MDM solutions are ubiquitous in today's enterprise environment. They provide a way for security and IT departments to mitigate the risk of mobile malware and lost/stolen devices when personal devices are being used to access and store corporate resources.
Like any other piece of software being deployed on a large scale, we need to ask the questions "is it secure?," "what are the risks?"; because MDM is a security product itself, this crucial step seems to have been overlooked. With a few exceptions, the security community has not had much to say about vulnerabilities in MDM products and this is likely due to the extremely restrictive licensing requirements to gain access to the software.
This talk focuses on vulnerabilities in MDM products themselves. Through a number of penetration tests we have conducted on our clients, we have discovered and leveraged critical vulnerabilities in MDM solutions to gain access to sensitive information. We will provide an overview of these vulnerabilities, some of which seem to be systemic across a number of products.