Mobile enterprise management tools are targeted by spyphones, researchers warn

Loek Essers | March 15, 2013
Enterprises that use mobile device management (MDM) systems to protect their corporate data on employees' mobile phones are not safe from attacks from spyphones, researchers warned at BlackHat Europe on Thursday.

iOS devices are much harder to crack but are probably more appealing to spyphone makers, since a lot of companies are standardizing on iOS, Brodie said. An attacker has to install a signed application on the targeted device using an enterprise developer certificate. The attacker then uses a jailbreak exploit -- removing limitations and protections to gain root access to iOS -- to inject container-bypass code into the secure container. After that, the attacker removes every trace of the jailbreak.

"If you're looking at the phone you're not going to see if it's jailbroken," said Brodie, adding that he and Shalouv had several times tried to jailbreak an iPhone that was already jailbroken. They simply did not notice it already was, they said.

Once the jailbreak is removed, the spyphone places hooks in the secure container using Objective-C hooking mechanisms. The spyphone is then alerted when an email is read, is able to pull the email, and subsequently sends every loaded email to a command and control (C&C) server that is controlled by the attackers, according to Brodie.

While mobile OSes try to protect themselves by restricting what both attackers and users can do to the OS, jailbreaking and rooting methods render this security mechanism irrelevant, according to Brodie.

"Infection is inevitable," Brodie said. This, however, doesn't mean that MDMs are not useful. They are useful for separating personal and business data and can also be very useful when used for remote-wipe operations, the researchers said.

Companies need to be aware, though, that MDMs cannot provide absolute security, the researchers said. The security industry therefore should try to find a way to solve this problem, they added. Solutions could, for instance, look at different network parameters and abnormal behavior to signal an infected device. Those parameters could, for example, consist of behavioral analysis to flag strange behavior, traffic to well-known C&C servers, and data intrusion detection, they said.
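To make the detection approach described above concrete, here is an added example (not from the article, nor from the researchers' own tooling) that applies the three kinds of indicator the researchers name to per-device network flow records: contact with a known C&C host, an upload volume far above the device's historical baseline, and activity outside the expected hours. Every device name, hostname, byte count and the baseline table is a constructed placeholder; a real deployment would feed it flows from a VPN gateway or MDM proxy log and a maintained C&C blocklist.

```python
# Added example: toy network-side spyphone indicators over constructed flow records.
# Hosts, device ids, byte counts and baselines are all constructed placeholders.

# Constructed sample flow records, one per outbound connection:
# (device_id, hour_of_day, dest_host, bytes_out)
SAMPLE_FLOWS = [
    ("dev-A", 9, "mail.corp.example", 40_000),
    ("dev-A", 10, "mail.corp.example", 38_000),
    ("dev-A", 11, "cdn.example", 5_000),
    ("dev-B", 9, "mail.corp.example", 42_000),
    ("dev-B", 10, "c2.example.invalid", 3_000),   # destination is on the placeholder C&C list
    ("dev-C", 9, "mail.corp.example", 41_000),
    ("dev-C", 10, "mail.corp.example", 39_000),
    ("dev-C", 3, "upload.example", 900_000),     # 03:00 bulk upload, far above baseline
]

# Placeholder blocklist of known C&C hosts (a real one comes from threat intel feeds).
KNOWN_C2_HOSTS = {"c2.example.invalid"}

# Constructed per-device history: (mean bytes_out per flow, standard deviation).
BASELINE = {
    "dev-A": (40_000, 4_000),
    "dev-B": (40_000, 4_000),
    "dev-C": (40_000, 4_000),
}

# Constructed policy window for "normal" activity: 07:00 to 19:59.
WORK_HOURS = range(7, 20)


def detect(flows, known_c2=KNOWN_C2_HOSTS, baseline=BASELINE, k=3.0, work_hours=WORK_HOURS):
    """Return a list of (device_id, rule, dest_host) alerts for the given flows.

    Rules, matching the three indicator types the article lists:
      known_c2            - destination is on the C&C blocklist
      upload_anomaly      - bytes_out exceeds the device mean by more than k standard deviations
      off_hours_activity  - flow outside work hours that is larger than the device's usual flow
    """
    alerts = []
    for device, hour, host, bytes_out in flows:
        if host in known_c2:
            alerts.append((device, "known_c2", host))
        mean, stdev = baseline.get(device, (0, 0))
        if stdev and bytes_out > mean + k * stdev:
            alerts.append((device, "upload_anomaly", host))
        if hour not in work_hours and bytes_out > mean:
            alerts.append((device, "off_hours_activity", host))
    return alerts


def suspicious_devices(flows, **kwargs):
    """Sorted list of device ids that triggered at least one rule."""
    return sorted({device for device, _, _ in detect(flows, **kwargs)})


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print("%s\t%s\t%s" % alert)
    print("devices to isolate for investigation:", suspicious_devices(SAMPLE_FLOWS))
```

On the constructed sample, dev-B is flagged only by the blocklist rule (its upload is small) and dev-C only by the behavioral rules (its destination is unknown), which is the point of combining the two: a blocklist alone misses a fresh C&C host, and a volume baseline alone misses a low-and-slow beacon. The device-level result is what an MDM could act on, for example by revoking the device's access to corporate mail until it has been examined.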
