The smartphone-based attack wreaks havoc on Android and iOS smartphones.

by Dan Goodin - July 26 2012




An image from Peter Hannay's Thursday presentation at the Black Hat security conference.
Peter Hannay

If you use an Android or iOS device to connect to a Microsoft Exchange server over WiFi, security researcher Peter Hannay may be able to compromise your account and wreak havoc on your handset.

At the Black Hat security conference in Las Vegas, the researcher at Edith Cowan University's Security Research Institute in Australia described an attack he said works against many Exchange servers operated by smaller businesses. Android and iOS devices that connect to servers secured with a self-signed secure sockets layer certificate will connect to servers even when those certificates have been falsified.

"The primary weakness is in the way that the client devices handle encryption and do certificate handling, so it's a weakness in SSL handling routines of the client devices," Hannay told Ars ahead of his presentation on Thursday. "These clients should be saying that the SSL certificate really doesn't match, none of the details are correct. I won't connect to it."

Hannay has developed an attack that uses a WiFi network to implement a rogue server with a self-signed certificate, rather than one issued by a trusted certificate authority. Vulnerable devices on the same network that try to connect to their regular Exchange server won't reach that intended destination. Instead, they will initiate communications with Hannay's imposter machine.

The use of an SSL certificate to protect an Exchange server is designed to preclude precisely this kind of man-in-the-middle attack. Devices are supposed to connect only if the certificate bears a valid cryptographic key certifying the service is valid. But that's not what always happens, the researcher said.

Android devices that connect to an Exchange server with a self-signed certificate will connect to any server at its designated address, even when its SSL credential has been spoofed or contains invalid data. iOS devices fared only slightly better in Hannay's tests: They issued a warning, but allowed users to connect anyway. Microsoft Windows Phone handsets, by contrast, issued an error and refused to allow the end user to connect.
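
What refusing a changed self-signed certificate looks like on the client side, as an added example that is not from the article or from Hannay's presentation: a trust-on-first-use pin check in Python. The names `check_pin` and `connect_pinned` and the host `mail.example.test` are hypothetical, and the certificate bytes in `demo` are constructed stand-ins for DER data.

```python
import hashlib
import hmac
import socket
import ssl

class CertificateChanged(Exception):
    """The server's certificate differs from the one pinned for this host."""

def fingerprint(der_cert: bytes) -> str:
    return hashlib.sha256(der_cert).hexdigest()

def check_pin(pins: dict, host: str, der_cert: bytes) -> str:
    """Return 'enrolled' on first use, 'match' afterwards; raise on any change."""
    seen = fingerprint(der_cert)
    pinned = pins.get(host)
    if pinned is None:
        pins[host] = seen  # first contact; confirm this value out of band
        return "enrolled"
    if hmac.compare_digest(pinned, seen):
        return "match"
    raise CertificateChanged(f"{host}: pinned {pinned[:16]}, presented {seen[:16]}")

def connect_pinned(pins: dict, host: str, port: int = 443) -> ssl.SSLSocket:
    """Open TLS to a self-signed server, refusing it before any data is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no CA chain to verify; the pin is the check
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        check_pin(pins, host, tls.getpeercert(binary_form=True))
    except CertificateChanged:
        tls.close()                  # hard failure, no "connect anyway" path
        raise
    return tls

def demo() -> list:
    """Run the pin check over constructed byte strings standing in for DER certs."""
    pins, host = {}, "mail.example.test"
    original = b"constructed-cert CN=mail.example.test key=A"
    replaced = b"constructed-cert CN=mail.example.test key=B"
    results = [check_pin(pins, host, original), check_pin(pins, host, original)]
    try:
        results.append(check_pin(pins, host, replaced))
    except CertificateChanged:
        results.append("refused")
    return results

if __name__ == "__main__":
    print(demo())
```

The check runs on the same connection that would carry the credentials, so a certificate swapped in after enrollment is rejected before anything is sent over it.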

Once a phone connects to a rogue server used in Hannay's experiments, a script he wrote issues a command to remotely wipe its contents and to restore all factory settings. He said it's also possible to retrieve the login credentials users need to sign in to their accounts. Hannay said a malicious hacker could then use that information to log in to the legitimate account.

"It's really simple and that's what's disturbing to me," Hannay said. "The whole attack is just 40 lines of Python and most of that is just connection handling."

As stated earlier, the attack works only against phones that have connected to an Exchange server secured by a self-signed SSL certificate. Hannay said most organizations with fewer than 50 people use such credentials, rather than paying to have a certificate signed by a recognized certificate authority.

Google and Apple didn't respond to an e-mail seeking comment for this article. A Microsoft representative said members of the company's Exchange team are looking into the report.