New Security Threat to Enterprise Smartphones and Tablets?

By Jessica Binns, Contributing Editor — June 29, 2012

Researchers at Certified Security Solutions, Inc. (CSS), an information security company, have uncovered a potentially serious security threat involving the use of the Simple Certificate Enrollment Protocol (SCEP) in conjunction with mobile devices. Enterprises that rely on SCEP to issue digital certificates to mobile devices may be subject to a privilege escalation attack.

The problem is not caused by an implementation error in a single product, or by an issue with the SCEP protocol itself, but rather by a combination of features, configurations, and use cases that, together, open up a previously unforeseen avenue of attack. Mobile device management (MDM) platforms that leverage SCEP to issue certificates for authentication into enterprise systems such as Wi-Fi, VPN, or ActiveSync are among the most critically affected scenarios.

Certified Security Solutions has been working for several weeks with US-CERT and CERT/CC at Carnegie Mellon to facilitate notifications and information disclosure through the proper channels. The official US-CERT vulnerability report can be found here.

"We strongly encourage every organization that uses SCEP or a Mobile Device Management system along with an enterprise Public Key Infrastructure to take a deeper look to see whether they're affected and at risk," said Ted Shorter, CSS' chief technology officer. "We've set up an area on our website that takes a deeper dive into explaining the vulnerability, and the steps for enterprises to protect themselves."

Visit this informational portal online at www.css-security.com/scep.

