Why pen testing is crucial for mobile architecture

At Black Hat MEA 2022, Georgia Weidman (Founder and CTO at Shevirah and Bulb Security LLC) shared a demo of new software she’s developed to test for vulnerabilities in the mobile threat landscape.

Weidman is an experienced penetration tester and a serial entrepreneur – and author of Penetration Testing: A Hands-On Introduction to Hacking. Her work on smartphone exploitation has been featured by major media companies around the world, including ABC, BBC, and BNC; and she has served as a subject matter expert for the CyberWatch Center’s National Visiting Committee.

But why should mobility be included in pen testing operations?

Mobile devices create vulnerabilities in an organisation’s network

Weidman noted that most people assume her work in mobile security testing focuses on mobile applications, rather than the devices themselves. But that’s not the case: most of her research and product building is centred around making devices themselves more secure.

IT and security professionals have traditionally tended to take certain things for granted: namely, the ability to know what’s on a network; and “we make the assumption that we know the traffic at our perimeter, going in and out of our network.”

If these assumptions were correct then patching and tooling could reasonably be based on that knowledge.

“However, as soon as we started allowing mobility into our network, all of those assumptions broke down,” Weidman said. “We no longer had control over even understanding what all the devices were on our network.”

When employees were able to bring their own devices to work (or use their own devices for work in any location), organisations immediately lost administrative access over all devices involved in their network, and lost a clear view of the perimeter of the network. Because mobile devices don’t just use company WiFi – they also have other ways to communicate, through cellular networks and bluetooth, for example.

Pen test mobile devices to understand vulnerabilities and build resilience

In one pen testing project, Weidman’s client was trying to build their own multi-factor authentication application. In order to differentiate themselves in a competitive market, they wanted Weidman to show that if she was on a mobile device and exploited it, she could then steal the codes from the multi-factor authentication app.

This code theft gives a hacker access to the complete device – and through that, they can access the sandbox of a particular application and gain access to critical information that affects an organisation in some way. This is an extreme kind of attack, but one that government organisations or large corporations could fall victim to.

Pen testing mobile devices like this identifies vulnerabilities, in order to secure them before a threat actor launches an attack.

Attackers who access mobile devices can steal data, control those devices, or activate privilege escalation. They can also use the device as a pivot point – to bypass perimeter controls and attack other devices on the network.

“We do have a lot of options out there in terms of what we can be deploying in our enterprise to deal with security issues around mobility,” Weidman said. But, “unfortunately what we don’t really have is a lot of oversight into what our vulnerabilities are,” as organisations often completely leave out mobility from penetration testing.

“My goal with the software I’m releasing is to make it possible for security researchers, as well as enterprise professionals, to be able to bring mobility into the penetration test.”

Her company’s technology can measure the complete security posture of an organisation’s mobility program – including the device, the users, the applications, and the infrastructure.

“I’m interested in what are the vulnerabilities that those devices bring into your enterprise network,” Weidman added – and that interest is driving the development of innovative technology that can enhance network visibility, knowledge, and security.