MiTM Attacks Against Mobile Devices

Normally when one thinks of MiTM (Man In The Middle) attacks over wireless802.11 protocols, thoughts of ARP Poisoning and Wifi-Pineapples come to mind. Traditionally these attacks were conducted against laptops using embedded wireless functionality. Now that most mobile phones and tablet devices have Wifi capabilities in addition to access to their cellular networks, they have added themselves to the list of potential victims.


Wifi only devices, such as Google Android tablets and Apple Ipads, are particularly at risk to these kinds of attacks, especially in public environments such as airports.

If you use an Android or iOS device to connect to a Microsoft Exchange server over WiFi, security researcher Peter Hannay a PhD student, researcher and lecturer based at Edith Cowan University in Perth Western Australia has taken readily available security tools and prepared a rather damaging MiTM attack targeting mobile devices over WiFi.

The purpose of this attack is to impersonate an application the mobile device is attempting to connect to (MS Exchange Server in this case). Once the connection is established, the bogus Exchange Serve sends provisioning commands back to the device. Among commands that can be sent is the option to remotely wipe the device of its data.

How it works:

The attacker would enable their wifi-pineapple or similar platform to perform DNS spoofing and offer up a self-signed SSL certificate to clients that connect to i. This would prompt the connecting victim to accept this bogus certificate and make the connection. Unfortunately most end users aren’t particularly security savvy, click through the warning message, and are then subjected to what the attacker has in store for them. In this case, possibly the issuance of a command to remotely wipe the device.

The future does not look particularly bright for mobile device owners. Pending research is attempting to add the implementation of an open source software protocol library with the objectives of emulating the ActiceSync protocol and serving as a translation layer between mobile MS Exchange clients and other types of servers. This could ultimately provide such nefarious activities as retrieving data from the mobile device such as address books, contacts, emails, calendar entries and similar data using remote backup facilities or pushing policy to the phone and change configuration options such as what server the device wants to communicate with by default. There are, however, mobile hacking and security training classes available to help people learn countering techniques (and other attack techniques).

This attack is not viewed as a flaw in MS Exchange Server or the client software, according to Microsoft, but a flaw in the implementation of the aforementioned client in the Google Android and Apple iOS mobile operating systems. One has to at least question the trust model that is in place. The server component goes through great measures to ensure that a trusted client and end user is connecting while the client doesn’t follow suit. Microsoft Windows Phones are not vulnerable to this attack.

About the Author

Anthony Williams is the founder of IT security consulting firm, IRON::Guard Security, LLC. Anthony is an active member of the hacking and forensics community, he teaches advanced hacking courses for an international training leader (TrainACE) and is a noted speaker and contributor to major security publications.



Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.