Rogue mobile devices in your enterprise? RSA day one

While our recent post on BYOD focuses on the prevalence and/or risk of inadequately trained staff potentially creating problems for the core IT infrastructure using their own personal devices for work, it seems others here at RSA are concerned with preventing the exact same thing, but from a different angle. I attended one “lighting round” talk by Rob Malan of Arbor networks and Aaron Turner with N4struct, where they outlined steps enterprises can take toward stopping scammers exfiltrating data, or possibly targeting key individuals' mobile devices, which might be used to gain critical competitive data, for financial gain, potential espionage, or snooping on top execs in your organization.

So how would the crooks do it? Good question. It seems that hackers have managed to figure out how to create a hacked GSM base station “tower” with some low cost hardware – about $5,000 worth – that can emulate a tiny rogue tower, potentially tricking users’ GSM mobile devices into communicating with the fake network, before forwarding the traffic on to the real one. In this way, some of the data transmitted by the device, including potentially sensitive data, can be captured for later use, and/or transmitted back to the mothership for the scammers. Though the talks centered around GSM, Mr. Turner said other technologies like CDMA are not immune from scams either.

So how do you stop rogue mobile devices from compromising your communication? Turns out many organizations are looking at technology that will map out a baseline “signature level map” of all the wireless communication in their organization, so they’ll know when something goes wrong. This way, if a rogue device starts some shenanigans, you’ll know.

Another benefit from watching for spectrum spikes comes from monitoring for data exfiltration via 3G-enabled tiny servers which were demonstrated elsewhere at the show, but that Mr. Turner has seen in his testing in the wild. The tiny camouflaged rogue servers – no bigger than a printer power supply – could be quietly installed in areas with access to your core data. These servers come with 3G wireless access dongle provisions that allow remote access via ssh, and can be used to exfiltrate data, often at preset times every day. So if you already have a baseline for all your wireless profile, you can watch for uncharacteristic spikes in 3G traffic, at 3 a.m. every day, for example.

But how would a BYOD user know something’s wrong? One telltale that you might be connecting inadvertently to a rogue tower is that your service suddenly drops out of 3G or 4G to a lower level. A sudden connection downgrade like this, where you historically have had 3G connectivity can signal a potential rogue tower. Also, if you historically have had a “dead spot” in coverage at your site, and suddenly a connection shows up, it might be worth a closer look.

Also, for users traveling overseas, Mr. Turner said certain regions have a not-so-stellar record at protecting users from spying at the carrier level, so it’s a good idea to use alternate communication, especially, he said, in Southeast Asia, Latin America and the Middle East.

In the security posts we will be rolloig out about Bring Your Own Device (BYOD) there will be an emphasis on education. The takeaway from these two presentations is that users will need education on how to avoid being scammed by rogue towers by knowing what telltale signs to look for. Also, IT must be aware of the wireless profile for their organization, so they can tell when their data might be at risk, silently sneaking out over the airwaves.

The scammers’ motivations run the range from discovering trade secrets and insider financial information about your organization, to directly scamming the mobile devices for financial gain through premium SMS scams and others. How prevalent is it? Right now, the activity seems localized around “high value targets” like your senior staff, and those with specific access to key information the scammers are looking for. After all, the scammers have to spend some money and do some planning to pull it all off, and more traditional scams like phishing are much cheaper. But if scammers can know an insider trading secret that allows them to purchase stock before a major announcement, the potential profit from the stock spike could easily pay for their efforts. Also, capturing information on a key invention that can give competitors the edge in the marketplace, can make the efforts worth it. One thing is sure, that as the price for the technology to scam using wireless technologies drops, the barriers of entry will as well, so expect scammers to be snooping around soon, if they haven’t already.

Hat tip to Mr. Malan and Mr. Turner for their presentations, they were very informative.

Author , ESET

Follow us

Copyright © 2017 ESET, All Rights Reserved.