Security Experts:

Black Hat Keynote: Mobile Platforms 'Actively Obstructing' Zero-Day Malware Hunters

Prominent security practitioner Matt Tait kicked off the annual Black Hat security conference Wednesday with a call for platform vendors to make major technology changes to help cope with the surge in mobile zero-days and supply chain attacks.

Tait, an outspoken researcher who has held stints at Google’s Project Zero and the U.K.’s GCHQ intelligence agency, said mobile platforms must immediately start providing improved “on-device observability” to help defenders cope with ongoing in-the-wild zero-day attacks.

“There's an enormous amount of exploited zero-day being detected in the wild and no device observability. This should be a wake-up call to all of the platform vendors.  It’s deeply disturbing that we know that there's massive amounts of zero-day being exploited against mobile platforms and we have no forensics on devices in order to collect this data,” Tait said.

[ Related: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits ]

The Corellium COO explained that on-device observability is necessary before, during and after an intrusion to help incident responders understand the true scale of an advanced attack.

“When you discover a new threat actor, one of the first things [an incident responder] will do is they will go back and will look at an enormous pile of Windows binaries, and they will say, do any of these other binaries show similar artifacts because, maybe that's malware that's been used in the past.”

“Maybe there are other pieces of malware [associated with a threat actor]. This helps with attribution. It helps with detection. It helps with working out who the victims are, and it increases the cost of the attacker that these systems exist. They should exist on mobile, but they don't,” Tait declared.

Even worse, Tait accused mobile platform vendors of “actively obstructing” any attempts at accessing security features and data from devices.

“The problem at the moment is the platform vendors in the mobile space are actively obstructing some of the security features that we need. One of these is the ability to scan apps. We should be able to scan all applications in a given app store,” he declared.

“We can 'kind of' do this on the Play Store on Google Android, but we really can't do that on iOS at the moment,” he added.

[Related: The Big SolarWinds Supply Chain Hack ]

“It should also be possible to install security agents on mobile devices and also do forensics. And this should be both post-compromise and also in anticipation of compromise,” Tait said, arguing that mobile systems have been specifically designed to prevent malware scanning tools.

Even beyond mobile platforms, Tait said big technology providers must take the lead in helping to thwart major supply chain attacks like the ones that hit SolarWinds, CodeCov and Kesaya.

"Supply chain infections can only be fixed by platform vendors. The government is not coming to save you,” Tait declared, insisting that tech providers need to aggressively “de-privilege applications,” break permissions to entitlements, and impose auditing requirements on highly-permissioned apps.

Even as the U.S. government is aggressively pushing ahead with mandatory security requirements to handle software supply chain problems, Tait insists these issues cannot be fixed by bureaucrats in federal agencies.

“I think the first thing to point out is the government is not going to fix [supply chain security issues]. This isn't going to get fixed by a collection of international organizations. It's not going to be fixed by a consortium of governments. The only way to tackle supply chain intrusions at the scale that's needed is to fix the underlying technology,” Tait added.

The real fix, Tait insists, is for platform vendors to automate trust throughout computing but he acknowledges the problems will remain in place because technology changes sometimes conflict with “substantial business interests.” 

Related: Sophisticated APT Group Burned 11 Zero-Days in Mass Spying Operation

Related: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

Related: For Microsoft, Security is a $10 Billion Business

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends. He is a regular speaker at cybersecurity conferences around the world. Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Follow Ryan on Twitter @ryanaraine.