LAS VEGAS -- The best-laid plans, and the seeds for a sweet hack, are sometimes sown over a few drinks.
Peter Hannay, a researcher based at Edith Cowan University in Perth, Australia, recalled a conversation over a few cold ones with a client who was curious what an attacker could do should they pwn an Exchange Server. Patiently, Hannay explained that bad things could happen and a lot of things could get broken: an attacker would be able to push policy updates and a lot more.
"How about pushing a remote wipe command to every mobile device connected to Exchange?" the client asked.
More from Black Hat 2012
For all the news, analysis, commentary and video interviews from Las Vegas, visit SearchSecurity.com's Black Hat 2012 special coverage page.
At that moment, the wheels began to turn for Hannay. Surely an attacker who was to gain direct access to Exchange could issue any command via policy change they desired. But since Exchange is a network service, Hannay wondered, perhaps there would be a way to duplicate the service and issue commands.
With help from some willing students and faculty, Hannay learned the answer is "yes" to all of the above. Thursday at the 2012 Black Hat Briefings, Hannay described the technique he and his cohorts developed to issue remote wipe commands against Apple iOS and Android devices, taking advantage of an SSL handling weakness in both platforms. Ironically, Windows-based phones were immune to his attack.
"This could ruin a lot of days," Hannay said.
Hannay had believed SSL would intervene, and the attack would never work.
"At the very least, we're not going to get a trusted certificate for any random connection to our server. And surely, SSL on the device would also prevent us from receiving a connection," Hannay said. "I also figured some Exchange security, or shared secrets between Exchange and the device would step in."
Hannay's attack does not exploit a vulnerability in Exchange. Instead, it takes advantage of a weakness in the way Android and iOS devices handle SSL certificates. Hannay was able to run a man-in-the-middle attack using the popular Wi-Fi Pineapple tool and a self-signed SSL certificate, which both devices accepted, with only slight interference on iOS. Windows phones would not connect to the phony server. Once the user checked email from the device, a short Python script written by Hannay would execute, sending a remote wipe command to the phone, and the phone would reset itself to factory settings.
Hannay said that to mitigate the flaws, Apple and Google must implement fixes to their respective platforms. Both companies have been notified.
It's been a bad 12 months for digital certificates. A breach at Dutch certificate authority (CA) DigiNotar last fall was the most egregious misstep. More than two dozen CA servers were breached and hundreds of forged certificates were signed against 20 different domains. Microsoft, Google and Mozilla quickly announced they'd deemed DigiNotar certificates untrustworthy and blocked them. The CA eventually filed for bankruptcy protection.
Hannay, meanwhile, plans to explore where he can apply his hack next, hinting it could be used to steal data or penetrate remote backup or sync features.
"I think it should be possible," he said.