Dan Guido, a NYU-Poly hacker-in-residence and a conference organizer
With more than 6 billion cell phone users around the globe, a very relevant question to ask is just how secure are these devices – the subject of a recent day-long NYU-Poly conference (THREADS) where Black Hat quality mobile security experts presented cutting edge research. What these industry leaders are learning is that it’s a bigger problem than anyone had realized – one mushrooming in scale and sophistication. Just one indication of our vulnerability: more than half of Android devices are vulnerable to known security flaws that can be exploited by malicious applications to gain complete access to data and the operating system.
The result is that after at least two decades in the trenches battling threats to desktops, IT security professionals now face a huge new challenge securing the rapidly expanding universe of mobile devices – coupled with millions more Internet-connected machines. “Mobile is definitely a class of its own, it is not a smaller desktop, the issues are unique and the ways that attacks are going to play out will be much different from what you’d expect,” explained Dan Guido, a NYU-Poly hacker-in-residence and a conference organizer. “There are hundreds of millions of devices in people’s pockets, and at least as many as machines that essentially function as cell phones because they have SIM cards - smart meters, Kindles, GPS devices, car alarms, etc, around the world - this is a security problem now, and we might not be ready, so we should be talking about it.”
But rather than talking about any and all possible vulnerabilities, experts at THREADS – part of NYU-Poly’s by now famous annual Cybersecurity Awareness Week (CSAW), which hosts the world’s largest Capture the Flag competition (9,100 students participated) – focused on actual attack vectors, which are most relevant to industry, as well as mobile users. This is a central operating principle for the school’s cybersecurity training approach, explains Guido, who is helping graduate students become familiar with the industry’s “pain points.” “Keeping up in this industry is a key difficulty for academia – much of the available data and research being done at universities today addresses threats from 3-5 years ago, but this is old news to an IT security professional,” explained Guido, a NYU-Poly alum, who made a name for himself, and the school’s cyber-chops, with work stints at Goldman Sachs, the Federal Reserve Bank, then international consulting, before starting his own firm Trail of Bits.
The findings about Android’s vulnerabilities was presented by Jon Oberheide, the chief technical officer (CTO) of DUO Security which this past summer launched a free assessment tool application, known as X-Ray (www.xray.io). Results from tens of thousands of devices worldwide determined at least half had known ‘privilege escalation vulnerabilities’ which can be exploited to gain administrator (root) access allowing manufacturer firmware to be circumvented. That essentially defines jailbreaks, which are exploits that allow users to get around manufacturer-imposed limitations, to enable downloads of additional applications, extensions, and themes not otherwise available through, for instance, the official Apple App Store.
These jailbreaks are made of sophisticated attack code but are not necessarily malicious. How ‘good’ jailbreaks go bad, was the subject of another presentation by Mike Arpaia of iSEC Partners, done in partnership with Dan Guido. Studying jailbreak communities – which share many of the same motivations as attackers, including wanting the widest possible diffusion and longest shelf-life for their hacks – was the focus of research presented by Dino Dai Zovi, Trail of Bits’ CTO. The premise: ‘know thy adversary.’ Both attackers and defenders live with finite resources; studying actual attack vectors optimizes defense expenditures.
By probing the mobile operator networks run by AT&T, Verizon and all the other carriers, Collin Mulliner, from Northeastern University’s Systems Security Lab, exposed a scary universe of additional vulnerabilities among the new generation of machines that are all connected to the web, most of which have never been adequately inspected or evaluated. Chris Rohlf, principal at Leaf SR, offered insights about how Google’s Native Client, a sandboxing technology that allows web-based apps to safely run at near-native speed, might become useful in future mobile security. What’s likely to be next in malicious attacks was the focus on another presentation by Vincenzo Iozzo, Director of Security Engineering at Trail of Bits, whose research examined BlackBerrys, considered one of the more secure smart phones.
“We (students) all generally tend to think about these problems from one particular perspective, we try to solve these problems in the ways we know, so I was amazed at the different approaches being used by these other (presenting) researchers,” said Sai Teja Peddinti, a doctoral candidate in IT security, who had until the THREADS conference assumed that Google’s browser were made satisfactorily safe, but didn't know the working details. “But that Google is looking at running some kind of native code in the browser itself to give a better user experience without compromising security, this was completely new to me - so attending these presentations I was able to get introduced to areas of research I hadn’t thought about at all before.”