VDI Solutions: Background, Threats & Mitigation

Accompanying our upcoming presentation at Blackhat in Las Vegas on August 6-7, this post discusses some of the vulnerabilities that exist in Virtual Desktop Infrastructure (VDI) frameworks, as well as provides some insights into the implications of using VDI in your enterprise.

We recently held a relevant podcast with Daniel Brodie, a Sr. Security Researcher at Lacoon, who will be hosting the BH talk along with our CEO, Michael Shaulov. The podcast and this post don’t completely overlap, so if you have the time, we’d recommend giving both due care and attention.

Why enterprises are turning to VDI Solutions
With enterprises around the world adopting Bring Your Own Device (BYOD) initiatives, addressing mobile security has become increasingly important. IT and management teams are working hard to understand and address the different methodologies and technologies available both for security and device management purposes – whether on iOS or Android.

One such security solution is the Virtual Desktop Infrastructure (VDI). VDI creates a setup where devices act as a remote workstation thus preventing data from being stored locally on an endpoint device – providing security against data theft.

A VDI server holds multiple virtualized instances to which the VDI client requests access, while the VDI client app requests connection to an instance. If the request is granted, then the server opens a VDI connection with the client and all succeeding information is passed within that session.

Can a VDI solution provide all the security an enterprise needs?
Not necessarily. VDIs are certainly a beneficial tool to minimize the storage of data on a local device and consequently, the exposure of confidential data due to device theft. However, VDI solutions do not provide protections against targeted threats such as mobile Remote Access Trojans and Man-in-the-Middle. In fact, as we show in the research, threats against the underlying VDI platform are fairly easy to carry out by using widely-distributed free tools.

Here at Lacoon Mobile Security, we decided to look into both the potential threats and methods of mitigation when employing a VDI solution. Rather than comparing VDI solutions, we looked at potential threats based on the foundations in all VDIs. We considered different attack vectors that threat actors could use to bypass the VDI solutions and efficiently glean sensitive and confidential corporate information.

What are the main types of threats?
There are two main categories that can pose a threat to an enterprise using VDI:

  1. MRATs – Mobile Remote Access Trojans. MRATs are mobile surveillance software installed on a device that become privy to all data and all communications passed on the device, as well as the capability to manipulate mobile resources. MRATs come in many different shapes and sizes – ranging in intelligence, resilience and vector of attack
  2. Man-in-the-Middle (MitM) – Attacks that target unsecure communications between two devices or a device and a server. The threat of Man-in-the-Middle (MitM) has always been a concern for mobile devices that are not on trusted networks. Additionally, typical alert and warning signs that individuals are used to noticing on PCs and laptops are much more subtle in their mobile counterparts.

Our presentation at Blackhat will include in-depth demonstrations of several different threats to VDI, including those mentioned above.

What enterprises should be doing to combat threats to VDI:

  1. Look at all the different threat vectors that threat actors can use to exploit mobile devices to ensure nothing goes undetected. Correlate and analyze all the information from:
    • Devices. Continuous monitoring of the operating system (Android, iOS), including processes, configurations and vulnerable libraries that could impact the security stance of a device.
    • Applications. Understanding the behaviors and intent of applications (including the interfaces) on specific devices to identify immediate and long-term risky activities (e.g. time bombs); applications downloaded from “official” markets (e.g. Google Play, iTunes Store), as well as those that have been repackaged and side–loaded. Behavioral App Reputation technologies are best positioned to address this gap, but one must make sure that they are capable of detecting unknown keyloggers, screen scrapers and packaged privilege escalation exploits.
    • Network Connections. Identifying rogue access points or compromised connections, as well as recognizing anomalous network traffic to and from a device that indicates an exploit.
  2. Accurately classify low level threats (that have no implication on corporate assets) and more targeted advanced threats to enable appropriate responses and effective risk mitigation.
  3. Provide proactive threat remediation as part of a Risk Based Mobile Management (RBMM) approach – be able to mitigate the threat on the device, in the network, and most importantly by risk score loopback to the VDI or container service, to block access to corporate resource when (and only when) the device is compromised.

To mitigate MitM-related threats, we’d strongly recommend that VDI vendors to introduce a robust framework for certificate validation and pinning to avoid unauthorized interception of the authentication and communication protocols.

The Bottom Line
The point is to recognize that VDI depends on the integrity of the host system. This means that as long as the device is uncompromised the solution protects the data. On the other hand, once the underlying platform is compromised, so does the VDI solution. In order to undermine the security of VDI solution, it is enough for the threat actor to target the device itself.

Unfortunately, as we’ll demonstrate throughout our talk at Blackhat, compromisable devices are increasingly being introduced into the enterprise. Accordingly, enterprises need to approach mobile security as a layered approach.

Image Credit: carouselindustries