Articles at Ars Technica and Tweakers.net (Dutch) reported that Peter Hannay, an Australian security expert, demoed at the Black Hat conference how Android and iOS devices could be wiped by spoofing the connection to the Exchange server using untrusted SSL certificates:
Android devices that connect to an Exchange server with a self-signed certificate will connect to any server at its designated address, even when its SSL credential has been spoofed or contains invalid data. iOS devices fared only slightly better in Hannay’s tests: They issued a warning, but allowed users to connect anyway. Microsoft Windows Phone handsets, by contrast, issued an error and refused to allow the end user to connect.
For the attacker to succeed, he must be able to spoof the connection. This could easily be achieved by setting up an unsecured Wi-Fi network. Past Black Hat conferences have proven that people tend to connect to unsecured Wi-Fi networks, even if they do not know their origin!
Hannay has developed an attack that uses a WiFi network to implement a rogue server with a self-signed certificate, rather than one issued by a trusted certificate authority. Vulnerable devices on the same network that try to connect to their regular Exchange server won’t reach that intended destination. Instead, they will initiate communications with Hannay’s imposter machine.
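As an added example (not code from this post, from Ars Technica or from Hannay’s demo), here is the client-side validation the affected Android clients skipped, written in Python: a hardened TLS context that refuses certificates not chaining to a trusted CA, plus an inspection of the certificate a server presents so a self-signed or misnamed one is refused. The host names and certificate contents are constructed for illustration; the CA file path is whatever trust store the client is configured with.

```python
import socket
import ssl

def hardened_context(cafile=None):
    # The settings the vulnerable Android clients effectively skipped.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must end at a trusted CA
    ctx.check_hostname = True             # cert must name the host we dialled
    return ctx

def fetch_peer_cert(host, port=443, cafile=None):
    # Raises ssl.SSLCertVerificationError for a self-signed or mismatched cert
    # instead of silently talking to whatever answers on the Wi-Fi network.
    with socket.create_connection((host, port), timeout=5) as sock:
        with hardened_context(cafile).wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _host_matches(pattern, host):
    p, h = pattern.lower(), host.lower()
    if p.startswith("*."):  # a wildcard covers exactly one left-most label
        return h.count(".") == p.count(".") and h.endswith(p[1:])
    return p == h

def inspect_peer_cert(cert, expected_host):
    """Reasons a client must refuse this getpeercert() dict; [] means accept.
    Complements (does not replace) the chain validation in hardened_context()."""
    flat = lambda rdns: {k: v for rdn in rdns for k, v in rdn}
    subject, issuer = flat(cert.get("subject", ())), flat(cert.get("issuer", ()))
    problems = []
    if subject == issuer:
        problems.append("self-signed: issuer equals subject")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = names or [subject.get("commonName", "")]   # legacy CN fallback
    if not any(_host_matches(n, expected_host) for n in names):
        problems.append(f"hostname mismatch: {expected_host} not in {names}")
    return problems

ROGUE_CERT = {  # constructed: what an imposter server with a self-signed cert presents
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),),
}
LEGIT_CERT = {  # constructed: issued by a CA for the real Exchange host
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
}
```

Running `inspect_peer_cert(ROGUE_CERT, "mail.example.com")` reports the self-signed issuer even though the name matches, which is exactly the case the tested Android clients accepted.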
Although the problem doesn’t seem to lie with the Exchange Server, I agree with Paul Cunningham’s point of view: I’m also curious to see how Microsoft will react to these findings.
ActiveSync in the future?
Crappy ActiveSync implementations have always been a thorn in Microsoft’s side. To “force” better implementations they launched the ActiveSync Logo Program. However, it seems the program somehow missed its target…
Although Exchange Server 2013 still supports ActiveSync, Dave Stork reported that Windows 8 still ships with version 14. This might indicate that Microsoft is reducing its effort to further develop ActiveSync. I wouldn’t be surprised if Microsoft is trying to shift away from ActiveSync in the future: that way they don’t have to deal with the problems introduced by poor ActiveSync implementations on mobile devices.
However, I haven’t come across a worthy replacement for it in the Release Preview of Exchange Server 2013 yet… Time will tell, but I’m watching closely to see what’s still to come.