The Risk of Mobile Pivoting in the Enterprise

While users and enterprises are becoming aware of the risk of mobile-based malware to the sensitive data stored on mobile devices, an often overlooked attack vector is attackers using a compromised mobile device to attack other devices on the network. Mobile devices, as their name implies, are upwardly mobile, often connecting to a plethora of different Wi-Fi networks as they accompany their owner to work, school, home, the coffee shop, the airport, etc. Each new platform is a gateway to a direct network connection to vulnerable systems.

Some penetration testers drop malicious devices that call home on a network as part of a physical access attack, simulating compromised devices on a network. This provides a pivot point to attack internal assets from the Internet. While this is a valid attack vector, what is being overlooked is that any of the mobile devices that are joining the network have this functionality by design, if they are compromised. Attached to the corporate network as well as the carrier mobile network, these devices are a natural pivot point.

Devices can become compromised while not on an enterprise’s watch. Users can download malicious applications or open malicious web pages. Mobile devices can be attacked on hostile networks they encounter as they travel outside the office with the user. Or, they could fall victim to remote code execution attacks, such as the recent Stagefright vulnerability that only required sending a malicious MMS (text message with media attachment) to a vulnerable phone.

When a compromised device attaches to an enterprise network, it can begin hunting for vulnerabilities in the internal network. As any penetration tester or security engineer will tell you, most networks are hard on the outside, but soft on the inside. Many corporations focus on their external, Internet-facing vulnerabilities, as naturally these are easier for attackers to exploit. To attack internal assets, an attacker will need to already be on the internal network by cracking a Wi-Fi password, phishing an employee at their workstation, etc. Penetration testers usually consider it trivial to find exploitable vulnerabilities on internal networks. The compromised mobile device has direct access to exploit those vulnerabilities.

Compromised mobile devices also provide a method of bypassing any data loss prevention mechanisms at the network perimeter. In the figure above, after the compromised mobile device has exploited a vulnerable local system, that system calls back to an attacker system on the Internet, just like in traditional compromise scenarios. Thus, security conscious enterprises are deploying technologies to notice malicious connections and sensitive data leaving the network and block these connections. Once again, it is the compromised mobile device to the rescue. That same pivot point that gave attackers access to the network in the first place through the carrier network connection can be used to infiltrate malicious connections as shown below. This will bypass any perimeter data loss prevention controls.

With mobile devices entering the enterprise en masse, it is important to recognize the unique threats these devices bring with them. Mobile devices default to being as connected as possible, often to multiple networks at a time (e.g., carrier mobile network and corporate Wi-Fi). This opens up a unique scenario for malicious attackers to use compromised devices as a pivot point to attack the internal network and bypass perimeter controls.

Georgia Weidman
Founder and CEO of Bulb Security, LLC

Georgia will be presenting Going from Practitioner to Entrepreneur at ISACA’s Inaugural CSX North America Conference, 19-21 October in Washington DC.

[ISACA Now Blog]