Smartphone users at risk of phone hacking
Smartphone users who remotely check their emails are at risk of online hackers gaining access to their devices, ECU researcher Peter Hannay has found.
Hannay’s new research has found a way to hack into people’s smartphones by impersonating a Microsoft Exchange server, gaining access to their private information or completely wiping the data from their phone.
A Microsoft Exchange Server is used on many smartphones to check emails. It is the mail server for Microsoft Windows which combines email, calendars and contacts into one system.
"Microsoft Exchange has an interesting relationship with its clients - it demands control over mobile devices through passwords, remote lock out and remote wipe functionality. People hand over the control of their phones to the server, which can then be easily hacked," Hannay said.
Conducting a series of tests at ECU’s secau Security Research Institute, Hannay was able to impersonate a Microsoft Exchange server, acting as a makeshift man-in-the-middle.
Using the makeshift server, he manipulated the relationship between smartphones and Microsoft Exchange, hacking into a phone, gaining access to private information and deleting all data.
The flaw, Hannay believes, is the way in which Microsoft Exchange is set up.
"When emails are synced to your phone you accept the conditions via an initial prompt," Hannay said.
"Thereafter, whenever the server sends updates or amendments to the phone they are accepted without awareness or permission from the user."
This research is only the start of further investigation into man-in-the-middle attacks, leveraging Microsoft Exchange against poorly constructed smartphones.
"At the moment we have a lot of trust in the Microsoft Exchange server. We put faith in them to look after all our data," Hannay said.
"Initial findings show that the relationship is not as secure as first thought, putting many of us at risk of attack without even knowing.
"Manipulating the system was really simple to do, which is what I find most disturbing."
The research is part of an ongoing investigation into the flawed relationship between servers and mobile devices, conducted by Hannay and the team at the secau Security Research Institute.