Windows Phone apps without the Phone

TV ads promote Windows apps over 'Phone' branding

C-C-C-Changes

Windows Phone OS to drop 'Phone' from name, lose Nokia

More Windows Phone Threshold rumors?

Alcatel could release a Windows Phone tablet

Windows Phone vs BlackBerry

UK Windows Phone users may go above BlackBerry's

Windows Phone News

5.8 million Lumia smartphones sold this last quarter

From the Forums

What made you buy Windows Phone in the first place?

WPCentral News

Are you buying a new Windows Phone soon or waiting for new hardware?

Editorials

iOS App Store vs Windows Phone Store in 2014 – How do they compare?

Microsoft News

Microsoft's planned surprise today was indeed another Android smartphone dubbed Nokia X2

Microsoft News

Microsoft's secret list of Android patents revealed by Chinese government

Windows Phone News

Watch the full response as to why Microsoft is considering Cortana for iOS and Android

Microsoft News

Touch-friendly version of Office reportedly headed to Android before Windows 8

New Apps

Hotel Tonight app debuts on Windows Phone

Windows Phone News

Lumia 630 now available in Russia, Lumia 930 up for pre-order

Microsoft News

Motorola Solutions (the other Motorola) signs licensing agreement with Microsoft

How To

How to share your Windows Phone's internet - whether or not your carrier wants you to

Developers

Microsoft opens up OEM portal, build your own Windows Phone

Developers

Microsoft to host new Publish Windows developer days with awesome prizes

Microsoft News

Microsoft and Dell enter new patent deal for Xbox, Android and Chrome

Rumors

HTC rumored to be building a Windows Phone version of the new Android flagship

< >
34

Windows Phone dodges Black Hat 2012 certificate vulnerability bullet - other smartphones not so lucky...

WP Central Padlock

A recent paper presented at Black hat 2012 by Peter Hannay has demonstrated a vulnerability in how iOS and Android deal with certificates whilst operating with an Exchange Server. The good news in this report is that Peter was unable to trick Windows Phone 7.5 devices using the same methods.

Using a man in the middle attack combined with a generic fake certificate, they were able to gain some traction in sending a command to iOS and Android devices to commence a device wipe. When devices are connected via Active Sync they commit to accepting certain responsibilities, one of the most important and sensitive of which is the wipe command. They tested off two sets of Exchange 2010 servers. One running with a self-signed certificate, a very common configuration for small business and another using a certificate from a trusted certificate signing authority.

Android devices accepted the fake certificate and wiped with no user interaction or warning on the Exchange server that was operating using a self-signed certificate. The Android device would not wipe whilst connected to the trusted certificate-holding server.

WP Central

On both the self-signed and trusted certificate servers, iOS rolled over and wiped the device in both instances, only displaying a new certificate warning white flag whilst doing so. In both cases, a normal user would likely accept the certificate warning. You know, users do that kind of thing to get on with their lives.

Windows Phone on the other hand would not accept the new certificate in either case and would need to have one manually installed for such an attack to be possible. Hopefully these papers will lead to a strengthening of security on Android and iOS devices. In the meantime, we hope that more companies would wake up to the benefits of Windows Phones. Whilst we certainly do not wish to see any ill come of this, we can at least gloat about our platform being a little more savvy when it comes to accepting gifts from strangers over Wi-Fi pineapples?

Want to read more about Wi-Fi Pineapples? Need a place to vent some steam at the injustice of certificate signing authorities? The comments are open for business; we look forward to your contribution!

Source: Blackhat 2012; via WP Sauce

9
loading...
0
loading...
305
loading...
0
loading...

Reader comments

Windows Phone dodges Black Hat 2012 certificate vulnerability bullet - other smartphones not so lucky...

34 Comments

Android has its goods but accepting a fake certificate is something I expected as I seen many fake apps/pirate markets work with no problems, on the other hand shame on iOS.

It worked on Froyo and then again on Honeycomb. If it when from 2.3 to 4.0 which is a couple years of OS dev, what makes you think 4.1 would be much different? 4.1 is an upgrade to 4.0 equivalent to WP 7.5 upgraded to 7.8. Its still the same kernel, just new features with a new look and feel. I bet it still works on jelly bean too, just a guess though.

I have a problem about this... At work I have an Exchange Server with certificate self-signed and Windows Phone doesn't allow me to access to my server? How can I do? Thank you!

A third-party full certificate from GoDaddy for Exchange (multi-domain) is like $80/year. Small business or not, do it right and sign it properly. It makes life so much easier for your users, and it guarantees you're protected for Android and Windows Phone.

Hey there. You have to manually install the certificate. I had to do the same thing with the company I work for. In my case, a link to the certificate is available online. I just clicked, downloaded and installed. Your IT dept. should be able to provide you a similar link. Good luck!

Siri: You got an email from the Prince of Nigeria. He says if you wipe your phone, he'll deposit $1,000,000.00 into your bank account. I went ahead and did that for you. Goodbye.

funny, after i recieved my WP i kinda freaked out about how i have to install a cert and everything. Now, i know why :P

Professionals everywhere: BlackBerry is not the only secure system. And Microsoft has a few other advantages and tools like this Office thing that might be handy....

I assume that SSL is not enough so what can I do to make my Galaxy Nexus more secure thus less vulnerable to a possible attack like this?

I'm a Windows Phone / Microsoft fan. I own a Nokia Lumia 800. I work as an IT admin and there is nothing but Windows on the network (barring 3 Linux appliances). Exchange 2010, Win Serv 2010 R2.

Right, that's out of the way.

For this "hack" to work, the attacker has to:-

A) Poison a DNS server to direct web requests to the fake Exchange Server.
B) Go through the hassle of setting up a fake certificate or more elaborately, trick a certificate authority into issuing them with a cert they shouldn't have.
C) Guess the target company's internal domain name (assuming they're using domain\username format of authentication)
D) Guess the username of each user(could be determined via security logs / firewall activity I suppose)
E) Most hilariously, guess the passwords of the victims, because unless both ends agree on the credentials used, no connection can occur. Please, someone point out a method of extracting a password from an authentication attempt, otherwise this is non-news.

Andriod fanboys are invading.  Time to wipe them. But really as average user, this means crap to me. Lol.