With Core Impact Pro’s Mobile Device Penetration Testing capabilities, you can demonstrate the exploitability of iPhone®, Android™ and BlackBerry® smart phones using the same attack techniques employed by criminals today.
Conducting mobile penetration tests with Core Impact Pro enables you to:
- Identify and prove critical data breach exposures created by mobile devices in your environment
- Evaluate the security of new mobile technologies prior to deployment
- Get actionable data required to mitigate financial, operational & reputational risks
- Assess end-user security awareness of social engineering techniques
- Protect end users from defamation, fraud and blackmail
- Audit and report on mobile device security to executive management and other stakeholders
Assess Mobile Device Security Before Attackers Do
Core Impact’s Mobile Penetration Testing capabilities assess end users and their devices through the following real-world attack techniques:
Enables you to send emails and texts that determine whether your organization’s employees would fall prey to phishing and spear phishing attacks by clicking through to malicious sites and/or installing nefarious mobile apps.
- Web form impersonation
Assess data leakage threats by conducting phishing tests seeded with links to web forms designed to capture and record user-entered data, such as usernames and passwords.
- Fake wireless access points
Impersonate valid wireless access points in an attempt to trick users into connecting their devices to them.
- Wireless man-in-the-middle (MITM) attacks
Identify and monitor wireless networks that have either no encryption or WEP-based encryption, and observe any connected devices.
The Core Impact Mobile Device Testing Process
Core Impact’s mobile device penetration test capabilities speed the testing process, automate mundane tasks, and provide a repeatable assessment methodology for measuring mobile device security over time.
Attack and Penetration: Exploit Devices Using Real-World Techniques
One of the most effective ways for an attacker to take control of a mobile device is by getting the user, or the device itself, to install a malicious application. During phishing tests, you trick the user into clicking on a link and triggering the attack. For Wi-Fi tests, Impact delivers attacks in response to data requests (fake AP attacks) and inserts them into existing traffic (MITM attacks).
- Email phishing attacks are launched directly from Impact
- SMS text phishing attacks are launched from Impact via an email-to-SMS gateway service
- Wi-Fi attacks are delivered via Impact’s integration with the AirPcap® TX Wireless Packet Capture Adapter from Riverbed Technology and the Pineapple Mark V Support for Fake AP (sold separately)
Impact’s mobile attacks are packaged as applications that attempt to run locally on the mobile device. In addition, some attacks attempt to leverage known vulnerabilities in the device’s operating system or built-in components to run the application. All Impact attack capabilities are developed and tested in-house, are designed to maximize target stability and integrity, and are updated as new vulnerabilities emerge and attackers hone their techniques.
Android Agent and Post Exploitation Modules
- Shell access
- Get/Send SMS
- Make a phone call
- Contacts CRUD (Create Read Update Delete)
- Call log info
- Geo-location/line number info
- Upload/Download files
Evidence Retrieval: Demonstrate the Implications of a Mobile Device Breach
With Core Impact Pro, you can not only demonstrate how mobile devices in your environment can be compromised, but also reveal how attackers can access and manipulate device data to obtain your organization’s intellectual property and potentially defraud, defame or blackmail its end users.
Once you compromise a tested device, Impact Pro enables you to extract data from the device just as an attacker would. Impact enables you to extract the following data types:
- Phone call, SMS and MMS logs
- GPS location
- Contact information
Reporting: Gain Actionable Data to Address Critical Exposures
Core Impact Pro generates the following reports to assist in vulnerability remediation and fulfill security assessment documentation requirements:
- Mobile Device Reports record information on all mobile devices accessed during testing
- Executive Reports provide a high-level overview of test findings
- Client-Side Reports present the results of security awareness assessments
- Vulnerability Reports detail vulnerabilities exploited and provide links to remediation information
- Activity Reports provide audit trails of all targeted devices and conducted tests
- Delta Reports compare the results from tests repeated over time
- Attack Path Reports graphically depict the path followed to target and exploit specific devices