Monday, 20 June 2016

Phones Show Chat 347 Notes on Smartphone, Mobile and IT Security

I recently had the pleasure of being a guest on Steve Litchfield and Ted Salmon's Phones Show Chat podcast for episode 347, which was published on 19th June 2016. I've been a regular guest on the podcast over the years, and I've worked in the IT information security industry for 13 years (you can find me here and here for more details) which is probably why Steve and Ted asked me to discuss the topic in detail during the show.

We covered a lot of ground around mobile and IT security, with a lot of terminology and acronyms, so this blog post is designed to be a companion or reference to the podcast episode.

Let's start with some terminology:
  • Vulnerability. The bug, hole or weakness in the software or operating system, usually unintentional, sometimes maliciously inserted (aka the backdoor). This can lead to the ability to, for example, execute code or escalate privileges (obtain root or administrator rights) either locally on the device or, even scarier, remotely from afar. When there is a way to use the vulnerability to do such a thing, we have an...
  • Exploit. This is taking advantage of the vulnerability to mount a successful attack. A vulnerability can be known without there necessarily being an exploit in the wild. Once there is a working exploit, we get even more concerned about a vulnerability, as before that point the threat is only theoretical.
  • Patching. This is basically updating software or operating systems, and should be done regularly. It will ensure that you receive fixes developed for known vulnerabilities. In the mobile world, this will come through your OEM/carrier for the phone OS itself, and the app store should be the mechanism for keeping apps up-to-date.
  • Zero Day. This refers to the scenario where a vulnerability exists and is known to someone, but has not been disclosed to the vendor. This is dangerous because the vulnerability could be abused and exploited by attackers, but if the developers don't know about it, they can't write and distribute a patch or update to close the hole. Zero day vulnerabilities with working exploits, especially for highly used systems like Windows, Android and iOS, can trade hands for hundreds of thousands of dollars on the 'dark web'. This ties in with...
  • Responsible disclosure. If you find a vulnerability, you should inform the developers privately, so they can fix the hole or weakness in the system. Not sell it on the dark web. Also, should you choose to publicise the vulnerability first, you give attackers a window of opportunity to exploit the vulnerability before the developers have had a chance to fix and update the software. Publicise your great work finding the vulnerability after the fix has been available for some time.
  • Bug bounties. Companies will give money to people who find vulnerabilities in their products, systems and services and disclose them responsibly. This even includes The Pentagon! In the last year, Google paid out more than $500,000 in these types of rewards. This type of scheme hopes to encourage hackers to disclose responsibly rather than trade on the 'dark web'.
  • CVE (Common Vulnerabilities and Exposures). This is the industry standard catalogue of vulnerabilities, and gives us a uniform and standardised way to refer to vulnerabilities in precise language, rather than using common language which can get mangled, abbreviated, or otherwise abused or confused. Some vulnerabilities are so serious that the industry also gives them nicknames, like Heartbleed, Shellshock, and most recently Badlock. Sometimes these are justified to get publicity so we all make sure we patch our systems. Other times it is a research organisation trying to publicise themselves.
  • CVSS (Common Vulnerability Scoring System). This is the industry standard way of rating the severity of a vulnerability. It uses factors like the vector used (is it local, so I have to get on the system first, or can I perform the attack remotely), the complexity of the potential exploit, the authentication required, and the impact to the CIA of the data (confidentiality, integrity, availability).

At the end of the day, security is about minimising risk to an acceptable level, and this is no different with our smartphones. Risk is classically defined as "impact x probability". The impact of the thing happening could be anything from an app crashing, to your whole phone and digital identity being stolen or abused. The probability of the thing happening depends on how easy it is for the attacker. Many attacks require the user to be in one of 3 scenarios: you have installed apps from 3rd party app stores, you have rooted or jailbroken your device, or the attacker has somehow got between your phone and the Internet, inside the flow of the network traffic (called "man in the middle", or MiTM). Classic MiTM is achieved with the public wifi scenario, where you think you are connecting to a safe wifi provided by a venue, but you are actually connecting to a wifi network created by someone with a WiFi Pineapple or similar, and they're going to snoop into your data and try to attack you. Seriously, don't use public wifi unless you really need to, you just can't trust it.

These three scenarios (3rd party app stores, root/jailbreak, MiTM) are, for most normal users and even you technically savvy PSC listeners, quite unlikely. This is why my main conclusion on the podcast was that yes, it is a shame that many Android phones are behind on OS updates and security updates/patches; it would be better if they weren't, but the risk to users is low. This is because whilst the impact of an attack could be very high, the probability is low, so referring back to the impact x probability calculation, the inference is that the risk is low.

It gets more interesting when we have vulnerabilities with higher probability...
  • Stagefright (a collection of at least 8 individual vulnerabilities, each with their own CVE number) made lots of news, partly because one exploit involved simply sending an MMS to an Android device, which by default will retrieve the multimedia content referred to in the message, and then execute code and escalate privileges. You don't need to use 3rd party app stores, be rooted, or have a MiTM.
  • XcodeGhost also made lots of news, based on the potential risk. A modified version of Xcode, the development kit for Apple apps, had been distributed in the Far East, and developers were using that version instead of downloading it from Apple, because it was quicker to download from a local mirror than from Apple's servers in the USA, so the theory went. This modified Xcode was then inserting malware into apps built with the development kit. Again, no 3rd party app store required, no jailbreak required, no MiTM required.
These two issues show examples where the probability is higher, principally because the user does not need to do something silly or out of their way to make the device more vulnerable. If impact is high and probability is high, suddenly that's a big risk. However, these are the exception when you look through all the mobile-related headlines about security issues or potential for attacks.

It might be easier for me to see through the headlines because I work in IT security, but if you read some of the following headlines, they sound very serious! I've listed each one along with the source of the headlines (generally IT security companies publishing things they've found, to flex their muscles publicly or show they have great threat research capability in order to help win business from enterprise organisations) and the methodology needed, to show that there's little here to be massively worried about for 99.9% of users...
  • "87% of Android devices insecure" (link)
    • Press release for research org, most need 3rd party app stores
  • "New type of auto-rooting Android adware is nearly impossible to remove" (link)
    • Security company research, 3rd party app store
  • "Devastating Vulnerability Affects 66 Percent of Android Phones" (link)
    • Security company research, 3rd party app store
  • "Critical Vulnerability Plagues 60% of Android Devices" (link)
    • Security company research, requires root
  • "More than a Billion Snapdragon-based Android Phones Vulnerable to Hacking" (link/link)
    • Security company research, 3rd party app store
  • “Android Installer Hijacking estimated to impact 49.5 percent of all current Android users" (link)
    • Security company research, 3rd party app store
Some 'news stories' are worse than others. Take this analysis of one such news story: “Our Symantec pals wax poetic for a whopping 750 words before mentioning a teensy, weensy asterisk to all of this: The malicious app is not found on Google Play and may be downloaded from third-party app stores, forums, or torrent sites. Users who have Google Play installed are protected from this app by Verify Apps even when downloading it outside of Google Play."

Here's a tongue-in-cheek summary from a well-known blogger in the IT security industry; he's worth subscribing to on YouTube as his videos are very entertaining...

Here's a summary and some closing thoughts and recommendations for mobile and IT security:
  • Software will always have vulnerabilities, software engineering is not 100% science (unlike some other engineering disciplines)
  • Remember, enterprises (£Ms of budget) are getting successfully attacked; the attackers are very clever. However, mobile phones have a much smaller "attack surface" than enterprises with 1000s of Windows desktop PCs, so the odds are more in our favour when considering smartphones alone
  • Best practices: never re-use passwords, use a password manager if it makes it easier; never open attachments unless you need to or were 100% expecting the attachment from someone; only use 1st party app stores; always accept updates for the OS and apps; avoid public wifi where possible.
  • Don’t confuse vulnerability with exploit. This might help you wade through the nonsense and sensationalist headlines.
  • Be annoyed that Android has a big problem with getting updates to users (through OEMs, carriers and many other obstacles) but also realise that you are far more likely to be exploited through your PC or laptop through things like malvertising via Flash, ransomware via attachments
  • You're also more likely to have digital accounts compromised through the services themselves getting hacked, like LinkedIn for example. By the way, did I mention...
  • Don't re-use passwords!
  • And please uninstall Flash on all your PCs and laptops as soon as possible, thank you!