
The basic operation of how the majority of mobile devices connect to networks leaves them open to “Karma-like” attacks, says security researcher

UK: Google Android, Apple iOS, BlackBerry, and Windows Mobile devices have an inherent security weakness in the method they use for connecting to Wi-Fi networks that has the potential for exploitation by skilled cyber-attackers, says Raul Siles, a highly respected security expert and SANS Instructor.

The vulnerability depends on how the network is added to the device and stems from the way mobile devices keep a list of manually configured wireless networks, plus any networks they have previously connected to, in a Preferred Network List (PNL). Every time the Wi-Fi interface is switched on, and periodically thereafter, the device uses 802.11 probe requests to check which networks on its PNL are available in the current location. Based on the responses obtained, it tries to connect to the most preferred network.

In the past, this network discovery process was performed by sending a generic probe request as an open broadcast plus specific requests for every network in the PNL. This meant devices disclosed the full PNL over the air, exposing themselves to Karma-like attacks in which an attacker identifies all the networks (or access points) the mobile device is trying to connect to and impersonates them. These fake networks can trick a victim’s device into connecting to the attacker's network, which then captures and manipulates its traffic to launch additional advanced attacks.

“This situation has been known since 2004; Microsoft fixed it for Windows XP in 2007 and recently in Windows Phone devices but it seems the other mobile device vendors are not as concerned,” says Siles.

This “PNL disclosure” still applies to the latest Android 4.x versions and has been acknowledged but not fixed since Android 2.x-3.x, dating back to 2011. It is also present when adding Wi-Fi networks manually in iOS 1.x-6.x and in BlackBerry 7.x, although on the latter platform it can be resolved from the advanced Wi-Fi settings, in particular by enabling the "SSID broadcasted" option.

“In some cases, there are options that can be changed to avoid this issue, but on most devices when a Wi-Fi network is added manually it presents the vulnerable behaviour and few users are aware of the security implications,” Siles adds.

Raul Siles is a founder and senior security analyst with Taddong and has over a decade of experience delivering advanced security services and solutions across worldwide industries, including security architecture design and reviews, penetration tests, incident handling, forensic analysis, security assessments, and information security research into new technologies.

He is also a SANS Institute author and instructor of penetration testing courses, a regular speaker at security conferences, author of security books and articles, and contributes to research and open-source projects. Siles recently presented his research into several mobile security vulnerabilities at the RootedCON2013 conference in Madrid last March.

The expert believes that end users, corporate administrators, and security professionals, using or managing Android, iOS or BlackBerry mobile devices should become more aware of this behaviour and ensure that all the Wi-Fi networks available on the device PNL are treated as visible. “I need to stress that these types of client attacks are commonly left unchecked and without consideration, the modern smartphone could become the ultimate digital ‘Trojan Horse’ allowing attacks to breach ultra-secure locations. The threat grows as individuals start mixing personal and corporate activities, logons, confidential data and applications all on the same device.”

Siles also believes that the lack of attention to Wi-Fi security is not an oversight but a deliberate choice by Google, Apple, and others to make device operation simpler for users. “Unfortunately, a clever and targeted attack can use these simplifications as a staging post for a more damaging assault which traditional detection capabilities would be unlikely to spot.”

Siles recommends that Google should add a new configuration setting to the Android user interface that allows the user to specify whether the network must be considered hidden or visible every time a new Wi-Fi network is added to the mobile device. This option should be independent of the method used, or at least be available when the network is manually added through the vulnerable “Add Wi-Fi Network” or “+” button.

Siles adds, “The default value for this new setting must reflect that the network to connect to is visible unless the user specifies otherwise by changing the default value; this change would at least stop Karma-like attacks by default unless a user intentionally exposed the full PNL to the open air.”
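The two passages above, the probe-request discovery procedure by which a device names every PNL entry over the air, and the recommended "visible unless marked hidden" default, can be made concrete with a small simulation. The following is an added example written for this article; it is not code from Raul Siles, Taddong or any vendor. It constructs probe-request frames inline (the MAC addresses, SSIDs and the sample PNL are all made up), parses the SSID element back out the way a wireless monitor on a corporate network would, and contrasts a legacy client that probes for every entry by name with a client that only names entries the user has explicitly marked hidden.

```python
"""
Added example for this article (not Siles' or any vendor's code): a minimal
802.11 probe-request parser plus a simulator of the two client behaviours the
article contrasts. Every frame below is constructed locally; no radio is used.
"""
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6
WILDCARD = ""          # zero-length SSID element means "any network"
PROBE_REQ_FC = 0x40    # frame-control byte 0: type 0 (management), subtype 4 (probe request)


def build_probe_request(src_mac: bytes, ssid: str, seq: int = 0) -> bytes:
    """Construct a probe-request frame (no radiotap header, no FCS) for simulation."""
    header = struct.pack("<BBH6s6s6sH", PROBE_REQ_FC, 0x00, 0,
                         BROADCAST, src_mac, BROADCAST, seq << 4)
    ssid_bytes = ssid.encode()
    body = bytes([0, len(ssid_bytes)]) + ssid_bytes          # element 0 = SSID
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])            # element 1 = supported rates
    return header + body


def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a well-formed probe request, else None.
    Wildcard probes come back with ssid == ''."""
    if len(frame) < 24 or (frame[0] & 0xFC) != PROBE_REQ_FC:
        return None                       # not a probe request (ignore version bits)
    src = frame[10:16]                    # address 2 = transmitter
    body = frame[24:]
    i, ssid = 0, None
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if i + 2 + length > len(body):    # truncated element: stop, do not trust it
            break
        if tag == 0:
            ssid = body[i + 2:i + 2 + length].decode("utf-8", "replace")
            break
        i += 2 + length
    if ssid is None:
        return None
    return ":".join(f"{b:02x}" for b in src), ssid


def summarize_probes(frames):
    """Group probe requests by station: does it send wildcard probes, and which
    SSIDs does it name explicitly (the part of its PNL it discloses)?"""
    summary = defaultdict(lambda: {"wildcard": False, "ssids": set()})
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssid = parsed
        if ssid == WILDCARD:
            summary[src]["wildcard"] = True
        else:
            summary[src]["ssids"].add(ssid)
    return dict(summary)


def disclosing_stations(summary):
    """Stations that name at least one SSID in the clear: what a wireless
    monitor would flag so the device owner can review its PNL."""
    return {src: sorted(info["ssids"]) for src, info in summary.items() if info["ssids"]}


def client_probe_targets(pnl, default_hidden: bool):
    """Model the client policy. pnl is a list of (ssid, hidden) where hidden may be
    None when the user never set it. default_hidden=True reproduces the legacy
    behaviour (every entry probed by name); default_hidden=False is the
    recommended default (only entries the user marked hidden are named)."""
    targets = [WILDCARD]                  # the generic broadcast probe is always sent
    for ssid, hidden in pnl:
        probe_by_name = default_hidden if hidden is None else hidden
        if probe_by_name:
            targets.append(ssid)
    return targets


def simulate(pnl, default_hidden, src_mac):
    """Frames a client with this PNL and this default would transmit in one scan."""
    return [build_probe_request(src_mac, ssid, seq=i)
            for i, ssid in enumerate(client_probe_targets(pnl, default_hidden))]


if __name__ == "__main__":
    # Constructed sample PNL; 'CorpHidden' is the only entry the user marked hidden.
    sample_pnl = [("CorpWiFi", None), ("HomeNet", None), ("CorpHidden", True), ("Cafe", None)]
    legacy = simulate(sample_pnl, True, b"\x02\x00\x00\x00\x00\x01")
    fixed = simulate(sample_pnl, False, b"\x02\x00\x00\x00\x00\x02")
    print("legacy client discloses:", disclosing_stations(summarize_probes(legacy)))
    print("fixed client discloses: ", disclosing_stations(summarize_probes(fixed)))
```

Run as a script, the legacy client is reported with all four SSIDs, while the client using the recommended default discloses only the one network the user deliberately marked hidden. The parser stops at a truncated information element rather than reading past the frame, which matters when the same logic is pointed at real monitor-mode captures.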

The situation on Apple iOS devices is even worse in Siles' view. Within iOS, additional security settings are limited and the user cannot even manage the device PNL. The user does not know which networks the device has previously connected to and cannot easily delete Wi-Fi networks from the PNL unless within the coverage area of that network. A new free tool called iStupid (indiscreet SSID Tool (for the) Unknown PNL (on) iOS Devices), based on the results of Siles’ research presented in March, will be released this month for that specific purpose.

Siles' research also extends the analysis of mobile vulnerabilities affecting Wi-Fi Enterprise (802.1X/EAP) networks previously included in the SANS SEC575 material. As a result, an attacker can force an Android, iOS, BlackBerry or Windows Phone mobile device to disclose the user's credentials (username and password) when it tries to connect to a fake corporate Wi-Fi network.

Siles will be teaching the SEC575: Mobile Device Security and Ethical Hacking at the SANS Institute Pen Test Berlin, the largest dedicated training event for ethical hackers in Europe, which runs from the 3rd to the 8th of June 2013 at the Radisson Blu Hotel on the bank of Berlin's River Spree.

The course is designed to help organisations struggling with mobile device security by equipping personnel with the skills needed to design, deploy, operate, and assess a well-managed, secure mobile environment. From practical policy development to network architecture design and deployment, and from mobile code analysis to penetration testing and ethical hacking, the course teaches the critical skills necessary to support the secure deployment and use of mobile phones and tablets within any organisation. The four courses offered at Pen Test Berlin provide essential preparation for a number of Global Information Assurance Certification (GIAC) exams.