Windows Phone vs BlackBerry

UK Windows Phone users may go above BlackBerry's

Windows Phone News

5.8 million Lumia smartphones sold this last quarter

From the Forums

What made you buy Windows Phone in the first place?

WPCentral News

Are you buying a new Windows Phone soon or waiting for new hardware?

Editorials

iOS App Store vs Windows Phone Store in 2014 – How do they compare?

Microsoft News

Microsoft's planned surprise today was indeed another Android smartphone dubbed Nokia X2

Microsoft News

Microsoft's secret list of Android patents revealed by Chinese government

Windows Phone News

Watch the full response as to why Microsoft is considering Cortana for iOS and Android

Microsoft News

Touch-friendly version of Office reportedly headed to Android before Windows 8

New Apps

Hotel Tonight app debuts on Windows Phone

Windows Phone News

Lumia 630 now available in Russia, Lumia 930 up for pre-order

Microsoft News

Motorola Solutions (the other Motorola) signs licensing agreement with Microsoft

How To

How to share your Windows Phone's internet - whether or not your carrier wants you to

Developers

Microsoft opens up OEM portal, build your own Windows Phone

Developers

Microsoft to host new Publish Windows developer days with awesome prizes

Microsoft News

Microsoft and Dell enter new patent deal for Xbox, Android and Chrome

Rumors

HTC rumored to be building a Windows Phone version of the new Android flagship

From the Forums

What visual glitches have you discovered in Windows Phone?

Windows Phones

Huawei plans to sell phone running both Android and Windows Phone later this year

Rumors

Microsoft reportedly waiving Windows Phone license fees for some hardware partners

< >
34

Windows Phone dodges Black Hat 2012 certificate vulnerability bullet - other smartphones not so lucky...

WP Central Padlock

A recent paper presented at Black hat 2012 by Peter Hannay has demonstrated a vulnerability in how iOS and Android deal with certificates whilst operating with an Exchange Server. The good news in this report is that Peter was unable to trick Windows Phone 7.5 devices using the same methods.

Using a man in the middle attack combined with a generic fake certificate, they were able to gain some traction in sending a command to iOS and Android devices to commence a device wipe. When devices are connected via Active Sync they commit to accepting certain responsibilities, one of the most important and sensitive of which is the wipe command. They tested off two sets of Exchange 2010 servers. One running with a self-signed certificate, a very common configuration for small business and another using a certificate from a trusted certificate signing authority.

Android devices accepted the fake certificate and wiped with no user interaction or warning on the Exchange server that was operating using a self-signed certificate. The Android device would not wipe whilst connected to the trusted certificate-holding server.

WP Central

On both the self-signed and trusted certificate servers, iOS rolled over and wiped the device in both instances, only displaying a new certificate warning white flag whilst doing so. In both cases, a normal user would likely accept the certificate warning. You know, users do that kind of thing to get on with their lives.

Windows Phone on the other hand would not accept the new certificate in either case and would need to have one manually installed for such an attack to be possible. Hopefully these papers will lead to a strengthening of security on Android and iOS devices. In the meantime, we hope that more companies would wake up to the benefits of Windows Phones. Whilst we certainly do not wish to see any ill come of this, we can at least gloat about our platform being a little more savvy when it comes to accepting gifts from strangers over Wi-Fi pineapples?

Want to read more about Wi-Fi Pineapples? Need a place to vent some steam at the injustice of certificate signing authorities? The comments are open for business; we look forward to your contribution!

Source: Blackhat 2012; via WP Sauce

9
loading...
86
loading...
305
loading...
0
loading...

Comments

There are 34 comments. Sign in to comment

thucbiz2 says:

Is that a huge monitor you're holding the phone in front of?

nizzon says:

The Apples, Androids and most of the press will blame it all on Exchange.

Would be funny if that happened, considering the tester used the same methods on all platforms.

Amazing... Do you have any link of press morons blaming exchange?

nizzon says:

I was suspecting

jdep1 says:

Android has its goods but accepting a fake certificate is something I expected as I seen many fake apps/pirate markets work with no problems, on the other hand shame on iOS.

inteller says:

heh, well I say let's get to wiping those Androids!  That's one way to get rid of that scourge!

That's a terrible idea.

Munkeyphyst says:

Har har... I'll assume this was meant to be funny. It wasn't.

baileystein says:

I don't think was necessary.

cedarlog says:

i'll join you :D

neo158 says:

Go ahead, wipe my Galaxy Nexus. I'll just sign in and get everything back again anyway!!!

larspassic says:

I only ever thought this resulted in ActiveSync headache in a lab setting. Not so! Looks like it is good.

NIST says:

Another reason to love Windows Phone.

cedarlog says:

they should call windows phone 
Secure windows phone castle 

dameon_03 says:

Good to hear. Can't wait have a wp in my hands

baileystein says:

It would be interesting to try this on Jelly Bean. I'm not the tester though :D

jsnod25 says:

It worked on Froyo and then again on Honeycomb. If it when from 2.3 to 4.0 which is a couple years of OS dev, what makes you think 4.1 would be much different? 4.1 is an upgrade to 4.0 equivalent to WP 7.5 upgraded to 7.8. Its still the same kernel, just new features with a new look and feel. I bet it still works on jelly bean too, just a guess though.

Dome85 says:

I have a problem about this... At work I have an Exchange Server with certificate self-signed and Windows Phone doesn't allow me to access to my server? How can I do? Thank you!

A third-party full certificate from GoDaddy for Exchange (multi-domain) is like $80/year. Small business or not, do it right and sign it properly. It makes life so much easier for your users, and it guarantees you're protected for Android and Windows Phone.

teamjawbox says:

Hey there. You have to manually install the certificate. I had to do the same thing with the company I work for. In my case, a link to the certificate is available online. I just clicked, downloaded and installed. Your IT dept. should be able to provide you a similar link. Good luck!

schlubadub says:

Email yourself the certificate (gmail, hotmail etc) and install on your phone

LCARS says:

That's what I like to hear

WinFan1 says:

People get what they pay for I guess

Darkstar1756 says:

Windows Phones are a lot cheaper than iPhones

q21701 says:

Siri: You got an email from the Prince of Nigeria. He says if you wipe your phone, he'll deposit $1,000,000.00 into your bank account. I went ahead and did that for you. Goodbye.

Sumit8 says:

funny, after i recieved my WP i kinda freaked out about how i have to install a cert and everything. Now, i know why :P

snowmutt says:

Professionals everywhere: BlackBerry is not the only secure system. And Microsoft has a few other advantages and tools like this Office thing that might be handy....

bdgamas says:

This can't be true.

schlubadub says:

It's true as it's a pain to install a self-signed cert when you want to!

JNM says:

I assume that SSL is not enough so what can I do to make my Galaxy Nexus more secure thus less vulnerable to a possible attack like this?

mountjl says:

I'm a Windows Phone / Microsoft fan. I own a Nokia Lumia 800. I work as an IT admin and there is nothing but Windows on the network (barring 3 Linux appliances). Exchange 2010, Win Serv 2010 R2.

Right, that's out of the way.

For this "hack" to work, the attacker has to:-

A) Poison a DNS server to direct web requests to the fake Exchange Server.
B) Go through the hassle of setting up a fake certificate or more elaborately, trick a certificate authority into issuing them with a cert they shouldn't have.
C) Guess the target company's internal domain name (assuming they're using domain\username format of authentication)
D) Guess the username of each user(could be determined via security logs / firewall activity I suppose)
E) Most hilariously, guess the passwords of the victims, because unless both ends agree on the credentials used, no connection can occur. Please, someone point out a method of extracting a password from an authentication attempt, otherwise this is non-news.

crooza says:

Andriod fanboys are invading.  Time to wipe them. But really as average user, this means crap to me. Lol.