
iOS Threats - Malicious Configuration Profiles, Threat, Detection & Mitigation


Description

A configuration profile is a highly sensitive optional configuration file that can redefine system settings such as mobile carrier settings, Mobile Device Management (MDM) settings and networking settings. Through social engineering techniques such as email phishing or a fake URL, an attacker can convince a user to install a malicious profile and compromise the device settings so that network traffic is silently routed from the device to a remote proxy over SSL, using a self-signed certificate authority that the profile has made the device trust. The impact: once the attacker has re-routed all traffic from the mobile device to their own server, they can install further malicious apps and decrypt SSL communications.


Page 1: iOS Threats - Malicious Configuration Profiles, Threat, Detection & Mitigation

Page 2

A Little About Lacoon

Who We Are

§  Founded by mobile security experts from Military Intelligence and Telco Industries

§  Supported by a Security Research Team focused on uncovering undiscovered threats to mobile apps and platforms

§  Well-funded and backed by successful security industry veterans

What We Do

§  Develop new mobile security technologies that can detect and prevent mobile threats

§  Partner with leading mobile operators and technology companies to provide comprehensive mobile security solutions

Page 3

Introduction – iOS Malicious Configuration Profile

iOS configuration profiles can be loaded on any iOS device with relative ease. Each configuration profile can include settings for managing the device's proxy, VPN and certificates.

Through social engineering such as email phishing or a web link, an attacker can convince the user to install a malicious profile and compromise the device settings.

The profile can silently route network traffic from the device to a remote proxy over SSL. Because the same profile installs the attacker's self-signed certificate authority as trusted, the intercepted connections appear valid to the end user.

Once the attacker has re-routed all traffic from the mobile device to an attacker-controlled server, they can further install rogue apps and decrypt SSL communications.

Page 4

How iOS Attacks 'Get In'

Three Main Infection Vectors for iOS Attacks

1. Physical Access

2. Social Engineering

3. Rogue WiFi Hotspots

•  Malicious Profiles
•  Fake Certificates
•  Zero-Day Vulnerabilities

Page 5

Malicious Profiles Example: LinkedIn Intro

1. The user downloads an app, or accepts new functionality from one of their apps, that requires an update to their device's profile.

Example: LinkedIn Intro's new profile reroutes all email to the LinkedIn servers.

2. LinkedIn is now intercepting all emails and modifying their content (adding user info).

This is known as a man-in-the-middle (MitM) attack!

Page 6

Holes in Existing Technologies

Capabilities needed to protect against MALICIOUS PROFILES:

•  Analyze Configuration Profiles
•  Identify Suspicious Traffic Patterns

Figure: comparison of existing technologies against these two capabilities. Key: Cannot Protect / Some Protection / Can Protect ✓

Page 7

Lacoon MobileFortress - iOS Threat Coverage

Certificate Validation

Ability to check the validity of certificates and accurately identify the source of the application

Advanced Jailbreak Detection

Ability to identify when a device has been jailbroken, using a continuous background service

Configuration Profile Analysis

Ability to identify changes to configuration profiles and understand when those changes make the device vulnerable (e.g. compromise secure containers)

Malicious App Detection

Ability to understand communications from the app, regardless of how it was installed on the device, to see what it is doing (e.g. recognize traffic to and from unknown servers)

Man-in-the-Middle Attack Mitigation

Ability to trigger a VPN to isolate the user when on a WiFi or other unsecured network

Page 8

How Lacoon MobileFortress Works – iOS Malicious Configuration Profiles

1. The Lacoon iOS app checks for modified network settings every 10 minutes and sends the configuration info to the Behavioral Risk Engine (BRE).

2. The BRE analyzes the new network configuration and determines whether it can compromise the device's communication.

3. The appropriate risk score is automatically assigned to the device and triggers the active protection layers.

4. Active Protection prevents data exfiltration by notifying the user on the device, activating network protection, and via MDM/NAC integration.

5. Full visibility and control over the compromised settings are available on the Lacoon Dashboard. Whitelisting capabilities are available for known settings.

Figure: MobileFortress App → Behavioral Risk Engine → Risk Score → Active Protection → Dashboard
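The attack on the introduction slide (a profile that installs a trusted root CA and steers traffic to a proxy), the mail-rerouting pattern on the LinkedIn Intro slide, and the "Configuration Profile Analysis" / whitelisting steps above all come down to the same question: which payloads does a profile carry, and does their combination let a third party read device traffic? The script below is an added example, not Lacoon's code or any part of MobileFortress. It parses a .mobileconfig plist with the Python standard library and rates the payload types involved. The PayloadType identifiers are Apple's; the risk wording, the rating rules, the `example.net` hostnames and the placeholder certificate bytes are this example's own, and the three sample profiles are constructed inline so the script runs offline.

```python
"""Static triage of an iOS configuration profile (.mobileconfig). Added example, not Lacoon code."""
import plistlib
import uuid

# Apple PayloadType identifiers (Configuration Profile Reference); the risk text
# is this example's own assessment of what each payload lets an attacker do.
RISKY_PAYLOADS = {
    "com.apple.security.root": "adds a trusted root CA, so attacker-issued TLS certificates look valid",
    "com.apple.proxy.http.global": "forces all HTTP(S) traffic through a proxy",
    "com.apple.vpn.managed": "installs a VPN that can carry all traffic to a remote server",
    "com.apple.mail.managed": "adds a mail account whose servers can read and alter mail",
    "com.apple.mdm": "enrolls the device in MDM, allowing remote app installs and setting changes",
}
# A trusted root CA plus a traffic-steering payload is the silent TLS MITM setup.
STEERING_PAYLOADS = {"com.apple.proxy.http.global", "com.apple.vpn.managed"}


def _payload(ptype, ident, **extra):
    """Build one payload dict with the keys every payload must carry."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ident)).upper(), **extra}


def _profile(ident, name, payloads):
    """Serialize a top-level profile as an XML plist, as an unsigned .mobileconfig is."""
    return plistlib.dumps({**_payload("Configuration", ident),
                           "PayloadDisplayName": name, "PayloadContent": payloads})


# Constructed sample: a "free Wi-Fi" profile that installs a root CA and a global
# proxy. Hostnames are placeholders and the DER bytes are not a real certificate.
SAMPLE_MALICIOUS = _profile("com.example.freewifi", "Free WiFi Setup", [
    _payload("com.apple.security.root", "com.example.freewifi.ca",
             PayloadCertificateFileName="freewifi-ca.cer",
             PayloadContent=b"\x30\x82\x01\x00" + b"\x00" * 16),
    _payload("com.apple.proxy.http.global", "com.example.freewifi.proxy",
             ProxyServer="proxy.example.net", ProxyServerPort=8080),
])
# Constructed sample of a mail-rerouting profile (placeholder hostnames).
SAMPLE_MAIL = _profile("com.example.intro", "Mail Add-on", [
    _payload("com.apple.mail.managed", "com.example.intro.mail",
             EmailAccountType="EmailTypeIMAP",
             IncomingMailServerHostName="imap-relay.example.net",
             OutgoingMailServerHostName="smtp-relay.example.net"),
])
# Constructed benign sample: a Wi-Fi network definition only.
SAMPLE_BENIGN = _profile("com.example.corpwifi", "Corp WiFi", [
    _payload("com.apple.wifi.managed", "com.example.corpwifi.ssid",
             SSID_STR="CorpNet", EncryptionType="WPA2"),
])


def load_profile(blob: bytes) -> dict:
    """Parse an XML or binary plist profile. A CMS-signed .mobileconfig is a DER
    SEQUENCE (first byte 0x30) wrapping the plist; open that envelope first
    (e.g. `openssl cms -verify`) rather than let this parser guess at it."""
    if blob[:1] == b"\x30":
        raise ValueError("CMS-signed profile: unwrap the PKCS#7 envelope first")
    profile = plistlib.loads(blob)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    return profile


def triage_profile(blob: bytes, allowlist: frozenset = frozenset()) -> dict:
    """Report risky payloads and rate the profile. `allowlist` holds PayloadIdentifiers
    an admin has approved; an allow-listed profile is still reported, not rated a threat."""
    profile = load_profile(blob)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in RISKY_PAYLOADS:
            continue
        finding = {"type": ptype, "reason": RISKY_PAYLOADS[ptype]}
        # Record where the traffic (or trust) would go, per payload type.
        if ptype == "com.apple.proxy.http.global":
            finding["target"] = f"{payload.get('ProxyServer')}:{payload.get('ProxyServerPort')}"
        elif ptype == "com.apple.vpn.managed":
            finding["target"] = payload.get("VPNType")
        elif ptype == "com.apple.mail.managed":
            finding["target"] = payload.get("IncomingMailServerHostName")
        elif ptype == "com.apple.security.root":
            finding["target"] = payload.get("PayloadCertificateFileName")
        findings.append(finding)
    types = {f["type"] for f in findings}
    if profile.get("PayloadIdentifier") in allowlist:
        risk = "allowlisted"
    elif "com.apple.security.root" in types and types & STEERING_PAYLOADS:
        risk = "critical"  # trusted CA + traffic steering: silent TLS interception
    elif types:
        risk = "high"
    else:
        risk = "low"
    return {"identifier": profile.get("PayloadIdentifier"),
            "name": profile.get("PayloadDisplayName"), "risk": risk, "findings": findings}


if __name__ == "__main__":
    for blob in (SAMPLE_MALICIOUS, SAMPLE_MAIL, SAMPLE_BENIGN):
        report = triage_profile(blob)
        print(f"{report['name']}: {report['risk']}")
        for f in report["findings"]:
            print(f"  {f['type']} ({f.get('target')}): {f['reason']}")
```

The rating keys on the combination rather than on any single payload: a root CA alone is suspicious, but it is the root CA together with a global proxy or VPN that reproduces the silent interception described on the introduction slide, which is why that pairing is the one rated critical. One caveat for current devices: since iOS 10.3 a root certificate installed through a manually installed profile is not trusted for TLS until the user also enables it under Certificate Trust Settings, so on such devices the CA payload needs that extra user step before the interception works.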

Page 9

Contact details www.lacoon.com

[email protected]