2014-02-18 09:30 AM
I am wondering if anyone out there knows how, or has figured out if, Security Analytics can detect the use of jailbroken/rooted mobile devices on your network?
I am assuming there would be something in the metadata that you can latch on to, but I haven't been able to find it just yet.
Thanks
2014-02-18 11:18 AM
Great question - someone is crafting an answer and should have some good thoughts for you later today.
2014-02-18 02:02 PM
My guess is that the First Watch team will have more to add; however, off the top of my head I can think of a few different vectors to look for the presence (or soon-to-be presence) of a rooted device. One, you could look for the actual jailbreak utility downloads. This simply shows a user downloading a tool intended to jailbreak their phone. The second way would be to look for user agents for mobile browsers that you know don't belong on your network. That would probably be the least efficient way, but if you have a BYOD policy already, it may work for you. A third way would be to look for instances of hosts accessing the Cydia app repository (or any other app repository popular for rooted devices).
2014-02-18 05:35 PM
Last I checked, user agents have zero bearing on whether the phone is rooted, as it would be stupid if they changed user agent strings for something as trivial as rooting a phone.
That being the case, the only way to know if a phone is rooted is via a client on the phone that can actually check the internal options for su access, etc.
2014-02-18 05:54 PM
I agree, the user agent by itself has zero to do with whether a phone is rooted. I meant to imply that if the user agent was something different from what you normally saw (for instance, if somebody was using the Atomic mobile web browser without having the smarts to configure it to pretend to be another mobile browser), it may be indicative of a phone that was not like the others (making the assumption that you're looking for phones that belong to your organization and not really caring whether an outsider's phone was rooted or not). The methods I suggested would just point to a possible intent, with the exception of the Cydia access, which could be browsed by a workstation or by somebody who recently rooted their phone - but that's about the best you could do without having access to the phone itself. I was just trying to exhaust the ways on the wire that you may be able to hone in on a potentially rooted phone.
2014-02-18 05:57 PM
But unless you have SSL decryption, the whole plan is shot down if they go to an SSL version of the site.
2014-02-18 05:58 PM
Touché!
2014-02-18 06:42 PM
But seeing as how SA/NW is more of an investigative platform, you should be looking more at content filtering / Exchange to solve this issue.
2014-02-20 03:30 PM
This is one of those instances where the use case is defined too narrowly. What it seems you are really looking for is "mobile telephony abuse", such as using mobile devices for data exfiltration, unauthorized hotspot access, and the list goes on and on.
Creating custom reports to explore all of the use cases related to mobile telephony - rare user-agent strings, known IPs associated with mobile, visualization of all photographs emailed outbound by mobile phones, and more - will eventually lead to a trove of security violations. And in so doing, you will likely find rooted phones.
The number one way to exfiltrate data is not to use a phone as a thumb drive, but taking photographs of sensitive information - whiteboards, employee payroll spreadsheets, and lots more. I've seen several people get frogmarched due to mobile telephony security violations.
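As an added example (not code from any poster or from the Security Analytics product), here is the kind of "rare user-agent plus repository access" report the thread describes, run over a few constructed proxy log lines. The log format, the repository hostnames and the user-agent strings are all made up for illustration; in practice the hostname list would come from your own threat intel, and, as noted above, none of this sees inside TLS without decryption.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines: "client_ip host "user-agent"". Not real traffic.
SAMPLE_LOG = [
    '10.0.0.11 mail.corp.test "Mozilla/5.0 (iPhone) MobileSafari"',
    '10.0.0.12 mail.corp.test "Mozilla/5.0 (iPhone) MobileSafari"',
    '10.0.0.13 mail.corp.test "Mozilla/5.0 (iPhone) MobileSafari"',
    '10.0.0.11 intranet.corp.test "Mozilla/5.0 (iPhone) MobileSafari"',
    '10.0.0.14 mail.corp.test "Atomic/1.0 (iPhone)"',
    '10.0.0.14 apt.example-cydia.test "ExampleRepoClient/1.0"',
    '10.0.0.12 repo.example-jailbreak.test "Mozilla/5.0 (iPhone) MobileSafari"',
]

# Hypothetical placeholder hostnames for app repositories used by rooted devices.
# Assumption: a real deployment would load a vetted list instead.
REPO_HOSTS = {"apt.example-cydia.test", "repo.example-jailbreak.test"}

LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def repo_access(records):
    """(client_ip, host) pairs where a client contacted a known repository host."""
    return sorted({(r["ip"], r["host"]) for r in records if r["host"] in REPO_HOSTS})


def rare_user_agents(records, max_clients=1):
    """User agents seen from at most max_clients distinct clients (the 'rare UA' report)."""
    clients_by_ua = defaultdict(set)
    for r in records:
        clients_by_ua[r["ua"]].add(r["ip"])
    return sorted(ua for ua, ips in clients_by_ua.items() if len(ips) <= max_clients)


def candidate_hosts(records):
    """Map each client IP to the indicators it triggered, for an analyst to review."""
    reasons = defaultdict(list)
    rare = set(rare_user_agents(records))
    for r in records:
        if r["ua"] in rare:
            reasons[r["ip"]].append("rare-ua:" + r["ua"])
    for ip, host in repo_access(records):
        reasons[ip].append("repo:" + host)
    return {ip: sorted(set(v)) for ip, v in reasons.items()}
```

Each indicator on its own is only a hint of intent, as the thread says; the combined view is what an analyst would actually pivot from.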