Dave Hartley, Group Technical Director
3 mins read
As part of the research, vulnerabilities were identified that could be used to compromise the applications and devices serving such applications. The attack vector relied on an adversary being able to capture and manipulate internet requests, so an adversary looking to achieve a compromise would be required to be in the vicinity of their target (for example in the same coffee shop or bar).
This reliance on proximity makes attacks at scale difficult, and if attacks are difficult to scale, the return on investment is minimized. The ability to capture and manipulate data upstream, such as when it traverses telecommunications or ISP networks, is not one possessed by many threat actors, further limiting the exposure to a much smaller threat group.
However, if an adversary were able to compromise the mobile advertising network itself, such an endeavor would potentially be much less challenging but offer the reward of being a much more scalable attack vector.
The Weakest Link
Targeted attackers will often compromise weak links in an organization’s supply chain to achieve their end goal. A breached organization may not always be the end target, but merely a stepping stone towards achieving an ultimate goal. Hence, it would not be unreasonable to consider a breach of a mobile advertising network as being an effective stepping stone towards a much greater ambition.
Many of the vulnerabilities discovered and disclosed by F-Secure Consulting in mobile applications and advertising networks software development kits are still prevalent. However, even without the vulnerabilities in the mobile applications and/or the software development kits being present, the ability to push code of the attackers’ choosing to millions of mobile devices is a very useful capability. For instance, it can be leveraged to target known and undisclosed mobile device vulnerabilities that can provide remote control of phones and tablets.
The mobile Pwn20wn competition, which F-Secure Consulting enters annually, is a good example of undisclosed vulnerabilities being present in modern devices that could potentially be leveraged to achieve many adversarial goals.
In addition, this site provided by Android also provides useful statistical analysis with regards to how many devices are in use today that are running old and vulnerable versions of the platform’s operating system.
Should an adversary breach a mobile advertising network, therefore, they may find themselves in a position to attack and compromise many mobile devices at scale – a scary prospect. While we still do not know the extent of the RevMob breach, it is certainly food for thought.
How comfortable do you feel that an advertising network has the ability to execute code on your device? Code that has been proven to have features and vulnerabilities that can be used to collect a wealth of data, transmits it insecurely, uses its privileges to track your movements, profile you, listens to you and profits from this directly or by selling your data on to unknown third parties? Code that can also be used by adversaries to compromise and control your mobile phone and/or tablet completely?