/bh-us-12/Briefings/Mulliner/BH_US_12_Milliner_Probing_Mobile_Operating_Slides.pdf
Takeaway: If deploying devices on a public mobile network, especially M2M devices, make sure they can be locked down in some fashion so they expose nothing to the rest of the network. Reminds me of the old modem war-dialing days. :-)
Advanced Android Exploitation with AFE (Android Framework for Exploitation):
http://toorcamp.org/content12/38
http://www.infoworld.com/t/mobile-security/android-malware-made-easy-modular-kit-199294
Takeaway: with kits like this, the Android platform could quickly become as infested with botnets as the Windows platform is today. Understand how the malware works and secure against it.
Apple iOS SMS Security Vulnerability
http://www.pod2g.org/2012/08/never-trust-sms-ios-text-spoofing.html
Takeaway: be careful about taking basic communications for granted; SMS spoofing exists on every platform. Apple’s response was that iMessage, unlike SMS, verifies addresses.
Marco..
A component that most Mobile Device Management (MDM) products use today is the Simple Certificate Enrollment Protocol (SCEP). Originally designed by Cisco and VeriSign in the early 2000s, its adoption was propelled by Apple’s use of it for iOS 4 device enrollment in 2010. The protocol was designed to make issuing certificates (and distributing CRLs) to large numbers of devices as scalable as possible, which is exactly why its use in MDM solutions for the growing BYOD footprint deserves scrutiny.
Vulnerability Details
US Computer Emergency Readiness Team (US-CERT) released this Vulnerability Note #971035 on June 27th: http://www.kb.cert.org/vuls/id/971035
It stated: “An attacker could elevate their permissions by requesting a certificate of a different, possibly higher privileged user that would allow them to access resources that they would not otherwise be able to access.”
Certified Security Solutions (CSS) is credited with reporting the vulnerability, and more exact details are documented in their 8-page whitepaper here: http://www.css-security.com/wp-content/uploads/2012/05/SCEP-and-Untrusted-Devices.pdf
A 12 minute video demoing the vulnerability and security overview is available here: http://www.css-security.com/scep/
Product Concerns
Mark Diodati from Gartner has pointed out that the following vendors have modified or proxied their SCEP enrollment process so that the distinguished name in the request is validated against the enrolling identity, protecting against this vulnerability:
AirWatch, Good Technology, Fiberlink, MobileIron, and Zenprise
The same can also be said about Silverback MDM, and probably several other vendors. If you are concerned, ping your vendor and get more details.
But as Ted Shorter from CSS also points out in his blog article, even if the products you use are not directly affected, it is important to look at the full solution, how it is implemented, and what residual risk remains.
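What the vendor-side fix amounts to, as an added example (my own Go code, not any of the named products’ implementations): an enrollment proxy that binds each one-time challenge to a single identity and refuses to forward a CSR whose subject or SANs claim anything else. A bare SCEP CA only checks the challenge password and then signs whatever subject the CSR names, which is the elevation the US-CERT note describes. The enrollment table, challenge strings and identities are constructed; a real proxy would read the challenge from the CSR’s challengePassword attribute, which this example takes as a separate argument instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// enrollment is what the MDM recorded when it handed a one-time SCEP challenge
// to a managed device: the only identity the resulting certificate may carry.
// The struct and its field names are this example's own.
type enrollment struct {
	subjectCN string   // the device the certificate is for
	emails    []string // the only rfc822Name SANs allowed in the request
}

// Constructed enrollment table keyed by challenge password (hypothetical values).
var enrollments = map[string]enrollment{
	"ch-7f3a9c": {subjectCN: "device-0042", emails: []string{"alice@example.com"}},
}

// makeCSR stands in for a device building its PKCS#10 request with a fresh key.
// Any caller can put any subject in here; that is the whole problem.
func makeCSR(cn string, emails []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: cn},
		EmailAddresses: emails,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// authorizeCSR is the check the proxy runs before forwarding a request to the CA.
// It returns nil only when the CSR is well formed, proves possession of its key,
// and names exactly the identity the challenge was issued for. The challenge is
// consumed on success so it cannot be replayed for a second certificate.
func authorizeCSR(challenge string, csrDER []byte) error {
	e, ok := enrollments[challenge]
	if !ok {
		return errors.New("unknown or already consumed challenge")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName != e.subjectCN {
		return fmt.Errorf("subject CN %q is not bound to this challenge (expected %q)",
			csr.Subject.CommonName, e.subjectCN)
	}
	allowed := make(map[string]bool, len(e.emails))
	for _, m := range e.emails {
		allowed[m] = true
	}
	for _, m := range csr.EmailAddresses {
		if !allowed[m] {
			return fmt.Errorf("SAN %q is not bound to this challenge", m)
		}
	}
	// No other SAN types are issued through this path, so their presence means
	// the requester is trying to claim an identity the MDM never bound.
	if len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.URIs) > 0 {
		return errors.New("unexpected SAN types in request")
	}
	delete(enrollments, challenge) // one-time challenge: consume only on success
	return nil
}

func main() {
	rogue, err := makeCSR("device-0042", []string{"alice@example.com", "ciso@example.com"})
	if err != nil {
		panic(err)
	}
	legit, err := makeCSR("device-0042", []string{"alice@example.com"})
	if err != nil {
		panic(err)
	}
	fmt.Println("rogue CSR:       ", authorizeCSR("ch-7f3a9c", rogue))
	fmt.Println("legitimate CSR:  ", authorizeCSR("ch-7f3a9c", legit))
	fmt.Println("replayed CSR:    ", authorizeCSR("ch-7f3a9c", legit))
}
```

The point of doing this in the MDM rather than at the CA is that only the MDM knows which user or device a given challenge was handed to; the CA sees a valid challenge and a CSR and has nothing to compare the subject against.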
The Future
As the US-CERT posting highlights, the IETF draft for SCEP has, since March 2011, also pointed to other solutions such as the Certificate Management Protocol (CMP) [RFC4210] and Certificate Management over CMS (CMC) [RFC5272], which offer more comprehensive functionality, and states that “implementers are encouraged to support one of these comprehensive standards track certificate management protocols in addition to the protocol defined in this specification”.
As the market matures further with Mobile Device Management (MDM) and Enterprise Mobility Management (EMM), I would suspect an increase in functionality and in the use of newer security standards and processes. With all the MDM products on the market, the top players continue to add features they hope will set them apart.
Marco..