Michael Kaishar – Information Security Practitioner



Mobile Based MiTM Attack Example

Before I show an example of a Mobile Man in the Middle (MiTM) Attack, a disclaimer: I do not accept any liability whatsoever for the content, or for the consequences of any action taken on the basis of the information provided. This is a proof-of-concept example illustrating how a Mobile MiTM Attack would be carried out, and the information should be used for educational purposes only.

Here’s a classic scenario using an Android Mobile Device to act as a MiTM to eavesdrop on a User’s Internet activity.

People generally go to coffee shops to grab a quick lunch, get some coffee, socialize, work, etc. People also tend to bring along their laptops because most coffee shops offer free WiFi. Most devices are configured to automatically join any network whose name (SSID) they have connected to before, and they will happily do so for whichever access point advertising that name has the strongest signal. Users are not usually aware of whether they connected to a trusted WiFi network or not, and they do not know the implications of connecting to an untrusted WiFi Access Point. Once users are connected to the Internet they may access their Facebook page, email account, and online bank account. All is well as far as the user is concerned. General users are not aware of all the bad deeds a malicious attacker can perform at their local coffee shop.

Figure 1 – Illustration of a Mobile Based MiTM Attack

A malicious attacker needs nothing more than a mobile device that can provide hotspot access. The attacker configures the hotspot to advertise the same SSID as the coffee shop's own network (an "evil twin") and leaves it open, so it provides Internet access to anyone who joins. A user whose device is set to auto-join that network name will connect to whichever access point has the stronger signal, and a phone sitting two tables away usually wins against the shop's AP behind the counter. The attacker has not really "taken over" the coffee shop's Access Point; the attacker has placed a second AP with the same name alongside it, and the users' devices do the rest. At this point every Internet connection from those users passes through the attacker's hotspot, and the attacker can view their activity. This is a man in the middle attack: the attacker has hijacked the users' wireless connection requests, had them connect to his/her hotspot, and can now eavesdrop on all connected users without any issues.

One caveat on what "eavesdrop" means in practice. Anything sent in the clear (plain HTTP pages, POST forms, unencrypted email protocols, DNS queries) is fully readable from the hotspot. Sessions protected by TLS (HTTPS) are not readable as content; the attacker still sees which hosts the user talks to, when, and how much, and can attempt to downgrade or spoof those connections, but reading the content requires an additional attack on the TLS session, not just the rogue hotspot.

I wrote about a tool before that would allow you to do all of this.  Check out my post on the Android Network Toolkit.  Here’s a link for you:  https://michaelkaishar.wordpress.com/2011/12/21/android-network-toolkit/
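The scenario above hinges on a second access point advertising the shop's SSID, so the check a user or the shop's IT staff would want is: who is currently serving that name? The following is an added example (my own code, not part of the original post or of the Android Network Toolkit). It parses a constructed, made-up `iw dev wlan0 scan` listing and flags access points that claim a known SSID but are not in the shop's own BSSID list, serve the name open while another AP serves it with WPA/RSN, or use a locally administered MAC address, which is typical of phone hotspots. The sample scan text, the SSIDs, the BSSIDs and the "known" list are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `iw dev wlan0 scan` output (not a real capture).
# Three BSS entries: the shop's WPA2 AP, an open "twin" on a phone-style
# locally administered MAC, and an unrelated neighbour.
SCAN_OUTPUT = """\
BSS a4:2b:8c:11:22:33(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -62.00 dBm
    SSID: CoffeeShop_WiFi
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS 02:1a:11:aa:bb:cc(on wlan0)
    freq: 2412
    capability: ESS ShortSlotTime (0x0401)
    signal: -38.00 dBm
    SSID: CoffeeShop_WiFi
BSS 00:1d:7e:44:55:66(on wlan0)
    freq: 5180
    capability: ESS Privacy (0x0011)
    signal: -70.00 dBm
    SSID: Neighbour_Net
    RSN:     * Version: 1
"""

# BSSIDs the shop says are its own APs (assumed; constructed for the example).
KNOWN_BSSIDS = {"CoffeeShop_WiFi": {"a4:2b:8c:11:22:33"}}


def parse_scan(text):
    """Split iw scan output into one dict per BSS: bssid, ssid, signal, encrypted."""
    networks = []
    for block in re.split(r"^(?=BSS )", text, flags=re.M):
        head = re.match(r"BSS ([0-9a-f:]{17})", block)
        if not head:
            continue
        ssid = re.search(r"^\s*SSID: (.*)$", block, re.M)
        signal = re.search(r"signal: (-?\d+(?:\.\d+)?) dBm", block)
        cap = re.search(r"capability: (.*)\(", block)
        # "Privacy" in the capability field means WEP/WPA/WPA2; an RSN or WPA
        # information element confirms WPA/WPA2 specifically.
        privacy = cap is not None and "Privacy" in cap.group(1)
        rsn = re.search(r"^\s*(RSN|WPA):", block, re.M) is not None
        networks.append({
            "bssid": head.group(1),
            "ssid": ssid.group(1).strip() if ssid else "",
            "signal": float(signal.group(1)) if signal else None,
            "encrypted": privacy or rsn,
        })
    return networks


def locally_administered(bssid):
    """Bit 1 of the first octet set = locally administered (not vendor-assigned)."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def find_evil_twins(networks, known=KNOWN_BSSIDS):
    """Return APs that look like rogue twins of a network we care about.

    A second BSSID on the same SSID is normal (shops run several APs), so that
    alone is not a finding; it is the combination with the checks below.
    """
    by_ssid = defaultdict(list)
    for net in networks:
        by_ssid[net["ssid"]].append(net)

    findings = []
    for ssid, aps in by_ssid.items():
        secured = any(ap["encrypted"] for ap in aps)
        for ap in aps:
            reasons = []
            if ssid in known and ap["bssid"] not in known[ssid]:
                reasons.append("BSSID is not one of the shop's known APs")
            if not ap["encrypted"] and secured:
                reasons.append("open AP sharing an SSID that is also served with WPA/RSN")
            if locally_administered(ap["bssid"]):
                reasons.append("locally administered BSSID (typical of phone hotspots)")
            if reasons:
                findings.append({"ssid": ssid, "bssid": ap["bssid"],
                                 "signal": ap["signal"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_evil_twins(parse_scan(SCAN_OUTPUT)):
        print(f"{f['ssid']} via {f['bssid']} ({f['signal']} dBm):")
        for r in f["reasons"]:
            print("  -", r)
```

On a real laptop, replace SCAN_OUTPUT with the output of `iw dev wlan0 scan` run as root. Note which signal is strongest: in the sample the open twin at -38 dBm beats the shop's AP at -62 dBm, which is exactly why an auto-joining device picks it.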

Regards,
Michael Kaishar, MSIA | CISSP

Disclaimer:  This post is solely for educational purposes.  The author does not accept any liability whatsoever for the content, or for the consequences of any action taken on the basis of the information provided.



Bring Your Own Device To Work

People bringing their own devices to work is nothing new.  It has been going on for quite some time, but people used to bring a laptop or a BlackBerry, not an iPhone, iPad, Android, etc.  The company IT department would install protection mechanisms on the laptop, most likely anti-virus and full-disk encryption.  The BlackBerry would be secured through the company's BlackBerry Enterprise Server with all of the protection features it offered.  There would also be security policies documenting acceptable use.  It was easier to place technical and administrative controls around such devices.

Bring Your Own Device, or BYOD, has really picked up momentum.  Now people want to use their personal iPads, iPhones, Androids, and so forth to conduct company business as well as personal business.  Instead of carrying several devices, people want one device for everything.  That is convenient, but it presents many problems for the people as well as for the companies allowing these devices onto their business networks.  BYOD is a nightmare for us security people!

Here's a scenario for you. I bring my own iPad to work for business purposes. I save confidential information on the iPad and then head over to Starbucks for coffee. I leave my iPad on the table to go grab my coffee, and in less than 30 seconds my iPad is GONE!!! Someone has just stolen my personal device.  Now I not only have to worry about the value of the iPad itself, I have to worry far more about the confidential data that is on it.  To continue the scenario, let us say the company follows a strong information security program and requires all iPads to be encrypted.  Now I no longer have to worry as much about the data, because it is encrypted.  The iPad also follows the best practices for locking down the device, including a limit on the number of passcode attempts an attacker gets before the device locks or erases itself.  Given that all of these protections are in place, are you willing to have the company REMOTE WIPE YOUR iPAD?  Unless the company manages the device with a mobile device management (MDM) solution that can selectively remove managed company data, a remote wipe cannot erase only the company data; it erases EVERYTHING on the iPad, including your personal photos, music and mail.  This is something you as the user have to consider before bringing your own device to conduct company business.

Another issue to consider is privacy.  What level of privacy can you expect once you bring your own device to work?  Will the company monitor your personal information as well as company information?  Is there a security policy documenting acceptable use, what counts as personal versus business information, and how each kind of data is handled?  I personally would not bring my own iPad to use for company business.  If the company is willing to give me an iPad, then by all means, I would have no issue with it.  However, using your personal iPad to conduct company business opens a can of worms for the individual and for the company.

There have been numerous accounts of data breaches involving company laptops.  So what's new here?  A personal device might contain some really embarrassing information about the individual as well as sensitive and confidential company information.  Now, not only would a company have to answer for a data breach regarding its confidential data, it might also have to deal with the individual's embarrassing content.  The individual might be put on the spot and might even lose their job because of embarrassing content on a personal device that they also use for work.

I rambled on and on with this, but it is definitely a tough situation these days.

Regards,

Michael Kaishar, MSIA | CISSP




Data Breaches

Get your daily dose of Data Breaches from DATALOSSdb!

What does DATALOSSdb do?

According to their ABOUT page, DATALOSSdb does the following:

Every day, project curators and volunteers scour news feeds, blogs, and other websites looking for data breaches, new and old. We search for incidents that need to be updated, or incidents that are not yet in the database. We then add them to the database, mail out to members of the mailing list, and Tweet the breach out to Twitter.

News that we find in the course of searching for breaches that does not fully qualify as a breach, but that is still relevant to identity theft or data security gets added to the Blotter.

In addition to scouring the internet for breaches, we also regularly send out Freedom of Information (Public Records / Open Records) requests to various US States requesting breach notification documents they receive as a result of various state legislation.

These notices are then added to the Primary Sources Archive where they can then be viewed by all. Volunteers comb through these documents and associate them with Incidents, and enter in some basic information regarding the notifications.

These Primary Sources give us deeper insight into data loss incidents, and also uncover incidents that slipped by the media unnoticed.

Regards,

Michael Kaishar, MSIA | CISSP