The Security of MDM systems
Hack In Paris 2013
Sebastien Andrivet

Who am I?
- Sebastien Andrivet
- Switzerland (Geneva)
- Specialized in security: mobiles (iOS, Android), forensics
- Developer: C++, x86 and ARM
- (Cyberfeminist & Hacktivist)

Agenda
- Smart devices, BYOD, COPE, ...
- MDM typical features
- MDM market
- MDM & security - on paper
- MDM & security - findings

Smart devices

MDM, MAM, ...
- MDM: Mobile Device Management
- MAM: Mobile Application Management
- MCM: Mobile Content Management
- Etc.

MDM - Typical features
- Device inventory tracking
- Software inventory tracking
- Telephone expense management
- Device tracking
- Backup & restore
- Remote lock, wipe, etc.
- App deployment
- Etc.

BYOD - COPE
- BYOD: Bring Your Own Device
- COPE: Corporate Owned, Personally Enabled
- Differences: costs, ownership, management

NOC, not NOC
- Some products use a central relay, a Network Operations Center (NOC): BlackBerry, Good Technologies
- Some others do not: MobileIron

Deployment
- On premise (virtual server)
- Appliance
- Cloud-based
MDM Market
- Source: Gartner (May 2013)

MobileIron
- Management of devices: iOS, Android, BlackBerry, Windows Phone, ...
- Enterprise App Store
- Integration into the enterprise with an API
- Exchange/Notes proxy (Sentry)
- No NOC; on-premise or cloud
- Uses native apps (thin agent)

Good
- Management of devices: iOS, Android, Windows Phone, ... (not BlackBerry)
- Enterprise App Store
- Access to Exchange/Notes through the Good Server
- NOC
- Uses its own apps (thick agent): e-mails, calendar, contacts

Security on Paper

CVE, exploit-db, ...
- CVE Details: nothing
- Exploit-DB: only 1 entry, for MobileIron (June 10, 2013)
- Open Security Research: about Good hacking (reading mails)
- A paper from iSEC Partners
- Some references about SCEP (xcon)

Switzerland

My Target
- Is it possible for an operator (MDM admin) to read / steal e-mails without authorization?
- If yes, is it traceable?

In other terms
- Is it possible for an IT employee to steal information from their employer, like e-mails of the management, about clients, ... and sell them to Germany, France, the United States, ...?

My Tests
- These products are big; it takes time to test them entirely
- So I focus only on some aspects:
  - Installation / deployment
  - Enrollment of devices
  - Management interface

Timeframe
- First series of tests in Oct.-December 2012
- Second series in June 2013
- MDM: MobileIron, Good
- Both with Exchange, on premise (virtual machines)
Good - Network
- (Diagram: self-service, Good NOC, your network, MDM server, Firewall)
- No DMZ

MobileIron - Network
- (Diagram: MDM server, Firewall)

MobileIron - Network
- (Diagram: Internal LAN | DMZ | Internet, a firewall between each zone; MDM in the DMZ; Exchange, AD, etc. on the internal LAN)
- Ports: tcp/398-636, tcp/443 (https), tcp/443 (https), tcp/8080, tcp/9997, tcp/9998

Operating Systems
- MobileIron: CentOS
- Good: Windows Server 2008

Processes
- Good runs as Administrator of the server: no least privilege, and not possible to change it
- MobileIron: users tomcat, apache, mysql, ...

Exchange
- MobileIron: Exchange proxy (ActiveSync), Sentry
- Good: you have to give the Good MDM almost all rights to the Exchange mailboxes

Good & Mails
- You are not reading e-mails, the Good Server does
- All you need to read someone's e-mails is to enroll a new device (OTA)
- No need for the user's password
- An MDM admin can do that
- See Open Security Research (April 2012)

Admin Interface - MobileIron
- Important: this was the state last year (Dec. 2012)

Admin Interface
<Removed in this public version>

Retrieve Passwords in Clear
- Magic request: https://server.lab/misc/misc.html?action=getlocaluserlist&limit=20
- Gives the password in clear of... your colleagues!
- (Screenshot: my password, password of my colleague)
- Mitigation: you have to be authenticated

Another magic request
- https://server.lab/mifs/admin/ud.html?action=getldapconfigs
- Gives the password in clear of the LDAP (AD) account!
- Mitigation: you have to be authenticated
Cross-Site Scripting
- In various places
- <img src=1.gif onerror=alert('XSS_in_Name')>

Cross-Site Scripting
<Removed in this public version>

Cross-Site Scripting - Good
- They take anti-XSS measures everywhere except in one place

Mitigation
- Good & MobileIron: session cookies are Secure and HttpOnly, so not so easy to steal (by XSS, ...)
- MobileIron: X-Frame-Options: SameOrigin

Cross-Site Request Forgery
- MobileIron: everywhere, no anti-CSRF measures; POST can be replaced by GET, so it is very easy to use an image, ... to trigger
- Good: everywhere, no anti-CSRF measures, but POSTs only

Example - PoC #1
- Remove iPhone passcode
- When an iOS device is enrolled (configuration profile), an MDM can remove the passcode over-the-air; only the MDM can do that (validated by certificates)
- Using the CSRF vulnerabilities of MobileIron, I have developed a PoC to remove the passcode of a given iPhone

Example - PoC #1
- The PoC sends the following (using an <IMG> tag): https://server/mifs/admin/ud.html?action=unlockpassword&phone=[{%22deviceid%22%3a%23fb2acc3e-47c7-502a-8a80-8fd7dfd97a86%22}]
- 23fb...86 is the UUID of the phone to unlock
- Of course, some social engineering (or XSS) is necessary

Example - PoC #2
- Good
- By combining data leakage + XSS + CSRF, we were able to give admin rights to any user

Example - PoC #2
- Contrary to MobileIron, CSRF with GET is not possible
- Use POST instead
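A defender-side complement to the "magic request" and CSRF slides above: an access-log check that flags the credential-leaking actions, a state-changing action (unlockpassword) reached via GET, and a state-changing action whose Referer is off-site. This is an added example, not code from the talk or from MobileIron; the log lines are constructed, the UUID is a placeholder and the host name server.lab is taken from the slides.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Tomcat "combined" access-log format, capturing only the fields used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Actions named in the talk: two leak passwords in clear, one unlocks a device.
LEAK_ACTIONS = {"getlocaluserlist", "getldapconfigs"}
STATE_ACTIONS = {"unlockpassword"}

def analyse(line, own_host="server.lab"):
    """Return a list of findings for one access-log line (empty when nothing is suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []                      # not a combined-format line; ignore
    action = parse_qs(urlsplit(m["target"]).query).get("action", [""])[0]
    findings = []
    if action in LEAK_ACTIONS and m["status"] == "200":
        findings.append(f"credential leak request from {m['ip']}: action={action}")
    if action in STATE_ACTIONS:
        if m["method"] == "GET":       # state change must never be reachable via GET
            findings.append(f"state-changing action via GET from {m['ip']}: action={action}")
        ref_host = urlsplit(m["referer"]).hostname or ""
        if m["referer"] not in ("", "-") and ref_host != own_host:
            findings.append(f"possible CSRF: {action} referred from {ref_host}")
    return findings

def scan(lines, own_host="server.lab"):
    """Run analyse() over a whole log and collect every finding."""
    return [f for line in lines for f in analyse(line, own_host)]

# Constructed sample log: one leak request, one cross-site GET unlock, two benign lines.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2013:10:01:02 +0200] "GET /mifs/admin/ud.html?action=getldapconfigs HTTP/1.1" 200 512 "https://server.lab/mifs/admin/" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Jun/2013:10:03:14 +0200] "GET /mifs/admin/ud.html?action=unlockpassword&phone=%5B%7B%22deviceid%22%3A%22UUID-PLACEHOLDER%22%7D%5D HTTP/1.1" 200 0 "http://evil.example/page.html" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jun/2013:10:05:30 +0200] "POST /mifs/admin/ud.html?action=unlockpassword HTTP/1.1" 200 0 "https://server.lab/mifs/admin/" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jun/2013:10:06:00 +0200] "GET /mifs/admin/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```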
Command Line
- MobileIron also has a command line interface, a little like a router
- enable command for privileged actions
- May also be accessible from SSH or Telnet, depending on the configuration

Remote Command Execution
- Not found by myself, but by prdelka (Exploit-DB, June 10, 2013)
- The command show log uses less underneath, and sudo
- Execute a shell command inside less (with ! or ...)
- Executed as root
- This is patched now

Today
- These problems (XSS, CSRF, retrieving passwords in clear, ...) have been fixed in the latest versions of MobileIron
- Filtering and replacement to avoid XSS; not sure (hum...) it is correctly done, but no time to investigate further
- Anti-CSRF tokens (per session)
- But some other problems remain...

Weak Encryption
- Both products are using AES, SHA, etc.
- They are FIPS-blah blah certified
- But what about the keys...

MobileIron Local Users
- With MobileIron, administrators are local users; not possible to use LDAP (AD) users
- Stored in an XML file: identityconfig.xml
- Password encrypted

MobileIron Local Users
- base-64 encoding
- AES encryption, with ECB
- PKCS#5 padding
- key... <actual passphrase not disclosed in this public version>
- This passphrase is derived with SHA-1, one time

PoC #3
- Fixed, identical key for all installations
- No salt, no iterations (1), no PBKDF2, ...
- We have made a small Java application to recover passwords from a given installation
- The same encryption is used for various information

User Accounts
- MobileIron stores accounts (smart device users) in a MySQL database, table mi_users
- Same hash, but not the same encrypted password (sometimes). Are they using a salt?

Keys
- No. It uses... 5 keys
- These keys are initialized at startup with fixed, hardcoded values
- To encrypt a password, one of those keys is chosen randomly
- To verify a password, each key is tried one by one...
- The same mechanism is used for other passwords
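An added illustration (not MobileIron code, not the talk's Java tool) of why the "same password, sometimes a different stored value" observation on the two slides above is exactly what a five-fixed-key scheme produces, and what the salted-KDF alternative looks like. Because the standard library has no AES, the fixed-key scheme is modelled with a keyed hash (HMAC-SHA256) under five constructed placeholder keys; the structural weakness is the same: only five possible stored values per password, identical on every installation, so nothing per user or per installation has to be attacked.

```python
import hashlib
import hmac
import os
import secrets

# Stand-ins for the five fixed, hardcoded keys (constructed placeholders, not the real ones).
FIXED_KEYS = [hashlib.sha1(b"placeholder-key-%d" % i).digest() for i in range(5)]

def weak_store(password):
    """Fixed-key scheme: pick one of the five keys at random and protect the password with it.
    The stored value does not say which key was used."""
    key = secrets.choice(FIXED_KEYS)
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest()

def weak_verify(password, stored):
    """Verification must try every key, one by one."""
    return any(hmac.compare_digest(hmac.new(k, password.encode(), hashlib.sha256).hexdigest(), stored)
               for k in FIXED_KEYS)

def possible_weak_values(password):
    """All values weak_store() can ever produce for this password: the same set on every install."""
    return {hmac.new(k, password.encode(), hashlib.sha256).hexdigest() for k in FIXED_KEYS}

def strong_store(password, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256: a fresh random salt per record, plus a work factor."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def strong_verify(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def distinct_stored_values(store, password, n):
    """How many different stored values n records of the same password produce under a scheme."""
    return len({store(password) for _ in range(n)})

if __name__ == "__main__":
    pw = "Winter2013!"   # constructed sample password
    print("fixed-key scheme, 200 records:", distinct_stored_values(weak_store, pw, 200), "distinct values")
    print("salted PBKDF2, 20 records:   ", distinct_stored_values(strong_store, pw, 20), "distinct values")
```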
PoC #4
- We have made a small Java application to recover passwords from:
  - a MySQL database
  - a MobileIron backup

But wait a minute...!
- Why is MobileIron storing those passwords? In particular for LDAP (external users)?
- Where are these passwords coming from?
  - From the self-service portal?
  - From the Sentry server (ActiveSync)?
  - From the NSA? From space?

They come from...
- From the smart device app during enrollment: the password is transmitted and stored
- Setting: Save User Password Preferences (related to Exchange profiles)
- MobileIron recommends to check Yes
- DO NOT DO THAT!

Agents on devices
- Practical Attacks against Mobile Device Management (MDM), BlackHat 2013, Lacoon Mobile Security
- How to break Good (and others) secure containers
- But I personally don't agree with them regarding iOS

Agents on devices
- Auditing Enterprise Class Applications and Secure Containers on Android, iSEC Partners, Dec. 2012
- Only Android
- Good & MobileIron
- Breaking encryption keys, defeating rooting detection, ...

More...
- There are several more points: MobileIron & iOS keychain, Good AES key generation, jailbreak detection, etc.
- But time is limited; perhaps for another talk...

Conclusion
- The actual security of an MDM solution is very dependent on its configuration (for ex. Save user password)
- Very dependent on the deployment context: case by case, like any somewhat complex system

Conclusion
- Security was not the priority of MDM systems, at least during development
- The situation is improving, but there are still vulnerable points, like encryption
- Difficult to say that one product is safer than another
- Good is better programmed, but the Good NOC is a problem

Thank you!
- Follow me on Twitter: @AndrivetSeb
- Web site: www.advtools.com
- My e-mail: sebastien@advtools.com