Google Android, Apple iOS, BlackBerry and Windows Mobile devices have an inherent security weakness in the method they use for connecting to Wi-Fi networks, one that has the potential for exploitation by skilled cyber-attackers, claims Raul Siles, a SANS Instructor.
The vulnerability depends on how the network is added to the device. It stems from the way mobile devices keep a Preferred Network List (PNL) containing every manually configured wireless network plus any network they have previously connected to. Every time the Wi-Fi interface is switched on, and on a periodic basis afterwards, the device uses 802.11 probe requests to check which networks on its PNL are available in the current location. Based on the responses obtained, it tries to connect to the most preferred network.
In the past, this network discovery process was performed by sending a generic probe request as an open broadcast plus specific requests for every network in the PNL. This meant devices disclosed the full PNL over the air, exposing themselves to Karma-like attacks in which an attacker can identify all the networks (or access points) the mobile device is trying to connect to and impersonate them. These fake networks can trick a victim’s device into connecting to the attacker’s network, which then captures and manipulates its traffic to launch additional advanced attacks.
‘This situation has been known since 2004; Microsoft fixed it for Windows XP in 2007 and recently in Windows Phone devices, but it seems the other mobile device vendors are not as concerned,’ states Siles.
PNL disclosure still applies to the latest Android 4.x versions; it was acknowledged, but has not been fixed, since Android 2.x-3.x, dating back to 2011. It is also prevalent when adding Wi-Fi networks manually in iOS 1.x-6.x and in BlackBerry 7.x, although on the latter platform it can be resolved from the advanced Wi-Fi settings, in particular by enabling the SSID Broadcasted option.
‘In some cases, there are options that can be changed to avoid this issue but on most devices when a Wi-Fi network is added manually it presents the vulnerable behaviour and few users are aware of the security implications’, Siles claims.
He believes that end users, corporate administrators and security professionals using or managing Android, iOS or BlackBerry mobile devices should become more aware of this behaviour and ensure that all the Wi-Fi networks available on the device PNL are treated as visible.
He adds, ‘I need to stress that these types of client attacks are commonly left unchecked, and without consideration the modern smartphone could become the ultimate digital Trojan Horse, allowing attacks to breach ultra-secure locations. The threat grows as individuals start mixing personal and corporate activities, logons, confidential data and applications all on the same device.’
Siles also claims that the lack of attention to Wi-Fi security is not an oversight but a matter of intent on the part of Google, Apple and others to make device operation simpler for users. He says, ‘Unfortunately, a clever and targeted attack can use these simplifications as a staging post for a more damaging assault which traditional detection capabilities would be unlikely to spot.’
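
The PNL disclosure described above can be checked for on managed devices by looking at the probe requests they emit. The following is an added example, not code from the article or from Siles: it parses bare 802.11 management frames (assumed to have no radiotap header or FCS) and reports which client MAC addresses name specific SSIDs instead of sending only the wildcard probe. The function names and the sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

def build_probe_request(src_mac: bytes, ssid: bytes) -> bytes:
    """Constructed sample input: a minimal probe request carrying one SSID element."""
    bcast = b"\xff" * 6
    # Frame control 0x0040 = management frame, subtype 4 (probe request)
    header = struct.pack("<HH6s6s6sH", 0x0040, 0, bcast, src_mac, bcast, 0)
    return header + bytes([0, len(ssid)]) + ssid  # element: tag 0, length, value

def probed_ssid(frame: bytes):
    """Return the SSID a probe request names, '' for a wildcard probe, else None."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 4:
        return None  # not a probe request
    pos = 24  # tagged parameters start right after the 24-byte header
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None  # truncated element, ignore the frame
        if tag == 0:
            return value.decode("utf-8", errors="replace")
        pos += 2 + length
    return None

def disclosed_networks(frames):
    """Map each source MAC to the sorted SSIDs it disclosed in directed probes."""
    leaks = defaultdict(set)
    for frame in frames:
        ssid = probed_ssid(frame)
        if ssid:  # skip non-probe frames and wildcard (empty SSID) probes
            leaks[frame[10:16].hex(":")].add(ssid)
    return {mac: sorted(ssids) for mac, ssids in leaks.items()}

# Constructed sample capture: device A leaks two PNL entries, device B does not.
DEV_A = bytes.fromhex("020000000001")
DEV_B = bytes.fromhex("020000000002")
SAMPLE = [
    build_probe_request(DEV_A, b""),
    build_probe_request(DEV_A, b"CorpWLAN"),
    build_probe_request(DEV_A, b"HomeNet"),
    build_probe_request(DEV_B, b""),
    bytes([0x80]) + build_probe_request(DEV_B, b"Ignored")[1:],  # beacon subtype, skipped
]

if __name__ == "__main__":
    print(disclosed_networks(SAMPLE))
```

A device that appears in the result is still probing for named networks and is a candidate for the configuration changes the article mentions.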
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)