According to Citrix, new attacks on mobile devices are appearing that exploit weaknesses in how SMS (text messaging) is used to manage those devices. This is something businesses implementing Bring Your Own Device (BYOD) programs need to be aware of.

First there was “Stagefright”, an Android vulnerability that let an attacker run code on a device, and so reach its data, by sending a specially crafted MMS (multimedia message) that the device processed before the user ever opened it. More recently, another vulnerability has been discovered in a mobile device management (MDM) platform that has left thousands of customers at risk. The vulnerability lies in the signed SMS messages the management server sends to the device, both during enrolment and during day-to-day management of the device, including locking, unlocking and wiping.

In this scenario the signature is not secure: the device cannot tell a genuine management command from a forged one, which leaves the door open for impersonation of the management server and “Man in the Middle” (MITM) attacks. A signed command only protects the device if the device verifies the signature against a key that the attacker cannot reproduce. All an attacker needs is a transmitter ID, which the management server returns automatically to anyone who attempts to connect to it, and the phone number of the targeted device. This is a simplified description, but the attack is not difficult to carry out.

Kevin Binder from Citrix explained that the latest vulnerability doesn’t apply to clients using XenMobile, because it does not use SMS from the management server to manage the device. He also outlined that XenMobile has a new certificate pinning feature to mitigate the risk of MITM attacks: the software on the client side is pinned to the public key of the server during enrolment and will reject server connection requests if the server’s public key differs from the one pinned on the local client.
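To make the pinning behaviour concrete, here is an added example in Go of how a management client can pin the server’s public key at enrolment and refuse any later connection from a server presenting a different key. This is illustrative code written for this article, not XenMobile’s or Citrix’s implementation; the host name `mdm.example.invalid` is hypothetical and the two self-signed certificates are constructed in the program purely as test data (one standing in for the genuine server, one for an impersonator).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the base64 SHA-256 digest of the certificate's
// SubjectPublicKeyInfo. Pinning the public key (rather than the whole
// certificate) lets the server renew its certificate without re-enrolling
// every device, as long as the key pair stays the same.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinnedServer builds the check a pinned client runs on every
// connection. The returned function has the same signature as Go's
// tls.Config.VerifyPeerCertificate hook, so it can be plugged straight into
// a TLS client configuration. It looks only at the leaf certificate's public
// key and rejects the server unless that key matches the pin recorded at
// enrolment; a server with a perfectly valid certificate for the right name
// but a different key (a MITM with a rogue CA) is still rejected.
func verifyPinnedServer(pin string) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("server presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("cannot parse server certificate: %w", err)
		}
		if got := spkiPin(leaf); got != pin {
			return fmt.Errorf("public key pin mismatch: pinned %s, server presented %s", pin, got)
		}
		return nil
	}
}

// selfSignedCert fabricates a server certificate for the demonstration.
// This is constructed test data, not a real MDM server certificate.
func selfSignedCert(commonName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// pinDemo enrols against one server, then checks two later connections:
// the genuine server (same key) and an impersonator that has a certificate
// with the same name but its own key. It reports whether each was accepted.
func pinDemo() (genuineAccepted, impersonatorAccepted bool, err error) {
	const host = "mdm.example.invalid" // hypothetical management server
	genuine, err := selfSignedCert(host)
	if err != nil {
		return false, false, err
	}
	impersonator, err := selfSignedCert(host) // same name, different key pair
	if err != nil {
		return false, false, err
	}
	pin := spkiPin(genuine) // what the client records at enrolment
	verify := verifyPinnedServer(pin)
	genuineAccepted = verify([][]byte{genuine.Raw}, nil) == nil
	impersonatorAccepted = verify([][]byte{impersonator.Raw}, nil) == nil
	return genuineAccepted, impersonatorAccepted, nil
}

func main() {
	genuine, impersonator, err := pinDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine server accepted: %v, impersonator accepted: %v\n", genuine, impersonator)
}
```

In a real client the pin check runs in addition to, not instead of, normal certificate validation (chain, expiry, host name), and the pinned value must be stored where an attacker with access to the device cannot simply overwrite it. Pinning the SPKI hash rather than the certificate itself avoids locking devices out when the server’s certificate is routinely renewed with the same key; a planned key rotation still needs a pin update pushed over a connection that the old pin has already authenticated.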

Whilst Citrix XenMobile isn’t the only solution for mobility management, it is proving to be one of the more secure.

If you’re implementing a BYOD program, or otherwise allowing employees to use their own devices for work, contact us to better understand the available management solutions and how to mitigate the potential security risks.