SANS Penetration Testing

Invasion of the Mobile Phone Snatchers - Part 1

[Editor's Note: Last Friday, Josh Wright did an awesome webcast on how penetration testers can extract sensitive information from mobile devices during an ethical hacking project, simulating what could happen if a bad guy snags a device and uses it to gather info to attack an organization. Josh provides some commentary as well as his slides below. These slides are a sampling of Josh's brand-new 575 course on Mobile Device Security and Ethical Hacking. I have to say — the new course is completely amazing! It gives folks the knowledge they need to help protect their organizations against the onslaught of new mobile devices popping up everywhere — iPhones, iPads, Android devices, RIM Blackberries, and Windows Phone are all covered. The course is selling out wherever SANS offers it, usually a month or two in advance. Course details are available here. -Ed.]

by Josh Wright

Last week I had the opportunity to deliver my webcast "Invasion of the Mobile Phone Snatchers (Part 1)". Inspired by the famous movie "Invasion of the Body Snatchers", we looked at the threat of lost or stolen mobile devices, and the ability for an attacker to extract information from a recovered device.

Mobile devices store tremendous amounts of information, a lot of which is valuable to an adversary. Stored passwords are an obvious target, but even beyond passwords there is a lot of interesting content stored with locally installed applications, web browser cache, search history from apps and even the user dictionary content containing all the keywords you type into SMS, email, web browser search and other applications. If your smart phone is anything like mine, the user dictionary is an autobiography of where you go and what you do, representing a substantial privacy threat if lost.

I was at my optometrist yesterday, and the patient next to me pulled out his iPad and unlocked it with the passcode "0000". Turns out he was a US Government employee, and we had a nice chat about the very limited security he gets with such a simple PIN. Even with a more complex PIN, an attacker can quickly leverage platform weaknesses in Apple iOS and BlackBerry to bypass the authentication without triggering device wipe policies from failed login attempts.

Check out my presentation content (downloadable here) for more information on how an attacker can leverage a stolen device to extract information, bypassing authentication requirements on the platform. I also make some recommendations for organizations on how to mitigate these attacks through device management systems and organizational policy and procedures, an essential task for any organization deploying mobile devices.


[Josh will be teaching his SANS Security 575 course at SANS FIRE in Washington DC in July to a sold-out room. The next course offering is in Virginia Beach in late August, and then at SANS Network Security in Las Vegas starting September 17. You really should check it out!

Also, this webcast is the first in a trilogy Josh is offering to help folks test and secure their mobile environments. The second webcast in the trilogy will be June 29 (covering mobile device malware), and the third (explicitly addressing the topic of mobile device penetration testing) will be on July 19. I'm really looking forward to these new webcasts, where Josh will build on the ideas of this session with additional tools and tips. Please mark your calendars and register now! -Ed.]



