More BYOD Insecurity from BlackHat EU 2013 by LPhifer
Another BlackHat Europe session that piqued my curiosity was “Dude, where’s my laptop?” presented by Simon Roses Femerling and Curro Marquez. This session’s abstract noted that users carry all sorts of mixed business/personal-use gadgets that are lost or stolen at alarming rates, costing employers millions in breach notifications, etc.
While BYOD losses aren’t news, these presenters had a different take on the problem – specifically, by demonstrating that many of the tools used to mitigate this risk are themselves flawed.
It’s not uncommon for employers to mandate that BYODs used for business support remote wipe, PIN/passcode lock and data encryption. When a device goes missing, employers may use GPS tracking to find and map its current or recent location. Many phones and tablets can be made to display messages prompting return-to-owner or play sounds. Some anti-theft apps can also use a device’s camera and/or screen snap features to spy on a would-be thief to assist with recovery. If all else fails, resort to remote wipe to deter data breach or further corporate network access.
While these anti-theft measures are handy, just how fool-proof are they? Femerling and Marquez decided to do a little vulnerability testing to suss out weaknesses.
In their presentation, these researchers from VULNEX describe a lack of threat modeling on the part of those offering anti-theft apps. Specifically, through network analysis/attack, system analysis/attack, and reverse engineering, the presenters found anti-theft apps that:
- Were easily identified and removed from supposedly-protected devices.
- Transmitted sensitive information such as owner names, account passwords, GPS coordinates, device IDs, phone numbers and application internals thieves might find interesting.
- Were easily bypassed by techniques such as entering recovery mode and rooting or jailbreaking a device while shielded from connectivity and thus remote deterrents.
- Were entirely unprotected or very weakly protected by crypto for data at rest or in motion.
- Were prone to using OS data wipe functions that enable forensic data recovery.
The moral isn’t to abandon anti-theft measures. Rather, anti-theft developers are strongly advised to elevate their game. And users shouldn’t fall for broad claims that protected devices are entirely safe.
Finally, employers should heed these vulnerabilities and conduct their own assessments to verify that anti-theft measures are hardened against network, system and reverse engineering attacks. For example, try watching what a laptop or smartphone with your chosen anti-theft program actually spews out over Wi-Fi during periodic check-ins and when instructed to take action – you might be unpleasantly surprised.
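One way to run the check-in review suggested above, as an added example that is not from the presentation or any vendor: a Python script that flags the data categories the talk listed when they appear in captured requests. It assumes form-encoded requests exported from an intercepting proxy on a test device you own; the parameter-name patterns, the host checkin.example.test and the sample capture are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Data categories the talk reported leaking, mapped to parameter-name
# patterns. The patterns are assumptions; tune them to the product under test.
SENSITIVE = {
    "credential": re.compile(r"pass(word|wd)?|pwd|token|secret", re.I),
    "location": re.compile(r"^(lat|lon|lng|gps)", re.I),
    "device_id": re.compile(r"imei|imsi|serial|device_?id|udid", re.I),
    "phone": re.compile(r"phone|msisdn", re.I),
    "owner": re.compile(r"owner|user|email", re.I),
}

def classify(name):
    """Return the first sensitive category a parameter name matches, or None."""
    for category, pattern in SENSITIVE.items():
        if pattern.search(name):
            return category
    return None

def audit_request(url, body=""):
    """Return (category, parameter, reason) findings; values are never echoed."""
    parts = urlsplit(url)
    cleartext = parts.scheme.lower() != "https"
    findings = []
    for where, raw in (("query", parts.query), ("body", body)):
        for name, _value in parse_qsl(raw, keep_blank_values=True):
            category = classify(name)
            if category is None:
                continue
            if cleartext:
                findings.append((category, name, "sent without TLS"))
            elif where == "query" and category == "credential":
                # Over TLS the URL is still written to server and proxy logs.
                findings.append((category, name, "credential in URL"))
    return findings

# Constructed sample capture (form-encoded check-ins from a test device).
CAPTURE = [
    ("http://checkin.example.test/api/ping",
     "device_id=A1B2&lat=40.41&lon=-3.70&owner=Jane+Doe"),
    ("https://checkin.example.test/api/login?user=jane&password=hunter2", ""),
    ("https://checkin.example.test/api/ping", "device_id=A1B2&lat=40.41"),
]

if __name__ == "__main__":
    for url, body in CAPTURE:
        for finding in audit_request(url, body):
            print(url.split("?")[0], *finding)
```

A clean result here only covers parameter names in form-encoded traffic; JSON or binary check-in protocols need their own decoding before the same classification applies.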
Thanks to Femerling and Marquez for this reminder that someone always needs to be watching the watchguard, lest we become complacent about security - BYOD or otherwise. To download this BlackHat preso, visit: http://www.vulnex.com/data/VULNEX_BH_EU13_AntiTheft.pdf