
Mobile Security Threat and Countermeasures

Zuleika G. López
Polytechnic University of Puerto Rico
[email protected]

Advisors: Jeffrey Duffany, Alfredo Cruz

Abstract

It’s common to have mobile devices such as smartphones or tablets as part of your daily routine. Despite the high risk of losing important data, more companies are agreeing to let their employees bring their personal devices into the work area. Some companies provide smartphones, tablets, and other devices to their employees to be used as company tools. Hence, more employees are using their mobile devices for personal as well as for business purposes. Therefore, hackers have been redirecting their sights from the traditional data centers to mobile devices. In this paper, we will discuss different kinds of malware, how hackers could reach your “hand”, and which information they are most likely looking for. The paper will present statistical data regarding the most commonly infected mobile devices on a global scale. The focus of the research is to examine several applications that hackers use to invade the user’s privacy and to explain what the hackers are looking for. The objective is to make the business community and the average user aware of these threats. Remember, the hackers are closer than you think.

Key words: wireless attack, hacking tools, infected mobile device.

Introduction

Analyzing the statistical data, the usage of mobile devices such as tablets and smartphones has increased considerably. The tendency to use mobile devices for both business and personal use is increasing every year. The use of personal devices doubled in 2014 compared to the previous year. Corporate America allows employees to bring their own devices, a practice known as “Bring your own device (BYOD)”, to their facilities. On the other hand, the number of companies that provide tablets to their employees increased by 30%. This thirty percent means that three out of ten companies are constantly changing their policies and their security. These devices are used in a variety of ways, such as for e-mail service, where sensitive company information may be exchanged, or even to access the company’s server in order to approve transactions. Managing information in this way is a security risk that companies undergo, sometimes without even knowing that the risk exists. Hackers take advantage of these opportunities to gain sensitive information.

The main objective of this paper is to build awareness and present the risks of threats to the general users and to the business community.

Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 1


First, the document will discuss several types of security connections. Next, it will discuss the information that hackers are looking for. One of the main sections will explain how hackers can obtain personal and business data. The paper will demonstrate the MITM proxy tool that hackers use in their attacks. Finally, it will suggest and recommend some tips to prevent or minimize hacker attacks.

Security Connections

This section will discuss different types of encryption. The first one is the Wired Equivalent Privacy (WEP) protocol. Based on the IEEE 802.11 specifications, the purpose of WEP was to provide a level of security in wireless networks similar to that found in wired networks. WEP turned out to be insecure due to a flaw in its design, which gave hackers easy access. Years later the Wi-Fi Protected Access (WPA) standard was born; an enhanced version was later published under the name WPA2, and until now it has been harder to hack. Even though WPA provides security enhancements, it is still susceptible to dictionary attacks. Now more than ever, WEP encryption is still being used for personal or business purposes. The purpose of this document is to create awareness of how easy it is to break this type of encryption. One of the first and most basic errors is leaving the original configuration of the wireless access point provided by the Internet Service Provider (ISP). This common error occurs in homes and businesses. In some cases businesses might not have the right personnel to implement this type of encryption.

Companies should contract ethical hackers to examine their networks. Ethical hackers understand the methods and tools used by “external” hackers and can develop a method to protect the data. It is important to understand that once an attacker gains access to the network, a new set of attacks can be executed against the clients connected to that network.

There are plenty of tools that hackers could use. In addition, most of those tools are available online as free and open source, and there are many tutorials explaining their usage. For test purposes the following tools were obtained from the internet for free:

• Kismet (Airmont)
• Wardrive (Blueman)
• Wireshark
• Man-in-the-Middle proxy (Python)
• Aircrack-ng
• Brute Force

For example, the following figure presents the Kismet application, in which the hacker can obtain the SSID of the network and the type of security encryption, which in this case is none.

2 Editors: Gurpreet Dhillon and Spyridon Samonas


Figure 1: Kismet Application – Security encryption: None

The figure below shows a connection that has better encryption. For example, it shows the manufacturer information, which is “BelkinIn”, and the types of encryption, which are the following: WPA+PSK and WPA+AES-CCM, on channel 5. Although it has all of those security levels, the hacker will still know the MAC address and the SSID, which could be used to attack.

Figure 2: Kismet Application – Security encryption: WPA+PSK, WPA+AES-CCM

The Kismet application is used by the attacker to learn which kind of connection the possible victim has.

Based on the documentation previously discussed, the first step in attacking a protected wireless network must be to gain access to it by breaking the encryption. Only then can other attacks proceed. For the purpose of this research, it was necessary to use a wireless adapter as additional equipment. In particular, the Alfa AWUS036H is a USB wireless adapter from the company ALFA Network Inc. (www.alfa.com.tw). This is a common antenna used by hackers; it is easy to use and to purchase in different stores at an accessible price. In addition, the web has several videos and other information showing how to use it.

Ethical Hacking

One of the most important branches of security is ethical hacking. This division of security should be taken seriously, because it attempts to improve system security based on knowledge of its vulnerabilities.

One of the jobs that an ethical hacker could do is test unreleased beta software and scan computer networks for vulnerabilities. Therefore, they are very helpful, and the difference between good and bad intentions should be established when referring to hacking. The cracker, or black hat hacker (discussed below), obtains unauthorized access with the purpose of obtaining financial gain, sabotaging systems, promoting political causes or stealing information. To further help differentiate a good hacker from a bad one, hackers can be divided into the following three groups:

• White Hats: This group refers to ethical hackers who use their hacking skills for defensive purposes. White-hat hackers are security professionals who understand how hackers work and use that knowledge to locate weaknesses and implement countermeasures. They hack with permission from the data owner.

• Black Hats: This group refers to malicious hackers or crackers who use their skills for illegal or malicious purposes.

• Gray Hats: This group refers to those hackers who may work offensively or defensively, depending on the situation.

The information security personnel who perform penetration tests (specific and controlled attacks) are often consultants or outsourced contractors, also known as tiger teams or red teams.

Malware and its Threats

It is important that people and IT personnel constantly review the list of new mobile malware. This section will present some of the latest malware and third-party malware apps:

• Zitmo – a mobile version of the Zeus malware.
• Nickspy Trojan – has been infecting mobile devices since 2011 (fake Google Plus app).
• TigerBot – uses SMS to control the installed bot. It is an application that can be downloaded from a 3rd-party store, predominantly in Asia.

When a potential victim connects to an unsecured Wi-Fi source, hackers can also use applications to obtain their information. For example, Faceniff is an Android version of Firesheep: it uses packet sniffing to intercept unencrypted cookies and steal the user’s credentials.

Tools used by Hackers

In addition to the examples previously discussed, hackers use different methods to perform criminal activities. They are constantly looking for connections and vulnerabilities to take advantage of and perform attacks. The invasion has different steps to follow: 1) Sniffing, 2) Scanning, 3) Gaining Access (actually hacking the system), 4) Maintaining Access, 5) Covering tracks.

This document presents how hackers attack, mainly using unsecured wireless connections. They could use different ways to perform the attack, but this section will describe the methodology and testing using two applications: first Wireshark and then the Man-in-the-Middle proxy attack (MITM). The purpose of this section is not to train on how to use these applications, but to obtain a high-level understanding of which tools hackers use and what kind of data they could gain access to.

Wireshark

Using Wireshark, the ethical hacker or hackers could see the network’s traffic. For example, the figure below shows the traffic packets captured by Wireshark while the test is performed. The captured packets are identified by default colors: green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic and black identifies TCP packets with problems (for example, they could have been delivered out of order).

Figure 3: Wireshark Traffic Captured


This application is very helpful because it lets you use filters to look for and inspect something specific; for example, the traffic using SSD or HTTP. It helps to close down all other applications using the network so you can narrow down the traffic. Using these options makes it easier to sift through the large number of packets and their traffic. The image below represents some of the tests using Wireshark; it shows the hexadecimal bytes on the left side and the “encrypted” message on the right side.

Figure 4: Wireshark - Hexadecimal and “Encrypted” message

The Wireshark tool accesses the sources of the packets. Using it, the hacker can obtain the MAC address the packet came from and the MAC address it is going to.

This application has different sections, and its main purpose is to display the traffic. The third section on the left side shows the data as hexadecimal, and the right side changes based on the security in use. Although Wireshark is a sniffing tool, it still holds plenty of information that is very valuable to hackers.
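As an added illustration (not code from the paper or from the Wireshark project), the following Python decodes the Ethernet, IPv4 and TCP headers of a frame, exposing the source and destination MAC addresses discussed above, and renders the bytes the way Wireshark’s bytes pane does, hexadecimal on the left and printable characters on the right. The frame, its addresses and the HTTP request inside it are constructed sample data.

```python
import struct

ETH_HDR_LEN = 14  # Ethernet II header: dst MAC (6) + src MAC (6) + EtherType (2)

# Constructed sample frame, not a real capture: Ethernet II + IPv4 + TCP carrying a
# plain-text HTTP request. Checksums are left as zero because nothing verifies them here.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455")                    # destination MAC (constructed)
    + bytes.fromhex("66778899aabb")                  # source MAC (constructed)
    + b"\x08\x00"                                    # EtherType 0x0800 = IPv4
    # IPv4: ver/IHL, TOS, total length 83 | id, flags/frag | TTL 64, proto 6 (TCP), csum
    + bytes.fromhex("45000053" "00004000" "40060000")
    + bytes.fromhex("c0a80164" "c0a80101")           # src 192.168.1.100, dst 192.168.1.1
    # TCP: src port 50000, dst port 80 | seq | ack | data offset 5, PSH/ACK, window | csum, urg
    + bytes.fromhex("c3500050" "00000001" "00000000" "5018ffff" "0000" "0000")
    + b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
)


def mac_str(raw: bytes) -> str:
    """Format six raw bytes as colon-separated hex, as Wireshark shows MAC addresses."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet II, IPv4 and TCP headers and return the fields plus payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:            # only IPv4 is decoded in this example
        return info
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4           # header length in bytes (IHL is in 32-bit words)
    info.update({
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "protocol": ip[9],
    })
    if ip[9] != 6:                     # only TCP is decoded
        return info
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4      # TCP header length from the data-offset nibble
    info.update({"src_port": sport, "dst_port": dport, "payload": tcp[data_off:]})
    return info


def hexdump(data: bytes, width: int = 16) -> list:
    """Render bytes like Wireshark's bytes pane: offset, hex column, printable-ASCII column.
    Unencrypted content (here an HTTP request) is readable in the right-hand column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_col = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hex_col}  {asc_col}")
    return lines


if __name__ == "__main__":
    f = parse_frame(SAMPLE_FRAME)
    print(f"{f['src_mac']} -> {f['dst_mac']}  {f['src_ip']}:{f['src_port']} -> {f['dst_ip']}:{f['dst_port']}")
    print("\n".join(hexdump(SAMPLE_FRAME)))
```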

On the other hand, companies and their ethical hackers could use the Wireshark tool to detect and prevent attacks such as Address Resolution Protocol (ARP) spoofing. This is because Wireshark can also provide a summary of ARP flooding and ARP spoofing attack events. The company could trace and obtain the attacker’s information and present it in court.
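As an added example (not from the paper and not Wireshark’s own code), the Python below runs the two checks behind an ARP event summary over a constructed list of ARP messages: an IP address announced by more than one MAC (the duplicate-IP condition that reveals ARP spoofing) and a burst of replies from a single MAC (ARP flooding), plus a comparison against a trusted IP-to-MAC inventory. The records, addresses, inventory, window and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed ARP messages (not a real capture), in the shape of Wireshark's summary:
# (timestamp in seconds, opcode, sender MAC, sender IP). 192.168.1.1 is the gateway.
SAMPLE_ARP = [
    (0.10, "is-at", "aa:bb:cc:00:00:01", "192.168.1.1"),
    (0.20, "is-at", "aa:bb:cc:00:00:02", "192.168.1.50"),
    (1.05, "is-at", "de:ad:be:ef:00:99", "192.168.1.1"),  # gateway IP claimed by a second MAC
    (1.06, "is-at", "de:ad:be:ef:00:99", "192.168.1.1"),
    (1.07, "is-at", "de:ad:be:ef:00:99", "192.168.1.1"),
    (1.08, "is-at", "de:ad:be:ef:00:99", "192.168.1.1"),
    (1.09, "is-at", "de:ad:be:ef:00:99", "192.168.1.1"),
    (2.00, "who-has", "aa:bb:cc:00:00:02", "192.168.1.50"),
]

# Trusted IP -> MAC inventory a defender would keep (constructed; e.g. from the DHCP server).
KNOWN_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def find_ip_conflicts(records):
    """Return {ip: sorted MAC list} for every IP announced ('is-at') by more than one MAC.
    Two MACs claiming one IP is the classic sign of ARP spoofing."""
    claims = defaultdict(set)
    for _, opcode, mac, ip in records:
        if opcode == "is-at":
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def find_reply_floods(records, window_s=1.0, threshold=4):
    """Return MACs that send more than `threshold` ARP replies inside any `window_s` span
    (sliding window over sorted timestamps). Window and threshold are assumed values."""
    stamps = defaultdict(list)
    for ts, opcode, mac, _ in records:
        if opcode == "is-at":
            stamps[mac].append(ts)
    flooders = []
    for mac, times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                flooders.append(mac)
                break
    return sorted(flooders)


def check_known_bindings(records, known=KNOWN_BINDINGS):
    """Flag replies whose MAC disagrees with the trusted inventory, e.g. a fake gateway."""
    return [(ts, mac, ip) for ts, opcode, mac, ip in records
            if opcode == "is-at" and ip in known and known[ip] != mac]


if __name__ == "__main__":
    print("IP conflicts:", find_ip_conflicts(SAMPLE_ARP))
    print("Reply floods:", find_reply_floods(SAMPLE_ARP))
    print("Inventory mismatches:", check_known_bindings(SAMPLE_ARP))
```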

Man in the middle

Another tool used by hackers to attack and obtain more information is the Man in the Middle (MITM) proxy. MITM proxy is an interactive console program that allows traffic flows to be inspected and edited on the fly. The following figures show the penetration traffic test. Figure 5 shows the log-in information to an e-mail account, which includes the password and the access status (whether it succeeded or not). Figure 6 is an e-mail which shows the recipient, subject, and whole body as plain text. Once the hacker has access to the connection, they can trace and see any HTTP traffic from the devices.


Figure 5: MITM Proxy - Email sign-in, includes password information

Figure 6: MITM Proxy - Email sent, includes whole body text without encryption

Editor’s note: While this paper discusses general strategies that could be used maliciously, the tools discussed in the previous sections are intended for defensive purposes only, and should not be employed for any other reason.

Recommendation

Users, whether for personal or business purposes, have to be alert to threats. The following security and prevention recommendations apply to both personal and business purposes:

• Closely know about the enemy and its techniques.
• Once on a page, if the Certificate Security Error is activated, close it immediately.
• Take advantage of the free credit report. Request it every year. Carefully corroborate all the information included in it.
• Download mobile applications only from the official store (App Store, Play/Google store).
• Do not open a bank account using a link from an e-mail. It is preferable not to include any bank information in an e-mail. Prevent phishing of your account.
• Do not connect any unauthorized device in the work area.
• Preferably use a secure connection to minimize easy attacks.
• Activate the mobile device login password.
• Use a different password for your bank account and other accounts. (Do not use the same 4-digit mobile device login password as your ATM security code.)

Based on the analysis of these tools and the knowledge of the threat, I recommend that the companies provide more training to their personnel to improve the information security.

Conclusion

Taking the increasing rate of mobile threats as a starting point, we can assume that there will be a consistent increase in the acceptance of mobile usage globally. As this acceptance increases, there can’t be an absolute certainty or guarantee that cases of stolen data will stop, but they can be reduced by using basic methods and being alert to any possible threat. Thus, with the above stated, enterprises should protect their data with secure software, but they also have to be diligent and provide the corresponding training to their personnel in order to minimize the hacking risk. Hackers are closer than one might think. Knowing the threat, you can defend yourself.

Acknowledgement

This material is based upon work supported by, or in part by, the U. S. Army Research Laboratory and the U. S. Army Research Office under contract/grant number W911NF1110174.
