Ollie Whitehouse
Architect, Advanced Threat Research, Symantec Corporation
So if you had told me that one day I would be invited to Microsoft to talk about a subject I’ve now been involved in researching on and off for over six years and something I must say that has burned in my belly with passion for most for most of it, I would have said ‘unlikely’. However as I write, this is indeed what I’m doing. Microsoft has invited for a second time an employee of Symantec to present at BlueHat- Matt Conovor was the first on heap overflows.
Before I go into detail on what I’m speaking about at BlueHat, let me first provide a little background on the security of mobile devices and where we are today. Today we sit in a world where there are security risks with most devices – however these risks are in most cases difficult to exploit due to the proprietary nature of the operating systems on them.
These proprietary systems, by their very nature, have little or no public information – this precludes even the most determined attacker from reverse engineering and exploiting them unless they have access to resources confined to a few. However with the arrival and increased uptake of COTS on the handset, this is changing.
Today we have three major players – Symbian, Windows Mobile (CE) and Linux. These systems due to the fact they are designed to be customized, extended and developed for by device developers, operators as well as aftermarket means that there is both commonly within devices running the same OS as well as a wealth of information. This in turn helps aid the successful exploitation – we have also seen the emergence of traditional malicious code on two of these platforms (Symbian and Windows Mobile).
To say this malicious code is on the same scale as the desktop as I’ve said many times before would be only to overplay the situation. However the following points are true – we now have mobile devices that have such ubiquitous communication and that comparative to their desktop counterpart are at least a generation or two behind in security evolution. This means that as the value and sensitivity of the data held on mobile devices increases, combined with the facts that their prevalence is increasing, their links into the corporate infrastructure increase. The fact that the desktop is becoming harder to attack means that it is logically only a matter of time before we see the emergence of, at best case, targeted attacks against mobile devices, and at worse case, epidemics as we see on the desktop today.
Many people ask why we haven’t seen widespread mobile attacks to date. My reply is often simple and sometimes quite short – that is ‘why bother when the desktop is still so fruitful?’ We have to remember attackers are lazy – they will rarely innovate of their own volition – often only choosing new targets when forced to do so. This, combined with the fact that the handset market is quite fragmented between the three players and the mix of proprietary platforms, means that locating the correct type of device to attack or propagate to in a non discriminatory manner (Microsoft doesn’t have 90% of this space) is much harder, and is likely to fail. The attack is also more likely to be detected and mitigations installed in the network where possible and signatures rolled out to handset Antivirus.
However we have had one good example where most vendors made some sort of mistake – and that, my friends, was Bluetooth. One standard, with many implementations, and many mistakes – this demonstrated that implementation issues or standards interpretations through standard stack based overflows could exist in code developed by many vendors with an impact on security. This was quite a scare - but since then the industry has not had to respond to anything of this scale.
So before I ramble for too long, on to what I’m at Microsoft to talk about. Well I’ve been working for Advanced Threat Research for nearly two years now and before that Government Research at Symantec. I’ve been looking at the types of threats mobile devices and networks are susceptible to. Some of this research has been summarized on a Symantec Blog [1] [2]. The rest has been directed solely at our internal product teams. As part of this research, I’ve spent a lot of time documenting the attack surfaces of mobile devices [3], as well as doing some deeper analysis on Windows CE/Mobile. It is both of these subjects that I’m here at Microsoft to present on. In summary, my talk covers:
§ General Summary of CE 5.x’s, WM 5’s and WM6’s security posture
§ The susceptibility of CE 5/WM 5 & 6 to rootkits and why there is no real difference from the desktop [4]
§ Mobile Device Attack Surfaces
§ Experiences of interacting with MSRC when discussing security issues [5] [6]
The goal is really to leave the audience with six messages:
§ Security investment in CE/WM has paled when compared to the desktop
§ The net result being that it doesn’t have many of the same mitigations as the desktop
§ The vulnerabilities it’s susceptible to are no different than the desktop and their impact no less
§ The ubiquity of communications means they have the largest attack service of any system currently in existence
§ That by addressing these issues today we can stop a repeat of the running battles we’ve seen on the desktop – i.e. Let’s learn from what’s happened before
And with that I’ve think I’ve typed enough, all pretty logical, all pretty straightforward…
I raise my beer to change and improvement!
[1] http://www.symantec.com/enterprise/security_response/weblog/security_response_blog/mobile_wireless/
[2] http://www.symantec.com/enterprise/security_response/weblog/authors/ollie_whitehouse.html
[3] http://www.symantec.com/enterprise/security_response/weblog/upload/2007/02/MobileThreatBlog-lg.jpg
[4] http://www.symantec.com/enterprise/security_response/weblog/2007/07/windows_cemobile_rootkits.html
[5] http://www.symantec.com/enterprise/security_response/weblog/2006/05/the_elephant_under_the_carpet.html
[6] http://www.symantec.com/enterprise/security_response/weblog/2007/04/the_elephant_is_still_under_th.html
-—————–
Editor’s Note: For more information on Microsoft’s Mobile and Embedded Security, see http://msdn2.microsoft.com/en-us/embedded/aa714508.aspx