So much to-do has been generated around preventing unauthorized mobile devices from accessing sensitive corporate resources, but what happens when security researchers turn that model on its head? What happens when the theoretical attackers use unauthorized, spoofed servers to connect to mobile devices? This Thursday at Black Hat, an Australian researcher will demonstrate a proof-of-concept attack that does exactly that, using a man-in-the-middle connection and an impersonated Microsoft Exchange server to conduct unauthorized remote wipes on mobile devices.
The genesis for the research, says Peter Hannay, a PhD student, researcher and lecturer based at Edith Cowan University in Perth, Western Australia, came from the idea that mobile Exchange attacks don't necessarily need to compromise services in the organization if the endpoint devices themselves are unprotected and poorly configured. The initial proof-of-concept demonstrated by Hannay is a multi-stage attack.
"The first stage is to entice the mobile device (user) to allow you to establish a man-in-the middle condition," he says. "The idea being that you're sitting between the server it's trying to talk to and the mobile device itself."
Once the attacker is in that position, phones that are improperly secured or configured will allow the attacker to impersonate the server.
"And one of the commands that you can push down when you're pretending to be a corporate email server is the command to erase all of the data to the device," he says.
According to Hannay, his work shows how lopsided the trust model currently is between mobile endpoints and Microsoft Exchange server services. At the moment, he says, all of the trust authenticators in this system focus on making sure the client is what it says it is and that the user is who he says he is.
"There's generally very little care taken to ensure that you're connecting to the server you think you're talking to," he says. "So it is a very one-way, weighted relationship in the majority of corporate deployments."
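The one-way trust Hannay describes comes down to whether the mobile client verifies the server's TLS certificate before acting on what the server sends. The following is an added illustration, not code from Hannay's research or from any Exchange client: it contrasts a client-side TLS context that accepts any server certificate (the misconfiguration the attack relies on) with one that requires a valid chain and matching hostname, and adds a certificate-pinning check on top. The function names, the constructed certificate bytes and the pin value are all assumptions made for this example.

```python
import hashlib
import ssl


def make_client_context(verify_server: bool) -> ssl.SSLContext:
    """Build a client TLS context.

    verify_server=True  -> chain validated against trusted CAs and hostname checked
                           (the server must prove who it is).
    verify_server=False -> any certificate accepted; a man-in-the-middle presenting
                           its own certificate would be trusted as "the Exchange server".
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True by default
    if not verify_server:
        # check_hostname must be disabled before verify_mode can be set to CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and checks the hostname."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(cert_der: bytes, expected_fingerprint: str) -> bool:
    """Certificate pinning: accept the server only if its certificate is the one
    the device was provisioned with, regardless of which CA signed it."""
    return cert_fingerprint(cert_der) == expected_fingerprint.lower()


# Constructed stand-in for the DER bytes of the real server certificate a device
# would have recorded at provisioning time (not a real certificate).
PROVISIONED_CERT_DER = b"CONSTRUCTED-EXCHANGE-SERVER-CERT-DER"
PROVISIONED_PIN = cert_fingerprint(PROVISIONED_CERT_DER)


def server_identity_ok(ctx: ssl.SSLContext, presented_cert_der: bytes) -> bool:
    """Combined policy a hardened client would apply before accepting any
    server-initiated command: chain/hostname verification enabled AND the
    presented certificate matches the provisioned pin."""
    return context_verifies_server(ctx) and pin_matches(presented_cert_der, PROVISIONED_PIN)


if __name__ == "__main__":
    lax = make_client_context(verify_server=False)
    strict = make_client_context(verify_server=True)
    impostor_cert = b"CONSTRUCTED-ATTACKER-CERT-DER"  # constructed, not a real certificate
    print("lax context verifies server:   ", context_verifies_server(lax))
    print("strict context verifies server:", context_verifies_server(strict))
    print("strict + genuine cert accepted:", server_identity_ok(strict, PROVISIONED_CERT_DER))
    print("strict + impostor cert accepted:", server_identity_ok(strict, impostor_cert))
```

In a real deployment the pinned fingerprint would be taken from the actual server certificate (via `ssl.SSLSocket.getpeercert(binary_form=True)` after a trusted first connection or from the MDM enrollment profile), and the pin check would run on the certificate presented during the handshake before any ActiveSync command, including a remote wipe, is honoured.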
According to Hannay, the research presented at Black Hat is just the start of further exploration of what man-in-the-middle attacks leveraging Microsoft Exchange against poorly configured mobile devices are really capable of doing.
"What we're looking at employing is emulating and essentially faking much, much more of the service functionality with the idea that eventually we could do things like steal data off mobile devices with this same attack," he says.
This could mean that a connection impersonating the server could potentially access the device's emails, calendar entries, phonebook entries and so on.
"That's when it would change from something very simple to something much more potentially damaging," says Hannay, who will reveal at the show the proof-of-concept, along with configurations and phones vulnerable to the attack.