Pwn2Own lesson: Don't thumb nose at mobile security threats

As you move data around your mobile device it's important to understand that these can be hacked -- even in a mass-attack using a compromised ad-network -- and try to keep the damage to a minimum.
Written by Ryan Naraine, Contributor

AMSTERDAM -- As part of my job monitoring security threats and trends, I'm exposed to a healthy dose of paranoia from white hat researchers who find it trivial to hack into modern operating systems and platforms.

After a few days of hanging out in the hallways and bars with exploit writers, I always find myself clutching my laptop to my chest a little tighter and constantly peeking at my mobile phone to make sure nothing out of the ordinary is happening.

None of this paranoia is misplaced. Just pay attention to the lessons from the Pwn2Own contests organized by the CanSecWest/EuSecWest folks (shout-out to Dragos Ruiu for putting together top-notch events) and you get a real-world understanding of why it's near impossible to keep a motivated adversary at bay.

This week, I had the opportunity to interview the hacking teams that used zero-day vulnerabilities and clever exploitation techniques to compromise fully patched iPhone 4S and Android 4.0.4 (Samsung S3) devices and the big message from these hackers was simple: Do not use your mobile device for *anything* of value, especially for work e-mail or the transfer of sensitive business documents.

For many, this is not practical advice. After all, your mobile device is seen as an extension of the computer and there is a legitimate need to access work e-mail on iPhone/iPad, Android and BlackBerry smart phones. However, whether you are a businessman, a celebrity or the average consumer, it's important to start wrapping your mind around the idea of separating work from play on smart phones and tablets.

Sure, anti-exploit mitigations like ASLR and DEP have put up roadblocks for hackers looking to break into mobile platforms but these are becoming more and more trivial to bypass. The hacking team from Certified Secure told me it took less than three weeks to break into Apple's iPhone 4S. That included the search for an exploitable vulnerability and the creation of a clean exploit to jump through anti-exploit mitigation hoops. Their motivation: PR and a $30,000 cash prize.

The motivations for targeted attackers -- whether it's nation-state cyber-espionage or APTs targeting businesses or political activists -- are much, much higher. As proven here, a skilled hacker can beam an exploit via NFC to automatically open a maliciously rigged document on your Android device. A few exploitation tricks later and it's game over. On iPhone, which is widely hailed as the most secure mobile OS platform, WebKit continues to be a security nightmare and a popular target for hackers building drive-by download exploits. There are still ways to bypass Apple's code signing and sandboxing mitigations.


The fact that the three main platforms (iOS, Android and Blackberry) all use WebKit and all struggle with timely patching of known WebKit vulnerabilities is cause for greater concern.

I'm particularly impressed by RIM's approach with "Balance," the technology that separates and secures work and personal information on BlackBerry devices. By separating personal and work personas, RIM is providing greater control over how businesses apps and data are accessed by personal apps. This helps ensure work information is kept separate and secure. "Balance" will effectively make sure a users' personal apps can't access work information, and work information can't be copied and pasted into personal apps or e-mail messages.

It's not perfect and I'm sure an enterprising researcher will eventually find a way to circumvent this but it's the right way to think about securing data on mobile platforms. If we can keep Angry Birds and Facebook/Twitter apps away from sales reports and Excel files, we'll feel better about that thing in our pockets.

If there's data you absolutely can't have in the hands of a cyber-criminal (think personal photographs, certain e-mails and SMS messages), then you want to keep them away from an easy-to-hack mobile device.

Remember to do the simple things like use a strong pass-lock code, uninstall bloatware from Android-powered devices, keep apps and the mobile OS fully updated and try to keep work and personal life separate.

As you move data around your mobile device(s), it's important to understand that these can be hacked -- even in a mass-attack using a compromised ad-network, for example -- and try to keep the damage to a minimum.

Editorial standards