A Practical Attack Against MDM Solutions

We’re looking forward to presenting today at BlackHat USA 2013. It’s going to be our first time taking the stage at BlackHat Las Vegas – and we’re excited!


As our title says – this is going to be one of those practical talks. Straight and to the point: we’re going to adopt the same techniques that current common commercial spyware uses to intercept 3rd party apps, such as WhatsApp, to show how mobile malware can bypass MDM and containerization solutions. We’ll be demo’ing the attack on both Android and iOS devices.

At the base of the attack is the underlying notion that secure containers rely on the operating system’s sandbox security model. Under this model, each mobile application is executed in its own separate environment. In other words, each application is allocated its own separate storage space, is assigned to run in a specific memory location, and is entitled to perform only a specific set of device functionalities such as GPS, network and SMS. These three restrictions are defined upon application installation, and once the application is installed they cannot be altered.

What the secure containers do is “wrap” up the mobile’s inherent sandbox model to prevent any application from accessing the content of any other application within the secure container. The additional layer of security that they provide comes in the form of encryption:

– Data in motion. Encrypts the communication between the application and the enterprise resources by using an SSL VPN.

– Data at rest. Encrypts all the data that is stored on the mobile device.

The thing is that all mobile operating systems, across all models and versions, contain a large number of vulnerabilities. Malware that exploits these vulnerabilities (i.e. jailbreaks or roots the device) receives elevated privileges – namely, the same privileges as the operating system itself. By freeing itself from any permission restrictions, the malware breaks the sandbox security model. It can then bypass any encryption measure as well as access the storage, memory and specific functionalities of any desired application.

The common way the malware then accesses encrypted content is by grabbing that content once it gets decrypted in the application’s memory – say, when a user pulls up an email to read. In a similar fashion, the malware can expose all of the enterprise’s confidential data.

Of course, there’s more to it when it comes to the nitty-gritty details. But for that, you’ll have to attend the talk today and see for yourself. Location: Palace 3, Time: 3:30pm.

See you there!