Thursday 24 November 2011

Please root these devices (project and customer awareness)

Here is a cool opportunity which also raises some interesting questions

I just got asked to see if I could recommend a good AppSec and Reverse Engineer person to spend one month breaking the security of a tablet (and another device) that is coming to a place near you next year.

The brief is quite an interesting one, since it basically says: '...please root this device, show how to install malicious apps on it without root, and/or show how to extract encrypted content...'  (so if you know somebody or are interested please ping me directly)

What is interesting about this gig is the company that it is from. Usually those corporate folks are bit more gentle and politically correct, but this shows that these guys really want to know first the problems (which is a nice evolution in our market). I have to say that 'finally' I have seen more people/customers who want to be secure (vs being compliant or wanting to been seen doing something about it).

It also shows how interconnected out day-to-day devices are becoming, and how big a can of worms (from a security point of view) they can/will be.

Note how web app security is staring to be more and more dependent with the devices that use it, for example, there could be a number of vulnerabilities created by how the client/server exchanges occur (it would be cool to root the device by tricking it into installing something via an reflected exploit on the server, would we call that a 'Reflected Root' vulnerability? :)   ) . 

This also feels a lot like the 'return of the fat client', where the vendors have so much control over the client's device that they extend the attack surface to it (which could lead to a number of security decisions being made on the wrong location).