If you judge a conference by the recovery time involved afterwards then Black Hat 2011 has to be the winner – 13 hours solid sleep on my first night back home. This level of exhaustion (tiredness doesn’t quite capture the feeling correctly) is only achieved by a whirlwind of top quality briefings, demos with prospects, meetings with customers, and the celebrated art of trying to attend every event (something I spectacularly failed at this year), including the Hack Cup tournament. (Considering that one of our players broke his shoulder during the game, I am happy I opted out this year…)

But for me there was one amazing thing I came away from the conference with, and it was the excitement around the new capabilities for CORE IMPACT Pro v12 to test mobile devices (announced last Wednesday). I think we set a new phone hacking record at the Core booth. If you consider that we demonstrated the product’s new phone testing capabilities about every 5 minutes over two days on the show floor, I would say that we successfully attacked mobile devices more than 240 times. And yes, the phones are still running perfectly.

So, as a product manager, why have I chosen now to add the capability to target mobile devices? As you can imagine, to do it properly (the only way it is worth doing) costs a lot in terms of engineering resources and QA resources (as you know, when we create something at Core we test it heavily). I have two reasons why I think the ability to test and measure the security of mobile devices is important today:
1. The sheer number of mobile devices out there. All reports (like this one from IDC) indicate the number of smart devices out there is growing, and growing fast. This means a new and rapidly growing attack surface is being deployed at companies, who may not also be deploying the defenses for these devices as quickly as they are deploying the devices themselves. And that’s not taking into account the companies who are saving money by allowing employees to use their personal mobile devices to access corporate email, data and networks.
2. The capabilities of these devices. Gone are the days of a black and white (or green) screen that could only display a few lines of text. Those devices were great for making calls and texting but you wouldn’t even dream of doing any of your work on those devices. Now these devices have enough computing power to run business applications, rich enough graphics that people can work with them for hours, and large enough storage that people can work offline (these days a mobile device is about the only thing I can use on a plane when crammed into an economy seat).
So many people in IT and security departments I speak with are being pressured to allow employees to use any mobile device to access corporate data and email. (It normally starts with an executive who got a fancy new phone as a gift.) These folks know there is risk involved in doing so but cannot articulate the risk to non-IT folks and cannot demonstrate that risk. As a result we all end up looking like we are simply saying “the sky is falling” and holding back the business. IMPACT Pro provides a simple way to target and expose the security weaknesses of a smart phone (and the resulting data that can be extracted), and to do so in a highly visual way. Now users of IMPACT Pro v12 can show how clicking a link in an email or SMS on the phone, or working over a Wi-Fi network, can easily expose the mobile device to risk. And let’s face it, you actually only need them to turn their Wi-Fi on to target them.
Now we can clearly demonstrate the risk associated with the new mobile technology (which is our role) and the company can decide if they are prepared to accept that risk (their role). We can also use this capability both to demonstrate the need for a Mobile Device Management system/infrastructure or some other investment in security associated with mobile devices, and to effectively compare different proposed mobile security offerings and make an educated decision about which provides the most security to your business. I am constantly surprised by the number of companies who evaluate IDS/IPS solutions by comparing GUIs and how easy it is to monitor the devices. If the device is intended to detect and block exploits then surely the only way to evaluate it is to pass real exploits through it and see how it reacts.