Hackers do not miss an opportunity to create havoc in the lives of unsuspecting technology users, and when that opportunity arrives in the form of a vulnerability in widely deployed software, they have even more to rejoice about at our cost.

A disclosure concerning enterprise software giant SAP has once again left users in the lurch, wondering whether anything in the tech world can be called 100% safe. SAP's mobile device management product Afaria, used by over 6,300 companies worldwide, enrols mobile devices into the corporate network and is meant to protect them from threats. A critical authorization bypass vulnerability has been found in this system that could allow attackers to target the phones of high-level executives in an organization simply by sending a connection request (an SMS) to the Afaria servers. Once such a connection is accepted, the attacker effectively holds administrator status and can wipe the data on a targeted device, disable its Wi-Fi, lock it, and even learn the user's location.

Yes, this is indeed a scary situation, and companies that use this mobile device management system need to pay attention to the security and confidentiality of their devices and data. Here are the significant aspects of the SAP Afaria vulnerability:

  • An attacker can send a connection request to the Afaria server to obtain a transmitter ID
  • The attacker can also supply an arbitrary timestamp and present it as the time of the last admin session
  • After obtaining an executive's phone number (from business cards, websites or other means), the attacker can launch the attack by guessing the IMEI of the target's device
  • The IMEI is easy to guess because large corporations typically buy devices in bulk, and devices from one batch carry near-sequential serial numbers
  • Once the groundwork is done, the attacker can target mobile devices on any platform: Android, iOS, Windows Phone, BlackBerry and so on
  • Because the weakness is not specific to a device type or OS version, attacks can be launched against a wide range of systems and devices
  • What makes the vulnerability scarier is that an attack can be launched against hundreds of devices at once, and the data on all of them can be wiped in one go
  • A device that has been backed up has less to lose, but the sheer number of affected devices can slow the restore process considerably, even for a large corporation
  • Researchers at ERPScan identified the vulnerability while testing the security settings of SAP and Oracle business-critical ERP systems

Alexander Polyakov, CTO at ERPScan, put it this way: “Unfortunately, solutions intended to secure organizations often put them at risk. The MDM solution that manages all company mobile devices is an attractive target for hackers.” That sentence sums up the situation: many products designed to provide security end up exposing their users to more risk than anyone anticipated.

To protect themselves against this vulnerability, enterprises should install the security patches SAP released after the disclosure and review the security settings of the SAP Mobile Platform components to ensure nothing has been missed.