Singapore – March 26-27, 2015 Vahagn Vardanyan & Dmitry Chastuhin from ERPScan Research team delivered a presentation called “Attacking SAP Mobile” at BlackHat Asia 2015.
Have you ever thought how to get access to the most influential data stored on a Fortune 2000 CEOs mobile phone and rule the world? Today, we are witnessing an unprecedented number of Mobile devices being integrated into core business processes of companies and actively being accessed by top executives to manage them remotely. Another aspect is the level of access, even if mobile access for a typical middle-level employee is restricted or limited, CEOs can do everything! There are more and more business applications and an increasing number of mobile devices out there. The “mobilization” of enterprises also forces the advent of evils associated with integration and security. You might have heard many talks regarding mobile security but there has never been anything significant spoken on an SAP Mobile ecosystem before. These systems access most essential functions of a large enterprise, which in turn often deploy a plethora of business systems and heterogeneous fleet of devices. Essentially, information needs to be transmitted quickly and safely. The SAP’s best-known software products are its enterprise resource planning, CRM and BW applications that are deployed in almost all companies in the Forbes Global 2000 list. You already hear a lot about vulnerabilities in different SAP’s platforms and now the new emerging scenario dictates that even their Mobile infrastructure needs close attention. It consists of multiple systems such as SAP Mobile Platform (formerly Sybase Unwired Platform) also SAP Afaria MDM solution, Sybase SQL Anywhere Database, and hundreds of SAP’s mobile applications. They even have their own store for mobile apps that can be developed by third parties. This talk was an attempt to highlight how one can hack SAP Mobile. In this popular platform, we have discovered a lot of typical vulnerabilities – XSS, XXE, hardcoded static encryption keys, and vulnerabilities that are specific to this platform – logic vulnerabilities and privilege escalations. As a result, after compromising the SAP Mobile platform, we demonstrated how to get access to compromised mobile phones. As part of a contribution to the EAS-SEC.org project, the whitepaper on how to assess security of the SAP Mobile platform will also be released.
Black Hat is returning back to Asia again in 2015, having quite an event in store. The brightest professionals and researchers in the industry will come together for a total of four days–two days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures at Briefings section.
More about event via this link