CVE-2017-9601 in Mobile Banking App
Summary
by MITRE
The "FNB Kemp Mobile Banking" by First National Bank of Kemp app 3.0.2 -- aka fnb-kemp-mobile-banking/id571448725 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Analysis
by VulDB Data Team • 10/18/2019
The CVE-2017-9601 vulnerability affects version 3.0.2 of the FNB Kemp Mobile Banking iOS application and is a critical security flaw in the mobile banking client. It stems from the application's failure to properly validate X.509 certificates during SSL/TLS communication with backend servers. The absence of certificate verification creates a significant attack surface that enables malicious actors to perform man-in-the-middle attacks against unsuspecting users. The vulnerability specifically impacts the app's secure communication channel, which is fundamental to protecting sensitive financial data during transactions and account access.
The technical flaw manifests as a complete absence of certificate pinning or validation mechanisms within the mobile banking application. When the app establishes SSL connections to server endpoints, it fails to perform proper certificate chain validation against trusted certificate authorities or implement certificate pinning techniques. This allows attackers to present fraudulent certificates that appear legitimate to the application, enabling them to intercept and potentially modify all communication between the mobile client and banking servers. The vulnerability directly violates established security protocols for mobile application development and network security implementation.
The operational impact of this vulnerability is severe and multifaceted, affecting both individual users and the financial institution's security posture. Attackers can exploit this weakness to capture sensitive user credentials, account information, transaction details, and other confidential data transmitted through the mobile banking channel. The vulnerability essentially nullifies the security benefits of SSL/TLS encryption, making it possible for threat actors to conduct eavesdropping attacks without detection. This creates significant risk for financial data breaches, identity theft, and unauthorized financial transactions that could result in substantial monetary losses for both customers and the bank.
This vulnerability aligns with CWE-295, which specifically addresses "Improper Certificate Validation" in security protocols, and represents a classic example of inadequate transport layer security implementation. From an ATT&CK framework perspective, this weakness maps to T1046 for Network Service Scanning and T1566 for Phishing, as attackers can leverage this vulnerability to establish persistent access to banking systems through crafted certificate attacks. The lack of certificate verification also creates opportunities for attackers to perform session hijacking and credential theft operations. Organizations should implement certificate pinning mechanisms, enforce strict certificate validation procedures, and conduct regular security assessments to prevent similar vulnerabilities in mobile banking applications. The incident underscores the critical importance of proper cryptographic implementation in financial mobile applications and the necessity of following industry security standards such as those outlined in NIST SP 800-52 for certificate management and validation.
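As an added example (not taken from the advisory or from the affected app's code), the following Swift shows the accept-anything URLSession delegate pattern that produces the CWE-295 flaw described above, followed by a hardened delegate that performs the system chain and hostname validation and the certificate pinning the analysis recommends. Class names are assumed, and the pin set is supplied by the caller as a placeholder rather than any real certificate hash.

```swift
import Foundation
import Security
import CryptoKit

// Vulnerable pattern (CWE-295): the delegate accepts whatever the server presents,
// so a man-in-the-middle's crafted certificate is trusted without any check.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil); return
        }
        // No SecTrustEvaluate* call: chain, expiry and hostname are never validated.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Hardened form: full chain + hostname validation, then a leaf certificate pin.
final class PinnedTrustDelegate: NSObject, URLSessionDelegate {
    // Hex SHA-256 digests of the expected leaf certificate(s) in DER form;
    // the caller supplies placeholder values here, never a guessed production hash.
    private let pinnedLeafSHA256: Set<String>
    init(pinnedLeafSHA256: Set<String>) { self.pinnedLeafSHA256 = pinnedLeafSHA256 }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil); return
        }
        // 1. Validate the chain against the system roots and check the hostname.
        let policy = SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString)
        SecTrustSetPolicies(trust, policy)
        guard SecTrustEvaluateWithError(trust, nil) else {
            completionHandler(.cancelAuthenticationChallenge, nil); return
        }
        // 2. Pin the leaf certificate: a chain that validates but is not the expected one is rejected.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil); return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        guard pinnedLeafSHA256.contains(digest) else {
            completionHandler(.cancelAuthenticationChallenge, nil); return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

In code review, the first delegate's missing SecTrustEvaluate call is the tell-tale sign of this defect; the second fails closed on any validation or pin mismatch.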