SAP Afaria: how to wipe mobile devices clean with one text message

In the previous blog entry, we described how to exploit an XSS vulnerability in SAP Afaria. Today’s post is dedicated to another security issue affecting Afaria.


Control via SMS

As you know, Afaria allows a system administrator to control a device remotely. One way the administrator can manage devices is by text message. This feature is rather useful. Just imagine: an employee has left his mobile phone, with all the trade secrets on it, in a bar after a corporate party. To prevent data leakage, the administrator sends a special command to lock the lost device.

Examples of administrative SMS commands:

Obviously, this functionality is very powerful. To prevent staff mobile phones from being locked whenever one receives a message like «LOCKDEVICE», authentication is in place. To learn how it works, let's look at the message format used in SAP Afaria.

For example, a text message to block a user looks like this:


It consists of several parts:
1) @#!Afaria — a signature indicating that this is not just a message from his mom, but an administrative command;
2) 64aACAhntVzjTIjhHDMGql8ldvc/8U6IlIoPU7aAOT8= — a base64-encoded authentication string;
3) $\$CMD: — a signature indicating that a command name comes next;
4) USERLOCK — the command that will run on the device if the authentication succeeds.

The authentication is the most interesting part for hackers. The authentication string is a SHA-256 hash computed over the following values:


At first sight, it looks rather secure. To authenticate, one needs to know the session, client, and server IDs. So, the text message looks like this:


But don’t give up too soon. Here is how the client works:

SAP Afaria authentication

If you look closer, you will notice that the client compares the received value against two hashes, not one. The first is computed over all three parameters (the IDs of the session, client, and server); the second is computed over only two (the client ID twice and the server ID). It turns out that you don't need to know the session ID at all, and this makes an authentication bypass possible.
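To make the design flaw concrete from a reviewer's point of view, here is an added illustration (not code from the original post or from SAP): a verifier that mirrors the behaviour described above, accepting either the session-bound digest or a fallback that omits the session ID, beside a hardened verifier that accepts a single keyed form and compares in constant time. The concatenation layout, the `|` separator, the space-separated SMS layout, the `KEY` secret and all sample IDs are assumptions, since the page does not reproduce the exact hash input; only the four message parts listed above are taken from the page.

```python
import base64
import hashlib
import hmac

# Constructed sample identifiers; not real Afaria values.
SESSION_ID = "session-7f3a"
CLIENT_ID = "client-0042"
TRANSMITTER_ID = "server-01"
# Assumed server-side secret for the hardened variant.
KEY = b"constructed-demo-key"


def digest_of(*parts: str) -> str:
    """Base64 of SHA-256 over the joined parts (assumed layout)."""
    raw = "|".join(parts).encode()
    return base64.b64encode(hashlib.sha256(raw).digest()).decode()


def parse_command(sms: str):
    """Split an administrative SMS into (auth, command).
    Assumed layout: '@#!Afaria <auth> $CMD:<command>'."""
    prefix = "@#!Afaria "
    if not sms.startswith(prefix):
        return None
    auth, sep, command = sms[len(prefix):].partition(" $CMD:")
    if not sep or not auth or not command:
        return None
    return auth, command


def weak_verify(auth, session_id, client_id, transmitter_id) -> bool:
    """Mirrors the client behaviour described in the post: either the
    session-bound digest or the fallback (client ID twice + server ID) is
    accepted. The fallback carries no per-session secret."""
    full = digest_of(session_id, client_id, transmitter_id)
    fallback = digest_of(client_id, client_id, transmitter_id)
    return auth == full or auth == fallback


def make_hardened_auth(session_id, client_id, transmitter_id, key: bytes) -> str:
    """Single accepted form: HMAC-SHA256 over all three IDs with a server secret."""
    msg = "|".join([session_id, client_id, transmitter_id]).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def hardened_verify(auth, session_id, client_id, transmitter_id, key: bytes) -> bool:
    """No fallback form, and a constant-time comparison."""
    expected = make_hardened_auth(session_id, client_id, transmitter_id, key)
    return hmac.compare_digest(auth, expected)


def session_binding_check():
    """Audit check: does a verifier accept an auth string built without the
    session ID? Returns (command, weak_accepts, hardened_accepts)."""
    no_session_auth = digest_of(CLIENT_ID, CLIENT_ID, TRANSMITTER_ID)
    sms = f"@#!Afaria {no_session_auth} $CMD:USERLOCK"
    auth, command = parse_command(sms)
    weak = weak_verify(auth, SESSION_ID, CLIENT_ID, TRANSMITTER_ID)
    hard = hardened_verify(auth, SESSION_ID, CLIENT_ID, TRANSMITTER_ID, KEY)
    return command, weak, hard


if __name__ == "__main__":
    print(session_binding_check())
```

The check returns `("USERLOCK", True, False)`: the weak verifier runs the command for a message that never knew the session ID, the hardened one refuses it. The lesson is not the hash function but the acceptance policy: any fallback that omits the unpredictable value turns the scheme into one keyed only by identifiers an outsider can learn.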

So, what about ClientID and TransmitterID? TransmitterID can be obtained anonymously by sending a connection request to the Afaria server, since the server returns the value in its response. Hackers therefore only need to obtain the ClientID to perform the attack.

Analysis of the Afaria binaries showed that ClientID is derived from the IMEI (International Mobile Equipment Identity). The only things a hacker needs to target a device are its phone number and IMEI.

How can one obtain the IMEI? That is a separate task. Here are several ways to resolve it:

  • Brute force. It makes sense because corporations often purchase phones in bulk, so the IMEI numbers are sequential: if you know one IMEI, it is pretty easy to guess all the IMEIs for phones belonging to that company;
  • Traffic interception. One can sniff traffic transmitted by third-party applications over insecure protocols. For example, map services send both phone and base station information to their servers;
  • Vulnerabilities in Afaria. For instance, the XSS described in the previous blog post;
  • A number of different IMEI catchers and fake base stations (BTS).

It is recommended to install SAP Note 2155690 to fix this issue.

You should not rely on security solutions completely and think of them as a panacea just because they are supposed to have been written by more skilled programmers. Sometimes these products only make the situation worse and give hackers one more entry point into your system.

© 2020 Created by CISO Platform.