A recent paper presented at Black hat 2012 by Peter Hannay has demonstrated a vulnerability in how iOS and Android deal with certificates whilst operating with an Exchange Server. The good news in this report is that Peter was unable to trick Windows Phone 7.5 devices using the same methods.
Using a man in the middle attack combined with a generic fake certificate, they were able to gain some traction in sending a command to iOS and Android devices to commence a device wipe. When devices are connected via Active Sync they commit to accepting certain responsibilities, one of the most important and sensitive of which is the wipe command. They tested off two sets of Exchange 2010 servers. One running with a self-signed certificate, a very common configuration for small business and another using a certificate from a trusted certificate signing authority.
Android devices accepted the fake certificate and wiped with no user interaction or warning on the Exchange server that was operating using a self-signed certificate. The Android device would not wipe whilst connected to the trusted certificate-holding server.
On both the self-signed and trusted certificate servers, iOS rolled over and wiped the device in both instances, only displaying a new certificate warning white flag whilst doing so. In both cases, a normal user would likely accept the certificate warning. You know, users do that kind of thing to get on with their lives.
Windows Phone on the other hand would not accept the new certificate in either case and would need to have one manually installed for such an attack to be possible. Hopefully these papers will lead to a strengthening of security on Android and iOS devices. In the meantime, we hope that more companies would wake up to the benefits of Windows Phones. Whilst we certainly do not wish to see any ill come of this, we can at least gloat about our platform being a little more savvy when it comes to accepting gifts from strangers over Wi-Fi pineapples?
Want to read more about Wi-Fi Pineapples? Need a place to vent some steam at the injustice of certificate signing authorities? The comments are open for business; we look forward to your contribution!
Source: Blackhat 2012; via WP Sauce
Use GroupMe? You're finally going to get this long-overdue feature
Beta versions of GroupMe on iOS, Android, and Windows 10 are finally gaining a past-due feature: the ability to delete messages. The feature is now live for Windows Insiders and those enrolled in the beta programs. Such a feature would be necessary if GroupMe is to become a more extensive public social network.
Call of Duty: Warzone gets a new look in Season 3
The third season of Call of Duty: Black Ops Cold War is here, and with it comes the biggest change to Call of Duty: Warzone yet. A new map, new locations, and more are here for players to experience.
I'm learning how to make Xbox and PC games, and you can too
I've been learning to make video games in Unity for Xbox and PC, and it's not as scary (or as expensive) as you might think. Here's how you can hop on the game dev train with yours truly.
Play Microsoft Flight Simulator 2020 on the go with these gaming laptops
You don't require a desktop PC to truly enjoy Microsoft Flight Simulator 2020. We've rounded up some fine gaming laptops, like the excellent Razer Blade 15, that will more than happily let you take to the skies without a desk.