Impersonating Microsoft Exchange Servers To Manipulate Mobile Devices

Black Hat researcher demonstrates mobile man-in-the-middle proof-of-concept attack that allows for unauthorized remote wipes

Much effort has gone into keeping unauthorized mobile devices away from sensitive corporate resources, but what happens when security researchers turn that model on its head and the attacker is an unauthorized, spoofed server connecting to the mobile device? This Thursday at Black Hat, an Australian researcher will demonstrate a proof-of-concept attack that does exactly that, using a man-in-the-middle position and an impersonated Microsoft Exchange server to trigger unauthorized remote wipes on mobile devices.


The genesis for the research, says Peter Hannay, a PhD student, researcher and lecturer at Edith Cowan University in Perth, Western Australia, was the observation that attacks on mobile Exchange clients don't necessarily need to compromise any service inside the organization if the endpoint devices themselves are unprotected and poorly configured. The initial proof-of-concept Hannay demonstrates is a multi-stage attack.

"The first stage is to entice the mobile device (user) to allow you to establish a man-in-the-middle condition," he says. "The idea being that you're sitting between the server it's trying to talk to and the mobile device itself."

Once the attacker is in that position, a phone that is improperly secured or configured will accept the attacker as its server, letting the attacker impersonate Exchange to the device.

"And one of the commands that you can push down when you're pretending to be a corporate email server is the command to erase all of the data on the device," he says.

According to Hannay, his work shows how lopsided the trust model currently is between mobile endpoints and Microsoft Exchange services. At the moment, he says, all of the authentication in this system focuses on making sure the client is what it says it is and that the user is who he says he is.

"There's generally very little care taken to ensure that you're connecting to the server you think you're talking to," he says. "So it is a very one-way, weighted relationship in the majority of corporate deployments."
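The missing half of that trust relationship is the client checking the server. As an added example (not Hannay's code and not any Exchange client's), the block below shows the checks a sync client should make before acting on anything a server sends, a wipe command included: the TLS context must actually verify the server chain and hostname, the presented certificate must name the host the client intended to reach, and optionally the certificate must match a pinned SHA-256 fingerprint. The certificate dicts, DER bytes and hostnames are constructed placeholders; the dicts follow the shape of Python's `ssl.SSLSocket.getpeercert()` so the same functions could be applied to a real connection.

```python
import hashlib
import ssl

# Constructed sample data (not from the article or any real deployment).
# Shape follows ssl.SSLSocket.getpeercert(); the DER bytes are placeholders.
CORPORATE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
}
CORPORATE_DER = b"-- placeholder DER bytes for mail.example.com --"

# What a man-in-the-middle can present: a certificate it legitimately holds
# for some other name (the CN can say anything; the SAN is what gets checked).
IMPOSTOR_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}
IMPOSTOR_DER = b"-- placeholder DER bytes for the impostor --"


def strict_client_context() -> ssl.SSLContext:
    """A client context that verifies the server chain and its hostname."""
    return ssl.create_default_context()


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration the article warns about: any server is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context will refuse an unverifiable or misnamed server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' only as the whole leftmost label, one label deep."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Match subjectAltName dNSName entries; fall back to CN only without a DNS SAN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(s, hostname) for s in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, the value a client would pin."""
    return hashlib.sha256(der_cert).hexdigest()


def server_is_trusted(ctx, cert, der_cert, expected_host, pinned_sha256=None) -> bool:
    """Decide whether to act on commands from this server (e.g. a remote wipe).

    A client that skips any of these checks will take a wipe command from
    whoever sits in the middle of the connection.
    """
    if not context_authenticates_server(ctx):
        return False  # the TLS layer never checked who we are talking to
    if not hostname_matches(cert, expected_host):
        return False  # valid certificate, wrong server
    if pinned_sha256 is not None and fingerprint(der_cert) != pinned_sha256.lower():
        return False  # chain validated, but not the certificate we expect
    return True
```

The weak context is the one-line change that turns a client into a wipe target: with hostname checking and chain verification off, the impostor's certificate is accepted just as readily as the corporate one. Pinning is optional but is the check that still holds when the attacker has obtained a valid certificate for the right name from a CA the device trusts.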

According to Hannay, the research presented at Black Hat is just the start of further exploration of what man-in-the-middle attacks that impersonate an Exchange server can really do against poorly configured mobile devices.

"What we're looking at employing is emulating and essentially faking much, much more of the service functionality with the idea that eventually we could do things like steal data off mobile devices with this same attack," he says.

This could mean that a connection impersonating the server could potentially access the device's emails, calendar entries, phonebook entries and so on.

"That's when it would change from something very simple to something much more potentially damaging," says Hannay, who will reveal at the show the proof-of-concept, along with configurations and phones vulnerable to the attack.
