Penetration Testing
mailing list archives
Re: IT Audits/PT's of Smartphones
From: Marco Ivaldi <raptor () mediaservice net>
Date: Sun, 4 Sep 2011 23:10:37 +0200 (ora legale Europa occidentale)
Hi,
I apologize for the late reply, I was on vacation.
On Wed, 3 Aug 2011, cribbar wrote:
> Hi
> May I ask - does there exist a (if at all possible - free) vulnerability
> scanner specific to smartphones, namely blackberries/iPhones (various
> models/versions of each)?
You stumbled upon a typical example of attack vector that cannot be tested
using automated vulnerability scanners. Actually, no attack vectors can be
thoroughly tested just by means of automated scanning, but this is another
story;)
> Aside from encryption on the device itself, if you have audited or pen tested
> for a client their smartphone/smartphone infrastructure - are there any
> common security/management issues you find with them, or any good benchmarks
> you use to assess the phone itself?
I can contribute some issues typically found within BlackBerry Enterprise
infrastructures.
Before I start, it's important to clarify that the BlackBerry Enterprise
platform itself provides comprehensive granular control over the handhelds and
can be configured to enable a degree of protection suitable for most
environments. That said, in my experience as a Security Analyst I've verified
that most deployments are actually configured in an insecure way and are
therefore vulnerable to many attacks, such as:
- Malware infection: arbitrary software can usually be installed on
handhelds, opening a broad attack surface (think of spear phishing,
worms, spyware, etc.).
- Remote access to the corporate network: most of the time admins don't
bother to separate the different BES components on different servers
and fail to apply proper ACLs to prevent attacks generating from the
BES itself.
- Insufficient handheld protection: most of the time, handheld passwords
are not present or their robustness is not properly enforced.
- Access to the underlying operating system of BES, due to server
misconfiguration. Look for the usual suspects: predictable credentials
(hint: especially SQL Server passwords!), Active Directory flaws,
software vulnerabilities, configuration mistakes, and so on.
- Theft of traffic logs: logging of all phone calls and MDS connections is
enabled by default and logs are stored unencrypted on BES disk.
- SSL attacks, mainly on poorly written applications (e.g. that do not
properly check certificate validity).
- Wireless attacks, including some against WPA Enterprise PEAP-MSCHAPv2.
Bottom line: mobile devices always connected to the corporate network
represent a huge opportunity for a remote attacker and therefore their
presence should not be overlooked while assessing the security posture of an
organization.
I hope this helps! Cheers,
--
------------------------------------------------------------------
Marco Ivaldi OPSA, OPST, OWSE
Senior Security Advisor
@ Mediaservice.net Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://www.mediaservice.net/
------------------------------------------------------------------
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc