Enterprises are turning to certificates to secure mobile devices, applications, and users, rather than relying on less secure authentication methods such as usernames and passwords. Digital certificates authenticate mobile users to a growing set of applications, including the web, cloud, Virtual Private Networks (VPNs), and wireless networks secured by 802.1X, and the shift toward Bring Your Own Device (BYOD) has led to the rapid deployment of hundreds of thousands of mobile certificates.
However, many of the security experts I speak to have little control over or visibility into their mobile certificate inventory, and they do not know which mobile certificates each user can access. As a result, cyber-criminals can easily exploit certificates for mobile devices and users and pose as trusted users, thereby infiltrating corporate networks and stealing intellectual property.
Mobile device and user certificates as an emerging threat vector
With the rapid influx of mobile devices in the enterprise, these mobile devices have become an effective threat vector against the corporate network. In fact, according to a Verizon Data Breach Report, 71% of compromised assets in 2013 involved users and their endpoints. Why are cyber-criminals targeting users’ mobile devices? These mobile devices contain enough information, such as email accounts, user passwords, and company VPN credentials, to allow attackers to infiltrate the internal network as legitimate users. The mobile devices themselves essentially serve as a conduit directly into the enterprise network. For example, if attackers can download custom malware to a mobile device, they can use the mobile device’s VPN connection to access the corporate network.
This attack method is so effective that malware creators are focusing on mobile devices. In 2012 McAfee Labs discovered 44 times the number of mobile malware samples found in 2011. This means that 95% of all mobile malware samples ever seen appeared in the last year.
In addition to the increased volume of mobile threats, the threats are becoming more dangerous. Cyber-criminals have determined that one of the best ways to circumvent standard system security is to electronically “sign” their malware using a stolen or fabricated certificate. Network systems then “trust” the malware, making it possible for attackers to target specific systems and retrieve confidential data. McAfee Labs discovered that instances of signed malware increased 3 times just in Q4 2012.
Mobile malware, code signing abuse, man-in-the-middle (MiTM) attacks, and other mobile certificate-based attacks demonstrate how easily cyber-criminals can use mobile devices to access the corporate network. In fact, mobile certificates present a risk even when attacks do not directly target them, because they provide access to the enterprise.
IT is losing control of mobile and user certificates
To protect the network, IT must be able to detect when mobile device and user certificates are being attacked or compromised and prevent these compromised certificates from accessing the network. However, IT is quickly losing control of mobile and user certificates. Consider the problem: Thousands of users connect to the corporate network, and each user has multiple, personally owned mobile devices. These users and devices are issued hundreds of thousands of certificates, and IT must track and protect all of them.
In a Venafi survey conducted at the 2013 RSA Conference, we found that 57% of organizations do not have an accurate mobile certificate inventory. In addition, in more than 50% of organizations some mobile and application certificates are issued outside the control of the IT security team. The rapidly growing influx of mobile and user certificates is becoming a nightmare for IT security teams—and the lack of insight into and control over their mobile and user certificate inventory introduces significant security vulnerabilities such as:
Orphaned and duplicate mobile certificates
The organization’s existing security controls do not detect certificate anomalies such as orphaned and duplicate mobile certificates, which attackers can use to gain unauthorized access. IT security teams are aware that certificates have been issued and know these certificates grant access to various resources—perhaps even critical ones. But they do not know which users have access to the certificates, how many certificates have been issued, or where the certificates have been deployed. Sophisticated attackers executing advanced persistent threats (APTs) will take advantage of any and every exploit to steal corporate data—including exploiting orphaned and duplicate mobile and user certificates. For example, if attackers can download custom malware to a mobile device, they can use an orphaned VPN certificate to establish a VPN connection and gain access to a corporate network. In addition, attackers can use orphaned certificates to sign code from a “trusted” source. Once their code is trusted, attackers can use the mobile device or application to infiltrate the enterprise.
Constantly changing environments
Terminated employees or contractors who have access to mobile and server certificates, Secure/Multipurpose Internet Mail Extensions (S/MIME) keys, and Secure Shell (SSH) keys can use those keys to impersonate corporate servers or steal data. In addition, users frequently change roles, and whenever they change roles, the level of access they require to corporate data changes as well. Mobile certificates issued to users serve as trusted credentials, granting users secure access to critical networks, applications, and data. But if employees or contractors are terminated or reassigned and their mobile, Wi-Fi, VPN, and S/MIME certificates are not revoked, those users can still access the corporate network and sensitive information.
Fraudulent mobile certificates and compromised Certificate Authorities (CAs)
As the use of certificates has increased, the CAs that issue certificates have increasingly become targets for sophisticated attacks. Hackers have successfully obtained fraudulent certificates that grant them unauthorized access and let them forge digital signatures. These attacks on CAs make it critical for organizations to ensure they are using secure CAs. Organizations also need to respond quickly if a CA is compromised or a fraudulent certificate is issued.
According to Ponemon Institute research, the average Global 2000 company still uses 1024-bit keys. In fact, 1024-bit keys make up almost 70% of the encryption key inventory. In addition, the weak MD5 algorithm allows hackers to create a rogue CA root certificate that is trusted by all browsers. Unfortunately, many mobile certificates used for VPN access still use the MD5 algorithm, leaving a huge backdoor wide open for attackers to steal information.
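The orphaned and duplicate certificates, the unrevoked certificates of terminated users, and the weak keys and MD5 signatures described above are all findable with a single reconciliation pass over the certificate inventory. The Python below is an added example, not code from the original article or from Venafi; the inventory rows, the HR directory, and the field names are constructed for illustration.

```python
# Added example: reconcile a mobile/user certificate inventory against an HR
# directory and flag the conditions the article describes. All data is
# constructed; a real run would pull these rows from the CA and the directory.
from collections import defaultdict

# Constructed inventory: one row per issued mobile or user certificate.
INVENTORY = [
    {"serial": "1001", "owner": "alice", "purpose": "vpn",   "key_bits": 2048, "sig_alg": "sha256WithRSA", "revoked": False},
    {"serial": "1002", "owner": "alice", "purpose": "vpn",   "key_bits": 2048, "sig_alg": "sha256WithRSA", "revoked": False},
    {"serial": "1003", "owner": "bob",   "purpose": "wifi",  "key_bits": 1024, "sig_alg": "sha1WithRSA",   "revoked": False},
    {"serial": "1004", "owner": "carol", "purpose": "vpn",   "key_bits": 2048, "sig_alg": "md5WithRSA",    "revoked": False},
    {"serial": "1005", "owner": "dave",  "purpose": "smime", "key_bits": 2048, "sig_alg": "sha256WithRSA", "revoked": True},
    {"serial": "1006", "owner": "",      "purpose": "vpn",   "key_bits": 2048, "sig_alg": "sha256WithRSA", "revoked": False},
]
# Constructed HR directory: who is still active and who has left.
DIRECTORY = {"alice": "active", "bob": "active", "carol": "terminated", "dave": "terminated"}

WEAK_SIG_ALGS = {"md5WithRSA", "sha1WithRSA"}
MIN_KEY_BITS = 2048


def audit(inventory, directory):
    """Return {serial: [finding, ...]} for every live certificate needing action."""
    findings = defaultdict(list)
    live = [c for c in inventory if not c["revoked"]]  # revoked ones are already handled
    for c in live:
        status = directory.get(c["owner"])
        if status is None:
            # No owner, or an owner the directory has never heard of: orphaned.
            findings[c["serial"]].append("orphaned")
        elif status == "terminated":
            # Owner has left but the credential still authenticates.
            findings[c["serial"]].append("terminated_not_revoked")
        if c["key_bits"] < MIN_KEY_BITS:
            findings[c["serial"]].append("weak_key")
        if c["sig_alg"] in WEAK_SIG_ALGS:
            findings[c["serial"]].append("weak_signature")
    # Duplicates: the same owner holds more than one live certificate for one purpose.
    by_owner_purpose = defaultdict(list)
    for c in live:
        by_owner_purpose[(c["owner"], c["purpose"])].append(c["serial"])
    for serials in by_owner_purpose.values():
        if len(serials) > 1:
            for s in serials:
                findings[s].append("duplicate")
    return dict(findings)
```

Each finding maps to an action: revoke (terminated, orphaned, surplus duplicates) or reissue with a 2048-bit key and a SHA-2 signature (weak key, weak signature).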
Poor application security
Mobile applications are vulnerable to MiTM attacks that are instigated by inserting rogue certificates. For example, attackers used a T-Mobile vulnerability to access and modify calls and text messages T-Mobile users sent on millions of Android smartphones. The vulnerability stemmed from incomplete certificate validation: because the app did not properly verify the server certificate, hackers could create a fake certificate and pretend to be the T-Mobile server.
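To make concrete what "not fully implemented" validation means on the client side, the Python below contrasts a TLS client context that accepts any certificate with a hardened one, and shows the leaf checks (validity window and hostname binding) that an app must perform. This is an added example, not T-Mobile's code or code from the original article; the host names and certificate fields are constructed.

```python
# Added example: client-side certificate validation, the weak form beside the
# correct form. Function names are the author's; the peer certificate is constructed.
import ssl


def insecure_context() -> ssl.SSLContext:
    """What an app with skipped validation effectively does: any certificate for
    any name is accepted, so a MiTM with a self-issued cert looks like the real server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # no binding between certificate and host
    ctx.verify_mode = ssl.CERT_NONE   # no chain verification at all
    return ctx


def hardened_context(ca_bundle: str = "") -> ssl.SSLContext:
    """Chain must anchor to a trusted CA and the leaf must name the host. Passing
    the organization's own CA bundle limits which CAs may vouch for the backend."""
    ctx = ssl.create_default_context()
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _label_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a single leftmost '*' label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])


def peer_cert_ok(cert: dict, host: str, now_epoch: float) -> bool:
    """Leaf checks after the chain verifies: within the validity window and the
    host appears as a dNSName in subjectAltName. `cert` has getpeercert() shape."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now_epoch <= not_after):
        return False
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_label_matches(n, host) for n in names)


# Constructed peer certificate, in the shape SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example-carrier.test"),),),
    "issuer": ((("commonName", "Example Corporate CA"),),),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Dec 31 23:59:59 2014 GMT",
    "subjectAltName": (("DNS", "api.example-carrier.test"), ("DNS", "*.example-carrier.test")),
}
```

With `hardened_context()` the ssl module performs these checks itself during the handshake; `peer_cert_ok` spells them out so the gap left by `insecure_context()` is visible.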
As you can see, the rapid adoption of mobile devices has made it challenging for enterprises to secure and protect the certificates on these devices, making them prime targets for attackers eager to exploit security vulnerabilities and hijack mobile and user certificates for their own use. Bad actors and cyber-criminals have proven that once they gain access to unprotected certificates, they can authenticate to networks and gain access to corporate information.