Talk at HITB GSEC 2015: “SAP Afaria. One SMS to hack a company”
Have you ever wondered how to get at the crucial data stored on the mobile phone of a Fortune 2000 CEO? Today an unprecedented number of mobile devices are integrated into the core business processes of companies, and top executives use those devices to manage the business remotely. The level of access matters as well: even where mobile access for a typical mid-level employee is restricted or limited, a CEO can do everything.
There are more and more business applications and an ever-growing number of mobile devices out there. The “mobilization” of enterprises brings with it the integration and security problems that come with connecting these devices to the back end.
There have been many talks on mobile security, but nothing of substance has been presented on the SAP Mobile ecosystem before. These systems reach the most essential functions of a large enterprise, which in turn usually runs a plethora of business systems and a heterogeneous fleet of devices. Information has to move between them quickly and safely.
SAP’s best-known products are its ERP, CRM and BW applications, deployed in almost every company on the Forbes Global 2000 list. Vulnerabilities in the various SAP platforms are already widely discussed; the new scenario means that SAP’s mobile infrastructure now deserves the same close attention.
This talk reviews SAP’s MDM (Mobile Device Management) solution, Afaria, and shows that an attacker does not need to know much to compromise the data on an enterprise CEO’s phone. MDM technology is supposed to solve some of the problems of controlling data on mobile devices. But how secure are the systems that are designed to secure critical data?
We found many vulnerabilities of the kind typical for enterprise systems, but also a few logic flaws specific to this platform. See how many SMS messages it takes to stop a large business. These findings were scheduled for presentation at the Black Hat Asia security conference in March, but the talk was withdrawn in accordance with SAP’s disclosure guidelines.