Most corporates still rely on Microsoft Exchange Server for email in the office and on the go, and a vast majority of them use RIM's push email service.
These companies are known to use SSL for IMAP email data exchange, often with 256-bit or 512-bit encryption. Does that mean everything you do via the Exchange email service is secure? Not really; read on to find out.
If you are using an Android or iOS smartphone to connect to a Microsoft Exchange server over WiFi, security researchers like Peter Hannay will be able to hack the hell out of your email and phone.
Each year at the Black Hat conference, insanely brilliant hackers meet in Las Vegas to shake the world of technology with surprises no one saw coming. New attacks on various products and technologies are exposed, leaving millions of users worldwide exposed to vulnerabilities.
The Exchange Hack/Spoof explained
Smartphones connect to Exchange servers over a secure sockets layer (SSL) connection that is frequently protected by a self-signed certificate. The same communication is still possible when those certificates are spoofed.
As the hacker puts it:
“The primary weakness is in the way that the client devices handle encryption and do certificate handling, so it’s a weakness in SSL handling routines of the client devices. These clients should be saying that the SSL certificate really doesn’t match, none of the details are correct. I won’t connect to it.”
The attack developed by the hacker works over WiFi. On a rogue WiFi network, he set up a rogue server with a self-signed certificate that has no relation to any real signing authority. When devices connect to this network and try to fetch email from the Exchange server, they reach the spoofed Exchange server instead of the real one, and from there the hacker captures everything he wants.
This is a typical man-in-the-middle attack. Devices should connect to the spoofed Exchange server only if its certificate bears a valid cryptographic key certifying that the service is genuine.
Security varies by device: different devices have different levels of built-in protection against such attacks. Android devices will connect to any server at the designated address, even when its SSL credential has been spoofed or contains invalid data. iOS devices were only slightly better: they issued a warning but allowed the connection to go through anyway. Microsoft Windows Phone handsets were the best here; they issued an error and refused to let the end user connect.
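The difference between the clients described above comes down to how the TLS client is configured: whether it demands a certificate that chains to a trusted authority and matches the host name, or accepts whatever the server presents. The following Python example is added here for illustration and is not Hannay's code or any vendor's client; it shows the weak client policy beside the strict one, adds a certificate pin check so that even a CA-signed substitute certificate is refused, and issues an ActiveSync OPTIONS request only once both checks pass. The host name, port and pin value are hypothetical placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Hypothetical values (assumptions, not from the article): the organisation's
# mail host and the SHA-256 fingerprint of the certificate it actually deployed.
EXCHANGE_HOST = "mail.example.com"
EXCHANGE_PORT = 443
EXPECTED_PIN = "PLACEHOLDER-PIN-FROM-YOUR-OWN-SERVER"
ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"  # standard Exchange ActiveSync endpoint


def weak_client_context():
    """What the vulnerable clients effectively do: no chain validation and no
    hostname check, so any self-signed certificate is accepted silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_client_context(ca_bundle=None):
    """What a client should do: require a certificate that chains to a trusted
    CA (the system store, or a private CA bundle) and whose name matches the
    host we asked for. A self-signed substitute fails the handshake here."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_policy(ctx):
    """Summarise a context's certificate policy for logging or unit tests."""
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname:
        return "strict"
    return "accepts-any-certificate"


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex,
    the same form most admin tools display so a pin can be copied from them."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_cert, expected_pin):
    """Certificate pinning: reject any certificate other than the one the
    organisation deployed, even if some CA would vouch for it."""
    return hmac.compare_digest(fingerprint(der_cert), expected_pin.upper())


def fetch_activesync_options(host=EXCHANGE_HOST, port=EXCHANGE_PORT,
                             expected_pin=EXPECTED_PIN, ca_bundle=None, timeout=10):
    """Open a strictly validated TLS connection, verify the pin, then send an
    ActiveSync OPTIONS request. Raises ssl.SSLError on any certificate problem
    instead of connecting anyway."""
    ctx = strict_client_context(ca_bundle)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # A spoofed or self-signed certificate raises SSLCertVerificationError here.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, expected_pin):
                raise ssl.SSLError("certificate pin mismatch for %s (got %s)"
                                   % (host, fingerprint(der)))
            request = ("OPTIONS %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
                       % (ACTIVESYNC_PATH, host)).encode()
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    print("weak policy  :", describe_policy(weak_client_context()))
    print("strict policy:", describe_policy(strict_client_context()))
```

Run against a server whose certificate chains to a trusted CA and whose fingerprint matches the pin, `fetch_activesync_options()` returns the HTTP response; against a rogue access point presenting a self-signed certificate the handshake fails before any credential is sent, which is the behaviour the Windows Phone clients in the article exhibit and the others do not.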
Once the device connects to the spoofed Exchange server, Hannay claims that he can:
- decrypt and use the Exchange email username and password
- issue remote commands and take over the smartphone, e.g. perform tasks like a remote wipe
“It’s really simple and that’s what’s disturbing to me,” Hannay said. “The whole attack is just 40 lines of Python and most of that is just connection handling.”
Are you Safe from Exchange Spoof Attack?
The attack works only against phones that have connected to an Exchange server secured by a self-signed SSL certificate. Hannay said this is common in organizations with fewer than 50 people, where they don’t feel it’s necessary to use CA-issued credentials.
Microsoft is working on a fix for the spoof attack.