black hat usa 2014 - a practical attack against virtual desktop infrastructure (vdi)
DESCRIPTION
CEO Michael Shaulov and Sr. Security Researcher Daniel Brodie will be presenting “A Practical Attack Against VDI Solutions” at this year’s conference in Las Vegas.
TRANSCRIPT
Practical Attacks against Virtual Desktop Infrastructure (VDI) Solutions
Michael Shaulov, CEO
Daniel Brodie, Sr. Security Researcher
Lacoon Mobile Security
About Daniel
§ 10 years of security research
§ From PC to Mobile
§ Researcher and developer at Lacoon Mobile Security
§ Developing a virtual execution-based app behavioral analysis framework for mRATs and mobile malware
§ Analysis of iOS and Android vulnerabilities and exploits
§ BH 2013: “A Practical Attack against Mobile Device Management (MDM) Solutions”
About Michael
§ Decade of experience researching and working in the mobile security space
§ From feature-phones to smartphones
§ Mobile Security Research Team Leader for Defense Contractors
§ CEO and co-founder of Lacoon Mobile Security
§ BH EU, BH USA, RSA Conf, GovWare …
Quick Disclaimer
This talk is NOT about:
§ Dismissing the value of VDI as an enterprise mobile solution
§ Any specific vendor's implementation
This talk is about:
§ Quantifying the risks that can compromise VDI sessions
§ Providing a framework to assess and mitigate those risks
Agenda
§ Mobile VDI 101
§ Practical Mobile Threats against VDI
§ Augmenting VDI with Defense-in-Depth Mobile Security
§ Conclusions
Threats covered:
§ Threat 1: In-the-wild mRAT key-loggers / Android
§ Threat 2: Grabbing credentials locally / Android
§ Threat 3: Screen scraping / Android
§ Threat 4: MitM session hijacking / iOS
Mobile VDI 101
Mobile VDI Motivation
Key Requirements for BYOD / CYOD
§ Enablement
§ DLP / Lost Device
§ Intrusion
Enablement
Simplify IT support of BYO devices: VDI can meet the increasing demand for BYO initiatives by delivering apps and desktops as an on-demand service.
DLP / Lost Device
§ No content is saved on the device
§ On-demand session
Intrusion
“Virtual desktop security to protect sensitive information: Centrally secured virtual desktops and apps in the datacenter reduce the risk of data loss or intrusion when delivered to any device. Corporate access remains secure while intellectual property and sensitive private information stays safe.”
Good Marketing
VDI Architecture - Example
VDI Players
2 major mobile VDI enterprise players:
§ Citrix
§ VMware
Threats to Mobile VDI Solutions
Threat 1 Using an mRAT for its Keylogging Capabilities
What is a Mobile Remote Access Trojan (mRAT)
Capabilities (diagram):
§ Emails
§ App Data
§ Contact Lists, Call & Text Logs
§ Key Logger
§ Screen Scraper
§ Memory Scraping
§ Files and Photos
§ Microphone and Camera
§ Track Location
Recent High-Profiled Examples
mRAT Spectrum
§ Surveillance / Monitoring Tools: Free - $100, Everyone -> Everyone
§ Darknet mRATs: Free - $300, Cybercriminal -> ?
§ Gov / Mil mRATs: $300K-$12M, Government -> Terrorists / Activists
Commercial Surveillance Software
“Hacking Team is really very basic software with a public payload based on public CVE bugs. Not different from any commercial spyware on the internet. Even with fewer features.” -- Mobile Malware Google Group
Survey: mRATs in the Enterprise (A Lacoon-Checkpoint Research)
Data sample
§ Mobile devices communicating through corporate WiFi access points, connected to the Checkpoint firewall
§ Traffic from 95 gateways (~90 enterprises)
§ Detection (diagram): mRAT network signatures, CP Threat Cloud
How common are mobile threats in the Enterprise?
Infected devices by country (%):
US 41.8
MX 6.6
NO 5.3
TM 4.9
EC 4.9
FR 3.9
BR 3.3
Key Findings:
§ Number of infected devices: 290; median of 2 infected devices per enterprise
§ mRATs found: 16 used; most common: Spy2Mobile, mSpy, Mobile Spy, Bosspy
§ Types of OS: 90% Android, 10% iOS
§ Country infection rates: spread across 30 countries
The full report coming soon… Stay tuned @LacoonSecurity.
Recap
§ Looked at the two solutions
§ Test servers (citrixcloud, pivot3’s testdrive)
§ VMware is more of a slim VDI while Citrix has additional capabilities
§ Very configurable
§ Both provide a myriad of clients and logging-in capabilities
Threat 1 Using a Widely Popular mRAT on an Android-based Device
§ Keylogging for data or authentication info
§ mSpy
§ Lacoon-Checkpoint “mRATs in the Enterprise” survey: the mRAT most used in the enterprise
§ Detected in 19 countries, such as USA, Britain, and France
§ Cost: >$50
mSpy
Different Keylogging options
§ Repackage a keyboard – done on SwiftKey in 2013; used by mRATs as a custom keyboard
§ MitM on the active input method – grant yourself the BIND_INPUT_METHOD permission; pretty complicated and requires elevated privileges
§ Input Manager Service is a native process; hooking it at InputDispatcher->dispatchOnce gives access to all input events. Practically all Android ROMs use default symbol visibility, so the symbol is exported and easy to resolve.
Threat 2 Grabbing Credentials Locally on Android
§ Keylogging has its own problems
§ Target the client itself to grab whatever credentials you need
Steps:
1. Run a privilege-escalation exploit
§ TowelRoot (CVE-2014-3153), VROOT (CVE-2013-6282), …
§ The exploit does not leave identifiable root marks
2. Enable JDWP debugging on all the apps installed on the device
3. Connect as a debugger to the VDI client (for example `adb forward tcp:<port> jdwp:<pid>` and jdb)
4. Set a breakpoint on a function that handles the credentials
Debugging the Session against the VDI Client
Enabling JDWP debugging on apps
§ By ptrace-ing the init process to dynamically change the ro.debuggable property; similar to what setpropex does
§ By starting the JDWP thread yourself in the relevant process; easily done by calling dvmJdwpStartup with ptrace (Dalvik; ART has its own JDWP implementation)
Possibilities to hook apps
§ JDWP: an easy way to simply sit on a specific Java function after enabling debugging
§ Xposed / Cydia Substrate: also a great way to dynamically hook a function without needing to resort to debugging; uses a small jar injected into every process by zygote to initiate hooking, so Dalvik changes are not necessary
§ Native code hooking: through ptrace debugging or .so injection, either by having a relevant native function somewhere in the stack; also very useful for hooking ART
Threat 3 Screen Scraping against Android
Two possible methods
§ Leverage the clipboard access support
§ Record the screen automatically when the mRAT detects that the VDI client is connected
Screen Scraping using Clipboard Access Support
1. Run a privilege-escalation exploit
§ TowelRoot (CVE-2014-3153), VROOT (CVE-2013-6282), …
§ The exploit does not leave identifiable root marks
2. Monitor the current foreground activity using standard Android APIs (ActivityManager.getRunningTasks / getForegroundApp)
3. Inject keyboard events to cause content to be copied from the open file to the clipboard
§ Using InputManager’s injectInputEvent (as root/system) we can inject input events
§ Specifically Ctrl+A, Ctrl+C will work for most interesting applications
(Screenshots: inside the VDI client; data extracted from the VDI client)
Screen Scraping using Screen Recording
1. Run a privilege-escalation exploit
§ TowelRoot (CVE-2014-3153), VROOT (CVE-2013-6282), …
§ The exploit does not leave identifiable root marks
2. Monitor the current foreground activity using standard Android APIs (ActivityManager.getRunningTasks / getForegroundApp)
3. Start recording the screen using one of the recording APIs
§ Android 4.4 has a nice new screenrecord tool – but it is possible even earlier by reading the framebuffer
§ On 4.2 and up, surfaces flagged secure (SurfaceView.setSecure / FLAG_SECURE) are excluded from capture, so that check would need to be patched; a VDI client that does not set the flag gets no protection at all
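Threats 1 to 3 all start from device state that an administrator can observe: a debuggable runtime, a non-allowlisted input method, or leftover root markers. The following is an added example, not code from the talk or from Lacoon, that parses the text `adb shell getprop`, `adb shell settings get secure default_input_method` and a file listing would produce and reports the anomalies those threats rely on. The IME allow-list is an assumed organisational policy, the sample outputs are constructed, and `com.example.fakeboard` is a hypothetical package.

```python
"""Triage Android device state for the conditions Threats 1-3 rely on.

Added example (not from the talk or Lacoon). Input is the text that
`adb shell getprop`, `adb shell settings get secure default_input_method`
and a listing of well-known root-marker paths would produce.
"""
import re

# Assumed organisational allow-list of input methods (IME ids as Android reports them).
IME_ALLOWLIST = {
    "com.android.inputmethod.latin/.LatinIME",
    "com.google.android.inputmethod.latin/com.android.inputmethod.latin.LatinIME",
}

# Persistent root markers. Their absence proves nothing: as the slides note, an
# in-memory exploit such as TowelRoot leaves no such marks.
ROOT_MARKERS = (
    "/system/bin/su",
    "/system/xbin/su",
    "/system/app/Superuser.apk",
    "/system/app/SuperSU.apk",
)

_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text):
    """Turn `getprop` output ('[key]: [value]' per line) into a dict."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def triage(props, default_ime, present_paths, ime_allowlist=IME_ALLOWLIST):
    """Return a list of (severity, finding); an empty list means nothing anomalous."""
    findings = []
    build_type = props.get("ro.build.type", "")
    # Threat 2: ro.debuggable=1 lets a debugger attach to every app, the VDI
    # client included. A production ("user") build should always report 0.
    if props.get("ro.debuggable") == "1" and build_type == "user":
        findings.append(("high", "ro.debuggable=1 on a user build: JDWP can be attached to the VDI client"))
    # ro.secure=0 means adbd itself runs as root.
    if props.get("ro.secure") == "0":
        findings.append(("high", "ro.secure=0: adbd runs as root"))
    # Threat 1: a repackaged or unknown keyboard sees every keystroke.
    if default_ime not in ime_allowlist:
        findings.append(("medium", "unknown input method active: %s" % default_ime))
    # Threats 2/3: only the sloppy case, where rooting left files behind.
    for path in present_paths:
        if path in ROOT_MARKERS:
            findings.append(("high", "root marker present: %s" % path))
    return findings


# Constructed sample inputs (not captured from a real device).
SAMPLE_GETPROP = """\
[ro.build.type]: [user]
[ro.build.version.release]: [4.4.2]
[ro.debuggable]: [1]
[ro.secure]: [1]
[ro.adb.secure]: [1]
"""
SAMPLE_DEFAULT_IME = "com.example.fakeboard/.FakeIME"  # hypothetical package
SAMPLE_PRESENT_PATHS = ["/system/bin/sh", "/system/app/Superuser.apk"]


if __name__ == "__main__":
    for severity, message in triage(parse_getprop(SAMPLE_GETPROP),
                                    SAMPLE_DEFAULT_IME, SAMPLE_PRESENT_PATHS):
        print(severity, message)
```

The ro.debuggable check is the one worth keeping even against a careful attacker: flipping the property in init's memory (the setpropex technique above) is exactly what makes it visible to `getprop` afterwards, whereas the root-marker list only catches tooling that writes to /system.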
Threat 4 Man-in-the-middle (MITM)
Diagram: VDI authorization flow. The user submits VDI credentials; once authorized, the VDI returns the list of services and the organizational policy, and the client then requests Service A.
VDI Protocol Flow
Diagram: the user enters VDI credentials into the VDI client on the mobile device; the client talks to the server over SSL connections.
Malicious Configuration Profiles
§ Proxy/VPN
§ Certificate Authority
Threat #4: MitM against iOS
(Screenshot: an email with a phishing link to a configuration profile.)
Diagram: mobile device to VDI Server, with the profile's proxy/VPN and CA in the path.
More possibilities with MitM attacks
§ Once the profile's CA is trusted by the device, ordinary TLS validation in the VDI client accepts the interposed certificate; only certificate pinning in the client would resist this
§ Duplicating the actual screen/input stream to a separate machine
§ The VMware Horizon View client uses either a proprietary protocol or RDP
§ Citrix Receiver uses a proprietary protocol called ICA – not widely analyzed yet
§ Simulate commands to the client and/or server
§ Can be used to do implementation-specific actions, including gaining VPN credentials, etc.
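A configuration profile is a property list, so the payloads the slides warn about (root CA, global proxy, VPN) can be flagged before a user taps Install or when a profile turns up in mail. The following is an added example, not code from the talk or from Lacoon; it expects the unsigned XML form of a .mobileconfig (a CMS-signed one must be unwrapped first), the payload type identifiers are Apple's documented ones, and the sample profile with its `com.example` identifier and placeholder DER bytes is constructed for the example.

```python
"""Triage an iOS configuration profile for payloads that enable MitM.

Added example (not from the talk or Lacoon). Expects the unsigned XML plist;
a CMS-signed profile must be unwrapped first, for instance with
`openssl smime -verify -inform der -noverify -in profile.mobileconfig`.
"""
import plistlib

# Apple payload types that let a third party interpose on the device's traffic.
MITM_PAYLOAD_TYPES = {
    "com.apple.security.root": "installs a trusted root CA (TLS interception)",
    "com.apple.security.pem": "installs a certificate (PEM)",
    "com.apple.security.pkcs1": "installs a certificate (PKCS#1 DER)",
    "com.apple.proxy.http.global": "sets a device-wide HTTP(S) proxy",
    "com.apple.vpn.managed": "configures a VPN that can carry all traffic",
}


def triage_profile(profile_bytes):
    """Return [(payload_type, display_name, detail)] for every risky payload."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in MITM_PAYLOAD_TYPES:
            continue
        detail = MITM_PAYLOAD_TYPES[ptype]
        if ptype == "com.apple.proxy.http.global":
            detail += " -> %s:%s" % (payload.get("ProxyServer"), payload.get("ProxyServerPort"))
        findings.append((ptype, payload.get("PayloadDisplayName", "?"), detail))
    # A profile the user cannot remove keeps the attacker's CA and proxy in place.
    if profile.get("PayloadRemovalDisallowed"):
        findings.append(("PayloadRemovalDisallowed", profile.get("PayloadDisplayName", "?"),
                         "profile cannot be removed by the user"))
    return findings


# Constructed sample (not a real phishing artifact): one benign Wi-Fi payload,
# a global proxy, and a root CA whose DER body is a placeholder.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.vdi-settings",
    "PayloadUUID": "6B7F3E6A-0000-4000-8000-000000000001",
    "PayloadDisplayName": "Corporate VDI Settings",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "Corp Wi-Fi",
         "SSID_STR": "corp-wifi"},
        {"PayloadType": "com.apple.proxy.http.global", "PayloadDisplayName": "Corp Proxy",
         "ProxyType": "Manual", "ProxyServer": "203.0.113.10", "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "Corp Root CA",
         "PayloadContent": b"\x30\x82placeholder-der"},
    ],
})

# Constructed benign profile for comparison: Wi-Fi only, removable.
SAMPLE_BENIGN_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.wifi-only",
    "PayloadContent": [{"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp-wifi"}],
})


if __name__ == "__main__":
    for ptype, name, detail in triage_profile(SAMPLE_PROFILE):
        print("%-32s %-16s %s" % (ptype, name, detail))
```

Either finding alone is enough to interpose on the VDI session: the proxy steers the connection to the attacker's host and the CA makes that host's certificate validate, which is why a VDI client should pin its server certificate rather than trust the device's store.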
Building the Necessary Mobile Security Strategy
Conclusions
§ VDI depends on the integrity of the host system
§ It protects the data as long as the device is uncompromised
§ If the underlying device is compromised, so is the VDI solution
A Layered Mobile Security Approach
A multi-layer approach to mobile security: Detect. Assess. Respond to Mobile Threats.
Mobile Vulnerability Assessment
• Assess device, configurations, apps
• Reduce attack surface
Advanced Mobile Threat Detection
• Device, application, network anomaly detection
• Mobile AV, advanced app reputation analysis
• Detect and classify advanced threats (zero-day, APT, malicious applications, etc.)
Mobile Risk Mitigation
Accurate mitigation and dynamic access control of compromised devices, using a rich toolbox:
• Integration to MDM, NAC and SIEM
• On-device remediation and on-demand network mitigation
Thanks to those that helped on the Lacoon-Checkpoint mRATs in the Enterprise Survey!
Lacoon
§ Pavel Berengoltz
§ Shai Yanovski
§ Shalom Bublil
§ Shayna Tichler
§ Amir Kessler
§ Noam Modai
Checkpoint
§ Inna Myslyuk
§ Gali Carmel
§ Ron Davidson
§ Inbar Raz
§ Alon Kantor