31 July 2009

Mobile Devices & Information Assurance

It has been far too long since my last post. My topic today was inspired by a number of articles over the past few weeks regarding vulnerabilities and exploits affecting mobile devices, some of which are very popular in the corporate world.

Mobile devices have always been a hassle for security folks because there isn't any hope of physical security over such devices. In the world of Smart Phones, this becomes especially worrisome. A Blackberry, iPhone, or other smart hand held device doesn't just place calls, hold contacts, and track calendar items; they now hold company email, MS Word and Excel documents, and can even provide access to an organization's network via WiFi or VPN. This growth in features has unfortunately outpaced the security that should be in place to safeguard the potentially sensitive information stored on these devices.

With inherently insecure communication technologies such as BlueTooth and unencrypted, or poorly encrypted, WiFi, the risk of a data breach increases significantly. I attended an excellent class in Austin last week taught by Gordon Smith of Canaudit, Inc.; one of the topics that was discussed was BlueTooth security on mobile devices. It was demonstrated how quickly and easily a BlackBerry device that belonged to a student in the class could be compromised. The instructor, Gordon Smith, was able to make a call and, if he had wanted to, access data stored on the BlackBerry. This type of attack not only affects BlackBerry devices but virtually any device with BlueTooth turned on, including laptops.

Consider this scenario. The CFO of ACME Corp. travels consistently each month to corporate sites across the country. His shiny new BlackBerry Tour is his primary weapon with which he conducts his business. His BlueTooth headset is also permanently attached to the side of his head. What he doesn't realize is that the gentleman sitting across from him at the airport is using another BlueTooth enabled smart phone to hijack his Tour and scan through his documents, contacts, and emails. To make things worse, the CFO keeps an Excel spreadsheet on his Tour that contains corporate bank account numbers and passwords for on-line banking services because he can never remember them all.

The above scenario is not at all out of the realm of possibility and can expose your company to a data or financial loss of substantial proportions. It is up to the information assurance policy makers to understand this and to assess balance between security and functionality and take appropriate action to safeguard corporate assets.

Another device that has been of concern recently is the iPhone. Two concerns have been raised in the past couple of weeks with the new iPhone 3G-S. The phone was marketed by Apple and AT&T as the most corporate friendly iPhone yet because of new security and encryption features. The phone has been bought up in the thousands by companies who have started issuing them to employees. This is especially disconcerting because of the popularity of the phone and the misguided belief that Apple products are completely secure and safe from hackers. The two latest iPhone issues prove this to be a complete fallacy.

The first issue is a vulnerability in the highly touted iPhone encryption as reported over at Wired. The claims came from Jonathan Zdziarski, a well-known iPhone developer who also teaches forensics classes for the iPhone. Jonathan found that the encryption used on the new 3G-S can be broken in a matter of a few minutes with readily available open source tools. This presents a problem for companies who are issuing these devices believing they are secure. The ability for a thief crack a phone's encryption in the time it takes you to get up and use the bathroom at the coffee shop where you feel comfortable and leave your phone sitting on the table is potentially disastrous.

The second issue that has been publicized recently affecting the 3G-S is a buffer overflow exploit in the wild. This exploit takes over an infected phone and is executed simply by receiving a series SMS text messages with the appropriate message content. The series of text messages may start with only one visible text message with the remaining being invisible to the iPhone user. The entire process of cracking the phone takes only a few minutes and doesn't require physical access to the phone as in the encryption issue noted above. This was first brought to my attention through the SANS Internet Storm Center Handler's Diary and is detailed further in this Forbes article. It appears that this vulnerability has existed in some form in all iterations of the iPhone and has yet to be patched on any of the versions.

These examples represent only a small sample of the vulnerabilities that exist, many of which are being actively exploited and remain unpatched. BlackBerry devices and the iPhone are definitely not alone in this predicament. Almost all smart phones come with BlueTooth and most people keep their BlueTooth service turned on permanently in order to use their wireless headsets. Other phone platforms, such as Windows Mobile and Google Android, have also been subject to exploits such as the text message problem with the iPhone. It is important for information assurance staff is to determine what equipment is in the field, what the key vulnerabilities are with each device platform, and how to mitigate the risk of loss. Since some vulnerabilities do not have patches available, this may be accomplished through disabling certain features or even disallowing certain mobile devices from being purchased.

The bottom line, however, is that mobile devices must be given a higher priority than the traditional "we can't do anything about it" attitude. They present a very real and current threat to the security of an organization's information and networks.