At the most recent Black Hat conference, the high-end information security meeting, mobile devices were put to the test with false certificates. Microsoft Exchange allows IT departments to remotely lock or wipe devices, assuming the certificates check out. Well, that’s the theory. According to Peter Hannay, a security researcher, iOS and Android are both susceptible to a Man-in-the-Middle (MitM) attack, allowing a hacker to send a policy update via ActiveSync. Once the policy is accepted – and it must be accepted before the user can access their account – the policy is enacted.
Those policies can dictate things such as screen time-out duration, password complexity, remote wipe and remote lock; all logical things for enterprise IT folk to control. The problem arises when your device mistakenly connects to a false Wi-Fi signal that mimics a trusted one, then tries to access the Exchange server. Once the policy exchange described above goes through, you’re toast. Hannay set up two Exchange servers: one with a self-signed certificate and one with a certificate signed by a trusted Certificate Authority (CA). The new certificates were pushed to the devices with the following results:
As you can see, Android (both 2.3 Gingerbread and 4.0 Ice Cream Sandwich) were automatically wiped with the self-signed certificate, no user interaction required. They fared better on the trusted certificate, displaying an error. iOS 5 was wiped both times, but displayed a certificate error, and Windows Phone 7.5 was not wiped. Hit the source link for the paper from the conference.
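The behaviour the results describe comes down to what an ActiveSync client does with a Provision response before it has confirmed who sent it. The following is an added illustration, not code from the article or from Hannay's paper: a simulated client-side gate that refuses to act on any Provision response (policy settings or a RemoteWipe instruction) unless the TLS channel had a trusted chain, a matching hostname and the certificate fingerprint recorded when the account was enrolled. It assumes the WBXML body has already been decoded to XML, uses element names from the MS-ASPROV Provision schema with namespaces omitted, and the policy key, fingerprints and sample responses are constructed values.

```python
"""Simulated Exchange ActiveSync client-side gate for Provision responses.

Added example, not the article's or Hannay's code. Assumptions: the WBXML
Provision response is already decoded to XML; the client pinned the server's
leaf-certificate SHA-256 at enrollment; namespaces are omitted from element
names (they follow the MS-ASPROV Provision schema).
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET


@dataclass
class TlsChannel:
    """Outcome of the TLS handshake that delivered the Provision response."""
    chain_verified: bool      # chain anchors at a trusted CA (False for self-signed)
    hostname_matches: bool    # leaf certificate matches the configured server name
    cert_sha256: str          # hex SHA-256 of the leaf certificate presented


# EASProvisionDoc settings this client is willing to enforce.
KNOWN_SETTINGS = {
    "DevicePasswordEnabled", "AlphanumericDevicePasswordRequired",
    "MinDevicePasswordLength", "MaxInactivityTimeDeviceLock",
    "MaxDevicePasswordFailedAttempts", "RequireDeviceEncryption",
}


def channel_problems(ch, pinned_sha256):
    """List every reason the channel must not be trusted; empty means trusted."""
    problems = []
    if not ch.chain_verified:
        problems.append("untrusted chain (e.g. self-signed certificate)")
    if not ch.hostname_matches:
        problems.append("certificate name does not match the server")
    if ch.cert_sha256.lower() != pinned_sha256.lower():
        problems.append("certificate differs from the one pinned at enrollment")
    return problems


def parse_provision(xml_text):
    """Return (remote_wipe, settings, policy_key) from a decoded Provision body."""
    root = ET.fromstring(xml_text)
    remote_wipe = root.find(".//RemoteWipe") is not None
    key_el = root.find(".//Policy/PolicyKey")
    policy_key = key_el.text if key_el is not None else None
    settings = {}
    doc = root.find(".//EASProvisionDoc")
    if doc is not None:
        for el in doc:
            if el.tag in KNOWN_SETTINGS:
                settings[el.tag] = el.text
    return remote_wipe, settings, policy_key


def handle_provision(xml_text, channel, pinned_sha256):
    """Decide what to do with a Provision response.

    Returns ("reject", reason), ("wipe", policy_key) or ("apply", settings).
    The body is not even parsed until the channel has passed every check, so
    a wipe arriving over an unverified connection is discarded, not executed.
    """
    problems = channel_problems(channel, pinned_sha256)
    if problems:
        return ("reject", "; ".join(problems))
    remote_wipe, settings, key = parse_provision(xml_text)
    if remote_wipe:
        return ("wipe", key)
    return ("apply", settings)


# Constructed sample bodies (decoded from WBXML) used for the demonstration.
WIPE_RESPONSE = """<Provision>
  <Status>1</Status>
  <RemoteWipe/>
</Provision>"""

POLICY_RESPONSE = """<Provision>
  <Status>1</Status>
  <Policies><Policy>
    <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
    <Status>1</Status>
    <PolicyKey>1307199584</PolicyKey>
    <Data><EASProvisionDoc>
      <DevicePasswordEnabled>1</DevicePasswordEnabled>
      <MaxInactivityTimeDeviceLock>300</MaxInactivityTimeDeviceLock>
      <MaxDevicePasswordFailedAttempts>8</MaxDevicePasswordFailedAttempts>
    </EASProvisionDoc></Data>
  </Policy></Policies>
</Provision>"""

PINNED = "ab" * 32  # placeholder fingerprint recorded at enrollment
# The two channels from the experiment: a self-signed server and a server whose
# certificate chains to a trusted CA but is not the enrolled server's certificate.
SELF_SIGNED = TlsChannel(chain_verified=False, hostname_matches=True, cert_sha256="cd" * 32)
TRUSTED_CA_WRONG_SERVER = TlsChannel(chain_verified=True, hostname_matches=True, cert_sha256="ef" * 32)
LEGIT = TlsChannel(chain_verified=True, hostname_matches=True, cert_sha256=PINNED)

if __name__ == "__main__":
    for name, ch in [("self-signed", SELF_SIGNED), ("trusted CA, wrong server", TRUSTED_CA_WRONG_SERVER), ("legit", LEGIT)]:
        print(name, "->", handle_provision(WIPE_RESPONSE, ch, PINNED))
```

The gate is deliberately ordered so that nothing in the Provision body, and in particular the RemoteWipe element, is looked at until the channel has been verified; a client that parses first and checks afterwards is the pattern that produced the "wiped, but displayed a certificate error" outcome above. The pin on the enrolled certificate is what turns the CA-signed case from "error shown" into "instruction discarded".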