Lesson 13 Flashcards
Mobile Device Deployment Models
- Bring your own device (BYOD)
- Corporate owned, business only (COBO)
- Corporate owned, personally-enabled (COPE)
- Choose your own device (CYOD)
- Virtual desktop infrastructure (VDI)
BYOD
•Bring your own device (BYOD)
COBO
•Corporate owned, business only (COBO)
CYOD
•Choose your own device (CYOD)
VDI
•Virtual desktop infrastructure (VDI)
EMM
Enterprise mobility management (EMM) is a class of management software designed
to apply security policies to the use of mobile devices and apps in the enterprise. The
challenge of identifying and managing attached devices is often referred to as visibility.
EMM software can be used to manage enterprise-owned devices as well as BYOD.
There are two main functions of an EMM product suite:
• Mobile device management (MDM)—sets device policies for authentication,
feature use (camera and microphone), and connectivity. MDM can also allow device
resets and remote wipes.
• Mobile application management (MAM)—sets policies for apps that can process
corporate data, and prevents data transfer to personal apps. This type of solution
configures an enterprise-managed container or workspace.
Visibility
The challenge of identifying and managing attached devices is often referred to as visibility.
EMM software can be used to manage enterprise-owned devices as well as BYOD.
Mobile device management (MDM)
sets device policies for authentication,
feature use (camera and microphone), and connectivity. MDM can also allow device
resets and remote wipes.
Mobile application management (MAM)
sets policies for apps that can process
corporate data, and prevents data transfer to personal apps. This type of solution
configures an enterprise-managed container or workspace.
Unified endpoint management (UEM)
Additionally, distinguishing whether client endpoints are mobile or fixed is not really
a critical factor for many of these management tasks, with the consequence that
the latest suites aim for visibility across PC, laptop, smartphone, tablet, and even IoT
devices. These suites are called unified endpoint management (UEM) (redmondmag.com/Articles/2017/10/01/Unified-Endpoint-Management.aspx).
The core functionality of endpoint management suites extends the concept of
network access control (NAC) solutions. The management software logs the use of a
device on the network and determines whether to allow it to connect or not, based
on administrator-set parameters. When the device is enrolled with the management
software, it can be configured with policies to allow or restrict use of apps, corporate
data, and built-in functions, such as a video camera or microphone.
Device Enrollment Program, Volume Purchase Program and Developer Enterprise Program
Corporate control over iOS devices and distribution of corporate and B2B (business-to-business)
apps is facilitated by participating in the Device Enrollment Program, the Volume Purchase Program, and the Developer Enterprise Program.
iOS risks
There remains the risk that a vulnerability in either iOS or an app
could be discovered and exploited. In this event, users would need to update iOS or the
app to a version that mitigates the exploit.
SEAndroid
(source.android.com/security/selinux) uses mandatory access control (MAC) policies to
run apps in sandboxes. When the app is installed, access is granted (or not) to specific
shared features, such as contact details, SMS texting, and email.
Mobile Access Control Systems
Smartphone authentication •Password •PIN •Swipe pattern •Biometric
Screen lock
Context-aware authentication
Context-Aware Authentication
It is also important to consider newer authentication models, such as context-aware
authentication. For example, smartphones now allow users to disable screen locks
when the device detects that it is in a trusted location, such as the home. Conversely,
an enterprise may seek more stringent access controls to prevent misuse of a device.
For example, even if the device has been unlocked, accessing a corporate workspace
might require the user to authenticate again. It might also check whether the network
connection can be trusted (that it is not an open Wi-Fi hotspot, for instance).
Remote wipe
- “Kill switch”
- Sets device to factory defaults or clears storage (or storage segment)
- Initiated from enterprise management software
- Thief might be able to keep the device from receiving the wipe command (for example, by removing the SIM or shielding the device from any network), so the wipe should be backed by full device encryption and a strong screen lock
MicroSD HSM
MicroSD HSM is a small form factor hardware security module designed to store
cryptographic keys securely. This allows the cryptographic material to be used with
different devices, such as a laptop and smartphone.
Full Device Encryption and External Media
iOS device encryption
•Secure erase encryption
•Data protection
Android device encryption
•From version 10, only uses file-level encryption of user data
External media
MicroSD HSM
Geolocation
Geolocation is the use of network attributes to identify (or estimate) the physical
position of a device. The device uses location services to determine its current position.
Location services can make use of two systems:
• Global Positioning System (GPS)—a means of determining the device’s latitude and
longitude based on information received from satellites via a GPS sensor.
• Indoor Positioning System (IPS)—works out a device’s location by triangulating
its proximity to other radio sources, such as cell towers, Wi-Fi access points, and
Bluetooth/RFID beacons.
GPS vs IPS
• Global Positioning System (GPS)—a means of determining the device’s latitude and
longitude based on information received from satellites via a GPS sensor.
• Indoor Positioning System (IPS)—works out a device’s location by triangulating
its proximity to other radio sources, such as cell towers, Wi-Fi access points, and
Bluetooth/RFID beacons.
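The "triangulating" in the IPS card is, strictly, trilateration: the device knows the positions of nearby access points or beacons, estimates its distance to each from signal strength, and solves for the one point consistent with all of those distances. The following is an added example written for this page (it is not code from the Security+ guide or from any location-services vendor); the beacon positions, the path-loss constants and the RSSI readings are constructed values, and real indoor fixes are far noisier than this clean input.

```python
"""Indoor positioning by trilateration from radio sources with known positions.

Added example, not from the Security+ guide. Beacon coordinates, the
path-loss model parameters and the sample readings are constructed.
"""
import math

# Log-distance path-loss model: rssi(d) = RSSI_AT_1M - 10 * n * log10(d).
# RSSI_AT_1M is the strength measured 1 m from the source and n the path-loss
# exponent (about 2 in free space, 3-4 indoors). Both are assumed values.
RSSI_AT_1M = -40.0
PATH_LOSS_EXPONENT = 3.0


def distance_to_rssi(d, rssi_1m=RSSI_AT_1M, n=PATH_LOSS_EXPONENT):
    """Signal strength (dBm) expected at distance d metres from the source."""
    return rssi_1m - 10 * n * math.log10(d)


def rssi_to_distance(rssi, rssi_1m=RSSI_AT_1M, n=PATH_LOSS_EXPONENT):
    """Invert the path-loss model to estimate distance in metres."""
    return 10 ** ((rssi_1m - rssi) / (10 * n))


def trilaterate(beacons):
    """Estimate (x, y) from three or more beacons given as ((x_i, y_i), d_i).

    Each beacon defines a circle (x - x_i)^2 + (y - y_i)^2 = d_i^2. Subtracting
    the first beacon's circle from each of the others cancels the quadratic
    terms and leaves linear rows 2(x_i - x_0) x + 2(y_i - y_0) y = b_i, which
    are solved in the least-squares sense via the 2x2 normal equations.
    """
    if len(beacons) < 3:
        raise ValueError("at least three beacons are needed for a 2-D fix")
    (x0, y0), d0 = beacons[0]
    rows = []
    for (xi, yi), di in beacons[1:]:
        a1 = 2 * (xi - x0)
        a2 = 2 * (yi - y0)
        b = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        rows.append((a1, a2, b))
    # Normal equations (A^T A) p = A^T b, solved with Cramer's rule.
    s11 = sum(a1 * a1 for a1, _, _ in rows)
    s12 = sum(a1 * a2 for a1, a2, _ in rows)
    s22 = sum(a2 * a2 for _, a2, _ in rows)
    t1 = sum(a1 * b for a1, _, b in rows)
    t2 = sum(a2 * b for _, a2, b in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        raise ValueError("beacons are collinear; the position is ambiguous")
    x = (s22 * t1 - s12 * t2) / det
    y = (s11 * t2 - s12 * t1) / det
    return x, y


def locate_from_rssi(observations):
    """observations: list of ((x, y), rssi_dbm) for sources with known positions."""
    return trilaterate([(pos, rssi_to_distance(rssi)) for pos, rssi in observations])


if __name__ == "__main__":
    # Constructed: four access points at the corners of a 10 m square, readings
    # generated for a device standing at (3, 4).
    aps = [((0.0, 0.0), distance_to_rssi(5.0)),
           ((10.0, 0.0), distance_to_rssi(65 ** 0.5)),
           ((0.0, 10.0), distance_to_rssi(45 ** 0.5)),
           ((10.0, 10.0), distance_to_rssi(85 ** 0.5))]
    print("estimated position:", locate_from_rssi(aps))
```

With more than three sources the system is overdetermined and the least-squares solve averages out some of the RSSI noise, which is why real IPS implementations use every beacon they can hear. Note that none of this is authenticated: anyone can broadcast a Wi-Fi or Bluetooth beacon with a stolen identifier, so an IPS fix is a convenience input, not something a geofence or access policy should trust on its own.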
Primary concern for geolocation
privacy
Geofencing
Geofencing to apply location-based policies automatically
•Disable on-board camera/video through MDM/EMM controls
Geofencing is the practice of creating a virtual boundary based on real-world
geography. Geofencing can be a useful tool with respect to controlling the use of
camera or video functions or applying context-aware authentication. An organization
may use geofencing to create a perimeter around its office property, and subsequently,
limit the functionality of any devices that exceed this boundary. An unlocked
smartphone could be locked and forced to re-authenticate when entering the
premises, and the camera and microphone could be disabled. The device’s position is
obtained from location services.
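Both the context-aware authentication card and the geofencing card above describe the same kind of policy decision: the device's current context (location, network, lock state, time since the last workspace login) is evaluated against rules before the corporate workspace opens or a built-in function is enabled. The following is an added example written for this page, not code from the Security+ guide or any EMM vendor; the office coordinates, trusted SSID, time thresholds and sample device contexts are constructed values. It also covers a caveat the guide raises later, that GPS can be jammed or spoofed: a stale fix or a physically impossible jump is treated as "location unknown" rather than trusted.

```python
"""Context-aware authentication and geofencing for a corporate workspace.

Added example, not from the Security+ guide and not any EMM vendor's policy
engine. Office coordinates, trusted SSIDs, thresholds and sample contexts
are constructed/assumed values.
"""
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat, lon):
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


@dataclass
class DeviceContext:
    lat: float
    lon: float
    fix_age_s: float                 # seconds since the location fix was taken
    speed_since_last_fix_mps: float  # speed implied by the move from the previous fix
    ssid: Optional[str]
    wifi_auth: Optional[str]         # "WPA3-Enterprise", "WPA2-PSK", "open", None (cellular)
    screen_unlocked: bool
    workspace_auth_age_s: float      # seconds since the user last authenticated to the workspace


# Assumed policy parameters (constructed values).
OFFICE = Geofence("HQ", 51.5007, -0.1246, radius_m=150)
TRUSTED_SSIDS = {"corp-secure"}
TRUSTED_WIFI_AUTH = {"WPA3-Enterprise", "WPA2-Enterprise"}
MAX_FIX_AGE_S = 120
MAX_PLAUSIBLE_SPEED_MPS = 70.0   # an implied jump faster than this looks like GPS spoofing
REAUTH_AFTER_S = 15 * 60


def location_trustworthy(ctx):
    """A stale fix or an impossible jump counts as 'location unknown': GPS can
    be jammed or spoofed, so a geofence must never be the only control."""
    return (ctx.fix_age_s <= MAX_FIX_AGE_S
            and ctx.speed_since_last_fix_mps <= MAX_PLAUSIBLE_SPEED_MPS)


def evaluate(ctx):
    """Decide whether the corporate workspace may open.

    Returns ("allow" | "reauth" | "deny", set of built-in functions to disable).
    """
    restrictions = set()
    if not ctx.screen_unlocked:
        return "deny", restrictions
    if ctx.wifi_auth == "open":
        return "deny", restrictions       # never expose the workspace over an open hotspot
    on_trusted_net = ctx.ssid in TRUSTED_SSIDS and ctx.wifi_auth in TRUSTED_WIFI_AUTH
    on_site = location_trustworthy(ctx) and OFFICE.contains(ctx.lat, ctx.lon)
    if on_site:
        restrictions.update({"camera", "microphone"})   # geofence policy inside the premises
    # Unlocking the phone is not enough: the workspace keeps its own timer, and the
    # window is shortened when neither the network nor the location can be vouched for.
    window = REAUTH_AFTER_S if (on_trusted_net and on_site) else REAUTH_AFTER_S // 3
    if ctx.workspace_auth_age_s > window:
        return "reauth", restrictions
    return "allow", restrictions


if __name__ == "__main__":
    at_desk = DeviceContext(51.5010, -0.1240, 10, 1.0, "corp-secure", "WPA3-Enterprise", True, 60)
    print(evaluate(at_desk))
```

The spoofing check is deliberately coarse (a reported position that would have required 500 m/s since the last fix is simply disbelieved); a production agent would also prefer the platform's mock-location and attestation signals where available.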
GPS tagging
GPS tagging is the process of adding geographical identification metadata, such
- Risks to personal information
- Track movements (assist social engineering)
Mobile app management
- MDM/EMM application use policies
- Corporate workspaces
- Restricting third-party app stores
- Enterprise app development and fulfillment
- Sideloading
corporate workspaces
When a device is joined to the corporate network through enrollment with
management software, it can be configured into an enterprise workspace mode in
which only a certain number of authorized applications can run. (Apple uses Apple Business Manager.)
sideloading
Unlike iOS, Android allows for selection of different stores and installation of untrusted
apps from any third party, if this option is enabled by the user. With unknown sources
enabled, untrusted apps can be downloaded from a website and installed using the
.apk file format. This is referred to as sideloading.
Conversely, a management suite might be used to prevent the use of third-party stores
or sideloading and block unapproved app sources.
Content management
- Privately owned but corporate use issues
- Data ownership
- Privacy
- Containerization sets up a corporate workspace segmented from the employee’s private apps and data
- Storage segmentation ensures separation of data
- Enforcing content management/DLP policies
containerization
•Containerization sets up a corporate workspace segmented from the employee’s private apps and data
•Enforcing content management/DLP policies
Containerization also assists content management and data loss prevention (DLP)
systems. A content management system tags corporate or confidential data and
prevents it from being shared or copied to unauthorized external media or channels,
such as non-corporate email systems or cloud storage services.
rooting and jailbreaking
Rooting
•Principally Android
•Custom firmware/ROM
Jailbreaking
•Principally iOS
•Patched kernel
•Tethered jailbreak
Carrier unlocking - unlocking the restr
Risks to enterprise management
carrier unlocking
Carrier unlocking—for either iOS or Android, this means removing the restrictions
that lock a device to a single carrier.
Rooting and jailbreaking risks to enterprise management
If the user has applied a custom firmware image, they could have removed the
protections that enforce segmentation. The device can no longer be assumed to run a
trusted OS.
EMM/UEM has routines to detect a rooted or jailbroken device or custom firmware with
no valid developer code signature and prevent access to an enterprise app, network,
or workspace. Containerization and enterprise workspaces can use cryptography to
protect the workspace in a way that is much harder to compromise than a local agent,
even from a rooted/jailbroken device.
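The "routines to detect a rooted or jailbroken device or custom firmware" mentioned above are mostly heuristics run by the EMM agent: checking Android's verified-boot and build properties and looking for well-known root or jailbreak artefacts on the filesystem. The following is an added example written for this page, not any EMM vendor's detection code; the property names and paths are the standard ones, but the device reports are constructed test inputs, and an agent on a rooted device can be lied to, which is why hardware-backed attestation is preferred where available.

```python
"""Root/jailbreak indicators as an EMM agent might collect and score them.

Added example, not vendor code. Property names (Android system properties)
and paths (SuperSU, Magisk, Cydia, Sileo) are the well-known ones; the
DeviceReport inputs are constructed for illustration.
"""
from dataclasses import dataclass, field

# Well-known artefacts of rooting (Android) and jailbreaking (iOS).
ANDROID_ROOT_PATHS = (
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/system/app/Superuser.apk", "/sbin/.magisk", "/data/adb/magisk",
)
IOS_JAILBREAK_PATHS = (
    "/Applications/Cydia.app", "/Applications/Sileo.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/usr/sbin/sshd", "/etc/apt", "/private/var/lib/apt",
)


@dataclass
class DeviceReport:
    platform: str                                 # "android" or "ios"
    files: set = field(default_factory=set)       # paths the agent could stat()
    props: dict = field(default_factory=dict)     # Android system properties (getprop)
    sandbox_escape: bool = False                  # iOS: app could write outside its container


def assess(report):
    """Return (verdict, reasons); verdict is "trusted", "suspect" or "compromised".

    Hard failures (unverified or custom OS, unlocked bootloader, root/jailbreak
    artefacts) block access outright; softer signals only mark the device suspect.
    """
    hard, soft = [], []
    if report.platform == "android":
        state = report.props.get("ro.boot.verifiedbootstate")
        if state in ("orange", "red"):
            hard.append(f"verified boot state is {state} (bootloader unlocked or OS failed verification)")
        elif state == "yellow":
            soft.append("verified boot state is yellow (OS signed with a non-OEM key)")
        if report.props.get("ro.build.tags") == "test-keys":
            hard.append("build signed with test-keys: custom firmware")
        if report.props.get("ro.boot.flash.locked") == "0":
            hard.append("bootloader reports unlocked")
        if report.props.get("ro.debuggable") == "1":
            soft.append("ro.debuggable=1 (userdebug/eng build)")
        found = sorted(p for p in ANDROID_ROOT_PATHS if p in report.files)
        if found:
            hard.append("root artefacts present: " + ", ".join(found))
    elif report.platform == "ios":
        found = sorted(p for p in IOS_JAILBREAK_PATHS if p in report.files)
        if found:
            hard.append("jailbreak artefacts present: " + ", ".join(found))
        if report.sandbox_escape:
            hard.append("app sandbox could be escaped")
    else:
        raise ValueError(f"unknown platform {report.platform!r}")

    if hard:
        return "compromised", hard + soft
    if soft:
        return "suspect", soft
    return "trusted", []


if __name__ == "__main__":
    # Constructed report of a phone with Magisk installed on an unlocked bootloader.
    rooted = DeviceReport("android", files={"/sbin/.magisk"},
                          props={"ro.boot.verifiedbootstate": "orange",
                                 "ro.build.tags": "release-keys"})
    print(assess(rooted))
```

These checks run on the device itself, so a capable user (or Magisk's own hiding features) can defeat them; treat a "trusted" verdict from an on-device agent as a weaker signal than a hardware-backed attestation result, and pair it with the cryptographic workspace protection described above.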
Cellular
- Disable cellular data if unmonitored or unfiltered
- Prevent use for data exfiltration
- Attacks on cellular connections
Attacks on cellular connections
There have been attacks and successful exploits against the major infrastructure
and protocols underpinning the telecoms network, notably the SS7 hack. There is little that either companies or
individuals can do about these weaknesses. The attacks require a high degree of
sophistication and are relatively uncommon.
GPS
GPS signals can be jammed or even spoofed using specialist radio equipment. This
might be used to defeat geofencing mechanisms, for instance.
A-GPS
As this triangulation process can be slow, most
smartphones use Assisted GPS (A-GPS) to obtain coordinates from the nearest cell
tower and adjust for the device’s position relative to the tower. A-GPS uses cellular
data.
Risks from Wi-Fi
•Legacy security methods
•Open access points
•Rogue access points
Mobile devices usually default to using a Wi-Fi connection for data, if present. If the
user establishes a connection to a corporate network using strong WPA3 security,
there is a fairly low risk of eavesdropping or man-in-the-middle attacks. The risks from
Wi-Fi come from users connecting to open access points or possibly a rogue access
point imitating a corporate network. These allow the access point owner to launch any
number of attacks, even potentially compromising sessions with secure servers (using
a DNS spoofing attack, for instance).
Personal Area Network (PAN) technologies
(not hotspot) Personal area networks (PANs) enable connectivity between a mobile device and
peripherals.
Ad hoc (or peer-to-peer) networks between mobile devices or between
mobile devices and other computing devices can also be established. In terms of
corporate security, these peer-to-peer functions should generally be disabled. It might
be possible for an attacker to exploit a misconfigured device and obtain a bridged
connection to the corporate network.
Wi-Fi Direct
•Ad hoc networks
•Soft access point
•Wireless mesh networking
Wi-Fi Direct allows one-to-one connections between stations, though in this case one
of the devices actually functions as a soft access point. Wi-Fi Direct depends on Wi-Fi
Protected Setup (WPS), which has many vulnerabilities. Android supports operating as
a Wi-Fi Direct AP, but iOS uses a proprietary multipeer connectivity framework. You can
connect an iOS device to another device running a Wi-Fi Direct soft AP, however.
Ad hoc network
Wireless stations can establish peer-to-peer connections with one another, rather than
using an access point. This can also be called an ad hoc network, meaning that
the network is not made permanently available.
Tethering and hotspots
you know this
Bluetooth
Bluetooth is one of the most popular technologies for implementing PANs. While native
Bluetooth has fairly low data rates, it can be used to pair with another device and then
use a Wi-Fi link for data transfer. This sort of connectivity is implemented by iOS’s
AirDrop feature.
Bluetooth device discovery
Device discovery—a device can be put into discoverable mode, meaning that it advertises
itself and will accept pairing requests from any other Bluetooth device nearby. Unfortunately,
even a device in non-discoverable mode is quite easy to detect.
Authentication and authorization (Bluetooth)
Bluetooth devices authenticate ("pair") using a simple passkey configured on both devices. This should always be changed to some secure phrase and never left as the default. Also, check the device's pairing list regularly to confirm that the devices listed are valid.
Malware (bluetooth)
there are proof-of-concept Bluetooth worms and application exploits,
most notably the BlueBorne exploit (armis.com/blueborne), which can compromise
any active and unpatched system regardless of whether discovery is enabled
and without requiring any user intervention. There are also vulnerabilities in
the authentication schemes of many devices. Keep devices updated with the
latest firmware.
Bluetooth security issues
- Device discovery
- Authentication and authorization
- Malware and exploits
Bluejacking
Unless some sort of authentication is configured, a discoverable device is vulnerable to
bluejacking, a sort of spam where someone sends you an unsolicited text (or picture/
video) message or vCard (contact details). This can also be a vector for malware,
as demonstrated by the Obad Android Trojan malware.
Bluesnarfing
refers to using an exploit in Bluetooth to steal information from someone else’s phone
Bluetooth (peripheral devices)
Other significant risks come from the device being connected to. A peripheral device
with malicious firmware can be used to launch highly effective attacks. This type of
risk has a low likelihood, as the resources required to craft such malicious peripherals
are demanding.
Infrared
Infrared signaling has been used for PAN in the past (IrDA), but the use of infrared in
modern smartphones and wearable technology focuses on two other uses:
• IR blaster—this allows the device to interact with an IR receiver and operate a device
such as a TV or HVAC monitor as though it were the remote control handset.
• IR sensor—these are used as proximity sensors (to detect when a smartphone is
being held to the ear, for instance) and to measure health information (such as
heart rate and blood oxygen levels).
IR blaster vs IR sensor
• IR blaster—this allows the device to interact with an IR receiver and operate a device
such as a TV or HVAC monitor as though it were the remote control handset.
• IR sensor—these are used as proximity sensors (to detect when a smartphone is
being held to the ear, for instance) and to measure health information (such as
heart rate and blood oxygen levels).
Radio Frequency ID (RFID)
Radio Frequency ID (RFID)
- (Usually) unpowered tags
- Transmit when in range of reader
- Skimming attack
- Encrypt sensitive information
RFID is a means of encoding information into passive tags,
which can be easily attached to devices, structures, clothing, or almost anything else. A
passive tag can have a range from a few centimeters to a few meters. When a reader
is within range of the tag, it produces an electromagnetic wave that powers up the tag
and allows the reader to collect information from it or to change the values encoded in
the tag. There are also battery-powered active tags that can be read at much greater
distances (hundreds of meters).
RFID Skimming
One type of RFID attack is skimming, which is where an attacker uses a fraudulent
RFID reader to read the signals from a contactless bank card. Any reader can access
any data stored on any RFID tag, so sensitive information must be protected using
cryptography.
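"Any reader can access any data stored on any RFID tag" is the whole problem: a tag that answers with its stored value gives a skimmer exactly what a legitimate reader gets. The usual fix is for the tag to hold a secret key and answer only with a MAC over a fresh challenge from the reader, so a captured exchange cannot be replayed. The following is an added example written for this page, not code from the guide and not how EMV contactless cards actually work (they use card-specific cryptograms); the tag and reader are simulated in Python with HMAC-SHA256 from the standard library, and the UID, key and payload are constructed.

```python
"""Plaintext RFID tag versus a keyed challenge-response tag.

Added example, not from the Security+ guide. Toy tag/reader simulation using
HMAC-SHA256; the UID, key and stored payload are constructed values and the
scheme is illustrative, not an EMV or ISO 14443 protocol.
"""
import hashlib
import hmac
import secrets


class PlaintextTag:
    """Stores and returns data in the clear: any reader in range gets it."""

    def __init__(self, uid, payload):
        self.uid = uid
        self.payload = payload

    def respond(self, _challenge=None):
        return self.payload


class KeyedTag:
    """Holds a per-tag secret and only ever answers with a MAC over the
    reader's challenge; the secret itself never goes over the air."""

    def __init__(self, uid, key):
        self.uid = uid
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class Reader:
    """Legitimate reader that knows each issued tag's key (in a real deployment
    derived from a master key and the UID, or looked up in a back end)."""

    def __init__(self, key_db):
        self._key_db = key_db
        self._outstanding = set()   # challenges issued and not yet consumed

    def new_challenge(self):
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c

    def verify(self, uid, challenge, response):
        key = self._key_db.get(uid)
        if key is None or challenge not in self._outstanding:
            return False               # unknown tag, or a challenge we never issued
        self._outstanding.discard(challenge)   # each challenge is single-use
        expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def skim(tag):
    """What a rogue reader obtains: the tag's answer to a challenge of the attacker's choosing."""
    challenge = secrets.token_bytes(16)
    return challenge, tag.respond(challenge)


def replay_attack(reader, uid, skimmed):
    """Attacker presents a captured (challenge, response) pair to the real reader."""
    challenge, response = skimmed
    return reader.verify(uid, challenge, response)


if __name__ == "__main__":
    uid = b"\x04\xa1\xb2\xc3\xd4\xe5\xf6"          # constructed 7-byte UID
    key = secrets.token_bytes(32)
    reader = Reader({uid: key})
    tag = KeyedTag(uid, key)
    c = reader.new_challenge()
    print("legitimate read:", reader.verify(uid, c, tag.respond(c)))
    print("replayed skim:  ", replay_attack(reader, uid, skim(tag)))
```

What the scheme does not stop is a relay: an attacker who forwards the real reader's challenge to a victim's tag in real time and returns the answer still succeeds, which is the threat behind the "eavesdrop from several feet away" point in the NFC card further down. Distance bounding or a user confirmation step is needed for that.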
Near Field Communications (NFC)
NFC is based on a particular type of radio frequency ID (RFID). NFC sensors and
functionality are now commonly incorporated into smartphones. An NFC chip can
also be used to read passive RFID tags at close range. It can also be used to configure
other types of connections (pairing Bluetooth devices for instance) and for exchanging
information, such as contact cards.
NFC connection configuration/bump
An NFC chip can
also be used to read passive RFID tags at close range. It can also be used to configure
other types of connections (pairing Bluetooth devices for instance) and for exchanging
information, such as contact cards.
An NFC transaction is sometimes known as a bump,
bump
An NFC transaction is sometimes known as a bump,
Mobile wallet apps
machines. To configure a payment service, the user enters their credit card information
into a mobile wallet app on the device. The wallet app does not transmit the original
credit card information, but a one-time token that is interpreted by the card merchant
and linked backed to the relevant customer account. There are three major mobile
wallet apps: Apple Pay, Google Pay (formerly Android Pay), and Samsung Pay.
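The value of the wallet design above is that the merchant and everything between the phone and the card network only ever see a token, and that token is useless if captured: it is single-use, tied to the merchant it was issued for, and short-lived. The following is an added example written for this page; it is not code from the guide and not how Apple Pay, Google Pay or Samsung Pay implement EMV payment tokenization (which uses device-bound account numbers plus per-transaction cryptograms). The token format, the in-memory vault and the sample card number (a well-known test PAN) are constructed.

```python
"""Single-use payment token so the merchant never sees the card number.

Added example, not from the Security+ guide and not a real wallet's
tokenization scheme. Token format, vault and the test PAN are constructed.
"""
import secrets
import time


def luhn_valid(number):
    """Luhn check digit test used by card numbers. Tokens are generated to pass it
    too, so PAN-shaped fields in legacy merchant systems accept them unchanged."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def make_token(prefix="9999"):
    """Random 16-digit, Luhn-valid token in a reserved (non-issuer) range."""
    body = prefix + "".join(str(secrets.randbelow(10)) for _ in range(11))
    for check in range(10):
        if luhn_valid(body + str(check)):
            return body + str(check)
    raise AssertionError("exactly one check digit always satisfies Luhn")


class TokenVault:
    """Maps one-time tokens to (PAN, merchant, expiry). The PAN stays in here;
    only the payment processor calls redeem()."""

    def __init__(self, ttl_s=300):
        self._tokens = {}
        self.ttl_s = ttl_s

    def tokenize(self, pan, merchant_id, now=None):
        """Called on behalf of the wallet when the user taps to pay at merchant_id."""
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        now = time.time() if now is None else now
        token = make_token()
        self._tokens[token] = {"pan": pan, "merchant": merchant_id,
                               "expires": now + self.ttl_s, "used": False}
        return token

    def redeem(self, token, merchant_id, now=None):
        """Release the PAN once, only to the merchant it was issued for, before expiry.
        Returns None on any failure so a captured token cannot be reused elsewhere."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if (entry is None or entry["used"]
                or entry["merchant"] != merchant_id or now > entry["expires"]):
            return None
        entry["used"] = True
        return entry["pan"]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111111111111111", "coffee-kiosk-17")   # constructed test PAN
    print("merchant sees:", token)
    print("processor resolves:", vault.redeem(token, "coffee-kiosk-17"))
    print("second attempt:", vault.redeem(token, "coffee-kiosk-17"))
```

A token intercepted at the terminal or in the merchant's logs therefore fails on replay (already used), at another merchant (wrong binding) and after a few minutes (expired); a breach of the merchant exposes tokens, not card numbers.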
NFC vulnerabilities
- Eavesdropping/skimming
- Denial of service
Despite having a close physical proximity requirement, NFC is vulnerable to several
types of attacks. Certain antenna configurations may be able to pick up the RF signals
emitted by NFC from several feet away, giving an attacker the ability to eavesdrop
from a more comfortable distance. An attacker with a reader may also be able to skim
information from an NFC device in a crowded area, such as a busy train. An attacker
may also be able to corrupt data as it is being transferred through a method similar
to a DoS attack—by flooding the area with an excess of RF signals to interrupt the
transfer.
USB OTG
- USB OTG allows a port to function as a device or hub
Some Android USB ports support USB On The Go (OTG) and there are adapters for
iOS devices. USB OTG allows a port to function either as a host or as a device. For
example, a port on a smartphone might operate as a device when connected to a
PC, but as a host when connected to a keyboard or external hard drive. The extra pin
communicates which mode the port is in.
USB OTG vulnerabilities
- USB with malicious firmware might be able to perform an exploit
- Spread malware between computers using the device as a vector
- Install or run malware to try to compromise the smartphone itself
•Juice jacking
Juice-jacking
It is also possible that a charging plug could act as a Trojan and try to install
apps (referred to as juice-jacking), though modern versions of both iOS and Android
now require authorization before the device will accept the connection.
SMS and MMS
The Short Message Service (SMS) and Multimedia Message Service (MMS) are
operated by the cellular network providers. They allow transmission of text messages
and binary files. Vulnerabilities in SMS and the SS7 signaling protocol that underpins
it have cast doubt on the security of 2-step verification mechanisms (kaspersky.com/blog/ss7-hacked/25529).
RCS
Rich communication services (RCS)
•Exploits against handling of attachments or rich formatting
Rich Communication Services (RCS) is designed as a platform-independent advanced
messaging app, with a similar feature set to proprietary apps like WhatsApp and
iMessage. These features include support for video calling, larger binary attachments,
group messaging/calling, and read receipts. RCS is supported by carriers via Universal
Profile for Advanced Messaging (gsma.com/futurenetworks/digest/universal-profile-version-2-0-advanced-rcs-messaging).
The main drawbacks of RCS are that carrier support is patchy (messages fall back to
SMS if RCS is not supported) and there is no end-to-end encryption, at the time of
writing (theverge.com/2020/5/27/21271186/google-rcs-t-mobile-encryption-ccmi-universal-profile).
Vulnerabilities in processing attachments and rich formatting have resulted in DoS
attacks against certain handsets in the past, so it is important to keep devices patched
against known threats.
Lesson 13: Implementing Secure Mobile Solutions | Topic 13B
The Official CompTIA Security+ Student Guide (Exam SY0-601) | 361
Push notifications
- Potential vector for spam, phishing, or hoaxing
- Make sure developer account credentials are kept secure
Push notifications are store services (such as Apple Push Notification Service and
Google Cloud to Device Messaging, since replaced by Firebase Cloud Messaging) that an app or website can use to display an alert
on a mobile device. Users can choose to disable notifications for an app, but otherwise
the app developer can target notifications to some or all users with that app installed.
Developers need to take care to properly secure the account and services used to
send push notifications. There have been examples in the past of these accounts being
hacked and used to send fake communications.
Firmware Over-the-Air Updates
These are updates to the device's modem's operating system, not the device's operating system (iOS, Android). Might need to read this section again.
- Baseband updates and radio firmware
- Over the Air (OTA) update delivery
- Risks from rooted/jailbroken devices
- Risks from highly targeted attacks
Microwave Radio
Cellular networks are microwave radio networks provisioned for multiple subscribers.
Microwave radio is also used as a backhaul link from a cell tower to the service
provider’s network. These links are important to 5G, where many relays are required
and provisioning fiber optic cabled backhaul can be difficult. Private microwave links
are also used between sites.
Modes a microwave link can be provisioned
Point-to-point (P2P) microwave
Point-to-multipoint (P2M)
P2P
Point-to-point (P2P) microwave uses high gain antennas to link two sites. High
gain means that the antenna is highly directional. Each antenna is pointed directly
at the other. In terms of security, this makes it difficult to eavesdrop on the signal, as an intercepting antenna would have to be positioned within the direct path. The
modems or routers at each end of the link are also normally paired to one another and can use
over-the-air encryption to further mitigate against snooping attacks.
P2M
Point-to-multipoint (P2M) microwave uses smaller sectoral antennas, each
covering a separate quadrant. Where P2P is between two sites, P2M links multiple
sites or subscriber nodes to a single hub. This can be more cost-efficient in high
density urban areas and requires less radio spectrum. Each subscriber node is
distinguished by multiplexing. Because of the higher risk of signal interception
compared to P2P, it is crucial that links be protected by over-the-air encryption.
Other types of multipoint
Multipoint can be used in other contexts. For example, Bluetooth supports a multipoint
mode. This can be used to connect a headset to multiple sources (a PC and a
smartphone, for instance) simultaneously.