Remote management systems for mobile phones are supposed to make it easy for companies to wipe a device clean if it gets lost or stolen. But a vulnerability discovered in a popular remote management system used by thousands of businesses to manage employee mobile phones would allow an attacker to wipe a CEO’s phone clean, steal the phone’s activity log, or determine the executive’s location, researchers say.

The Hack

The hack involves an authentication bypass vulnerability in SAP AG’s Afaria mobile management system used by more than 6,300 companies. Ordinarily, system administrators send a signed SMS from an Afaria server to lock or unlock a phone, wipe it, request an activity log, block the user, disable the Wi-Fi or obtain location data. But researchers at ERPScan found that the signature is not secure.

The signature uses a SHA256 hash composed from three different values: the mobile device ID, or IMEI; a transmitter ID, and a LastAdminSession value. An attacker can easily obtain the transmitter ID simply by sending a connection request to the Afaria server over the Internet, and the LastAdminSession—a timestamp indicating the last time the phone communicated with the Afaria server—can be a random timestamp. The only thing the hacker needs to direct the attack, then, is someone’s phone number and IMEI, or International Mobile Station Equipment Identity. Phone numbers can be obtained from web sites or business cards, and an attacker can determine the IMEI number of devices by sniffing phone traffic at a conference or outside a company’s office, using a home-made stingray-like device. Since IMEI numbers are often sequential for corporations who purchase phones in bulk, it’s possible for an attacker to guess the IMEI’s for other phones belonging to a company simply by knowing one.

Who’s Affected?

Because the vulnerability is in the management system, not a phone’s operating system, it affects all mobile operating systems used with the Afaria server—Windows Phone, Android, iOS, BlackBerry and others. Afaria is considered one of the top mobile device management platforms on the market, and ERPScan estimates that more than 130 million phones would be affected by the vulnerability. The ERPScan researchers presented their findings last week at the Hacker Halted conference in Atlanta, but say many companies who use the Afaria system did not get the message.

SAP AG, a German-based company, has issued a patch for the vulnerability, but Alexander Polyakov, CTO of ERPScan, says his company, which specializes in Systems Applications and Product security, often finds businesses with years-old vulnerabilities unpatched in their SAP systems.

“The administrators usually don’t apply patches especially with SAP [systems] because it can affect usability,” he notes. “So what we see in the real environment is, we see vulnerabilities that were published three years ago but are still in the system [unpatched]. They really need to implement these patches.”

How Severe Is This?

The vulnerability is somewhat similar to the recent Stagefright security hole that hit Android in that both attacks involve sending a text message to a phone. But Stagefright, which would allow an attacker to execute remote code on a phone to steal data from it, affects only Android phones, whereas the SAP Afaria vulnerability affects a broader range of mobile phones and devices. Although wiping data from a phone isn’t catastrophic—if there is a backup from which the phone can be restored—not all employees and businesses back up phone data. And even if phones are backed up, it can take days to restore them if an attacker wipes numerous phones at a company.

The authorization bypass vulnerability wasn’t the only flaw ERPScan researchers discovered in the SAP Afaria system. They also found hard-coded encryption keys as well as a cross-site scripting vulnerability that would allow an attacker to inject malicious code into the Afaria administrative console and potentially use it to deliver malware to employee phones. SAP has patched this flaw as well.