Mobile offices and working from home have become integral parts of today's business world. But as the flexibility increases, so do the risks for companies: Any unsecured end device can potentially compromise sensitive data or serve as a gateway for cyberattacks. As mobile devices often have direct access to internal systems and company resources, effective mobile device management (MDM) is essential. Companies must ensure that all devices are centrally managed, protected and used in compliance with security requirements. This is the only way to minimize security risks and ensure uninterrupted business operations.
We spoke to our colleague Benedikt Müller from usd HeroLab to find out whether MDM solutions in companies can be made more secure through an audit and/or a pentest.

Benedikt, what exactly is Mobile Device Management (MDM)?
MDM refers to the central management of mobile devices used in a company. Security policies and profiles can be used to ensure that certain configurations are active, guaranteeing a company-wide minimum level of security for basic settings. Deviations can be identified, end devices can be blocked or users can be prompted to adjust settings.
Several providers offer such mobile device management solutions. One popular option is integration into an existing cloud infrastructure, for example using Microsoft Intune. The software used usually contains a component that is installed on the client side, for example as an iOS app, on the managed end devices. These MDM solutions usually offer a wide range of configuration options. However, this creates scope for errors or deficits with regard to the security of the devices. At the same time, deficiencies in a policy implemented via MDM can also potentially jeopardize the security of all end devices.
How can these security vulnerabilities in MDM solutions be closed?
The MDM profiles should be reviewed as part of a configuration audit. We compare the settings provided in the profile with common standards and assess the severity of the identified deviations individually. We identify problems and security vulnerabilities and give recommendations as to which settings should be implemented instead.
How exactly are MDM audits conducted?
In preparation, we need access to the exports of the company's existing MDM policies. Alternatively, we need read access to the software in which the MDM is configured. Of course, we make all preparations for the audit with our customers in a kick-off meeting before the start of the project.
As part of the MDM audit, the MDM guidelines are specifically compared with recognized standards and best practices. Using Microsoft Intune as an example, this comparison can be based on benchmarks from the Center for Internet Security (CIS). An example of a deviation from the recommendations of the CIS benchmarks is the approval of iOS devices with a so-called jailbreak. A jailbreak makes it possible to bypass all restrictions imposed by Apple on the device and, for example, install any iOS applications. This overrides many of the security measures implemented by the manufacturer, making the device particularly vulnerable to malware. For this reason, jailbroken devices should not be granted access to company resources. The same also applies to Android devices that have been “rooted”.
Can you give another example?
Another example of an insufficient MDM configuration is to allow any so-called TLS root certificates on the managed mobile end devices. Such certificates are used on the device to verify the authenticity of the data traffic. By default, Android and iOS trust a list of recognized certification authorities. By default, users can extend this list as required. This may be necessary within a company network in order to access internal resources. However, users should not be able to add TLS root certificates on their own. In the worst case, this can lead to attackers in a machine-in-the-middle position (e.g. within an insecure WLAN) being able to read and manipulate any data traffic.
But these are just a few of the possible checks we make during an audit. Other examples of best practices in relation to mobile devices include a sufficiently strong password policy, enforcing encryption of backups or restricting which apps are allowed to access company documents. As a result of the audit, we prepare a final report containing all identified deviations together with specific recommendations for changes. On this basis, companies can adjust their MDM guidelines and thus improve the security level of all managed devices.
Are these audit results enough or do companies need an additional pentest of their MDM solution?
While an MDM audit primarily focuses on analyzing profiles and guidelines, a mobile device management penetration test goes one step further: it checks whether these specifications are implemented correctly by the MDM software.
For example, a pentest can be used to bypass a jailbreak detection provided for in the MDM profile. One possible approach here is to perform the jailbreak only after the device has been successfully registered. Another example is checking whether the applications permitted in the MDM profile allow the extension of user rights or access to sensitive information. We also use common techniques from penetration tests, for example when examining client-side MDM components such as fat clients or apps.
However, compared to an MDM audit, a penetration test of MDM products requires more preparation. For example, it may be necessary to provide special customer hardware in order to properly install and comprehensively test the solution. To summarize, a penetration test is about testing the security of an MDM solution. An audit, on the other hand, is more about looking at the technical setup and settings in order to evaluate and improve them.
And to wrap it up: What do you recommend companies do?
Even if MDM software is often regarded as a standard product and is used by numerous customers, that does not mean that it is free of vulnerabilities. Regular penetration tests as a supplement to an MDM audit are a sensible measure to systematically uncover security gaps in these products. Through our MDM pentests and MDM audits, we can identify vulnerabilities and thus ensure greater transparency with regard to IT security in the company.
Thank you for your time, Benedikt.
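The policy-versus-benchmark comparison that the audit section of the interview describes, as an added illustration that is not part of the interview and not usd HeroLab's own tooling: a small Python script reads a constructed, simplified policy export and reports every deviation with a severity and a recommendation, covering the jailbreak, passcode and user-added root certificate points discussed above. The field names are modelled on Microsoft Graph compliance-policy property names, but the export layout, the threshold values and the userRootCertificatesAllowed key are assumptions made for this example.

```python
import json

# Constructed sample export of an iOS policy. Field names are modelled on
# Microsoft Graph deviceCompliancePolicy properties; the exact layout of a real
# Intune export and the userRootCertificatesAllowed key are assumptions.
SAMPLE_EXPORT = json.loads("""
{
  "displayName": "iOS baseline (constructed sample)",
  "securityBlockJailbrokenDevices": false,
  "passcodeRequired": true,
  "passcodeMinimumLength": 4,
  "passcodeBlockSimple": false,
  "userRootCertificatesAllowed": true
}
""")

# Each check: setting key, predicate the value must satisfy, severity, and the
# recommendation written into the report if the predicate fails. Thresholds
# are assumed benchmark values, not quoted from a specific CIS document.
CHECKS = [
    ("securityBlockJailbrokenDevices", lambda v: v is True, "high",
     "Deny jailbroken/rooted devices access to company resources"),
    ("passcodeRequired", lambda v: v is True, "high",
     "Require a device passcode"),
    ("passcodeMinimumLength", lambda v: isinstance(v, int) and v >= 6, "medium",
     "Require a passcode of at least 6 characters"),
    ("passcodeBlockSimple", lambda v: v is True, "low",
     "Block simple passcodes such as repeated or sequential digits"),
    ("userRootCertificatesAllowed", lambda v: v is False, "high",
     "Do not let users add TLS root certificates; deploy internal CAs via profile"),
]


def audit(policy):
    """Return one finding per deviation: (setting, actual value, severity, advice).
    A setting missing from the export is reported with value None, because an
    unset value means the platform default applies rather than the benchmark."""
    findings = []
    for key, ok, severity, advice in CHECKS:
        value = policy.get(key)
        if value is None or not ok(value):
            findings.append((key, value, severity, advice))
    return findings


def render_report(findings):
    """Format findings as one report line each, e.g. for the final audit report."""
    return "\n".join(f"[{sev.upper():6}] {key} = {val!r}: {advice}"
                     for key, val, sev, advice in findings)


if __name__ == "__main__":
    print(render_report(audit(SAMPLE_EXPORT)))
```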
Our experts at usd HeroLab will be happy to help you plan and carry out a security audit of your mobile device management solution. Contact us for more information.