SAP Fiori and cybersecurity: what’s the risk?


With more businesses looking to enable workers to access SAP on the go via mobile devices, Joerg Schneider-Simon discusses how you can protect your systems from content-based cyber-attacks.

How we do business has changed. The lines are being blurred between work time and home time, between office, home, and public spaces, and between work devices and personal ones. People in coffee shops are submitting purchase orders on their phones, and then checking Twitter.

SAP has positioned itself in this new environment with Fiori, a UX-optimised app experience powered by SAP HANA. Fiori is designed to allow on-the-go access to commonly used SAP systems.

This is incredibly convenient, in many ways. Sales reps can submit orders and reports easily while out in the field. Manufacturing staff can upload images and data from the plant floor. Suppliers can send through specs and quotes while in transit.

However, it’s not all sunny news.

When a company’s SAP environment extends beyond the boundaries of their protected corporate network, the risk surface increases exponentially:

  • Fiori is often accessed via mobile devices, which may or may not be well-secured by the manufacturer. In addition, users may be careless with their device security, leaving it unattended or failing to implement a secure screen lock.
  • Accessing Fiori on public, unprotected wi-fi provides no network security to users. With the public server acting as a midpoint, redirection attacks are a significant risk.
  • In crowded public places, cyberattackers could easily film a user typing in their credentials, using them later to enter the system and wreak havoc.

As a result of Fiori’s increased attack surface, SAP systems could face an onslaught of cyberattacks.

This is extremely bad news for many companies: Most organisations that use this type of enterprise software wind up interweaving it into multiple business functions. A typical resource extraction company, for example, could use SAP for their human resources, their accounts payable and receivable, for purchasing, and to track production. If the SAP system is breached by cyberattack, a couple of things could happen:

  • The cyberattacker could sabotage systems, either on a large scale, or in small and subtle ways that lead to a domino effect of critical mistakes.
  • The cyberattacker could also steal confidential data. Data on personnel could be sold on the black market to identity thieves, while corporate data could fall into the hands of competitors.

And either way, companies’ reputations tend to suffer when it’s publicly revealed that they’ve fallen victim to a major cybersecurity breach. In some cases, it’s been a death knell.

There are multiple types of attacks that cybercriminals can use to penetrate SAP’s defenses. One (among many) is MIME-type filter evasion.

SAP and MIME type checks

Typically, when somebody uses a Fiori app to upload a file to an SAP system, the file extension is reflective of the file within. A .pdf indicates a PDF file. A .docx indicates a Microsoft Word file. It’s pretty straightforward … usually.

But what if that .pdf file is actually an .exe file?

It turns out that cyberattackers send disguised malicious files through to organizations’ SAP systems, simply by changing the file extension.

As a trick, it’s brilliant (yet incredibly frustrating) in its simplicity.

Even more frustrating: according to our research, 30 per cent of SAP installations do not implement any filtering or restrictions on the types of files accepted by the application. And even where they do, SAP’s built-in file-type filtering relies solely on the extension of the filename. So if an organisation is one of the 70 per cent that does filter file types, it may be all for naught if cyberattackers simply change the extension and slip through anyway. And they are slipping through: more than 60 per cent of the systems we tested allowed uploading of arbitrary files as soon as the extension was changed to a permitted extension type.
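As an added illustration (not code from the article, from SAP or from bowbridge): a minimal upload check in Python that shows why the extension-only filter described above fails, and how comparing the declared extension with the file's leading bytes (magic numbers) rejects a renamed executable. The allow-list, the docx part names checked and the sample bytes are this example's own assumptions.

```python
import io
import zipfile

# Magic bytes for the types an upload form is assumed to allow (constructed allow-list).
MAGIC = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "docx": [b"PK\x03\x04"],  # OOXML is a ZIP container, inspected further below
}
# Signatures no document upload should ever carry at offset 0.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}


def declared_extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def extension_only_check(filename: str) -> bool:
    """The weak filter the article describes: trusts the file name alone."""
    return declared_extension(filename) in MAGIC


def content_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept only when the leading bytes agree with the declared extension."""
    ext = declared_extension(filename)
    if ext not in MAGIC:
        return False, f"extension .{ext} is not on the allow-list"
    for sig, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(sig):
            return False, f"content is a {kind} renamed to .{ext}"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, f"content does not match .{ext}"
    if ext == "docx":
        # Any ZIP starts with PK; a real Word file also carries these parts.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return False, ".docx is not a valid ZIP container"
        if not {"[Content_Types].xml", "word/document.xml"} <= names:
            return False, "ZIP archive lacks the Word document parts"
    return True, "ok"


# Constructed sample: a fake PE header renamed to .pdf passes the name-only check.
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60
if __name__ == "__main__":
    print(extension_only_check("invoice.pdf"), content_check("invoice.pdf", RENAMED_EXE))
```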

The tip of the iceberg

There are multiple ways that cybercriminals can stage attacks on SAP users and applications, with Fiori apps providing a more porous attack surface with which to do so. Companies need to be vigilant in ramping up their SAP cybersecurity, using a multi-pronged strategy to reduce risk.

Learn more about the other types of attacks Fiori might let slip through and the specific steps your company can take to protect its SAP system by watching our webinar, ‘Protecting Fiori and SAP Applications From Content-Based Cyber-Attacks’.

This article is sponsored by bowbridge Software. Joerg Schneider-Simon is the chief technology officer and co-founder of bowbridge Software, which offers SAP cybersecurity solutions for organisations worldwide. With over 20 years of security and IT experience, Joerg is a popular international speaker on traditional IT and network security, malware, vulnerabilities and exploits, and SAP infrastructure.