Hack Brief: Mobile Manager’s Security Hole Would Let Hackers Wipe Phones

Source: National Cyber Security – Produced By Gregory Evans

Remote management systems for mobile phones are supposed to make it easy for companies to wipe a device clean if it gets lost or stolen. But a vulnerability discovered in a popular remote management system used by thousands of businesses to manage employee mobile phones would allow an attacker to wipe a CEO’s phone clean, steal the phone’s activity log, or determine the executive’s location, researchers say.

The Hack

The hack involves an authentication bypass vulnerability in SAP AG’s Afaria mobile management system used by more than 6,300 companies. Ordinarily, system administrators send a signed SMS from an Afaria server to lock or unlock a phone, wipe it, request an activity log, block the user, disable the Wi-Fi or obtain location data. But researchers at ERPScan found that the signature is not secure.

The signature uses a SHA256 hash composed from three different values: the mobile device ID, or IMEI; a transmitter ID; and a LastAdminSession value. An attacker can easily obtain the transmitter ID simply by sending a connection request to the Afaria server over the Internet, and the LastAdminSession—a timestamp indicating the last time the phone communicated with the Afaria server—can be a random timestamp. The only thing the hacker […]
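Why a plain hash over non-secret values does not authenticate a command, shown next to a keyed alternative. This is an added example, not code from the article, SAP or ERPScan; the field order, separator, sample values, the per-device key, the command field and the 300-second freshness window are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values. Field order, separator and encoding are assumptions;
# the article only names the three inputs to the hash.
IMEI = "000000000000000"
TRANSMITTER_ID = "TX-EXAMPLE"

def unkeyed_tag(imei: str, transmitter_id: str, last_admin_session: int) -> str:
    """Scheme as the article describes it: SHA-256 over three non-secret values."""
    data = f"{imei}|{transmitter_id}|{last_admin_session}".encode()
    return hashlib.sha256(data).hexdigest()

def verify_unkeyed(imei, transmitter_id, last_admin_session, tag) -> bool:
    # Recomputing a digest proves knowledge of the inputs, not who sent the message.
    expected = unkeyed_tag(imei, transmitter_id, last_admin_session)
    return hmac.compare_digest(expected, tag)

def keyed_tag(key: bytes, imei: str, command: str, issued_at: int) -> str:
    """Hardened variant (assumption): HMAC-SHA256 under a per-device enrollment key."""
    data = f"{imei}|{command}|{issued_at}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_keyed(key, imei, command, issued_at, tag, now, max_age=300) -> bool:
    # Reject stale or future-dated commands before checking the MAC.
    if not 0 <= now - issued_at <= max_age:
        return False
    return hmac.compare_digest(keyed_tag(key, imei, command, issued_at), tag)

def demo() -> dict:
    key = os.urandom(32)   # hypothetical secret held only by server and device
    now = 1_700_000_000    # constructed clock value
    sent = now - 10
    outsider = unkeyed_tag(IMEI, TRANSMITTER_ID, 12345)  # no secret involved
    server = keyed_tag(key, IMEI, "lock", sent)
    other_key = keyed_tag(os.urandom(32), IMEI, "lock", sent)
    old = keyed_tag(key, IMEI, "lock", now - 3600)
    return {
        "unkeyed_accepts_outsider": verify_unkeyed(IMEI, TRANSMITTER_ID, 12345, outsider),
        "keyed_accepts_server": verify_keyed(key, IMEI, "lock", sent, server, now),
        "keyed_rejects_wrong_key": verify_keyed(key, IMEI, "lock", sent, other_key, now),
        "keyed_rejects_changed_command": verify_keyed(key, IMEI, "wipe", sent, server, now),
        "keyed_rejects_stale": verify_keyed(key, IMEI, "lock", now - 3600, old, now),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The keyed variant still needs replay protection inside the freshness window, for example a per-device counter, which is left out here to keep the contrast on the missing secret.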
