Avoid Hacks of Phones and Tablets
This is a brave new era. You have to trust that your phone and tablet users are making good decisions about security to avoid being hacked, and you have to figure out how to manage each and every device, platform, and app. This management task is arguably the greatest challenge IT professionals have faced to this point. Further complicating matters, criminal hackers, thieves, and other hooligans are doing their best to exploit the complexity of it all, and that creates serious business risk. The reality is that very few businesses, and very few individuals, have their phones and tablets properly secured.
Plenty of vendors claim that their mobile device management (MDM) solutions are the answer to phone and tablet woes. They’re right . . . to an extent. MDM controls that separate personal information from business information and ensure the proper security controls are enabled at all times can help you make a big leap toward locking down the mobile enterprise.
One of the greatest things you can do to protect phones and tablets from unauthorized use is to implement a tool that dates back to the beginning of computers: passwords. Your phone and tablet users should employ good old-fashioned passwords that are easy to remember yet hard to guess. There are plenty of mobile devices with no passwords or passwords that are easily cracked.
Mobile apps can introduce a slew of security vulnerabilities into your environment, especially certain Android apps on Google Play that aren't properly vetted. Recent source code analysis using Checkmarx's CxDeveloper found that these apps have the same flaws as traditional software, such as SQL injection, hard-coded encryption keys, and buffer overflows, any of which can put sensitive information at risk. The threat of malware is also still great.
Crack iOS Passwords
Many phone and tablet passwords can be guessed outright. A mobile device gets lost or stolen and all the person recovering it has to do is try some basic number combinations such as 1234, 1212, or 0000. Soon, voilà! — the system is unlocked.
Many phones and tablets running iOS, Android, and BlackBerry OS are configured to wipe the device if the incorrect password is entered a set number of times. That's a reasonable security control, but it only stops guessing at the lock screen. What else can be done? Commercial tools can crack simple passwords/PINs offline and recover information from lost or stolen devices, or from devices undergoing a forensics investigation.
Elcomsoft’s iOS Forensic Toolkit provides a means for demonstrating just how easily passwords/PINs on iOS-based phones and tablets can be cracked. Here’s how:
1. Plug your iPhone/iPod/iPad into your test computer and place it into Device Firmware Upgrade (DFU) mode. To enter DFU mode, power the device off, hold down the Home button (bottom center) and the sleep button (upper corner) together for 10 seconds, then release the sleep button and keep holding the Home button for another 10 seconds. The mobile device screen goes blank.
2. Load the iOS Forensic Toolkit by inserting your USB license dongle into your test computer and running Toolkit.cmd.
3. Load the iOS Forensic Toolkit ramdisk onto the mobile device by selecting option 2 LOAD RAMDISK. Loading the ramdisk lets your test computer communicate with the mobile device and run the tools needed for cracking the password (among other things).
4. Select the iOS device that's connected. The toolkit connects to the device and confirms a successful load; you should see the Elcomsoft logo in the middle of your mobile device's screen as well.
5. To crack the device's password/PIN, select option 6 GET PASSCODE on the main menu. iOS Forensic Toolkit prompts you to save the passcode to a file; press Enter to accept the default of passcode.txt. The cracking process commences and, with any luck, the passcode is found and displayed.
So, having no password for phones and tablets is bad, and a 4-digit PIN such as this is not much better. User beware!
You can also use iOS Forensic Toolkit to copy files and even crack the keychains to uncover the password that protects the device’s backups in iTunes (option 5 GET KEYS).
If anything, you need to be thinking about how your business information, which undoubtedly is present on phones and tablets, is going to be handled in the event one of your employee’s devices is seized by law enforcement personnel. Sure, they’ll follow their chain-of-custody procedures, but overall, they’ll have very little incentive to ensure the information stays protected long-term.
Be careful with how you sync your mobile devices and, especially, where the file backups are stored. They may be off in the wild blue yonder (the cloud), which means you have no real way to gauge how secure the personal and business information truly is.
Closer to home, when synced files and backups are stored without a password, with a weak password, or on an unencrypted laptop, everything is still at risk, given the tools available to crack the encryption that protects this information. For instance, Elcomsoft's Phone Password Breaker can be used to unlock backups from BlackBerry and Apple devices as well as recover online backups made to iCloud.
Oxygen Forensic Suite is an alternative commercial tool that can be used for cracking iOS-based passwords and offers additional recovery functionality for Android-based systems.
Countermeasures against password cracking
The most realistic way to prevent such password cracking is to require strong passcodes: multidigit PINs of 5 or more digits or, better yet, passphrases that are easy to remember yet practically impossible to crack, such as I_love_my_j0b_in_IT!. Each extra digit multiplies an attacker's offline work by 10, and a long mixed-character passphrase moves the search out of reach entirely. MDM controls can help you enforce such a policy. You'll likely get pushback from employees and management, but it's the most reliable way to prevent this attack.
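To make the difference between the wipe-after-N lock-screen control described earlier and the offline attack a ramdisk-based tool performs concrete, here is an added example written for this page. It is not Elcomsoft's tool and not Apple's key derivation: it uses PBKDF2-HMAC-SHA256 as an assumed stand-in for the device's passcode-to-key derivation, so the guess rate it measures is for that stand-in on your machine, not an iOS figure. The common-PIN list and the salt are constructed for the demo. The point it shows is the keyspace arithmetic behind the countermeasure above: online guessing dies at the wipe limit, offline guessing walks all 10^4 four-digit PINs in one pass, and each added digit or character multiplies the work.

```python
"""Added example for this page (not Elcomsoft's or Apple's code): why a 4-digit
PIN falls to an offline attack even when the lock screen wipes after N tries.

Assumption: PBKDF2-HMAC-SHA256 stands in for the device's passcode-to-key
derivation. iOS ties that derivation to device hardware, so the rate measured
here is not an iOS number; the keyspace comparison is the point.
"""
import hashlib
import itertools
import string
import time

SALT = b"constructed-salt-for-demo"   # constructed, not from any device
ITERATIONS = 500                       # kept low so the demo runs in seconds


def derive_key(passcode: str, salt: bytes = SALT) -> bytes:
    """Stand-in for the device's key derivation (assumption, see module doc)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS)


# The "basic number combinations" the text mentions, plus a few more a
# lost-device finder would try first (constructed list, in guess order).
COMMON_PINS = ["1234", "0000", "1212", "1111", "7777", "2580", "1122"]


def pin_candidates(digits: int):
    """Yield common PINs of this length first, then the rest of the keyspace."""
    seen = set()
    for pin in COMMON_PINS:
        if len(pin) == digits:
            seen.add(pin)
            yield pin
    for combo in itertools.product("0123456789", repeat=digits):
        pin = "".join(combo)
        if pin not in seen:
            yield pin


def online_guess(is_correct, digits: int, wipe_after: int):
    """Guessing at the lock screen: the wipe-after-N control is what stops us.
    Returns (passcode or None, attempts made before success or wipe)."""
    for attempts, guess in enumerate(pin_candidates(digits), start=1):
        if attempts > wipe_after:
            return None, wipe_after          # device wiped, attacker loses
        if is_correct(guess):
            return guess, attempts
    return None, 10 ** digits


def offline_crack(target_key: bytes, digits: int, salt: bytes = SALT):
    """What a ramdisk/forensic tool does instead: nothing throttles or wipes,
    so walk the whole keyspace against the extracted key material."""
    for attempts, guess in enumerate(pin_candidates(digits), start=1):
        if derive_key(guess, salt) == target_key:
            return guess, attempts
    return None, 10 ** digits


def measure_rate(seconds: float = 0.5) -> float:
    """Guesses per second this machine manages with the stand-in derivation."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_key(f"{n:06d}")
        n += 1
    return n / (time.perf_counter() - start)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst case to try every candidate at the given rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    rate = measure_rate()
    print(f"stand-in derivation rate: {rate:,.0f} guesses/s")
    # Online: wipe-after-10 stops a non-common PIN but not a common one.
    print("online, common PIN :", online_guess(lambda g: g == "1212", 4, 10))
    print("online, other PIN  :", online_guess(lambda g: g == "4829", 4, 10))
    # Offline: the same PIN falls in a single pass over the 10^4 candidates.
    print("offline, other PIN :", offline_crack(derive_key("4829"), 4))
    printable = len(string.ascii_letters + string.digits + string.punctuation)
    for label, space in [("4-digit PIN", 10 ** 4), ("5-digit PIN", 10 ** 5),
                         ("6-digit PIN", 10 ** 6),
                         ("20-char passphrase", printable ** 20)]:
        print(f"{label:>18}: {space:.3g} candidates, "
              f"{seconds_to_exhaust(space, rate):.3g} s worst case")
```

Run it as a script to see the table; the absolute seconds depend on your machine and on the stand-in derivation, but the ratio between rows is what a policy decision rests on, and the first two printed lines show why the wipe control alone is not enough once the device is in an attacker's hands.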