cysecure.orgcysecure.org/.../gpr_subinthomas_johnnuccio_anwarca…  · web viewa man in the middle...


Mobile Device Network Security-IASP 470

Capstone Group Project: Mobile Device Network Security

IASP 470 Capstone

Professor: Dr. Yoon

Group Members-

Subin Thomas

John Nuccio

Anwar Campbell

Page | 1


Student Name / Project Contribution

John Nuccio: Introduction to MITM on Mobile Devices, Man in the Middle attack on mobile devices, Overall steps to reduce risk, MDM Testing, Topic Conclusion, Project Formatting and Review

Subin Thomas: Our Defensive Approach to MITM via MDM, MDM Implementation & Testing, Initial Configuration- MDM Server, Administrator Console & Device Configuration, Conclusion, Project Formatting and Review

Anwar Campbell: Preliminary MITM Introduction, Types of MITM Attacks & Scope of overall threats


Abstract

Mobile devices have increased exponentially in popularity in the last few years. Devices have become more powerful and efficient, so users are no longer bound to larger desktops for processing power. With more and more people working remotely, connecting to public Wi-Fi networks has become essential in order to access data from mobile devices. However, these public Wi-Fi networks cannot be trusted, as they are targeted by hackers looking to exploit or spoof the victim in order to obtain unauthorized data from the device. Once the device has been compromised, sensitive data on the user’s device is accessible to the hacker, and often the user does not realize it until it’s too late. Free Wi-Fi is now accessible all over New York City: in restaurants, cafes and basically anywhere that connects to the Internet. With this being said, Man in the Middle attacks, which used to be hard to attempt when Wi-Fi was limited, can now be carried out by the person getting coffee right next to you or by someone walking alongside you in the city.


Table of Contents

Abstract 3
Introduction 5
1.1 Preliminary MITM Introduction 5
1.2 Types of MITM Attacks & Scope of overall threats 6
2.1 Man in the Middle attack on mobile devices 8
2.2 Overall steps to reduce risk 10
3.1 Our Defensive Approach to MITM Via MDM 11
3.2 MDM Implementation & Testing 12
3.2.1 Initial Configuration- MDM Server 12
3.2.2 Administrator Console & Device Configuration 13
Conclusion 14
References 15


Introduction

With the growth of mobile devices being used for both personal and work purposes, the risk of mobile devices being attacked is extremely high. The most common attack that we have found is the Man in the Middle attack. In brief, a MiTM attack is one in which an attacker intercepts a connection from the server to the user or vice versa. The victims of these attacks do not always know that the attack is happening or what information the attacker has retrieved. Most of the information that attackers gain is personal: credit card information, emails, contact information or any notes that the user has saved on their phone. This is even more concerning in a business environment. In an enterprise scenario users have to work from their phones, and with a compromised device an attacker can access work emails or even work files. In the following paper our team presents a solution that we believe is the best way to help companies prevent MiTM attacks on their employees’ mobile devices.

1.1 Preliminary MITM Introduction

A Man in the Middle is one of the most popular types of attack on a network because it is simple to implement. The goal of the attack is to secretly intercept communications between two parties, either to spy on individuals or to redirect a user to another location where their information can be stolen. During the attack the information can be altered or used to gain access to the system in the future. “Man in the Middle attacks are one of the oldest forms of cyber attacks and computer scientists have been looking at ways to prevent of tampering or eavesdropping on communications since the early 1980s” (Swinhoe). These types of attacks are an ever-present threat to individuals and organizations, and we need to take the steps necessary to eliminate them or reduce the risk.


1.2 Types of MITM Attacks & Scope of overall threats

There are several techniques that can be used in a Man in the Middle attack. Attackers are able to use DNS spoofing, IP spoofing, ARP spoofing, email hijacking and session hijacking. Email hijacking is the process by which the malicious user gains access to the user’s email account and monitors their communication. Sometimes they will use the information that they obtain to begin phishing attacks or sell the information to someone else. A man in the browser attack is a form of attack where the attacker compromises one of the browsers being used in order to carry out some form of fraud, usually financial. The attacker usually takes advantage of vulnerabilities in the browser to manipulate its inherent functionality, modify its behavior and intercept the information that they intend to steal.

Two other methods an attacker can use are “SSL stripping, where the attacker establish a secured connection between themselves and the server, but with an unsecured connection with the user and an Evil Twin attack where he has mirrored a legitimate Wi-Fi Access Point where he can monitor and collect all information the user sends” (Swinhoe). Although these types of attacks are mainly focused on wired and wireless computer networks, it is also possible to conduct them using fake cell towers to steal information from your mobile device. A Man in the Middle attack can be started with freely available tools like Wireshark, Ettercap and Cain & Abel.

There are several steps that you can take to protect yourself from becoming a victim of a Man in the Middle attack. Encryption is a great way to protect yourself, and it can be easily applied by only accessing secured websites. According to Google, over 90 percent of traffic is now encrypted in some countries. “Though flaws are sometimes been discovered, encryption protocols such as TLS are one of the best ways to help protect against Man in the Middle attacks” (Swinhoe). Another way is to make sure that you only access trusted Wi-Fi networks or use virtual private networks (VPNs), and to never join free or open Wi-Fi, because anyone could be capturing the sensitive information being transmitted from your device. Another option is to make sure that all unused switch ports are administratively shut down.

2.1 Man in the Middle attack on mobile devices

Before we get into how Man in the Middle attacks work on mobile devices, I want to show a graph from 2017. This graph shows that more than 7% of all mobile devices in 2017 had a reconnaissance scan performed on them. This scan allows attackers to see which mobile devices are vulnerable to an attack. Once the scan has detected the right phone, the attack begins.

That said, Man in the Middle attacks performed on mobile devices are set up just like those performed on normal computers, and the same rules apply. For a man in the middle attack to work on a mobile device, the victim has to be in the ideal location at the right time. What I mean is that for an attacker to pull off a man in the middle attack, the attacker needs to be monitoring a particular unsecured network that the victim is connected to. Not only does the victim have to be on a poor network, but the victim also needs to have their device and apps configured wrong for the attack to work. If the attacker is able to get a victim to meet these conditions, the outcome can be dangerous. Not only can they see what apps you use, your emails, contacts or any important information that you have saved on your phone, but most importantly any credit card information you have saved on your phone. If you have Apple Pay, Google Pay or Samsung Pay, these are what the attackers will look for. Once they are able to log into your mobile device, all that information is easily accessible and they can take your card information. These attacks may not only steal your personal information; the attackers can also get to your work information. With free Wi-Fi being offered in almost every coffee shop, people are now doing work at their favorite coffee shop, which allows attackers to exploit bad apps and devices to steal important work information. The below diagram compares man in the middle attacks on a computer with those that exploit mobile devices and apps. (Mythbuster: MiTM is the Biggest Mobile Threat, n.d.)

This diagram shows that MiTM attacks on mobile apps and devices have more impact than a normal MiTM attack. It shows that when apps and devices are attacked, 43TB of data is exposed to the world and 1 thousand apps are affected by the attack. Most shocking is that when apps are affected by MiTM attacks, 265 years of audio data is recorded, which means that everyone, including business owners and head executives, should be more aware of the risks of connecting to public Wi-Fi.

2.2 Overall steps to reduce risk

Now that we have gone over what Man in the Middle attacks are and how effective they are when used against a mobile device, here are some very simple steps that a non tech savvy person can take to avoid being attacked. One of the easiest ways to avoid these types of attacks is to never connect to public Wi-Fi. This might be obvious to most if not all people, but a lot of people still connect to public Wi-Fi. Yes, connecting to Wi-Fi is better for downloading your emails and sending email is faster than on 4G, but using 4G is a lot safer than public Wi-Fi. It doesn’t take long for an experienced attacker to connect to your device and steal your information. If you are in dire need of connecting to a network, this brings me to my next solution, which is to connect using a VPN. Using a “VPN encrypt your internet connection on public hotspots to protect the private data you send and receive while using public Wi-Fi” (employee, n.d.). Using a VPN is more secure because in order to access the VPN you would need to input a password, which most attackers won’t know or which would take too long to crack. Another easy way to avoid getting attacked is to make sure that when you use your mobile device to access websites, the URL always starts with HTTPS. HTTPS means that the Hypertext Transfer Protocol is secured: the communication is encrypted, and it is harder for people to attack you through a website. For the more tech savvy, there are apps that you can install to protect yourself from these types of attacks. Most programs that you install on your computer to prevent attacks are also available for mobile devices. Some apps, like Norton, which helps protect you from attacks and also has a VPN app, are great, but they do come with a price. The steps that I have mentioned are the easiest ways for non-savvy people to prevent attacks from happening to them. Not only are they easy, but they are free and cost nothing.

3.1 Our Defensive Approach to MITM Via MDM

Now that an overall depiction of MITM on mobile devices is understood, our approach to combating these types of attacks is to limit connections to only trusted Wi-Fi sources through the use of mobile device management (MDM) software. As previously explored, these attacks can only occur when an end user has an unsecured connection. In our case, we chose to configure business grade MDM software by ManageEngine in order to test our scenario. The software agent would then be configured to only connect to a pre-defined Wi-Fi network. In our approach, we establish a secured test Wi-Fi network with the SSID “carbonX1” (secured Wi-Fi; carbonX1, fig. 1) as our predefined network of choice in our MDM software profile. With it as the only approved network, the end user’s device would only connect to that network when in range and quickly turn down any other connections. This is also the case if the end user tried to connect to a known private network: even with the right authentication credentials, the MDM software will not allow the new connection. In turn, our approach limits the connections the device can have to those pre-approved by the MDM administrator, and thus reduces the risk of MITM.

Fig. 1: secured Wi-Fi network carbonX1 (figure not reproduced here)

3.2 MDM Implementation & Testing

Having conducted a review of the mobile device management software available, we chose to implement and test our approach using Mobile Device Manager Plus by ManageEngine. This company is widely used and recommended in corporate environments and built its success initially with a workstation management product called Desktop Central. With this experience, the company developed a mobile management console that is truly flexible and easily configurable to any business size or need. The MDM software also supports Android, iOS and Windows mobile devices. For our research purposes, ManageEngine provided a 30-day trial of the software along with free support and a user support document. Ideally, the software should be installed on a server and integrated with Active Directory accounts to further enhance security.

3.2.1 Initial Configuration- MDM Server

In our testing environment, we chose to simply install the software on a local machine with administrative privileges. From there, we enabled the MDM service and configured our network connection via port 9383 (HTTPS) so that the MDM app and the MDM server could communicate. Since we were using a Samsung Galaxy S6 (Android device) as our test device, we also enabled port 443 (HTTPS) for connections between the MDM server and FCM (the Android wake-up service which allows commands to execute remotely). In addition, ports 5228, 5229 and 5230 were also allowed on our firewall so that the target device could communicate with the MDM server. Lastly, we also had to allow a list of domains that the MDM server was allowed to reach in order to fully configure it.

3.2.2 Administrator Console & Device Configuration

Now that all the preliminary requirements were configured and met, we proceeded to reach our MDM management console at the configured IP address via a web browser. For our testing purposes, we chose to use the default service account credentials rather than Active Directory, as that was not previously configured. Once in the administrator management portal, we created a test group followed by a test profile. Within this test profile, a variety of parameters and restrictions can be set. From requiring a simple or complex password to denying devices the ability to use certain apps or features, every aspect of the end device can be managed. In our case, we only set the pre-defined Wi-Fi network “carbonX1” as the only approved external source for network connections. We also chose to disable the end user’s Wi-Fi on/off toggle in order to allow for remote access when within range. This is useful in a scenario where the device is stolen: we could execute a remote wipe of the device even if the SIM card was taken out, as the device would receive the command when in range of our defined Wi-Fi network.

Now that the profile and group were set up, we proceeded to download and install the MDM management app on our Samsung Galaxy device from the Play Store. Once installed, we chose the on-premise option and entered our MDM port and user credentials. After verification, we agreed to the legal disclaimers and accepted the remote management disclosures from the MDM agent. The device was now enrolled and available on the MDM console. We proceeded to add it to our test group with the Wi-Fi restriction profile applied. In a matter of a few seconds, the changes were applied and the device could no longer toggle Wi-Fi on/off or connect to any network other than our test network. This was also the case when we tried to manually connect to a new network: even with the correct credentials, the connection was refused, as the MDM serves as the intermediary between the device and the network. It would only authenticate an external connection if it was previously defined in the management profile.
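The profile in section 3.2.2 approves a network by SSID only, which cannot distinguish the trusted access point from the Evil Twin described in section 1.2 (a rogue access point that mirrors the legitimate SSID). The Python below is an added example, not code from the paper or from ManageEngine: it audits constructed Wi-Fi connection events against a profile that pins the enrolled access point's BSSID as well as its SSID, and the log format, device name and MAC addresses are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical MDM profile: the SSID "carbonX1" comes from the paper; the
# pinned BSSID is a constructed value standing in for the enrolled AP's MAC.
APPROVED = {"carbonX1": "aa:bb:cc:dd:ee:01"}

# Constructed log format (not a real vendor export):
#   <timestamp> <device> CONNECT ssid="<name>" bssid=<mac>
#   <timestamp> <device> WIFI_TOGGLE
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<dev>\S+)\s+(?P<event>CONNECT|WIFI_TOGGLE)'
    r'(?:\s+ssid="(?P<ssid>[^"]*)"\s+bssid=(?P<bssid>[0-9A-Fa-f:]{17}))?\s*$'
)


@dataclass
class Finding:
    ts: str
    device: str
    verdict: str   # one of: ok, deny, evil_twin, toggle_blocked
    detail: str


def evaluate(line: str, approved=APPROVED) -> Optional[Finding]:
    """Apply the profile to one event; None for lines the parser does not know."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, dev, event = m["ts"], m["dev"], m["event"]
    if event == "WIFI_TOGGLE":
        # The profile removes the user's Wi-Fi on/off control so the handset
        # stays reachable for remote commands (e.g. a wipe) when in range.
        return Finding(ts, dev, "toggle_blocked", "user Wi-Fi toggle disabled by profile")
    if m["ssid"] is None:
        return None  # CONNECT without network details: nothing to judge
    ssid, bssid = m["ssid"], m["bssid"].lower()
    if ssid not in approved:
        # Refused even if the user holds valid credentials for this network.
        return Finding(ts, dev, "deny", f"SSID {ssid!r} not in MDM profile")
    if bssid != approved[ssid]:
        # Same name as the trusted network but a different access point: an
        # SSID-only allowlist would have accepted this connection.
        return Finding(ts, dev, "evil_twin", f"{ssid!r} served by unexpected BSSID {bssid}")
    return Finding(ts, dev, "ok", f"connected to pinned AP {bssid}")


def audit(lines) -> List[Finding]:
    """Run every log line through evaluate() and keep the judged events."""
    return [f for f in (evaluate(l) for l in lines) if f is not None]


# Constructed events for one enrolled handset (timestamps, names and MACs invented).
SAMPLE_LOG = [
    '2019-04-20T09:01:02 galaxy-s6 CONNECT ssid="carbonX1" bssid=aa:bb:cc:dd:ee:01',
    '2019-04-20T12:14:55 galaxy-s6 CONNECT ssid="CoffeeShop_Free" bssid=10:20:30:40:50:60',
    '2019-04-20T12:15:10 galaxy-s6 WIFI_TOGGLE',
    '2019-04-20T18:30:00 galaxy-s6 CONNECT ssid="carbonX1" bssid=de:ad:be:ef:00:01',
    '2019-04-20T18:31:00 galaxy-s6 kernel: unrelated message',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.device} {f.verdict:14} {f.detail}")
```

The fourth sample event is the case the paper's SSID-only profile would miss: the name matches carbonX1, but the access point serving it is not the one the administrator enrolled.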

Conclusion

With the rise of mobile communication, everyday users rely on a network connection in order to access information. As such, some place convenience over security and will sometimes connect to unverified Wi-Fi sources. When these connections are made, most do not see the vulnerabilities of a public Wi-Fi network before it’s too late. Attackers can access user information through man in the middle attacks, and the best way to thwart these attacks is to connect only to trusted, secure sources. In our testing, we found that by implementing business grade mobile device management software, Mobile Device Manager Plus, we were able to successfully mitigate the risk of connecting to unknown Wi-Fi networks by only connecting to a trusted, pre-established network. With our configuration, we developed a plan to assign only a trusted Wi-Fi source that was predefined in our MDM profile. This strict parameter was executed successfully by Mobile Device Manager Plus, as it is the device administrator between the console and the user. As a result, our target device was only able to connect to the assigned secure network and refused other possible networks, which effectively reduced the chance of MITM. Lastly, we also disabled the Bluetooth functionality of the device through MDM, further layering our security on the mobile device.


References

King, S. (2017, May 18). Mobile Device Threat Data – Q1 2017. Retrieved from https://blog.zimperium.com/mobile-device-threat-data-q1-2017/

Mythbuster: MiTM is the Biggest Mobile Threat. (n.d.). Retrieved from https://www.appthority.com/mobile-threat-center/blog/mythbuster-mitm-biggest-mobile-threat/

Swinhoe, D. (2019, February 13). What is a man-in-the-middle attack? How MitM attacks work and how to prevent them. Retrieved April 25, 2019.

ManageEngine. Setting Up MDM. ManageEngine Mobile Device Manager Plus: Help Documentation. www.manageengine.com/mobile-device-management/help/index.html

ManageEngine. Knowledge Base - Resources. www.manageengine.com/mobile-device-management/knowledge-base.html
