0 Bewertungen0% fanden dieses Dokument nützlich (0 Abstimmungen)
209 Ansichten6 Seiten
Smartphones have become very important channel for business and personal communications. This paper will show how companies are looking for mobilizing their work, with the urge to push IT Staff to use the same security standards and policies for managing smartphones. Smartphone penetration test assist you to identify risks related to your organization mobile devices.
Smartphones have become very important channel for business and personal communications. This paper will show how companies are looking for mobilizing their work, with the urge to push IT Staff to use the same security standards and policies for managing smartphones. Smartphone penetration test assist you to identify risks related to your organization mobile devices.
Copyright:
Attribution Non-Commercial (BY-NC)
Verfügbare Formate
Als PDF, TXT herunterladen oder online auf Scribd lesen
Smartphones have become very important channel for business and personal communications. This paper will show how companies are looking for mobilizing their work, with the urge to push IT Staff to use the same security standards and policies for managing smartphones. Smartphone penetration test assist you to identify risks related to your organization mobile devices.
Copyright:
Attribution Non-Commercial (BY-NC)
Verfügbare Formate
Als PDF, TXT herunterladen oder online auf Scribd lesen
Student ID: elkassify2035100004 Network and Security Engineer Alexandria, Egypt Ebn_kassify@yahoo.com
Abstract— Smartphones have become very I. INTRODUCTION
important channel for business and personal communications. As much personal information Nowadays Cellular networks have become an migrates to mobile devices, hackers have increased important part of our critical information infrastructure. chances to listen on phone calls and intercept e-mails Smartphones devices are multifunction devices and or documents. Smart phones are becoming more very powerful, the more cellular companies are rapidly powerful and multifunctional, and beginning to reduce deploying broadband data services the more the other personal devices off the market. This will profitable an attack will be. offer both viruses and virus writers more vulnerability Smartphones provide all the functionality of a to exploit. computer; they are open to the same threats as a computer, including hackers, viruses, Trojans and This paper will show how companies are looking for worms. These threats find their way onto the mobile mobilizing their work, with the urge to push IT Staff to devices of unsuspecting users and from there can use the same security standards and policies for infect organization networks. managing smartphones as they do with the other personal devices like laptops, Which includes Smartphones will be used to connect business's Checking E-mail; accessing shared data, and remote network services, and in that case the network connection to company's using VPN tunnels. There is security is the responsibility of the organization IT a lot of work needed before smartphones truly Staff, not the phones users', on the other hand become ready to join the organization secure network security policies must be pushed from the top levels services. down. While training and awareness may be beneficial for users, to ensure that policies are We will be focusing on how to perform the correctly applied in the right manner we should penetration test for the smartphones and will show conduct with the mobile devices penetration testing the main phone’s vulnerabilities and suggest some Hackers have the chance to attack Smartphones by applicable countermeasures. Smartphones performing activities such as spoofing, sniffing and penetration test assist you to identify risks related to spamming. There are several malicious Malware your organization mobile devices. How smartphone applications in circulation like worms such as penetration testing differs from usual laptop Pen- SymbOS.Beselo and SymbOS.Beselo or the Trojans testing to secure network access. WinCE.Infojack [7], and Skulls Trojan horse which attack the content and functionality of mobile phones. Smartphones penetration test [11] is a method of The question is organization's security policy applied evaluating the security of these phones including all on the smart phones or laptops as the other PDA's contained features by simulating an attack by a like laptop, I think the answer will be NO because malicious hacker. This test requires analysis of the most of organization concerned about the required system for any weaknesses, or vulnerabilities. level of security for only laptop because it is an Focusing on gaining unauthorized access on tested important asset, organizations schedule a periodic phones and using that access to check if the network vulnerability assessment and penetration testing for services could be compromised or not. Laptops and they forgot about the more important devices like mobiles and smartphones. This paper will be discussing how to perform DDOS attacks on any target though internet or other penetration test for the mobile devices, what are the mobile communication cannels like SMS and MMS. mobile vulnerabilities, and what are the applicable After the solving the problem we expect that the countermeasures that could be suggest. whole organization will create it's security countermeasures for Smartphones attacks, build II. PROBLEM STATEMENT strong security policy, proceed with awareness In this paper we address the problem of how to pen- program to their employees, periodic vulnerability test Smartphones and what is the challenges facing assessment or penetration testing for phones to that test. When organizations and companies decide achieve the required security target. to use smartphones to increase mobility of their employees, currently most of organizations do pay attention for creating a security policy to set security III. BACKGROUND rules and instructions of how to treat these smartphones including the coverage of all sides of Most of Smartphone functions and services are at the smartphones security problems. Organizations risk like messages, Contacts, Video, Phone must establish strong security policies to face risks transcriptions, Call history and sensitive Documents. and vulnerabilities and conducting penetration Most of Malware targeting Smart phones have been testing. acting as evidences of concept rather than totally developed attack code. Malware damages include Smartphone penetration testing faces some screen distort, disable live applications, and the challenges, the most important challenge is the shutdown of the phone. culture of treating smartphone like other end points (laptops) because it has more risks than employees Smartphones will be the new workstations for can imagine, another challenge is concerned about organization employees; By the end of 2012 65% of what is the possibility of using employee's personal all cell phone could be smartphones [3], devices to connect the organization network, and Smartphones are susceptible to the same threats as sending E-mail while organization has no control on workstations or laptops, there are different employees personal devices. smartphones have smartphones like BlackBerry, Symbian (more than 40 varied brands and various operating systems 0f market share [6], Windows Mobile, apple for platforms, each platform has it's special iphone and Android, each Smartphone OS has vulnerabilities and threats. vulnerabilities differ from the other OS types. Smartphones have a lot of functions like SMS to send Smartphones support various operating systems text messages, Bluetooth for file transferring in a including Android and IOS are based off Linux and limited range, E-mail, WiFi (802.11)[2] used to Unix[5] But windows mobile based on windows connect to hotspot or WLAN, MMS to transmit operating system, Thus smartphone OS will be the pictures, audio files and video. Each function must be major security issue for pen-test team, this means tested and evaluated during the penetration testing smartphones will be affected by windows and Linux and disables if not required to be used in the vulnerabilities and exploits. business environment. More than 50% of mobile malwares are Trojans [7], Penetration testing must include attacks to there are few examples of smart phones Malware smartphones while being in use with employees and threats that will have harmful effect like information connecting to organization services, and must be leakage when deployed in business environment [1]. tested in case as if it has been lost or stolen, check what the possibility of extracting sensitive data is and 1. WinCE.Infojack : The Famous Trojan designed contact lists. to target Windows Mobile OS.. It is able to disable Windows Mobile security features and run harm If organizations do not pay attention for securing malicious code, plus transmit sensitive stored data devices access it will create a Zombie or botnet call to the intruder. smartphone, where attacker will use to perform 2. SymbOS.Yxes: worm is developed to spread Similar Smartphones security researches focusing on through SMS sent to all organization employees' the attacks and vulnerabilities [8] like Attacks from phone contact list. In that case the malware would the Internet, Infection from compromised PC during be digitally signed by Symbian certificate, and the data transfer, and Peer smart-phone attacks or harmful effect of a worm is the ability to be installed infections, on any Symbian smartphone without any warnings. But this paper has its own standard as it shows the 3. SymbOS.Beselo: The first worm that is being challenges to perform penetration testing and distributed via Bluetooth and MMS channels, dressed recommendation for a corporate to secure itself in in the common shapes and forms of the Real Media, case of deciding either to deploy the smarphones or while in fact it is Symbian software. It can be not in order to increase the mobility according to distributed using multimedia memory cards. It business needs. spreads the harmful effect after infection as it was sending its copy to phone numbers taken from user’s Some researches offer recommendation to secure phone contact list. Smartphones usages like using VPN connection to access organization resources or services, and use In case of corporate deploying smartephones in their antivirus. But they did not combine the risk of business, they must treat these devices like the other dangerous use of smrtphones with the risk of being end-point in their infrastructure hosts. Smartphones lost or stolen .This paper introduces integrated main usages in business environment are listed solution to secure phones in case of business usage below: and even incase it lost or stolen. • Organization’s e-mail feature (MS Mobile V. PROPOSED SOLUTION Outlook) • Organization’s calendar service (Microsoft This section will explain how a corporate can Exchange) Shared data systems (like MS establish a penetration testing for smartphones SharePoint). starting with treating smartphones as the other endpoint in the organization, searching for • Enterprise Resource Planning (ERP) systems. smartphone vulnerabilities and countermeasures • Remote Access organization’s network using differentiate between personal usage and business VPN connections or tunnels. usage of phones. • Applications dedicated to smart phones like SMS Smartphone penetration testing will combine the notifications [1] required steps for testing in case the phone become a botnet or spreading infections to other devices, and in case of it has been stolen or lost, and if these IV. RELATED WORK suggested steps are the same as testing the other Other researchers concerning about the idea of PDA’s devices like laptops or not, and what are the securing smartphones in case of lost or stolen and fields of similarity and dissimilarity in the test how to lock all data folders and encrypt the credit procedures. card and bank accounts, and does not cover the whole process of the smartphones penetration testing Smartphones are one of PDA’s but not treated as and how it differ from testing other PDA's like PDA when conduction Penetration testing. The Laptop's. following Figure (Table1) will show the Penetration Other researches participating in creation the Mobile testing for PDA’s, smartphones are considered as Device Vulnerability Database (MDVD) [9], it is an PDA’s but not treated as other PDA, some of steps online database for collecting vulnerability and are followed when test Laptops and not applied to countermeasure information on mobile computing smartphones due to careless, other steps are technologies (smart phones, WiFi, Bluetooth, and provided specially for smartphones and not more. and will help penetration testers to identify necessarily to be followed when testing the other vulnerabilities and find countermeasures. PDA’s like laptops Check if Check if always always followed followed Pen-test steps Comments on Smartphone Pen-test steps Comments on Smartphone with with PDA's PDA's Test Test Most of organizations start their testing by Test for Unauthorized access of Scan for active scanning for a live hosts whoever the host employee’ multimedia files like (photos, Yes Extract data via devices is Smartphone or PC "Have IP address" No videos, software, sound files) VIA MMS, MMS Some employees uses their personal this test never applied on the other phones to connect network, set a rule to PDA’s force smartphones passing the health Used to discover unknown vulnerabilities Identify if the Test MMS using such as a proof-of-concept remote code check for OS and updates and run No device is personal No fuzzing tool{ref} injection and execution exploit antiMalware before connecting , or or for business use prevent using any personal device in the Most pen-tester use it to test if business usages by using control list on application configuration and Firewall. Extract credentials can be compromised by the Smartphone has different OS like information from Yes attacker, then he will gain unauthorized Identifying the OS BlackBerry, Symbian, Windows Mobile, Yes application access to company’s resources and type apple for iphone and Android, which based services, but not totally followed when on Linux, Unix and windows testing smartphones till now. Most vulnerabilities scanning tool will be limited to windows, Linux and Unix which Testing if the sensitive data is well- Vulnerability scan Yes are most popular OS for endpoints, Look for encrypted and to safe it incase of being for each OS Yes ignoring other devices' OS like Symbian encrypted files sniffed, lost and stolen. and Android. Comparing Very important step to identify Check mobile web browser and tracing vulnerabilities vulnerabilities found but most of testers Check the web if employee visit malicious websites with Mobile escape it because they do not pay attention browser Yes because that may lead web browser to No Device to mobile vulnerabilities and do not treat it run attacker’s executable code Vulnerability as end-point Database Check for login It is normal procedure for testing Laptop's Table 1 password but not completely applied when testing Yes complexity and smartphones encryption level Smartphones Security Countermeasures: Smartphones have different services which Scanning for running services Yes in most cases will not totally scanneddue 1. Enforce orgnaization smartphone policy: Applying to careless like Bluetooth, WiFi, SMS and smartphone usage policy on all company’s employees, But it of functions MMS will be hard to enforce the policy on personal devices. In order Most pen-tester check for sensitive data to establish a corporate smartphone policy, we should Identifying during their testing for PDA's, however it Yes understand the range of vulnerabilities that facing smartphone. sensitive data will be different to check it on Smartphones The variety of nature smartphone will affect on the ratio of It is very important to check for contact password compromises, hacks, and information theft, Extract address smartphones security policy could force users use complex list and try to extract it because there are book Yes types of worms or malware extract that list and strong passwords to access the network services or even and contact list and send it to intruders to login to their phones, and require smartphone antivirus and It is checked with laptop's but not actually antimalware software updating. Look for stored with smartphones, passwords could be for Yes passwords credit card or bank account 2. Create access control list to allow only business’ phones No checked by pen-tester team with all to connect to its resources and prevent the other personal Check for auto devices to connect to avoid the risks of infection or attacks. No PDA’s devices laptops and smartphones lock Smartphone Data Interception and 3. Consider all smartphones as uncontrolled endpoints: Sniffing of Sniffing is very risky which must be generated PDA's No controlled and use encryption tunnels to Smartphone users' identities could be attacked, lost and stolen. traffic Device identification uses serial number information to allow eliminate it’s risk To Simulate the effect of worms which use organizations to control her assets and associate a Extract data via Bluetooth to sending copy to phone smartphone to a specific user. And allows IT to gain remote No Bluetooth numbers taken from employee’s phone control on all devices and disable it or erase all sensitive data. contact list. To Simulate the effect worm developed to 4.Use Host IDS for smartphones to detect all intrution Extract data via spread through SMS sent to all (signature-base and anomaly-base) and help to find the No organization employees' phone contact list. SMS devices which compromised by the same vulnerability and can alarm the administrator to take the required action to prevent that kinds of attacks in the future. 5.Create VPN secure tunnel (SSL) to access organization 15. Training and awareness for employees, to instruct them resources. VPN SSL to provide a centralized SSL VPN which following the organization security policy and awareness for acting as secure gate for authenticated and encrypted secure security concepts like use complex passwords to access their browser-based access to organization network resources or phones, informing employees to be careful before following URLs gateways from different smartphone OS (like Symbian, Windows, – especially shortcuts or tiny versions of URLs, when receiving Android, BlackBerry and iOS). such from un-trusted sources. Because most of the fake URL is Phishing attacks which may be very harmful for organization if 6. Inclusive scan all smartphone traffic. To ensure securing using gained data in social engineering attacks. Notify them when network resources and protection from smartphones attacks, IT vulnerabilities appear and they can take steps to protect should deploy Firewall and Packet Inspection of Secure Socket themselves. Layer (DPI-SSL) technology for inspection of all smartphone traffic traversing the SSL VPN. VI. EVALUATION AND RESULTS 7. Use varied Security software for smartphone’s OS like Antivirus and antimalware which may help in protecting phone Pen-testers teams must pay attention to the against most of known attacks. Some security software may danger of smartphone usage, and add phones to their offers possibility of remotely erasing or destroying phone's scope when conduction a Penetration testing for PDA, memory and storage incase the device is stolen. focusing of phones functions and serves, adding required steps matching with phones nature to 8. Maximize throughput of firewall to eliminate application latency [4]. Latency can be the reason for hack attacks. Security accomplish a successful test. administrators must control smartphone application traffic. In this Paper make use of the prior experience of other case, application control must be deployed in place in the researchers “related work section” to find new network to report how much application utilization of the smartPhone. integrated solution for pen-testers, like showing the value of Mobile Device Vulnerability Database (MDVD) [9] which has been disused in related work 9. Force a rule to control opening MMS and E-mails: prevent section, but paper offer new usage for this database opening all MMS and E-mails messages coming from unknown sources. Incase SMSes the situation is different as most of OS by creating New Signature-based Host IDS for opens them automatically. We have to find some method to smartphones to detect all vulnerabilities which learned change the default setting of the smartphone OS. from (MDVD) HIDS will be great protective 10. Control traffic of smartphone applications: Most of countermeasure for all smartphones, and security phones depend on Web 2.0 applications [10], and are especially researchers must co-operate to accomplish that HIDS disposed to their inveterate vulnerabilities. And report upon as fast as possible to secure smartphone business application usage over the network. usage in different organizations. 11. Securing smartphone wireless access smartphones have This paper explains the required steps to conduct WiFi for wireless communication, WiFi highly vulnerable to be penetration testing for phones and offers an hacked when connected to unencrypted WiFi hotspots. Security applicable recommendation for securing corporate for corporate wireless must be the same level as wired using from risks of phones business usages. Organizations apply SSL VPN connection and deploy comprehensive firewall have to add new rules and policies beside current for packet inspection existence rules to secure all PDA including 12. Manage smartphone VoIP traffic VOIP not applied on all smartphones. application it depend on the organization communication platform. VoIP traffic is related to QOS such as latency and VII. DISCUSSION packet loss ratio. VOIP bandwidth management will help in reduce bandwidth-consuming traffic. Proposed solution will work well in most cases but there are exceptions, when organization deploying a 13. Smartphone data back up frequently Backup sensitive data lot of brands of smartphones to connect to like Contact lists which very important to the company. If the list organization services, It will be variety of running is lost or stolen, data backup will help incase of smart phone has been infected, IT staff mat recover the default phone settings to operating systems and different types of fixing the system then restore the data backup. vulnerabilities which will be very difficult to pen-team to cover all vulnerabilities , exploits and fixes. 14. Disable us-used services like Bluetooth or WiFi when By the end of 2012 65% of all cell phone could be employee do not need for it. These services are easy to exploit for sending malicious code or viruses. It’s also possible that smartphones [3], but till now most cell phones are not sensitive information could be sniffed when these features are smartphones. So this paper will be very effective in enabled. the next two years. Instructing employee’s to use complex password will RFERENCES be difficult in case of multiple letters are associated with each numeric key on a keypad (like press once [1] Artur Maj, Marek Janiczek " Prevenity_Dangerous_smartphones" for A, press twice for B) many users would like to [2] Pablo Brenner, "A Technical Tutorial on the IEEE 802.11 Protocol". choose words that use the first (single-press) letters, [3] DevicesDaniel V. Hoffman " Smartphone Hacks andAttacks:A and that is logically reducing the number of possible DemonstrationofCurrent ThreatstoMobile" [4] George Gerza, Simon Hill "Establishing a Corporate Smartphone passwords and make it more easy to be cracked by Policy for Security" the hackers or intruders, so it is recommended to use [5] ADRIAN KINGSLEY-HUGHES, IOS USAGE SURPASSES LINUX\ smartphones with each letter has it is separate key on BY A WHISKER the keypad. [6] WWW.THREATCENTER.SMOBILESYSTEMS.COM [7] www.threatcenter.smobilesystems.com [8] Chuanxiong Guo , Helen J. Wang, Wenwu Zhu " Smart-Phone Attacks and The solution will perform less than expected incase Defenses' [9] Wayne Jansen, Karen Scarfone, "Guidelines on Cell Phone and PDA of organization's IT staff is not qualified enough to Security (Draft)" follow the rules and steps and pay attention to monitor [10] Patrick Sweeney," 10 Best IT Practices for Smartphone Security" traffic and periodic backup for phones data, because [11] SANS Institute InfoSec Reading Room, "Conducting a the most of load and responsibilities will be handled by Penetration Test on an Organization" them,
VIII. CONCLUSIONS AND FUTURE W ORK
In this position paper, we would like to warn the
community on the dangers of potential smart-phone vulnerability, as smartphones become small Computers, viruses will originate to take advantage of an increasing number of available features and services, In case of companies decide using smartphones to Increase the mobility of their employees, they must establish an updated security policy and conducting penetration testing for PDA including all smartphone devices. Organizations must treat smartphones like other end- points. penetration testing must cover two targets first securing smartphones business usages' and the other target is securing phones in case of lost or stolen. We introduce a new testing technique for pen-testers which in smartphone testing with the required special steps and common steps with other PDA , and solving problems which may face testing team during their project . And offer many security countermeasures for using smartphones. We have also outlined how an attacker could extract information gained from Bluetooth, SMS, and MMS attacks from a smudge attack to improve the likelihood of guessing a user’s patterns Smartphones have many operating system lot of functions and services, and each Service has its vulnerabilities and exploits, which may used to send user's data to attackers and user will not even realize the data leakage. Feature work could be developing new technologies like work on the idea of generating Host intrusion detection (HIDS) for smartphones which will assist in securing the devices and also help administrators to take the appropriate action.