I have always had a deep appreciation for the skills of a good pentester. However, elite pentesters – those who rule their craft and make magic happen on their keyboards – are generally quite rare. So I was excited when I met one – the subject of this interview – at a recent Dreamport session. For those who never heard of Dreamport, it is a cyber innovation, collaboration, and prototyping facility located in Columbia, MD. It was created by USCYBERCOM through a Partnership Intermediary Agreement awarded to the Maryland Innovation and Security Institute (MISI) in May 2018. It hosts regular sessions to share knowledge and ideas regarding cybersecurity. It was at one of these sessions where I heard Georgia Weidman speak about mobile security and her new book on penetration testing. I was duly impressed and asked her to share her insights into mobile security, which you can find in the interview below.
Spotlight on Ms. Georgia Weidman
» Title: Founder and CTO, Bulb Security LLC; Founder and CTO, Shevirah, Inc.
» LinkedIn: linkedin.com/in/georgiaweidman
Read her bio below.
Chris Daly, Active Cyber™: What do you see as the major trends affecting mobile security? What are some new attacks and how do they change the approach to mobile security? Are the attackers winning?
Georgia Weidman, Founder and CTO, Bulb Security LLC: Mobile is more a new platform than a new category of attacks. As we closed the door to bad actors on previous platforms they have increasingly moved to mobile. Phishing, malicious apps, ransomware, and cryptojacking are all examples of old attack vectors moving to new platforms. All are increasingly common on mobile and IoT. Mobile phishing is perhaps the most common / important. According to mobile security vendor Lookout, in 2018, 56% of users clicked on a mobile phishing link. Contrast that with Proofpoint’s report of 4% of users clicking on phishing links on traditional devices. That means that mobile users were 14 times more likely to be phished! While some people scoff at phishing as untechnical and ineffective, Proofpoint also reports that “phishing was involved in 70% of breaches.” The market is only just beginning to realize that mobile phishing isn’t limited to email. Any way a user can be served a link to click can be an attack vector. Text messages (SMS) are a common attack method, but Near Field Communication, QR codes, social media messengers such as Snapchat, WhatsApp, and Facebook Messenger, etc. can be as well. I wouldn’t say that the attackers are “winning,” but security is ever evolving and defenders are almost always reactive. And, the opportunity to pre-emptively better the security of mobile platforms using lessons learned on previous platforms is all but wide-open.
Active Cyber™: What do you see as significant in terms of mobile security protections over the past couple of years? Do third party security software providers provide much benefit to mobile customers? Is there a particular class of protections that seem to offer the best return on investment? How is AI/ML being applied as part of mobile security protections?
Weidman: Mobile device security used to come down to an on-device anti-virus app that, due to sandboxing restrictions, could only periodically check whether it itself was a virus. In the last couple of years, Mobile Threat Defense (MTD) has emerged as a new, more effective player in mobile security. MTD is moving to on-device agents that are tied into AI/ML networks that pre-emptively identify malware and malicious websites and provide real-time notifications to users. With fake banking apps being one of the fastest growing categories of mobile malware, whitelisting, though a primitive solution, continues to provide additional value and AI/ML is increasingly being used to maintain these whitelists.
Active Cyber™: What role does a zero trust model play in the protection model for mobile phones? Do you see evidence of zero trust being adopted by vendors and enterprises for mobile users?
Weidman: As the paradigm of computing shifts away from the trusted network perimeter model, all applications have to move to a model where each is responsible for providing data security individually. In many ways the mobile era has driven the move to zero trust by forcing enterprises to adopt fine-grained role-based authorization and authentication and, due to the presumption that the network connection is insecure, end-to-end encryption. The move to zero trust is still in its infancy, but mobile will remain a prime driver going forward.
Active Cyber™: The ARM TrustZone model is widely used as part of the trusted execution environment on mobile phones. It provides ARM partners with a highly integrated security subsystem. It does this by isolating roots of trust in a very robust manner, while increasing the ease of reuse. ARM claims that this reuse is especially beneficial in domains like payment, identity and critical infrastructure. What has been your experience in finding holes in the TrustZone architecture and do you feel that this technology is adding significant value to improving mobile security?
Weidman: While I can’t comment on my particular work in this area due to client privilege, I think we all saw with Intel’s Trusted Execution Technology (TXT) and Samsung’s early Knox issues that the industry has additional work to do in this area. I advise my clients to focus on making things more secure because they will never be completely secure. The ARM TrustZone is a useful building block and is certainly better than every developer trying to roll their own hardware security.
Active Cyber™: Mobile devices are more susceptible to data breaches due to being lost or stolen or communications being intercepted. What is your view of the state of device encryption – both data at rest and data in transit? Are the encryption protections up to snuff?
Weidman: On-device encryption has been moderately to highly successful on Apple devices but somewhat less successful and more vendor dependent on Android devices. That having been said, the level of protection is more a question of the quality of your adversary. Nation state actors can decrypt any device. Fortunately, it is atypical to have a nation state as an adversary. Data-in-transit is more of a per application issue and we have much work remaining here as the move to zero trust continues. All too many applications still rely solely on Transport Layer Security (TLS) which is a fundamentally flawed approach in the era of man-in-the-middle attacks against Wi-Fi and edge networking devices and nation states controlling the issuance of SSL certificates.
Active Cyber™: Mobile devices have special significance from a privacy perspective since they are carried by the mobile user generally everywhere they go and are at the center of all the user’s communications. Digital forensics can unlock this geo-location information along with the history of communications on the phone. What protections are afforded the user from a digital forensics viewpoint? Do you leverage the forensics information on the phone in your pentesting? What is your view on the privacy versus law enforcement access issue as it deals with encryption and forensics?
Weidman: As a pentester it is rare to be allowed a scope that allows one to take advantage of a user’s personal data. As a mobile pentesting tool developer, we, of course, have to provide tools that access those things for those companies that are ahead of the curve on mobile pentesting or those involved in offensive cyber operations. So the user data is certainly at risk. There is relatively little user protection of this data. On iOS there is a fast emergency reset to factory defaults. However, wiping your device of all your personal settings and data is certainly not protecting the data as it’s potentially lost forever! The balance between privacy, security, and law enforcement has been ongoing my entire career; I don’t expect it to end anytime soon. At least encryption is no longer generally classified as a munition.
Active Cyber™: The mobile application stack is often used as the attack vector for mobile phones. What is your impression on the policing of applications that get added to Apple and Google appstores? What about third party app stores? What can be done to improve the overall security model and monitoring of mobile applications?
Weidman: Hahahahahahahhahahah. Policing? With hundreds to thousands of counterfeit, copycat, spyware, malware, and ransomware having made it through to the Google app store, it is discouraging to say the least. Apple has done better, but even XcodeGhost made it into 344 apps in the App Store including the official WeChat app. Third party app stores are even worse. Apple and Google attempt to police their app stores. But end-users would be ill-advised to rely solely on this policing. Mobile Threat Defense products monitor for apps outside of the official app stores. While they can’t stop you from using them, they can at least flag suspicious applications in real-time.
Active Cyber™: What are some actions that mobile users should be taking to protect themselves from successful attack? What reference guidance do you recommend for mobile users?
Weidman: For end users, as discussed above, official app stores are better than third-party app stores. So start with that and consider adding MTD products. Mobile users need to be aware that any mechanism that can deliver a URL or a website can host a phishing or malware attack, but today’s mobile users are famously 10x more likely to fall for mobile phishing than traditional phishing. Mobile users need to recognize that their connection may be insecure so they need to use a VPN and/or applications that provide their own end-to-end encryption. While Google and Apple are more secure they are not and will never be completely secure, so users must be vigilant.
Active Cyber™: IoT and 5G will likely change the landscape of mobile security as the number of interconnected devices increases dramatically. What is your view of the security impacts of these technologies on mobile security?
Weidman: While it may be more difficult to make a 5G Stingray, from an end user’s perspective 5G simply provides a huge increase in bandwidth. Cellular devices already bypass network egress protections; this problem exists today. Similarly, Shadow IT/Stealth IT (aka IoT) is already a problem. Google Voice and Amazon Alexa devices and even Samsung TVs literally listen to every word in the office and potentially send them off site. While not new, this problem remains unsolved.
Active Cyber™: As a researcher and pentester, you are probably developing or looking for new tools to support your craft. What are some of the tool capabilities on your wish list and what are some recent advances you have seen or are researching in the area of mobile pentesting tools?
Weidman: Simply discovering and categorizing every device on the network would help blue teams and operations tremendously, as well as being useful for pentesters. My primary focus is on tools for penetration testing, vulnerability assessment, impact analysis, simulated phishing, and end user security awareness training focused on mobility and IoT. The needs of mobility vendors and security vendors continue to converge, so this space is, to say the least, interesting.
Thank you Georgia for enlightening me and my followers on some of the key issues and trends related to mobile security. There seems to be quite a bit of work left to make our ubiquitous smartphones more secure. And our IoT devices. And our 5G networks. Well, it looks like you are going to be busy for a long time with your research, pentesting, and training. I look forward to hearing more about Bulb Security’s innovative work in the market.
About Georgia Weidman
Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She is a member of the CyberWatch Center’s National Visiting Committee, on the board of advisors at Cybrary, and an Adjunct Professor at UMUC and Tulane University. She is a New America Cybersecurity Policy Fellow. She has presented or conducted training around the world and is regularly featured internationally in print and on television. She authored Penetration Testing: A Hands-On Introduction to Hacking. Georgia founded the security consulting firm Bulb Security and was awarded a DARPA Cyber Fast Track grant for her work in mobile device security culminating in the release of the Smartphone Pentest Framework. She founded Shevirah whose products assess and manage the risk of mobile devices in the enterprise and is a graduate of the Mach37 cybersecurity accelerator. She was the 2015 Women’s Society of CyberJutsu Pentest Ninja. She holds a MS in computer science and CISSP, CEH, and OSCP certifications.