The Security of MDM systems. Hack In Paris 2013 Sebastien Andrivet

Transcription

1 The Security of MDM systems Hack In Paris 2013 Sebastien Andrivet

2 Who am I? Sebastien Andrivet Switzerland (Geneva) Specialized in security Mobiles (ios, Android) Forensic Developer C++, x86 and ARM (Cyberfeminist & Hacktivist) 2

3 Agenda Smart devices, BYOD, COPE,... MDM typical features MDM market MDM & security - on paper MDM & security - findings 3

4 Smart devices 4

5 5

6 MDM, MAM,... MDM Mobile Device Management MAM Mobile Application Management MCM Mobile Content Management Etc. 6

7 MDM - Typical features Device inventory tracking Software inventory tracking Telephone expense management Device tracking Backup & restore Remote lock, wipe, etc App deployment Etc. 7

8 BYOD - COPE BYOD: Bring Your Own Device COPE: Corporate Owned, Personally Enabled Differences Costs Ownership Management 8

9 NOC, not NOC Some products use a central relay Network Operations Center - NOC Blackberry Good Technologies Some others are not MobileIron 9

10 Deployment On premise (virtual server) Appliance Cloud-based 10

11 MDM Market Source: Gartner (May 2013) 11

12 MobileIron Management of devices ios, Android, BlackBerry, Windows Phone,... Enterprise App Store Integration into Enterprise with API Exchange/Notes Proxy (Sentry) No NOC, on-premise or cloud Uses native apps (thin agent) 12

13 Good Management of devices ios, Android, Windows Phone,... Not BlackBerry Enterprise App Store Access to Exchange/Notes through Good Server NOC Uses its own apps (thick agent) s, calendar, contact 13

14 Security on Paper 14

15 CVE, exploit-db,... CVE Details Nothing Exploit-DB Only 1 entry for MobileIron (June 10, 2013) Open Security Research About Good hacking (read mails) A paper from isec Partners Some references about SCEP xcon 15

16 Switzerland 16

17 My Target Is it possible for an operator (MDM admin) to: Read / steal s Without authorization If yes, is it traceable? 17

18 In other terms Is it possible for an IT employee to steal information from its employer like s of the management, about clients,... and sell them to Germany, France, United States,... 18

19 My Tests These products are big It takes time to test then entirely So I focus only one some aspects Installation / Deployment Enrollment of devices Management interface 19

20 Timeframe First series of tests in Oct.-December 2012 Second series in June 2013 MDM MobileIron Good Both with Exchange On premise (virtual machines) 20

21 Good - Network self-service Good NOC your network MDM server Firewall No DMZ 21

22 MobileIron - Network MDM server Firewall 22

23 MobileIron - Network Internal LAN DMZ Internet Firewall Firewall MDM Exchange AD etc. tcp/ tcp/443 (https) tcp/443 (https) tcp/8080 tcp/9997 tcp/

24 Operating Systems MobileIron CentOS Good Windows Server

25 Processes Good runs as Administrator of the server No least privilege Not possible to change it MobileIron users tomcat, apache, mysql,... 25

26 Exchange MobileIron Exchange proxy (ActiveSync) Sentry Good You have to give to Good MDM almost all rights to Exchange mailboxes 26

27 Good & Mails You are not reading s Good Server did All you need to read s of someone is to enroll a new device (OTA) No need of user s password An MDM admin can do that See Open Security Research (April 2012) 27

28 Admin Interface MobileIron Important this was the state last year (Dec. 2012) 28

29 Admin Interface <Removed in this public version> 29

30 Retrieve Passwords in Clear Magic request action=getlocaluserlist&limit=20 Gives the password in clear of... your colleagues! My password Password of my colleague Mitigation: You have to be authenticated 30

31 Another magic request action=getldapconfigs Gives the password in clear of the LDAP (AD) account! Mitigation: You have to be authenticated 31

32 Cross-Site Scripting In various places <img src=1.gif onerror=alert( XSS_in_Name )> 32

33 Cross-Site Scripting <Removed in this public version> 33

34 Cross-Site Scripting Good They take anti-xss measures everywhere except in one place 34

35 Mitigation Good & MobileIron session cookies Secure HttpOnly So not so easy to steal (by XSS,...) MobileIron X-Frame-Options: SameOrigin 35

36 Cross-Site Request Forgery MobileIron Everywhere, no anti-csrf measures POST can be replaced by GET So very easy to use an image,... to trigger Good Everywhere, no anti-csrf measures But POSTs 36

37 Example - PoC #1 Remove iphone passcode When an ios device is enrolled (configuration profile), a MDM can remove the passcode over-the-air only MDM can do that (validated by certificates) Using CSRF vulnerabilities of MobileIron, I have developed an PoC to remove the passcode of a given iphone 37

38 Example - PoC #1 The PoC sends the following (using an <IMG> tag) action=unlockpassword&phone=[{%22devicei d%22%3a %23fb2acc3e-47c7-502a-8a80-8fd7dfd97a86% 22}] 23fb...86 is the UUID of the phone to unlock Of course, some social engineering (or XSS) is necessary 38

39 Example - PoC #2 Good By combining data leakage + XSS + CSRF, we were able to give admin rights to any user 39

40 Example - PoC #2 Contrary to MobileIron, CSRF with GET is not possible Use POST instead 40

41 Command Line MobileIron has also a command line interface A little like a router enable command for privileged actions May also be accessible from SSH or Telnet Depending of configuration 41

42 Remote Command Execution Not found by myself, but by prdelka Exploit-DB, June 10, 2013 Command show log uses less underneath and sudo Execute a shell command inside less with! or Executed as root This is patched now 42

43 Today These problems (XSS, CSRF, retrieve passwords in clear,...) have been fixed in latest versions of MobileIron Filtering and replacement to avoid XSS Not sure (hum...) it is correctly done but no time to investigate further Anti-CSRF tokens (per session) But some other problems remain... 43

44 Weak Encryption Both products are using AES, SHA, etc. They are FIPS-blah blah certified But what about keys... 44

45 MobileIron Local Users With MobileIron, administrators are local users Not possible to use LDAP (AD) users Stored in an XML file identityconfig.xml Password encrypted 45

46 MobileIron Local Users base-64 encoding AES encryption, with ECB PKCS#5 padding key... <actual passphrase not disclosed in this public version> This passphrase is derived with SHA-1, one time 46

47 PoC #3 Fix, identical key for all installations No salt, no iterations (1), no PBKDF2,... We have made a small java application to recover passwords from a given installation The same encryption is used for various information 47

48 User Accounts MobileIron stores accounts (smart devices users) in a MySQL database table mi_users Same hash, but not same encrypted password (sometimes). Are they using salt? 48

49 Keys No. It uses... 5 keys These keys are initialized at startup with fixed, hardcoded values To encrypt a password, one of those keys is chosen randomly To verify a password, each key is tried one by one... Same mechanism is used for other passwords 49

50 PoC #4 We have made a small Java application to recover passwords from a mysql database a MobileIron backup 50

51 But wait a minute...! Why MobileIron is storing those password? In particular for LDAP (external users)? Where are these passwords coming from? From self-service portal? From Sentry server (ActiveSync)? From NSA? From space? 51

52 They come from... From the smart device app during enrollment Password is transmitted and stored Save User Password Preferences Related to Exchange profiles MobileIron recommends to check Yes DO NOT DO THAT! 52

53 Agents on devices Practical Attacks against Mobile Device Management (MDM) BlackHat 2013, Lacoon Mobile Security How to break Good (and others) secure containers But I personally don t agree with them regarding ios 53

54 Agents on devices Auditing Enterprise Class Applications and Secure Containers on Android isec Partners, Dec Only Android Good & MobileIron Breaking encryption keys, defeating rooting detection,... 54

55 More... There are several more points MobileIron & ios keychain Good AES keys generation Jailbreak detection Etc. But time is limited Perhaps for another talk... 55

56 Conclusion Actual security of MDM solution very dependent of their configuration For ex. Save user password Very dependent of the deployment context Case by case Like any somehow complex system 56

57 Conclusion Security was not the priority of MDM sys At least during development Situation is improving But still vulnerable points like encryption Difficult to say that one product is safer than another Good is better programmed But Good NOC is a problem 57

58 Thank you! Follow me on Web site My 58