Core Security has introduced mobile device testing and measurement in the latest version of its Core IMPACT penetration testing software. Version 12 also improves Core's integration with the popular open source Metasploit Framework pen-testing tool.
Mobile phones, which have been hyped for years as a coming major attack vector, have become a hot-button security issue. Smartphones, capable of both cellular and Wi-Fi connectivity, have grown more powerful and capable of storing large amounts of data. They are commonly used to access corporate email and other standard business applications.
In addition to managed phones, chiefly BlackBerry devices, enterprises are embracing the use of privately owned devices, particularly the iPhone and, increasingly, Android. Attackers can potentially retrieve data or, more likely, read corporate email and/or use the victim’s account to pose as a legitimate user to conduct spear-phishing attacks within the enterprise.
Core Impact Pro v12 allows penetration testers to exploit critical exposures by:
The new release also uses social engineering techniques to test user awareness and trust on mobile devices. Testing techniques include phishing emails and texts; Web form impersonation; fake wireless access points; and man-in-the-middle attacks.