Security and the Smartphone Revolution
About the Speaker
Joseph Granneman, MBA, CISSP
Joseph Granneman has developed a passion and expertise in information security in his 20 years of experience as a CIO, CTO and CSO of hospitals and clinics in the Chicago region. His passion drove him to be an independent author, presenter and professor in the health care information technology and information security fields. He has been frequently consulted by the media and interviewed on various health care information technology and security topics. He has also been a member of many information security standards groups, including identifying security vulnerabilities in HIEs as part of the Health Information Security and Privacy Security Working Group for Illinois. He was also a volunteer for the Certification Commission for Health Information Technology (CCHIT) Security Working Group, which developed the information security standards for ARRA certification of electronic medical records. He also continues to be involved in the FBI InfraGard program.
PUTTING MOBILE IN PERSPECTIVE
August 12, 1981
PC Growth
  April 2002: 1 billion PCs shipped*
  2007: 2 billion PCs shipped**
  *Gartner Dataquest statistics  **Forrester Research
PC Growth
  Over 1 billion PCs in use today**
  2 billion PCs in use by 2015**
  *Gartner Dataquest statistics  **Forrester Research
PC Growth
  27 years to reach the first billion PCs in use.**
  Only 7 more years to reach 2 billion PCs in use.**
  *Gartner Dataquest statistics  **Forrester Research
June 29, 2007
October 22, 2008
By the numbers
  2 billion mobile devices in use by 2015
  PC shipments decline by 10.6% in 2013
  Tablet shipments increase by 67.9%
  Source: Gartner (June 2013)
By the numbers
Worldwide Device Shipments by Segment (Thousands of Units)
  Device Type      2012        2013        2014
  PC               341,273     305,178     289,239
  Ultramobile      9,787       20,301      39,824
  Tablet           120,203     201,825     276,178
  Mobile Phone     1,746,177   1,821,193   1,901,188
  Total            2,217,440   2,348,497   2,506,429
  Source: Gartner (June 2013)
OUR COMPUTING MODEL HAS FUNDAMENTALLY CHANGED
New Capabilities
  Fingerprint scanner, Heart rate, Relative humidity, Environment temperature, Barometer, NFC, Accelerometer, Magnetic field, Light flux, Battery temperature, GPS, Proximity, RGB ambient light, Gyroscope
New Use Cases
  Always connected, User proximity, Personalized services, Fitness, Banking, Healthcare, Travel, Shopping, Mobile payments
Health Care Perspective
  Providers: Access EMR, Hospital rounding, Coding, Schedule, Medical imaging, Prescriptions, Photos, Dictation
  Patients: Access PHR, Pay bills, Schedule appointments, Email physician
  IoT (Internet of Things): Weight, BP, Pulse, etc.
The Perfect Storm
  Always on
  Full of personal information
  Adopted by almost everyone
  Rapid adoption without consideration for security
  Mobile = Increased Risk
Criminal Attention
  Cybercrime is quickly turning to mobile
  More profitable than PC malware
  Evolving much faster
  Infrastructure was already built over the last 10 years
  People more trusting of phishing on mobile
Mobile Cybercrime Pricing Source: Antiphishing Workgroup Mobile Report
Nowhere to hide
Mobile/BYOD Risks Classified
  1. Design/Architectural Vulnerabilities
  2. Operating System Vulnerabilities
  3. Application Vulnerabilities
  4. Network Vulnerabilities
  5. Cloud reliance
DESIGN/ARCHITECTURE VULNERABILITIES
Design/Architecture: Mobile device storage issues
  Flash memory differences: limited number of write cycles; nothing is truly deleted; DoD-style data wipes cannot be used
  Differences in Android vs. iOS
  Differences in models of devices
  Standard forensic techniques very successful
Design/Architecture: Encryption of Devices - Apple
  iOS encrypted by default
  Hardware-based AES 256-bit encryption
  FIPS 140-2 certified
  Wipes after 10 incorrect PIN entries
Design/Architecture: Encryption of Devices - Apple
  Private key is NOT based on the PIN
  Developer mode bypass allows brute force
  Older devices use software-based keys
  Recovery times around 2 minutes
Design/Architecture: Encryption of Devices - Android
  Optional on Android devices
  Various states of FIPS 140-2 compliance
  Software-based key and salt stored in the boot footer
  Performance penalty
  4-digit PINs recovered in seconds
Example: Open source tools for security testing
  Santoku Linux, free for downloading
  Mobile forensics, Password recovery, Penetration testing, Network manipulation
Example
Example
Example
Technology Makes PINS Obsolete
Password Recovery Times
  Recovery times with a $1,500 PC:
    Password 'Pa5$w0d' - 2m12.367s
    Password 'K#n&r4Z' - 1m51.962s
  7-character passwords: 40GB of possible combinations
  Dictionary words are almost instantaneous: only around 70,000 possible combinations.
  4-digit PINs: only 10,000 possible combinations.
No Cracking Necessary
  iOS backups easier to recover
  Newer devices back up to iCloud
OPERATING SYSTEM VULNERABILITIES
BYOD/Mobile: Don't Forget the Basics
  Patching is still a key defense
  Many users do not apply patches but still access company data
  Apple pushes out patches; planned obsolescence of old devices
  Android devices are left to the carrier: patches are not pushed out, many devices still vulnerable
Android MasterKey Hole
  Discovered in August 2013
  Simple way to install malware
  How it works:
    Android apps are simply digitally signed .zip files
    Modified .zip files fail digital signature checks
    Simply place two files with the same name in the .zip file
    Android verifies the first but not the second
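The condition behind the MasterKey slide, one archive name present twice, can be checked on the defender's side before an APK is trusted. The following is an added example, not code from the talk or from Android's own verifier: it constructs a sample in-memory .zip with two 'classes.dex' entries, shows that a by-name lookup and a walk of the central directory return different bytes, and rejects any archive whose central directory repeats a name. The function names (build_sample_apk, is_safe_apk, and so on) are my own.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_sample_apk() -> bytes:
    """Constructed sample: an in-memory .zip standing in for an APK that
    carries two entries named 'classes.dex'. Not from any real app."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns on a duplicate name but still writes the entry
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"ORIGINAL-DEX")
            zf.writestr("classes.dex", b"REPLACED-DEX")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Map each repeated entry name to its count in the central directory.
    A properly built, signed APK has no repeats, so any hit is a reject."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def payloads_by_walk(apk_bytes: bytes, name: str) -> list:
    """Every payload stored under `name`, in central-directory order."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.open(i).read() for i in zf.infolist() if i.filename == name]


def payload_by_lookup(apk_bytes: bytes, name: str) -> bytes:
    """What a by-name lookup returns. Python's zipfile keeps the last entry
    it saw, so two readers of one archive can disagree on the bytes; that
    disagreement between parsers is the bug class the slide describes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def is_safe_apk(apk_bytes: bytes) -> bool:
    """Accept only archives with no repeated entry names."""
    return not duplicate_entries(apk_bytes)


if __name__ == "__main__":
    apk = build_sample_apk()
    print("duplicates:", duplicate_entries(apk))
    print("walk sees:", payloads_by_walk(apk, "classes.dex"))
    print("lookup sees:", payload_by_lookup(apk, "classes.dex"))
    print("accept:", is_safe_apk(apk))
```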
Android Fragmentation
BYOD - Audits
Example: Vulnerable iPhone
APPLICATION VULNERABILITIES
Trust the App Store?
  The App Store security model: applications are tested before being posted
  Apple: more closed but more scrutiny
  Android: more open but less scrutiny
Trust the Google Play Store?
  Trend Micro study analyzed 700,000 Google Play apps
  Found more than 68,740 malicious: 1 in 10 applications
  Cloning popular titles: Angry Birds, Cut the Rope, Riptide GP
  Sent premium SMS messages
BYOD - Risky Behavior
  Rooted phones: use a vulnerability to bypass OS protections
  Third-party app stores: pirated material, more malware
  Android app side loading: direct loading of unverified apps
  Custom Android ROMs: full custom versions of Android from unknown sources
  None of these devices should be allowed to connect to sensitive networks.
Careless Mobile Apps
  Mobile App Security Study: tested for unencrypted private data
  Performed by NowSecure - https://www.nowsecure.com/resources/mobile-appsecurity-study/
  Financial apps: 25% Failed, 31% Warning, 44% Pass
    Best category tested
    Recovered password, payment history, partial credit card numbers
Careless Mobile Apps
  Social networking: 74% Failed, 26% Warning, 0% Pass
    Included Facebook, Twitter, LinkedIn, Foursquare
    All stored the username in cleartext
    IM logs, direct messages, passwords stored in cleartext
  Retail: 14% Failed, 86% Warning, 0% Pass
    Included Best Buy, Amazon, Groupon and Starbucks
    Storing search history, name and address
    Groupon was storing the password
    Starbucks was storing the full 16-digit credit card number
Careless Mobile Apps
  UUID: serial number for iOS devices
  AntiSec, a subgroup of Anonymous, claimed to have 12 million UUIDs from the FBI and released them on the Internet
  Bluetoad, an electronic publisher, stored customers' UUIDs and found that their systems had been compromised
Example: leaked UUID and device-name records (list omitted)
NETWORK VULNERABILITIES
Insecure Communication
  Mobile devices are broadcasting for known wireless networks
  Malicious devices answer and route the communications through themselves
  How many have attwifi on their phone?
Man-in-the-Middle Attacks
Near Field Communication
  NFC mobile payments are projected to be a $1T market
  NFC risks: Eavesdropping, Data corruption, Data manipulation, MITM attacks
RELIANCE ON THE CLOUD
iCloud Weaknesses
Importance of Dual Factor
Google Wallet Brute Force
Google 2-Step Verification
MOBILE DEVICE MITIGATION ADVICE
Securing BYOD/Mobile
  Utilize some form of Mobile Device Management
  Disallow rooted devices
  Require updates to be installed
  Disallow 3rd-party app stores and apps
  Require stronger PIN codes
  Require timeouts
  Require encrypted devices
Securing BYOD/Mobile
  Disallow clear communications over public networks
  Inspect mobile applications for security flaws
  Use sandboxing when needed
  Utilize remote wiping
Securing BYOD/Mobile: End User Training
  Lost phones must be reported immediately
  Phishing identification
  Physical security
  Dangers of malicious applications
QUESTIONS?