Ken Munro, partner at Pen Test Partners

Mobile device management might have progressed – but so too have the attack vectors and vulnerabilities.

It's been a couple of years since I last wrote about iPhone/iPad security. Since then, there's been significant progress in mobile device management (MDM) offerings, but also lots of new attack vectors and vulnerabilities. I have brought some of the issues that I found interesting together here, by way of an update.

Our early concerns about simple man-in-the-middle attacks over WiFi, as a result of lousy self-signed SSL certificate alerts in iOS, have been partly resolved. The SSL error presented to the user is more verbose now, and the user can inspect the certificate. However, it's easy to forge enough information in the certificate to fool most users. That can be done on the fly, using, for example, a WiFi Pineapple and Ettercap. However, using MDM, one can enforce the use of only trusted certificates, which helps prevent trivial disclosure of domain creds. That said, Accuvant Labs' Charlie Miller and others have been doing a lot of research into bypass of code and certificate signing in iOS.

I also like the fact that many MDM products can detect jailbreaking, and prevent the user from connecting to corporate services if so. Combined with enforced deployment of iOS updates, that's quite a nice offering. However, updating devices over the air can be problematic, particularly for remote workers who don't visit the office that often.

Even with MDM in place, if a jailbreak is available for the iOS and hardware version, there is the potential to capture a forensic image of the device. That's where attacks get interesting. You're usually limited to brute force against the PIN, but instead of the MDM locking out after a set number of strikes and wiping local data, you brute force the image. After, say, four attempts, you automatically reload the image and continue cracking.

The last time we tried this technique on a well-known MDM product, it took just under eight hours to brute force a four-digit PIN, after which we had access to the sensitive data ‘secured’ within it. More recently, some MDM products have started defending reasonably well against forensic attacks, though we don't believe the defences are complete yet.

If MDM isn't in place, then brute force is even easier. Again, you need a jailbreak and the ability to load a custom boot ROM onto the device. Using optimised cracking tools such as the Elcomsoft iOS Forensic Toolkit, a four-digit PIN can be cracked in as little as eight seconds.

Even without expensive tools, there are Python scripts around that aren't as quick to brute force the PIN, but still get that four-digit code done in under 20 minutes. Once cracked, you can extract wireless encryption keys for corporate wireless networks, often VPN credentials and domain credentials. One stolen device, and your whole network becomes vulnerable.

Caching of corporate data on iOS devices also presents problems. We tested a document-reviewing app for corporates, available from the App Store, a couple of weeks ago. Cached documents could be shared locally from the device over WiFi by the user. One click by the user, and a web server was started, accessible over wireless, with no authentication. Worse, that web server was vulnerable to the ../../ method of directory traversal, allowing access to the iPad file system, device password hashes, etc. How old school – clearly one shouldn't trust everything in the App Store.
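As an added illustration (not code from the article or from the app we tested), here is the containment check that a local document-sharing server of this kind needs, in Python: a naive resolver that simply joins the requested path onto the share root, beside a hardened one that decodes the request, normalises it and refuses anything that resolves outside the root. The share root path is a constructed placeholder.

```python
import posixpath
from urllib.parse import unquote

# Constructed placeholder for the app's shared-documents folder (not a real path).
SHARE_ROOT = "/var/mobile/Containers/Data/Application/APP-ID/Documents"


def resolve_naive(share_root, requested):
    """Vulnerable: joins the URL path onto the root and trusts the result.

    '../' segments are collapsed by normpath, so a request such as
    '../../../../../../../etc/passwd' walks out of the share folder.
    """
    requested = unquote(requested).lstrip("/")
    return posixpath.normpath(posixpath.join(share_root, requested))


def resolve_safe(share_root, requested):
    """Hardened: resolve the path, then refuse anything outside share_root.

    Returns the resolved path to serve, or None if the request must be
    rejected. Decoding happens before the check so '%2e%2e' cannot slip
    past it. A real server should additionally resolve symlinks
    (os.path.realpath) on both sides before comparing.
    """
    root = posixpath.normpath(share_root)
    requested = unquote(requested).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # Compare with a trailing separator so '/Documents-private' does not
    # pass as a child of '/Documents'.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, two traversal attempts.
    for req in ("report.pdf", "../../../../../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r}: naive -> {resolve_naive(SHARE_ROOT, req)}, "
              f"safe -> {resolve_safe(SHARE_ROOT, req)}")
```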

I support the concept of mobile device management offerings. However, they don't remove the need for basic security sense. PIN codes need to be long, or they will be cracked. You will no doubt get resistance from executives and others if you enforce long, complex passwords on a mobile device. But at the very least, make it eight numbers.

You don't allow four-digit PINs on your corporate laptops. I'll bet you have full disk encryption and robust domain policies on them too. So why is a mobile device much different nowadays, given the data stored on them, and the access they have to corporate systems?