SAP Afaria vulnerability: One SMS to wipe and lock 130m+ mobile devices of enterprises

Atlanta, GA – September 17, 2015 Dmitry Chastuchin, director of research at ERPScan, presented details of critical vulnerabilities in SAP Afaria (Mobile Device Management solution) at the HackerHalted security conference in Atlanta. These issues can be exploited to obtain control over all mobile devices associated with a company via the Internet, as well as wipe and lock them via one SMS message. These issues were scheduled to be presented at the BlackHat APAC conference in March, but SAP was not able to release updates in time and the talk was revoked.

Mobile device management solutions are intended to secure organizations and establish strong BYOD policy. Typically, MDM solutions consist of a server component, which sends out management commands to the mobile devices, and a client component. The recent research revealed that solutions which should secure systems are the weakest points and put systems at risk of cyberattacks.

SAP’s Afaria platform is the most popular MDM solution and the leader in the 2014 Enterprise Mobility Management, Forrester Wave said. According to the latest available information, 6300 enterprise customers use this solution to manage 130m+ mobile devices. Government entities also use this solution (for example, Afaria is implemented in the U.S. Census Bureau to manage about 150K devices).

SAP Mobile Security

Here are details of 2 most critical issues demonstrated at the conference.

SAP Afaria Vulnerability 1: One SMS to wipe all information from mobile devices

The most critical one, authorization bypass vulnerability, allows to send out administrative SMS messages from Afaria server to mobile phones. These messages can be used to control the phone remotely: wipe, lock, disable Wi-Fi and so on. To prevent those messages from spoofing, secure signature is used. But in fact, to falsify the administrative messages what an attacker should know is only phone IMEI number.

To exploit the vulnerability, a malicious insider has to find phone numbers of personnel (an enterprise portal usually provides this information). The IMEIs of employees’ devices are also required to perform the attack. Some publicly available tools can sniff radio signals to gather IMEI, but there is an easier way. Usually, companies buy a batch of mobile devices, so their IMEIs are almost the same, only a few characters are different. This fact facilitates bruteforcing. So, knowing his or her IMEI, one can find out IMEIs of other employees’ devices, generate the signature and send administrative messages to each mobile phone in the organization. There are several commands which can be executed to clean up data and lock devices. Even under the most optimistic scenario, the information was backed up, but the company will be paralyzed for days or even weeks.

Unfortunately, solutions intended to secure organizations often put them at risk. The MDM solution that manages all company mobile devices is an attractive target for hackers. Our research revealed that this target is easy to achieve. Millions of mobile devices may be compromised.

–Alexander Polyakov, CTO at ERPScan, says.

SAP Afaria Vulnerability 2: One single packet to take control over all devices via the Internet

Another vulnerability can be exploited remotely via the Internet just by scanning for particular service of MDM solution. The vulnerability is a Stored XSS issue in an administrative console of MDM Solution. This service is often exposed to the Internet as mobile devices should have remote access to the MDM solution. It’s not a common XSS issue that websites usually contain but a stored XSS. It means that by sending a packet to a server port, an attacker injects malicious JavaScript code into MDM console. When an administrator logs into this console, attacker’s JavaScript code is executed automatically, and the malicious person takes control over all mobile devices. Thus, he can send malwares to all mobile devices to steal critical data or simply lock them.

Nowadays we are witnessing an increasing number of issues in SAP mobile applications. In 2013, we published the world-first vulnerability in SAP Mobile applications, in 2014 SAP closed 21 vulnerabilities, and in 2015, 16 vulnerabilities in mobile platform have already been reported.

– Dmitry Chastuchin adds.

If an attacker gets control over an employee’s mobile device, not only MDM solution is compromised. Business applications (such as ERP, CRM, HR, BI, and others) are highly connected that allows attackers to escalate privileges in the network easily, thus he gets access to corporate systems which store and process all mission-critical data.

ERPScan recommends that all Afaria customers apply patches and configure securely SAP Mobile Platform components.

Other SAP Afaria vulnerabilities discovered by ERPScan research team:

Slides: SAP Afaria Security. One SMS to hack a company