iOS Threats - Malicious Configuration Profiles Threat, Detection & Mitigation
A Little About Lacoon
Who We Are
§ Founded by mobile security experts from Military Intelligence and Telco Industries
§ Supported by a Security Research Team focused on uncovering undiscovered threats to mobile apps and platforms
§ Well-funded and backed by successful security industry veterans
What We Do
§ Develop new mobile security technologies that can detect and prevent mobile threats
§ Partner with leading mobile operators and technology companies to provide comprehensive mobile security solutions
Introduction – iOS Malicious Configuration Profile
1. iOS Configuration Profiles can be loaded on any iOS device with relative ease. Each configuration profile can include settings for managing the device's proxy, VPN, and certificates.
2. Through social engineering, such as email phishing or a web link, an attacker can convince the user to install a malicious profile and so compromise the device settings.
3. The attack can silently route network traffic from a device using the profile to a remote proxy over SSL, using a self-signed certificate authority that appears valid to the end user.
4. Once the attacker has re-routed all traffic from the mobile device to an attacker-controlled server, he can further install rogue apps and decrypt SSL communications.
How iOS Attacks 'Get In'
Three Main Infection Vectors for iOS Attacks
1. Physical Access
2. Social Engineering
3. Rogue WiFi HotSpots
• Malicious Profiles • Fake Certificates • Zero-Day Vulnerabilities
Malicious Profiles Example: LinkedIn Intro
1. The user downloads an app, or accepts new functionality from one of their apps, that requires an update to their device's Profile.
   Example: LinkedIn Intro's new Profile reroutes all email to the LinkedIn servers.
2. LinkedIn is now intercepting all emails and modifying their content (adding user info).
   This is known as a man-in-the-middle (MitM) attack!
Holes in Existing Technologies
Capabilities needed to protect against MALICIOUS PROFILES:
• Analyze Configuration Profiles
• Identify Suspicious Traffic Patterns
• Certificate Validation: ability to check the validity of certificates and accurately identify the source of the application
Key: Cannot Protect / Some Protection / Can Protect ✓
Lacoon MobileFortress - iOS Threat Coverage
• Advanced Jailbreak Detection: ability to identify when a device has been jailbroken, using a continuous background service
• Configuration Profile Analysis: ability to identify changes to configuration profiles and understand when those changes make the device vulnerable (e.g. compromise secure containers)
• Malicious App Detection: ability to understand communications from the app, regardless of how it was installed on the device, to see what it's doing (e.g. recognize traffic to and from unknown servers)
• Man-in-the-Middle Attack Mitigation: ability to trigger a VPN to isolate the user when on a WiFi or other unsecured network
How Lacoon MobileFortress Works – iOS Malicious Configuration Profiles
1. The Lacoon iOS App checks for modified network settings every 10 min and sends the configuration info to the Behavioral Risk Engine (BRE).
2. The BRE analyzes the new network configuration and determines whether it can compromise the device's communication.
3. The appropriate Risk Score is automatically assigned to the device and triggers the active protection layers.
4. Active Protection prevents data exfiltration by notifying the user on the device, activating network protection, and via MDM/NAC integration.
5. Full visibility and control over the compromised settings are available on the Lacoon Dashboard. Whitelisting capabilities are available for known settings.
Flow diagram: MobileFortress App → Behavioral Risk Engine → Risk Score → Active Protection → Dashboard
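As an added example, not Lacoon's code and not part of the deck, the following Python script shows what a static pass over a configuration profile can look like before a risk engine scores it. It covers the profile contents named on the introduction slide (root certificate, proxy, VPN) and the scoring-plus-whitelisting idea of this slide: a .mobileconfig is an Apple property list whose PayloadContent array holds one dictionary per installed setting, and each dictionary's PayloadType names that setting. The PayloadType identifiers are Apple's documented ones; the weights, the "known hosts" allow-list, the risk-level thresholds, the sample profile and every hostname in it are constructed assumptions for illustration.

```python
"""Static risk scoring of an iOS configuration profile (.mobileconfig).

Added example, not Lacoon code. The rule weights are an assumption of what a
behavioural risk engine might do, chosen to surface the deck's three dangerous
ingredients: a trusted root CA, a proxy/VPN that carries all traffic, and the
two combined (which is what makes SSL decryption possible).
"""
import plistlib
from typing import Optional

# Real Apple PayloadType identifiers, mapped to an assumed weight and reason.
RISK_RULES = {
    "com.apple.security.root":     (30, "installs a root CA the device will trust for TLS"),
    "com.apple.proxy.http.global": (25, "sends all HTTP(S) traffic through a proxy"),
    "com.apple.vpn.managed":       (20, "adds a VPN that can carry all device traffic"),
    "com.apple.mail.managed":      (15, "adds a mail account whose server sees all mail"),
    "com.apple.wifi.managed":      (10, "adds a Wi-Fi network (may carry its own proxy)"),
}
REDIRECT_TYPES = {"com.apple.proxy.http.global", "com.apple.vpn.managed"}
COMBO_WEIGHT = 15     # root CA + traffic redirection: everything needed to decrypt SSL
UNSIGNED_WEIGHT = 10  # profile is not wrapped in a CMS signature


def is_bare_plist(raw: bytes) -> bool:
    """True if raw is an unsigned profile (XML or binary plist).
    Signed profiles are a CMS/PKCS#7 DER blob (first byte 0x30) that wraps the
    plist; verifying that signature is out of scope for this example."""
    head = raw.lstrip()
    return head.startswith(b"<?xml") or head.startswith(b"bplist")


def remote_host(payload: dict) -> Optional[str]:
    """Extract the server a payload points traffic at, per payload type."""
    ptype = payload.get("PayloadType")
    if ptype == "com.apple.proxy.http.global":
        return f'{payload.get("ProxyServer")}:{payload.get("ProxyServerPort")}'
    if ptype == "com.apple.vpn.managed":
        return payload.get("VPN", {}).get("RemoteAddress")
    if ptype == "com.apple.mail.managed":
        return payload.get("IncomingMailServerHostName")
    return None


def analyze_profile(raw: bytes, known_hosts=()) -> dict:
    """Return {'score', 'level', 'findings'} for one unsigned profile.
    known_hosts plays the role of the dashboard whitelist: payloads that point
    at an allow-listed server are reported but not scored."""
    if not is_bare_plist(raw):
        raise ValueError("signed profile: strip and verify the CMS wrapper first")
    profile = plistlib.loads(raw)
    score, seen = UNSIGNED_WEIGHT, set()
    findings = ["profile is unsigned: cannot be attributed to an organisation"]
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in RISK_RULES:
            continue
        weight, why = RISK_RULES[ptype]
        host = remote_host(payload)
        if host and host in known_hosts:
            findings.append(f"{ptype} -> {host}: allow-listed, not scored")
            continue
        seen.add(ptype)
        score += weight
        findings.append(f"{ptype}{' -> ' + host if host else ''}: {why}")
    if "com.apple.security.root" in seen and seen & REDIRECT_TYPES:
        score += COMBO_WEIGHT
        findings.append("root CA plus traffic redirection: SSL traffic can be decrypted")
    score = min(score, 100)
    level = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return {"score": score, "level": level, "findings": findings}


def build_sample_profile() -> bytes:
    """Constructed sample, not a real artifact: a root CA plus a global proxy,
    serialised to the XML .mobileconfig form. The certificate bytes are a
    placeholder and the hostname is reserved (.invalid)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": "Free Wi-Fi Booster",
        "PayloadIdentifier": "com.example.booster",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root",
             "PayloadIdentifier": "com.example.booster.ca",
             "PayloadUUID": "00000000-0000-0000-0000-000000000002",
             "PayloadVersion": 1,
             "PayloadContent": b"PLACEHOLDER-DER-CERT"},
            {"PayloadType": "com.apple.proxy.http.global",
             "PayloadIdentifier": "com.example.booster.proxy",
             "PayloadUUID": "00000000-0000-0000-0000-000000000003",
             "PayloadVersion": 1,
             "ProxyServer": "proxy.example.invalid",
             "ProxyServerPort": 8080},
        ],
    })


if __name__ == "__main__":
    report = analyze_profile(build_sample_profile())
    print(f"risk {report['score']} ({report['level']})")
    for finding in report["findings"]:
        print(" -", finding)
```

Run as a script it scores the sample at 80 (high); passing `known_hosts={"proxy.example.invalid:8080"}` drops it to 40 (medium), because the root CA alone is scored but the interception combination no longer applies. The same loop can be pointed at profiles exported from a device to compare what is installed against what the organisation actually pushed.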
Contact details www.lacoon.com