Blackhat 2012

A recent paper presented at Black hat 2012 by Peter Hannay has demonstrated a vulnerability in how iOS and Android deal with certificates whilst operating with an Exchange Server. The good news in this report is that Peter was unable to trick Windows Phone 7.5 devices using the same methods.

Using a man in the middle attack combined with a generic fake certificate, they were able to gain some traction in sending a command to iOS and Android devices to commence a device wipe. When devices are connected via Active Sync they commit to accepting certain responsibilities, one of the most important and sensitive of which is the wipe command. They tested off two sets of Exchange 2010 servers. One running with a self-signed certificate, a very common configuration for small business and another using a certificate from a trusted certificate signing authority.

More →
3
loading...
0
loading...
0
loading...
0
loading...