Mobile Infrastructure: The Elephant in the Data Center

Saturday, August 25, 2012

Tripwire Inc


Article by Ken Westin

Mobile was a hot topic this year at Black Hat with a strong focus on client-side vulnerabilities and defenses.  

Apple made their first ever appearance at Black Hat with platform security manager Dallas De Atley walking attendees through the layered approach Apple has taken with iOS and the iPhone.  Apple’s focus on security is impressive.

I was particularly interested in the hardware level encryption via the A5 processor on the iPhone and how it integrates with iOS to encrypt and protect data. 

Security has been one of the key deficiencies critics mention when discussing Apple and the enterprise, given that the platform was less mature than that of RIM, which has been entrenched in the enterprise.

De Atley’s presentation shows that Apple is serious about security and the enterprise and that the iPhone and iOS are ready for business.

The one area that seemed to be ignored was the infrastructure that supports the increasingly cloud-dependent mobile devices. This is possibly because many do not see server infrastructure as anything new and consider it covered already, or covered in other sessions dealing specifically with server exploits and defenses.

However, as the popularity of mobile devices increases, the size of the server infrastructure needed to support services such as iCloud, push services and the like increases exponentially.

How much data do we really store on our devices vs. the Cloud?  The bulk of our sensitive data is not only on our devices but spread across servers around the world, across multiple companies, platforms and with differing levels of security.

Over the past year the press has been full of stories regarding “mobile hacking” where voicemails were accessed, or nude photos of celebrities compromised.

However, these “hacks” were not the hacking of the device itself, but were due to vulnerabilities in the supporting infrastructure, such as weak security measures for accessing voicemail, weak email passwords, and compromised servers from which usernames and passwords were stolen wholesale. Many times these breaches occur without the provider being aware of them until they too see it in the press.

As more devices are sold that rely on this infrastructure it becomes an increasingly valuable target for malicious attackers. Why attack a single device when you can compromise an entire infrastructure and potentially gain access to a much larger trove of data, number of devices and users?  It’s simple black hat logic.

Cross-posted from Tripwire's State of Security

Lisa Simpson: I've yet to see anyone discuss malicious apps in real detail. I've also been getting text messages with a link to an infected website that then tries to download a phone Trojan. Now that handheld devices are proliferating, anti-malware software is still at the user's option, and they're becoming increasingly powerful, I am guessing that the bot-nets will be moving to mobile devices.

Ken Westin: Hello Lisa,

The problem with anti-malware applications for mobile devices is that they are not very effective as they cannot run as root on a device. By the time a fix is sent via an update it is already too late if you are already infected. They are also signature based versus behavior based. I wrote a post on this here

Most malware for mobile has come from applications that are downloaded outside of the mainstream app stores. Google has been proactive in managing malware server side. However, imagine if Google's Play Store were compromised, that is a much more valuable target than a single device.

Most of the companies that sell anti-malware applications are overinflating the risk via FUD to sell more of their products. It is something to be cautious of, but the sky is not falling.
