Penetration Testing mailing list archives
Re: IT Audits/PT's of Smartphones
From: Marco Ivaldi <raptor () mediaservice net>
Date: Sun, 4 Sep 2011 23:10:37 +0200 (Western Europe Daylight Time)
Hi, I apologize for the late reply, I was on vacation.

On Wed, 3 Aug 2011, cribbar wrote:

> Hi, may I ask - does there exist a (if at all possible - free) vulnerability scanner specific to smartphones, namely BlackBerries/iPhones (various models/versions of each)?
You stumbled upon a typical example of an attack vector that cannot be tested using automated vulnerability scanners. Actually, no attack vector can be thoroughly tested just by means of automated scanning, but this is another story ;)

> Aside from encryption on the device itself, if you have audited or pen tested for a client their smartphone/smartphone infrastructure - are there any common security/management issues you find with them, or any good benchmarks you use to assess the phone itself?
I can contribute some issues typically found within BlackBerry Enterprise infrastructures.
Before I start, it's important to clarify that the BlackBerry Enterprise platform itself provides comprehensive granular control over the handhelds and can be configured to enable a degree of protection suitable for most environments. That said, in my experience as a Security Analyst I've verified that most deployments are actually configured in an insecure way and are therefore vulnerable to many attacks, such as:
- Malware infection: arbitrary software can usually be installed on handhelds, opening a broad attack surface (think of spear phishing, worms, spyware, etc.).
- Remote access to the corporate network: most of the time admins don't bother to separate the different BES components on different servers and fail to apply proper ACLs to prevent attacks originating from the BES itself.
- Insufficient handheld protection: most of the time, handheld passwords are not present or their robustness is not properly enforced.
- Access to the underlying operating system of BES, due to server misconfiguration. Look for the usual suspects: predictable credentials (hint: especially SQL Server passwords!), Active Directory flaws, software vulnerabilities, configuration mistakes, and so on.
- Theft of traffic logs: logging of all phone calls and MDS connections is enabled by default and logs are stored unencrypted on the BES disk.
- SSL attacks, mainly on poorly written applications (e.g. those that do not properly check certificate validity).
- Wireless attacks, including some against WPA Enterprise PEAP-MSCHAPv2.

Bottom line: mobile devices always connected to the corporate network represent a huge opportunity for a remote attacker and therefore their presence should not be overlooked while assessing the security posture of an organization.
I hope this helps!

Cheers,

--
------------------------------------------------------------------
Marco Ivaldi OPSA, OPST, OWSE
Senior Security Advisor @ Mediaservice.net Srl
Tel: +39-011-32.72.100
Via San Bernardino, 17
Fax: +39-011-32.46.497
10141 Torino - ITALY
http://www.mediaservice.net/
------------------------------------------------------------------
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------