Tuesday, 04 December 2012
Smartphone users who remotely check their emails are at risk of online hackers gaining access to their devices, ECU researcher Mr Peter Hannay has found.
Mr Hannay’s new research has found a way to hack in to people’s smartphones by impersonating a Microsoft Exchange server, gaining access to their private information or completely wiping the data from their phone.
A Microsoft Exchange Server is used on many smartphones to check emails. It is the mail server for Microsoft Windows which combines email, calendars and contacts into one system.
“Microsoft Exchange has an interesting relationship with its clients - it demands control over mobile devices through passwords, remote lock out and remote wipe functionality. People hand over the control of their phones to the server, which can then be easily hacked,” Mr Hannay said.
Conducting a series of tests at ECU’s secau Security Research Institute, Mr Hannay was able to impersonate a Microsoft Exchange server, acting as a makeshift man-in-the-middle.
Using the makeshift server, he manipulated the relationship between smartphones and Microsoft Exchange, hacking into a phone, gaining access to private information and deleting all data. .
The flaw, Mr Hannay believes, is the way in which the Microsoft Exchange is set up.
“When emails are synced to your phone you accept the conditions via an initial prompt,” Mr Hannay said.
“Thereafter, whenever the server sends updates or amendments to the phone they are accepted without awareness or permission from the user,” he said.
This research is only the start of further investigation in to man-in-the-middle attacks, leveraging Microsoft Exchange against poorly constructed smartphones.
“At the moment we have a lot of trust in the Microsoft Exchange server. We put faith in them to look after all our data,” Mr Hannay said.
“Initial findings show that the relationship is not at as secure as first thought, putting many of us at risk of attack without even knowing.
“Manipulating the system was really simple to do, which is what I find most disturbing.”
The research is part of an ongoing investigation into the flawed relationship between servers and mobile devices, conducted by Mr Hannay and the team at the secau Security Research Institute.
Mr Hannay is set to present at the secau Security Congress in Perth from 3 to 5 December 2012. His presentation with ECU colleagues, Eavesdropping on the Smart Grid, further looks at the security risks associated with smart grid technologies.