Penetration Testing mailing list archives

Re: IT Audits/PT's of Smartphones


From: Marco Ivaldi <raptor () mediaservice net>
Date: Sun, 4 Sep 2011 23:10:37 +0200 (ora legale Europa occidentale)

Hi,

I apologize for the late reply, I was on vacation.

On Wed, 3 Aug 2011, cribbar wrote:

> Hi
>
> May I ask - does there exist a (if at all possible - free) vulnerability scanner specific to smartphones, namely blackberries/iPhones (various models/versions of each)?

You stumbled upon a typical example of an attack vector that cannot be tested using automated vulnerability scanners. Actually, no attack vectors can be thoroughly tested just by means of automated scanning, but this is another story ;)

> Aside from encryption on the device itself, if you have audited or pen tested for a client their smartphone/smartphone infrastructure - are there any common security/management issues you find with them, or any good benchmarks you use to assess the phone itself?

I can contribute some issues typically found within BlackBerry Enterprise infrastructures.

Before I start, it's important to clarify that the BlackBerry Enterprise platform itself provides comprehensive granular control over the handhelds and can be configured to enable a degree of protection suitable for most environments. That said, in my experience as a Security Analyst I've verified that most deployments are actually configured in an insecure way and are therefore vulnerable to many attacks, such as:

- Malware infection: arbitrary software can usually be installed on
  handhelds, opening a broad attack surface (think of spear phishing,
  worms, spyware, etc.).
- Remote access to the corporate network: most of the time admins don't
  bother to separate the different BES components on different servers
  and fail to apply proper ACLs to prevent attacks generating from the
  BES itself.
- Insufficient handheld protection: most of the time, handheld passwords
  are not present or their robustness is not properly enforced.
- Access to the underlying operating system of BES, due to server
  misconfiguration. Look for the usual suspects: predictable credentials
  (hint: especially SQL Server passwords!), Active Directory flaws,
  software vulnerabilities, configuration mistakes, and so on.
- Theft of traffic logs: logging of all phone calls and MDS connections is
  enabled by default and logs are stored unencrypted on BES disk.
- SSL attacks, mainly on poorly written applications (e.g. that do not
  properly check certificate validity).
- Wireless attacks, including some against WPA Enterprise PEAP-MSCHAPv2.

Bottom line: mobile devices always connected to the corporate network represent a huge opportunity for a remote attacker and therefore their presence should not be overlooked while assessing the security posture of an organization.

I hope this helps! Cheers,

--
------------------------------------------------------------------
Marco Ivaldi                          OPSA, OPST, OWSE
Senior Security Advisor
@ Mediaservice.net Srl                Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://www.mediaservice.net/
------------------------------------------------------------------
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc

