Executive Summary

This report delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an Life Insurance Mobile Application for a prominent bank. 

This case study examines a security lapse within a Life Insurance Mobile Application, highlighting a vulnerability originating from CloudSEK’s supply chain monitoring tool, SVigil. Leveraging this vulnerability, attackers can gain unauthorized access to live user activity and sensitive user information, including personally identifiable information (PII).  

The vulnerability within the internal mobile application used by Life Insurance company agents is the hardcoded IP address pointing to an MQTT server, which allows unauthenticated access to sensitive user data, including real-time snapshots, user statistics, transaction details, and personally identifiable information (PII) such as phone numbers and agent IDs. This exposes users to potential exploitation by attackers who can monitor live user activity and personal messages.

‍

MQTT is a lightweight, publish-subscribe, machine to machine network protocol for message queue/message queuing service.

‍

Step-by-Step Process

• The initial attack vector originates from a supply chain monitoring tool, SVigil.

1. Hardcoded IP Address Vulnerability: The application contains hardcoded IP addresses directing to internal MQTT servers, making them easily accessible to attackers.
2. Unauthenticated MQTT Server: Lack of authentication mechanisms on the MQTT servers allows unauthorized access, enabling attackers to view and manipulate data.

‍

3. Excessive Screen Sharing Permissions: The application requests unnecessary screen sharing permissions, potentially granting attackers access to sensitive user information beyond the intended scope.
4. MQTT Server Data Exposure: Leveraging knowledge of MQTT and Python, attackers exploit vulnerabilities to intercept real-time snapshots of user devices shared over the application's MQTT server.
5. Live User Activity Monitoring: Attackers gain the ability to monitor live user activity, including personal messages, by exploiting vulnerabilities within the MQTT server.
6. PII and Transaction Data Exposure: The application exposes user statistics, transaction data, and personally identifiable information (PII) of agents, including phone numbers and IDs, increasing the risk of unauthorized access and misuse.

Recommendations

• Immediate IP Address Remediation: Remove hardcoded IP addresses from the application code and implement dynamic server discovery mechanisms to enhance security.
• Authentication Mechanisms: Implement robust authentication mechanisms for MQTT servers to prevent unauthorized access and ensure data integrity.
• Reevaluate Screen Sharing Permissions: Review and revise screen sharing permissions to minimize access to sensitive user information and limit potential attack vectors.
• Data Encryption: Encrypt sensitive data transmitted over MQTT servers to protect against eavesdropping and unauthorized access.
• Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities proactively.
• User Education: Provide training and awareness programs for users and agents to enhance security hygiene and prevent inadvertent data exposure.

References

• https://en.wikipedia.org/wiki/Traffic_Light_Protocol
• https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html
• https://www.hivemq.com/mqtt/mqtt-security-fundamentals/

• http://www.steves-internet-guide.com/topic-restriction-mosquitto

‍