Inspired by a True Story
The 2017 RSA Conference offered great opportunities, as usual, for the NCCoE staff to learn from the cyber community and engage with industry. The conference supported an entire track of mobile security talks, and common themes included the intersection of mobile security/IoT, and the (lack) of privacy within mobile ecosystems. As the NCCoE continues its work in mobile device security, we were excited to see mobile security gaining more traction at the RSA Conference.
If you’ve been to the RSA Conference, you know there are often multiple simultaneous sessions. Although we heard great things about the other mobile security/IoT presentations, we attended two mobility presentations – both of which emphasized the continuously changing nature of the mobile threat landscape.
One presentation, given by Max Bazaliy and Andrew Blaich of Lookout Technologies, focused on the Pegasus attack. A detailed rundown of Pegasus can be found on the Lookout blog, but the short story is that Pegasus was an extremely sophisticated attack that combined technical prowess and social engineering. Delivered via an innocuous text message, the attack linked together multiple zero-day exploits in iOS to exfiltrate personal data and obtain complete control of an iOS device. Even applications that used strong, end-to-end encryption were vulnerable to this attack, which was able to inject itself in-between the OS and applications.
The Pegasus attack reminded us of the work we’ve done on the Mobile Threat Catalogue – which describes, identifies, and structures the threats posed to mobile information systems. We outlined three related threats and potential countermeasures to thwart such attacks. One such countermeasure mentions the use of Enterprise Mobility Management (EMM) systems, which would be a traditional approach of defense. However, as we’ll talk about in the next paragraph, mobile OS enhancements are changing the landscape for security tools.
On the defensive side of things, the second presentation focused on Android and iOS security enhancements that may hinder security tools from detecting threats. For example, newer versions of iOS now restrict the backups of application binaries on the device, making analysis difficult. Andrew Hoog of NowSecure made a great point that while OS hardening is on the whole great progress, it also limits visibility into the device, which organizations need to detect anomalies and to defend against potential zero days such as the aforementioned Pegasus attack.
What can organizations do to defend themselves against these evolving threats while staying within the bounds of changing device restrictions? A holistic view of mobile security is necessary. The NCCoE's Mobile Device Security project aims to help organizations protect their data; in phase two of the project, we are also taking into account privacy concerns of mobile device users.
The project will demonstrate the integration of Enterprise Mobility Management (EMM), threat intelligence, and application vetting technologies, among other technological capabilities. We are currently signing Cooperative Research and Development Agreements (CRADAs) with technology companies that have responded to the Federal Register Notice (FRN).
Are you a mobile security technology vendor? If you are interested in participating in this project, which will result in a reference design and lab implementation of enterprise mobile device security, we’d like to hear from you.
Did you attend the RSA Conference and catch any mobile security sessions? What did you hear at the conference that was compelling? We’d like to hear from you. Industry members with an interest in mobile security can join our community of interest or contribute to the Mobile Threat Catalogue to help us shape the project as we move forward.