It Is Time To Free The Sandbox!
Did you know that you are not allowed to independently evaluate the integrity of your own iPhone & Android devices?
One of the main challenges today is that current iOS and Android sandbox restrictions enable attackers to have a significant edge over defenders.
Specifically, some of the key challenges facing defenders include the following:
Lack of permissions enables attackers to hide.
Once a security team identifies a compromised asset (through available logs, DNS, or other methods), sandbox restrictions mean there is no legitimate mechanism to extract the malware, payload or exploit used by the attackers.
Defenders need to spend significant investigation time attempting to break into the operating system in order to analyze it, and by that time, advanced attackers are capable of erasing their footprints.
Discovering 0-day vulnerabilities and creating the associated exploits in order to analyze devices is not feasible for most organizations and security professionals. Furthermore, relying on 0-day exploits may delay and even hinder the investigation, and it places researchers and digital forensics experts in a predicament: either perform responsible vulnerability disclosure (making the relevant mobile platform safer) and lose their ability to investigate, or keep the 0-day private in order to retain the capability to analyze compromised devices and attacks.
The time it took Jeff Bezos to analyze his device may have been sufficient for the attackers to delete all traces.
Image credits: Jeff Bezos - Seattle City Council from Seattle
We would like to ask OEM vendors to provide greater transparency and to enable malware investigations without requiring investigators to hack into the device, especially for devices with microphone, camera and Internet access.
In addition, various companies specialise in developing commercially available hacking tools that allow their customers to break into devices remotely. Unfortunately, whilst some vendors may sell their hacking technology only to legitimate entities, the availability of such tools on the open market inevitably leads to nefarious operators getting hold of them and leveraging them for illegitimate purposes, such as compromising the devices of journalists, researchers, think tanks, venture capitalists, doctors, senior executives, and human rights activists. This predicament has been emphasized by multiple examples of remote attacks on both iOS and Android platforms in the last few years.
For the avoidance of doubt, we do not advocate piracy. We also do not request persistent access to a device. Instead, we encourage OEM vendors to enable the Digital Forensics and Incident Response (DFIR) community to properly inspect modern iPhone and Android devices without the need to hack into them.
Raise awareness
The FreeTheSandbox initiative aims to raise awareness of this issue and ultimately change the current situation. Device vendors should collaborate with security researchers and incident handlers to bring attention to the required adjustments. There are more than three billion smartphones in use today, with a common restriction that incident handlers and security researchers are not allowed to inspect and analyze attacks on them. The purpose of this collaboration is therefore to build a safer ecosystem for analysis and investigations.
Although we are currently covering only mobile phones, we see this as a wider problem. We would love to work with device vendors and offer our help to enable seamless DFIR analysis in order to achieve greater security of these devices. Should you wish to contribute and collaborate, feel free to contact us at info@FreeTheSandbox.org
What do we want
Once users decide to analyze their own devices, they should have read-only access to the entire filesystem and, ideally, full access to the device's memory. This elevated access should be granted only after the PIN code has been entered, and it should be revocable by a reboot.