SAP Mobile Platform Security: Introduction
Mobile devices are actively integrated into business processes. Companies have more and more business applications and mobile devices. Employees increasingly bring their own equipment to the workplace (BYOD policy – Bring Your Own Device) and gain access to critical corporate information.
SAP Mobile Platform (or SMP, formerly called Sybase Unwired Platform, or SUP) is a MEAP (Mobile Enterprise Application Platform) solution. SMP is used for monitoring and controlling applications which are installed on mobile phones and have access to business data. The main goal of SMP is providing business data to mobile devices with enterprise security. Platform capabilities allow users to work with data from SAP business applications using mobile applications both online and offline. This data can be accessed through all modern mobile devices. Android, Blackberry, iPhone / iPad and Windows / Windows Mobile devices are used by end users. Installed client applications are connected to SMP. These programs can be found on Play Market, Apple Store, or Windows Store.
SMP security service supports secure connections using SSL between app and server. Data on the device or in-transit can be encrypted using user supplied key. It supports authentication, authorization, access control to various apps and roles, single-sign-on, security audit logging etc. to provide an end to end security from device to the platform.
In order to further secure the access, Mobile Device Management software should be used. All of the security functionality from device to SMP such as SSL, authentication, authorization, and single-sign-on are provided along with the device management, app configurations, and device data security. SMP works with any MDM provider besides Afaria/Mobile Secure for mobile device management.
SMP is also a platform for development. This platform includes tools for rapid development of client applications for various platforms and much more, but let’s focus on risks first.
Risks associated with attacks on SAP Mobile Technology
Risks related to business applications usually include espionage, sabotage, and fraud. Some of the potential risks for SAP Mobile Platform if somebody finds vulnerabilities in this platform and exploits them are provided below:
- (ESPIONAGE/FRAUD). Unauthorized Access to business applications, such as ERP, CRM, BI, by hacking SAP Mobile platform. SMP can be considered a “proxy” for access to business systems. Usually, mobile devices and mobile applications, especially from 3rd parties, are for security reasons not allowed to connect directly to ERP but use SMP instead. If a cybercriminal is able to get access to SMP, they will be able to get almost direct access to mission-critical systems inside the company, such as ERP, SCM, BI, and others.
- (ESPIONAGE). Access to critical data stored on mobile devices, such as personal data (SSN), personal healthcare data (PHI), credit card data (PCI). Unauthorized access to this data can turn into a data breach if somebody exploits this vulnerability against multiple mobile devices, or into a targeted attack against high-level executives from commerce, government, or military.
- (SABOTAGE/FRAUD). Modification of critical data stored or presented on mobile devices. Some vulnerabilities may allow changing critical data stored on a mobile device, or show fake data by means of a Man-in-the-Middle attack. Imagine what will happen if a nurse sees the wrong results, executives get modified information about financial results from a BI system, warehouse logistics employees will be informed about the lack of goods in stock, and many other examples.
- (SABOTAGE). Denial of Service attacks on SAP Mobile Infrastructure. Imagine that nobody will be able to connect to the latest business data via a mobile device. This risk is especially critical due to the reason that mobile access is mostly used by C-level executives to analyze the latest dashboards. Also, mobile devices can be used in a warehouse, so the entire supply chain can be deactivated with a simple DoS attack.
Vulnerabilities identified by ERPScan researchers:
Now let’s see how real the listed risks are and if there are vulnerabilities which can be exploited to prove that those risks exist. We found multiple vulnerabilities in SAP Mobile Technology including SAP Mobile Platform, SAP Mobile Applications, and SAP Afaria MDM. We will now show 4 of them, which were recently patched by SAP. Each of them is associated with a particular risk described in the previous section. The first two vulnerabilities are server-side and the last two are client-side.
- Sabotage attack example. SAP Mobile Platform uses Sybase SQL Anywhere as the database. An attacker can use a special request to crash the Sybase SQL Anywhere database server resulting in a denial of service.
Advisory
Vulnerability reported: 09.12.2014
Vendor response: 10.12.2014
Date of Public Advisory: 15.03.2015
Defense: SAP Note 2108161 - Vulnerability in SAP Mobile Platform Portal page. An XXE (XML External Entity) vulnerability allows multiple attack vectors. First of all, XXE can be used for a Denial of Service attack on Portal, which would make impossible all interactions between mobile devices and ERP system or any other mission-critical application. Secondly, it is possible to get access to the file system and potentially get full control over the server. Sometimes, access to business systems is provided to 3rd parties or subcontractors only via SAP Mobile, so they can use this XXE vulnerability to obtain broader and direct access to ERPs or other mission-critical systems. Then they may proceed to espionage, sabotage, and fraud attacks against SAP ERP using vulnerabilities in SAP ERP, and there are plenty of them there according to our report.
Advisory
Vulnerability reported: 29.12.2014
Vendor response: 30.12.2014
Date of Public Advisory: 15.03.2015
Defense: SAP Note 2125513 - Espionage attack example. Critical healthcare information disclosures in the SAP EMR Unwired application for Android. Google store indicates that the number of installations is 1000-5000. SAP EMR Unwired allows doctors and nurses to get up-to-date information of all patients, including findings and charts, view X-ray and CT images (non-diagnostic quality images), clinical orders, risk factors, demographics, lab results, patients’ latest vital signs, progress notes, DRG, diagnoses, procedure codes, etc. The app connects to clinical back-end systems, including hospital information and imaging systems (PACS), and displays the patient’s data in a clear and easy-to-read format on the Android device (information from the app description in Android store). An unauthorized access vulnerability in the mobile application allows attackers to get access to short-lived temporary documents. To exploit this kind of vulnerability, you need to upload a malicious app to the victim’s phone. Normally, you can’t get access to an application from another one without a local privilege escalation exploit.
Advisory
Vulnerability reported: 20.04.2013
Vendor response: 21.04.2013
Date of Public Advisory: 16.11.2013
Defense: SAP Note 1864518 - Sabotage/Espionage. Vulnerability in the SAP EMR Unwired application for Android. It is possible to reconfigure this application so that it will connect to a malicious server. The threat exists only if the user confirms the settings changes, but the attacker can show this confirmation window infinitely until they click OK. Thus, it will be possible to send fake medical data into the mobile application so nurses will receive wrong information about the patient’s health and assign the wrong course of treatment. This can lead to unpredictable damage for patients.
Advisory
Vulnerability reported: 20.04.2013
Vendor response: 21.04.2013
Date of Public Advisory: 15.02.2015
Defense: SAP Note 2117079
Comments