Sign up to save your podcasts
Or
Share Physical threats to mobile phones, SIM hijacking, out of band SMS, and Yubikeys
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Physical threats to mobile phones, SIM hijacking, out of band SMS, and Yubikeys
Part 1 of a two-part series on threats to mobile devices and through mobile devices. Tactics and techniques to deal with those threats.
Cohost: Tom Dean – Consulting Ventures
- Tom has decades in capital goods manufacturing industry (fortune 500 scale)
Personal travel:
Laptops have transformed to mobile devices (phones and tablets)
Risk was more contained with laptops, but the impact is much higher with mobile phones. A lot of nuances around "was the password revealed?"
Biometrics are convenient but quite dangerous
Biometrics are a proxy for a numeric passcode on a mobile device.
Physical compromise is a 5-alarm fire situation.
Physical loss when it is not compromised is not that big of an issue as long as authenticators are backed up.
Must have erase after 10 bad password attempts. Turn off notifications on screen lock. Do not have notifications turned on to display on the lock screen.
Avoid banking apps.
The first things that the baddies go after are Venmo, Apple Pay, Cash apps.
Out of band SMS for MFA
SIM swapping risk, or eSIM embedded in the phone
Put a PIN on your physical SIM.
MySudo – Can clone that instance to other phones.
Password manager on phone
Disaster if this is based upon your biometric. You can use a different or secondary PIN. You can use Yubikey.
Password manager helps you recover.
Segmentation strategies
They can see all the emails on your phone and change passwords or password reset is typically done via email
Screentime on Apple can be helpful, but there are weaknesses there. The only way to really secure the device is to use a MDM. You still need to be concerned about MFA and account takeovers.
Need to have an out of band mechanism to receive alerts and ability to remove kill the device.
Microsoft Authenticator and Google Authenticator do not have a separate PIN.
Authy is free. It has its own separate PIN.
Yubikey is great but assumes that you can manage controlling the physical access to that. Do not store on your key chain.
Diversification strategy with inventory.
MDM
- Kill apps
- Inexpensive “Jamf Now” for small businesses. Minimum is one device. The first 3 are free. Still affordable beyond that.
Risk examples
- loss of device (resiliency e.g. MFA)
Risk reduction / resiliency
- OS decision (iOS vs. android)
- Note that one is not better than the other
Resources
https://www.darkreading.com/application-security/okta-flaw-involved-mgm-resorts-breach-attackers-claim
https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/amp/
View all episodes
By qpcsecurityPart 1 of a two-part series on threats to mobile devices and through mobile devices. Tactics and techniques to deal with those threats.
Cohost: Tom Dean – Consulting Ventures
- Tom has decades in capital goods manufacturing industry (fortune 500 scale)
Personal travel:
Laptops have transformed to mobile devices (phones and tablets)
Risk was more contained with laptops, but the impact is much higher with mobile phones. A lot of nuances around "was the password revealed?"
Biometrics are convenient but quite dangerous
Biometrics are a proxy for a numeric passcode on a mobile device.
Physical compromise is a 5-alarm fire situation.
Physical loss when it is not compromised is not that big of an issue as long as authenticators are backed up.
Must have erase after 10 bad password attempts. Turn off notifications on screen lock. Do not have notifications turned on to display on the lock screen.
Avoid banking apps.
The first things that the baddies go after are Venmo, Apple Pay, Cash apps.
Out of band SMS for MFA
SIM swapping risk, or eSIM embedded in the phone
Put a PIN on your physical SIM.
MySudo – Can clone that instance to other phones.
Password manager on phone
Disaster if this is based upon your biometric. You can use a different or secondary PIN. You can use Yubikey.
Password manager helps you recover.
Segmentation strategies
They can see all the emails on your phone and change passwords or password reset is typically done via email
Screentime on Apple can be helpful, but there are weaknesses there. The only way to really secure the device is to use a MDM. You still need to be concerned about MFA and account takeovers.
Need to have an out of band mechanism to receive alerts and ability to remove kill the device.
Microsoft Authenticator and Google Authenticator do not have a separate PIN.
Authy is free. It has its own separate PIN.
Yubikey is great but assumes that you can manage controlling the physical access to that. Do not store on your key chain.
Diversification strategy with inventory.
MDM
- Kill apps
- Inexpensive “Jamf Now” for small businesses. Minimum is one device. The first 3 are free. Still affordable beyond that.
Risk examples
- loss of device (resiliency e.g. MFA)
Risk reduction / resiliency
- OS decision (iOS vs. android)
- Note that one is not better than the other
Resources
https://www.darkreading.com/application-security/okta-flaw-involved-mgm-resorts-breach-attackers-claim
https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/amp/