Next time you are sitting in a coffee shop, waiting for that flight or riding the office elevator using your mobile device, consider this; how secure is that mobile device? Could it be possible that your mobile device is spying on you?
Sense of Security, an information and security risk management consulting company, recently posed this question by undertaking a research project to determine if an attack against an individual’s mobile device is both plausible and feasible. As it turned out, the answer is a resounding yes on both counts - and with alarming simplicity, ease and cost effectiveness!
There is nothing complicated about this research project or its execution. The aim was to place an application onto a device and then use the voice recorder and GPS functions of the device to spy on its owner – by remotely instructing the application where and when to record and how long for. The security implications could include: corporate espionage; insider trading; financial gain; political gain; competitive and strategic advantage.
With the huge global uptake of mobile devices has come another global phenomenon; the personal attachment of individuals to their mobile devices. People neither switch them off nor will allow themselves to be separated from what has arguably become their link to their lives. Are we dealing with a mobile device separation anxiety epidemic? One fact remains, exposure and therefore opportunity to exploit by the cyber-criminal is at an all-time high.
Our research delves into the possibility and plausibility of spying on an Android device owner. In summary the Android platform was selected for the following reasons:
- The volume and rapid uptake of Android devices in the market;
- Market fragmentation;
- Google Play vetting controls;
- The open platform of the Android operating system;
- The lag for software updates.
The proof of concept
The following describes our attack scenario:
Once a target has been identified one needs to identify their mobile device. This can be achieved physically or remotely. For example a target can be tricked into browsing the attacker’s website. The attacker can then determine the target’s device by way of the information shared between the target’s mobile device and the web server.
Similarly installing an application on a mobile device can be done physically or remotely. If the device has been acquired physically and has no password installed then installing an application can be somewhat elementary. If the target phone has a password/passcode the next approach is passcode guessing. Interestingly passcodes do demonstrate certain common trends. One recent study revealed “15 per cent of all passcodes sets are represented by only 10 different passcodes”.
If one does not have physical access, remote acquisition may be achieved by one of the following:
- Google play. By compromising the target’s Gmail account the attacker will then be able to push an application to the mobile device.
- Spear phishing, whereby a spoofed email together with an appealing application (spying application embedded) is sent to the target from a purported trusted source tricking the target into downloading the application from the marketplace.
- Drive by Download, where acquisition may be possible by getting the target to click on a link where the application is hosted on an attacker’s server.
Our research team wrote a Proof of Concept (PoC) Triggered Voice Recorder application for the specific purpose to act as a GPS triggered voice recorder. The application is less than 600 lines of code and is designed to poll a server and download commands describing the location of where to activate the inbuilt voice recorder. The application was written to run in the background and not require user interaction with the device owner.
To ensure that the application was accepted by the marketplace we needed to confirm that it could be concealed through another host application. We nominated a demonstration application as the host (Notepad), renamed it and published it to market via Google play. Since this was a demonstration application the vetting process was successful and the application was published in eight (8) hours. The host application was then repackaged by injecting the Triggered Voice Recorder code into the application and then republished under the same name.
The application was then downloaded on the target Android device. The GPS coordinates and recording duration were configured on the “attack” server. The PoC application then polls the attack server for instruction and activates the recorder at a prescribed location. Conversations are recorded and the recording file is sent to the attacker’s server, all transparent to the user.
Mitigating controls
As organisations are becoming increasingly mobile, IT departments have to balance their users need to stay connected with maintaining mobile device security and the protection of corporate data. Ensuring security for enterprise mobility now has to extend beyond just the security of laptop devices. Accordingly, organisations are now looking to Mobile Device Management (MDM) platforms to manage their fleet of mobile devices.
There are a few core components to mobile device security. These components are hardware encryption, remote wiping and the ability to set a passcode policy. While MDM platforms have a number of features that can be configured to improve the security of mobile devices, not all of these will address the attack scenario exhibited in this article (which is to get an application onto a device and then use the functions of the device to spy on its owner). In this case the data on the device is not compromised – so encrypting the device is irrelevant. Similarly, the ability to remote wipe the device will not address the issue “after the fact”.
A strong passcode policy may improve security and make physical acquisition of the device a lot harder – but it won’t address remote acquisition techniques. A significant advantage of some MDM platforms is the ability to whitelist applications. This feature ensures only specific approved applications can be installed on the mobile device which greatly reduces the end user (or an attacker’s) ability to install malicious or unwanted applications.
Conclusion
There is no doubt that as mobility solutions are increasingly adopted and the world becomes a more interconnected place, our reliance on these “tools of the trade” will ultimately lead to increased exposure and risk.
This research has demonstrated the degree to which all mobile device users, including corporate executives, are exposed to the very real possibility of becoming a victim of a targeted attack. It is therefore incumbent on security and risk managers to exercise ‘due care’ in understanding the risks and issues with mobility and to implement reasonable controls to address those risks.
The supporting whitepaper to this article can be located at: http://www.senseofsecurity.com.au/research/it-security-articles.
Sense of Security can be contacted by:
Web: www.senseofsecurity.com.au
Email: info@senseofsecurity.com.au
Phone: 1300 922 923