
A Comprehensive Guide to Mobile Targeted Attacks
(and What You Can Do About It)
Ohad Bobrov, CTO
[email protected]
twitter.com/LacoonSecurity
Agenda
• The collapse of the perimeter
• Why mobile devices are targeted
• Mobile Remote Access Trojans (mRATs)
• Demo
• Infection vectors
• Detection, remediation, and building a secure BYOD / HYOD architecture
About Lacoon Mobile Security
• Protecting organizations from mobile threats
• HQ SF, USA. R&D Israel
• Cutting edge mobile security research team
• Protecting tier-1 financial, manufacturing, legal and defense organizations
The Collapse Of The Corporate Perimeter
After 2011: TARGETED MOBILE THREATS
Why Hack a Mobile Device?
• Snooping on corporate emails and application data
• Infiltrating internal LANs
• Eavesdropping
• Extracting contact lists, call & text logs
• Tracking location
The Mobile Threatscape
(axes: Business Impact vs. Complexity)
• mRATs / Spyphones: Targeted (personal, organization); cyber espionage
• Mobile Malware Apps: Consumer-oriented, mass; financially motivated, e.g. premium SMS, fraudulent charges, botnets
The Mobile Threatscape: mRATs / Spyphones
• High end: Government / military grade
• Mid range: Cybercrime toolkits
• Low end: Commercial surveillance toolkits
HIGH END: GOV / MIL mRATs
FinSpy – Mobile
Extracted from: http://wikileaks.org/spyfiles/docs/gamma/291_remote-monitoring-and-infection-solutions-finspy-mobile.html
MID: CYBERCRIME TOOLKITS
Recent High-Profiled Examples
LOWER END: COMMERCIAL SURVEILLANCE TOOLKITS
Commercial Mobile Surveillance Tool (Spyphone)
Commercial Mobile Surveillance Tools: A Comparison
Varying Costs, Similar Results

Capability                            FlexiSpy    AndroRAT    FinFisher
Real-time listening to phone calls    +           +           +
Surround recording                    +           +           +
Location tracking (GPS)               +           +           +
Retrieval of text                     +           +           +
Retrieval of emails                   +           +           +
Invisible to the user                 +           +           +
SMS C&C fallback                      +           +           +
Infection vector                      Physical    Repackage   Exploit?
Cost                                  $279        Free        €287,000
Activation screen                     +           -           -
STATISTICS
Survey: Cellular Network 2M Subscribers
Sampling: 650K
Data sample:
• 1 GB traffic sample of spyphone targeted traffic, collected over a 2-day period
• Collected from a channel serving ~650K subscribers
• Traffic constrained to communications to selected malicious IP addresses
Communications:
• Traffic included both encrypted and non-encrypted content
Infection rates (June 2013): 1 / 1000 devices
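The survey method on these slides (carrier-side traffic restricted to communications with known malicious IP addresses, counted per subscriber, with both encrypted and non-encrypted flows included) can be reproduced on a small scale. The script below is an added example, not code from the Lacoon deck; the indicator list, subscriber IDs and flow records are all constructed (TEST-NET addresses stand in for the survey's undisclosed C&C addresses), and the port-based encrypted/plaintext split is an assumption for illustration only.

```python
"""Estimate a spyphone infection rate from carrier-side flow records.

Added example modelled on the survey described in the slides. Every
value below is constructed: the C&C indicator set uses RFC 5737
TEST-NET addresses as placeholders, and the flow lines are synthetic.
"""
from collections import defaultdict

# Constructed indicator set (placeholders, not the survey's real list).
KNOWN_CNC_IPS = {"203.0.113.10", "198.51.100.77"}

# Constructed flow export: "subscriber_id dst_ip dst_port proto bytes".
# One malformed line is included to show the parser tolerating it.
SAMPLE_FLOWS = """\
sub-0001 203.0.113.10 443 tcp 8120
sub-0001 203.0.113.10 443 tcp 1290
sub-0002 93.184.216.34 443 tcp 5500
sub-0003 198.51.100.77 80 tcp 740
sub-0004 93.184.216.34 80 tcp 300
sub-0003 198.51.100.77 80 tcp 910
sub-0005 203.0.113.10 8080 tcp 220
this line is malformed
"""

# Assumption for the example: treat 443 as encrypted, anything else as
# plaintext. Matching is on destination IP, so encryption does not hide
# the flow from this method (as the slides note, both kinds were counted).
ENCRYPTED_PORTS = {443}


def parse_flows(text):
    """Parse whitespace-separated flow lines; skip lines that do not fit."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # a production pipeline would log the bad line
        sub, dst, port, proto, nbytes = parts
        try:
            flows.append({"sub": sub, "dst": dst, "port": int(port),
                          "proto": proto, "bytes": int(nbytes)})
        except ValueError:
            continue
    return flows


def infected_subscribers(flows, indicators):
    """Return per-subscriber evidence for flows to any indicator address."""
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0,
                                "encrypted": 0, "plaintext": 0})
    for f in flows:
        if f["dst"] not in indicators:
            continue
        h = hits[f["sub"]]
        h["flows"] += 1
        h["bytes"] += f["bytes"]
        if f["port"] in ENCRYPTED_PORTS:
            h["encrypted"] += 1
        else:
            h["plaintext"] += 1
    return dict(hits)


def infection_rate_per_1000(hits, sampled_subscribers):
    """Distinct subscribers with C&C contact, normalised per 1000 sampled."""
    if sampled_subscribers <= 0:
        raise ValueError("sampled_subscribers must be positive")
    return 1000.0 * len(hits) / sampled_subscribers


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    hits = infected_subscribers(flows, KNOWN_CNC_IPS)
    for sub, h in sorted(hits.items()):
        print(sub, h)
    # Constructed sample: 5 subscribers seen, 3 contacted a C&C address.
    # Pretend the channel served 3000 subscribers to get a per-1000 figure.
    print("rate per 1000:", infection_rate_per_1000(hits, 3000))
```

The point of the destination-IP filter is that it works whether or not the C&C traffic is encrypted; what it cannot do is tell an infected device from a researcher or scanner talking to the same address, so in practice the indicator list needs to be curated and the counts read as an upper bound.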
DEMO
INFECTION VECTORS
Infection Vectors - Android
Current Security Status
Current Solutions – FAIL to Protect
Mitigation: Current Controls
Mobile Device Management (MDM)
Multi-Persona
Wrapper
Active Sync
NAC
Detection: Adding Behavior-based Risk
• Malware Analysis
• Threat Intelligence
• Application Behavioral Analysis
• Device Behavioral Analysis
• Vulnerability Research
• Vulnerability Assessment
Lacoon Solution
Thank You.
Ohad Bobrov, CTO
Lacoon Security Inc.
[email protected]
twitter.com/LacoonSecurity