DeepSec 2013 Talk: Bypassing Security Controls With Mobile Devices
How do you counter threats emerging from a new trend? Well, standard practice is to buy a new appliance, add-on, or similar magic trick. People do this currently with the trend of Bring Your Own Device (BYOD). Once you say yes to BYOD, you just gave Santa Claus (or your chief financial officer) more options for Christmas presents. There is Mobile Device Management (MDM in short), plus you can do a lot of filtering at the edge of your network(s). Still mobile devices are a threat. At DeepSec 2013 Georgia Weidman of Bulb Security LLC will show you how the threats work in real environments.
Testing if your wonderful BYOD playground works for attackers can be done by taking your MDM’s promises to the limits. Let’s see if your MDM has ever heard of polymorphic code. What about that proxy that stops all outbound traffic unless its in the Internet Explorer process authenticated against the internal domain? Why not just send your shell back to an exploited mobile device in the environment and have it pass the shell out via SMS? Creativity will get you almost anywhere, and this is what Georgia’s talk is all about. She will give you a live demonstration of the techniques used. Everything you see will be released as additions to her Smartphone Pentest Framework.
If you bring your own device to the talk, we will add a voucher for some extra sleepless nights – for free!