Monday Oct 30, 2023

Physical threats to mobile phones, SIM hijacking, out of band SMS, and Yubikeys

Part 1 of a two-part series on threats to mobile devices and through mobile devices. Tactics and techniques to deal with those threats.

Cohost: Tom Dean – Consulting Ventures

  • Tom has decades of experience in the capital goods manufacturing industry (Fortune 500 scale)
  • Years of experience in marketing, sales & interfacing with independent dealers/distributors (small/medium scale)
  • Current focus is strategy & risk management consulting
  • Lifelong learner with an interest in technology.
  • Strategy + risk management ---> mobile devices

Personal travel:

Laptops have transformed to mobile devices (phones and tablets)

Risk was more contained with laptops, but the impact is much higher with mobile phones. A lot of nuances around "was the password revealed?"

Biometrics are convenient but quite dangerous

Biometrics are a proxy for a numeric passcode on a mobile device.

Physical compromise is a 5-alarm fire situation.

Physical loss without compromise is not that big of an issue as long as authenticators are backed up.

Must have erase after 10 failed password attempts. Turn off notifications on the lock screen so that nothing is displayed while the device is locked.

Avoid banking apps.

The first things that the baddies go after are Venmo, Apple Pay, Cash apps.

Out of band SMS for MFA

SIM swapping risk, or eSIM embedded in the phone

Put a PIN on your physical SIM.

MySudo – Can clone that instance to other phones.

Password manager on phone

Disaster if this is based upon your biometric. You can use a different or secondary PIN. You can use Yubikey.

Password manager helps you recover.

Segmentation strategies

They can see all the emails on your phone and change passwords, because password resets are typically done via email.

Screentime on Apple can be helpful, but there are weaknesses there. The only way to really secure the device is to use an MDM. You still need to be concerned about MFA and account takeovers.

Need to have an out of band mechanism to receive alerts and the ability to remote kill the device.

Microsoft Authenticator and Google Authenticator do not have a separate PIN.

Authy is free. It has its own separate PIN.

Yubikey is great but assumes that you can control physical access to it. Do not store it on your key chain.

Diversification strategy with inventory.

MDM

  • Kill apps
  • Apple Configurator – small scale
  • Apple Business Manager
  • Jamf – requires Apple Business account for security
    • Inexpensive “Jamf Now” for small businesses. Minimum is one device. The first 3 are free. Still affordable beyond that.
    • Don’t let anyone change the account on this device.
    • You have to figure out a lot on your own and block URLs that you don’t want accessed.
  • Apple devices need to be in supervised mode, so it matters how you buy them.
  • Intune

Risk examples

  • loss of device (resiliency e.g. MFA)
  • theft of device involving passcode surrender (loss mitigation)
  • SIM swap (cellular store employees)
  • SIM card theft (removal of SIM card from phone)

Risk reduction / resiliency

  • OS decision (iOS vs. Android)
    • Note that one is not better than the other
    • Risk reduction is all about an individual's ability to manage the risks based upon platform selection
  • MDM (remote data wipe): small-scale company (Apple Configurator or Jamf Now) vs. corporate MDM
  • MFA backup/diversification (SMS via cell or VOIP providers vs. TOTP vs. passkey/yubikey etc.)
  • App selection (OS-based or Independent)
  • App protection (‘independent’ PIN protection vs. face/touch ID)
  • ‘Attack Surface’ – minimization of exposure (e.g. banking apps, cash apps, Find My Friends etc.)

Resources

https://www.darkreading.com/application-security/okta-flaw-involved-mgm-resorts-breach-attackers-claim

https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/amp/


Copyright QPC Security All rights reserved.
