Australian security researcher Peter Hannay has demonstrated a security vulnerability when popular smart phones are used over Wi-Fi networks to connect to Exchange servers using ActiveSync.
Ars Technica reports:
Hannay has developed an attack that uses a Wi-Fi network to implement a rogue server with a self-signed certificate, rather than one issued by a trusted certificate authority. Vulnerable devices on the same network that try to connect to their regular Exchange server won’t reach that intended destination. Instead, it will initiate communications with Hannay’s imposter machine.
In effect, because Peter controls the Wi-Fi network itself, he is able to trick the mobile device into connecting to his rogue server. At that point the security vulnerability is exposed.
Android devices that connect to an Exchange server with a self-signed certificate will connect to any server at its designated address, even when its SSL credential has been spoofed or contains invalid data. iOS devices fared only slightly better in Hannay’s tests: They issued a warning, but allowed users to connect anyway.
Microsoft’s current smart phone OS doesn’t expose the same vulnerability.
Microsoft Windows Phone handsets, by contrast, issued an error and refused to allow the end user to connect.
And this is where the serious risks become clear.
Once a phone connects to a rogue server used in Hannay’s experiments, a script he wrote issues a command to remotely wipe its contents and to restore all factory settings. He said it’s also possible to retrieve the login credentials users need to sign in to their accounts. Hannay said a malicious hacker could then use that information to log in to the legitimate account.
Although the researcher only mentions this attack working against devices that are connecting to Exchange servers with self-signed certificates, my thought is that it may also work against servers with certificates issued by private certificate authorities. On that assumption, the weakness is two-fold:
- the behavior of Android and iOS when they encounter an untrusted certificate
- the behavior of users when they ignore or accept certificate warnings (this one is difficult to stamp out: many users have been trained to ignore the warnings when companies are too cheap to buy a proper SSL certificate)
Windows Phone has the right approach in this situation in that it will simply not allow the user to connect. Does this make Windows Phone the most secure mobile device OS?
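The three client behaviours described above, reproduced against a local stand-in for the rogue server, as an added example that is not part of this post or of Hannay's work: a "lax" client that accepts any certificate, a "strict" client that fails closed on an untrusted one, and a "pinned" client that trusts an explicitly provisioned private CA, which is how a private-CA deployment should be handled instead of accepting self-signed certificates blindly. The hostname and certificate are constructed, and the openssl command-line tool is assumed to be installed.

```python
import os, socket, ssl, subprocess, tempfile, threading
HOST = "mail.example.invalid"  # constructed name standing in for the real Exchange server

def make_self_signed_cert(directory, cn=HOST):
    # Throwaway self-signed cert via the openssl CLI: the rogue server's credential (constructed).
    key, crt = os.path.join(directory, "key.pem"), os.path.join(directory, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", f"/CN={cn}", "-addext", f"subjectAltName=DNS:{cn}",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt

def start_rogue_server(key, crt):
    # Serve the self-signed cert on localhost; only the handshake matters, so close right after it.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    def loop():
        while True:
            conn, _ = lsock.accept()
            try:
                ctx.wrap_socket(conn, server_side=True).close()
            except (ssl.SSLError, OSError):
                pass  # a strict client aborts the handshake: the outcome we want to see
    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()[1]

def try_connect(port, mode, cafile=None):
    # 'lax': accept anything (Android, as reported); 'strict': system roots, no override
    # (Windows Phone, as reported); 'pinned': strict, but trusting a provisioned private CA/cert.
    if mode == "pinned":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx = ssl.create_default_context()
        if mode == "lax":
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=HOST):
                return "connected"
    except ssl.SSLCertVerificationError:
        return "refused: untrusted certificate"

def demo():
    # Run all three client policies against the rogue server and report each outcome.
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed_cert(d)
        port = start_rogue_server(key, crt)
        return {m: try_connect(port, m, crt) for m in ("lax", "strict", "pinned")}
```

Only the lax client completes the handshake with the untrusted certificate; the pinned client shows that a private CA can be supported without giving up verification.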
It will be interesting to see how Google and Apple respond to this, or whether Microsoft can come up with a way to provide Exchange customers with a method for preventing the attack.