CONTEXT-AWARE SECURITY THROUGH RAIN™ RFID

ADVANCED ATTACKS AGAINST MOBILE/IOT DEVICES
HARDWARE
• Cold-Boot Attacks
• Chip Extraction
• Side-Channel Attacks
• BIOS/UEFI Exploits
SOFTWARE
• App Vulnerability Scanning
• Reverse Engineering
• Privilege Escalation Attacks
• Advanced Persistent Threats
WIRELESS/NETWORKS
• Man-in-the-Middle Attacks
• Over-the-Air Fuzzing
• Signature Tracking & Analytics
• Protocol Analysis
CHALLENGES FACING CURRENT MOBILE SECURITY APPROACHES
+ MOST MOBILE PLATFORMS ARE DEVELOPED FOR COMMERCIAL USE AND ARE INCREASINGLY PROPRIETARY
- Companies like Apple and Samsung are developing more and more isolated hardware and software that requires organizations to stay within their ecosystem – resulting in single vulnerabilities inflicting system-wide weaknesses.
+ MANY HIGHLY SECURE PLATFORMS FALL BEHIND AND ARE DIFFICULT TO UPGRADE
- While some custom solutions offer high levels of security, they are difficult to update to new hardware and operating systems. Customized OS builds are difficult to maintain and require rebuilds when major changes are released.
+ MOST ORGANIZATIONS THINK “TABLET = SMARTPHONE,” INSTEAD OF “TABLET = PC” FOR SECURITY
- Many organizations still lower their security posture for tablets due to misunderstanding hardware capabilities. Tablets are now capable of being high-performance machines with the same (or better) hardware than laptops.
+ MOST ORGANIZATIONS’ SECURITY PROFESSIONALS THINK DEFENSIVELY, NOT OFFENSIVELY
- Many mobile security professionals focus on network- and app-level security threats, often failing to understand that most advanced offensive attackers focus on hardware, firmware, and OS-level vulnerabilities to defeat higher-level defenses.
EXAMPLE POLICIES FOR MOBILE/IOT SECURITY
DUE TO VULNERABILITIES, STRICT IT POLICIES ARE NEEDED
+ Devices must be powered off when outside of organizationally controlled buildings
+ Devices can only connect to approved wireless networks
+ Devices must have network and data-at-rest encryption
+ Data must be capable of being wiped remotely
+ Bluetooth, NFC, and other wireless communication capabilities must be disabled
+ Cameras, microphones, and other hardware must be disabled
THE ROLE OF CONTEXT IN ORGANIZATIONAL POLICIES
+ Contextual elements – such as location – play a critical role in organizational security policies for IT assets
+ Two major constraints exist with enforcing policies on IT assets:
- Most rules/responses require manual user action
- Contextual triggers are only available when the device is powered on, post-boot, and the user is authenticated
(Diagram: Person/Actor/Asset → Contextual Trigger → Rule/Response, together forming the organizational policies)
CONTEXT-AWARE SECURITY TRIGGERS
(Diagram: contextual triggers feed a correlated security response based on policy rules)
Contextual triggers:
- Location/Proximity
- Device Power State
- Peripheral Connections
- Network Access/Authentication
- User Proximity
- User Credentials
Trigger sources: RFID, Wi-Fi, GPS, Bluetooth
Output: Correlated security response based on policy rules
DISTRICT: DEFEND™ SOLVES TRADITIONAL MOBILE WEAKNESSES
(Diagram: device stack of Intel vPro™, Hypervisor, Virtual Machine, Operating System, and App/Files, with an Impinj™ RFID Tag supplying a Location-Specific Policy)
MOBILE DEVICE POLICY CONTROL
Control access to VMs, HW features, networks, OS, applications, and data based on client’s location policies
MOBILE DEVICE PROTECTION
Enforce disk encryption, disable power controls, alert IT when devices leave authorized areas, and wipe data
DISTRICT: DEFEND™ LOCATION-BASED SECURITY (EXAMPLE)
(Floor-plan diagram, repeated across four slides, following a test user’s path through four districts:)
District 0: Lobby & Exterior
District 1: Hallway & Open Conference Rooms
District 2: Typical User Work Spaces
District 3: Sensitive Information Access Point
Step 1:
• Device Powered On
• WiFi/NIC Disabled
• Launch VM (Thick)
• Access to Basic Apps
Step 2:
• WiFi/NIC Enabled
• Connect to Network
• Enable Full App Suite
• Access to Personal Files
Step 3:
• WiFi Disabled/NIC Enabled
• Enable Full App Suite
• Launch VM (Thin)
• Access Secure Files
Step 4:
• Device Powered Off
• Full Encryption
• Disable Power On
SECURE LOCATION DATA VIA RAIN™ RFID
OVERCOMING MISCONCEPTIONS
Misconception: RFID is insecure for transferring sensitive data
- No sensitive data is transmitted over RFID
- All data is management data and is signed/encrypted
Misconception: RFID is susceptible to cloning or denial of service
- Passive RFID does not function well through walls
- A random number and nonce prevent replay
+ Location-based security provides the ability to automatically enforce organizational policies based on a mobile device’s physical location
+ Why Passive RFID?
- Does not actively transmit
- Does not penetrate well through walls
- Out-of-band and does not commingle with sensitive data
- Allows for policy updates and tracking even when the device is powered off
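The two ideas on this slide (management-only data that is signed, and a nonce that defeats replay) together with the district walkthrough above, as an added Python example. This is not code from the deck or from District: Defend; it assumes a message format (district id, increasing sequence number, random nonce, HMAC-SHA256 tag over canonical JSON), a constructed shared key, and a constructed policy table. The slides do not state which walkthrough step belongs to which district, so that assignment in the table is an assumption.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed shared key, standing in for a per-device key provisioned at
# enrolment (a real deployment would keep it in hardware-backed storage).
DEVICE_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)

# Assumed policy table: district id -> responses the device agent enforces.
# The responses are the ones named in the walkthrough; mapping each
# walkthrough step to a district number is an assumption for this example.
POLICIES = {
    0: {"power_on": False, "disk_encryption": "full"},
    1: {"power_on": True, "wifi": False, "nic": False, "vm": "thick", "apps": "basic"},
    2: {"power_on": True, "wifi": True, "nic": True, "apps": "full", "files": "personal"},
    3: {"power_on": True, "wifi": False, "nic": True, "vm": "thin", "apps": "full", "files": "secure"},
}


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so reader and device MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_management_message(key: bytes, district: int, seq: int) -> dict:
    """Reader side (assumed format): a management message carrying only a
    district id, a monotonically increasing sequence number and a random
    nonce, authenticated with HMAC-SHA256. No sensitive data is carried."""
    payload = {"district": district, "seq": seq, "nonce": secrets.token_hex(16)}
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class DeviceAgent:
    """Device side: authenticate each message, reject replays, then return the
    policy for the reported district. Unknown districts fall back to the most
    restrictive policy (district 0) so the agent fails closed."""

    def __init__(self, key: bytes, policies: dict):
        self.key = key
        self.policies = policies
        self.last_seq = -1
        self.seen_nonces: set[str] = set()
        self.current_district: Optional[int] = None

    def verify(self, msg: dict) -> bool:
        payload, tag = msg.get("payload"), msg.get("tag")
        if not isinstance(payload, dict) or not isinstance(tag, str):
            return False
        expected = hmac.new(self.key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # forged, or tampered with in transit
        seq, nonce = payload.get("seq"), payload.get("nonce")
        if not isinstance(seq, int) or not isinstance(nonce, str):
            return False
        if nonce in self.seen_nonces or seq <= self.last_seq:
            return False  # replay of an earlier, genuine message
        return True

    def handle(self, msg: dict) -> Optional[dict]:
        """Return the policy to enforce, or None if the message is rejected."""
        if not self.verify(msg):
            return None
        payload = msg["payload"]
        self.seen_nonces.add(payload["nonce"])
        self.last_seq = payload["seq"]
        self.current_district = payload.get("district")
        return self.policies.get(self.current_district, self.policies[0])


if __name__ == "__main__":
    agent = DeviceAgent(DEVICE_KEY, POLICIES)
    genuine = sign_management_message(DEVICE_KEY, 2, 1)
    print("first delivery:", agent.handle(genuine))   # district 2 policy
    print("replayed copy: ", agent.handle(genuine))   # None
    tampered = sign_management_message(DEVICE_KEY, 0, 2)
    tampered["payload"]["district"] = 2               # MAC no longer matches
    print("tampered:      ", agent.handle(tampered))  # None
```

The nonce set catches an exact replay of a captured message, and the sequence check catches an older genuine message being presented after a newer one; the MAC is checked first and with a constant-time comparison so that neither freshness check ever runs on unauthenticated input.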
SIGNIFICANCE TO RAIN™ COMMUNITY
DRIVE ORGANIZATIONAL ADOPTION
+ Many organizations will not spend money on RFID infrastructure for “dumb” assets
+ Connected devices have access to sensitive information and networks – higher security budget
ESTABLISH NEW MARKETS
+ Global adoption of mobile devices has exceeded that of traditional desktops
+ Indoor office environments (low ceilings) are untapped, yet in need of reliable asset management solutions
EXPAND VENDOR ADOPTION
+ Booz Allen has worked to integrate RAIN RFID tags into two of the world’s largest mobile hardware vendors
+ Promote “informed” devices that utilize data from RFID tags
AN ORGANIZATION’S MOST VALUABLE ASSET IS INFORMATION
NEAR AND LONG-TERM FOCUS
(Slide groups the items below under NEAR-TERM PRIORITIES and LONG-TERM PRIORITIES)
+ Expand customer base beyond government into healthcare, oil & gas, and finance
+ Support partners in deploying RAIN RFID-embedded secure server technology (e.g., Intel AIR)
+ Deploy District: Detect asset analytics and management tool
+ Work with partners on smartphone solutions
+ Continue working with laptop and tablet OEMs to embed RAIN RFID tags into additional product lines
BOOZ ALLEN’S DISTRICT: DETECT ANALYTICS & MGMT TOOL
(Screenshot of the District: Detect tool)
OPPORTUNITIES IN RAIN RFID-RELATED TECHNOLOGY
+ Accurate real-time positioning in sub-10ft (3m) ceiling height
+ Low-cost (<$1,000), small-footprint doorway reader capable of directional detection and independent writes for each direction
+ On-tag protections against advanced replay and cloning attacks
+ Embedded tags with I2C communications