
• Change:
–“Hotel” to “Office”
–“Maid” to “Passed-over Deputy to the Deputy”
–“Hotel Bar” to “Office Gym”
• Advantages:
–Longer time-frame for attack
–Better understand MDM setup in use
–With patience, can execute attack w/out DFU
• MITM target device
• Wait for legit server to send push notifications
• Better use of SSL
–Remember certificates (connections, commands)
• Require user acknowledgment for re-enroll
–So tokens don’t get sent silently
An alternative attack can take place within the office environment itself.
This may actually have several advantages over the “Traveling CEO”
attack, in particular since the attacker will have more regular, long-term
access to the device, so the attack need not be rushed.
Also, if the attacker is able to better understand how the MDM system is
configured at that site (especially if they have their own device they can
experiment and test with), it might even be possible to execute the
attack without the complexities of the DFU Tethered Boot trick. Simply
acquire the enrollment profile directly from the MDM server, set up a
MITM server that forwards all non-target MDM traffic to the real server,
and then wait for the real server to send out regularly scheduled
commands. (If, for example, you discover that the server refreshes
device information every Monday night at 8, then just time your attack
for then and let the MDM server cause the target device to poll your
MITM server.)
Fortunately, I think that fixes to this (and other MDM issues) can be
pretty easily accomplished by Apple.
Better use of SSL-based authentication, both at the client-to-server
level and at the command level, would also raise the bar for MITM
attacks. Finally, whenever the device enrolls in MDM (and thus sends an
Unlock Token to a third party), the user should be directly notified,
especially if the device already appears to be enrolled.
It’d probably be nice to add some kind of authentication to the
EraseDevice call, perhaps requiring the UnlockToken. Though there
may be valid reasons why the current method was chosen.