Trust Digital Best Practices

Transcription

1 > ARMING IT AGAINST SMARTPHONE THREATS Trust Digital Best Practices April 2009 The information contained herein is subject to change at any time, and Trust Digital makes no warranties, either express or implied, with the respect to this documentation and disclaims all implied warranties of merchantability and fitness for a particular purpose. Trust Digital, the Trust Digital logo, are trademarks or registered trademarks of Trust Digital, Inc. All other trademarks are the property of their respective holders Trust Digital. All rights reserved.

2 TABLE OF CONTENTS Introduction Smartphone Convergence SMS As An Attack Vector Business Card Attacks Lost Device Attack The Security Fix Deploying the Fix Conclusion Trust Digital. All rights reserved. 2

3 Introduction In the last decade, mobile devices have evolved from basic cell phones to Internet connected devices accessing Web applications and VPNs via the enterprise network. As such, users have come to depend on these devices to facilitate work and play. Enticed by the latest and coolest smartphones like the Apple iphone and Google Android, employees have begun using these devices for work unbeknownst to corporate IT. This employee independence is creating security angst for IT organizations responsible for the data contained on that phone. The growing number of smartphones being used at work represents an opportunity for corporate spies since smartphones are typically the weak link in IT security policies. Most organizations fail to take precautions to secure smartphones and therefore cannot track or manage which devices are hooked up to the network. Attacks via short message service (SMS) are a prime example of how a hacker may exploit this weak link. Although consumers think of SMS as simply just text messaging for cell phones, SMS is actually a far richer protocol. This white paper discusses SMS security threats, describes some easy to duplicate attacks on smartphones, and suggests approaches to both recognize and mitigate SMS threats. Smartphone Convergence Smartphones offer a number of ways to connect to a network, including USB, infrared and WiFi. Hackers can use these capabilities in a variety of malicious ways including: injecting viruses and malware, creating denial of service attacks against the enterprise, stealing employee s data ( s, contacts, text messages and proprietary files) and eavesdropping on employee conversations. USB Attacks Protocol Stack Attacks Cell Tower Server GPS IrDA Internet IrDA/Bluetooth Attacks Installing Malware 2009 Trust Digital. All rights reserved. 3

4 While WiFi, USB and browser based vulnerabilities are shared with laptops, other security holes that affect the network protocol stack or employ SMS messages are unique to the cellular capabilities of the smartphone. So, what is IT to do? The remainder of this paper will explain how hackers can exploit SMS messaging and how IT can counter the hacker using an enterprise mobility management (EMM) platform. SMS As An Attack Vector Approximately seven billion SMS text messages are exchanged daily worldwide according to GSM-World reports. The SMS protocol can deliver rich data, control messages and applications to devices that control usability and change security policies. As a result, the SMS protocol can be used as an attack mechanism to send a message that is device or SIM card specific. Typically all that is needed is a phone number, which is easily gleaned from a business card or signature. The following scenarios will detail how SMS messages can be used to compromise a smartphone. Business Card Attacks The Business Card attack can be performed by the hacker without any knowledge of the intended victim other than their mobile phone number. To exploit the Business Card attack, the hacker sends a series of SMS messages to the phone. These messages are known as control messages. Control messages instruct the phone to act on the SMS instead of displaying it as a text message. These control messages can download applications to the phone, collect and forward data from the phone, force the phone to visit a website or change phone configurations. This gives the hacker control over the phone and access to the data on the phone. Much like viruses found on laptops today, the attack can happen silently and is highly targeted. It gives a hacker access to a device that otherwise may be under careful control. THE HACKER S TOOLKIT Laptop with WiFi connectivity to the Internet Tools available on the Internet Smartphone Mobile number of victim The Business Card attack can be separated into three different attacks. The first attack utilizes a wireless application protocol (WAP) PUSH message. WAP PUSH messages have the ability to redirect a device to a website to download an application which is then installed on the targeted device. The application accesses information such as contact lists, text messages and s and sends it back via SMS or . The second attack involves sending the device an SMS control message that causes the phone to silently change configuration. This attack can be used for multiple purposes, for example it can expose user information by turning off 2009 Trust Digital. All rights reserved. 4

5 security settings for transmission such as SSL or it can render the data capabilities of the device useless by remotely wiping the device. The third attack is a Denial of Service attack. A denial of service attack sends multiple control SMS messages to the targeted device making the device slow and ultimately rendering it useless with no indication as to the cause of these issues. The Business Card attack is easy to understand and simple to perform even for a non-expert hacker. Free software is available and can be downloaded directly from the Web to help create these SMS control messages. The hacker uses his/her own phone to send the messages. Lost Device Attack In our second scenario, the hacker targets a lost or stolen smartphone. Like the Business Card attack, the Lost Device attack works even if the phone is locked with a PIN or password screen, since the hacker can push an application via SMS that unlocks the device. Once unlocked, the hacker has full control of the device and can access any information on the device or use the device to access corporate resources. The Security Fix The security fix for SMS attacks is to deploy a software file that blocks control messages on the affected smartphones. In effect, this fix only permits the smartphone to receive SMS text messages and prevents silent attacks. The Trust Digital EMM platform for smartphones blends security and device management into a single solution, providing IT with the facilities and tools needed to effectively counter SMS attacks and other smartphone security threats. Trust Digital EMM is a Web Services platform that provides robust support across a diverse set of handheld mobile devices and includes: A self-service portal allowing end-users to load security software and policies on personal devices A flexible device agent enabling IT to secure and manage a wide variety of device platforms including Windows Mobile, Symbian and iphone Policy-controlled security for protecting against hacker access and device loss A centralized management console with integrated help desk capabilities for simplifying policy implementation and user support A compliance management and reporting facility to ensure users adhere to IT policy 2009 Trust Digital. All rights reserved. 5

6 Arming IT Against Smartphone Threats Deploying the Fix To deploy the security fix to affected users, IT can run asset management reports to identify users that may own an affected smartphone. The granular software distribution facilities of the Trust Digital EMM platform can deploy the needed software according to a criteria that includes: carrier, user group, device or operating system. In our SMS example, IT would use the EMM platform to push the needed CAB file to those users of affected smartphones. For ongoing support and reassurance, compliance reporting and enforcement ensures the CAB file remains in place and alerts IT if a device is not compliant. Group Based Policies & Software SQL AD Executives Single Console for Centralized Control TD_Centralized_Control_Dia_ Conclusion Unlike laptops, smartphones converge voice and data, creating new security challenges for IT. Hackers are increasingly focused on corporate espionage and the smartphone is a ripe target. Frequently ignored by IT, smartphones are often the weak link in enterprise security strategies. New threats, such as Business Card attacks will continue to appear and evolve. Trust Digital EMM arms IT with a sophisticated device management facility that quickly delivers security solutions on an individual or group basis to tactically counter hackers as they employ new methods to penetrate the enterprise Trust Digital. All rights reserved. 6

7 Trust Digital is the leading provider of enterprise mobility management software for government organizations and Global 2000 companies. IT organizations rely on Trust Digital s solution to cost-effectively secure, rapidly deploy and centrally manage their smartphones. Trust Digital s unique software-overlay methodology simplifies how IT administrators and help desk specialists implement policies, assist users and enforce compliance for mobile applications. Trust Digital is the trusted mobility company. For more information, please visit our website, Trust Digital 1760 Old Meadow Road, Suite 550 McLean, VA Toll Free info@trustdigital.com 2009 Trust Digital. All rights reserved.