In our second blog, I discussed why a mobile device needs to be protected. Exactly what are we talking about here? What are the ways an attacker can hack a mobile device to get what they need?
Gone are the days when attackers threw USB thumb drives into parking lots hoping someone from the target organization would pick one up and insert it into a desktop on the corporate network. Attacks have become more sophisticated and are targeted at specific organizations.
There are four main vectors of attacks on mobile devices:
Attackers will use combinations of the above vectors to target their victims. The attack “kill chain”, the model Lockheed Martin adopted for describing intrusions on a computer network, applies just as well to mobile device attacks:
- Scan who is around
- Identify the best type of attack(s) given what device they are using
- Deploy the attack
- Elevate privileges with an unknown exploit
- Obtain remote control of the device, typically through a RAT (Remote Access Tool)
- Exfiltrate data or install more tools to continue hacking other servers nearby or when the device connects to the organizational or corporate WiFi network.
The Man-in-the-Middle Attack
The attack typically deployed redirects the victim’s traffic so the attacker can see where the victim is browsing and what they are interacting with. This redirect is a Man-in-the-Middle (MitM) attack. Once an attacker can see the victim’s traffic, the perpetrator is able to:
- Redirect the victim to a site owned by the attacker, complete with malicious content.
- Modify the traffic going back to the victim (think SSL Strip and others).
- Learn where the victim is browsing and build a catalog of social media exploits against the victim to be used in advanced attacks and even spear phishing emails or text messages.
- Decrypt the victim’s traffic.
- Guide the victim to install an app that provides further access to the device.
In one instance, a well-known company discovered its workers were under MitM attack while commuting by train. A rogue access point had been set up to emulate the company’s internal WiFi network, allowing the attacker to see their traffic.
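The rogue access point in the train example works because a device auto-joins whatever radio advertises a remembered network name, so one defensive check is to compare every access point advertising the corporate SSID against what the organization actually operates. The script below is an added example, not code from the original post or from the company it describes. It assumes the defender has an allowlist of the BSSIDs (radio MAC addresses) that legitimately serve the corporate SSID and knows its security type; the scan results, SSID names and MAC addresses are constructed for illustration.

```python
"""Evil-twin (rogue access point) detection over Wi-Fi scan results.

Added example. It assumes the defender knows which BSSIDs serve the
corporate SSID and which security type that network uses; all scan
data below is constructed, not captured from a real device.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str        # radio MAC address of the access point
    security: str     # e.g. "WPA2-Enterprise", "WPA2-PSK", "open"
    signal_dbm: int   # received signal strength; higher (closer to 0) is stronger


# Assumption: the corporate network is WPA2-Enterprise and is served only
# by these two access points. Values are placeholders.
CORPORATE_SSID = "CorpWiFi"
CORPORATE_SECURITY = "WPA2-Enterprise"
KNOWN_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Constructed scan, as a commuter's phone might see it on a train: two
# legitimate corporate APs, one open evil twin with the strongest signal,
# and an unrelated public network.
SAMPLE_SCAN = [
    ScanResult("CorpWiFi", "aa:bb:cc:00:00:01", "WPA2-Enterprise", -60),
    ScanResult("CorpWiFi", "de:ad:be:ef:00:01", "open", -40),
    ScanResult("CorpWiFi", "aa:bb:cc:00:00:02", "WPA2-Enterprise", -75),
    ScanResult("TrainFreeWiFi", "11:22:33:44:55:66", "open", -50),
]


def find_rogue_aps(scan, corp_ssid=CORPORATE_SSID,
                   corp_security=CORPORATE_SECURITY, known_bssids=KNOWN_BSSIDS):
    """Return [(bssid, [reasons])] for every AP that advertises the
    corporate SSID but is not a known, correctly secured access point."""
    findings = []
    for ap in scan:
        if ap.ssid != corp_ssid:
            continue  # other networks are out of scope for this check
        reasons = []
        if ap.bssid.lower() not in known_bssids:
            reasons.append("unknown BSSID")
        if ap.security != corp_security:
            reasons.append(f"security mismatch ({ap.security} vs {corp_security})")
        if reasons:
            findings.append((ap.bssid, reasons))
    return findings


def strongest_is_rogue(scan, corp_ssid=CORPORATE_SSID, **kwargs):
    """True when the strongest radio advertising the corporate SSID is rogue.
    That is the dangerous case: a device that auto-joins picks this one."""
    candidates = [ap for ap in scan if ap.ssid == corp_ssid]
    if not candidates:
        return False
    strongest = max(candidates, key=lambda ap: ap.signal_dbm)
    rogue_bssids = {bssid for bssid, _ in find_rogue_aps(scan, corp_ssid, **kwargs)}
    return strongest.bssid in rogue_bssids


if __name__ == "__main__":
    for bssid, reasons in find_rogue_aps(SAMPLE_SCAN):
        print(f"ROGUE {bssid}: {', '.join(reasons)}")
    print("strongest AP is rogue:", strongest_is_rogue(SAMPLE_SCAN))
```

Two caveats on the design. A rogue radio can clone a legitimate BSSID as easily as it clones the SSID, so the BSSID allowlist only catches careless setups; the security-type check is the stronger signal, because an attacker who cannot present the corporate RADIUS server’s certificate must fall back to an open or pre-shared-key network to lure clients. The check that actually stops the train scenario is on the device side: configure the corporate profile to validate the EAP server certificate and refuse to auto-join a same-named network with a different security type.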
When WannaCry was seen in the wild, an Android app was discovered that would scan the WiFi network for any Windows devices that were vulnerable to WannaCry and attempt to infect them.
Keep in mind, the MitM attack is not a purely local phenomenon. It is possible through spear phishing or other means, for example, to get a user to install a profile that would route all the user’s traffic through a VPN/Proxy where the attacker can inspect it and also attempt to decrypt it.
All of these attacks aim to collect more pieces of the puzzle needed to infiltrate an organization. Success gives the attacker access to data and intellectual property or, in the case of the military, information such as troop movements and plans.
My next article will describe how to best protect your mobile devices and your organization.