Earlier this week, I talked to the director of security at a Fortune 500 company. The company recently suffered a breach caused by malware. This news is not earth-shattering; virtually every large organization has been hacked at one time or another, with malware being a top culprit. What is surprising, though, is the company’s drastic response to the breach. After trying to detect cyber-threats with various security tools for years—with limited success—the company decided to eliminate leading conduits for malware. They are shutting down access from the corporate network to social media sites like Facebook, Twitter and Tumblr. The company’s InfoSec team determined that their employees were falling prey to automated attacks distributed over social networks. And their employees are not alone. In January 2015, more than 110,000 Facebook users were infected with a Trojan masquerading as an Adobe Flash update. One of the reasons that the Fortune 500 company decided to cut off social media sites altogether was because they couldn’t inspect the traffic. Today, nearly every social media site—from Facebook and LinkedIn to Twitter and Tumblr—encrypts its traffic. What’s more, an increasing number of these apps are using certificate pinning to lock down communications and prevent government snooping.
The Rise of Certificate Pinning
Today, attackers can exploit the certificate trust model to intercept encrypted traffic, because a TLS client accepts a certificate for any site as long as it chains to one of the many root CAs in the device's trust store. For example, malware can install a rogue root CA certificate on a device; once that root is trusted, the malware or a malicious proxy can present its own certificate for any site and eavesdrop on the "encrypted" session. Hardware manufacturers have shipped devices with an extra root CA preinstalled (and, in the case of the Superfish adware found on some Lenovo laptops in early 2015, with the same private key on every machine), and certificate authorities (CAs) can be compromised or tricked into issuing certificates for domains the requester does not control. Each case abuses the same weakness: one rogue or compromised root undermines trust in every site. Recent headlines indicate that the certificate trust model is broken.
How Certificate Pinning Works
Because of these risks, many application owners are implementing certificate pinning to verify the identity of their application servers independently of the device's trust store. Certificate pinning prevents fraud and Man-in-the-Middle (MitM) attacks by validating that the server's certificate, or more commonly the public key inside it, matches a value "pinned" into the application at build time; a certificate that chains to a trusted root but carries a different key is rejected. Pinning the hash of the public key (the SubjectPublicKeyInfo) rather than the whole certificate lets the server renew its certificate without breaking the app, and shipping a backup pin for a spare key avoids locking users out if the primary key must be replaced. Many popular mobile apps, including business and social media apps, use certificate pinning.
Security Black Holes Created by Certificate Pinning
While certificate pinning improves user privacy, it also exposes a gap in corporate defenses. Enterprise TLS inspection works by having a proxy terminate the connection and re-sign the server's certificate with an enterprise CA that is pushed into every managed device's trust store; a pinned app rejects that re-signed certificate because its key does not match the pin, so the connection fails rather than being inspected. Traditional security controls like firewalls therefore cannot decrypt TLS traffic from pinned apps. As a result, Data Loss Prevention (DLP) platforms cannot detect when employees share confidential data through mobile apps, and Advanced Threat Protection (ATP) solutions cannot detect malware sent in mobile apps. The full spectrum of network security solutions loses visibility into these flows; certificate pinning creates a black hole in organizations' defenses. As more and more apps add certificate pinning, security-conscious organizations have to decide whether to block this traffic or let it through their firewalls uninspected. Many will undoubtedly choose to allow it, but they will be opening themselves up to attack. Others, like the InfoSec team at the Fortune 500 company that I spoke to, will choose to block this traffic. On April 19, I will host a session at BSidesSF and I’ll propose an alternative way to inspect this traffic. In my session, "Stick a Pin in Certificate Pinning: How to Inspect Mobile Traffic and Stop Data Exfiltration," I will discuss how attackers can use certificate pinning to bypass security controls. I will also suggest creative ways to help InfoSec teams regain visibility into mobile apps that use certificate pinning. If you are in San Francisco, please be sure to attend.
About the Author: Gopal Jayaraman is the CEO and co-founder of Sierraware. He established Sierraware with the goal to supply rock-solid and full-featured virtualization and security software to enterprises all over the world. Prior to Sierraware, Gopal was a Senior Software Architect at Cavium Networks. Gopal previously served as the CTO of Menlo Logic, an SSL VPN company that was acquired by Cavium in 2005. Gopal is also an active participant in the IETF community and an expert in Android security technology. To find out more about Sierraware and Virtual Mobile Infrastructure, visit Sierraware’s site. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.