Usually, smartphone users don't have to worry about being hacked. But new research from ECU's Security Research Center, conducted by Peter Hannay, has found that users who check their email remotely may face a whole new threat from hackers that they hadn't previously recognized. Thanks to some unusual weaknesses in the email hosting technology, checking messages on a smartphone could be an open invitation to hackers.
Hannay's research has discovered that for hackers, getting access to a user's emails is about as easy as impersonating a Microsoft Exchange server. A Microsoft Exchange server not only performs email hosting duties but also brings in calendar and contact functions, putting them all into one readily available system. Since Microsoft Exchange demands a large amount of control over the device, including passwords, remote lock out and remote wipe capability, pretending to be a Microsoft Exchange server is a free pass into a user's phone.
Through a series of tests at the research facility, Hannay managed to create what was called a "man-in-the-middle" setup that would allow him to fool a phone into believing he was a Microsoft Exchange server, thus giving him the kind of incredible access level that a standard Microsoft Exchange server allows. That included the ability to not only access the data found on the phone, but also remotely wipe it clean.
He believes that the inherent problem in the system is a matter of how Microsoft Exchange is set up: users must accept the conditions of Microsoft Exchange access at an initial prompt before they can even get their emails. So when the server sends updates, it already has the permission necessary to deliver and install them, and the user doesn't get so much as a notification. This allows impersonators to slip in, take control of that incredible amount of trust being put into a Microsoft Exchange server, and raise all sorts of havoc.
Perhaps worst of all, Hannay's research found that not only was the relationship between Microsoft Exchange and the standard smartphone user not particularly secure, but performing the necessary tasks to "manipulate the system" was also particularly easy.
Needless to say, this should have some email users very concerned indeed. Users count on their email hosting systems to be secure—this is the whole point of selecting powerful passwords and changing them regularly—but when the whole thing can be swamped by someone pretending to be a server, it calls the whole product into question.
Email hosting needs to be secure above just about all else except maybe the user experience itself, and any evidence to the contrary is disconcerting to say the least. Hopefully, Microsoft has a few changes in mind as a result of Hannay's research and will at least be publicly discussing his research soon.
Edited by Jamie Epstein