In the early days of operating systems, security was a consideration, but it was not yet well established, because the blizzard of attack activity that would test it had yet to emerge. Functionality was the main priority, and early generations of security enthusiasts exploring these emergent technologies out of intellectual curiosity paved the way for the criminal element and, to some degree, for espionage actors. Security of mainstream operating systems has improved substantially in recent years, yet those building newer technologies do not always learn from the lessons of the past and are doomed to repeat some of the same mistakes on their path to maturity.
I always try to evaluate the real-world risks of any technology explored and presented at any conference, and Black Hat and Defcon are no exception. While some attacks are too esoteric for all but the most advanced and resourceful threat actors, other material is either already in the wild or soon will be. Other talks may give actors the seed of an idea or a proof of concept that can be further weaponized. An early case of this was eEye's BootRoot, presented at Black Hat 2005 as the first public “bootkit”. Some years later, the Mebroot malware implemented a variant of the BootRoot technique in its own code, and other actors, such as those wielding the TDL4 malware, began using bootkits in their arsenal. Researchers at the time may or may not have been able to predict the in-the-wild weaponization of such code. Researchers today, however, have the benefit of learning from history and carefully evaluating risk against present or emergent technologies, since it is all too clear that threat activity is only set to increase as the stakes from a rapidly expanding technology landscape continue to rise. Additionally, time to weaponize has decreased substantially, as the volume of threat research has grown in proportion to the perceived and actual return on investment. This gives defenders a smaller window in which to react, and that window only shows signs of shrinking over time. Proactive security measures can help, but it is clear that even the most well-designed systems can be exploited, and therefore reactive security, while painful, is with us for the long haul.
At Black Hat 2018 and Defcon 26, a huge amount of attack surface and emergent attack activity was discussed. Among many other interesting matters, mobile technologies continued to receive scrutiny. Innovative research exposed insecurity in various parts of a mobile landscape that continues its ubiquitous expansion into all areas of modern life. Just a few years back, serious mobile threats, especially to Android devices, were fairly limited and received comparatively little attention from the security industry. This has changed, with numerous global threat actors and spyware vendors conducting compromise activity through Android devices. While most mobile malware is still learning to walk compared to its Windows-based equivalents, indicators of its growth are omnipresent for those with eyes to see. Other layers of the mobile technology stack are receiving scrutiny as well. We should never assume that the research presented at a conference such as Black Hat is not also being performed by hostile actors, who may already be ahead of the curve. The practicality of such research is always a point to consider when designing defenses and must be factored into the appropriate threat model.
Threats Exploiting Mobile Device Management (MDM)
Actors engaging in various threat campaigns have rightly sensed the opportunity in the mobile attack surface: they are taking full advantage of third-party app stores and using the usual array of social engineering tricks to perpetuate their campaigns. Mobile Device Management offers an opportunity to help protect such devices in an enterprise network, yet threat actors themselves are no strangers to deploying highly targeted malicious MDM infrastructure, proving that security technologies in the wrong hands can have devastating consequences. Additionally, the compromise of any security or deployment infrastructure such as MDM gives persistent threat actors a ready path to turn already trusted infrastructure to criminal or espionage purposes. Talks relating to this included “A Deep Dive into macOS MDM (and How it can be Compromised)” [1], and further information was obtained from “Advanced Mobile Malware Campaign in India uses Malicious MDM” [2], recently published by Cisco Talos.
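A device that trusts the wrong MDM server, or carries a profile that installs a trusted root or global proxy, is exactly the foothold described above. The following is an added example (not code from the original post, from Cisco Talos, or from the Black Hat talk) of the kind of audit a defender can run over a Mac's installed configuration profiles. It assumes the plist shape produced by macOS's `sudo profiles show -output stdout-xml` (a top-level dict keyed by `_computerlevel` or a user name, each holding a list of profiles with `ProfileIdentifier` and `ProfileItems`); the sample plist, the host names and the `EXPECTED_MDM_HOSTS` allowlist are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit

# Hosts your organization's MDM is expected to use (assumption for this example).
EXPECTED_MDM_HOSTS = {"mdm.example.com"}

# Payload types that deserve a second look in any profile you did not push yourself:
# they install trusted roots, trust settings, a global proxy, a content filter or a VPN.
HIGH_RISK_PAYLOADS = {
    "com.apple.security.root",
    "com.apple.security.certificatetrust",
    "com.apple.proxy.http.global",
    "com.apple.webcontent-filter",
    "com.apple.vpn.managed",
}

# Constructed sample input. Its structure is an assumption modelled on the output of
# `sudo profiles show -output stdout-xml`; the identifiers and hosts are made up.
SAMPLE_PROFILES_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>_computerlevel</key>
  <array>
    <dict>
      <key>ProfileDisplayName</key><string>Device Management</string>
      <key>ProfileIdentifier</key><string>com.attacker.example.enrollment</string>
      <key>ProfileItems</key>
      <array>
        <dict>
          <key>PayloadType</key><string>com.apple.mdm</string>
          <key>PayloadIdentifier</key><string>com.attacker.example.mdm</string>
          <key>PayloadContent</key>
          <dict>
            <key>ServerURL</key><string>https://mdm.attacker.example/mdm</string>
            <key>CheckInURL</key><string>https://mdm.attacker.example/checkin</string>
            <key>AccessRights</key><integer>8191</integer>
          </dict>
        </dict>
      </array>
    </dict>
    <dict>
      <key>ProfileDisplayName</key><string>Trusted Root</string>
      <key>ProfileIdentifier</key><string>com.attacker.example.root</string>
      <key>ProfileItems</key>
      <array>
        <dict>
          <key>PayloadType</key><string>com.apple.security.root</string>
          <key>PayloadIdentifier</key><string>com.attacker.example.root.ca</string>
          <key>PayloadContent</key><data>AAEC</data>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_profiles(plist_bytes, expected_hosts=EXPECTED_MDM_HOSTS):
    """Return a list of findings: MDM enrollments that do not point at an allowlisted
    host over HTTPS, and any high-risk payload types, wherever they appear."""
    data = plistlib.loads(plist_bytes)
    findings = []
    for scope, profiles in data.items():  # "_computerlevel" or a user name
        for prof in profiles:
            pid = prof.get("ProfileIdentifier", "<no identifier>")
            for item in prof.get("ProfileItems", []):
                ptype = item.get("PayloadType", "")
                content = item.get("PayloadContent", {})
                if ptype == "com.apple.mdm":
                    url = content.get("ServerURL", "")
                    parts = urlsplit(url)
                    if parts.scheme != "https":
                        findings.append({"scope": scope, "profile": pid,
                                         "kind": "mdm-not-https", "detail": url})
                    if parts.hostname not in expected_hosts:
                        findings.append({"scope": scope, "profile": pid,
                                         "kind": "unexpected-mdm-server", "detail": url})
                elif ptype in HIGH_RISK_PAYLOADS:
                    findings.append({"scope": scope, "profile": pid,
                                     "kind": "high-risk-payload", "detail": ptype})
    return findings


if __name__ == "__main__":
    # On a real Mac, replace SAMPLE_PROFILES_PLIST with the bytes produced by
    # `sudo profiles show -output stdout-xml`.
    for f in audit_profiles(SAMPLE_PROFILES_PLIST):
        print(f"[{f['kind']}] scope={f['scope']} profile={f['profile']} {f['detail']}")
```

Run against the sample, the audit reports the enrollment against mdm.attacker.example and the root-certificate payload; an enrollment against an allowlisted host produces no MDM finding. The allowlist is deliberately host-based rather than URL-based, since a legitimate MDM may expose several paths on one host, and a rogue server on an unexpected host is what the Talos campaign relied on.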
Vulnerabilities in Mobile Payment Technologies
Another area receiving its turn under the microscope is mobile payment technology. In “For the Love of Money: Finding and Exploiting Vulnerabilities in Mobile Point of Sale Systems”, researchers scrutinized numerous emergent mobile payment systems and shared their findings, giving those who build and maintain such systems important insight. At this time, evidence suggests that a great number of threat actors continue to target Windows-based machines running point-of-sale software in order to obtain payment card data that is then sold on the black market or used in other fraud schemes. One need not look far for extensive evidence of this; the FIN7 and FIN8 groups come to mind. Threat groups such as these, and others yet to form, are surely looking at mobile payment technologies, exploring their attack surface, and evaluating the possible return on investment.
Denial of Service (DoS) Vulnerabilities in LTE Networks
Other interesting things I saw in Las Vegas related to denial of service vulnerabilities in LTE network infrastructure that arise because base station information is not validated, allowing a threat actor to insert a bogus base station at low cost. While the research was done in an RF-shielded environment, the implications of this type of DoS attack could be substantial, since mobile networks are mission critical. Thankfully, countermeasures for this weakness are being developed, although one may wonder why such a gap was present in the first place. This was covered in “LTE Network Automation Under Threat”.
Remote Code Execution (RCE) Vulnerability in Smartphone Baseband
The talk “Exploitation of a Modern Smartphone Baseband” was interesting as it covered a remote code execution vulnerability in a smartphone baseband that is triggered by an SMS and requires no end-user interaction. This clever hack earned the researchers a $100,000 reward. Substantial effort appears to have been required for this work, yet the target environment was not hardened (little to no memory corruption mitigation, memory-unsafe languages, etc.), which made exploitation less difficult. While out of reach of the average cybercriminal, such exploits are highly useful to intelligence agencies and espionage-oriented threat actors, and baseband vulnerabilities clearly represent an attack surface that warrants continued scrutiny.
Vulnerabilities in iOS
While Android-based devices receive a lot of attention from threat actors for various reasons, iOS devices are not immune to issues. Although months of research were required, researchers demonstrated an iOS jailbreak that chains two vulnerabilities to obtain “reliable kernel code execution from iOS application sandbox”, as presented in “KeenLab iOS Jailbreak Internals: Userland Read-Only Memory can be Dangerous”. Additionally, the iOS async_wake exploit was presented by a Google Project Zero researcher who reports having discovered over 30 bugs in iOS since 2016. Google Project Zero researchers are very bright, but don't forget that nation-state espionage groups also employ highly skilled software engineers who are always on the hunt for new TTPs and exploits to express their tradecraft. Because iOS is harder to exploit than Android, iOS exploits are known to command top dollar on the exploit markets. Such bugs are likely to be used only in highly targeted, high-value attack campaigns, unless they leak to the public.
The Meltdown Continues
Even more mobile insecurity was presented in “Meltdown: Basics, Details, Consequences”, which demonstrated the attack on a Samsung Galaxy S7. Thankfully, Samsung patched the issue on July 10, 2018 [3]; however, other attack surface remains. In a helpful move, the researchers published a countermeasure known as KAISER that has since been incorporated in various places [4]. Research into hardware-based vulnerabilities such as Meltdown and Spectre has a higher bar to entry than other types of security research, yet the widespread applicability of such vulnerabilities suggests that others will continue to dig for further issues that allow access to sensitive memory and can leak vitally important data.
Security Flaws in Trading Technologies
No modern security conference would be complete without a look at client-side vulnerabilities in mobile applications. In this case, “Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies” examined 16 desktop applications, 29 websites, and 34 mobile applications. That the mobile applications outnumbered the other platforms is a sign of what's to come. The researcher performed security testing on apps that many may assume to be secure by design, yet a host of security issues were discovered and discussed. An interesting point here is that 7 of the websites reviewed dealt with cryptocurrency. Considering threat actor interest in that technology, such research provides insight not only for defenders and analysts but also for the criminal element, who are on the lookout for new avenues of exploitation to enable their illicit gain.
Are we ready to face the challenge of helping mobile technologies operate securely? Will security measures be strong enough to deter most actors, who will then seek other, lower-hanging fruit? Or will the pain of compromise be required to shake loose the organizational and financial resources needed to implement security properly and proactively across all relevant technologies, mobile and otherwise? Security researchers, and threat actors, have fertile ground on which to tread, and a large body of prior work to leverage, as the mobile threat landscape continues to expand.
[1] Jesse Endahl and Max Bélanger. “A Deep Dive into macOS MDM (and How It Can Be Compromised)”. Black Hat USA, 2018. Retrieved August 2018 from https://i.blackhat.com/us-18/Thu-August-9/us-18-Endahl-A-Deep-Dive-Into-macOS-MDM-And-How-It-Can-Be-Compromised-wp.pdf
[2] Warren Mercer, Paul Rascagneres and Andrew Williams. “Advanced Mobile Malware Campaign in India uses Malicious MDM”. Cisco Talos, 2018. Retrieved July 12, 2018 from https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html
[3] Macy Bayern. “Despite patches, Samsung Galaxy S7 open to Meltdown exploit and millions are affected”. TechRepublic, 2018. Retrieved September 13, 2018 from https://www.techrepublic.com/article/despite-patches-samsung-galaxy-s7-open-to-meltdown-exploit-and-millions-are-affected/
[4] Samuel K. Moore. “How the Meltdown Vulnerability Fix Was Invented”. IEEE Spectrum, 2018. Retrieved September 13, 2018 from https://spectrum.ieee.org/tech-talk/semiconductors/processors/how-the-intel-processor-meltdown-vulnerability-was-thwarted