
Smartphone users at risk of phone hacking

11 December, 2012

Smartphone users who check their email remotely are at risk of attackers gaining access to their devices, ECU researcher Peter Hannay has found.

Hannay’s new research has found a way to hack into people’s smartphones by impersonating a Microsoft Exchange server, gaining access to their private information or completely wiping the data from their phone.

Microsoft Exchange Server is the mail server for Microsoft Windows; it combines email, calendars and contacts into one system, and many smartphones connect to it (via the Exchange ActiveSync protocol) to check email.

"Microsoft Exchange has an interesting relationship with its clients - it demands control over mobile devices through passwords, remote lock out and remote wipe functionality. People hand over the control of their phones to the server, which can then be easily hacked," Hannay said.

Conducting a series of tests at ECU’s secau Security Research Institute, Hannay was able to impersonate a Microsoft Exchange server, acting as a makeshift man-in-the-middle.

Using the makeshift server, he manipulated the relationship between smartphones and Microsoft Exchange, hacking into a phone, gaining access to private information and deleting all data.

The flaw, Hannay believes, is the way in which Microsoft Exchange is set up.

"When emails are synced to your phone you accept the conditions via an initial prompt," Hannay said.

"Thereafter, whenever the server sends updates or amendments to the phone they are accepted without awareness or permission from the user."
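The trust relationship Hannay describes, modelled as an added example (this is not code from the article or from the ECU research): the device is prompted once, at enrolment, and thereafter honours whatever the host it reaches says, including a remote wipe. The message shapes below are a constructed simplification of the Exchange ActiveSync Provision flow (the real protocol is WBXML over HTTPS); the `Server` and `Device` classes, the certificate byte strings and the pin-on-enrolment check are all assumptions made for illustration, not a description of what any particular phone does or of the researchers' method.

```python
"""Simplified model of the Exchange ActiveSync (EAS) provisioning trust relationship.

Added example, not code from the article or from the ECU research. Message
shapes are a constructed simplification of the EAS Provision command; the
certificates are stand-in byte strings, and the pin-on-enrolment check is one
possible mitigation, labelled as an assumption.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

REMOTE_WIPE_REQUESTED = 140  # EAS common status code: client must re-provision


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a server certificate (DER bytes)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Server:
    """A host answering EAS requests. Real or rogue: from the messages alone
    the device cannot tell the two apart."""
    name: str
    cert_der: bytes            # constructed stand-in for a real certificate
    wipe_pending: bool = False
    next_key: int = 0

    def provision(self, req: dict) -> dict:
        # Two-phase Provision: key 0 -> policy + temporary key; ack -> final key.
        if self.wipe_pending:
            return {"Status": 1, "RemoteWipe": True}
        self.next_key += 1
        if req.get("PolicyKey", 0) == 0:
            return {"Status": 1, "PolicyKey": self.next_key,
                    "Policy": {"DevicePasswordEnabled": 1}}
        return {"Status": 1, "PolicyKey": self.next_key}

    def sync(self, req: dict) -> dict:
        if self.wipe_pending:
            return {"Status": REMOTE_WIPE_REQUESTED}
        return {"Status": 1, "Commands": []}


@dataclass
class Device:
    policy_key: int = 0
    pinned_fp: Optional[str] = None   # fingerprint of the server accepted at enrolment
    wiped: bool = False
    events: List[str] = field(default_factory=list)

    def enrol(self, server: Server, user_accepts: bool) -> bool:
        """Initial sync: the one point where the user sees a prompt."""
        resp = server.provision({"PolicyKey": 0})
        if not user_accepts:
            self.events.append("user declined policy")
            return False
        ack = server.provision({"PolicyKey": resp["PolicyKey"], "Status": 1})
        self.policy_key = ack["PolicyKey"]
        self.pinned_fp = cert_fingerprint(server.cert_der)   # assumed mitigation
        self.events.append(f"enrolled with {server.name}")
        return True

    def sync(self, server: Server, verify_pin: bool) -> str:
        """Routine sync. verify_pin=False honours whatever host it reached
        (the behaviour the article describes); verify_pin=True refuses
        policy commands from a host whose certificate was not pinned."""
        if verify_pin and cert_fingerprint(server.cert_der) != self.pinned_fp:
            self.events.append(f"refused {server.name}: certificate mismatch")
            return "refused"
        resp = server.sync({"PolicyKey": self.policy_key})
        if resp["Status"] == REMOTE_WIPE_REQUESTED:
            prov = server.provision({"PolicyKey": self.policy_key})
            if prov.get("RemoteWipe"):
                self.wiped = True   # no user prompt in this phase
                server.provision({"PolicyKey": self.policy_key,
                                  "RemoteWipe": {"Status": 1}})  # acknowledge
                self.events.append(f"wiped by {server.name}")
                return "wiped"
        return "ok"


def demo() -> dict:
    """Enrol two devices with the real server, then route both to an impostor."""
    legit = Server("mail.example.com", b"legit-cert-der")                 # constructed
    rogue = Server("attacker-in-the-middle", b"rogue-cert-der", wipe_pending=True)
    naive, pinned = Device(), Device()
    naive.enrol(legit, user_accepts=True)
    pinned.enrol(legit, user_accepts=True)
    return {
        "naive_legit": naive.sync(legit, verify_pin=False),
        "naive_rogue": naive.sync(rogue, verify_pin=False),
        "pinned_rogue": pinned.sync(rogue, verify_pin=True),
        "naive_wiped": naive.wiped,
        "pinned_wiped": pinned.wiped,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the asymmetry: nothing in the message exchange after enrolment proves which host the device is talking to, so a client that skips server authentication will execute a wipe from anyone who can sit in its path. The pin check is only one of several ways to bind the session to the enrolled server; proper TLS certificate validation against the organisation's CA achieves the same thing without trust-on-first-use.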

This research is only the start of further investigation into man-in-the-middle attacks that leverage Microsoft Exchange against poorly constructed smartphones.

"At the moment we have a lot of trust in the Microsoft Exchange server. We put faith in them to look after all our data," Hannay said.

"Initial findings show that the relationship is not as secure as first thought, putting many of us at risk of attack without even knowing.

"Manipulating the system was really simple to do, which is what I find most disturbing." 

The research is part of an ongoing investigation into the flawed relationship between servers and mobile devices, conducted by Hannay and the team at the secau Security Research Institute.
