CVE-2020-35138
📋 TL;DR
MobileIron MDM agents for Android and iOS contain a hardcoded encryption key used to encrypt authentication credentials. This allows attackers to decrypt intercepted authentication traffic and potentially compromise user accounts. All organizations using MobileIron MDM agents through March 2021 are affected.
💻 Affected Systems
- MobileIron Mobile@Work (com.mobileiron)
- MobileIron MDM agents
📦 What is this software?
Mobile@Work by MobileIron
⚠️ Risk & Real-World Impact
Worst Case
Attackers decrypt authentication traffic, compromise admin accounts, take over MDM infrastructure, and deploy malicious configurations to all managed devices.
Likely Case
Attackers intercept authentication traffic, decrypt credentials, and gain unauthorized access to user accounts and sensitive corporate data.
If Mitigated
With proper network segmentation and monitoring, impact is limited to credential exposure requiring password resets.
🎯 Exploit Status
RustyIron tool available on GitHub demonstrates exploitation. Requires network access to intercept authentication traffic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2021-03-22
Vendor Advisory: https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research
Restart Required: Yes
Instructions:
1. Update MobileIron MDM agents to a version released after March 22, 2021.
2. Update the Mobile@Work app from the official app stores.
3. Restart devices to apply the updates.
🔧 Temporary Workarounds
Network Segmentation
Isolate MDM traffic to prevent interception
VPN Enforcement
Require VPN for all MDM agent communications
🧯 If You Can't Patch
- Implement certificate pinning for MDM communications
- Monitor network traffic for unusual authentication patterns
🔍 How to Verify
Check if Vulnerable:
Check Mobile@Work app version in device settings. Versions before March 2021 are vulnerable.
Check Version:
On Android: adb shell dumpsys package com.mobileiron | grep versionName
Verify Fix Applied:
Verify app version is after March 2021 and check that authentication traffic uses dynamic encryption.
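The adb command above prints the whole package record; the following helper, an added example that is not code from the advisory, Ivanti/MobileIron or Optiv, pulls out versionName and lastUpdateTime and flags installs whose last update is not after the advisory's fix date (2021-03-22). The dumpsys excerpts and the version strings in it are constructed placeholders, not real releases.

```shell
#!/bin/sh
# Added example for the "How to Verify" step; not code from the advisory,
# Ivanti/MobileIron or Optiv. It parses the output of
# `adb shell dumpsys package com.mobileiron` and flags installs whose last
# update is not after the advisory's fix date (2021-03-22).
# Caveat: lastUpdateTime is when the APK was last installed on the device,
# not when the build was released, so confirm versionName against the
# vendor's release notes before closing the finding.

PACKAGE="com.mobileiron"
FIX_DATE="2021-03-22"   # from the advisory ("Versions after 2021-03-22")

# Extract "<versionName> <YYYY-MM-DD of lastUpdateTime>" from dumpsys text on stdin.
extract_fields() {
    awk '
        /versionName=/    { sub(/.*versionName=/, "");    v = $1 }
        /lastUpdateTime=/ { sub(/.*lastUpdateTime=/, ""); d = $1 }
        END { printf "%s %s\n", (v != "" ? v : "unknown"), (d != "" ? d : "unknown") }
    '
}

# 0 = date is after FIX_DATE, 1 = on/before it, 2 = not a YYYY-MM-DD date.
updated_after_fix() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are removed.
    [ "$(printf '%s' "$1" | sed 's/-//g')" -gt "$(printf '%s' "$FIX_DATE" | sed 's/-//g')" ]
}

# Read dumpsys output on stdin and print a one-line verdict.
assess_dumpsys() {
    set -- $(extract_fields)
    version="$1"; updated="$2"
    if updated_after_fix "$updated"; then rc=0; else rc=$?; fi
    case "$rc" in
        0) echo "LIKELY_UPDATED version=$version lastUpdate=$updated" ;;
        1) echo "NEEDS_UPDATE version=$version lastUpdate=$updated" ;;
        *) echo "UNKNOWN version=$version lastUpdate=$updated" ;;
    esac
}

# Constructed dumpsys excerpts; the version strings are placeholders, not real releases.
SAMPLE_OLD='  Package [com.mobileiron] (1a2b3c4):
    versionName=X.Y.Z-OLD-CONSTRUCTED
    firstInstallTime=2020-11-02 09:14:51
    lastUpdateTime=2020-11-02 09:14:51'
SAMPLE_NEW='  Package [com.mobileiron] (1a2b3c4):
    versionName=X.Y.Z-NEW-CONSTRUCTED
    firstInstallTime=2020-11-02 09:14:51
    lastUpdateTime=2021-04-15 18:02:07'

if [ "${1:-}" = "--live" ]; then
    adb shell dumpsys package "$PACKAGE" | assess_dumpsys   # needs a connected device
else
    printf '%s\n' "$SAMPLE_OLD" | assess_dumpsys
    printf '%s\n' "$SAMPLE_NEW" | assess_dumpsys
fi
```

Run it with `--live` against a connected device to check the real install; without arguments it evaluates the two constructed samples. A LIKELY_UPDATED verdict only means the install date is past the fix date; the version name is still the authoritative check.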
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts from same source
- Unusual authentication patterns
Network Indicators:
- Intercepted encrypted authentication traffic with predictable patterns
- Traffic analysis showing static encryption patterns
SIEM Query:
source="mobileiron" AND (event_type="authentication" OR event_type="login") AND result="failure" | stats count by src_ip
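For environments where the logs are exported as text rather than indexed in a SIEM, the following helper is an added example (not code from the advisory or the vendor) that applies the same logic as the query above: count failed MobileIron authentication or login events per source IP and report sources at or above a threshold. The key=value log format and the events are constructed for the example.

```shell
#!/bin/sh
# Added example for the "Detection & Monitoring" section; not code from the
# advisory or the vendor. It applies the advisory's SIEM logic (failed
# MobileIron authentication/login events counted per source IP) to plain
# key=value log lines with awk. The log format and events are constructed.

# Print "src_ip count" for every source with at least $1 failures, sorted.
flag_failed_auth_sources() {
    awk -v thr="$1" '
        {
            # Parse key=value tokens on the line into kv[]
            for (k in kv) delete kv[k]
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n > 0) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
            }
            # Same filter as the SIEM query: mobileiron auth/login failures
            if (kv["source"] == "mobileiron" &&
                (kv["event_type"] == "authentication" || kv["event_type"] == "login") &&
                kv["result"] == "failure")
                cnt[kv["src_ip"]]++
        }
        END { for (ip in cnt) if (cnt[ip] >= thr) print ip, cnt[ip] }
    ' | sort
}

# Constructed sample: one source with three failures across different
# accounts (the enumeration pattern the advisory warns about), one stray
# failure, one success, and one event from another source.
SAMPLE_LOGS='2021-03-01T10:00:01Z source=mobileiron event_type=authentication result=failure src_ip=203.0.113.7 user=alice
2021-03-01T10:00:02Z source=mobileiron event_type=authentication result=failure src_ip=203.0.113.7 user=bob
2021-03-01T10:00:03Z source=mobileiron event_type=login result=failure src_ip=203.0.113.7 user=carol
2021-03-01T10:00:04Z source=mobileiron event_type=authentication result=success src_ip=203.0.113.7 user=dave
2021-03-01T10:00:05Z source=mobileiron event_type=login result=failure src_ip=198.51.100.9 user=erin
2021-03-01T10:00:06Z source=otherapp event_type=login result=failure src_ip=198.51.100.9 user=frank'

printf '%s\n' "$SAMPLE_LOGS" | flag_failed_auth_sources 3
```

Feed an exported log file in the same key=value form through `flag_failed_auth_sources N` to list sources that crossed the threshold; the threshold is a tuning knob, not a value the advisory specifies.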
🔗 References
- https://github.com/optiv/rustyIron
- https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US
- https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research
- https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration
- https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration