Title

Exchanging demands: Weaknesses in SSL implementations for mobile platforms

Document Type

Conference Proceeding

Publisher

Security Research Institute, Edith Cowan University

Faculty

Faculty of Health, Engineering and Science

School

School of Computer and Security Science/ECU Security Research Institute

RAS ID

16138

Comments

This article was originally published as: Hannay, P. , Carpene, C. R., Valli, C. , Woodward, A. J., & Johnstone, M. N. (2013). Exchanging Demands: Weaknesses in SSL Implementations for mobile platforms. In Proceedings of the 11th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia, 2nd-4th December, 2013 (pp. 42-48). Perth, Australia. Security Research Institute, Edith Cowan University. Original article available here

Abstract

The ActiveSync protocol’s implementation on some embedded devices leaves clients vulnerable to unauthorised remote policy enforcement. This paper discusses a proof of concept attack against the implementation of ActiveSync in common Smart phones including Android devices and iOS devices. A two‐phase approach to exploiting the ActiveSync protocol is introduced. Phase 1 details the usage of a man‐in‐the‐middle attack to gain a vantage point over the client device, whilst Phase 2 involves spoofing the server‐side ActiveSync responses to initiate the unauthorised policy enforcement. These vulnerabilities are demonstrated by experiment, highlighting how the system can be exploited to perform a remote factory reset upon an Exchange‐integrated Smart phone.

Access Rights

Article freely accessible. ECU conference series.

Share

 
COinS