New reports suggest that a security flaw in SAP AG’s Afaria mobile device management system could allow hackers to wipe mobile devices, an action that companies normally take only for users who have lost their devices or had them stolen.
“Ordinarily, system administrators send a signed SMS from an Afaria server to lock or unlock a phone, wipe it, request an activity log, block the user, disable the Wi-Fi or obtain location data,” according to Wired.
“But researchers at ERPScan found that the signature is not secure. The signature uses a SHA256 hash composed from three different values: the mobile device ID, or IMEI; a transmitter ID, and a LastAdminSession value.”
The transmitter ID isn’t hard for hackers to obtain, and it is paired with a LastAdminSession timestamp that can be chosen at random. The remaining step is obtaining the phone number or International Mobile Station Equipment Identity (IMEI), and according to the report it is quite feasible for hackers to guess the IMEI.
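To make the weakness concrete, here is an added illustration that is not the article’s, ERPScan’s or SAP’s code and does not reproduce Afaria’s real message format (the field order and the “|” separator are assumptions): an unkeyed SHA-256 over the three values is recomputable by anyone who knows them, whereas a keyed HMAC under a server-held secret, combined with the server checking that LastAdminSession matches the session it actually recorded, is not.

```python
import hashlib
import hmac
import secrets


def _message(imei: str, transmitter_id: str, last_admin_session: str) -> bytes:
    # Field order and separator are assumed for this demonstration only.
    return f"{imei}|{transmitter_id}|{last_admin_session}".encode()


def weak_signature(imei: str, transmitter_id: str, last_admin_session: str) -> str:
    """Unkeyed SHA-256 over the three values, as the article describes.
    No secret is involved, so any party holding the inputs gets the same digest."""
    return hashlib.sha256(_message(imei, transmitter_id, last_admin_session)).hexdigest()


def keyed_signature(key: bytes, imei: str, transmitter_id: str, last_admin_session: str) -> str:
    """HMAC-SHA256 under a secret only the management server holds."""
    return hmac.new(key, _message(imei, transmitter_id, last_admin_session), hashlib.sha256).hexdigest()


def verify_command(key: bytes, expected_session: str, imei: str, transmitter_id: str,
                   last_admin_session: str, signature: str) -> bool:
    """Server-side check: the session value must equal the one the server recorded,
    so it cannot be picked at random, and the MAC is compared in constant time."""
    if last_admin_session != expected_session:
        return False
    expected = keyed_signature(key, imei, transmitter_id, last_admin_session)
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    # Constructed sample values, not real device or server data.
    imei, tx, session = "490154203237518", "tx-0001", "2015-10-01T12:00:00Z"
    server_key = secrets.token_bytes(32)
    legit = keyed_signature(server_key, imei, tx, session)
    wrong_key = keyed_signature(b"not the server key", imei, tx, session)
    other = "1999-01-01T00:00:00Z"
    return {
        # Two parties with only the public inputs reach the identical unkeyed digest.
        "unkeyed_recomputable": weak_signature(imei, tx, session) == weak_signature(imei, tx, session),
        "legit_accepted": verify_command(server_key, session, imei, tx, session, legit),
        "wrong_key_rejected": not verify_command(server_key, session, imei, tx, session, wrong_key),
        "random_session_rejected": not verify_command(
            server_key, session, imei, tx, other, keyed_signature(server_key, imei, tx, other)),
    }


if __name__ == "__main__":
    print(demo())
```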
“Because the vulnerability is in the management system, not a phone’s operating system, it affects all mobile operating systems used with the Afaria server—Windows Phone, Android, iOS, BlackBerry and others,” according to Wired.
“Afaria is considered one of the top mobile device management platforms on the market, and ERPScan estimates that more than 130 million phones would be affected by the vulnerability. The ERPScan researchers presented their findings last week at the Hacker Halted conference in Atlanta, but say many companies who use the Afaria system did not get the message.”
Wired compares this flaw to the Stagefright vulnerability, which affected only Android devices through a malicious text message. This one, however, has the potential to affect a much larger range of mobile platforms and their devices. If a hacker wipes a consumer’s phone, the information may be lost completely; if not, it could take days to restore what the hackers destroyed, according to the report.
Read the full story.