Exchanging Demands

Presented at DEF CON 20 (2012), July 28, 2012, 3 p.m. (50 minutes)

Smartphones and other portable devices are increasingly used with Microsoft Exchange to allow people to check their corporate email or sync their calendars remotely. Exchange has an interesting relationship with its mobile clients. It demands a certain level of control over the devices, enforcing policies such as password complexity, screen timeouts, remote lockout and remote wipe functionality. This behavior is usually accepted by the user via a prompt when they first connect to Exchange. However, the protocol for updating these policies provides very little in the way of security, and updates are quickly accepted by the device, often with no user interaction required. In this talk we will focus on the remote wipe functionality and how a potential attacker could abuse it to remotely wipe devices that are connected to Exchange. By impersonating an Exchange server and sending appropriate policy updates through a simple script, we are able to erase all data on devices remotely without any need for authentication. The presentation will explain how this can be accomplished and show proof-of-concept code for Android and iOS devices.

Presenters:

  • Peter Hannay - Security Researcher, PhD Student
    Peter Hannay is a PhD student, researcher and lecturer based at Edith Cowan University in Perth, Western Australia. His PhD research is focused on the acquisition and analysis of data from small and embedded devices. In addition to this he is involved in smart grid and network security research and other projects under the banner of the SECAU research organisation. Peter is an accomplished academic, with more than 20 publications in peer-reviewed conferences and journals. He is also a regular speaker at the Ruxcon and Kiwicon hacker conferences, taking place in Australia and New Zealand respectively. Twitter: @kronicd http://openduck.com