论文信息 - Exchanging Demands: Weaknesses in SSL Implementations for Mobile Platforms

Exchanging Demands: Weaknesses in SSL Implementations for Mobile Platforms

The ActiveSync protocol’s implementation on some embedded devices leaves clients vulnerable to unauthorised remote policy enforcement. This paper discusses a proof of concept attack against the implementation of ActiveSync in common Smart phones including Android devices and iOS devices. A two‐phase approach to exploiting the ActiveSync protocol is introduced. Phase 1 details the usage of a man‐in‐the‐middle attack to gain a vantage point over the client device, whilst Phase 2 involves spoofing the server‐side ActiveSync responses to initiate the unauthorised policy enforcement. These vulnerabilities are demonstrated by experiment, highlighting how the system can be exploited to perform a remote factory reset upon an Exchange‐integrated Smart phone.

[1] Stefan Poslad,et al. Ubiquitous Computing: Smart Devices, Environments and Interactions , 2009 .

[2] Yan Li,et al. Market structure, regulation and the speed of mobile network penetration , 2012 .

[3] Peter James,et al. The Mobile Execution Environment: A Secure and Non-Intrusive Approach to Implement a Bring You Own Device Policy for Laptops , 2012 .

[4] Richard N. Clarke. Expanding Mobile Wireless Capacity: The Challenges Presented by Technology and Economics , 2013 .

[5] Richard J. Enbody,et al. Targeted Cyberattacks: A Superset of Advanced Persistent Threats , 2013, IEEE Security & Privacy.