Double-edged sword – Mobile Device Management remote management feature

The remote management features of an MDM are supposed to make it easy for companies to wipe a device when it is lost or stolen. But a vulnerability discovered in a popular MDM used by thousands of businesses to manage employee mobile phones would allow an attacker to wipe a CEO’s phone clean, steal the phone’s activity log, or determine the executive’s location, researchers say.
This shows that if remote management is not securely designed and implemented, the same feature can be misused against the devices it is meant to protect.
The attack involves an authentication bypass vulnerability in SAP AG’s Afaria MDM, which is used by more than 6,300 companies. Ordinarily, system administrators send a signed SMS from an Afaria server to lock or unlock a phone, wipe it, request an activity log, block the user, disable Wi-Fi or obtain location data.
Researchers found that the signature is not secure. The signature is a SHA256 hash composed from three values: the mobile device ID, or IMEI; a transmitter ID; and a LastAdminSession value. An attacker can easily obtain the transmitter ID simply by sending a connection request to the Afaria server over the Internet, and the LastAdminSession—a timestamp indicating the last time the phone communicated with the Afaria server—can be a random timestamp. The only things the attacker then needs are someone’s phone number and IMEI (International Mobile Station Equipment Identity). Phone numbers can be obtained from web sites or business cards, and an attacker can determine the IMEI of a device by sniffing phone traffic at a conference or outside a company’s office using a home-made stingray-like device. Since IMEI numbers are often sequential for corporations that purchase phones in bulk, it is possible for an attacker to guess the IMEIs of other phones belonging to a company simply by knowing one.
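The design flaw the article describes is a "signature" that contains no secret: every input to the hash is either public or chosen by the sender. The following Python is an added illustration (not code from the article or from SAP) contrasting that keyless construction with an HMAC under a per-device secret provisioned at enrollment; the field order, separator and sample values are assumptions, not Afaria's real wire format.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demonstration; not real device or server data.
IMEI = "356938035643809"
TRANSMITTER_ID = "tx-0042"


def _message(imei: str, transmitter_id: str, last_admin_session: str) -> bytes:
    # Field order and separator are assumed for illustration only.
    return f"{imei}|{transmitter_id}|{last_admin_session}".encode()


def weak_signature(imei: str, transmitter_id: str, last_admin_session: str) -> str:
    """Keyless SHA-256 over the three values the article names.
    No secret is involved, so anyone who knows the inputs computes the same value."""
    return hashlib.sha256(_message(imei, transmitter_id, last_admin_session)).hexdigest()


def weak_verify(imei: str, transmitter_id: str, last_admin_session: str, signature: str) -> bool:
    """Device-side check as the article describes it: LastAdminSession comes from the
    message itself, so any timestamp is accepted as long as the hash matches."""
    return hmac.compare_digest(weak_signature(imei, transmitter_id, last_admin_session), signature)


def keyed_signature(key: bytes, imei: str, transmitter_id: str, last_admin_session: str) -> str:
    """Hardened variant: HMAC-SHA256 under a secret shared only by server and device."""
    return hmac.new(key, _message(imei, transmitter_id, last_admin_session), hashlib.sha256).hexdigest()


def keyed_verify(key: bytes, imei: str, transmitter_id: str, last_admin_session: str, signature: str) -> bool:
    # Note: the key stops forgery; binding last_admin_session to the device's own
    # record of its last session would additionally stop replay of old commands.
    return hmac.compare_digest(keyed_signature(key, imei, transmitter_id, last_admin_session), signature)


def demo() -> dict:
    """Compare both schemes when a party holds only the public inputs (IMEI, transmitter ID)."""
    session = "2015-04-01T09:30:00Z"  # arbitrary; the weak check does not bind it to anything
    # Keyless scheme: a third party's computation is identical to the server's.
    third_party_sig = weak_signature(IMEI, TRANSMITTER_ID, session)
    weak_accepts = weak_verify(IMEI, TRANSMITTER_ID, session, third_party_sig)
    # Keyed scheme: only server and device hold the enrollment key.
    device_key = secrets.token_bytes(32)
    server_sig = keyed_signature(device_key, IMEI, TRANSMITTER_ID, session)
    return {
        "weak_accepts_third_party": weak_accepts,
        "keyed_accepts_server": keyed_verify(device_key, IMEI, TRANSMITTER_ID, session, server_sig),
        "keyed_accepts_third_party": keyed_verify(device_key, IMEI, TRANSMITTER_ID, session, third_party_sig),
    }
```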
Please read the full article on this at url
