What if, instead of wiping a stolen device clean with your trusted remote mobile management tool, you discover one day that the tables have been turned and it is your own phone that has been wiped clean of all the data stored on it?
This is the risk facing CEOs and company executives who use SAP’s Afaria remote management app. Thousands of high-level executives currently manage the mobile devices used by their employees through Afaria.
But a critical security vulnerability in the app, discovered by researchers at ERPScan, allows hackers to erase the data on a mobile phone, and even to steal data and locate the executive’s position.
Afaria lets system administrators send a signed text message from the Afaria server whenever a handset needs to be wiped clean, unlocked, locked against its user, or have some of its features disabled. That same signature, relied on by business leaders, was found to contain a security flaw that allows attackers to take it over and wipe the executive’s phone instead.
The signature relies on the mobile device’s IMEI, the transmitter identification and the LastAdminSession value, which records the most recent time the device connected to the Afaria server. The IMEI and the user’s phone number are all that is needed to perform the hack.
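The design weakness described above, illustrated with a constructed model (added here; this is not Afaria’s real protocol or message format): a tag computed only from attributes an outsider can learn, such as the IMEI, phone number and LastAdminSession, can be recomputed by anyone who knows them, whereas an HMAC keyed with a per-device secret held only by the server and the enrolled device cannot. The field layout, the `WIPE`/`UNLOCK` command strings and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model of command authentication, NOT SAP Afaria's actual protocol.
# Field names mirror the article; message layout and command strings are assumptions.

def _message(imei: str, phone: str, last_admin_session: str, command: str) -> bytes:
    # Length-prefixed fields so that no two different field sets serialize identically.
    parts = [imei, phone, last_admin_session, command]
    return b"".join(f"{len(p)}:{p};".encode() for p in parts)

def weak_tag(imei: str, phone: str, last_admin_session: str, command: str) -> str:
    """Unkeyed digest over device attributes: anyone who knows them can recompute it."""
    return hashlib.sha256(_message(imei, phone, last_admin_session, command)).hexdigest()

def strong_tag(device_secret: bytes, imei: str, phone: str,
               last_admin_session: str, command: str) -> str:
    """HMAC over the same fields with a per-device secret shared only by server and device."""
    msg = _message(imei, phone, last_admin_session, command)
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()

def device_accepts(expected_tag: str, received_tag: str) -> bool:
    """Constant-time comparison so the check does not leak timing information."""
    return hmac.compare_digest(expected_tag, received_tag)

def demo() -> dict:
    # Constructed sample values; in this model the secret is issued at device enrolment.
    imei, phone, session = "490154203237518", "+15555550100", "2015-05-20T10:00:00Z"
    device_secret = secrets.token_bytes(32)
    cmd = "WIPE"

    # Tags the legitimate server would attach to a wipe command under each scheme.
    genuine_weak = weak_tag(imei, phone, session, cmd)
    genuine_strong = strong_tag(device_secret, imei, phone, session, cmd)

    # What a third party who knows only the public attributes (no device_secret) obtains.
    outsider_weak = weak_tag(imei, phone, session, cmd)
    outsider_strong = strong_tag(b"not the real secret", imei, phone, session, cmd)

    # A valid strong tag for one command is not valid for a different command.
    other_cmd = strong_tag(device_secret, imei, phone, session, "UNLOCK")

    return {
        "weak_scheme_recomputable_without_secret": device_accepts(genuine_weak, outsider_weak),
        "strong_scheme_recomputable_without_secret": device_accepts(genuine_strong, outsider_strong),
        "strong_scheme_detects_changed_command": not device_accepts(genuine_strong, other_cmd),
    }
```

Running `demo()` shows the weak scheme accepting the outsider’s tag while the keyed scheme rejects both the outsider’s tag and a tag lifted from a different command.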
It is hard to believe SAP could fall prey to this kind of vulnerability, given the size of the company and the scope of its market. Afaria is among the top remote management products used by CEOs and C-suite executives. More than a hundred million mobile devices are exposed to the vulnerability, and not on a single mobile operating system but on all of them: Windows Phone, iOS, Android and BlackBerry.
A fix for the vulnerability is already available to Afaria users. But some security analysts believe other vulnerabilities in SAP systems may exist and could go undetected for months or even years. The main barrier to applying a security patch is its impact on operations, which sometimes discourages businesses from installing SAP’s updates.
ERPScan also detected another vulnerability in the Afaria system, involving hard-coded encryption keys and cross-site scripting, which attackers can exploit to introduce malicious code into the Afaria administrative console.
Having your phone wiped clean need not be a problem, especially if you have data backup software in place.