iOS Devices Vulnerable to MITM Through ShoreTel App SSL Certificate Flaw


Published: January 26, 2017

Rob Scott


Publisher

Concern has arisen recently over the ShoreTel Mobility Client app for iOS, after research revealed that the application does not properly validate the SSL certificates presented by HTTPS connections. This certificate flaw leaves iOS users exposed to man-in-the-middle (MITM) attacks, according to advisories issued by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute.

MITM attacks pose a significant threat to online security because they give the attacker the opportunity to read and manipulate sensitive information in real time. They resemble eavesdropping, but the attacker can often control the entire conversation rather than merely listen to it; this is sometimes referred to as a hijacking attack.

The ShoreTel iOS App Flaw

The vulnerability has been assigned CVE-2016-6562 and affects version 9.1.2.101 and all earlier versions of the Mobility Client, which enterprises use to extend desk phone services and UC capabilities such as cellular and video calling and VoIP to iOS devices. According to the CERT advisory, an attacker on the same network as the iOS device's user could potentially view or modify network traffic that should otherwise have been protected by HTTPS. The vulnerability could therefore expose sensitive information from various accounts, including login details.

On iOS devices specifically, previous versions of the ShoreTel Mobility app failed to properly validate SSL certificates, which allowed an attacker positioned on the network to perform MITM attacks. A separate advisory noted that ShoreTel, based in Sunnyvale, California, was informed of the issue on October 17th, 2016, and began working on the problem immediately. Security researcher David Coomber was credited with discovering the flaw.
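The advisory does not say how the app's validation failed. The Swift below is an added illustration, not ShoreTel's code: the first delegate shows the most common way an iOS client ends up accepting any certificate, and the second shows the corrected handling (the `host` and the optional `pinnedKeySHA256` value are hypothetical parameters supplied by the caller).

```swift
import Foundation
import Security
import CryptoKit

// WEAK: accepts whatever certificate the server presents. Any on-path party can
// terminate TLS with its own certificate and the app will never notice.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard let trust = challenge.protectionSpace.serverTrust else {
            return completionHandler(.performDefaultHandling, nil)
        }
        // No SecTrustEvaluate call: self-signed, expired and wrong-host certificates all pass.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// CORRECTED: the chain must validate against the system roots for the expected host,
// and an optional public-key pin narrows it further. Not overriding this delegate at
// all gives the same chain and hostname checks (without the pin).
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    private let host: String
    private let pinnedKeySHA256: Data?   // hypothetical pin: SHA-256 of the leaf's external key bytes
    init(host: String, pinnedKeySHA256: Data? = nil) {
        self.host = host
        self.pinnedKeySHA256 = pinnedKeySHA256
    }
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            return completionHandler(.performDefaultHandling, nil)
        }
        // Require a trusted chain AND a hostname match; cancel the connection otherwise.
        SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, host as CFString))
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            return completionHandler(.cancelAuthenticationChallenge, nil)
        }
        if let pin = pinnedKeySHA256 {
            // SecKeyCopyExternalRepresentation yields the raw key (PKCS#1 for RSA, X9.63 for EC),
            // so the pin is computed over those bytes, not over the full SPKI DER.
            guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
                  let key = SecCertificateCopyKey(leaf),
                  let raw = SecKeyCopyExternalRepresentation(key, nil) as Data?,
                  Data(SHA256.hash(data: raw)) == pin else {
                return completionHandler(.cancelAuthenticationChallenge, nil)
            }
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

A quick check for this class of bug in an app under review is to proxy its HTTPS traffic through a locally issued, untrusted certificate: a correctly validating client refuses the connection, while a client built like the first delegate proceeds silently.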

On January 6th, 2017, ShoreTel announced that the Mobility Client for iOS had been fixed. The validation issue has been resolved in the new build, version 9.1.3.109. The update is now available in the Google Play Store and the Apple App Store.

ShoreTel Mobility Client app for iOS

About ShoreTel

ShoreTel is one of the most significant providers of premises-based, cloud, and hybrid unified communications and business telephony solutions in the market today. The company has won numerous awards for its innovative communication solutions and dedicates itself to customer satisfaction. Its product portfolio ranges from business phones to collaboration tools, application integration, contact centre applications, and mobility solutions.
