An Introspection On Intro Security
by Bishop Fox, on Nov 1, 2013 2:03:48 AM
We would like to thank everyone who read our original LinkedIn Intro blog post and those of you who spent extra time examining the security and privacy issues at hand. A couple of more interesting analyses pointed out to us are from Jordan Wright and Troy Hunt – they do a great job of exploring Intro in more detail. In particular, Troy was able to put in words our thoughts on “speculation” better than we could have ourselves.
We’ve also been in touch with Cory Scott, Senior Manager of Information Security at LinkedIn, and really appreciate him taking the time to reach out to us to discuss the issues we’ve brought up in our previous blog post "LinkedIn ‘Intro’duces Insecurity." It’s upon the strength of our relationship with Cory and the open nature in which our teams have been able to exchange ideas that we want to share this update with our readers. Moreover, we’d like to thank Cory for his professionalism and dedication to being a force for good.
A New Hope
Since our original post, we’ve had some more time to further our analysis of LinkedIn’s Intro, and we would like to offer a few clarifying points:
1. The installation of Apple configuration profiles.
We previously mentioned that “Intro works by pushing a security profile to your device…A profile can be used to wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things.” In response, LinkedIn had this to say:
“We do not change the device’s security profile in the manner described in a blog post that was authored by security firm Bishop Fox on Thursday.”
Indeed, Intro does not change your existing profile(s) – nostra culpa. But it does install a new one. Intro installs a new profile, and new profiles can be configured to take administrative actions on your phone; a common use for Apple configuration profiles is for enterprises to track and remotely control mobile devices. Having said that, the Intro profile that we looked at did not perform nefarious actions, it simply installed a certificate, a shortcut, and a mail account. However, we would be remiss not to advise users and organizations to consider the risk of installing third party configuration profiles, which are powerful things that have the potential to be a phantom menace for your device’s security.
In brief, we found that the LinkedIn Intro configuration profile was not inherently malicious, excluding the fact that it reroutes your email through LinkedIn. Seeing as that’s a design issue where we and LinkedIn fundamentally differ on opinion, we shall leave final judgment to the reader.
2. Hardened attack surface, penetration testing, and the use of SSL/TLS encryption.
In the fourth and tenth bullet points of our original blog post, we raised questions about the implementation of Intro, particularly in relation to security assessments and encryption of data. LinkedIn responded to our blog with several points on this matter:
• All communications use SSL/TLS at each point of the email flow between the device, LinkedIn Intro, and the third-party mail system.
• We performed hardening of the externally and internally-facing services and reduced exposure to third-party monitoring services and tracking.
• Our internal team of experienced testers also penetration-tested the final implementation, and we worked closely with the Intro team to make sure identified vulnerabilities were addressed.
At the time of our original post, there was a darth of information about the exact steps LinkedIn had taken to secure Intro, but they clarified. In our own analysis, we verified that Intro’s email servers do indeed require SSL/TLS encryption, credentials and data are not transmitted between iPhones and Intro unencrypted, and there were no thermal exhaust ports. This is good and confirms LinkedIn’s statements.
With LinkedIn being a prime target for attack, it’s important to recognize the value of taking the right steps to secure a service like Intro. With the threat of hackers, one always wonders will the battle endor will it continue, but we’ve found it’s best to be proactive. Cory and his team have done this.
Revenge of the SSLv2
We also examined the “hardened” Intro SSL implementation to determine which protocols and ciphers were supported. We found that SSLv2 was enabled on two Intro servers: imap.intro.linkedin.com and smtp.intro.linkedin.com:
SSLv2, Cipher is DES-CBC3-MD5
SSLv2, Cipher is RC2-CBC-MD5
SSLv2, Cipher is RC4-MD5
SSLv2, Cipher is RC4-MD5
SSLv2 is known to be insecure. In fact it’s a violation of many standards and guidelines, such as PCI DSS, to allow SSLv2. We always suggest using strong encryption. Against the large scale, government-backed spying, it may help. It may be your only hope.
Earlier we mentioned that we were able to conduct more in-depth testing against the application and that both teams have learned a great deal from this exchange, including this issue we shared with LinkedIn. Cory and his team at LinkedIn were real troopers, and they stormed in to remediate the issue within four hours of our reporting it. At the time of writing, the Intro servers no longer support SSLv2. Take that, NSA!
Credit should be given to LinkedIn’s security team for their steps in addressing some of the questions and concerns we raised about Intro, and we wish more companies would mirror this attitude toward security. We admire infosec teams who are agile and adaptable and we hope LinkedIn continues to look further into their application to ensure it meets their users’ security and privacy expectations.
For our readers, we encourage them to continue to ask the remaining difficult questions, and determine if they’re willing to trade the privacy of their emails for the features offered by Intro. Nothing is gained without something given.